From: John Fastabend <john.fastabend@gmail.com>
To: Eric Dumazet <edumazet@google.com>,
"David S . Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
Daniel Borkmann <daniel@iogearbox.net>,
Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org,
eric.dumazet@gmail.com, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
John Fastabend <john.fastabend@gmail.com>,
Jakub Sitnicki <jakub@cloudflare.com>
Subject: RE: [PATCH net] bpf, sockmap: avoid potential NULL dereference in sk_psock_verdict_data_ready()
Date: Tue, 30 May 2023 14:01:20 -0700
Message-ID: <647664201d3ce_16adb2085c@john.notmuch>
In-Reply-To: <20230530195149.68145-1-edumazet@google.com>
Eric Dumazet wrote:
> syzbot found sk_psock(sk) could return NULL when called
> from sk_psock_verdict_data_ready().
>
> Just make sure to handle this case.
>
> [1]
> general protection fault, probably for non-canonical address 0xdffffc000000005c: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x00000000000002e0-0x00000000000002e7]
> CPU: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 6.4.0-rc3-syzkaller-00588-g4781e965e655 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/16/2023
> RIP: 0010:sk_psock_verdict_data_ready+0x19f/0x3c0 net/core/skmsg.c:1213
> Code: 4c 89 e6 e8 63 70 5e f9 4d 85 e4 75 75 e8 19 74 5e f9 48 8d bb e0 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 07 02 00 00 48 89 ef ff 93 e0 02 00 00 e8 29 fd
> RSP: 0018:ffffc90000147688 EFLAGS: 00010206
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000100
> RDX: 000000000000005c RSI: ffffffff8825ceb7 RDI: 00000000000002e0
> RBP: ffff888076518c40 R08: 0000000000000007 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000008000 R15: ffff888076518c40
> FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f901375bab0 CR3: 000000004bf26000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> tcp_data_ready+0x10a/0x520 net/ipv4/tcp_input.c:5006
> tcp_data_queue+0x25d3/0x4c50 net/ipv4/tcp_input.c:5080
> tcp_rcv_established+0x829/0x1f90 net/ipv4/tcp_input.c:6019
> tcp_v4_do_rcv+0x65a/0x9c0 net/ipv4/tcp_ipv4.c:1726
> tcp_v4_rcv+0x2cbf/0x3340 net/ipv4/tcp_ipv4.c:2148
> ip_protocol_deliver_rcu+0x9f/0x480 net/ipv4/ip_input.c:205
> ip_local_deliver_finish+0x2ec/0x520 net/ipv4/ip_input.c:233
> NF_HOOK include/linux/netfilter.h:303 [inline]
> NF_HOOK include/linux/netfilter.h:297 [inline]
> ip_local_deliver+0x1ae/0x200 net/ipv4/ip_input.c:254
> dst_input include/net/dst.h:468 [inline]
> ip_rcv_finish+0x1cf/0x2f0 net/ipv4/ip_input.c:449
> NF_HOOK include/linux/netfilter.h:303 [inline]
> NF_HOOK include/linux/netfilter.h:297 [inline]
> ip_rcv+0xae/0xd0 net/ipv4/ip_input.c:569
> __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5491
> __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5605
> process_backlog+0x101/0x670 net/core/dev.c:5933
> __napi_poll+0xb7/0x6f0 net/core/dev.c:6499
> napi_poll net/core/dev.c:6566 [inline]
> net_rx_action+0x8a9/0xcb0 net/core/dev.c:6699
> __do_softirq+0x1d4/0x905 kernel/softirq.c:571
> run_ksoftirqd kernel/softirq.c:939 [inline]
> run_ksoftirqd+0x31/0x60 kernel/softirq.c:931
> smpboot_thread_fn+0x659/0x9e0 kernel/smpboot.c:164
> kthread+0x344/0x440 kernel/kthread.c:379
> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
> </TASK>
>
> Fixes: 6df7f764cd3c ("bpf, sockmap: Wake up polling after data copy")
> Reported-by: syzbot <syzkaller@googlegroups.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: John Fastabend <john.fastabend@gmail.com>
> Cc: Daniel Borkmann <daniel@iogearbox.net>
> Cc: Jakub Sitnicki <jakub@cloudflare.com>
> ---
Seems syzbot is getting good at finding misuse of psock.
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
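The KASAN report quoted above is worth reading closely, because the faulting address is not the address the kernel tried to touch: the GPF hits the shadow byte that instrumented code reads before the real access. On x86-64 the generic KASAN shadow byte for an address is at (addr >> 3) + 0xdffffc0000000000, so 0xdffffc000000005c maps back to 0x2e0, which is the "null-ptr-deref in range [0x2e0-0x2e7]" line. The register dump agrees: RBX is 0 and RDI is 0x2e0, i.e. a field at offset 0x2e0 read through a NULL struct pointer. The following C program is an added example, not part of this patch or of the kernel's own report code; it reproduces that decoding. The shadow offset and scale are the x86-64 generic-KASAN values; the PAGE_SIZE and TASK_SIZE thresholds used to label the access kind are assumed constants for x86-64.

```c
/* Added example: decode a KASAN "non-canonical address" GPF back to the
 * access that triggered it. Not kernel code; constants are the x86-64
 * generic-KASAN values, size thresholds are assumptions for this example. */
#include <stdint.h>
#include <stdio.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL /* x86-64 shadow base */
#define KASAN_SHADOW_SCALE_SHIFT 3                     /* one shadow byte per 8 bytes */
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define PAGE_SIZE_X86            4096ULL               /* assumed: NULL page size */
#define TASK_SIZE_X86            0x00007ffffffff000ULL /* assumed: top of user space */

enum fault_kind { NULL_PTR_DEREF, USER_MEMORY_ACCESS, WILD_MEMORY_ACCESS, NOT_SHADOW };

struct decoded_fault {
	enum fault_kind kind;
	uint64_t start;  /* first byte of the 8-byte granule that was checked */
	uint64_t end;    /* last byte of that granule */
};

/* Address of the shadow byte the instrumentation reads for an access at addr. */
uint64_t kasan_shadow_addr(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse mapping: start of the granule whose shadow byte lives at shadow. */
uint64_t kasan_shadow_to_addr(uint64_t shadow)
{
	return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* Classify a faulting address from a GPF line. If it falls inside the shadow
 * of the 64-bit address space, recover the original granule and label it the
 * way the report above labels it (NULL page, user range, or wild). */
struct decoded_fault decode_kasan_gpf(uint64_t fault_addr)
{
	struct decoded_fault d = { NOT_SHADOW, 0, 0 };
	/* shadow of the whole 2^64 space is 2^61 bytes past the offset */
	uint64_t shadow_end = KASAN_SHADOW_OFFSET + (1ULL << (64 - KASAN_SHADOW_SCALE_SHIFT));

	if (fault_addr < KASAN_SHADOW_OFFSET || fault_addr >= shadow_end)
		return d; /* an ordinary bad pointer, not a shadow lookup */

	d.start = kasan_shadow_to_addr(fault_addr);
	d.end = d.start + KASAN_GRANULE_SIZE - 1;
	if (d.start < PAGE_SIZE_X86)
		d.kind = NULL_PTR_DEREF;
	else if (d.start < TASK_SIZE_X86)
		d.kind = USER_MEMORY_ACCESS;
	else
		d.kind = WILD_MEMORY_ACCESS;
	return d;
}

static const char *kind_name(enum fault_kind k)
{
	switch (k) {
	case NULL_PTR_DEREF:     return "null-ptr-deref";
	case USER_MEMORY_ACCESS: return "probably user-memory-access";
	case WILD_MEMORY_ACCESS: return "maybe wild-memory-access";
	default:                 return "not a KASAN shadow address";
	}
}

int main(void)
{
	/* The address from the report quoted in this thread. */
	uint64_t gpf = 0xdffffc000000005cULL;
	struct decoded_fault d = decode_kasan_gpf(gpf);

	printf("GPF at 0x%llx -> %s in range [0x%llx-0x%llx]\n",
	       (unsigned long long)gpf, kind_name(d.kind),
	       (unsigned long long)d.start, (unsigned long long)d.end);
	return 0;
}
```

The decoded range [0x2e0-0x2e7] is the 8-byte field access at offset 0x2e0 from a NULL pointer; pairing that offset with the `struct sk_psock` layout of the reported build identifies which member was read. A fault address outside the shadow window decodes as NOT_SHADOW and should be read as a plain wild pointer rather than a KASAN check.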
Thread overview:
2023-05-30 19:51 [PATCH net] bpf, sockmap: avoid potential NULL dereference in sk_psock_verdict_data_ready() Eric Dumazet
2023-05-30 21:01 ` John Fastabend [this message]
2023-06-01 14:33 ` Daniel Borkmann