[PATCH net 1/2] net: xdp: Disallow attaching device-bound programs in generic mode

[PATCH net 1/2] net: xdp: Disallow attaching device-bound programs in generic mode

[Toke Høiland-Jørgensen]

Device-bound programs are used to support RX metadata kfuncs. These
kfuncs are driver-specific and rely on the driver context to read the
metadata. This means they can't work in generic XDP mode. However, there
is no check to disallow such programs from being attached in generic
mode, in which case the metadata kfuncs will be called in an invalid
context, leading to crashes.

Fix this by adding a check to disallow attaching device-bound programs
in generic mode.

Fixes: 2b3486bc2d23 ("bpf: Introduce device-bound XDP programs")
Reported-by: Marcus Wichelmann <marcus.wichelmann@hetzner-cloud.de>
Closes: https://lore.kernel.org/r/dae862ec-43b5-41a0-8edf-46c59071cdda@hetzner-cloud.de
Tested-by: Marcus Wichelmann <marcus.wichelmann@hetzner-cloud.de>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
---
 net/core/dev.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/core/dev.c b/net/core/dev.c
index afa2282f2604..c1fa68264989 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -9924,6 +9924,10 @@ static int dev_xdp_attach(struct net_device *dev, struct netlink_ext_ack *extack
 			NL_SET_ERR_MSG(extack, "Program bound to different device");
 			return -EINVAL;
 		}
+		if (bpf_prog_is_dev_bound(new_prog->aux) && mode == XDP_MODE_SKB) {
+			NL_SET_ERR_MSG(extack, "Can't attach device-bound programs in generic mode");
+			return -EINVAL;
+		}
 		if (new_prog->expected_attach_type == BPF_XDP_DEVMAP) {
 			NL_SET_ERR_MSG(extack, "BPF_XDP_DEVMAP programs can not be attached to a device");
 			return -EINVAL;
-- 
2.48.1

[PATCH net 2/2] selftests/net: Add test for loading devbound XDP program in generic mode

[Toke Høiland-Jørgensen]

Add a test to bpf_offload.py for loading a devbound XDP program in
generic mode, checking that it fails correctly.

Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
---
 tools/testing/selftests/net/bpf_offload.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/net/bpf_offload.py b/tools/testing/selftests/net/bpf_offload.py
index d10f420e4ef6..fd0d959914e4 100755
--- a/tools/testing/selftests/net/bpf_offload.py
+++ b/tools/testing/selftests/net/bpf_offload.py
@@ -215,12 +215,14 @@ def bpftool_map_list_wait(expected=0, n_retry=20, ns=""):
     raise Exception("Time out waiting for map counts to stabilize want %d, have %d" % (expected, nmaps))
 
 def bpftool_prog_load(sample, file_name, maps=[], prog_type="xdp", dev=None,
-                      fail=True, include_stderr=False):
+                      fail=True, include_stderr=False, dev_bind=None):
     args = "prog load %s %s" % (os.path.join(bpf_test_dir, sample), file_name)
     if prog_type is not None:
         args += " type " + prog_type
     if dev is not None:
         args += " dev " + dev
+    elif dev_bind is not None:
+        args += " xdpmeta_dev " + dev_bind
     if len(maps):
         args += " map " + " map ".join(maps)
 
@@ -980,6 +982,16 @@ try:
     rm("/sys/fs/bpf/offload")
     sim.wait_for_flush()
 
+    bpftool_prog_load("sample_ret0.bpf.o", "/sys/fs/bpf/devbound",
+                      dev_bind=sim['ifname'])
+    devbound = bpf_pinned("/sys/fs/bpf/devbound")
+    start_test("Test dev-bound program in generic mode...")
+    ret, _, err = sim.set_xdp(devbound, "generic", fail=False, include_stderr=True)
+    fail(ret == 0, "devbound program in generic mode allowed")
+    check_extack(err, "Can't attach device-bound programs in generic mode.", args)
+    rm("/sys/fs/bpf/devbound")
+    sim.wait_for_flush()
+
     start_test("Test XDP load failure...")
     sim.dfs["dev/bpf_bind_verifier_accept"] = 0
     ret, _, err = bpftool_prog_load("sample_ret0.bpf.o", "/sys/fs/bpf/offload",
-- 
2.48.1

Re: [PATCH net 1/2] net: xdp: Disallow attaching device-bound programs in generic mode

[Daniel Borkmann]

On 1/27/25 2:13 PM, Toke Høiland-Jørgensen wrote:
> Device-bound programs are used to support RX metadata kfuncs. These
> kfuncs are driver-specific and rely on the driver context to read the
> metadata. This means they can't work in generic XDP mode. However, there
> is no check to disallow such programs from being attached in generic
> mode, in which case the metadata kfuncs will be called in an invalid
> context, leading to crashes.
> 
> Fix this by adding a check to disallow attaching device-bound programs
> in generic mode.
> 
> Fixes: 2b3486bc2d23 ("bpf: Introduce device-bound XDP programs")
> Reported-by: Marcus Wichelmann <marcus.wichelmann@hetzner-cloud.de>
> Closes: https://lore.kernel.org/r/dae862ec-43b5-41a0-8edf-46c59071cdda@hetzner-cloud.de
> Tested-by: Marcus Wichelmann <marcus.wichelmann@hetzner-cloud.de>
> Acked-by: Stanislav Fomichev <sdf@fomichev.me>
> Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>

Acked-by: Daniel Borkmann <daniel@iogearbox.net>

Re: [PATCH net 2/2] selftests/net: Add test for loading devbound XDP program in generic mode

[Stanislav Fomichev]

On 01/27, Toke Høiland-Jørgensen wrote:
> Add a test to bpf_offload.py for loading a devbound XDP program in
> generic mode, checking that it fails correctly.
> 
> Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>

Acked-by: Stanislav Fomichev <sdf@fomichev.me>

Re: [PATCH net 1/2] net: xdp: Disallow attaching device-bound programs in generic mode

[Martin KaFai Lau]

On 1/27/25 5:13 AM, Toke Høiland-Jørgensen wrote:
> Device-bound programs are used to support RX metadata kfuncs. These
> kfuncs are driver-specific and rely on the driver context to read the
> metadata. This means they can't work in generic XDP mode. However, there
> is no check to disallow such programs from being attached in generic
> mode, in which case the metadata kfuncs will be called in an invalid
> context, leading to crashes.
> 
> Fix this by adding a check to disallow attaching device-bound programs
> in generic mode.

Acked-by: Martin KaFai Lau <martin.lau@kernel.org>

Re: [PATCH net 1/2] net: xdp: Disallow attaching device-bound programs in generic mode

[patchwork-bot+netdevbpf]

Hello:

This series was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Mon, 27 Jan 2025 14:13:42 +0100 you wrote:
> Device-bound programs are used to support RX metadata kfuncs. These
> kfuncs are driver-specific and rely on the driver context to read the
> metadata. This means they can't work in generic XDP mode. However, there
> is no check to disallow such programs from being attached in generic
> mode, in which case the metadata kfuncs will be called in an invalid
> context, leading to crashes.
> 
> [...]

Here is the summary with links:
  - [net,1/2] net: xdp: Disallow attaching device-bound programs in generic mode
    https://git.kernel.org/netdev/net/c/3595599fa836
  - [net,2/2] selftests/net: Add test for loading devbound XDP program in generic mode
    https://git.kernel.org/netdev/net/c/f7bf624b1fed

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html