Re: [PATCH net v2 2/3] net: ipv6: fix lwtunnel loops in ioam6, rpl and seg6

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Ido Schimmel <idosch@idosch.org>
To: Justin Iurman <justin.iurman@uliege.be>
Cc: netdev@vger.kernel.org, davem@davemloft.net, dsahern@kernel.org,
	edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
	horms@kernel.org, Alexander Aring <alex.aring@gmail.com>,
	David Lebrun <dlebrun@google.com>
Subject: Re: [PATCH net v2 2/3] net: ipv6: fix lwtunnel loops in ioam6, rpl and seg6
Date: Mon, 17 Feb 2025 16:40:32 +0200	[thread overview]
Message-ID: <Z7NKYMY7fJT5cYWu@shredder> (raw)
In-Reply-To: <Z7ISxnU0QhtRGTnb@shredder>

On Sun, Feb 16, 2025 at 06:31:06PM +0200, Ido Schimmel wrote:
> On Thu, Feb 13, 2025 at 11:51:49PM +0100, Justin Iurman wrote:
> > On 2/13/25 14:28, Ido Schimmel wrote:
> > > On Tue, Feb 11, 2025 at 11:16:23PM +0100, Justin Iurman wrote:
> > > > When the destination is the same post-transformation, we enter a
> > > > lwtunnel loop. This is true for ioam6_iptunnel, rpl_iptunnel, and
> > > > seg6_iptunnel, in both input() and output() handlers respectively, where
> > > > either dst_input() or dst_output() is called at the end. It happens for
> > > > instance with the ioam6 inline mode, but can also happen for any of them
> > > > as long as the post-transformation destination still matches the fib
> > > > entry. Note that ioam6_iptunnel was already comparing the old and new
> > > > destination address to prevent the loop, but it is not enough (e.g.,
> > > > other addresses can still match the same subnet).
> > > > 
> > > > Here is an example for rpl_input():
> > > > 
> > > > dump_stack_lvl+0x60/0x80
> > > > rpl_input+0x9d/0x320
> > > > lwtunnel_input+0x64/0xa0
> > > > lwtunnel_input+0x64/0xa0
> > > > lwtunnel_input+0x64/0xa0
> > > > lwtunnel_input+0x64/0xa0
> > > > lwtunnel_input+0x64/0xa0
> > > > [...]
> > > > lwtunnel_input+0x64/0xa0
> > > > lwtunnel_input+0x64/0xa0
> > > > lwtunnel_input+0x64/0xa0
> > > > lwtunnel_input+0x64/0xa0
> > > > lwtunnel_input+0x64/0xa0
> > > > ip6_sublist_rcv_finish+0x85/0x90
> > > > ip6_sublist_rcv+0x236/0x2f0
> > > > 
> > > > ... until rpl_do_srh() fails, which means skb_cow_head() failed.
> > > > 
> > > > This patch prevents that kind of loop by redirecting to the origin
> > > > input() or output() when the destination is the same
> > > > post-transformation.
> > > 
> > > A loop was reported a few months ago with a similar stack trace:
> > > https://lore.kernel.org/netdev/2bc9e2079e864a9290561894d2a602d6@akamai.com/
> > > 
> > > But even with this series applied my VM gets stuck. Can you please check
> > > if the fix is incomplete?
> > 
> > Good catch! Indeed, seg6_local also needs to be fixed the same way.
> > 
> > Back to my first idea: maybe we could directly fix it in lwtunnel_input()
> > and lwtunnel_output() to make our lives easier, but we'd have to be careful
> > to modify all users accordingly. The users I'm 100% sure that are concerned:
> > ioam6 (output), rpl (input/output), seg6 (input/output), seg6_local (input).
> > Other users I'm not totally sure (to be checked): ila (output), bpf (input).
> > 
> > Otherwise, we'll need to apply the fix to each user concerned (probably the
> > safest (best?) option right now). Any opinions?
> 
> I audited the various lwt users and I agree with your analysis about
> which users seem to be effected by this issue.
> 
> I'm not entirely sure how you want to fix this in
> lwtunnel_{input,output}() given that only the input()/output() handlers
> of the individual lwt users are aware of both the old and new dst
> entries.
> 
> BTW, I noticed that bpf implements the xmit() hook in addition to
> input()/output(). I wonder if a loop is possible in the following case:
> 
> ip_finish_output2()                                         <----+
> 	lwtunnel_xmit()                                          |
> 		bpf_xmit()                                       |
> 			// bpf program does not change           |
> 			// the packet and returns                |
> 			// BPF_LWT_REROUTE                       |
> 			bpf_lwt_xmit_reroute()                   |
> 				// unmodified packet resolves    |
> 				// the same dst entry            |
> 				dst_output()                     |
> 					ip_output() -------------+

FWIW, verified that this is indeed the case. Reproducer:

$ cat lwt_xmit_repo.bpf.c
// SPDX-License-Identifier: GPL-2.0
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>

SEC("lwt_xmit")
int repo(struct __sk_buff *skb)
{
        return BPF_LWT_REROUTE;
}
$ clang -O2 -target bpf -c lwt_xmit_repo.bpf.c -o lwt_xmit_repo.o
# ip link add name dummy1 up type dummy
# ip route add 192.0.2.0/24 nexthop encap bpf xmit obj ./lwt_xmit_repo.o sec lwt_xmit dev dummy1
# ping 192.0.2.1

next prev parent reply	other threads:[~2025-02-17 14:40 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-02-11 22:16 [PATCH net v2 0/3] several fixes for ioam6, rpl and seg6 lwtunnels Justin Iurman
2025-02-11 22:16 ` [PATCH net v2 1/3] net: ipv6: fix dst ref loops on input in " Justin Iurman
2025-02-13 12:27   ` Ido Schimmel
2025-02-13 22:37     ` Justin Iurman
2025-02-11 22:16 ` [PATCH net v2 2/3] net: ipv6: fix lwtunnel loops in ioam6, rpl and seg6 Justin Iurman
2025-02-12 20:42   ` Justin Iurman
2025-02-13 13:28   ` Ido Schimmel
2025-02-13 22:51     ` Justin Iurman
2025-02-16 16:31       ` Ido Schimmel
2025-02-17 14:40         ` Ido Schimmel [this message]
2025-02-25 18:47           ` Justin Iurman
2025-03-06 18:14           ` Justin Iurman
2025-02-25 18:36         ` Justin Iurman
2025-02-11 22:16 ` [PATCH net v2 3/3] net: ipv6: fix consecutive input and output transformation in lwtunnels Justin Iurman
2025-02-13 14:33   ` Paolo Abeni
2025-02-13 22:57     ` Justin Iurman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Z7NKYMY7fJT5cYWu@shredder \
    --to=idosch@idosch.org \
    --cc=alex.aring@gmail.com \
    --cc=davem@davemloft.net \
    --cc=dlebrun@google.com \
    --cc=dsahern@kernel.org \
    --cc=edumazet@google.com \
    --cc=horms@kernel.org \
    --cc=justin.iurman@uliege.be \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.