lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAAVpQUD=_-rsQcva7EkkV6oqOuah+n17NZq3r05yeiE1z9N=Lw@mail.gmail.com>
Date: Thu, 17 Jul 2025 14:41:42 -0700
From: Kuniyuki Iwashima <kuniyu@...gle.com>
To: Florian Westphal <fw@...len.de>
Cc: Alexei Starovoitov <alexei.starovoitov@...il.com>, Alexei Starovoitov <ast@...nel.org>, 
	Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>, Daniel Xu <dxu@...uu.xyz>, 
	Pablo Neira Ayuso <pablo@...filter.org>, Jozsef Kadlecsik <kadlec@...filter.org>, 
	Kuniyuki Iwashima <kuni1840@...il.com>, bpf <bpf@...r.kernel.org>, 
	Network Development <netdev@...r.kernel.org>, netfilter-devel <netfilter-devel@...r.kernel.org>, 
	syzbot+40f772d37250b6d10efc@...kaller.appspotmail.com
Subject: Re: [PATCH v1 bpf] bpf: Disable migration in nf_hook_run_bpf().

On Thu, Jul 17, 2025 at 2:26 PM Florian Westphal <fw@...len.de> wrote:
>
> Alexei Starovoitov <alexei.starovoitov@...il.com> wrote:
> > > Let's call migrate_disable() before calling bpf_prog_run() in
> > > nf_hook_run_bpf().
>
> Or use bpf_prog_run_pin_on_cpu() which wraps bpf_prog_run().

Thanks, this is cleaner.

>
> > > Fixes: 91721c2d02d3 ("netfilter: bpf: Support BPF_F_NETFILTER_IP_DEFRAG in netfilter link")
> >
> > Fixes tag looks wrong.
> > I don't think it's Daniel's defrag series.
> > No idea why syzbot bisected it to this commit.
>
> Didn't check but I'd wager the bpf prog attach is rejected due to an
> unsupported flag before this commit.  Looks like correct tag is
>
> Fixes: fd9c663b9ad6 ("bpf: minimal support for programs hooked into netfilter framework")

Sorry, I should've checked closely.  This tag looks correct.


>
> I don't see anything that implicitly disables preemption and even 6.4 has
> the cant_migrate() call there.
>
> > > +       unsigned int ret;
> > >
> > > -       return bpf_prog_run(prog, &ctx);
> > > +       migrate_disable();
> > > +       ret = bpf_prog_run(prog, &ctx);
> > > +       migrate_enable();
> >
> > The fix looks correct, but we need to root cause it better.
> > Why did it start now ?
>
> I guess most people don't have preemptible rcu enabled.

I have no idea why syzbot found it now, at least it has
supported the netfilter prog since 2023 too.

commit d966708639b67fe767995dfab47bf4296201993f
Author: Paul Chaignon <paul.chaignon@...il.com>
Date:   Wed Sep 6 13:38:44 2023

    sys/linux: cover BPF links for BPF netfilter programs

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ