Message ID | e5d05e56bf41de82f10d33229b8a8f6b49290e98.1690332693.git.yan@cloudflare.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:a985:0:b0:3e4:2afc:c1 with SMTP id t5csp122300vqo; Tue, 25 Jul 2023 18:58:41 -0700 (PDT) X-Google-Smtp-Source: APBJJlGSCmsJ/tO/CnZoBUjgbwWWzxICEkPsCt2+PGCXj6C/Bl0idtpUdzChrSsgfcwcXqMbXMyG X-Received: by 2002:a5d:574b:0:b0:317:6c75:c361 with SMTP id q11-20020a5d574b000000b003176c75c361mr307888wrw.1.1690336721334; Tue, 25 Jul 2023 18:58:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690336721; cv=none; d=google.com; s=arc-20160816; b=ykIAcYcXDlpsGhskPscw5gf+OYo3HtVlYerj4z9bmH51fqz8F1y11Zk/flZ/3Su9j9 8Zqqxmhqomoa1pwh4SwpO+CQ15H1GQANPKWKKEmxUbpWopSrucNRgOKzOqUtJqiQRYBt MOQtH9AAB4fpOQ40DxW+G99VWKsi+tvAJdPEtkK1kaRZbPMhc9OePvN5vJBifSmykMfu 4kbNvKwNzbnbJaeC/S2hUxd+keivCA6LkF+/in066po5w0TR7BP8fP5SVU8DCBhe8xfS Q8CQm/RIDaqO0icEgtL3ahvpuGEoSJZnDm8XStt6XXSF5d2y3tbJgRlOq2vCEGy3iz0n 3rRA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=n0NtF3U2QeP9UCLELIDDLvHXTMrNEAe+2WmgLDwewEc=; fh=tUEnnqvJ+JVPmX9GZQRvTnGoIyUPZkQwh65YlQvUPUo=; b=E9tdeIoY2FbNaZ27GJSrO+c0N66iwEfV06BYWHP9ntf6efPO8zSZV6Y/4cFlHpFjp2 OAvgO8hE+vyIaAx9x2gkT+G+w878fOmp4PlxRLjlrQn7ZJHS+VXZC2Rsz1PKtU48iQvE Z9mfIK4TjHgcyLC+mmMsCEE2jsF+UQpVu32/VzABlzPEfU/d/9Wq8q6maZ0oVWRJx4Ub Mj+gLtxFwXbzSTkkn2e8WRTAiOlXQOBdHwTzgEhCDPm1jIue2RDlc+aAYYMmwmVQuwYE ffQptzx8ho7QmDfUZuOkMG6IbZ/m3QpXpx1CU7U2B+xqc0WuwWFNJkQ2Bxw8C+GBhRmt 1QgA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@cloudflare.com header.s=google header.b="Zwegie/a"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cloudflare.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id p13-20020a056402074d00b005224e403e96si1733852edy.196.2023.07.25.18.58.17; Tue, 25 Jul 2023 18:58:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@cloudflare.com header.s=google header.b="Zwegie/a"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cloudflare.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230377AbjGZBIb (ORCPT <rfc822;kautuk.consul.80@gmail.com> + 99 others); Tue, 25 Jul 2023 21:08:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35000 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229987AbjGZBI3 (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Tue, 25 Jul 2023 21:08:29 -0400 Received: from mail-qk1-x72e.google.com (mail-qk1-x72e.google.com [IPv6:2607:f8b0:4864:20::72e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 36C0A268B for <linux-kernel@vger.kernel.org>; Tue, 25 Jul 2023 18:08:21 -0700 (PDT) Received: by mail-qk1-x72e.google.com with SMTP id af79cd13be357-76c4890a220so191370885a.3 for <linux-kernel@vger.kernel.org>; Tue, 25 Jul 2023 18:08:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; t=1690333700; x=1690938500; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=n0NtF3U2QeP9UCLELIDDLvHXTMrNEAe+2WmgLDwewEc=; b=Zwegie/aBtxLm5/hxoycUPRg/LkQ/+bpJIJPBs1adCSZnU6/M4XYi77KAHIkaUYFf5 5oiYrj8pSZiGiUIiSLGeDdPFyg85hpidIdlmu7QljlEKcwguPf2CD4c2jD2M9HiJpHkh c0rIWHce8o8oUAI6BuBWP529MRjgnrlaI7qpg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690333700; x=1690938500; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=n0NtF3U2QeP9UCLELIDDLvHXTMrNEAe+2WmgLDwewEc=; b=GJ+fVWbV8jHyFW5qC78m0aSO6/pw+UvA0vh683219JK21svyLyWYyBlJqz4lqwfzcc wfvMjTODJNX7JFDwDlWacDwcYThWsEZuxtM4pcFpGbUtfsto6T4I6j/j9gM4QhTy+y8y rxhMWgVyJbZXJygPYwTvnXQxhWngINjGkQAbg3Z7SMxtoRYA/snvG4exjvOwk0vB4oaQ Dv3l9pPfkzSbC12R+4ux5O/DTqtpjHwyAWHZwf/LvikBzH4Oc4xXkNaZQ/i0NzwfXNkE wKmoX8nYQ/JsphLOfd02uZBJIEkFusCuXVP+0s9QaBUo44ic5dQQi3M6NJmJT10XyBvV Rkng== X-Gm-Message-State: ABy/qLZDvrG7Z3CTYYbxc3qE1wOP1noOTXNSb2wxmIMtVFTVgAVIy8cY wMnxudA8OHOvICEou4m1cq3c1Q== X-Received: by 2002:a05:620a:e1e:b0:768:2472:d4ac with SMTP id y30-20020a05620a0e1e00b007682472d4acmr643965qkm.4.1690333700214; Tue, 25 Jul 2023 18:08:20 -0700 (PDT) Received: from debian.debian ([140.141.197.139]) by smtp.gmail.com with ESMTPSA id t4-20020a05620a004400b00767c8308329sm812377qkt.25.2023.07.25.18.08.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 25 Jul 2023 18:08:19 -0700 (PDT) Date: Tue, 25 Jul 2023 18:08:17 -0700 From: Yan Zhai <yan@cloudflare.com> To: bpf@vger.kernel.org Cc: Alexei Starovoitov <ast@kernel.org>, Daniel Borkmann <daniel@iogearbox.net>, Andrii Nakryiko <andrii@kernel.org>, Martin KaFai Lau <martin.lau@linux.dev>, Song Liu <song@kernel.org>, Yonghong Song <yhs@fb.com>, John Fastabend <john.fastabend@gmail.com>, KP Singh <kpsingh@kernel.org>, Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>, Jiri Olsa <jolsa@kernel.org>, "David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, Mykola Lysenko <mykolal@fb.com>, Shuah Khan <shuah@kernel.org>, Yan Zhai <yan@cloudflare.com>, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, kernel-team@cloudflare.com, Jordan Griege <jgriege@cloudflare.com>, Markus Elfring <Markus.Elfring@web.de>, Jakub Sitnicki <jakub@cloudflare.com> Subject: [PATCH v4 bpf 1/2] bpf: fix skb_do_redirect return values Message-ID: <e5d05e56bf41de82f10d33229b8a8f6b49290e98.1690332693.git.yan@cloudflare.com> References: <cover.1690332693.git.yan@cloudflare.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <cover.1690332693.git.yan@cloudflare.com> X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1772446517737885950 X-GMAIL-MSGID: 1772446517737885950 |
Series |
bpf: return proper error codes for lwt redirect
|
|
Commit Message
Yan Zhai
July 26, 2023, 1:08 a.m. UTC
skb_do_redirect returns various of values: error code (negative), 0 (success), and some positive status code, e.g. NET_XMIT_CN, NET_RX_DROP. Commit 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure") didn't check the return code correctly, so positive values are propagated back along call chain: ip_finish_output2 -> bpf_xmit -> run_lwt_bpf -> skb_do_redirect Inside ip_finish_output2, redirected skb will continue to neighbor subsystem as if LWTUNNEL_XMIT_CONTINUE is returned, despite that this skb could have been freed. The bug can trigger use-after-free warning and crashes kernel afterwards: https://gist.github.com/zhaiyan920/8fbac245b261fe316a7ef04c9b1eba48 Convert positive statuses from skb_do_redirect eliminates this issue. Fixes: 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure") Tested-by: Jakub Sitnicki <jakub@cloudflare.com> Suggested-by: Markus Elfring <Markus.Elfring@web.de> Suggested-by: Stanislav Fomichev <sdf@google.com> Reported-by: Jordan Griege <jgriege@cloudflare.com> Signed-off-by: Yan Zhai <yan@cloudflare.com> --- include/linux/netdevice.h | 2 ++ net/core/filter.c | 9 +++++++-- 2 files changed, 9 insertions(+), 2 deletions(-)
Comments
On Tue, Jul 25, 2023 at 06:08 PM -07, Yan Zhai wrote: > skb_do_redirect returns various of values: error code (negative), > 0 (success), and some positive status code, e.g. NET_XMIT_CN, > NET_RX_DROP. Commit 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel > infrastructure") didn't check the return code correctly, so positive > values are propagated back along call chain: > > ip_finish_output2 > -> bpf_xmit > -> run_lwt_bpf > -> skb_do_redirect > > Inside ip_finish_output2, redirected skb will continue to neighbor > subsystem as if LWTUNNEL_XMIT_CONTINUE is returned, despite that this > skb could have been freed. The bug can trigger use-after-free warning > and crashes kernel afterwards: > > https://gist.github.com/zhaiyan920/8fbac245b261fe316a7ef04c9b1eba48 > > Convert positive statuses from skb_do_redirect eliminates this issue. > > Fixes: 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure") > Tested-by: Jakub Sitnicki <jakub@cloudflare.com> > Suggested-by: Markus Elfring <Markus.Elfring@web.de> > Suggested-by: Stanislav Fomichev <sdf@google.com> > Reported-by: Jordan Griege <jgriege@cloudflare.com> > Signed-off-by: Yan Zhai <yan@cloudflare.com> > --- Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
I'm not positive I understand the code in ip_finish_output2(). I think instead of looking for LWTUNNEL_XMIT_DONE it should instead look for != LWTUNNEL_XMIT_CONTINUE. It's unfortunate that NET_XMIT_DROP and LWTUNNEL_XMIT_CONTINUE are the both 0x1. Why don't we just change that instead? Also there seems to be a leak in lwtunnel_xmit(). Should that return LWTUNNEL_XMIT_CONTINUE or should it call kfree_skb() before returning? Something like the following? diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index 11652e464f5d..375790b672bc 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -112,6 +112,9 @@ void netdev_sw_irq_coalesce_default_on(struct net_device *dev); #define NET_XMIT_CN 0x02 /* congestion notification */ #define NET_XMIT_MASK 0x0f /* qdisc flags in net/sch_generic.h */ +#define LWTUNNEL_XMIT_DONE NET_XMIT_SUCCESS +#define LWTUNNEL_XMIT_CONTINUE 0x3 + /* NET_XMIT_CN is special. It does not guarantee that this packet is lost. It * indicates that the device will soon be dropping packets, or already drops * some packets of the same priority; prompting us to send less aggressively. */ diff --git a/include/net/lwtunnel.h b/include/net/lwtunnel.h index 6f15e6fa154e..8ab032ee04d0 100644 --- a/include/net/lwtunnel.h +++ b/include/net/lwtunnel.h @@ -16,12 +16,6 @@ #define LWTUNNEL_STATE_INPUT_REDIRECT BIT(1) #define LWTUNNEL_STATE_XMIT_REDIRECT BIT(2) -enum { - LWTUNNEL_XMIT_DONE, - LWTUNNEL_XMIT_CONTINUE, -}; - - struct lwtunnel_state { __u16 type; __u16 flags; diff --git a/net/core/lwtunnel.c b/net/core/lwtunnel.c index 711cd3b4347a..732415d1287d 100644 --- a/net/core/lwtunnel.c +++ b/net/core/lwtunnel.c @@ -371,7 +371,7 @@ int lwtunnel_xmit(struct sk_buff *skb) if (lwtstate->type == LWTUNNEL_ENCAP_NONE || lwtstate->type > LWTUNNEL_ENCAP_MAX) - return 0; + return LWTUNNEL_XMIT_CONTINUE; ret = -EOPNOTSUPP; rcu_read_lock(); diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index 6e70839257f7..4be50a211b14 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c @@ -216,7 +216,7 @@ static int ip_finish_output2(struct net *net, struct sock *sk, struct sk_buff *s if (lwtunnel_xmit_redirect(dst->lwtstate)) { int res = lwtunnel_xmit(skb); - if (res < 0 || res == LWTUNNEL_XMIT_DONE) + if (res != LWTUNNEL_XMIT_CONTINUE) return res; } diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 1e8c90e97608..016b0a513259 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -113,7 +113,7 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff * if (lwtunnel_xmit_redirect(dst->lwtstate)) { int res = lwtunnel_xmit(skb); - if (res < 0 || res == LWTUNNEL_XMIT_DONE) + if (res != LWTUNNEL_XMIT_CONTINUE) return res; }
On Wed, Jul 26, 2023 at 04:39:08PM +0300, Dan Carpenter wrote: > I'm not positive I understand the code in ip_finish_output2(). I think > instead of looking for LWTUNNEL_XMIT_DONE it should instead look for > != LWTUNNEL_XMIT_CONTINUE. It's unfortunate that NET_XMIT_DROP and > LWTUNNEL_XMIT_CONTINUE are the both 0x1. Why don't we just change that > instead? > I considered about changing lwt side logic. But it would bring larger impact since there are multiple types of encaps on this hook, not just bpf redirect. Changing bpf return values is a minimum change on the other hand. In addition, returning value of NET_RX_DROP and NET_XMIT_CN are the same, so if we don't do something in bpf redirect, there is no way to distinguish them later: the former is considered as an error, while "CN" is considered as non-error. > Also there seems to be a leak in lwtunnel_xmit(). Should that return > LWTUNNEL_XMIT_CONTINUE or should it call kfree_skb() before returning? > > Something like the following? > > diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h > index 11652e464f5d..375790b672bc 100644 > --- a/include/linux/netdevice.h > +++ b/include/linux/netdevice.h > @@ -112,6 +112,9 @@ void netdev_sw_irq_coalesce_default_on(struct net_device *dev); > #define NET_XMIT_CN 0x02 /* congestion notification */ > #define NET_XMIT_MASK 0x0f /* qdisc flags in net/sch_generic.h */ > > +#define LWTUNNEL_XMIT_DONE NET_XMIT_SUCCESS > +#define LWTUNNEL_XMIT_CONTINUE 0x3 > + > /* NET_XMIT_CN is special. It does not guarantee that this packet is lost. It > * indicates that the device will soon be dropping packets, or already drops > * some packets of the same priority; prompting us to send less aggressively. */ > diff --git a/include/net/lwtunnel.h b/include/net/lwtunnel.h > index 6f15e6fa154e..8ab032ee04d0 100644 > --- a/include/net/lwtunnel.h > +++ b/include/net/lwtunnel.h > @@ -16,12 +16,6 @@ > #define LWTUNNEL_STATE_INPUT_REDIRECT BIT(1) > #define LWTUNNEL_STATE_XMIT_REDIRECT BIT(2) > > -enum { > - LWTUNNEL_XMIT_DONE, > - LWTUNNEL_XMIT_CONTINUE, > -}; > - > - > struct lwtunnel_state { > __u16 type; > __u16 flags; > diff --git a/net/core/lwtunnel.c b/net/core/lwtunnel.c > index 711cd3b4347a..732415d1287d 100644 > --- a/net/core/lwtunnel.c > +++ b/net/core/lwtunnel.c > @@ -371,7 +371,7 @@ int lwtunnel_xmit(struct sk_buff *skb) > > if (lwtstate->type == LWTUNNEL_ENCAP_NONE || > lwtstate->type > LWTUNNEL_ENCAP_MAX) > - return 0; > + return LWTUNNEL_XMIT_CONTINUE; You are correct this path would leak skb. Return continue (or drop) would avoid the leak. Personally I'd prefer drop instead to signal the error setup. Since this is a separate issue, do you want to send a separate patch on this? Or I am happy to do it if you prefer. > > ret = -EOPNOTSUPP; > rcu_read_lock(); > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c > index 6e70839257f7..4be50a211b14 100644 > --- a/net/ipv4/ip_output.c > +++ b/net/ipv4/ip_output.c > @@ -216,7 +216,7 @@ static int ip_finish_output2(struct net *net, struct sock *sk, struct sk_buff *s > if (lwtunnel_xmit_redirect(dst->lwtstate)) { > int res = lwtunnel_xmit(skb); > > - if (res < 0 || res == LWTUNNEL_XMIT_DONE) > + if (res != LWTUNNEL_XMIT_CONTINUE) > return res; Unfortunately we cannot return res directly here when res > 0. This is the final reason why I didn't patch here. Return values here can be propagated back to sendmsg syscall, so returning a positive value would break the syscall convention. best, Yan > } > > diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c > index 1e8c90e97608..016b0a513259 100644 > --- a/net/ipv6/ip6_output.c > +++ b/net/ipv6/ip6_output.c > @@ -113,7 +113,7 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff * > if (lwtunnel_xmit_redirect(dst->lwtstate)) { > int res = lwtunnel_xmit(skb); > > - if (res < 0 || res == LWTUNNEL_XMIT_DONE) > + if (res != LWTUNNEL_XMIT_CONTINUE) > return res; > } >
On Wed, Jul 26, 2023 at 07:14:56AM -0700, Yan Zhai wrote: > On Wed, Jul 26, 2023 at 04:39:08PM +0300, Dan Carpenter wrote: > > I'm not positive I understand the code in ip_finish_output2(). I think > > instead of looking for LWTUNNEL_XMIT_DONE it should instead look for > > != LWTUNNEL_XMIT_CONTINUE. It's unfortunate that NET_XMIT_DROP and > > LWTUNNEL_XMIT_CONTINUE are the both 0x1. Why don't we just change that > > instead? > > > I considered about changing lwt side logic. But it would bring larger > impact since there are multiple types of encaps on this hook, not just > bpf redirect. Changing bpf return values is a minimum change on the > other hand. In addition, returning value of NET_RX_DROP and > NET_XMIT_CN are the same, so if we don't do something in bpf redirect, > there is no way to distinguish them later: the former is considered as > an error, while "CN" is considered as non-error. Uh, NET_RX/XMIT_DROP values are 1. NET_XMIT_CN is 2. I'm not an expert but I think what happens is that we treat NET_XMIT_CN as success so that it takes a while for the resend to happen. Eventually the TCP layer will detect it as a dropped packet. > > > Also there seems to be a leak in lwtunnel_xmit(). Should that return > > LWTUNNEL_XMIT_CONTINUE or should it call kfree_skb() before returning? > > > > Something like the following? > > > > diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h > > index 11652e464f5d..375790b672bc 100644 > > --- a/include/linux/netdevice.h > > +++ b/include/linux/netdevice.h > > @@ -112,6 +112,9 @@ void netdev_sw_irq_coalesce_default_on(struct net_device *dev); > > #define NET_XMIT_CN 0x02 /* congestion notification */ > > #define NET_XMIT_MASK 0x0f /* qdisc flags in net/sch_generic.h */ > > > > +#define LWTUNNEL_XMIT_DONE NET_XMIT_SUCCESS > > +#define LWTUNNEL_XMIT_CONTINUE 0x3 > > + > > /* NET_XMIT_CN is special. It does not guarantee that this packet is lost. It > > * indicates that the device will soon be dropping packets, or already drops > > * some packets of the same priority; prompting us to send less aggressively. */ > > diff --git a/include/net/lwtunnel.h b/include/net/lwtunnel.h > > index 6f15e6fa154e..8ab032ee04d0 100644 > > --- a/include/net/lwtunnel.h > > +++ b/include/net/lwtunnel.h > > @@ -16,12 +16,6 @@ > > #define LWTUNNEL_STATE_INPUT_REDIRECT BIT(1) > > #define LWTUNNEL_STATE_XMIT_REDIRECT BIT(2) > > > > -enum { > > - LWTUNNEL_XMIT_DONE, > > - LWTUNNEL_XMIT_CONTINUE, > > -}; > > - > > - > > struct lwtunnel_state { > > __u16 type; > > __u16 flags; > > diff --git a/net/core/lwtunnel.c b/net/core/lwtunnel.c > > index 711cd3b4347a..732415d1287d 100644 > > --- a/net/core/lwtunnel.c > > +++ b/net/core/lwtunnel.c > > @@ -371,7 +371,7 @@ int lwtunnel_xmit(struct sk_buff *skb) > > > > if (lwtstate->type == LWTUNNEL_ENCAP_NONE || > > lwtstate->type > LWTUNNEL_ENCAP_MAX) > > - return 0; > > + return LWTUNNEL_XMIT_CONTINUE; > > You are correct this path would leak skb. Return continue (or drop) > would avoid the leak. Personally I'd prefer drop instead to signal the > error setup. Since this is a separate issue, do you want to send a > separate patch on this? Or I am happy to do it if you prefer. > I don't know which makes sense so I'll leave that up to you. > > > > ret = -EOPNOTSUPP; > > rcu_read_lock(); > > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c > > index 6e70839257f7..4be50a211b14 100644 > > --- a/net/ipv4/ip_output.c > > +++ b/net/ipv4/ip_output.c > > @@ -216,7 +216,7 @@ static int ip_finish_output2(struct net *net, struct sock *sk, struct sk_buff *s > > if (lwtunnel_xmit_redirect(dst->lwtstate)) { > > int res = lwtunnel_xmit(skb); > > > > - if (res < 0 || res == LWTUNNEL_XMIT_DONE) > > + if (res != LWTUNNEL_XMIT_CONTINUE) > > return res; > > Unfortunately we cannot return res directly here when res > 0. This is > the final reason why I didn't patch here. Return values here can be > propagated back to sendmsg syscall, so returning a positive value > would break the syscall convention. The neigh_output() function is going to return NET_XMIT_DROP so this already happens. Is that not what we want to happen? I guess my concern is that eventually people will eventually new introduce bugs. Fixing incorrect error codes is something that I do several times per week. :P regards, dan carpenter
On Wed, Jul 26, 2023 at 06:01:00PM +0300, Dan Carpenter wrote: > On Wed, Jul 26, 2023 at 07:14:56AM -0700, Yan Zhai wrote: > > On Wed, Jul 26, 2023 at 04:39:08PM +0300, Dan Carpenter wrote: > > > I'm not positive I understand the code in ip_finish_output2(). I think > > > instead of looking for LWTUNNEL_XMIT_DONE it should instead look for > > > != LWTUNNEL_XMIT_CONTINUE. It's unfortunate that NET_XMIT_DROP and > > > LWTUNNEL_XMIT_CONTINUE are the both 0x1. Why don't we just change that > > > instead? > > > > > I considered about changing lwt side logic. But it would bring larger > > impact since there are multiple types of encaps on this hook, not just > > bpf redirect. Changing bpf return values is a minimum change on the > > other hand. In addition, returning value of NET_RX_DROP and > > NET_XMIT_CN are the same, so if we don't do something in bpf redirect, > > there is no way to distinguish them later: the former is considered as > > an error, while "CN" is considered as non-error. > > Uh, NET_RX/XMIT_DROP values are 1. NET_XMIT_CN is 2. > > I'm not an expert but I think what happens is that we treat NET_XMIT_CN > as success so that it takes a while for the resend to happen. > Eventually the TCP layer will detect it as a dropped packet. > My eyes slipped lines. CN is 2. But the fact RX return value can be returned on a TX path still makes me feel unclean. Odds are low that we will have new statuses in future, it is a risk. I'd hope to contain these values only inside BPF redirect code as they are the reason why such rx values can show up there. Meanwhile, your argument do make good sense to me that the same problem may occur for other stuff. It is true. In fact, I just re-examined BPF-REROUTE path, it has the exact same issue by directly sending dst_output value back. So I would propose to do two things: 1. still convert BPF redirect ingress code to contain the propagation of mixed return. Return only TX side value instead, which is also what majority of those local senders are expecting. (I was wrong about positive values returned to sendmsg below btw, they are not). 2. change LWTUNNEL_XMIT_CONTINUE and check for this at xmit hook. > > > > > Also there seems to be a leak in lwtunnel_xmit(). Should that return > > > LWTUNNEL_XMIT_CONTINUE or should it call kfree_skb() before returning? > > > > > > Something like the following? > > > > > > diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h > > > index 11652e464f5d..375790b672bc 100644 > > > --- a/include/linux/netdevice.h > > > +++ b/include/linux/netdevice.h > > > @@ -112,6 +112,9 @@ void netdev_sw_irq_coalesce_default_on(struct net_device *dev); > > > #define NET_XMIT_CN 0x02 /* congestion notification */ > > > #define NET_XMIT_MASK 0x0f /* qdisc flags in net/sch_generic.h */ > > > > > > +#define LWTUNNEL_XMIT_DONE NET_XMIT_SUCCESS > > > +#define LWTUNNEL_XMIT_CONTINUE 0x3 > > > + > > > /* NET_XMIT_CN is special. It does not guarantee that this packet is lost. It > > > * indicates that the device will soon be dropping packets, or already drops > > > * some packets of the same priority; prompting us to send less aggressively. */ > > > diff --git a/include/net/lwtunnel.h b/include/net/lwtunnel.h > > > index 6f15e6fa154e..8ab032ee04d0 100644 > > > --- a/include/net/lwtunnel.h > > > +++ b/include/net/lwtunnel.h > > > @@ -16,12 +16,6 @@ > > > #define LWTUNNEL_STATE_INPUT_REDIRECT BIT(1) > > > #define LWTUNNEL_STATE_XMIT_REDIRECT BIT(2) > > > > > > -enum { > > > - LWTUNNEL_XMIT_DONE, > > > - LWTUNNEL_XMIT_CONTINUE, > > > -}; > > > - > > > - > > > struct lwtunnel_state { > > > __u16 type; > > > __u16 flags; > > > diff --git a/net/core/lwtunnel.c b/net/core/lwtunnel.c > > > index 711cd3b4347a..732415d1287d 100644 > > > --- a/net/core/lwtunnel.c > > > +++ b/net/core/lwtunnel.c > > > @@ -371,7 +371,7 @@ int lwtunnel_xmit(struct sk_buff *skb) > > > > > > if (lwtstate->type == LWTUNNEL_ENCAP_NONE || > > > lwtstate->type > LWTUNNEL_ENCAP_MAX) > > > - return 0; > > > + return LWTUNNEL_XMIT_CONTINUE; > > > > You are correct this path would leak skb. Return continue (or drop) > > would avoid the leak. Personally I'd prefer drop instead to signal the > > error setup. Since this is a separate issue, do you want to send a > > separate patch on this? Or I am happy to do it if you prefer. > > > > I don't know which makes sense so I'll leave that up to you. > This conversation is juicy, I think we discovered two potential new problem sites (the leak here and the reroute path) :) > > > > > > ret = -EOPNOTSUPP; > > > rcu_read_lock(); > > > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c > > > index 6e70839257f7..4be50a211b14 100644 > > > --- a/net/ipv4/ip_output.c > > > +++ b/net/ipv4/ip_output.c > > > @@ -216,7 +216,7 @@ static int ip_finish_output2(struct net *net, struct sock *sk, struct sk_buff *s > > > if (lwtunnel_xmit_redirect(dst->lwtstate)) { > > > int res = lwtunnel_xmit(skb); > > > > > > - if (res < 0 || res == LWTUNNEL_XMIT_DONE) > > > + if (res != LWTUNNEL_XMIT_CONTINUE) > > > return res; > > > > Unfortunately we cannot return res directly here when res > 0. This is > > the final reason why I didn't patch here. Return values here can be > > propagated back to sendmsg syscall, so returning a positive value > > would break the syscall convention. > > The neigh_output() function is going to return NET_XMIT_DROP so this > already happens. Is that not what we want to happen? > My bad, those return values are processed at ip_send_skb etc, while I was staring only at ip_local_out and beneath with my sleepy eyes. > I guess my concern is that eventually people will eventually new > introduce bugs. Fixing incorrect error codes is something that I do > several times per week. :P > > regards, > dan carpenter > >
On Wed, Jul 26, 2023 at 09:10:20AM -0700, Yan Zhai wrote: > On Wed, Jul 26, 2023 at 06:01:00PM +0300, Dan Carpenter wrote: > > On Wed, Jul 26, 2023 at 07:14:56AM -0700, Yan Zhai wrote: > > > On Wed, Jul 26, 2023 at 04:39:08PM +0300, Dan Carpenter wrote: > > > > I'm not positive I understand the code in ip_finish_output2(). I think > > > > instead of looking for LWTUNNEL_XMIT_DONE it should instead look for > > > > != LWTUNNEL_XMIT_CONTINUE. It's unfortunate that NET_XMIT_DROP and > > > > LWTUNNEL_XMIT_CONTINUE are the both 0x1. Why don't we just change that > > > > instead? > > > > > > > I considered about changing lwt side logic. But it would bring larger > > > impact since there are multiple types of encaps on this hook, not just > > > bpf redirect. Changing bpf return values is a minimum change on the > > > other hand. In addition, returning value of NET_RX_DROP and > > > NET_XMIT_CN are the same, so if we don't do something in bpf redirect, > > > there is no way to distinguish them later: the former is considered as > > > an error, while "CN" is considered as non-error. > > > > Uh, NET_RX/XMIT_DROP values are 1. NET_XMIT_CN is 2. > > > > I'm not an expert but I think what happens is that we treat NET_XMIT_CN > > as success so that it takes a while for the resend to happen. > > Eventually the TCP layer will detect it as a dropped packet. > > > My eyes slipped lines. CN is 2. But the fact RX return value can be > returned on a TX path still makes me feel unclean. Odds are low that > we will have new statuses in future, it is a risk. I'd hope to contain > these values only inside BPF redirect code as they are the reason why > such rx values can show up there. Meanwhile, your argument do make > good sense to me that the same problem may occur for other stuff. It > is true. In fact, I just re-examined BPF-REROUTE path, it has the > exact same issue by directly sending dst_output value back. > > So I would propose to do two things: > 1. still convert BPF redirect ingress code to contain the propagation > of mixed return. Return only TX side value instead, which is also what > majority of those local senders are expecting. (I was wrong about > positive values returned to sendmsg below btw, they are not). > > 2. change LWTUNNEL_XMIT_CONTINUE and check for this at xmit hook. > Sounds good! regards, dan carpenter
On 7/25/23 6:08 PM, Yan Zhai wrote: > skb_do_redirect returns various of values: error code (negative), > 0 (success), and some positive status code, e.g. NET_XMIT_CN, > NET_RX_DROP. Commit 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel > infrastructure") didn't check the return code correctly, so positive > values are propagated back along call chain: > > ip_finish_output2 > -> bpf_xmit > -> run_lwt_bpf > -> skb_do_redirect From looking at skb_do_redirect, the skb_do_redirect should have consumed the skb except for the -EAGAIN return value. afaik, -EAGAIN could only happen by using the bpf_redirect_peer helper. lwt does not have the bpf_redirect_peer helper available, so there is no -EAGAIN case in lwt. iow, skb_do_redirect should have always consumed the skb in lwt. or did I miss something? If that is the case, it feels like the fix should be in run_lwt_bpf() and the "if (ret == 0)" test in run_lwt_bpf() is unnecessary? ret = skb_do_redirect(skb); if (ret == 0) ret = BPF_REDIRECT; > > Inside ip_finish_output2, redirected skb will continue to neighbor > subsystem as if LWTUNNEL_XMIT_CONTINUE is returned, despite that this > skb could have been freed. The bug can trigger use-after-free warning > and crashes kernel afterwards: > > https://gist.github.com/zhaiyan920/8fbac245b261fe316a7ef04c9b1eba48
I'm not a networking person, but I was looking at some use after free
static checker warnings.
Apparently the rule with xmit functions is that if they return a value
> 15 then that means the skb was not freed. Otherwise it's supposed to
be freed. So like NETDEV_TX_BUSY is 0x10 so it's not freed.
This is checked with using the dev_xmit_complete() function. So I feel
like it would make sense for LWTUNNEL_XMIT_CONTINUE to return higher
than 15.
Because that's the bug right? The original code was assuming that
everything besides LWTUNNEL_XMIT_DONE was freed.
regards,
dan carpenter
On Fri, Jul 28, 2023 at 5:02 PM Martin KaFai Lau <martin.lau@linux.dev> wrote: > > On 7/25/23 6:08 PM, Yan Zhai wrote: > > skb_do_redirect returns various of values: error code (negative), > > 0 (success), and some positive status code, e.g. NET_XMIT_CN, > > NET_RX_DROP. Commit 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel > > infrastructure") didn't check the return code correctly, so positive > > values are propagated back along call chain: > > > > ip_finish_output2 > > -> bpf_xmit > > -> run_lwt_bpf > > -> skb_do_redirect > > From looking at skb_do_redirect, the skb_do_redirect should have consumed the > skb except for the -EAGAIN return value. afaik, -EAGAIN could only happen by > using the bpf_redirect_peer helper. lwt does not have the bpf_redirect_peer > helper available, so there is no -EAGAIN case in lwt. iow, skb_do_redirect > should have always consumed the skb in lwt. or did I miss something? > > If that is the case, it feels like the fix should be in run_lwt_bpf() and the > "if (ret == 0)" test in run_lwt_bpf() is unnecessary? > > ret = skb_do_redirect(skb); > if (ret == 0) > ret = BPF_REDIRECT; > > Just fixing skb redirect return code won't be sufficient. I realized there are other return paths that need to be treated, e.g. bpf reroute path also directly returns dev_queue_xmit status. I plan to check for LWTUNNEL_XMIT_CONTINUE (and change it to a value that does not conflict with NET_RX_DROP and NET_XMIT_DROP) in the next revision. On the other hand, the return value of NETDEV_TX_BUSY is another hassle. As Dan suggested, packets might not have been freed when this is returned from drivers. The caller of dev_queue_xmit might need to free skb when this happens. Yan
On 7/31/23 2:35 PM, Yan Zhai wrote: > On Fri, Jul 28, 2023 at 5:02 PM Martin KaFai Lau <martin.lau@linux.dev> wrote: >> >> On 7/25/23 6:08 PM, Yan Zhai wrote: >>> skb_do_redirect returns various of values: error code (negative), >>> 0 (success), and some positive status code, e.g. NET_XMIT_CN, >>> NET_RX_DROP. Commit 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel >>> infrastructure") didn't check the return code correctly, so positive >>> values are propagated back along call chain: >>> >>> ip_finish_output2 >>> -> bpf_xmit >>> -> run_lwt_bpf >>> -> skb_do_redirect >> >> From looking at skb_do_redirect, the skb_do_redirect should have consumed the >> skb except for the -EAGAIN return value. afaik, -EAGAIN could only happen by >> using the bpf_redirect_peer helper. lwt does not have the bpf_redirect_peer >> helper available, so there is no -EAGAIN case in lwt. iow, skb_do_redirect >> should have always consumed the skb in lwt. or did I miss something? >> >> If that is the case, it feels like the fix should be in run_lwt_bpf() and the >> "if (ret == 0)" test in run_lwt_bpf() is unnecessary? >> >> ret = skb_do_redirect(skb); >> if (ret == 0) >> ret = BPF_REDIRECT; >> >> > Just fixing skb redirect return code won't be sufficient. I realized > there are other return paths that need to be treated, e.g. bpf reroute > path also directly returns dev_queue_xmit status. I plan to check for > LWTUNNEL_XMIT_CONTINUE (and change it to a value that does not > conflict with NET_RX_DROP and NET_XMIT_DROP) in the next revision. On > the other hand, the return value of NETDEV_TX_BUSY is another hassle. I suspect we are talking about different things or I am still missing something. I was thinking skb_do_redirect() should have always consumed the skb and bpf_xmit should always return LWTUNNEL_XMIT_DONE also (instead of LWTUNNEL_XMIT_CONTINUE described in the this patch commit message). It is what sch_handle_egress() is doing also. Could you explain how is it different from the skb_do_redirect usage in sch_handle_egress() or you are suggesting the current sch_handle_egress() has the issue too also? > As Dan suggested, packets might not have been freed when this is > returned from drivers. The caller of dev_queue_xmit might need to free > skb when this happens. > > Yan
On Mon, Jul 31, 2023 at 5:11 PM Martin KaFai Lau <martin.lau@linux.dev> wrote: > > On 7/31/23 2:35 PM, Yan Zhai wrote: > > On Fri, Jul 28, 2023 at 5:02 PM Martin KaFai Lau <martin.lau@linux.dev> wrote: > >> > >> On 7/25/23 6:08 PM, Yan Zhai wrote: > >>> skb_do_redirect returns various of values: error code (negative), > >>> 0 (success), and some positive status code, e.g. NET_XMIT_CN, > >>> NET_RX_DROP. Commit 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel > >>> infrastructure") didn't check the return code correctly, so positive > >>> values are propagated back along call chain: > >>> > >>> ip_finish_output2 > >>> -> bpf_xmit > >>> -> run_lwt_bpf > >>> -> skb_do_redirect > >> > >> From looking at skb_do_redirect, the skb_do_redirect should have consumed the > >> skb except for the -EAGAIN return value. afaik, -EAGAIN could only happen by > >> using the bpf_redirect_peer helper. lwt does not have the bpf_redirect_peer > >> helper available, so there is no -EAGAIN case in lwt. iow, skb_do_redirect > >> should have always consumed the skb in lwt. or did I miss something? > >> > >> If that is the case, it feels like the fix should be in run_lwt_bpf() and the > >> "if (ret == 0)" test in run_lwt_bpf() is unnecessary? > >> > >> ret = skb_do_redirect(skb); > >> if (ret == 0) > >> ret = BPF_REDIRECT; > >> > >> > > Just fixing skb redirect return code won't be sufficient. I realized > > there are other return paths that need to be treated, e.g. bpf reroute > > path also directly returns dev_queue_xmit status. I plan to check for > > LWTUNNEL_XMIT_CONTINUE (and change it to a value that does not > > conflict with NET_RX_DROP and NET_XMIT_DROP) in the next revision. On > > the other hand, the return value of NETDEV_TX_BUSY is another hassle. > > I suspect we are talking about different things or I am still missing something. > > I was thinking skb_do_redirect() should have always consumed the skb and > bpf_xmit should always return LWTUNNEL_XMIT_DONE also (instead of > LWTUNNEL_XMIT_CONTINUE described in the this patch commit message). It is what > sch_handle_egress() is doing also. Could you explain how is it different from > the skb_do_redirect usage in sch_handle_egress() or you are suggesting the > current sch_handle_egress() has the issue too also? > I think we were not on the same page. You are absolutely right that skb_do_redirect should consume the packet anyway. The difference between your proposal and this patch is that this patch returns errno or LWTUNNEL_XMIT_DONE, and yours does not even return errno. Both approaches fix the issue of "redirect to down device crashes the kernel". What I commented was an exact same issue at different location: BPF reroute may trigger the crash as well, since it also returns dev_queue_xmit status in bpf_xmit. Need to fix this, or instead fixing LWTUNNEL_XMIT_CONTINUE value and correct the behavior at lwtunnel_xmit rather than bpf_xmit. Yan > > > As Dan suggested, packets might not have been freed when this is > > returned from drivers. The caller of dev_queue_xmit might need to free > > skb when this happens. > > > > Yan >
On 7/31/23 4:01 PM, Yan Zhai wrote: > What I commented was an exact same issue at different location: BPF > reroute may trigger the crash as well, since it also returns > dev_queue_xmit status in bpf_xmit. Need to fix this, or instead fixing > LWTUNNEL_XMIT_CONTINUE value and correct the behavior at lwtunnel_xmit > rather than bpf_xmit. Ah. I think I got it. You meant the bpf_lwt_xmit_reroute() / BPF_LWT_REROUTE case? It would be clearer if some of these names were quoted instead. "reroute" could mean many things. Please put details comment in v5. Thanks. > > Yan > >> >>> As Dan suggested, packets might not have been freed when this is >>> returned from drivers. The caller of dev_queue_xmit might need to free >>> skb when this happens. >>> >>> Yan >>
On Mon, Jul 31, 2023 at 9:26 AM Dan Carpenter <dan.carpenter@linaro.org> wrote: > > I'm not a networking person, but I was looking at some use after free > static checker warnings. Did you refer to the gist I posted or something new? > > Apparently the rule with xmit functions is that if they return a value > > 15 then that means the skb was not freed. Otherwise it's supposed to > be freed. So like NETDEV_TX_BUSY is 0x10 so it's not freed. > > This is checked with using the dev_xmit_complete() function. So I feel > like it would make sense for LWTUNNEL_XMIT_CONTINUE to return higher > than 15. Yes I am adopting your suggestion in v5. Dealing with NETDEV_TX_BUSY would be left as another item (potentially more suited for netdev rather than bpf). Would be great to find a reproduction of memleak. > > Because that's the bug right? The original code was assuming that > everything besides LWTUNNEL_XMIT_DONE was freed. > > regards, > dan carpenter >
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index b828c7a75be2..520d808eec15 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -87,6 +87,8 @@ void netdev_sw_irq_coalesce_default_on(struct net_device *dev); #define NET_RX_SUCCESS 0 /* keep 'em coming, baby */ #define NET_RX_DROP 1 /* packet dropped */ +#define net_rx_errno(e) ((e) == NET_RX_DROP ? -ENOBUFS : (e)) + #define MAX_NEST_DEV 8 /* diff --git a/net/core/filter.c b/net/core/filter.c index 06ba0e56e369..564104543737 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -2095,7 +2095,9 @@ static const struct bpf_func_proto bpf_csum_level_proto = { static inline int __bpf_rx_skb(struct net_device *dev, struct sk_buff *skb) { - return dev_forward_skb_nomtu(dev, skb); + int ret = dev_forward_skb_nomtu(dev, skb); + + return net_rx_errno(ret); } static inline int __bpf_rx_skb_no_mac(struct net_device *dev, @@ -2108,7 +2110,7 @@ static inline int __bpf_rx_skb_no_mac(struct net_device *dev, ret = netif_rx(skb); } - return ret; + return net_rx_errno(ret); } static inline int __bpf_tx_skb(struct net_device *dev, struct sk_buff *skb) @@ -2129,6 +2131,9 @@ static inline int __bpf_tx_skb(struct net_device *dev, struct sk_buff *skb) ret = dev_queue_xmit(skb); dev_xmit_recursion_dec(); + if (unlikely(ret > 0)) + ret = net_xmit_errno(ret); + return ret; }