From: sashiko-bot@kernel.org
To: "Kuniyuki Iwashima" <kuniyu@google.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v3 bpf-next 4/4] selftest: bpf: Add test for hwtstamp proxy.
Date: Sat, 13 Jun 2026 22:59:49 +0000
Message-ID: <20260613225950.5A9441F000E9@smtp.kernel.org>
In-Reply-To: <20260613224823.2399535-5-kuniyu@google.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Medium] The function `check_tstamp()` unconditionally returns -1 even upon successful validation, which causes the test driver to silently skip the RX phase of the test.
- [Medium] An uninitialized stack buffer `buf_cmsg` is passed to the kernel via `sendmsg()`, passing stack padding into the kernel and risking Memory Sanitizer (MSAN) failures.
--

commit cbe313a245c9f97c0ad306889154ce4bfae090f0
Author: Kuniyuki Iwashima <kuniyu@google.com>

selftest: bpf: Add test for hwtstamp proxy.

This selftest simulates the hardware timestamp proxy scenario using two UDP
sockets. It receives and injects encapsulated packets via a GENEVE device to
verify hardware timestamp behavior.

> diff --git a/tools/testing/selftests/bpf/prog_tests/proxy_hwtstamp.c b/tools/testing/selftests/bpf/prog_tests/proxy_hwtstamp.c
> new file mode 100644
> index 0000000000000..175d8be74804d
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/proxy_hwtstamp.c
[ ... ]
> @@ -335,11 +335,11 @@ static int check_tstamp(struct proxy_hwtstamp_test_case *test_case, bool tx)
> ret = memcmp(buf_msg, test_case->app_payload, sizeof(test_case->app_payload));
> ASSERT_OK(ret, "memcmp");
>
> ret = -1;
>
> for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
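
Review bot: the memcmp() result checked by `ASSERT_OK(ret, "memcmp")` has no effect on control flow, because the very next statement overwrites it with `ret = -1;` and the function carries on into the cmsg loop. ASSERT_OK() evaluates to false on failure, so `if (!ASSERT_OK(ret, "memcmp")) return -1;` would stop at the payload mismatch instead of going on to parse control messages for a packet already known to be wrong. A one-line comment on `ret = -1;` naming the cmsg that is expected to clear it would also make the success path obvious from this hunk.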

[Severity: Medium]
Is ret intentionally left as -1 here?

If it isn't updated to 0 upon success, won't this cause the function to always
return -1?

Looking at run_test(), the RX test phase is guarded by checking this return
value:

    run_test() {
        ...
        ret = test_proxy_hwtstamp_tx(test_case);
        if (!ret)
            test_proxy_hwtstamp_rx(test_case);

Since test_proxy_hwtstamp_tx() returns the -1 from check_tstamp(), doesn't
this unconditionally skip the RX test phase without actually failing the test?

[ ... ]
> @@ -364,22 +364,22 @@ static int test_proxy_hwtstamp_tx(struct proxy_hwtstamp_test_case *test_case)
> {
> char h_source_dummy[ETH_HLEN] = {0xFF, 0xEE, 0xDD, 0xCC, 0xBB, 0xAA};
> char buf_cmsg[CMSG_SPACE(sizeof(u32))];
> struct proxy_header *phdr;
> struct msghdr msg = {};
> struct iovec iov = {};
> struct cmsghdr *cmsg;
> int ret;
>
> memset(test_case->app_payload, 0xAB, sizeof(test_case->app_payload));
> iov.iov_base = test_case->app_payload;
> iov.iov_len = sizeof(test_case->app_payload);
>
> msg.msg_iov = &iov;
> msg.msg_iovlen = 1;
> msg.msg_control = buf_cmsg;
> msg.msg_controllen = sizeof(buf_cmsg);
>
> cmsg = CMSG_FIRSTHDR(&msg);
> cmsg->cmsg_level = SOL_SOCKET;
> cmsg->cmsg_type = SCM_TS_OPT_ID;
> cmsg->cmsg_len = CMSG_LEN(sizeof(u32));
> *(u32 *)CMSG_DATA(cmsg) = TSKEY;
>
> ret = sendmsg(test_case->app_fd, &msg, 0);
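
Review bot: `char buf_cmsg[CMSG_SPACE(sizeof(u32))];` is only guaranteed char alignment, yet it is accessed as a struct cmsghdr through CMSG_FIRSTHDR() and written through `*(u32 *)CMSG_DATA(cmsg) = TSKEY;`. cmsg(3) recommends wrapping the buffer in a union with a struct cmsghdr member to get suitable alignment; declaring that union with `= {}`, as msg and iov already are in this block, would also fix the initial contents of the whole CMSG_SPACE() region.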

[Severity: Medium]
Can this pass uninitialized stack memory to the kernel?

The buf_cmsg array is allocated on the stack without being zero-initialized.
While the cmsghdr structure assignments initialize CMSG_LEN(sizeof(u32)) bytes,
does this leave the remaining alignment padding bytes uninitialized?

If so, passing it to sendmsg() could leak uninitialized stack padding into the
kernel and trigger Memory Sanitizer (MSAN) warnings in continuous integration
environments.

--
Sashiko AI review · https://sashiko.dev/#/patchset/20260613224823.2399535-1-kuniyu@google.com?part=4
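
The alignment padding raised in the second comment can be measured directly. The following is an added example, not part of the patch or of the review above: it fills a control buffer with a poison byte to model stale stack contents, builds the same single-cmsg layout, and counts the bytes between CMSG_LEN() and CMSG_SPACE() that no assignment touched. `EXAMPLE_KEY`, `STALE`, the `ctrl` union and the `SCM_RIGHTS` stand-in type are assumptions of the example, and nothing is sent.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define EXAMPLE_KEY 0x1234u /* constructed value standing in for TSKEY */
#define STALE 0xA5          /* poison byte modelling leftover stack contents */

/* Control buffer aligned for struct cmsghdr (layout chosen for this example). */
union ctrl {
	char buf[CMSG_SPACE(sizeof(uint32_t))];
	struct cmsghdr align;
};

/* Build one cmsg carrying a u32 and count padding bytes that still hold
 * the poison value. zero_first = 1 models a zero-initialized buffer. */
static size_t stale_padding_bytes(int zero_first)
{
	union ctrl c;
	struct msghdr msg = {0};
	struct cmsghdr *cmsg;
	uint32_t key = EXAMPLE_KEY;
	size_t i, stale = 0;

	memset(c.buf, zero_first ? 0 : STALE, sizeof(c.buf));
	msg.msg_control = c.buf;
	msg.msg_controllen = sizeof(c.buf);

	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS; /* stand-in type; nothing is sent */
	cmsg->cmsg_len = CMSG_LEN(sizeof(key));
	memcpy(CMSG_DATA(cmsg), &key, sizeof(key));

	/* Everything from CMSG_LEN() up to CMSG_SPACE() is alignment padding
	 * that none of the assignments above wrote. */
	for (i = CMSG_LEN(sizeof(key)); i < sizeof(c.buf); i++)
		stale += ((unsigned char)c.buf[i] == STALE);
	return stale;
}

int main(void)
{
	printf("CMSG_LEN=%zu CMSG_SPACE=%zu\n",
	       (size_t)CMSG_LEN(sizeof(uint32_t)), (size_t)CMSG_SPACE(sizeof(uint32_t)));
	printf("stale padding, poisoned buffer: %zu\n", stale_padding_bytes(0));
	printf("stale padding, zeroed buffer:   %zu\n", stale_padding_bytes(1));
	return 0;
}
```

The count depends on the ABI: it is nonzero wherever CMSG_SPACE() rounds the u32 payload up to a wider alignment, and zero where the payload already fills the aligned slot.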