From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>
Cc: Matt Hamilton <matt@thmail.io>, passt-user@passt.top
Subject: Re: Pasta 20240726 and newer crash with ASSERTION FAILED in flow_hash
Date: Wed, 14 Aug 2024 20:01:28 +1000
Message-ID: <ZryAeIVWH_SaQmq9@zatzit.fritz.box>
In-Reply-To: <20240814084022.02e39e31@elisabeth>
On Wed, Aug 14, 2024 at 08:40:22AM +0200, Stefano Brivio wrote:
> Hi Matt,
>
> On Tue, 13 Aug 2024 22:58:42 -0700
> Matt Hamilton <matt@thmail.io> wrote:
>
> > I am using Podman in Fedora 40, which uses pasta by default for rootless
> > container networking.
> >
> > Fedora 40's base version of passt is `passt-0^20240326.g4988e2b-1.fc40`,
> > but recently two newer versions were released,
> > `passt-0^20240726.g57a21d2-1.fc40` and `0^20240806.gee36266-1.fc40`.
> >
> > After upgrading, one pod kept going offline after a few minutes. The
> > containers remained running, but could not make outbound connections.
> > Journalctl revealed that the pasta process for the pod had crashed with:
> >
> > Aug 08 23:07:55 dev pasta[95859]: ASSERTION FAILED in flow_hash
> > (flow.c:566): pif != PIF_NONE && !inany_is_unspecified(&side->eaddr)
> > && side->eport != 0 && side->fport != 0
> > Aug 08 23:07:55 dev audit[95859]: SECCOMP auid=1000 uid=1000
> > gid=1000 ses=1
> > subj=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023
> > pid=95859 comm="pasta.avx2" exe="/usr/bin/pasta.avx2" sig=31
> > arch=c000003e syscall=186 compat=0 ip=0x7f8f8c23b64f code=0x80000000
> > Aug 08 23:07:55 dev audit[95859]: ANOM_ABEND auid=1000 uid=1000
> > gid=1000 ses=1
> > subj=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023
> > pid=95859 comm="pasta.avx2" exe="/usr/bin/pasta.avx2" sig=31 res=1
> >
> > After much debugging, I isolated the trigger to a particular container
> > making a peer-to-peer TCP connection to a remote address with port 0.
>
> Thanks for the analysis and for the report!
>
> > Reverting passt to version 20240326 works as expected, and the container
> > stays online. It's been a long time since I wrote any C, but the code
> > seems clear and checks that the endpoint and forwarding ports do not
> > equal 0. I assume that a port 0 connection is not realistic or useful,
> > and that actual attempts to connect over this port indicate a bug in the
> > client code. Is this correct?
>
> Right, that's somehow unexpected because TCP port zero is reserved
> and not assigned, so it should never be used. However, I'm not sure how
> we can even reach flow_hash() with it.
>
> David, this seems to come from 163a339214dd ("tcp, flow: Replace TCP
> specific hash function with general flow hash"), any clue?

Stefano reproduced, and I've found the issue. The assert was intended
to check that we never created flows with 0 port - and we don't.
Unfortunately it was also invoked when searching for an existing flow
matching a new packet.

Patch coming shortly. Note that this will fix the crash, but it still
won't permit the connection to port 0 to go through. I don't know if
that will allow your application to run, or whether it relies on that
port 0 connection.

Actually allowing the connection to go through would be much harder.
It's easy to remove the explicit checks, obviously, but making sure we
never pass that 0 to an API where it doesn't mean what we want it to
would require some time.

--
David Gibson (he or they) | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you, not the other way
| around.
http://www.ozlabs.org/~dgibson
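
Added example, not part of the message above and not passt's code: a minimal C model of the pattern the reply describes, where an invariant asserted for flows we create must not also run on keys taken from incoming packets. The names struct side, side_hash, flow_insert and flow_lookup, the IPv4-only address and the table size are assumptions made for illustration.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#define TABLE_SIZE 64	/* power of two; size constructed for this example */

/* Hypothetical, simplified flow key: not passt's real structure */
struct side {
	uint32_t eaddr;		/* endpoint address, 0 means unspecified */
	uint16_t eport, fport;	/* endpoint and forwarding ports */
};
static struct side table[TABLE_SIZE];
static bool used[TABLE_SIZE];

static bool side_valid(const struct side *s)
{
	return s->eaddr != 0 && s->eport != 0 && s->fport != 0;
}

/* Pure hash (FNV-1a style mixing): no assertion, defined for any input */
static uint32_t side_hash(const struct side *s)
{
	uint32_t h = 2166136261u;
	h = (h ^ s->eaddr) * 16777619u;
	h = (h ^ s->eport) * 16777619u;
	h = (h ^ s->fport) * 16777619u;
	return h & (TABLE_SIZE - 1);
}

/* Insert: the key was built by our own code, so the invariant is asserted */
int flow_insert(const struct side *s)
{
	uint32_t b = side_hash(s);
	assert(side_valid(s));
	for (int i = 0; i < TABLE_SIZE; i++, b = (b + 1) & (TABLE_SIZE - 1))
		if (!used[b]) { table[b] = *s; used[b] = true; return (int)b; }
	return -1;	/* table full */
}

/* Lookup: the key comes from a packet, so an invalid one means "no flow" */
int flow_lookup(const struct side *s)
{
	uint32_t b = side_hash(s);
	if (!side_valid(s))
		return -1;
	for (int i = 0; i < TABLE_SIZE && used[b]; i++, b = (b + 1) & (TABLE_SIZE - 1))
		if (table[b].eaddr == s->eaddr && table[b].eport == s->eport &&
		    table[b].fport == s->fport)
			return (int)b;
	return -1;
}
```

A lookup with port 0 returns -1 like any other miss, so the caller can drop or reset the connection instead of the process aborting.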