From: sashiko-bot@kernel.org
To: "Sun Jian" <sun.jian.kdev@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf v5 2/2] selftests/bpf: Cover generic devmap egress last-dst rewrite
Date: Fri, 12 Jun 2026 11:56:56 +0000 [thread overview]
Message-ID: <20260612115656.B59841F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260612114032.244616-3-sun.jian.kdev@gmail.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [Medium] The sentinel value `sentinel_mac` is identically initialized to the same value as `last_mac`, masking the bug the test is intended to detect and resulting in unreachably broken assertions.
- [Low] Redundant manual file descriptor validation on skeleton-generated maps violates the BPF subsystem Skeleton vs Manual Lookup guidelines.
Pre-existing issues:
- [High] Uninitialized stack variable `net_config` is passed to `cleanup_network` on error paths in `xdp_veth_egress`, leading to undefined behavior and potential command injection.
--
commit a20e1dfd3338912dfdbb631c91d105ada7591c25
Author: Sun Jian <sun.jian.kdev@gmail.com>
selftests/bpf: Cover generic devmap egress last-dst rewrite
This commit strengthens xdp_veth_egress to check that each destination
observes the MAC selected for its own egress ifindex, and adds a generic
XDP last-destination test.
> diff --git a/tools/testing/selftests/bpf/prog_tests/test_xdp_veth.c b/tools/testing/selftests/bpf/prog_tests/test_xdp_veth.c
> index 3e98a16659362..1675b32753a8a 100644
> --- a/tools/testing/selftests/bpf/prog_tests/test_xdp_veth.c
> +++ b/tools/testing/selftests/bpf/prog_tests/test_xdp_veth.c
> @@ -531,15 +541,162 @@ static void xdp_veth_egress(u32 flags)
[ ... ]
> +destroy_xdp_redirect_map:
> + close_netns(nstoken);
> + xdp_redirect_map__destroy(xdp_redirect_map);
> +destroy_xdp_redirect_multi_kern:
> + xdp_redirect_multi_kern__destroy(xdp_redirect_multi_kern);
> +destroy_xdp_dummy:
> + xdp_dummy__destroy(xdp_dummy);
> +
> + cleanup_network(&net_config);
[Severity: High]
This isn't a bug introduced by this patch, but is it safe to pass the
uninitialized net_config struct to cleanup_network() on error paths?
In xdp_veth_egress(), we declare net_config without initialization:
struct net_configuration net_config;
If skeleton loading fails (e.g., xdp_redirect_multi_kern__open_and_load()),
the code jumps to destroy_xdp_dummy and calls cleanup_network(&net_config).
Inside cleanup_network(), uninitialized stack data like net_config.ns0_name
is passed to system() commands via SYS_NOFAIL(), which might trigger arbitrary
shell commands since selftests run as root.
> +}
> +
> +static void xdp_veth_egress_last_dst(u32 flags)
> +{
[ ... ]
> + if (!ASSERT_OK(create_network(&net_config), "create network"))
> + goto destroy_xdp_redirect_map;
> +
> + mac_map = bpf_map__fd(xdp_redirect_multi_kern->maps.mac_map);
> + if (!ASSERT_OK_FD(mac_map, "open mac_map"))
> + goto destroy_xdp_redirect_map;
> +
> + egress_map = bpf_map__fd(xdp_redirect_multi_kern->maps.map_egress);
> + if (!ASSERT_OK_FD(egress_map, "open map_egress"))
> + goto destroy_xdp_redirect_map;
[Severity: Low]
Are these FD validation checks needed?
After a successful skeleton __open_and_load(), the skeleton guarantees that
all maps and programs are loaded with valid FDs. We don't need additional
ASSERT_OK_FD() validation when accessing fields like
xdp_redirect_multi_kern->maps.mac_map.
[ ... ]
> + res_map = bpf_map__fd(xdp_redirect_map->maps.rx_mac);
> + if (!ASSERT_OK_FD(res_map, "open rx_map"))
> + goto destroy_xdp_redirect_map;
> +
> + memcpy(&sentinel_mac, egress_macs[VETH_PAIRS_COUNT - 1], ETH_ALEN);
> + memcpy(&last_mac, egress_macs[VETH_PAIRS_COUNT - 1], ETH_ALEN);
[Severity: Medium]
Does initializing sentinel_mac and last_mac to the same value bypass the
intended checks?
Since both are initialized to egress_macs[VETH_PAIRS_COUNT - 1], if the
res equals last_mac, the test will fail at the first assertion:
if (!ASSERT_NEQ(res, sentinel_mac, "rx_mac overwritten by store_mac_1"))
with a misleading error message. The second assertion checking against
last_mac then becomes unreachable:
if (!ASSERT_NEQ(res, last_mac, "earlier dst not rewritten by last dst"))
> +
> + key = 0;
> + err = bpf_map_update_elem(res_map, &key, &sentinel_mac, 0);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260612114032.244616-1-sun.jian.kdev@gmail.com?part=2
next prev parent reply other threads:[~2026-06-12 11:56 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-12 11:40 [PATCH bpf v5 0/2] bpf: Fix generic devmap egress skb sharing Sun Jian
2026-06-12 11:40 ` [PATCH bpf v5 1/2] bpf: Run generic devmap egress prog on private skb Sun Jian
2026-06-13 17:25 ` Jakub Kicinski
2026-06-13 17:53 ` Alexei Starovoitov
2026-06-13 20:03 ` Jakub Kicinski
2026-06-12 11:40 ` [PATCH bpf v5 2/2] selftests/bpf: Cover generic devmap egress last-dst rewrite Sun Jian
2026-06-12 11:56 ` sashiko-bot [this message]
2026-06-13 1:30 ` [PATCH bpf v5 0/2] bpf: Fix generic devmap egress skb sharing patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260612115656.B59841F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=sun.jian.kdev@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.