From: Breno Leitao <leitao@debian.org>
To: Kuniyuki Iwashima <kuniyu@amazon.com>
Cc: davem@davemloft.net, dsahern@kernel.org, edumazet@google.com,
horms@kernel.org, kernel-team@meta.com, kuba@kernel.org,
linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org,
mathieu.desnoyers@efficios.com, mhiramat@kernel.org,
ncardwell@google.com, netdev@vger.kernel.org, pabeni@redhat.com,
rostedt@goodmis.org, song@kernel.org, yonghong.song@linux.dev
Subject: Re: [PATCH net-next v2 2/2] trace: tcp: Add tracepoint for tcp_sendmsg_locked()
Date: Tue, 8 Apr 2025 11:06:07 -0700
Message-ID: <Z/Vlj7KPkwgEgsZu@gmail.com>
In-Reply-To: <20250408171231.35951-1-kuniyu@amazon.com>
On Tue, Apr 08, 2025 at 10:12:14AM -0700, Kuniyuki Iwashima wrote:
> From: Breno Leitao <leitao@debian.org>
> Date: Tue, 8 Apr 2025 10:01:05 -0700
> > On Tue, Apr 08, 2025 at 09:16:51AM -0600, David Ahern wrote:
> > > On 4/8/25 8:27 AM, Breno Leitao wrote:
> > > >
> > > > SEC("tracepoint/tcp/tcp_sendmsg_locked")
> > >
> > > Try `raw_tracepoint/tcp/tcp_sendmsg_locked`.
> > >
> > > This is the form I use for my tracepoint based packet capture (not tied
> > > to this tracepoint, but traces inside our driver) and it works fine.
> >
> > Thanks. I was not able to get this crashing as well. In fact, the
> > following program fails to be loaded:
> >
> > SEC("raw_tracepoint/tcp/tcp_sendmsg_locked")
>
> Try SEC("tp_btf/tcp_sendmsg_locked") and access the raw argument
> (struct sk_buff *skb) instead of bpf_raw_tracepoint_args.
Nice, I was able to crash the host, with the following code:
SEC("tp_btf/tcp_sendmsg_locked")
int BPF_PROG(tcp_sendmsg_locked, struct sock *sk, struct msghdr *msg, struct sk_buff *skb, int size_goal)
{
	/* skb arrives as NULL here; this unconditional read is what oopses (see the trace below) */
	bpf_printk("skb->len %d\n", skb->len);
	return 0;
}
This is the unusually expected stacktrace. :-)
BUG: kernel NULL pointer dereference, address: 0000000000000070
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 10ca78067 P4D 0
Oops: Oops: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI
CPU: 13 UID: 0 PID: 1020 Comm: nc Tainted: G E N 6.14.0-upstream-05880-g14fbb7a1a500 #73 PREEMPT(undef)
Tainted: [E]=UNSIGNED_MODULE, [N]=TEST
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:bpf_prog_5b31430a4390397c_tcp_sendmsg_locked+0x18/0x37
Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 0f 1f 00 55 48 89 e5 f3 0f 1e fa 48 8b 7f 10 <8b> 57 70 48 bf d8 d9 03 06 01 00 11 ff be 0d 00 00 00 e8 15 f4 4c
RSP: 0018:ffa0000003c03bd0 EFLAGS: 00010282
RAX: 5aab7562e1de3200 RBX: ffa0000003be4000 RCX: 0000000000000018
RDX: 0000000000000000 RSI: ffa0000003be4048 RDI: 0000000000000000
RBP: ffa0000003c03bd0 R08: 000000000006043d R09: ffffffffffffffff
R10: 0000000000000000 R11: ffffffffa000096c R12: ff11000104ae5b00
R13: ff1100010610a3c0 R14: ffffffff814d34ef R15: 0000000000000000
FS: 00007fd67d550740(0000) GS:ff110005a40a9000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000070 CR3: 000000010d9ec002 CR4: 0000000000771ef0
PKRU: 55555554
Call Trace:
<TASK>
? __die_body+0xaf/0xc0
? page_fault_oops+0x35b/0x3c0
? do_user_addr_fault+0x6d4/0x730
? srso_alias_return_thunk+0x5/0xfbef5
? exc_page_fault+0x5f/0xe0
? asm_exc_page_fault+0x26/0x30
? bpf_trace_run4+0xbf/0x240
? 0xffffffffa000096c
? bpf_prog_5b31430a4390397c_tcp_sendmsg_locked+0x18/0x37
bpf_trace_run4+0x14c/0x240
? trace_event_raw_event_tcp_sendmsg_locked+0xc3/0xf0
__traceiter_tcp_sendmsg_locked+0x44/0x60
tcp_sendmsg_locked+0x10c8/0x15b0
? __local_bh_enable_ip+0x166/0x1c0
? srso_alias_return_thunk+0x5/0xfbef5
tcp_sendmsg+0x2c/0x50
? __pfx_inet6_sendmsg+0x10/0x10
sock_sendmsg_nosec+0xa0/0x100
__sys_sendto+0x1b4/0x1f0
__x64_sys_sendto+0x26/0x30
do_syscall_64+0x83/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e
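Added example, not code from the thread above: a fault-tolerant version of the tp_btf program that crashed the host. The oops faults at address 0x70 with RDI == 0, i.e. the program read skb->len through a NULL skb. A plain `if (!skb)` does not help on its own, because the verifier treats tp_btf arguments as trusted, non-NULL pointers and prunes that branch as dead code unless the kernel marks the tracepoint argument as possibly NULL; reading the field with bpf_probe_read_kernel() instead goes through the kernel's fault handler and simply returns -EFAULT. Everything in the `#else` branch (the stand-in struct sk_buff, the stand-in helper, run_with_skb) is an assumption added so the same source can be compiled and checked natively; built with `clang -target bpf` it is an ordinary BPF object.

```c
/*
 * Added example (not from the thread): fault-tolerant tp_btf program.
 * With `clang -O2 -g -target bpf -c` this is a normal BPF object.
 * Built natively, the #else branch supplies stand-ins (assumptions, not
 * kernel API) so the logic can be exercised in user space.
 */
#ifdef __BPF__
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
char LICENSE[] SEC("license") = "GPL";
#else
#include <stdint.h>
#include <stdio.h>
#include <string.h>
struct sock;
struct msghdr;
/* Stand-in sk_buff (assumption): 'len' sits at offset 0x70, the address the
 * oops above faulted on, so a NULL skb yields the same bad pointer. */
struct sk_buff { unsigned long pad[14]; unsigned int len; };
#define SEC(name)
#define BPF_PROG(name, ...) name(__VA_ARGS__)
#define bpf_printk(fmt, ...) printf(fmt, __VA_ARGS__)
/* Stand-in for the helper (assumption): like the kernel's nofault copy it
 * reports -EFAULT instead of faulting; here "unmapped" means the NULL page. */
static long bpf_probe_read_kernel(void *dst, unsigned int size, const void *src)
{
	if ((uintptr_t)src < 4096)
		return -14; /* -EFAULT */
	memcpy(dst, src, size);
	return 0;
}
#endif

/* Return values only matter to the user-space check; tp_btf ignores them. */
enum { TP_TRACED = 0, TP_SKB_UNREADABLE = 1 };

SEC("tp_btf/tcp_sendmsg_locked")
int BPF_PROG(tcp_sendmsg_locked_safe, struct sock *sk, struct msghdr *msg,
	     struct sk_buff *skb, int size_goal)
{
	unsigned int len;

	(void)sk;
	(void)msg;
	/* Do not dereference skb directly: the verifier would prune `if (!skb)`
	 * as dead code for a trusted argument, and a NULL skb then oopses.
	 * A probe read returns -EFAULT instead, so the host stays up. */
	if (bpf_probe_read_kernel(&len, sizeof(len), &skb->len) < 0) {
		bpf_printk("tcp_sendmsg_locked: skb unreadable, size_goal %d\n", size_goal);
		return TP_SKB_UNREADABLE;
	}
	bpf_printk("tcp_sendmsg_locked: skb->len %u size_goal %d\n", len, size_goal);
	return TP_TRACED;
}

#ifndef __BPF__
/* User-space driver (assumption): feed the program a constructed skb, or NULL. */
int run_with_skb(unsigned int len, int pass_null)
{
	struct sk_buff skb = { .len = len };
	return tcp_sendmsg_locked_safe(NULL, NULL, pass_null ? NULL : &skb, 1460);
}
#endif
```

BPF_CORE_READ(skb, len) would do the same probe read but hides the error (it yields 0 on a fault), which is why the explicit helper call is used here. The durable fix belongs on the kernel side: once the tracepoint argument is marked as possibly NULL, the verifier rejects any program that reads skb without checking it first, and the NULL check stops being pruned.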
Thread overview: 12+ messages
2025-04-07 13:40 [PATCH net-next v2 0/2] trace: add tracepoint to tcp_sendmsg_locked Breno Leitao
2025-04-07 13:40 ` [PATCH net-next v2 1/2] net: pass const to msg_data_left() Breno Leitao
2025-04-08 0:53 ` Kuniyuki Iwashima
2025-04-08 14:20 ` Eric Dumazet
2025-04-07 13:40 ` [PATCH net-next v2 2/2] trace: tcp: Add tracepoint for tcp_sendmsg_locked() Breno Leitao
2025-04-08 1:00 ` Kuniyuki Iwashima
2025-04-08 14:27 ` Breno Leitao
2025-04-08 15:16 ` David Ahern
2025-04-08 17:01 ` Breno Leitao
2025-04-08 17:12 ` Kuniyuki Iwashima
2025-04-08 18:06 ` Breno Leitao [this message]
2025-04-08 1:05 ` Kuniyuki Iwashima