Re: null pointer dereference in interrupt after receiving an ip packet on veth from xsk from user space

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
To: Jason Xing <kerneljasonxing@gmail.com>
Cc: mc36 <csmate@nop.hu>,
	alekcejk@googlemail.com,
	"Jonathan Lemon" <jonathan.lemon@gmail.com>,
	"Stanislav Fomichev" <sdf@fomichev.me>,
	"Magnus Karlsson" <magnus.karlsson@intel.com>,
	"Björn Töpel" <bjorn@kernel.org>,
	1118437@bugs.debian.org, netdev@vger.kernel.org,
	bpf@vger.kernel.org
Subject: Re: null pointer dereference in interrupt after receiving an ip packet on veth from xsk from user space
Date: Tue, 21 Oct 2025 16:47:55 +0200	[thread overview]
Message-ID: <aPedG99fdFBnbIqz@boxer> (raw)
In-Reply-To: <CAL+tcoA0TKWQY4oP4jJ5BHmEnA+HzHRrgsnQL9vRpnaqb+_8Ag@mail.gmail.com>

On Tue, Oct 21, 2025 at 07:02:06PM +0800, Jason Xing wrote:
> On Tue, Oct 21, 2025 at 5:31 AM mc36 <csmate@nop.hu> wrote:
> >
> > hi,
> >
> > On 10/20/25 11:04, Jason Xing wrote:
> > >
> > > I followed your steps you attached in your code:
> > > ////// gcc xskInt.c -lxdp
> > > ////// sudo ip link add veth1 type veth
> > > ////// sudo ip link set veth0 up
> > > ////// sudo ip link set veth1 up
> >
> > ip link set dev veth1 address 3a:10:5c:53:b3:5c
> 
> Great, it indeed helps me reproduce the issue, so I managed to see the
> exact same stack. Let me dig into it more deeply.

splat comes from skb_orphan() calling skb->destructor() with ::cb field
being already taken by IP layer. A hotfix would simply be moving this call
before we memset cb in ip_rcv_core():

diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index 273578579a6b..db30645f8c35 100644
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -535,14 +535,14 @@ static struct sk_buff *ip_rcv_core(struct sk_buff *skb, struct net *net)
        iph = ip_hdr(skb);
        skb->transport_header = skb->network_header + iph->ihl*4;

-       /* Remove any debris in the socket control block */
-       memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
-       IPCB(skb)->iif = skb->skb_iif;
-
        /* Must drop socket now because of tproxy. */
        if (!skb_sk_is_prefetched(skb))
                skb_orphan(skb);

+       /* Remove any debris in the socket control block */
+       memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
+       IPCB(skb)->iif = skb->skb_iif;
+
        return skb;

 csum_error:

However, I do not understand why setting mac addr on one veth interface
triggers this path.

> 
> Thanks,
> Jason

next prev parent reply	other threads:[~2025-10-21 14:48 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-10-20  4:45 null pointer dereference in interrupt after receiving an ip packet on veth from xsk from user space mc36
2025-10-20  6:41 ` Jason Xing
2025-10-20  7:15   ` mc36
2025-10-20  8:55   ` mc36
2025-10-20  9:04     ` Jason Xing
2025-10-20  9:18       ` mc36
2025-10-20  9:48         ` mc36
2025-10-20 21:31       ` mc36
2025-10-21 10:51         ` Fernando Fernandez Mancera
2025-10-21 12:25           ` Jason Xing
2025-10-21 12:59             ` mc36
2025-10-21 13:02               ` Jason Xing
2025-10-21 13:43                 ` mc36
2025-11-08 14:49           ` Salvatore Bonaccorso
2025-11-09  0:10             ` Jason Xing
2025-10-21 11:02         ` Jason Xing
2025-10-21 14:47           ` Maciej Fijalkowski [this message]
2025-10-21 15:09             ` Fernando Fernandez Mancera
2025-10-21 15:28             ` mc36

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:273578579a6 dfblob:db30645f8c3 )
 OR (
bs:"Re: null pointer dereference in interrupt after receiving an ip packet on veth from xsk from user space" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aPedG99fdFBnbIqz@boxer \
    --to=maciej.fijalkowski@intel.com \
    --cc=1118437@bugs.debian.org \
    --cc=alekcejk@googlemail.com \
    --cc=bjorn@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=csmate@nop.hu \
    --cc=jonathan.lemon@gmail.com \
    --cc=kerneljasonxing@gmail.com \
    --cc=magnus.karlsson@intel.com \
    --cc=netdev@vger.kernel.org \
    --cc=sdf@fomichev.me \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).