From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Martin KaFai Lau <martin.lau@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>
Subject: [PATCH 5.15 14/22] bpf: bpf_fib_lookup should not return neigh in NUD_FAILED state
Date: Wed, 1 Mar 2023 19:08:47 +0100 [thread overview]
Message-ID: <20230301180653.221539252@linuxfoundation.org> (raw)
In-Reply-To: <20230301180652.658125575@linuxfoundation.org>
From: Martin KaFai Lau <martin.lau@kernel.org>
commit 1fe4850b34ab512ff911e2c035c75fb6438f7307 upstream.
The bpf_fib_lookup() helper does not only look up the fib (ie. route)
but it also looks up the neigh. Before returning the neigh, the helper
does not check for NUD_VALID. When a neigh state (neigh->nud_state)
is in NUD_FAILED, its dmac (neigh->ha) could be all zeros. The helper
still returns SUCCESS instead of NO_NEIGH in this case. Because of the
SUCCESS return value, the bpf prog directly uses the returned dmac
and ends up filling all zero in the eth header.
This patch checks for NUD_VALID and returns NO_NEIGH if the neigh is
not valid.
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20230217004150.2980689-3-martin.lau@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/filter.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -5506,7 +5506,7 @@ static int bpf_ipv4_fib_lookup(struct ne
neigh = __ipv6_neigh_lookup_noref_stub(dev, dst);
}
- if (!neigh)
+ if (!neigh || !(neigh->nud_state & NUD_VALID))
return BPF_FIB_LKUP_RET_NO_NEIGH;
return bpf_fib_set_fwd_params(params, neigh, dev, mtu);
@@ -5621,7 +5621,7 @@ static int bpf_ipv6_fib_lookup(struct ne
* not needed here.
*/
neigh = __ipv6_neigh_lookup_noref_stub(dev, dst);
- if (!neigh)
+ if (!neigh || !(neigh->nud_state & NUD_VALID))
return BPF_FIB_LKUP_RET_NO_NEIGH;
return bpf_fib_set_fwd_params(params, neigh, dev, mtu);
next prev parent reply other threads:[~2023-03-01 18:10 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-01 18:08 [PATCH 5.15 00/22] 5.15.97-rc1 review Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.15 01/22] ionic: refactor use of ionic_rx_fill() Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.15 02/22] Fix XFRM-I support for nested ESP tunnels Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.15 03/22] arm64: dts: rockchip: drop unused LED mode property from rk3328-roc-cc Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.15 04/22] ARM: dts: rockchip: add power-domains property to dp node on rk3288 Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.15 05/22] HID: elecom: add support for TrackBall 056E:011C Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.15 06/22] ACPI: NFIT: fix a potential deadlock during NFIT teardown Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.15 07/22] btrfs: send: limit number of clones and allocated memory size Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.15 08/22] ASoC: rt715-sdca: fix clock stop prepare timeout issue Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.15 09/22] IB/hfi1: Assign npages earlier Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.15 10/22] neigh: make sure used and confirmed times are valid Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.15 11/22] HID: core: Fix deadloop in hid_apply_multiplier Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.15 12/22] x86/cpu: Add Lunar Lake M Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.15 13/22] staging: mt7621-dts: change palmbus address to lower case Greg Kroah-Hartman
2023-03-01 18:08 ` Greg Kroah-Hartman [this message]
2023-03-01 18:08 ` [PATCH 5.15 15/22] net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from sk_stream_kill_queues() Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.15 16/22] vc_screen: dont clobber return value in vcs_read Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.15 17/22] scripts/tags.sh: Invoke realpath via xargs Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.15 18/22] scripts/tags.sh: fix incompatibility with PCRE2 Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.15 19/22] usb: dwc3: pci: add support for the Intel Meteor Lake-M Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.15 20/22] USB: serial: option: add support for VW/Skoda "Carstick LTE" Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.15 21/22] usb: gadget: u_serial: Add null pointer check in gserial_resume Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.15 22/22] USB: core: Dont hold device lock while reading the "descriptors" sysfs file Greg Kroah-Hartman
2023-03-01 21:27 ` [PATCH 5.15 00/22] 5.15.97-rc1 review Slade Watkins
2023-03-01 21:50 ` Florian Fainelli
2023-03-02 1:46 ` Shuah Khan
2023-03-02 9:20 ` Bagas Sanjaya
2023-03-02 11:35 ` Sudip Mukherjee (Codethink)
2023-03-02 13:32 ` Naresh Kamboju
2023-03-03 1:30 ` Guenter Roeck
2023-03-03 6:30 ` Ron Economos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230301180653.221539252@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=daniel@iogearbox.net \
--cc=martin.lau@kernel.org \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).