[PATCH net 1/2] net: xdp: Disallow attaching device-bound programs in generic mode

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH net 1/2] net: xdp: Disallow attaching device-bound programs in generic mode
@ 2025-01-27 13:13 Toke Høiland-Jørgensen
  2025-01-27 13:13 ` [PATCH net 2/2] selftests/net: Add test for loading devbound XDP program " Toke Høiland-Jørgensen
                   ` (3 more replies)
  0 siblings, 4 replies; 6+ messages in thread
From: Toke Høiland-Jørgensen @ 2025-01-27 13:13 UTC (permalink / raw)
  To: Alexei Starovoitov, Daniel Borkmann, David S. Miller,
	Jakub Kicinski, Jesper Dangaard Brouer, John Fastabend,
	Stanislav Fomichev, Martin KaFai Lau
  Cc: Toke Høiland-Jørgensen, Marcus Wichelmann, Eric Dumazet,
	Paolo Abeni, Simon Horman, netdev, bpf

Device-bound programs are used to support RX metadata kfuncs. These
kfuncs are driver-specific and rely on the driver context to read the
metadata. This means they can't work in generic XDP mode. However, there
is no check to disallow such programs from being attached in generic
mode, in which case the metadata kfuncs will be called in an invalid
context, leading to crashes.

Fix this by adding a check to disallow attaching device-bound programs
in generic mode.

Fixes: 2b3486bc2d23 ("bpf: Introduce device-bound XDP programs")
Reported-by: Marcus Wichelmann <marcus.wichelmann@hetzner-cloud.de>
Closes: https://lore.kernel.org/r/dae862ec-43b5-41a0-8edf-46c59071cdda@hetzner-cloud.de
Tested-by: Marcus Wichelmann <marcus.wichelmann@hetzner-cloud.de>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
---
 net/core/dev.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/core/dev.c b/net/core/dev.c
index afa2282f2604..c1fa68264989 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -9924,6 +9924,10 @@ static int dev_xdp_attach(struct net_device *dev, struct netlink_ext_ack *extack
 			NL_SET_ERR_MSG(extack, "Program bound to different device");
 			return -EINVAL;
 		}
+		if (bpf_prog_is_dev_bound(new_prog->aux) && mode == XDP_MODE_SKB) {
+			NL_SET_ERR_MSG(extack, "Can't attach device-bound programs in generic mode");
+			return -EINVAL;
+		}
 		if (new_prog->expected_attach_type == BPF_XDP_DEVMAP) {
 			NL_SET_ERR_MSG(extack, "BPF_XDP_DEVMAP programs can not be attached to a device");
 			return -EINVAL;
-- 
2.48.1


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [PATCH net 2/2] selftests/net: Add test for loading devbound XDP program in generic mode
  2025-01-27 13:13 [PATCH net 1/2] net: xdp: Disallow attaching device-bound programs in generic mode Toke Høiland-Jørgensen
@ 2025-01-27 13:13 ` Toke Høiland-Jørgensen
  2025-01-27 16:50   ` Stanislav Fomichev
  2025-01-27 15:55 ` [PATCH net 1/2] net: xdp: Disallow attaching device-bound programs " Daniel Borkmann
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 6+ messages in thread
From: Toke Høiland-Jørgensen @ 2025-01-27 13:13 UTC (permalink / raw)
  To: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Simon Horman, Alexei Starovoitov, Daniel Borkmann,
	Jesper Dangaard Brouer, John Fastabend
  Cc: Toke Høiland-Jørgensen, Shuah Khan, netdev, bpf

Add a test to bpf_offload.py for loading a devbound XDP program in
generic mode, checking that it fails correctly.

Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
---
 tools/testing/selftests/net/bpf_offload.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/net/bpf_offload.py b/tools/testing/selftests/net/bpf_offload.py
index d10f420e4ef6..fd0d959914e4 100755
--- a/tools/testing/selftests/net/bpf_offload.py
+++ b/tools/testing/selftests/net/bpf_offload.py
@@ -215,12 +215,14 @@ def bpftool_map_list_wait(expected=0, n_retry=20, ns=""):
     raise Exception("Time out waiting for map counts to stabilize want %d, have %d" % (expected, nmaps))
 
 def bpftool_prog_load(sample, file_name, maps=[], prog_type="xdp", dev=None,
-                      fail=True, include_stderr=False):
+                      fail=True, include_stderr=False, dev_bind=None):
     args = "prog load %s %s" % (os.path.join(bpf_test_dir, sample), file_name)
     if prog_type is not None:
         args += " type " + prog_type
     if dev is not None:
         args += " dev " + dev
+    elif dev_bind is not None:
+        args += " xdpmeta_dev " + dev_bind
     if len(maps):
         args += " map " + " map ".join(maps)
 
@@ -980,6 +982,16 @@ try:
     rm("/sys/fs/bpf/offload")
     sim.wait_for_flush()
 
+    bpftool_prog_load("sample_ret0.bpf.o", "/sys/fs/bpf/devbound",
+                      dev_bind=sim['ifname'])
+    devbound = bpf_pinned("/sys/fs/bpf/devbound")
+    start_test("Test dev-bound program in generic mode...")
+    ret, _, err = sim.set_xdp(devbound, "generic", fail=False, include_stderr=True)
+    fail(ret == 0, "devbound program in generic mode allowed")
+    check_extack(err, "Can't attach device-bound programs in generic mode.", args)
+    rm("/sys/fs/bpf/devbound")
+    sim.wait_for_flush()
+
     start_test("Test XDP load failure...")
     sim.dfs["dev/bpf_bind_verifier_accept"] = 0
     ret, _, err = bpftool_prog_load("sample_ret0.bpf.o", "/sys/fs/bpf/offload",
-- 
2.48.1


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH net 2/2] selftests/net: Add test for loading devbound XDP program in generic mode
  2025-01-27 13:13 ` [PATCH net 2/2] selftests/net: Add test for loading devbound XDP program " Toke Høiland-Jørgensen
@ 2025-01-27 16:50   ` Stanislav Fomichev
  0 siblings, 0 replies; 6+ messages in thread
From: Stanislav Fomichev @ 2025-01-27 16:50 UTC (permalink / raw)
  To: Toke Høiland-Jørgensen
  Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Simon Horman, Alexei Starovoitov, Daniel Borkmann,
	Jesper Dangaard Brouer, John Fastabend, Shuah Khan, netdev, bpf

On 01/27, Toke Høiland-Jørgensen wrote:
> Add a test to bpf_offload.py for loading a devbound XDP program in
> generic mode, checking that it fails correctly.
> 
> Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>

Acked-by: Stanislav Fomichev <sdf@fomichev.me>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH net 1/2] net: xdp: Disallow attaching device-bound programs in generic mode
  2025-01-27 13:13 [PATCH net 1/2] net: xdp: Disallow attaching device-bound programs in generic mode Toke Høiland-Jørgensen
  2025-01-27 13:13 ` [PATCH net 2/2] selftests/net: Add test for loading devbound XDP program " Toke Høiland-Jørgensen
@ 2025-01-27 15:55 ` Daniel Borkmann
  2025-01-27 23:23 ` Martin KaFai Lau
  2025-01-30  3:40 ` patchwork-bot+netdevbpf
  3 siblings, 0 replies; 6+ messages in thread
From: Daniel Borkmann @ 2025-01-27 15:55 UTC (permalink / raw)
  To: Toke Høiland-Jørgensen, Alexei Starovoitov,
	David S. Miller, Jakub Kicinski, Jesper Dangaard Brouer,
	John Fastabend, Stanislav Fomichev, Martin KaFai Lau
  Cc: Marcus Wichelmann, Eric Dumazet, Paolo Abeni, Simon Horman,
	netdev, bpf

On 1/27/25 2:13 PM, Toke Høiland-Jørgensen wrote:
> Device-bound programs are used to support RX metadata kfuncs. These
> kfuncs are driver-specific and rely on the driver context to read the
> metadata. This means they can't work in generic XDP mode. However, there
> is no check to disallow such programs from being attached in generic
> mode, in which case the metadata kfuncs will be called in an invalid
> context, leading to crashes.
> 
> Fix this by adding a check to disallow attaching device-bound programs
> in generic mode.
> 
> Fixes: 2b3486bc2d23 ("bpf: Introduce device-bound XDP programs")
> Reported-by: Marcus Wichelmann <marcus.wichelmann@hetzner-cloud.de>
> Closes: https://lore.kernel.org/r/dae862ec-43b5-41a0-8edf-46c59071cdda@hetzner-cloud.de
> Tested-by: Marcus Wichelmann <marcus.wichelmann@hetzner-cloud.de>
> Acked-by: Stanislav Fomichev <sdf@fomichev.me>
> Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>

Acked-by: Daniel Borkmann <daniel@iogearbox.net>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH net 1/2] net: xdp: Disallow attaching device-bound programs in generic mode
  2025-01-27 13:13 [PATCH net 1/2] net: xdp: Disallow attaching device-bound programs in generic mode Toke Høiland-Jørgensen
  2025-01-27 13:13 ` [PATCH net 2/2] selftests/net: Add test for loading devbound XDP program " Toke Høiland-Jørgensen
  2025-01-27 15:55 ` [PATCH net 1/2] net: xdp: Disallow attaching device-bound programs " Daniel Borkmann
@ 2025-01-27 23:23 ` Martin KaFai Lau
  2025-01-30  3:40 ` patchwork-bot+netdevbpf
  3 siblings, 0 replies; 6+ messages in thread
From: Martin KaFai Lau @ 2025-01-27 23:23 UTC (permalink / raw)
  To: Toke Høiland-Jørgensen
  Cc: Alexei Starovoitov, Daniel Borkmann, David S. Miller,
	Jakub Kicinski, Jesper Dangaard Brouer, John Fastabend,
	Stanislav Fomichev, Marcus Wichelmann, Eric Dumazet, Paolo Abeni,
	Simon Horman, netdev, bpf

On 1/27/25 5:13 AM, Toke Høiland-Jørgensen wrote:
> Device-bound programs are used to support RX metadata kfuncs. These
> kfuncs are driver-specific and rely on the driver context to read the
> metadata. This means they can't work in generic XDP mode. However, there
> is no check to disallow such programs from being attached in generic
> mode, in which case the metadata kfuncs will be called in an invalid
> context, leading to crashes.
> 
> Fix this by adding a check to disallow attaching device-bound programs
> in generic mode.

Acked-by: Martin KaFai Lau <martin.lau@kernel.org>


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH net 1/2] net: xdp: Disallow attaching device-bound programs in generic mode
  2025-01-27 13:13 [PATCH net 1/2] net: xdp: Disallow attaching device-bound programs in generic mode Toke Høiland-Jørgensen
                   ` (2 preceding siblings ...)
  2025-01-27 23:23 ` Martin KaFai Lau
@ 2025-01-30  3:40 ` patchwork-bot+netdevbpf
  3 siblings, 0 replies; 6+ messages in thread
From: patchwork-bot+netdevbpf @ 2025-01-30  3:40 UTC (permalink / raw)
  To: =?utf-8?b?VG9rZSBIw7hpbGFuZC1Kw7hyZ2Vuc2VuIDx0b2tlQHJlZGhhdC5jb20+?=
  Cc: ast, daniel, davem, kuba, hawk, john.fastabend, sdf, martin.lau,
	marcus.wichelmann, edumazet, pabeni, horms, netdev, bpf

Hello:

This series was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Mon, 27 Jan 2025 14:13:42 +0100 you wrote:
> Device-bound programs are used to support RX metadata kfuncs. These
> kfuncs are driver-specific and rely on the driver context to read the
> metadata. This means they can't work in generic XDP mode. However, there
> is no check to disallow such programs from being attached in generic
> mode, in which case the metadata kfuncs will be called in an invalid
> context, leading to crashes.
> 
> [...]

Here is the summary with links:
  - [net,1/2] net: xdp: Disallow attaching device-bound programs in generic mode
    https://git.kernel.org/netdev/net/c/3595599fa836
  - [net,2/2] selftests/net: Add test for loading devbound XDP program in generic mode
    https://git.kernel.org/netdev/net/c/f7bf624b1fed

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2025-01-30  3:40 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-01-27 13:13 [PATCH net 1/2] net: xdp: Disallow attaching device-bound programs in generic mode Toke Høiland-Jørgensen
2025-01-27 13:13 ` [PATCH net 2/2] selftests/net: Add test for loading devbound XDP program " Toke Høiland-Jørgensen
2025-01-27 16:50   ` Stanislav Fomichev
2025-01-27 15:55 ` [PATCH net 1/2] net: xdp: Disallow attaching device-bound programs " Daniel Borkmann
2025-01-27 23:23 ` Martin KaFai Lau
2025-01-30  3:40 ` patchwork-bot+netdevbpf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).