From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Christoph Paasch <cpaasch@apple.com>,
Florian Westphal <fw@strlen.de>,
Netfilter <netfilter-devel@vger.kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
netdev@vger.kernel.org, daniel@iogearbox.net, willemb@google.com
Subject: Re: [PATCH nf] netfilter: nf_reject: init skb->dev for reset packet
Date: Wed, 5 Jun 2024 21:08:33 +0200
Message-ID: <20240605190833.GB7176@breakpoint.cc>
In-Reply-To: <ZmCwlbF8BvLGNgRM@calendula>
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
[ CC Willem ]
> On Wed, Jun 05, 2024 at 08:14:50PM +0200, Florian Westphal wrote:
> > Christoph Paasch <cpaasch@apple.com> wrote:
> > > > Reported-by: Christoph Paasch <cpaasch@apple.com>
> > > > Suggested-by: Paolo Abeni <pabeni@redhat.com>
> > > > Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/494
> > > > Signed-off-by: Florian Westphal <fw@strlen.de>
> > >
> > > I just gave this one a shot in my syzkaller instances and am still hitting the issue.
> >
> > No, different bug, this patch is correct.
> >
> > I refuse to touch the flow dissector.
>
> I see callers of ip_local_out() in the tree which do not set skb->dev.
>
> I don't understand this:
>
> bool __skb_flow_dissect(const struct net *net,
>                         const struct sk_buff *skb,
>                         struct flow_dissector *flow_dissector,
>                         void *target_container, const void *data,
>                         __be16 proto, int nhoff, int hlen, unsigned int flags)
> {
> [...]
>         WARN_ON_ONCE(!net);
>         if (net) {
>
> it was added by 9b52e3f267a6 ("flow_dissector: handle no-skb use case")
>
> Is this WARN_ON_ONCE() bogus?

When this was added (handle dissection from bpf prog, per netns), the correct
solution would have been to pass 'struct net' explicitly via skb_get_hash()
and all variants. As that was likely deemed to be too much code churn it
tries to infer struct net via skb->{dev,sk}.

So there are several options here:

1. remove the WARN_ON_ONCE and be done with it
2. remove the WARN_ON_ONCE and pretend net was init_net
3. also look at skb_dst(skb)->dev if skb->dev is unset, then back to 1)
   or 2)
4. stop using skb_get_hash() from netfilter (but there are likely other
   callers that might hit this).
5. fix up callers, one by one
6. assign skb->dev inside netfilter if it's unset

3 and 2 combined are probably going to be the least invasive.

5 might take some time, we now know two, namely tcp resets generated
from netfilter and igmp_send_report(). No idea if there are more.

I dislike 3) mainly because of the 'guess the netns' design, not because it
adds more code to a way too large function however, so maybe it's
acceptable?
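
The fallback order of options 3 and 2 combined, as a userspace C model added here (not code from this thread or from the kernel). The structs, `enum net_source`, `infer_net_current` and `infer_net_fallback` are hypothetical stand-ins, and the sample skb is constructed.

```c
/* Userspace model, not kernel code: every type here is a minimal stand-in. */
#include <stdio.h>

struct net        { int id; };
struct net_device { struct net *nd_net; };
struct sock       { struct net *sk_net; };
struct dst_entry  { struct net_device *dev; };
struct sk_buff    { struct net_device *dev; struct sock *sk; struct dst_entry *dst; };

static struct net init_net = { 0 };  /* stand-in for the initial netns */
enum net_source { FROM_DEV, FROM_SK, FROM_DST, FROM_INIT_NET };

/* Inference as described in the mail: skb->{dev,sk} only. */
static struct net *infer_net_current(const struct sk_buff *skb)
{
    if (skb->dev)
        return skb->dev->nd_net;
    if (skb->sk)
        return skb->sk->sk_net;
    return NULL;  /* the case WARN_ON_ONCE(!net) reports */
}

/* Options 3 and 2 combined (hypothetical helper): dst device, then init_net. */
static struct net *infer_net_fallback(const struct sk_buff *skb, enum net_source *src)
{
    struct net *net = infer_net_current(skb);
    if (net) {
        *src = skb->dev ? FROM_DEV : FROM_SK;
        return net;
    }
    if (skb->dst && skb->dst->dev) {
        *src = FROM_DST;
        return skb->dst->dev->nd_net;
    }
    *src = FROM_INIT_NET;  /* a guess, not a fact about the packet */
    return &init_net;
}

int main(void)
{
    struct net ns = { 7 };                      /* constructed sample netns */
    struct net_device out = { &ns };
    struct dst_entry dst = { &out };
    struct sk_buff skb = { NULL, NULL, &dst };  /* constructed: only dst is set */
    enum net_source src;
    struct net *net = infer_net_fallback(&skb, &src);
    printf("current=%p fallback=netns %d (source %d)\n",
           (void *)infer_net_current(&skb), net->id, (int)src);
}
```

Returning the source alongside the result lets a caller tell a namespace derived from the packet apart from the `init_net` guess, which is the case the 'guess the netns' objection is about.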