From: Martin KaFai Lau <martin.lau@linux.dev>
To: Pengfei Xu <pengfei.xu@intel.com>
Cc: bpf@vger.kernel.org, heng.su@intel.com, lkp@intel.com, sdf@google.com
Subject: Re: [Syzkaller & bisect] There is general protection fault in bpf_prog_offload_verifier_prep in v6.6-rc1 kernel
Date: Fri, 15 Sep 2023 09:02:18 -0700	[thread overview]
Message-ID: <01584fd4-6f51-ebae-f8a2-d05965d7c075@linux.dev> (raw)
In-Reply-To: <ZQPTq8LBmwsz4PGg@xpf.sh.intel.com>

On 9/14/23 8:46 PM, Pengfei Xu wrote:
> Hi Stanislav,
> 
> Greeting!
> 
> There is a general protection fault in bpf_prog_offload_verifier_prep in
> the v6.6-rc1 kernel.
> 
> All detailed info: https://github.com/xupengfe/syzkaller_logs/tree/main/230914_154711_bpf_prog_offload_verifier_prep
> Syzkaller reproduced code: https://github.com/xupengfe/syzkaller_logs/blob/main/230914_154711_bpf_prog_offload_verifier_prep/repro.c
> Syzkaller reproduced steps: https://github.com/xupengfe/syzkaller_logs/blob/main/230914_154711_bpf_prog_offload_verifier_prep/repro.prog
> Bisect info: https://github.com/xupengfe/syzkaller_logs/blob/main/230914_154711_bpf_prog_offload_verifier_prep/bisect_info.log
> Issue dmesg: https://github.com/xupengfe/syzkaller_logs/blob/main/230914_154711_bpf_prog_offload_verifier_prep/0bb80ecc33a8fb5a682236443c1e740d5c917d1d_dmesg.log
> bzImage: https://github.com/xupengfe/syzkaller_logs/raw/main/230914_154711_bpf_prog_offload_verifier_prep/bzImage_0bb80ecc33a8fb5a682236443c1e740d5c917d1d.tar.gz
> Kconfig: https://github.com/xupengfe/syzkaller_logs/blob/main/230914_154711_bpf_prog_offload_verifier_prep/kconfig_origin
> 
> Bisected and found that the suspected commit is:
> 2b3486bc2d23 bpf: Introduce device-bound XDP programs

Thanks for the report.

It has just been fixed in the following commit in the bpf tree:

commit 1a49f4195d3498fe458a7f5ff7ec5385da70d92e
Author: Eduard Zingerman <eddyz87@gmail.com>
Date:   Mon Sep 11 17:55:37 2023

     bpf: Avoid dummy bpf_offload_netdev in __bpf_prog_dev_bound_init

     Fix for a bug observable under the following sequence of events:
     1. Create a network device that does not support XDP offload.
     2. Load a device bound XDP program with BPF_F_XDP_DEV_BOUND_ONLY flag
        (such programs are not offloaded).
     3. Load a device bound XDP program with zero flags
        (such programs are offloaded).

     At step (2) __bpf_prog_dev_bound_init() associates with device (1)
     a dummy bpf_offload_netdev struct with .offdev field set to NULL.
     At step (3) __bpf_prog_dev_bound_init() would reuse dummy struct
     allocated at step (2).
     However, downstream usage of the bpf_offload_netdev assumes that
     .offdev field can't be NULL, e.g. in bpf_prog_offload_verifier_prep().

     Adjust __bpf_prog_dev_bound_init() to require bpf_offload_netdev
     with non-NULL .offdev for offloaded BPF programs.

     Fixes: 2b3486bc2d23 ("bpf: Introduce device-bound XDP programs")
     Reported-by: syzbot+291100dcb32190ec02a8@syzkaller.appspotmail.com
     Closes: https://lore.kernel.org/bpf/000000000000d97f3c060479c4f8@google.com/
     Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
     Link: https://lore.kernel.org/r/20230912005539.2248244-2-eddyz87@gmail.com
     Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>

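The commit message above describes the lookup-and-reuse logic that went wrong: a device-bound-only load leaves a dummy bpf_offload_netdev (with .offdev == NULL) in the per-device cache, and a later offloaded load for the same device picks it up, so a consumer that assumes .offdev is set faults. As an added illustration, not the kernel's code and not the commit's diff, here is a reduced C model of that logic with the pre-fix and post-fix checks side by side. All helper names (find_netdev, add_netdev, replay, offloaded_load_on_capable_device), the flag value, the array-backed cache and the fields of the stand-in structs are assumptions of this model; the real __bpf_prog_dev_bound_init() uses a hashtable and the UAPI flag from linux/bpf.h.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed stand-ins for the kernel structures named in the commit message. */
struct net_device { int ifindex; };
struct bpf_offload_dev { int id; };
struct bpf_offload_netdev {
	struct net_device *netdev;
	struct bpf_offload_dev *offdev;	/* NULL marks a dummy (device-bound-only) entry */
};

/* Flag bit for this model only; the real value is defined in linux/bpf.h. */
#define BPF_F_XDP_DEV_BOUND_ONLY 0x1u

/* Per-device cache: a small array here, a hashtable in the kernel. */
#define CACHE_SIZE 4
static struct bpf_offload_netdev cache[CACHE_SIZE];
static int ncache;

static struct bpf_offload_netdev *find_netdev(const struct net_device *dev)
{
	for (int i = 0; i < ncache; i++)
		if (cache[i].netdev == dev)
			return &cache[i];
	return NULL;
}

static struct bpf_offload_netdev *add_netdev(struct net_device *dev,
					     struct bpf_offload_dev *offdev)
{
	if (ncache == CACHE_SIZE)
		return NULL;
	cache[ncache].netdev = dev;
	cache[ncache].offdev = offdev;
	return &cache[ncache++];
}

/* Model of __bpf_prog_dev_bound_init(). Programs loaded with zero flags are
 * offloaded; BPF_F_XDP_DEV_BOUND_ONLY programs are merely bound. Before the fix
 * (require_offdev == 0) an offloaded load only fails when no entry exists at all,
 * so it reuses a dummy left behind by an earlier device-bound-only load; the fix
 * (require_offdev == 1) also insists on a non-NULL .offdev. */
static int dev_bound_init(struct net_device *dev, unsigned int flags,
			  struct bpf_offload_netdev **out, int require_offdev)
{
	int offloaded = !(flags & BPF_F_XDP_DEV_BOUND_ONLY);
	struct bpf_offload_netdev *ondev = find_netdev(dev);

	if (offloaded && (!ondev || (require_offdev && !ondev->offdev)))
		return -EINVAL;	/* no usable offload registration for this device */
	if (!ondev) {
		ondev = add_netdev(dev, NULL);	/* dummy entry: .offdev == NULL */
		if (!ondev)
			return -ENOMEM;
	}
	*out = ondev;
	return 0;
}

/* Downstream consumer, as the commit describes it: assumes .offdev is never NULL. */
static int verifier_prep(const struct bpf_offload_netdev *ondev)
{
	return ondev->offdev->id;	/* would fault on a dummy entry */
}

/* Replays steps 1-3 of the commit message. Returns 1 if the offloaded load ended
 * up holding a dummy entry (the state that faults in verifier_prep()), 0 if the
 * load was refused with -EINVAL, or another negative errno. */
static int replay(int require_offdev)
{
	struct net_device dev = { .ifindex = 7 };	/* step 1: no offload support registered */
	struct bpf_offload_netdev *a = NULL, *b = NULL;
	int err;

	ncache = 0;
	err = dev_bound_init(&dev, BPF_F_XDP_DEV_BOUND_ONLY, &a, require_offdev);	/* step 2 */
	if (!err)
		err = dev_bound_init(&dev, 0, &b, require_offdev);			/* step 3 */
	if (!err)
		err = (b->offdev == NULL);
	ncache = 0;
	return err == -EINVAL ? 0 : err;
}

/* Control case: a device whose driver registered offload support still loads
 * offloaded programs after the fix, and verifier_prep() sees a real .offdev. */
static int offloaded_load_on_capable_device(void)
{
	static struct bpf_offload_dev real = { .id = 42 };
	struct net_device dev = { .ifindex = 8 };
	struct bpf_offload_netdev *ondev = NULL;
	int r;

	ncache = 0;
	if (!add_netdev(&dev, &real))	/* models the driver's registration */
		return -ENOMEM;
	r = dev_bound_init(&dev, 0, &ondev, 1);
	if (!r)
		r = verifier_prep(ondev);
	ncache = 0;
	return r;
}
```

replay(0) returns 1 (the pre-fix path hands the dummy to an offloaded program), replay(1) returns 0 (the fixed path refuses with -EINVAL at step 3), and the control case shows the fix does not break devices that actually registered an offload device. The general point for reviewers of similar caches: when a lookup-or-create helper can create placeholder entries, every later lookup that needs a fully populated entry has to validate the fields it depends on rather than trust the key match.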

Thread overview: 3+ messages
2023-09-15  3:46 [Syzkaller & bisect] There is general protection fault in bpf_prog_offload_verifier_prep in v6.6-rc1 kernel Pengfei Xu
2023-09-15 16:02 ` Martin KaFai Lau [this message]
2023-09-16  3:29   ` Pengfei Xu