From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
To: Jason Xing <kerneljasonxing@gmail.com>
Cc: mc36 <csmate@nop.hu>,
	alekcejk@googlemail.com,
	"Jonathan Lemon" <jonathan.lemon@gmail.com>,
	"Stanislav Fomichev" <sdf@fomichev.me>,
	"Magnus Karlsson" <magnus.karlsson@intel.com>,
	"Björn Töpel" <bjorn@kernel.org>,
	1118437@bugs.debian.org, netdev@vger.kernel.org,
	bpf@vger.kernel.org
Subject: Re: null pointer dereference in interrupt after receiving an ip packet on veth from xsk from user space
Date: Tue, 21 Oct 2025 16:47:55 +0200
Message-ID: <aPedG99fdFBnbIqz@boxer>
In-Reply-To: <CAL+tcoA0TKWQY4oP4jJ5BHmEnA+HzHRrgsnQL9vRpnaqb+_8Ag@mail.gmail.com>

On Tue, Oct 21, 2025 at 07:02:06PM +0800, Jason Xing wrote:
> On Tue, Oct 21, 2025 at 5:31 AM mc36 <csmate@nop.hu> wrote:
> >
> > hi,
> >
> > On 10/20/25 11:04, Jason Xing wrote:
> > >
> > > I followed your steps you attached in your code:
> > > ////// gcc xskInt.c -lxdp
> > > ////// sudo ip link add veth1 type veth
> > > ////// sudo ip link set veth0 up
> > > ////// sudo ip link set veth1 up
> >
> > ip link set dev veth1 address 3a:10:5c:53:b3:5c
> 
> Great, it indeed helps me reproduce the issue, so I managed to see the
> exact same stack. Let me dig into it more deeply.

The splat comes from skb_orphan() calling skb->destructor() with the ::cb
field already taken by the IP layer. A hotfix would simply be moving this
call before we memset cb in ip_rcv_core():

diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index 273578579a6b..db30645f8c35 100644
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -535,14 +535,14 @@ static struct sk_buff *ip_rcv_core(struct sk_buff *skb, struct net *net)
        iph = ip_hdr(skb);
        skb->transport_header = skb->network_header + iph->ihl*4;

-       /* Remove any debris in the socket control block */
-       memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
-       IPCB(skb)->iif = skb->skb_iif;
-
        /* Must drop socket now because of tproxy. */
        if (!skb_sk_is_prefetched(skb))
                skb_orphan(skb);

+       /* Remove any debris in the socket control block */
+       memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
+       IPCB(skb)->iif = skb->skb_iif;
+
        return skb;

 csum_error:
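
Review bot: in the reordered block of ip_rcv_core(), the destructor only runs ahead of the IPCB memset when skb_orphan() is actually called; on the skb_sk_is_prefetched(skb) branch the destructor stays attached and memset(IPCB(skb), 0, ...) still clears cb underneath it, so a destructor that reads skb->cb would see the same wiped state when it eventually runs. It would help to say whether that case can occur for the skbs that triggered the splat. The ordering is also load-bearing now but undocumented: the comment "Must drop socket now because of tproxy" should be extended to state that the orphan has to precede the cb memset because a destructor may still read skb->cb.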

However, I do not understand why setting mac addr on one veth interface
triggers this path.

> 
> Thanks,
> Jason
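
The ordering problem described in this message, as an added userspace C model that is not part of the original email and is not kernel code. All names are hypothetical stand-ins: `pkt` for the sk_buff, `owner_cb` for whatever private state the sender keeps in cb, `rx_claim_cb()` for the IPCB memset, `orphan()` for skb_orphan() and `receive()` for the two orderings in ip_rcv_core().

```c
#include <stdio.h>
#include <string.h>

/* Userspace model only; every name here is a hypothetical stand-in. */
struct pkt {
    unsigned char cb[48];             /* scratch bytes shared by all layers */
    void (*destructor)(struct pkt *); /* installed by the layer that built the packet */
    int iif;
};
struct owner_cb { unsigned int ndescs; int *completions; }; /* sender's view of cb */

static void owner_destructor(struct pkt *p)
{
    struct owner_cb ocb;
    memcpy(&ocb, p->cb, sizeof(ocb));
    if (ocb.completions)     /* NULL here means cb was wiped; the model skips the deref */
        (*ocb.completions)++;
}

static void orphan(struct pkt *p)       /* stand-in for skb_orphan() */
{
    if (p->destructor)
        p->destructor(p);
    p->destructor = NULL;
}

static void rx_claim_cb(struct pkt *p)  /* stand-in for the IPCB memset + iif store */
{
    memset(p->cb, 0, sizeof(p->cb));
    memcpy(p->cb, &p->iif, sizeof(p->iif));
}

/* Returns 1 if the destructor ran with its cb state intact, 0 if it was wiped. */
int receive(int orphan_first)
{
    int completions = 0;
    struct owner_cb ocb = { .ndescs = 1, .completions = &completions };
    struct pkt p = { .destructor = owner_destructor, .iif = 3 };
    memcpy(p.cb, &ocb, sizeof(ocb));
    if (orphan_first) { orphan(&p); rx_claim_cb(&p); }
    else              { rx_claim_cb(&p); orphan(&p); }
    return completions == 1;
}

int main(void)
{
    printf("memset first: %d, orphan first: %d\n", receive(0), receive(1));
    return 0;
}
```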
