Re: [PATCH net 1/3] net: Extend bpf_net_context lifetime to cover qdisc enqueue

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] The patch moves `bpf_net_context` initialization to `__dev_queue_xmit()`, but fails to handle asynchronous qdisc enqueue operations (e.g., via `netem`'s `dequeue` function), leaving a NULL pointer dereference unaddressed when qevents execute during `net_tx_action()`.
--

commit 804facd8bc23cc276a2c5ce958a8503b7b036912
Author: Jamal Hadi Salim <jhs@mojatatu.com>

net: Extend bpf_net_context lifetime to cover qdisc enqueue

This commit moves the bpf_net_context lifecycle management from
sch_handle_egress() to __dev_queue_xmit(). The intent is to cover the
qdisc enqueue phase so that a qevent filter returning TC_ACT_REDIRECT can
safely call skb_do_redirect() without triggering a NULL pointer dereference.

Closes: https://sashiko.dev/#/patchset/20260620130749.226642-1-jhs%40mojatatu.com

> diff --git a/net/core/dev.c b/net/core/dev.c
> index 4b3d5cfdf6e00..8c214bfff8aa9 100644
> --- a/net/core/dev.c
> +++ b/net/core/dev.c

[ ... ]

> @@ -4795,6 +4791,9 @@ int __dev_queue_xmit(struct sk_buff *skb, struct net_device *sb_dev)
>  	skb_update_prio(skb);
>  
>  	tcx_set_ingress(skb, false);
> +#ifdef CONFIG_NET_XGRESS
> +	bpf_net_ctx = bpf_net_ctx_set(&__bpf_net_ctx);
> +#endif

[Severity: High]
This is a pre-existing issue, but does this patch fully cover asynchronous
qdisc enqueue operations?

While this patch successfully covers synchronous enqueue via
__dev_queue_xmit(), the bpf_net_context might still be uninitialized during
asynchronous qdisc operations driven by the net_tx_action() softirq.

For example, if netem delays a packet, its dequeue function is called
asynchronously from net_tx_action() in net/core/dev.c, which runs
qdisc_run() without setting up a bpf_net_context. The netem_dequeue()
function then enqueues the packet to its child qdisc.

If that child qdisc evaluates a qevent and the attached BPF filter calls the
bpf_redirect() helper, the helper invokes bpf_net_ctx_get_ri() in
include/linux/filter.h:

struct bpf_net_context *bpf_net_ctx = bpf_net_ctx_get();

if (!(bpf_net_ctx->ri.kern_flags & BPF_RI_F_RI_INIT)) {

Since net_tx_action() did not initialize the context, current->bpf_net_context
is NULL, resulting in a kernel panic when accessing bpf_net_ctx->ri.

Although a later patch ("net/sched: Handle TC_ACT_REDIRECT from qdisc filter
chains") addresses the crash in skb_do_redirect(), does it prevent the crash
inside the bpf_redirect() helper itself during these asynchronous paths?

>  #ifdef CONFIG_NET_EGRESS
>  	if (static_branch_unlikely(&egress_needed_key)) {
>  		if (nf_hook_egress_active()) {

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260626165156.169012-1-jhs@mojatatu.com?part=1