From: "Toke Høiland-Jørgensen" <toke@kernel.org>
To: Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
	Breno Leitao <leitao@debian.org>
Cc: Jakub Kicinski <kuba@kernel.org>,
	andrii@kernel.org, ast@kernel.org,
	syzbot <syzbot+08811615f0e17bc6708b@syzkaller.appspotmail.com>,
	bpf@vger.kernel.org, daniel@iogearbox.net, davem@davemloft.net,
	eddyz87@gmail.com, haoluo@google.com, hawk@kernel.org,
	john.fastabend@gmail.com, jolsa@kernel.org, kpsingh@kernel.org,
	linux-kernel@vger.kernel.org, martin.lau@linux.dev,
	netdev@vger.kernel.org, sdf@fomichev.me, song@kernel.org,
	syzkaller-bugs@googlegroups.com, yonghong.song@linux.dev
Subject: Re: [PATCH net-net] tun: Assign missing bpf_net_context.
Date: Thu, 12 Sep 2024 16:24:20 +0200	[thread overview]
Message-ID: <87wmjhar1n.fsf@toke.dk> (raw)
In-Reply-To: <20240912122847.x70_LgN_@linutronix.de>

Sebastian Andrzej Siewior <bigeasy@linutronix.de> writes:

> On 2024-09-12 05:06:36 [-0700], Breno Leitao wrote:
>> Hello Sebastian, Jakub,
> Hi,
>
>> I've seen some crashes in 6.11-rc7 that seem related to 401cb7dae8130
>> ("net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.").
>> 
>> Basically bpf_net_context is NULL, and it is being dereferenced by
>> bpf_net_ctx->ri.kern_flags (offset 0x38) in the following code.
>> 
>> 	static inline struct bpf_redirect_info *bpf_net_ctx_get_ri(void)
>> 	{
>> 		struct bpf_net_context *bpf_net_ctx = bpf_net_ctx_get();
>> 		if (!(bpf_net_ctx->ri.kern_flags & BPF_RI_F_RI_INIT)) {
>> 
>> That said, it means that bpf_net_ctx_get() is returning NULL.
>> 
>> This stack is coming from the bpf function bpf_redirect()
>> 	BPF_CALL_2(bpf_redirect, u32, ifindex, u64, flags)
>> 	{
>> 	      struct bpf_redirect_info *ri = bpf_net_ctx_get_ri();
>> 
>> 
>> Since I don't think there is XDP involved, I'm wondering if we need some
>> protection before calling bpf_redirect()
>
> This originates in netkit_xmit(). If my memory serves me, then Daniel told
> me that netkit is not doing any redirect and therefore does not need
> "this". This must have been during one of the first "designs"/versions.
>
> If you are saying that this is possible then something must be done.
> Either assign a context or reject the bpf program.

Netkit definitely redirects, so it should assign a context object in
netkit_xmit()...

-Toke
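The failure mode discussed in this thread, as an added user-space model (not kernel code): a per-task context pointer that every path running a BPF program must set before the program can call bpf_redirect() and clear afterwards. The function names mirror the kernel's helpers, but the bodies, the hypothetical `xmit_missing_ctx()`/`xmit_with_ctx()` paths and the `-1` return standing in for the NULL dereference are assumptions of this model.

```c
#include <stddef.h>

#define BPF_RI_F_RI_INIT (1u << 0)

struct bpf_redirect_info { unsigned int kern_flags; int tgt_index; };
struct bpf_net_context { struct bpf_redirect_info ri; };

/* Model of current->bpf_net_context: NULL until a caller assigns one. */
static struct bpf_net_context *cur_bpf_net_ctx;

/* Assign a context; returns NULL if an outer caller already set one. */
static struct bpf_net_context *bpf_net_ctx_set(struct bpf_net_context *c)
{
	if (cur_bpf_net_ctx)
		return NULL;
	c->ri.kern_flags = 0;
	cur_bpf_net_ctx = c;
	return c;
}

/* Only the caller that actually assigned the context clears it. */
static void bpf_net_ctx_clear(struct bpf_net_context *c)
{
	if (c)
		cur_bpf_net_ctx = NULL;
}

static struct bpf_net_context *bpf_net_ctx_get(void) { return cur_bpf_net_ctx; }

/* The helper from the report; the model returns NULL instead of faulting. */
static struct bpf_redirect_info *bpf_net_ctx_get_ri(void)
{
	struct bpf_net_context *c = bpf_net_ctx_get();

	if (!c)
		return NULL;
	if (!(c->ri.kern_flags & BPF_RI_F_RI_INIT)) {
		c->ri.tgt_index = 0;
		c->ri.kern_flags |= BPF_RI_F_RI_INIT;
	}
	return &c->ri;
}

/* bpf_redirect() model: -1 marks the missing-context crash, 0 success. */
static int bpf_redirect(int ifindex)
{
	struct bpf_redirect_info *ri = bpf_net_ctx_get_ri();

	if (!ri)
		return -1;
	ri->tgt_index = ifindex;
	return 0;
}

/* Hypothetical xmit path without a context (the netkit_xmit() bug). */
static int xmit_missing_ctx(void) { return bpf_redirect(3); }

/* Same path with the context assigned around the program run (the fix). */
static int xmit_with_ctx(void)
{
	struct bpf_net_context ctx_storage, *ctx = bpf_net_ctx_set(&ctx_storage);
	int ret = bpf_redirect(3);

	bpf_net_ctx_clear(ctx);
	return ret;
}
```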
