[PATCH bpf-next] bpf: test_bpf: add dummy dev->net for flow_dissector

[PATCH bpf-next] bpf: test_bpf: add dummy dev->net for flow_dissector

[Song Liu]

Latest changes in __skb_flow_dissect() assume skb->dev has valid nd_net.
However, this is not true for test_bpf. As a result, test_bpf.ko crashes
the system with the following stack trace:

[ 1133.716622] BUG: unable to handle kernel paging request at 0000000000001030
[ 1133.716623] PGD 8000001fbf7ee067
[ 1133.716624] P4D 8000001fbf7ee067
[ 1133.716624] PUD 1f6c1cf067
[ 1133.716625] PMD 0
[ 1133.716628] Oops: 0000 [#1] SMP PTI
[ 1133.716630] CPU: 7 PID: 40473 Comm: modprobe Kdump: loaded Not tainted 4.19.0-rc5-00805-gca11cc92ccd2 #1167
[ 1133.716631] Hardware name: Wiwynn Leopard-Orv2/Leopard-DDR BW, BIOS LBM12.5 12/06/2017
[ 1133.716638] RIP: 0010:__skb_flow_dissect+0x83/0x1680
[ 1133.716639] Code: 04 00 00 41 0f b7 44 24 04 48 85 db 4d 8d 14 07 0f 84 01 02 00 00 48 8b 43 10 48 85 c0 0f 84 e5 01 00 00 48 8b 80 a8 04 00 00 <48> 8b 90 30 10 00 00 48 85 d2 0f 84 dd 01 00 00 31 c0 b9 05 00 00
[ 1133.716640] RSP: 0018:ffffc900303c7a80 EFLAGS: 00010282
[ 1133.716642] RAX: 0000000000000000 RBX: ffff881fea0b7400 RCX: 0000000000000000
[ 1133.716643] RDX: ffffc900303c7bb4 RSI: ffffffff8235c3e0 RDI: ffff881fea0b7400
[ 1133.716643] RBP: ffffc900303c7b80 R08: 0000000000000000 R09: 000000000000000e
[ 1133.716644] R10: ffffc900303c7bb4 R11: ffff881fb6840400 R12: ffffffff8235c3e0
[ 1133.716645] R13: 0000000000000008 R14: 000000000000001e R15: ffffc900303c7bb4
[ 1133.716646] FS:  00007f54e75d3740(0000) GS:ffff881fff5c0000(0000) knlGS:0000000000000000
[ 1133.716648] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1133.716649] CR2: 0000000000001030 CR3: 0000001f6c226005 CR4: 00000000003606e0
[ 1133.716649] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1133.716650] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1133.716651] Call Trace:
[ 1133.716660]  ? sched_clock_cpu+0xc/0xa0
[ 1133.716662]  ? sched_clock_cpu+0xc/0xa0
[ 1133.716665]  ? log_store+0x1b5/0x260
[ 1133.716667]  ? up+0x12/0x60
[ 1133.716669]  ? skb_get_poff+0x4b/0xa0
[ 1133.716674]  ? __kmalloc_reserve.isra.47+0x2e/0x80
[ 1133.716675]  skb_get_poff+0x4b/0xa0
[ 1133.716680]  bpf_skb_get_pay_offset+0xa/0x10
[ 1133.716686]  ? test_bpf_init+0x578/0x1000 [test_bpf]
[ 1133.716690]  ? netlink_broadcast_filtered+0x153/0x3d0
[ 1133.716695]  ? free_pcppages_bulk+0x324/0x600
[ 1133.716696]  ? 0xffffffffa0279000
[ 1133.716699]  ? do_one_initcall+0x46/0x1bd
[ 1133.716704]  ? kmem_cache_alloc_trace+0x144/0x1a0
[ 1133.716709]  ? do_init_module+0x5b/0x209
[ 1133.716712]  ? load_module+0x2136/0x25d0
[ 1133.716715]  ? __do_sys_finit_module+0xba/0xe0
[ 1133.716717]  ? __do_sys_finit_module+0xba/0xe0
[ 1133.716719]  ? do_syscall_64+0x48/0x100
[ 1133.716724]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9

This patch fixes tes_bpf by adding a dummy struct net to the dummy dev.

Fixes: d0e13a1488ad ("flow_dissector: lookup netns by skb->sk if skb->dev is NULL")
Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook")
Cc: Willem de Bruijn <willemb@google.com>
Cc: Petar Penkov <ppenkov@google.com>
Signed-off-by: Song Liu <songliubraving@fb.com>
---
 lib/test_bpf.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/test_bpf.c b/lib/test_bpf.c
index 08d3d59dca17..5e29d4bd06c8 100644
--- a/lib/test_bpf.c
+++ b/lib/test_bpf.c
@@ -6470,6 +6470,7 @@ static struct bpf_test tests[] = {
 	},
 };
 
+static struct net net;
 static struct net_device dev;
 
 static struct sk_buff *populate_skb(char *buf, int size)
@@ -6494,6 +6495,8 @@ static struct sk_buff *populate_skb(char *buf, int size)
 	skb->queue_mapping = SKB_QUEUE_MAP;
 	skb->vlan_tci = SKB_VLAN_TCI;
 	skb->vlan_proto = htons(ETH_P_IP);
+	dev_net_set(&dev, &net);
+	RCU_INIT_POINTER(net.flow_dissector_prog, NULL);
 	skb->dev = &dev;
 	skb->dev->ifindex = SKB_DEV_IFINDEX;
 	skb->dev->type = SKB_DEV_TYPE;
-- 
2.17.1

Re: [PATCH bpf-next] bpf: test_bpf: add dummy dev->net for flow_dissector

[Eric Dumazet]

On 09/27/2018 12:15 AM, Song Liu wrote:
> Latest changes in __skb_flow_dissect() assume skb->dev has valid nd_net.
> However, this is not true for test_bpf. As a result, test_bpf.ko crashes
> the system with the following stack trace:
> 
> 
> This patch fixes tes_bpf by adding a dummy struct net to the dummy dev.
> 
> Fixes: d0e13a1488ad ("flow_dissector: lookup netns by skb->sk if skb->dev is NULL")
> Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook")
> Cc: Willem de Bruijn <willemb@google.com>
> Cc: Petar Penkov <ppenkov@google.com>
> Signed-off-by: Song Liu <songliubraving@fb.com>

Reported-by: Eric Dumazet <edumazet@google.com>

Thanks.

Re: [PATCH bpf-next] bpf: test_bpf: add dummy dev->net for flow_dissector

[Eric Dumazet]

On 09/27/2018 12:15 AM, Song Liu wrote:
> Latest changes in __skb_flow_dissect() assume skb->dev has valid nd_net.
> However, this is not true for test_bpf. As a result, test_bpf.ko crashes
> the system with the following stack trace:
> 

> +	dev_net_set(&dev, &net);

This is yet another fake stuff that will break some day, so many other things would
need to be setup properly in a real "struct net"

What about using the current net_ns ?

dev_net_set(&dev, current->nsproxy->net_ns);

This might be &init_net in the context of test_bpf(), so maybe simply use &init_net
to clearly state that test_bpf is not net ns fully ready.


> +	RCU_INIT_POINTER(net.flow_dissector_prog, NULL);

This really was not needed. Everything is already zero.

>  	skb->dev = &dev;
>  	skb->dev->ifindex = SKB_DEV_IFINDEX;
>  	skb->dev->type = SKB_DEV_TYPE;
> 

Re: [PATCH bpf-next] bpf: test_bpf: add dummy dev->net for flow_dissector

[Willem de Bruijn]

On Thu, Sep 27, 2018 at 9:00 AM Eric Dumazet <eric.dumazet@gmail.com> wrote:
>
>
>
> On 09/27/2018 12:15 AM, Song Liu wrote:
> > Latest changes in __skb_flow_dissect() assume skb->dev has valid nd_net.
> > However, this is not true for test_bpf. As a result, test_bpf.ko crashes
> > the system with the following stack trace:
> >
>
> > +     dev_net_set(&dev, &net);
>
> This is yet another fake stuff that will break some day, so many other things would
> need to be setup properly in a real "struct net"
>
> What about using the current net_ns ?
>
> dev_net_set(&dev, current->nsproxy->net_ns);
>
> This might be &init_net in the context of test_bpf(), so maybe simply use &init_net
> to clearly state that test_bpf is not net ns fully ready.

Agreed.

Thanks for fixing this.