netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v3,bpf-next] bpf: Don't redirect packets with invalid pkt_len
@ 2022-07-15  3:22 Zhengchao Shao
  2022-07-15  4:30 ` Jakub Kicinski
  0 siblings, 1 reply; 3+ messages in thread
From: Zhengchao Shao @ 2022-07-15  3:22 UTC (permalink / raw)
  To: bpf, netdev, linux-kernel, davem, edumazet, kuba, pabeni, hawk
  Cc: ast, daniel, andrii, martin.lau, song, yhs, john.fastabend,
	kpsingh, sdf, bigeasy, imagedong, petrm, arnd, dsahern,
	talalahmad, keescook, haoluo, jolsa, weiyongjun1, yuehaibing,
	shaozhengchao

Syzbot found an issue [1]: fq_codel_drop() try to drop a flow whitout any
skbs, that is, the flow->head is null.
The root cause, as the [2] says, is because that bpf_prog_test_run_skb()
run a bpf prog which redirects empty skbs.
So we should determine whether the length of the packet modified by bpf
prog or others like bpf_prog_test is valid before forwarding it directly.

LINK: [1] https://syzkaller.appspot.com/bug?id=0b84da80c2917757915afa89f7738a9d16ec96c5
LINK: [2] https://www.spinics.net/lists/netdev/msg777503.html

Reported-by: syzbot+7a12909485b94426aceb@syzkaller.appspotmail.com
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
---
v2: need move checking to convert___skb_to_skb and add debug info
v1: should not check len in fast path

 include/linux/skbuff.h | 11 +++++++++++
 net/bpf/test_run.c     |  3 +++
 net/core/dev.c         |  1 +
 3 files changed, 15 insertions(+)

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index f6a27ab19202..8ea41ad0786b 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -2459,6 +2459,17 @@ static inline void skb_set_tail_pointer(struct sk_buff *skb, const int offset)
 
 #endif /* NET_SKBUFF_DATA_USES_OFFSET */
 
+static inline void skb_assert_len(struct sk_buff *skb)
+{
+#ifdef CONFIG_DEBUG_NET
+	if (unlikely(!skb->len)) {
+		pr_err("%s\n", __func__);
+		skb_dump(KERN_ERR, skb, false);
+		WARN_ON_ONCE(1);
+	}
+#endif /* CONFIG_DEBUG_NET */
+}
+
 /*
  *	Add data to an sk_buff
  */
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 2ca96acbc50a..dc9dc0bedca0 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -955,6 +955,9 @@ static int convert___skb_to_skb(struct sk_buff *skb, struct __sk_buff *__skb)
 {
 	struct qdisc_skb_cb *cb = (struct qdisc_skb_cb *)skb->cb;
 
+	if (!skb->len)
+		return -EINVAL;
+
 	if (!__skb)
 		return 0;
 
diff --git a/net/core/dev.c b/net/core/dev.c
index d588fd0a54ce..716df64fcfa5 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -4168,6 +4168,7 @@ int __dev_queue_xmit(struct sk_buff *skb, struct net_device *sb_dev)
 	bool again = false;
 
 	skb_reset_mac_header(skb);
+	skb_assert_len(skb);
 
 	if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_SCHED_TSTAMP))
 		__skb_tstamp_tx(skb, NULL, NULL, skb->sk, SCM_TSTAMP_SCHED);
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH v3,bpf-next] bpf: Don't redirect packets with invalid pkt_len
  2022-07-15  3:22 [PATCH v3,bpf-next] bpf: Don't redirect packets with invalid pkt_len Zhengchao Shao
@ 2022-07-15  4:30 ` Jakub Kicinski
  2022-07-15  9:17   ` Eric Dumazet
  0 siblings, 1 reply; 3+ messages in thread
From: Jakub Kicinski @ 2022-07-15  4:30 UTC (permalink / raw)
  To: Zhengchao Shao
  Cc: bpf, netdev, linux-kernel, davem, edumazet, pabeni, hawk, ast,
	daniel, andrii, martin.lau, song, yhs, john.fastabend, kpsingh,
	sdf, bigeasy, imagedong, petrm, arnd, dsahern, talalahmad,
	keescook, haoluo, jolsa, weiyongjun1, yuehaibing

On Fri, 15 Jul 2022 11:22:33 +0800 Zhengchao Shao wrote:
> +#ifdef CONFIG_DEBUG_NET
> +	if (unlikely(!skb->len)) {
> +		pr_err("%s\n", __func__);
> +		skb_dump(KERN_ERR, skb, false);
> +		WARN_ON_ONCE(1);
> +	}

Is there a reason to open code WARN_ONCE() like that?

#ifdef CONFIG_DEBUG_NET
	if (WARN_ONCE(!skb->len, "%s\n", __func__))
		skb_dump(KERN_ERR, skb, false);

or

	if (IS_ENABLED(CONFIG_DEBUG_NET) &&
	    WARN_ONCE(!skb->len, "%s\n", __func__))
		skb_dump(KERN_ERR, skb, false);

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH v3,bpf-next] bpf: Don't redirect packets with invalid pkt_len
  2022-07-15  4:30 ` Jakub Kicinski
@ 2022-07-15  9:17   ` Eric Dumazet
  0 siblings, 0 replies; 3+ messages in thread
From: Eric Dumazet @ 2022-07-15  9:17 UTC (permalink / raw)
  To: Jakub Kicinski
  Cc: Zhengchao Shao, bpf, netdev, LKML, David Miller, Paolo Abeni,
	Jesper Dangaard Brouer, Alexei Starovoitov, Daniel Borkmann,
	Andrii Nakryiko, martin.lau, song, Yonghong Song, John Fastabend,
	KP Singh, Stanislav Fomichev, Sebastian Andrzej Siewior,
	Menglong Dong, Petr Machata, Arnd Bergmann, David Ahern,
	Talal Ahmad, Kees Cook, Hao Luo, jolsa, weiyongjun1, YueHaibing

On Fri, Jul 15, 2022 at 6:30 AM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Fri, 15 Jul 2022 11:22:33 +0800 Zhengchao Shao wrote:
> > +#ifdef CONFIG_DEBUG_NET
> > +     if (unlikely(!skb->len)) {
> > +             pr_err("%s\n", __func__);
> > +             skb_dump(KERN_ERR, skb, false);
> > +             WARN_ON_ONCE(1);
> > +     }
>
> Is there a reason to open code WARN_ONCE() like that?
>
> #ifdef CONFIG_DEBUG_NET
>         if (WARN_ONCE(!skb->len, "%s\n", __func__))
>                 skb_dump(KERN_ERR, skb, false);
>
> or
>
>         if (IS_ENABLED(CONFIG_DEBUG_NET) &&
>             WARN_ONCE(!skb->len, "%s\n", __func__))
>                 skb_dump(KERN_ERR, skb, false);


Also the skb_dump() needs to be done once.

DO_ONCE_LITE(skb_dump, KERN_ERR, skb, false);

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-07-15  9:18 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-07-15  3:22 [PATCH v3,bpf-next] bpf: Don't redirect packets with invalid pkt_len Zhengchao Shao
2022-07-15  4:30 ` Jakub Kicinski
2022-07-15  9:17   ` Eric Dumazet

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).