From: Jakub Sitnicki <jakub@cloudflare.com>
To: Yan Zhai <yan@cloudflare.com>
Cc: bpf@vger.kernel.org, Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Song Liu <song@kernel.org>, Yonghong Song <yhs@fb.com>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Mykola Lysenko <mykolal@fb.com>, Shuah Khan <shuah@kernel.org>,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
linux-kselftest@vger.kernel.org, kernel-team@cloudflare.com,
Jordan Griege <jgriege@cloudflare.com>,
Markus Elfring <Markus.Elfring@web.de>
Subject: Re: [PATCH v4 bpf 1/2] bpf: fix skb_do_redirect return values
Date: Wed, 26 Jul 2023 14:25:38 +0200
Message-ID: <87ila6yi3l.fsf@cloudflare.com>
In-Reply-To: <e5d05e56bf41de82f10d33229b8a8f6b49290e98.1690332693.git.yan@cloudflare.com>
On Tue, Jul 25, 2023 at 06:08 PM -07, Yan Zhai wrote:
> skb_do_redirect returns various values: error code (negative),
> 0 (success), and some positive status code, e.g. NET_XMIT_CN,
> NET_RX_DROP. Commit 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel
> infrastructure") didn't check the return code correctly, so positive
> values are propagated back along call chain:
>
>   ip_finish_output2
>     -> bpf_xmit
>       -> run_lwt_bpf
>         -> skb_do_redirect
>
> Inside ip_finish_output2, the redirected skb will continue to the neighbor
> subsystem as if LWTUNNEL_XMIT_CONTINUE is returned, even though this
> skb could have been freed. The bug can trigger a use-after-free warning
> and crash the kernel afterwards:
>
> https://gist.github.com/zhaiyan920/8fbac245b261fe316a7ef04c9b1eba48
>
> Converting positive statuses from skb_do_redirect eliminates this issue.
>
> Fixes: 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure")
> Tested-by: Jakub Sitnicki <jakub@cloudflare.com>
> Suggested-by: Markus Elfring <Markus.Elfring@web.de>
> Suggested-by: Stanislav Fomichev <sdf@google.com>
> Reported-by: Jordan Griege <jgriege@cloudflare.com>
> Signed-off-by: Yan Zhai <yan@cloudflare.com>
> ---
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
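
The return-value mismatch described in the quoted commit message, as an added user-space model that is not part of the thread or the patch. The struct, the function names, the numeric constants, the caller's check and the choice of -ENOBUFS are assumptions of this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model; names and numeric values are assumptions. */
enum { XMIT_DONE = 0, XMIT_CONTINUE = 1 }; /* stands in for LWTUNNEL_XMIT_* */
enum { STATUS_DROP = 1, STATUS_CN = 2 };   /* stands in for NET_RX_DROP, NET_XMIT_CN */

struct pkt { bool freed; bool used_after_free; };

/* Stand-in for skb_do_redirect: consumes the packet, returns <0, 0 or >0. */
static int do_redirect(struct pkt *p, int outcome) { p->freed = true; return outcome; }

/* Unchecked: the callee's value is propagated up the call chain unchanged. */
static int xmit_unchecked(struct pkt *p, int outcome) { return do_redirect(p, outcome); }

/* Checked: positive statuses become a negative errno before they propagate.
 * The choice of -ENOBUFS is this example's assumption. */
static int xmit_checked(struct pkt *p, int outcome)
{
    int ret = do_redirect(p, outcome);
    return ret > 0 ? -ENOBUFS : ret;
}

/* Stand-in for the caller: only a negative value or XMIT_DONE stops it. */
static int finish_output(struct pkt *p, int (*xmit)(struct pkt *, int), int outcome)
{
    int res = xmit(p, outcome);
    if (res < 0 || res == XMIT_DONE)
        return res;
    if (p->freed)                 /* the model records the access instead of making it */
        p->used_after_free = true;
    return 0;
}

/* True when the caller went on to use a packet the callee already consumed. */
static bool uses_freed_packet(int (*xmit)(struct pkt *, int), int outcome)
{
    struct pkt p = { false, false };
    finish_output(&p, xmit, outcome);
    return p.used_after_free;
}

int main(void)
{
    printf("unchecked, STATUS_CN: %d\n", uses_freed_packet(xmit_unchecked, STATUS_CN));
    printf("checked,   STATUS_CN: %d\n", uses_freed_packet(xmit_checked, STATUS_CN));
    return 0;
}
```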