From: Florian Westphal <fw@strlen.de>
To: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Cc: Eric Dumazet <edumazet@google.com>,
	Florian Westphal <fw@strlen.de>,
	netdev@vger.kernel.org, Paolo Abeni <pabeni@redhat.com>,
	"David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	netfilter-devel@vger.kernel.org, pablo@netfilter.org,
	willemb@google.com, Christoph Paasch <cpaasch@apple.com>
Subject: Re: [PATCH net-next 1/2] net: add and use skb_get_hash_net
Date: Sun, 9 Jun 2024 00:17:30 +0200
Message-ID: <20240608221730.GA13159@breakpoint.cc>
In-Reply-To: <6663159ab88ef_2f27b294c5@willemb.c.googlers.com.notmuch>

Willem de Bruijn <willemdebruijn.kernel@gmail.com> wrote:
> > > syzkaller did something like this:
> > > table inet filter {
> > >   chain input {
> > >     type filter hook input priority filter; policy accept;
> > >     meta nftrace set 1                  # calls skb_get_hash
> > >     tcp dport 42 reject with tcp reset  # emits skb with NULL skb dev/sk
> > >    }
> > >    chain output {
> > >     type filter hook output priority filter; policy accept;
> > >     # empty chain is enough
> > >    }
> > > }
> > >
> > > ... then sends a tcp packet to port 42.
> > >
> > > Initial attempt to simply set skb->dev from nf_reject_ipv4 doesn't cover
> > > all cases: skbs generated via ipv4 igmp_send_report trigger similar splat.
> 
> Does this mean we have more non-nf callsites to convert?

There might be non-nf call sites that need skb_get_hash_net(),
but I don't know of any.

The above comment was meant to say that I tried to patch this
outside of flow dissector by setting skb->dev properly in nf_reject,
but that still triggers a slightly different WARN trace, this time
due to igmp_send_report also sending skb without dev+sk pointers.


Thread overview: 9+ messages
2024-06-07  8:31 [PATCH net-next 0/2] net: flow dissector: allow explicit passing of netns Florian Westphal
2024-06-07  8:31 ` [PATCH net-next 1/2] net: add and use skb_get_hash_net Florian Westphal
2024-06-07  9:25   ` Eric Dumazet
2024-06-07 14:13     ` Willem de Bruijn
2024-06-08 22:17       ` Florian Westphal [this message]
2024-06-07 12:33   ` kernel test robot
2024-06-07  8:32 ` [PATCH net-next 2/2] net: add and use __skb_get_hash_symmetric_net Florian Westphal
2024-06-07  9:26   ` Eric Dumazet
2024-06-07 14:14     ` Willem de Bruijn
