Re: kernels > v4.12 oops/crash with ipsec-traffic: bisected to b838d5e1c5b6e57b10ec8af2268824041e3ea911: ipv4: mark DST_NOGC and remove the operation of dst_free()

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Steffen Klassert <steffen.klassert@secunet.com>
To: Wolfgang Walter <linux@stwm.de>
Cc: <netdev@vger.kernel.org>, Wei Wang <weiwan@google.com>,
	Tobias Hommel <netdev-list@genoetigt.de>,
	Eric Dumazet <edumazet@google.com>
Subject: Re: kernels > v4.12 oops/crash with ipsec-traffic: bisected to b838d5e1c5b6e57b10ec8af2268824041e3ea911: ipv4: mark DST_NOGC and remove the operation of dst_free()
Date: Mon, 10 Sep 2018 08:37:39 +0200	[thread overview]
Message-ID: <20180910063739.GX23674@gauss3.secunet.de> (raw)
In-Reply-To: <1619354.H6dCVflbiu@stwm.de>

On Fri, Sep 07, 2018 at 11:10:55PM +0200, Wolfgang Walter wrote:
> Hello Steffen,
> 
> in one of your emails to Thomas you wrote:
> > xfrm_lookup+0x2a is at the very beginning of xfrm_lookup(), here we
> > find:
> > 
> > u16 family = dst_orig->ops->family;
> > 
> > ops has an offset of 32 bytes (20 hex) in dst_orig, so looks like
> > dst_orig is NULL.
> > 
> > In the forwarding case, we get dst_orig from the skb and dst_orig
> > can't be NULL here unless the skb itself is already fishy.
> 
> Is this really true?
> 
> If xfrm_lookup is called from 
> 
> __xfrm_route_forward():
> 
> int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
> {
>         struct net *net = dev_net(skb->dev);
>         struct flowi fl;
>         struct dst_entry *dst;
>         int res = 1;
> 
>         if (xfrm_decode_session(skb, &fl, family) < 0) {
>                 XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
>                 return 0;
>         }
> 
>         skb_dst_force(skb);
> 
>         dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, XFRM_LOOKUP_QUEUE);
>         if (IS_ERR(dst)) {
>                 res = 0;
>                 dst = NULL;
>         }
>         skb_dst_set(skb, dst);
>         return res;
> }
> 
> couldn't it be possible that skb_dst_force(skb) actually sets dst to NULL if 
> it cannot safely lock it? If it is absolutely sure that skb_dst_force() never 
> can set dst to NULL I wonder why it is called at all?

Ugh, skb_dst_force apparently changed since I looked at it last time.
I did not expect that it can clear skb->dst. This behaviour was
introduced with:

commit 222d7dbd258dad4cd5241c43ef818141fad5a87a
net: prevent dst uses after free

from Eric Dumazet (put him to Cc).

The easy fix that could be backported to stable would be
to check skb->dst for NULL and drop the packet in that case.

I wonder if we can do better here. We can still use the
dst_entry as long as we don't exit the RCU grace period.
But looking deeper into it, the crypto layer might return
asynchronously. In this case, we exit the RCU grace period
and we have to drop the packet anyway.

If I understand correct, the bug happens rarely. So maybe
we could just stay with the easy fix (I'll do a patch today).

The other thing I wonder about is why Tobias bisected this to

commit b838d5e1c5b6e57b10ec8af2268824041e3ea911
ipv4: mark DST_NOGC and remove the operation of dst_free()

from 'Jun 17 2017' and not to

commit 222d7dbd258dad4cd5241c43ef818141fad5a87a
net: prevent dst uses after free

from 'Sep 21 2017'.

Maybe Tobias has seen two bugs. Before
("net: prevent dst uses after free"), it was the
use after free, and after this fix it was a NULL
pointer derference of skb->dst.

next prev parent reply	other threads:[~2018-09-10 11:30 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-08-30 10:48 kernels >= v4.12 oops/crash with ipsec-traffic: partly bisected Wolfgang Walter
2018-08-30 18:53 ` kernels > v4.12 oops/crash with ipsec-traffic: bisected to b838d5e1c5b6e57b10ec8af2268824041e3ea911: ipv4: mark DST_NOGC and remove the operation of dst_free() Wolfgang Walter
2018-08-31  6:50   ` Steffen Klassert
2018-09-07  9:53     ` Wolfgang Walter
2018-09-07 20:22     ` Wolfgang Walter
2018-09-07 21:10       ` Wolfgang Walter
2018-09-10  6:37         ` Steffen Klassert [this message]
2018-09-10  8:18           ` Kristian Evensen
2018-09-10 10:46             ` Wolfgang Walter
2018-09-11 10:33             ` Steffen Klassert
2018-09-11 16:53               ` Wolfgang Walter
2018-09-11 19:02                 ` Tobias Hommel
2018-09-12  8:50                   ` Steffen Klassert
2018-09-12 15:18                     ` Tobias Hommel
2018-09-19 18:38                       ` Tobias Hommel
2018-09-10  9:06           ` Tobias Hommel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180910063739.GX23674@gauss3.secunet.de \
    --to=steffen.klassert@secunet.com \
    --cc=edumazet@google.com \
    --cc=linux@stwm.de \
    --cc=netdev-list@genoetigt.de \
    --cc=netdev@vger.kernel.org \
    --cc=weiwan@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).