From: "Toke Høiland-Jørgensen" <toke@kernel.org>
To: Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
Breno Leitao <leitao@debian.org>
Cc: Jakub Kicinski <kuba@kernel.org>,
andrii@kernel.org, ast@kernel.org,
syzbot <syzbot+08811615f0e17bc6708b@syzkaller.appspotmail.com>,
bpf@vger.kernel.org, daniel@iogearbox.net, davem@davemloft.net,
eddyz87@gmail.com, haoluo@google.com, hawk@kernel.org,
john.fastabend@gmail.com, jolsa@kernel.org, kpsingh@kernel.org,
linux-kernel@vger.kernel.org, martin.lau@linux.dev,
netdev@vger.kernel.org, sdf@fomichev.me, song@kernel.org,
syzkaller-bugs@googlegroups.com, yonghong.song@linux.dev
Subject: Re: [PATCH net-net] tun: Assign missing bpf_net_context.
Date: Thu, 12 Sep 2024 16:24:20 +0200 [thread overview]
Message-ID: <87wmjhar1n.fsf@toke.dk> (raw)
In-Reply-To: <20240912122847.x70_LgN_@linutronix.de>
Sebastian Andrzej Siewior <bigeasy@linutronix.de> writes:
> On 2024-09-12 05:06:36 [-0700], Breno Leitao wrote:
>> Hello Sebastian, Jakub,
> Hi,
>
>> I've seen some crashes in 6.11-rc7 that seems related to 401cb7dae8130
>> ("net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.").
>>
>> Basically bpf_net_context is NULL, and it is being dereferenced by
>> bpf_net_ctx->ri.kern_flags (offset 0x38) in the following code.
>>
>> static inline struct bpf_redirect_info *bpf_net_ctx_get_ri(void)
>> {
>> struct bpf_net_context *bpf_net_ctx = bpf_net_ctx_get();
>> if (!(bpf_net_ctx->ri.kern_flags & BPF_RI_F_RI_INIT)) {
>>
>> That said, it means that bpf_net_ctx_get() is returning NULL.
>>
>> This stack is coming from the bpf function bpf_redirect()
>> BPF_CALL_2(bpf_redirect, u32, ifindex, u64, flags)
>> {
>> struct bpf_redirect_info *ri = bpf_net_ctx_get_ri();
>>
>>
>> Since I don't think there is XDP involved, I wondering if we need some
>> preotection before calling bpf_redirect()
>
> This origins in netkit_xmit(). If my memory serves me, then Daniel told
> me that netkit is not doing any redirect and therefore does not need
> "this". This must have been during one of the first "designs"/ versions.
>
> If you are saying, that this is possible then something must be done.
> Either assign a context or reject the bpf program.
Netkit definitely redirects, so it should assign a context object in
netkit_xmit()...
-Toke
next prev parent reply other threads:[~2024-09-12 14:24 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-01 20:19 [syzbot] [net?] [bpf?] general protection fault in dev_map_redirect syzbot
2024-07-02 18:40 ` Jakub Kicinski
2024-07-03 12:27 ` [PATCH net-net] tun: Assign missing bpf_net_context Sebastian Andrzej Siewior
2024-07-03 19:01 ` Jakub Kicinski
2024-07-03 19:21 ` Sebastian Andrzej Siewior
2024-07-04 10:14 ` [PATCH v2 " Sebastian Andrzej Siewior
2024-07-04 14:24 ` Jakub Kicinski
2024-07-04 14:48 ` [PATCH v3 net-next] " Sebastian Andrzej Siewior
2024-07-06 0:10 ` patchwork-bot+netdevbpf
2024-09-12 12:06 ` [PATCH net-net] " Breno Leitao
2024-09-12 12:28 ` Sebastian Andrzej Siewior
2024-09-12 13:17 ` Breno Leitao
2024-09-12 13:32 ` Vadim Fedorenko
2024-09-12 14:19 ` Breno Leitao
2024-09-12 14:30 ` Sebastian Andrzej Siewior
2024-09-12 14:40 ` Breno Leitao
2024-09-12 13:33 ` Sebastian Andrzej Siewior
2024-09-12 15:03 ` Daniel Borkmann
2024-09-16 10:19 ` Sebastian Andrzej Siewior
2024-09-12 14:24 ` Toke Høiland-Jørgensen [this message]
2024-07-06 6:21 ` [syzbot] [bpf?] [net?] general protection fault in dev_map_redirect syzbot
2024-07-06 13:13 ` Sebastian Andrzej Siewior
2024-07-06 13:38 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87wmjhar1n.fsf@toke.dk \
--to=toke@kernel.org \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bigeasy@linutronix.de \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=hawk@kernel.org \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=kuba@kernel.org \
--cc=leitao@debian.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=netdev@vger.kernel.org \
--cc=sdf@fomichev.me \
--cc=song@kernel.org \
--cc=syzbot+08811615f0e17bc6708b@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox