From: "Toke Høiland-Jørgensen" <toke@redhat.com>
To: Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
syzbot <syzbot+cca39e6e84a367a7e6f6@syzkaller.appspotmail.com>
Cc: alexei.starovoitov@gmail.com, andrii@kernel.org, ast@kernel.org,
bpf@vger.kernel.org, daniel@iogearbox.net, davem@davemloft.net,
eddyz87@gmail.com, haoluo@google.com, hawk@kernel.org,
john.fastabend@gmail.com, jolsa@kernel.org, kpsingh@kernel.org,
kuba@kernel.org, linux-kernel@vger.kernel.org,
martin.lau@linux.dev, michal.switala@infogain.com,
netdev@vger.kernel.org, revest@google.com, sdf@fomichev.me,
sdf@google.com, song@kernel.org, syzkaller-bugs@googlegroups.com,
yonghong.song@linux.dev
Subject: Re: [syzbot] [bpf?] [net?] general protection fault in dev_map_enqueue (2)
Date: Fri, 20 Sep 2024 13:18:53 +0200
Message-ID: <874j6aindu.fsf@toke.dk>
In-Reply-To: <20240902080232.wnhtxiWK@linutronix.de>

Sebastian Andrzej Siewior <bigeasy@linutronix.de> writes:

> On 2024-08-31 13:55:02 [-0700], syzbot wrote:
>> syzbot suspects this issue was fixed by commit:
>>
>> commit 401cb7dae8130fd34eb84648e02ab4c506df7d5e
>> Author: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
>> Date: Thu Jun 20 13:22:04 2024 +0000
>>
>> net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.
>>
>> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12597c63980000
>> start commit: 36534d3c5453 tcp: use signed arithmetic in tcp_rtx_probe0_..
>> git tree: bpf
>> kernel config: https://syzkaller.appspot.com/x/.config?x=333ebe38d43c42e2
>> dashboard link: https://syzkaller.appspot.com/bug?extid=cca39e6e84a367a7e6f6
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13390aea980000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10948741980000
>
> This looks like ri->tgt_value is a NULL pointer (dst in
> dev_map_enqueue()). The commit referenced by syz should not have fixed
> that.
> It is possible that there were leftovers in bpf_redirect_info (from a
> previous invocation) which were memset(,0,) during the switch from
> per-CPU to stack usage and now it does not trigger anymore.

Yes, I believe you are right. AFAICT, the original issue stems from the
SKB path and XDP path using the same numeric flag values in the
ri->flags field (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). So if
bpf_redirect_neigh() was used and subsequently an XDP redirect was
performed using the same bpf_redirect_info struct, the XDP path would
get confused and end up crashing. Now, with the stack-allocated
bpf_redirect_info, this sharing can no longer happen, so the crash
doesn't happen anymore.

However, different code paths using identically-numbered flag values
in the same struct field still seems like a bit of a mess, so I'll send
a patch to fix this just to be safe in case we ever move back to sharing
this data structure.

-Toke
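The aliasing the thread describes, as an added illustrative model (this is not kernel code and not part of the thread). The flag values match those in include/uapi/linux/bpf.h (BPF_F_NEXTHOP and BPF_F_BROADCAST are both bit 3); struct ri_model, the helper stand-ins, the "merge flags into the shared word" behaviour and the return codes are constructed assumptions that reduce the kernel's control flow to the one decision that matters here: the skb helper writes a flag bit, and the XDP consumer reads the same bit under a different name. It shows the stale-flag outcome when one record is shared across invocations, the outcome with a freshly zeroed record per invocation (what the stack-allocated bpf_redirect_info gives you), and the overlap check a reviewer would run over the two flag namespaces.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Flag bits of the two redirect helper families. Values are those of
 * include/uapi/linux/bpf.h; BPF_F_NEXTHOP and BPF_F_BROADCAST share bit 3. */
#define BPF_F_NEIGH           (1ULL << 1)   /* skb path: bpf_redirect_neigh() */
#define BPF_F_NEXTHOP         (1ULL << 3)   /* skb path: a nexthop was supplied */
#define BPF_F_BROADCAST       (1ULL << 3)   /* XDP path: send to every devmap entry */
#define BPF_F_EXCLUDE_INGRESS (1ULL << 4)   /* XDP path: skip the ingress device */

#define SKB_FLAG_MASK (BPF_F_NEIGH | BPF_F_NEXTHOP)
#define XDP_FLAG_MASK (BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS)

/* Constructed stand-in for struct bpf_redirect_info, reduced to the two
 * fields the thread talks about. */
struct ri_model {
    uint64_t flags;
    void    *tgt_value;   /* devmap entry set by a map redirect; NULL otherwise */
};

/* skb side: bpf_redirect_neigh() with a nexthop. It records its own flag
 * bits and never touches tgt_value, which the skb path does not use. */
static void skb_redirect_neigh(struct ri_model *ri)
{
    ri->flags |= BPF_F_NEIGH | BPF_F_NEXTHOP;
}

/* XDP side: bpf_redirect_map() on a devmap; dst is the looked-up entry.
 * Model assumption: flags are merged into whatever the record already holds. */
static void xdp_redirect_map(struct ri_model *ri, void *dst, uint64_t flags)
{
    ri->flags |= flags;
    ri->tgt_value = dst;
}

/* XDP consumer, modelled on the trust dev_map_enqueue() places in the record:
 *   1  unicast enqueue to ri->tgt_value
 *   2  broadcast over the map
 *   0  plain bpf_redirect(ifindex): no map target is involved
 *  -1  the kernel would have dereferenced a NULL tgt_value here; the model
 *      returns an error instead of taking the general protection fault */
static int xdp_devmap_enqueue(const struct ri_model *ri)
{
    if (ri->flags & BPF_F_BROADCAST) {
        /* Broadcast is only meaningful after a map redirect, and a map
         * redirect always sets tgt_value. A NULL here means the bit did not
         * come from the XDP helper at all. */
        if (ri->tgt_value == NULL)
            return -1;
        return 2;
    }
    if (ri->tgt_value == NULL)
        return 0;
    return 1;
}

/* One record reused across invocations, like the old per-CPU instance. */
static struct ri_model shared_ri;

static int shared_ri_scenario(void)
{
    memset(&shared_ri, 0, sizeof(shared_ri));
    skb_redirect_neigh(&shared_ri);           /* earlier skb program */
    /* A later XDP program that used bpf_redirect(ifindex, 0) sets no map
     * target and, in this model, leaves the shared flags word as it found it. */
    return xdp_devmap_enqueue(&shared_ri);    /* -1: stale NEXTHOP read as BROADCAST */
}

/* A freshly zeroed record per invocation: nothing can leak between paths. */
static int stack_ri_scenario(void)
{
    struct ri_model skb_ri = {0};
    struct ri_model xdp_ri = {0};
    skb_redirect_neigh(&skb_ri);
    return xdp_devmap_enqueue(&xdp_ri);       /* 0: plain ifindex redirect */
}

/* A legitimate broadcast: the XDP helper set both the flag and the target. */
static int broadcast_scenario(void)
{
    struct ri_model ri = {0};
    static int devmap_entry;                  /* any non-NULL object will do */
    xdp_redirect_map(&ri, &devmap_entry, BPF_F_BROADCAST);
    return xdp_devmap_enqueue(&ri);           /* 2 */
}

/* Reviewer's check: bits claimed by both namespaces. Non-zero means that a
 * flag set by one path can be misread by the other when the record is shared. */
static uint64_t flag_overlap(uint64_t skb_mask, uint64_t xdp_mask)
{
    return skb_mask & xdp_mask;
}
```

flag_overlap(SKB_FLAG_MASK, XDP_FLAG_MASK) is non-zero with the current numbering, which is exactly the condition the follow-up patch sets out to remove; the per-invocation record in stack_ri_scenario() is why the reproducer stopped firing even though the numbering is unchanged.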