bpf, sockmap: allow verdict only sk_skb progs #232
We are about to allow skb_verdict to run without skb_parser programs. As a first step, change code to check each program type specifically. This should be a mechanical change without any impact to actual result.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Currently, we often run with a nop parser namely one that just does this, 'return skb->len'. This happens when either our verdict program can handle streaming data or it is only looking at socket data such as IP addresses and other metadata associated with the flow. The second case is common for a L3/L4 proxy for instance.

So let's allow loading programs without the parser then we can skip the stream parser logic and avoid having to add a BPF program that is effectively a nop.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Add option to allow running without a parser program in place. To test with ping/pong program use,

  # test_sockmap -t ping --txmsg_omit_skb_parser

this will send packets between two socket bouncing through a proxy socket that does not use a parser program.

   (ping)                                    (pong)
   sender         proxy_recv proxy_send      recv
     |                |                       |
     |              verdict -----+            |
     |                |          |            |
     +----------------+          +------------+

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Here we add three new tests for sockmap to test having a verdict program without setting the parser program.

The first test covers the most simple case,

   sender         proxy_recv proxy_send      recv
     |                |                       |
     |              verdict -----+            |
     |                |          |            |
     +----------------+          +------------+

We load the verdict program on the proxy_recv socket without a parser program. It then does a redirect into the send path of the proxy_send socket using sendpage_locked().

Next we test the drop case to ensure if we kfree_skb as a result of the verdict program everything behaves as expected.

Next we test the same configuration above, but with ktls and a redirect into socket ingress queue. Shown here

     tls                                       tls
   sender         proxy_recv proxy_send      recv
     |                |                       |
     |              verdict ------------------+
     |                |    redirect_ingress
     +----------------+

Also to set up ping/pong test

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=362695 irrelevant now. Closing PR.
Add a big batch of test coverage to assert all aspects of the tcx link API:

  # ./vmtest.sh -- ./test_progs -t tc_links
  [...]
  kernel-patches#224 tc_links_after:OK
  kernel-patches#225 tc_links_append:OK
  kernel-patches#226 tc_links_basic:OK
  kernel-patches#227 tc_links_before:OK
  kernel-patches#228 tc_links_both:OK
  kernel-patches#229 tc_links_chain_classic:OK
  kernel-patches#230 tc_links_dev_cleanup:OK
  kernel-patches#231 tc_links_first:OK
  kernel-patches#232 tc_links_invalid:OK
  kernel-patches#233 tc_links_last:OK
  kernel-patches#234 tc_links_prepend:OK
  kernel-patches#235 tc_links_replace:OK
  kernel-patches#236 tc_links_revision:OK
  Summary: 13/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Add a big batch of test coverage to assert all aspects of the tcx link API:

  # ./vmtest.sh -- ./test_progs -t tc_links
  [...]
  #224 tc_links_after:OK
  #225 tc_links_append:OK
  #226 tc_links_basic:OK
  #227 tc_links_before:OK
  #228 tc_links_both:OK
  #229 tc_links_chain_classic:OK
  #230 tc_links_dev_cleanup:OK
  #231 tc_links_first:OK
  #232 tc_links_invalid:OK
  #233 tc_links_last:OK
  #234 tc_links_prepend:OK
  #235 tc_links_replace:OK
  #236 tc_links_revision:OK
  Summary: 13/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Add a big batch of test coverage to assert all aspects of the tcx link API:

  # ./vmtest.sh -- ./test_progs -t tc_links
  [...]
  #225 tc_links_after:OK
  #226 tc_links_append:OK
  #227 tc_links_basic:OK
  #228 tc_links_before:OK
  #229 tc_links_chain_classic:OK
  #230 tc_links_dev_cleanup:OK
  #231 tc_links_invalid:OK
  #232 tc_links_prepend:OK
  #233 tc_links_replace:OK
  #234 tc_links_revision:OK
  Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Add a big batch of test coverage to assert all aspects of the tcx link API:

  # ./vmtest.sh -- ./test_progs -t tc_links
  [...]
  #225 tc_links_after:OK
  #226 tc_links_append:OK
  #227 tc_links_basic:OK
  #228 tc_links_before:OK
  #229 tc_links_chain_classic:OK
  #230 tc_links_dev_cleanup:OK
  #231 tc_links_invalid:OK
  #232 tc_links_prepend:OK
  #233 tc_links_replace:OK
  #234 tc_links_revision:OK
  Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20230719140858.13224-9-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
- Without prev commit

  $ tools/testing/selftests/bpf/test_progs --name=tc_bpf
  #232/1 tc_bpf/tc_bpf_root:OK
  test_tc_bpf_non_root:PASS:set_cap_bpf_cap_net_admin 0 nsec
  test_tc_bpf_non_root:PASS:disable_cap_sys_admin 0 nsec
  0: R1=ctx(off=0,imm=0) R10=fp0
  ; if ((long)(iph + 1) > (long)skb->data_end)
  0: (61) r2 = *(u32 *)(r1 +80) ; R1=ctx(off=0,imm=0) R2_w=pkt_end(off=0,imm=0)
  ; struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr);
  1: (61) r1 = *(u32 *)(r1 +76) ; R1_w=pkt(off=0,r=0,imm=0)
  ; if ((long)(iph + 1) > (long)skb->data_end)
  2: (07) r1 += 34 ; R1_w=pkt(off=34,r=0,imm=0)
  3: (b4) w0 = 1 ; R0_w=1
  4: (2d) if r1 > r2 goto pc+1
  R2 pointer comparison prohibited
  processed 5 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
  test_tc_bpf_non_root:FAIL:test_tc_bpf__open_and_load unexpected error: -13
  #233/2 tc_bpf_non_root:FAIL

- With prev commit

  $ tools/testing/selftests/bpf/test_progs --name=tc_bpf
  #232/1 tc_bpf/tc_bpf_root:OK
  #232/2 tc_bpf/tc_bpf_non_root:OK
  #232 tc_bpf:OK
  Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
- Without prev commit

  $ tools/testing/selftests/bpf/test_progs --name=tc_bpf
  #232/1 tc_bpf/tc_bpf_root:OK
  test_tc_bpf_non_root:PASS:set_cap_bpf_cap_net_admin 0 nsec
  test_tc_bpf_non_root:PASS:disable_cap_sys_admin 0 nsec
  0: R1=ctx(off=0,imm=0) R10=fp0
  ; if ((long)(iph + 1) > (long)skb->data_end)
  0: (61) r2 = *(u32 *)(r1 +80) ; R1=ctx(off=0,imm=0) R2_w=pkt_end(off=0,imm=0)
  ; struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr);
  1: (61) r1 = *(u32 *)(r1 +76) ; R1_w=pkt(off=0,r=0,imm=0)
  ; if ((long)(iph + 1) > (long)skb->data_end)
  2: (07) r1 += 34 ; R1_w=pkt(off=34,r=0,imm=0)
  3: (b4) w0 = 1 ; R0_w=1
  4: (2d) if r1 > r2 goto pc+1
  R2 pointer comparison prohibited
  processed 5 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
  test_tc_bpf_non_root:FAIL:test_tc_bpf__open_and_load unexpected error: -13
  #233/2 tc_bpf_non_root:FAIL

- With prev commit

  $ tools/testing/selftests/bpf/test_progs --name=tc_bpf
  #232/1 tc_bpf/tc_bpf_root:OK
  #232/2 tc_bpf/tc_bpf_non_root:OK
  #232 tc_bpf:OK
  Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
Link: https://lore.kernel.org/r/20230823020703.3790-3-laoar.shao@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
The VXLAN driver does not verify that transmitted packets have an Ethernet header in the linear part of the skb, which can result in the driver accessing uninitialized memory while processing the Ethernet header [1]. Issue can be reproduced using [2]. Fix by checking that we can pull the Ethernet header into the linear part of the skb.

Note that the driver can transmit IP packets, but this is handled earlier in the xmit path.

[1]
CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G B 6.12.0-rc7-custom-g10d3437464d3 kernel-patches#232
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
=====================================================
=====================================================
BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450
 __vxlan_find_mac+0x449/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 __vxlan_find_mac+0x442/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 kmem_cache_alloc_node_noprof+0x4a8/0x9e0
 kmalloc_reserve+0xd1/0x420
 pskb_expand_head+0x1b4/0x15f0
 skb_ensure_writable+0x2ee/0x390
 bpf_clone_redirect+0x16a/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0

[2]
 $ cat mac_repo.bpf.c
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>

 SEC("lwt_xmit")
 int mac_repo(struct __sk_buff *skb)
 {
         return bpf_clone_redirect(skb, 100, 0);
 }

 $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o

 # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1

 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo

 # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \
         bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10

Fixes: d342894 ("vxlan: virtual extensible lan")
Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: NipaLocal <nipa@local>
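The check that the VXLAN commit message above describes, as a user-space model (an added example, not code from the commit or from the kernel): a transmit path that reads the destination MAC with no length check picks up stale bytes, while one that first pulls the Ethernet header into the linear part either gets real data or drops the packet. `toy_skb`, `toy_may_pull`, the `toy_xmit_*` functions and `TOY_STALE` are hypothetical names, and the packet bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN  6    /* one MAC address */
#define ETH_HLEN  14   /* dst MAC + src MAC + EtherType */
#define HEAD_CAP  64   /* size of the toy linear buffer */
#define TOY_STALE 0xAA /* marks bytes the packet never wrote */

/* Hypothetical stand-in for an skb: a linear head plus one non-linear
 * fragment. Only head[0..head_len) holds packet data. */
struct toy_skb {
    uint8_t head[HEAD_CAP];
    size_t head_len;
    const uint8_t *frag;
    size_t frag_len;
};

enum xmit_result { XMIT_OK = 0, XMIT_DROP = 1 };

/* Constructed sample frame: dst MAC, src MAC, EtherType 0x0800, 6 payload bytes. */
static const uint8_t toy_pkt[20] = {
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x02, 0x00, 0x00, 0x00, 0x00, 0x02,
    0x08, 0x00,
    0xde, 0xad, 0xbe, 0xef, 0x00, 0x01,
};

static struct toy_skb toy_skb_make(const uint8_t *lin, size_t lin_len,
                                   const uint8_t *frag, size_t frag_len)
{
    struct toy_skb s;

    /* Model leftover allocator contents in the unwritten part of the head. */
    memset(s.head, TOY_STALE, sizeof(s.head));
    if (lin_len > HEAD_CAP)
        lin_len = HEAD_CAP;
    if (lin_len)
        memcpy(s.head, lin, lin_len);
    s.head_len = lin_len;
    s.frag = frag;
    s.frag_len = frag_len;
    return s;
}

/* Make sure the first len bytes are in the linear part, copying from the
 * fragment when needed. Returns 1 on success, 0 if the packet is too short. */
static int toy_may_pull(struct toy_skb *skb, size_t len)
{
    size_t need;

    if (len <= skb->head_len)
        return 1;
    if (len > HEAD_CAP || len - skb->head_len > skb->frag_len)
        return 0;
    need = len - skb->head_len;
    memcpy(skb->head + skb->head_len, skb->frag, need);
    skb->head_len += need;
    skb->frag += need;
    skb->frag_len -= need;
    return 1;
}

/* Pre-fix shape: read the destination MAC with no length check.
 * Returns how many of the 6 bytes copied were never written by the packet. */
static size_t toy_xmit_unchecked(const struct toy_skb *skb, uint8_t dst[ETH_ALEN])
{
    memcpy(dst, skb->head, ETH_ALEN);
    return skb->head_len >= ETH_ALEN ? 0 : ETH_ALEN - skb->head_len;
}

/* Post-fix shape: require a full Ethernet header in the linear part first. */
static enum xmit_result toy_xmit_checked(struct toy_skb *skb, uint8_t dst[ETH_ALEN])
{
    if (!toy_may_pull(skb, ETH_HLEN))
        return XMIT_DROP;
    memcpy(dst, skb->head, ETH_ALEN);
    return XMIT_OK;
}

int main(void)
{
    uint8_t mac[ETH_ALEN];
    struct toy_skb runt = toy_skb_make(toy_pkt, 1, NULL, 0);
    struct toy_skb split = toy_skb_make(toy_pkt, 4, toy_pkt + 4, 16);

    printf("unchecked, 1-byte packet: %zu stale bytes used as MAC\n",
           toy_xmit_unchecked(&runt, mac));
    printf("checked, 1-byte packet: %s\n",
           toy_xmit_checked(&runt, mac) == XMIT_DROP ? "dropped" : "sent");
    printf("checked, header split across head and fragment: %s\n",
           toy_xmit_checked(&split, mac) == XMIT_OK ? "sent" : "dropped");
    return 0;
}
```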
The VXLAN driver does not verify that transmitted packets have an Ethernet header in the linear part of the skb, which can result in the driver accessing uninitialized memory while processing the Ethernet header [1]. Issue can be reproduced using [2]. Fix by checking that we can pull the Ethernet header into the linear part of the skb. Note that the driver can transmit IP packets, but this is handled earlier in the xmit path. [1] CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G B 6.12.0-rc7-custom-g10d3437464d3 kernel-patches#232 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 ===================================================== ===================================================== BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450 __vxlan_find_mac+0x449/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: __vxlan_find_mac+0x442/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: kmem_cache_alloc_node_noprof+0x4a8/0x9e0 kmalloc_reserve+0xd1/0x420 pskb_expand_head+0x1b4/0x15f0 skb_ensure_writable+0x2ee/0x390 bpf_clone_redirect+0x16a/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 
bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 [2] $ cat mac_repo.bpf.c // SPDX-License-Identifier: GPL-2.0 #include <linux/bpf.h> #include <bpf/bpf_helpers.h> SEC("lwt_xmit") int mac_repo(struct __sk_buff *skb) { return bpf_clone_redirect(skb, 100, 0); } $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \ bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10 Fixes: d342894 ("vxlan: virtual extensible lan") Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/ Signed-off-by: Ido Schimmel <idosch@nvidia.com> Signed-off-by: NipaLocal <nipa@local>
The VXLAN driver does not verify that transmitted packets have an Ethernet header in the linear part of the skb, which can result in the driver accessing uninitialized memory while processing the Ethernet header [1]. Issue can be reproduced using [2]. Fix by checking that we can pull the Ethernet header into the linear part of the skb. Note that the driver can transmit IP packets, but this is handled earlier in the xmit path. [1] CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G B 6.12.0-rc7-custom-g10d3437464d3 kernel-patches#232 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 ===================================================== ===================================================== BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450 __vxlan_find_mac+0x449/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: __vxlan_find_mac+0x442/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: kmem_cache_alloc_node_noprof+0x4a8/0x9e0 kmalloc_reserve+0xd1/0x420 pskb_expand_head+0x1b4/0x15f0 skb_ensure_writable+0x2ee/0x390 bpf_clone_redirect+0x16a/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 
bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 [2] $ cat mac_repo.bpf.c // SPDX-License-Identifier: GPL-2.0 #include <linux/bpf.h> #include <bpf/bpf_helpers.h> SEC("lwt_xmit") int mac_repo(struct __sk_buff *skb) { return bpf_clone_redirect(skb, 100, 0); } $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \ bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10 Fixes: d342894 ("vxlan: virtual extensible lan") Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/ Signed-off-by: Ido Schimmel <idosch@nvidia.com> Signed-off-by: NipaLocal <nipa@local>
The VXLAN driver does not verify that transmitted packets have an Ethernet header in the linear part of the skb, which can result in the driver accessing uninitialized memory while processing the Ethernet header [1]. Issue can be reproduced using [2].

Fix by checking that we can pull the Ethernet header into the linear part of the skb. Note that the driver can transmit IP packets, but this is handled earlier in the xmit path.

[1]
    CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G B 6.12.0-rc7-custom-g10d3437464d3 kernel-patches#232
    Tainted: [B]=BAD_PAGE
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
    =====================================================
    =====================================================
    BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450
    __vxlan_find_mac+0x449/0x450
    vxlan_xmit+0x1265/0x2f70
    dev_hard_start_xmit+0x239/0x7e0
    __dev_queue_xmit+0x2d65/0x45e0
    __bpf_redirect+0x6d2/0xf60
    bpf_clone_redirect+0x2c7/0x450
    bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
    bpf_test_run+0x60f/0xca0
    bpf_prog_test_run_skb+0x115d/0x2300
    bpf_prog_test_run+0x3b3/0x5c0
    __sys_bpf+0x501/0xc60
    __x64_sys_bpf+0xa8/0xf0
    do_syscall_64+0xd9/0x1b0
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

    Uninit was stored to memory at:
    __vxlan_find_mac+0x442/0x450
    vxlan_xmit+0x1265/0x2f70
    dev_hard_start_xmit+0x239/0x7e0
    __dev_queue_xmit+0x2d65/0x45e0
    __bpf_redirect+0x6d2/0xf60
    bpf_clone_redirect+0x2c7/0x450
    bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
    bpf_test_run+0x60f/0xca0
    bpf_prog_test_run_skb+0x115d/0x2300
    bpf_prog_test_run+0x3b3/0x5c0
    __sys_bpf+0x501/0xc60
    __x64_sys_bpf+0xa8/0xf0
    do_syscall_64+0xd9/0x1b0
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

    Uninit was created at:
    kmem_cache_alloc_node_noprof+0x4a8/0x9e0
    kmalloc_reserve+0xd1/0x420
    pskb_expand_head+0x1b4/0x15f0
    skb_ensure_writable+0x2ee/0x390
    bpf_clone_redirect+0x16a/0x450
    bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
    bpf_test_run+0x60f/0xca0
    bpf_prog_test_run_skb+0x115d/0x2300
    bpf_prog_test_run+0x3b3/0x5c0
    __sys_bpf+0x501/0xc60
    __x64_sys_bpf+0xa8/0xf0
    do_syscall_64+0xd9/0x1b0

[2]
    $ cat mac_repo.bpf.c
    // SPDX-License-Identifier: GPL-2.0
    #include <linux/bpf.h>
    #include <bpf/bpf_helpers.h>

    SEC("lwt_xmit")
    int mac_repo(struct __sk_buff *skb)
    {
            return bpf_clone_redirect(skb, 100, 0);
    }

    $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o

    # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1

    # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo

    # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \
            bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10

Fixes: d342894 ("vxlan: virtual extensible lan")
Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: NipaLocal <nipa@local>
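The check described in the commit message above, as an added user-space illustration that is not part of the kernel patch or of this page. `toy_skb`, `toy_may_pull`, the `xmit_*` functions and the 0xCC poison byte are hypothetical stand-ins; `toy_may_pull` models the contract of the kernel's `pskb_may_pull()`, and the sample packets are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14    /* dst MAC (6) + src MAC (6) + EtherType (2) */
#define HEAD_CAP 64
#define POISON   0xCC  /* stands in for uninitialized head memory */
enum { XMIT_DROP = -1, XMIT_OK = 0 };

/* Hypothetical user-space stand-in for an skb (not the kernel struct):
 * head[] is the linear area, frag points at bytes held outside it. */
struct toy_skb {
	uint8_t head[HEAD_CAP];
	size_t headlen;          /* valid bytes in head[] */
	const uint8_t *frag;
	size_t fraglen;
};

static void toy_skb_init(struct toy_skb *skb, const uint8_t *lin, size_t nlin,
			 const uint8_t *frag, size_t nfrag)
{
	memset(skb->head, POISON, sizeof(skb->head));
	if (nlin)
		memcpy(skb->head, lin, nlin);
	skb->headlen = nlin;
	skb->frag = frag;
	skb->fraglen = nfrag;
}

/* Models the pskb_may_pull() contract: ensure the first len bytes are linear,
 * copying from the fragment if needed; fail if the packet is too short. */
static bool toy_may_pull(struct toy_skb *skb, size_t len)
{
	size_t need;
	if (len <= skb->headlen)
		return true;
	if (len > HEAD_CAP || len - skb->headlen > skb->fraglen)
		return false;
	need = len - skb->headlen;
	memcpy(skb->head + skb->headlen, skb->frag, need);
	skb->headlen += need;
	skb->frag += need;
	skb->fraglen -= need;
	return true;
}

/* Before the fix: the destination MAC is read with no length check. */
static int xmit_unchecked(const struct toy_skb *skb, uint8_t dst[6])
{
	memcpy(dst, skb->head, 6);
	return XMIT_OK;
}

/* After the fix: drop unless a whole Ethernet header can be made linear. */
static int xmit_checked(struct toy_skb *skb, uint8_t dst[6])
{
	if (!toy_may_pull(skb, ETH_HLEN))
		return XMIT_DROP;
	memcpy(dst, skb->head, 6);
	return XMIT_OK;
}

/* Number of MAC bytes that came from poisoned (never written) memory. */
static int poisoned_bytes(const uint8_t dst[6])
{
	int i, n = 0;
	for (i = 0; i < 6; i++)
		n += dst[i] == POISON;
	return n;
}

int main(void)
{
	static const uint8_t one[1] = { 0x41 };   /* constructed short packet */
	struct toy_skb skb;
	uint8_t dst[6];

	toy_skb_init(&skb, one, sizeof(one), NULL, 0);
	xmit_unchecked(&skb, dst);
	printf("unchecked: %d poisoned MAC bytes\n", poisoned_bytes(dst));
	printf("checked: %s\n", xmit_checked(&skb, dst) == XMIT_DROP ? "drop" : "xmit");
	return 0;
}
```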
Pull request for series with
subject: bpf, sockmap: allow verdict only sk_skb progs
version: 1
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=362695