[PATCH] Fixes the null pointer deferences in nsim

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] Fixes the null pointer deferences in nsim_bpf
@ 2023-11-10  8:44 Dipendra Khadka
  2023-11-10  8:52 ` Eric Dumazet
  2023-11-10 11:18 ` [PATCH v2] " Dipendra Khadka
  0 siblings, 2 replies; 5+ messages in thread
From: Dipendra Khadka @ 2023-11-10  8:44 UTC (permalink / raw)
  To: kuba, davem, edumazet, pabeni
  Cc: Dipendra Khadka, netdev, linux-kernel, linux-kernel-mentees,
	syzbot+44c2416196b7c607f226

Syzkaller found a null pointer dereference in nsim_bpf
originating from the lack of a null check for state.

This patch fixes the issue by adding a check for state
in two functions nsim_prog_set_loaded and nsim_setup_prog_hw_checks

Reported-by: syzbot+44c2416196b7c607f226@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com./bug?extid=44c2416196b7c607f226

Signed-off-by: Dipendra Khadka <kdipendra88@gmail.com>
---
 drivers/net/netdevsim/bpf.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/net/netdevsim/bpf.c b/drivers/net/netdevsim/bpf.c
index f60eb97e3a62..e407efb0e3de 100644
--- a/drivers/net/netdevsim/bpf.c
+++ b/drivers/net/netdevsim/bpf.c
@@ -97,7 +97,8 @@ static void nsim_prog_set_loaded(struct bpf_prog *prog, bool loaded)
 		return;
 
 	state = prog->aux->offload->dev_priv;
-	state->is_loaded = loaded;
+	if (state)
+		state->is_loaded = loaded;
 }
 
 static int
@@ -317,10 +318,12 @@ nsim_setup_prog_hw_checks(struct netdevsim *ns, struct netdev_bpf *bpf)
 	}
 
 	state = bpf->prog->aux->offload->dev_priv;
-	if (WARN_ON(strcmp(state->state, "xlated"))) {
-		NSIM_EA(bpf->extack, "offloading program in bad state");
-		return -EINVAL;
-	}
+	if (state) {
+		if (WARN_ON(strcmp(state->state, "xlated"))) {
+			NSIM_EA(bpf->extack, "offloading program in bad state");
+			return -EINVAL;
+		}
+	}
 	return 0;
 }
 
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] Fixes the null pointer deferences in nsim_bpf
  2023-11-10  8:44 [PATCH] Fixes the null pointer deferences in nsim_bpf Dipendra Khadka
@ 2023-11-10  8:52 ` Eric Dumazet
  2023-11-10 11:18 ` [PATCH v2] " Dipendra Khadka
  1 sibling, 0 replies; 5+ messages in thread
From: Eric Dumazet @ 2023-11-10  8:52 UTC (permalink / raw)
  To: Dipendra Khadka
  Cc: kuba, davem, pabeni, netdev, linux-kernel, linux-kernel-mentees,
	syzbot+44c2416196b7c607f226

On Fri, Nov 10, 2023 at 9:45 AM Dipendra Khadka <kdipendra88@gmail.com> wrote:
>
> Syzkaller found a null pointer dereference in nsim_bpf
> originating from the lack of a null check for state.
>
> This patch fixes the issue by adding a check for state
> in two functions nsim_prog_set_loaded and nsim_setup_prog_hw_checks
>
> Reported-by: syzbot+44c2416196b7c607f226@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com./bug?extid=44c2416196b7c607f226

Please add a Fixes: tag, and remove this empty line, thanks.

>
> Signed-off-by: Dipendra Khadka <kdipendra88@gmail.com>
> ---
>  drivers/net/netdevsim/bpf.c | 13 ++++++++-----
>  1 file changed, 8 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/net/netdevsim/bpf.c b/drivers/net/netdevsim/bpf.c
> index f60eb97e3a62..e407efb0e3de 100644
> --- a/drivers/net/netdevsim/bpf.c
> +++ b/drivers/net/netdevsim/bpf.c
> @@ -97,7 +97,8 @@ static void nsim_prog_set_loaded(struct bpf_prog *prog, bool loaded)
>                 return;
>
>         state = prog->aux->offload->dev_priv;
> -       state->is_loaded = loaded;
> +       if (state)
> +               state->is_loaded = loaded;
>  }
>
>  static int
> @@ -317,10 +318,12 @@ nsim_setup_prog_hw_checks(struct netdevsim *ns, struct netdev_bpf *bpf)
>         }
>
>         state = bpf->prog->aux->offload->dev_priv;
> -       if (WARN_ON(strcmp(state->state, "xlated"))) {
> -               NSIM_EA(bpf->extack, "offloading program in bad state");
> -               return -EINVAL;
> -       }
> +       if (state) {
> +               if (WARN_ON(strcmp(state->state, "xlated"))) {
> +                       NSIM_EA(bpf->extack, "offloading program in bad state");
> +                       return -EINVAL;
> +               }
> +       }
>         return 0;
>  }
>
> --
> 2.34.1
>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH v2] Fixes the null pointer deferences in nsim_bpf
  2023-11-10  8:44 [PATCH] Fixes the null pointer deferences in nsim_bpf Dipendra Khadka
  2023-11-10  8:52 ` Eric Dumazet
@ 2023-11-10 11:18 ` Dipendra Khadka
  2023-11-10 19:12   ` Jakub Kicinski
  1 sibling, 1 reply; 5+ messages in thread
From: Dipendra Khadka @ 2023-11-10 11:18 UTC (permalink / raw)
  To: kuba, davem, edumazet, pabeni
  Cc: Dipendra Khadka, netdev, linux-kernel, linux-kernel-mentees,
	syzbot+44c2416196b7c607f226

Syzkaller found a null pointer dereference in nsim_bpf
originating from the lack of a null check for state.

This patch fixes the issue by adding a check for state
in two functions nsim_prog_set_loaded() and nsim_setup_prog_hw_checks()

Reported-by: syzbot+44c2416196b7c607f226@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com./bug?extid=44c2416196b7c607f226
Fixes: 31d3ad832948 ("netdevsim: add bpf offload support")
Signed-off-by: Dipendra Khadka <kdipendra88@gmail.com>
---
 drivers/net/netdevsim/bpf.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/net/netdevsim/bpf.c b/drivers/net/netdevsim/bpf.c
index f60eb97e3a62..5d755da3c736 100644
--- a/drivers/net/netdevsim/bpf.c
+++ b/drivers/net/netdevsim/bpf.c
@@ -97,7 +97,8 @@ static void nsim_prog_set_loaded(struct bpf_prog *prog, bool loaded)
 		return;
 
 	state = prog->aux->offload->dev_priv;
-	state->is_loaded = loaded;
+	if (state)
+		state->is_loaded = loaded;
 }
 
 static int
@@ -317,9 +318,11 @@ nsim_setup_prog_hw_checks(struct netdevsim *ns, struct netdev_bpf *bpf)
 	}
 
 	state = bpf->prog->aux->offload->dev_priv;
-	if (WARN_ON(strcmp(state->state, "xlated"))) {
-		NSIM_EA(bpf->extack, "offloading program in bad state");
-		return -EINVAL;
+	if (state) {
+		if (WARN_ON(strcmp(state->state, "xlated"))) {
+			NSIM_EA(bpf->extack, "offloading program in bad state");
+			return -EINVAL;
+		}
 	}
 	return 0;
 }
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH v2] Fixes the null pointer deferences in nsim_bpf
  2023-11-10 11:18 ` [PATCH v2] " Dipendra Khadka
@ 2023-11-10 19:12   ` Jakub Kicinski
  2023-11-10 19:20     ` Stanislav Fomichev
  0 siblings, 1 reply; 5+ messages in thread
From: Jakub Kicinski @ 2023-11-10 19:12 UTC (permalink / raw)
  To: Dipendra Khadka
  Cc: davem, edumazet, pabeni, netdev, linux-kernel,
	linux-kernel-mentees, syzbot+44c2416196b7c607f226,
	Stanislav Fomichev

On Fri, 10 Nov 2023 11:18:23 +0000 Dipendra Khadka wrote:
> Syzkaller found a null pointer dereference in nsim_bpf
> originating from the lack of a null check for state.
> 
> This patch fixes the issue by adding a check for state
> in two functions nsim_prog_set_loaded() and nsim_setup_prog_hw_checks()
> 
> Reported-by: syzbot+44c2416196b7c607f226@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com./bug?extid=44c2416196b7c607f226
> Fixes: 31d3ad832948 ("netdevsim: add bpf offload support")

Don't think so. It's probably due to Stan's extensions / reuse of 
the offload infra.

Please put more effort into figuring out when and why this started
happening. Describe your findings in the commit message.

Current patch looks too much like a bandaid.

Before you repost read:
https://www.kernel.org/doc/html/next/process/maintainer-netdev.html
-- 
pw-bot: cr
pv-bot: syz
pv-bot: 24h

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2] Fixes the null pointer deferences in nsim_bpf
  2023-11-10 19:12   ` Jakub Kicinski
@ 2023-11-10 19:20     ` Stanislav Fomichev
  0 siblings, 0 replies; 5+ messages in thread
From: Stanislav Fomichev @ 2023-11-10 19:20 UTC (permalink / raw)
  To: Jakub Kicinski
  Cc: Dipendra Khadka, davem, edumazet, pabeni, netdev, linux-kernel,
	linux-kernel-mentees, syzbot+44c2416196b7c607f226,
	Stanislav Fomichev

On 11/10, Jakub Kicinski wrote:
> On Fri, 10 Nov 2023 11:18:23 +0000 Dipendra Khadka wrote:
> > Syzkaller found a null pointer dereference in nsim_bpf
> > originating from the lack of a null check for state.
> > 
> > This patch fixes the issue by adding a check for state
> > in two functions nsim_prog_set_loaded() and nsim_setup_prog_hw_checks()
> > 
> > Reported-by: syzbot+44c2416196b7c607f226@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com./bug?extid=44c2416196b7c607f226
> > Fixes: 31d3ad832948 ("netdevsim: add bpf offload support")
> 
> Don't think so. It's probably due to Stan's extensions / reuse of 
> the offload infra.
> 
> Please put more effort into figuring out when and why this started
> happening. Describe your findings in the commit message.
> 
> Current patch looks too much like a bandaid.
> 
> Before you repost read:
> https://www.kernel.org/doc/html/next/process/maintainer-netdev.html

I agree, I have a similar suspicion for the same report on the bpf list [0].

0: https://lore.kernel.org/bpf/ZU13dQb2z66CJlYi@google.com/

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2023-11-10 19:20 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-11-10  8:44 [PATCH] Fixes the null pointer deferences in nsim_bpf Dipendra Khadka
2023-11-10  8:52 ` Eric Dumazet
2023-11-10 11:18 ` [PATCH v2] " Dipendra Khadka
2023-11-10 19:12   ` Jakub Kicinski
2023-11-10 19:20     ` Stanislav Fomichev

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).