From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D07BFEB64DD for ; Fri, 28 Jul 2023 22:02:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235265AbjG1WCt (ORCPT ); Fri, 28 Jul 2023 18:02:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41174 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231146AbjG1WCo (ORCPT ); Fri, 28 Jul 2023 18:02:44 -0400 Received: from out-127.mta1.migadu.com (out-127.mta1.migadu.com [IPv6:2001:41d0:203:375::7f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 182D92D5F for ; Fri, 28 Jul 2023 15:02:29 -0700 (PDT) Message-ID: <266ab56e-ae83-7ddc-618e-3af228df81bd@linux.dev> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1690581747; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=8hWvaYfIn7U7DdQhxoUICMLRNRgSRaJIOm4Ba5/IrXM=; b=WdVTItCTD9ygpob4ihOR+/GOrZVv2IJlkxrw21VRkyQgnRjcam5YMd5HHNBToM2Fj52wGy d63P3UDnhS7hVxUvDfwgGmkgLcg78W1sDnP8lyY4VTL8ADsM6fRrb8FOnFs2aa7Gu7ZlEn qwjI3sZklIivyKGi+AVTXfYJpoIZiJs= Date: Fri, 28 Jul 2023 15:02:19 -0700 MIME-Version: 1.0 Subject: Re: [PATCH v4 bpf 1/2] bpf: fix skb_do_redirect return values Content-Language: en-US To: Yan Zhai Cc: bpf@vger.kernel.org, Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Song Liu , Yonghong Song , John Fastabend , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Mykola Lysenko , Shuah Khan , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, kernel-team@cloudflare.com, Jordan Griege , Markus Elfring , Jakub Sitnicki References: X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Martin KaFai Lau In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Migadu-Flow: FLOW_OUT Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 7/25/23 6:08 PM, Yan Zhai wrote: > skb_do_redirect returns various of values: error code (negative), > 0 (success), and some positive status code, e.g. NET_XMIT_CN, > NET_RX_DROP. Commit 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel > infrastructure") didn't check the return code correctly, so positive > values are propagated back along call chain: > > ip_finish_output2 > -> bpf_xmit > -> run_lwt_bpf > -> skb_do_redirect From looking at skb_do_redirect, the skb_do_redirect should have consumed the skb except for the -EAGAIN return value. afaik, -EAGAIN could only happen by using the bpf_redirect_peer helper. lwt does not have the bpf_redirect_peer helper available, so there is no -EAGAIN case in lwt. iow, skb_do_redirect should have always consumed the skb in lwt. or did I miss something? If that is the case, it feels like the fix should be in run_lwt_bpf() and the "if (ret == 0)" test in run_lwt_bpf() is unnecessary? ret = skb_do_redirect(skb); if (ret == 0) ret = BPF_REDIRECT; > > Inside ip_finish_output2, redirected skb will continue to neighbor > subsystem as if LWTUNNEL_XMIT_CONTINUE is returned, despite that this > skb could have been freed. The bug can trigger use-after-free warning > and crashes kernel afterwards: > > https://gist.github.com/zhaiyan920/8fbac245b261fe316a7ef04c9b1eba48