- dev - passt

[PATCH v2 00/11] Improve robustness of calculations related to frame size limits
by David Gibson 20 Mar '25

20 Mar '25

There are a number of places where we make calculations and checks around how large frames can be and where they sit in memory. Several of these are roughly correct, but can be wrong in certain edge cases. Improve robustness by clarifying what we're doing and being more careful about the edge cases. v2: * Added additional patches 5..11 * Patches 1..4 rebased but unchanged David Gibson (11): vu_common: Tighten vu_packet_check_range() packet: More cautious checks to avoid pointer arithmetic UB tap: Make size of pool_tap[46] purely a tuning parameter tap: Clarify calculation of TAP_MSGS packet: Correct type of PACKET_MAX_LEN packet: Avoid integer overflows in packet_get_do() packet: Move checks against PACKET_MAX_LEN to packet_check_range() packet: Rework packet_get() versus packet_get_try() util: Add abort_with_msg() and ASSERT_WITH_MSG() helpers packet: ASSERT on signs of pool corruption packet: Upgrade severity of most packet errors packet.c | 110 ++++++++++++++++++++++++++++++++++------------------ packet.h | 13 +++++-- passt.h | 2 - tap.c | 43 ++++++++++++++++---- tap.h | 3 +- util.c | 19 +++++++++ util.h | 25 +++++------- vu_common.c | 15 ++++--- 8 files changed, 158 insertions(+), 72 deletions(-) -- 2.48.1

2 12

passt: new version 2025_03_20.32f6212 available
by Stefano Brivio 20 Mar '25

20 Mar '25

The new version with tag 2025_03_20.32f6212 includes the following changes: 32f6212 Makefile: Enable -Wformat-security 07c2d58 conf: Include libgen.h for basename(), fix build against musl ebdd463 tcp: Flush socket before checking for more data in active close state c250ffc migrate: Bump migration version number cfb3740 migrate, tcp: Migrate RFC 7323 timestamp 28772ee migrate, tcp: More careful marshalling of mss parameter during migration 51f3c07 passt-repair: Fix build with -Werror=format-security cb5b593 tcp, flow: Better use flow specific logging heleprs 96fe554 conf: Unify several paths in conf_ports() 78f1f0f test/perf: Simplify iperf3 server lifetime management 26df8a3 conf: Limit maximum MTU based on backend frame size 9d1a6b3 pcap: Correctly set snaplen based on tap backend type b6945e0 Simplify sizing of pkt_buf c4bfa33 tap: Use explicit defines for maximum length of L2 frame 1eda8de packet: Remove redundant TAP_BUF_BYTES define c43972a packet: Give explicit name to maximum packet size 74cd82a conf: Detect vhost-user mode earlier 4b17d04 conf: Move mode detection into helper function bb00a04 conf: Use the same optstring for passt and pasta modes c8b520c flow, repair: Wait for a short while for passt-repair to connect 0470170 passt-repair: Add directory watch 2b58b22 cppcheck: Add suppressions for "logically" exported functions a83c806 vhost_user: Don't export several functions 27395e6 tcp: Don't export tcp_update_csum() 12d5b36 checksum: Don't export various functions e36c35c log: Don't export passt_vsyslog() 57d2db3 treewide: Mark assorted functions static 68b0418 udp: create and send ICMPv6 to local peer when applicable 87e6a46 tap: break out building of udp header from tap_udp6_send function 55431f0 udp: create and send ICMPv4 to local peer when applicable 82a839b tap: break out building of udp header from tap_udp4_send function 1924e25 conf: Be more precise about minimum MTUs 672d786 tcp: Send RST in response to guest packets that match no connection 1f23681 tap: Consider IPv6 flow label when building packet sequences 0081756 ip: Helpers to access IPv6 flow label 52419a6 migrate, tcp: Don't flow_alloc_cancel() during incoming migration b270821 tcp: Unconditionally move to CLOSED state on tcp_rst() 56ce03e tcp: Correct error code handling from tcp_flow_repair_socket() 39f85bc migrate, flow: Don't attempt to migrate TCP flows without passt-repair 7b92f2e migrate, flow: Trivially succeed if migrating with no flows 8747173 selinux: Fixes/workarounds for passt and passt-repair, mostly for libvirt usage be86232 seccomp.sh: Silence stty errors ea69ca6 tap: always set the no_frag flag in IPv4 headers 4dac235 contrib/fedora: Actually install passt-repair SELinux policy file 16553c8 dhcp: Add option code byte in calculation for OPT_MAX boundary check 183bedf Makefile: Use mmap2() as alternative for mmap() in valgrind extra syscalls 1cc5d4c conf: Use 0 instead of -1 as "unassigned" mtu value 3dc7da6 conf: More thorough error checking when parsing --mtu option 65e317a flow: Clean up and generalise flow traversal macros b79a22d flow: Remove unneeded bound parameter from flow traversal macros 7ffca35 flow: Remove unneeded index from foreach_* macros adb46c1 flow: Add flow_perror() helper ba0823f tcp: Don't pass both flow pointer and flow index 854bc7b tcp: Remove spurious prototype for tcp_flow_migrate_shrink_window e56c803 tcp: More type safety for tcp_flow_migrate_target_ext() 5a07eb3 tcp_vu: head_cnt need not be global 6b40651 tap: Remove unused ETH_HDR_INIT() macro 354bc0b packet: Don't pass start and offset separately to packet_check_range() 0a51060 packet: Use flexible array member in struct pool bcc4908 dhcp: Remove option 255 length byte https://passt.top/passt/log/?qt=range&q=2025_02_17.a1e48a0..2025_03_20.32f6… Packages: - Alpine Linux: https://pkgs.alpinelinux.org/packages?name=passt - Arch Linux: https://www.archlinux.org/packages/extra/x86_64/passt/ https://archlinuxarm.org/packages/aarch64/passt https://archlinuxarm.org/packages/armv7h/passt - Chimera: https://pkgs.chimera-linux.org/packages?name=passt - Clear Linux: https://github.com/clearlinux-pkgs/passt/ - Copr (CentOS Stream, EPEL, Fedora, Mageia): https://copr.fedorainfracloud.org/coprs/sbrivio/passt/build/8797676/ permanent mirror: https://passt.top/builds/copr/0^20250320.g32f6212/ - Debian tracker: https://tracker.debian.org/pkg/passt - Fedora updates: https://bodhi.fedoraproject.org/updates/?packages=passt - Gentoo versions: https://packages.gentoo.org/packages/net-misc/passt - GNU Guix: https://packages.guix.gnu.org/packages/passt/ - Homebrew: https://formulae.brew.sh/formula/passt - NixOS: https://github.com/NixOS/nixpkgs/tree/nixos-unstable/pkgs/by-name/pa/passt - openSUSE: https://software.opensuse.org/package/passt - OpenMandriva: https://github.com/OpenMandrivaAssociation/passt/tree/master - PLD Linux: https://git.pld-linux.org/cgi-bin/gitweb.cgi?p=packages/passt.git - Solus: https://github.com/getsolus/packages/tree/main/packages/p/passt - Ubuntu tracker: https://launchpad.net/ubuntu/+source/passt - Void Linux: https://voidlinux.org/packages/?q=passt - Static builds: - Package for other RPM-based distributions, x86_64 only: https://passt.top/builds/latest/x86_64/passt-g32f6212-1.x86_64.rpm - x86_64 static binaries: https://passt.top/builds/latest/x86_64/ - Debian package, from x86_64 static build: https://passt.top/builds/latest/x86_64/passt_32f6212-1_all.deb -- Stefano

1 0

[PATCH] tcp: Flush socket before checking for more data in active close state
by Stefano Brivio 20 Mar '25

20 Mar '25

Otherwise, if all the pending data is acknowledged: - tcp_update_seqack_from_tap() updates the current tap-side ACK sequence (conn->seq_ack_from_tap) - next, we compare the sequence we sent (conn->seq_to_tap) to the ACK sequence (conn->seq_ack_from_tap) in tcp_data_from_sock() to understand if there's more data we can send. If they match, we conclude that we haven't sent any of that data, and keep re-sending it. We need, instead, to flush the socket (drop acknowledged data) before calling tcp_update_seqack_from_tap(), so that once we update conn->seq_ack_from_tap, we can be sure that all data until there is gone from the socket. Link: https://bugs.passt.top/show_bug.cgi?id=114 Reported-by: Marek Marczykowski-Górecki <marmarek(a)invisiblethingslab.com> Fixes: 30f1e082c3c0 ("tcp: Keep updating window and checking for socket data after FIN from guest") Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- tcp.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tcp.c b/tcp.c index 68af43d..fa1d885 100644 --- a/tcp.c +++ b/tcp.c @@ -2049,6 +2049,7 @@ int tcp_tap_handler(const struct ctx *c, uint8_t pif, sa_family_t af, /* Established connections not accepting data from tap */ if (conn->events & TAP_FIN_RCVD) { + tcp_sock_consume(conn, ntohl(th->ack_seq)); tcp_update_seqack_from_tap(c, conn, ntohl(th->ack_seq)); tcp_tap_window_update(conn, ntohs(th->window)); tcp_data_from_sock(c, conn); -- 2.43.0

2 1

[PATCH] conf: Include libgen.h for basename(), fix build against musl
by Stefano Brivio 20 Mar '25

20 Mar '25

Fixes: 4b17d042c7e4 ("conf: Move mode detection into helper function") Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- conf.c | 1 + 1 file changed, 1 insertion(+) diff --git a/conf.c b/conf.c index 0e2e8dc..b54c55d 100644 --- a/conf.c +++ b/conf.c @@ -16,6 +16,7 @@ #include <errno.h> #include <fcntl.h> #include <getopt.h> +#include <libgen.h> #include <string.h> #include <sched.h> #include <sys/types.h> -- 2.43.0

2 1

[PATCH] Makefile: Enable -Wformat-security
by Stefano Brivio 20 Mar '25

20 Mar '25

It looks like an easy win to prevent a number of possible security flaws. Suggested-by: David Gibson <david(a)gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index f2ac8e5..31cbac3 100644 --- a/Makefile +++ b/Makefile @@ -29,7 +29,7 @@ ifeq ($(shell $(CC) -O2 -dM -E - < /dev/null 2>&1 | grep ' _FORTIFY_SOURCE ' > / FORTIFY_FLAG := -D_FORTIFY_SOURCE=2 endif -FLAGS := -Wall -Wextra -Wno-format-zero-length +FLAGS := -Wall -Wextra -Wno-format-zero-length -Wformat-security FLAGS += -pedantic -std=c11 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE FLAGS += $(FORTIFY_FLAG) -O2 -pie -fPIE FLAGS += -DPAGE_SIZE=$(shell getconf PAGE_SIZE) -- 2.43.0

2 1

[PATCH 0/3] Fix migration bugs
by David Gibson 19 Mar '25

19 Mar '25

This series addresses the migration bug I encountered with different (simulated) source and target hosts. While fixing it, I spotted another problem in the migration stream format, with the marshalling of the MSS parameter, so I fixed that as well. Because this represents a change in the migration stream format, but we don't actually bump the version until 3/3, this series should be applied "atomically" - all 3 patches, or none of them. David Gibson (3): migrate, tcp: More careful marshalling of mss parameter during migration migrate, tcp: Migrate RFC7323 timestamp migrate: Bump migration version number migrate.c | 10 ++++++--- tcp.c | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++- tcp_conn.h | 2 ++ 3 files changed, 74 insertions(+), 4 deletions(-) -- 2.48.1

2 4

[PATCH 0/2] udp: add guest-to-remote traceroute for IPv4
by Jon Maloy 19 Mar '25

19 Mar '25

We add support for UDP/IPv4 traceroute in the tap-sock direction. More will follow when this one is settled. Jon Maloy (2): udp: correct source address for ICMP messages udp: support traceroute for IPv4 packet.h | 2 ++ tap.c | 8 ++++++-- udp.c | 36 ++++++++++++++++++++++++------------ udp.h | 3 ++- 4 files changed, 34 insertions(+), 15 deletions(-) -- 2.48.1

2 6

Migration failure across bridge
by David Gibson 19 Mar '25

19 Mar '25

Continued investigating the problem with migration failing across a bridge. Good news is I've found the problem... or at least one problem. Bad news is we'll have to change the migration stream format to fix it. The packets are being dropped in tcp_validate_incoming() due to a failed PAWS check (skb drop reason "TCP_RFC7323_PAWS"). That in turn looks to be because we don't preserve TCP timestamp state across the migration. We preserve _whether_ TCP timestamps are active on the connection (TCPOPT_TIMESTAMP entry in TCP_REPAIR_OPTIONS), but we don't preserve the current timestamp values (TCP_TIMESTAMP socket option). The equivalent CRIU code is https://github.com/checkpoint-restore/criu/blob/d18912fc88f3dc7bde5fdfa3575… and https://github.com/checkpoint-restore/criu/blob/d18912fc88f3dc7bde5fdfa3575… I'll work on writing a fix tomorrow. Not yet sure why we didn't hit this with a local migration. I'm guessing some part of being a local connection means we're bypassing the PAWS check. -- David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson

2 2

[PATCH] passt-repair: Fix build with -Werror=format-security
by Stefano Brivio 19 Mar '25

19 Mar '25

Fixes: 04701702471e ("passt-repair: Add directory watch") Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- Note: I just pushed this for my own sanity, as it's trivial and builds are otherwise broken on CentOS Stream / RHEL. I'm posting for review anyway in the unlikely case something can ever be wrong with this. passt-repair.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/passt-repair.c b/passt-repair.c index 8bb3f00..120f7aa 100644 --- a/passt-repair.c +++ b/passt-repair.c @@ -150,7 +150,7 @@ int main(int argc, char **argv) _exit(1); } - ret = snprintf(a.sun_path, sizeof(a.sun_path), path); + ret = snprintf(a.sun_path, sizeof(a.sun_path), "%s", path); inotify_dir = true; } else { ret = snprintf(a.sun_path, sizeof(a.sun_path), "%s", argv[1]); -- 2.43.0

2 1

[PATCH v2] conf: Unify several paths in conf_ports()
by David Gibson 18 Mar '25

18 Mar '25

In conf_ports() we have three different paths which actually do the setup of an individual forwarded port: one for the "all" case, one for the exclusions only case and one for the range of ports with possible exclusions case. We can unify those cases using a new helper which handles a single range of ports, with a bitmap of exclusions. Although this is slightly longer (largely due to the new helpers function comment), it reduces duplicated logic. It will also make future improvements to the tracking of port forwards easier. The new conf_ports_range_except() function has a pretty prodigious parameter list, but I still think it's an overall improvement in conceptual complexity. Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- conf.c | 173 ++++++++++++++++++++++++++++++--------------------------- 1 file changed, 90 insertions(+), 83 deletions(-) v2: * Commit message updated slightly, but otherwise unmodified. diff --git a/conf.c b/conf.c index 065e7201..4e0099ba 100644 --- a/conf.c +++ b/conf.c @@ -123,6 +123,75 @@ static int parse_port_range(const char *s, char **endptr, return 0; } +/** + * conf_ports_range_except() - Set up forwarding for a range of ports minus a + * bitmap of exclusions + * @c: Execution context + * @optname: Short option name, t, T, u, or U + * @optarg: Option argument (port specification) + * @fwd: Pointer to @fwd_ports to be updated + * @addr: Listening address + * @ifname: Listening interface + * @first: First port to forward + * @last: Last port to forward + * @exclude: Bitmap of ports to exclude + * @to: Port to translate @first to when forwarding + * @weak: Ignore errors, as long as at least one port is mapped + */ +static void conf_ports_range_except(const struct ctx *c, char optname, + const char *optarg, struct fwd_ports *fwd, + const union inany_addr *addr, + const char *ifname, + uint16_t first, uint16_t last, + const uint8_t *exclude, uint16_t to, + bool weak) +{ + bool bound_one = false; + unsigned i; + int ret; + + if (first == 0) { + die("Can't forward port 0 for option '-%c %s'", + optname, optarg); + } + + for (i = first; i <= last; i++) { + if (bitmap_isset(exclude, i)) + continue; + + if (bitmap_isset(fwd->map, i)) { + warn( +"Altering mapping of already mapped port number: %s", optarg); + } + + bitmap_set(fwd->map, i); + fwd->delta[i] = to - first; + + if (optname == 't') + ret = tcp_sock_init(c, addr, ifname, i); + else if (optname == 'u') + ret = udp_sock_init(c, 0, addr, ifname, i); + else + /* No way to check in advance for -T and -U */ + ret = 0; + + if (ret == -ENFILE || ret == -EMFILE) { + die("Can't open enough sockets for port specifier: %s", + optarg); + } + + if (!ret) { + bound_one = true; + } else if (!weak) { + die("Failed to bind port %u (%s) for option '-%c %s'", + i, strerror_(-ret), optname, optarg); + } + } + + if (!bound_one) + die("Failed to bind any port for '-%c %s'", optname, optarg); +} + /** * conf_ports() - Parse port configuration options, initialise UDP/TCP sockets * @c: Execution context @@ -135,10 +204,9 @@ static void conf_ports(const struct ctx *c, char optname, const char *optarg, { union inany_addr addr_buf = inany_any6, *addr = &addr_buf; char buf[BUFSIZ], *spec, *ifname = NULL, *p; - bool exclude_only = true, bound_one = false; uint8_t exclude[PORT_BITMAP_SIZE] = { 0 }; + bool exclude_only = true; unsigned i; - int ret; if (!strcmp(optarg, "none")) { if (fwd->mode) @@ -173,32 +241,15 @@ static void conf_ports(const struct ctx *c, char optname, const char *optarg, fwd->mode = FWD_ALL; - /* Skip port 0. It has special meaning for many socket APIs, so - * trying to bind it is not really safe. - */ - for (i = 1; i < NUM_PORTS; i++) { + /* Exclude ephemeral ports */ + for (i = 0; i < NUM_PORTS; i++) if (fwd_port_is_ephemeral(i)) - continue; - - bitmap_set(fwd->map, i); - if (optname == 't') { - ret = tcp_sock_init(c, NULL, NULL, i); - if (ret == -ENFILE || ret == -EMFILE) - goto enfile; - if (!ret) - bound_one = true; - } else if (optname == 'u') { - ret = udp_sock_init(c, 0, NULL, NULL, i); - if (ret == -ENFILE || ret == -EMFILE) - goto enfile; - if (!ret) - bound_one = true; - } - } - - if (!bound_one) - goto bind_all_fail; + bitmap_set(exclude, i); + conf_ports_range_except(c, optname, optarg, fwd, + NULL, NULL, + 1, NUM_PORTS - 1, exclude, + 1, true); return; } @@ -275,37 +326,15 @@ static void conf_ports(const struct ctx *c, char optname, const char *optarg, } while ((p = next_chunk(p, ','))); if (exclude_only) { - /* Skip port 0. It has special meaning for many socket APIs, so - * trying to bind it is not really safe. - */ - for (i = 1; i < NUM_PORTS; i++) { - if (fwd_port_is_ephemeral(i) || - bitmap_isset(exclude, i)) - continue; - - bitmap_set(fwd->map, i); - - if (optname == 't') { - ret = tcp_sock_init(c, addr, ifname, i); - if (ret == -ENFILE || ret == -EMFILE) - goto enfile; - if (!ret) - bound_one = true; - } else if (optname == 'u') { - ret = udp_sock_init(c, 0, addr, ifname, i); - if (ret == -ENFILE || ret == -EMFILE) - goto enfile; - if (!ret) - bound_one = true; - } else { - /* No way to check in advance for -T and -U */ - bound_one = true; - } - } - - if (!bound_one) - goto bind_all_fail; + /* Exclude ephemeral ports */ + for (i = 0; i < NUM_PORTS; i++) + if (fwd_port_is_ephemeral(i)) + bitmap_set(exclude, i); + conf_ports_range_except(c, optname, optarg, fwd, + addr, ifname, + 1, NUM_PORTS - 1, exclude, + 1, true); return; } @@ -334,40 +363,18 @@ static void conf_ports(const struct ctx *c, char optname, const char *optarg, if ((*p != '\0') && (*p != ',')) /* Garbage after the ranges */ goto bad; - for (i = orig_range.first; i <= orig_range.last; i++) { - if (bitmap_isset(fwd->map, i)) - warn( -"Altering mapping of already mapped port number: %s", optarg); - - if (bitmap_isset(exclude, i)) - continue; - - bitmap_set(fwd->map, i); - - fwd->delta[i] = mapped_range.first - orig_range.first; - - ret = 0; - if (optname == 't') - ret = tcp_sock_init(c, addr, ifname, i); - else if (optname == 'u') - ret = udp_sock_init(c, 0, addr, ifname, i); - if (ret) - goto bind_fail; - } + conf_ports_range_except(c, optname, optarg, fwd, + addr, ifname, + orig_range.first, orig_range.last, + exclude, + mapped_range.first, false); } while ((p = next_chunk(p, ','))); return; -enfile: - die("Can't open enough sockets for port specifier: %s", optarg); bad: die("Invalid port specifier %s", optarg); mode_conflict: die("Port forwarding mode '%s' conflicts with previous mode", optarg); -bind_fail: - die("Failed to bind port %u (%s) for option '-%c %s', exiting", - i, strerror_(-ret), optname, optarg); -bind_all_fail: - die("Failed to bind any port for '-%c %s', exiting", optname, optarg); } /** -- 2.48.1

3 6