lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CANn89iLpOcrEERr5ZJPb7Yyub0JUenkSLojV_DPxMqTSqeS-Qw@mail.gmail.com>
Date: Tue, 14 Oct 2025 06:58:13 -0700
From: Eric Dumazet <edumazet@...gle.com>
To: Florian Westphal <fw@...len.de>
Cc: Michal Kubecek <mkubecek@...e.cz>, Paolo Abeni <pabeni@...hat.com>, 
	Sabrina Dubroca <sd@...asysnail.net>, "David S . Miller" <davem@...emloft.net>, 
	Jakub Kicinski <kuba@...nel.org>, Simon Horman <horms@...nel.org>, 
	Willem de Bruijn <willemb@...gle.com>, netdev@...r.kernel.org, eric.dumazet@...il.com
Subject: Re: [PATCH net] udp: drop secpath before storing an skb in a receive queue

On Tue, Oct 14, 2025 at 6:40 AM Florian Westphal <fw@...len.de> wrote:
>
> Eric Dumazet <edumazet@...gle.com> wrote:
> > Thanks for testing. I will follow Sabrina suggestion and send :
> >
> > diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
> > index 95241093b7f0..d66f273f9070 100644
> > --- a/net/ipv4/udp.c
> > +++ b/net/ipv4/udp.c
> > @@ -1851,8 +1851,13 @@ void skb_consume_udp(struct sock *sk, struct
> > sk_buff *skb, int len)
> >                 sk_peek_offset_bwd(sk, len);
> >
> >         if (!skb_shared(skb)) {
> > -               if (unlikely(udp_skb_has_head_state(skb)))
> > -                       skb_release_head_state(skb);
> > +               /* Make sure that this skb has no dst, destructor
> > +                * or conntracking parts, because it might stay
> > +                * in a remote cpu list for a very long time.
> > +                */
> > +               DEBUG_NET_WARN_ON_ONCE(skb_dst(skb));
> > +               DEBUG_NET_WARN_ON_ONCE(skb->destructor);
> > +               DEBUG_NET_WARN_ON_ONCE(skb_nfct(skb));
> >                 skb_attempt_defer_free(skb);
>
> Are there cases where we expect to pass skb which violate this to
> skb_attempt_defer_free()?

So far UDP makes sure these fields are cleared.

>
> If no, then maybe move existing checks in skb_attempt_defer_free() up and
> apped the skb_nfct check there so syzbot can blame other offenders too.

You are right, I forgot skb_attempt_defer_free() already had:

commit e8e1ce8454c9cc8ad2e4422bef346428e52455e3
Author: Eric Dumazet <edumazet@...gle.com>
Date:   Fri Apr 21 09:43:53 2023 +0000

    net: add debugging checks in skb_attempt_defer_free()

    Make sure skbs that are stored in softnet_data.defer_list
    do not have a dst attached.

    Also make sure the the skb was orphaned.

    Link: https://lore.kernel.org/netdev/CANn89iJuEVe72bPmEftyEJHLzzN=QNR2yueFjTxYXCEpS5S8HQ@mail.gmail.com/T/
    Signed-off-by: Eric Dumazet <edumazet@...gle.com>
    Signed-off-by: David S. Miller <davem@...emloft.net>

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 0d998806b377..bd815a00d2af 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -6881,6 +6881,9 @@ nodefer:  __kfree_skb(skb);
                return;
        }

+       DEBUG_NET_WARN_ON_ONCE(skb_dst(skb));
+       DEBUG_NET_WARN_ON_ONCE(skb->destructor);
+
        sd = &per_cpu(softnet_data, cpu);
        defer_max = READ_ONCE(sysctl_skb_defer_max);
        if (READ_ONCE(sd->defer_count) >= defer_max)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ