diff mbox series

[bpf] bpf: fix for BUG: kernel NULL pointer dereference, address: 0000000000000000

Message ID 20210708080409.73525-1-xuanzhuo@linux.alibaba.com (mailing list archive)
State Accepted
Delegated to: BPF
Headers show
Series [bpf] bpf: fix for BUG: kernel NULL pointer dereference, address: 0000000000000000 | expand

Checks

Context Check Description
netdev/cover_letter success Link
netdev/fixes_present fail Series targets non-next tree, but doesn't contain any Fixes tags
netdev/patch_count success Link
netdev/tree_selection success Clearly marked for bpf
netdev/subject_prefix success Link
netdev/cc_maintainers success CCed 13 of 13 maintainers
netdev/source_inline success Was 0 now: 0
netdev/verify_signedoff success Link
netdev/module_param success Was 0 now: 0
netdev/build_32bit success Errors and warnings before: 13 this patch: 13
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/verify_fixes success Link
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 12 lines checked
netdev/build_allmodconfig_warn success Errors and warnings before: 13 this patch: 13
netdev/header_inline success Link

Commit Message

Xuan Zhuo July 8, 2021, 8:04 a.m. UTC 
These two types of xdp prog(BPF_XDP_DEVMAP, BPF_XDP_CPUMAP) will not be
executed directly in the driver, we should not directly run these two
XDP progs here. To run these two situations, there must be some special
preparations, otherwise it may cause kernel exceptions.

For more reference dev_xdp_attach().

[   46.982479] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   46.984295] #PF: supervisor read access in kernel mode
[   46.985777] #PF: error_code(0x0000) - not-present page
[   46.987227] PGD 800000010dca4067 P4D 800000010dca4067 PUD 10dca6067 PMD 0
[   46.989201] Oops: 0000 [#1] SMP PTI
[   46.990304] CPU: 7 PID: 562 Comm: a.out Not tainted 5.13.0+ #44
[   46.992001] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/24
[   46.995113] RIP: 0010:___bpf_prog_run+0x17b/0x1710
[   46.996586] Code: 49 03 14 cc e8 76 f6 fe ff e9 ad fe ff ff 0f b6 43 01 48 0f bf 4b 02 48 83 c3 08 89 c2 83 e0 0f c0 ea 04 02
[   47.001562] RSP: 0018:ffffc900005afc58 EFLAGS: 00010246
[   47.003115] RAX: 0000000000000000 RBX: ffffc9000023f068 RCX: 0000000000000000
[   47.005163] RDX: 0000000000000000 RSI: 0000000000000079 RDI: ffffc900005afc98
[   47.007135] RBP: 0000000000000000 R08: ffffc9000023f048 R09: c0000000ffffdfff
[   47.009171] R10: 0000000000000001 R11: ffffc900005afb40 R12: ffffc900005afc98
[   47.011172] R13: 0000000000000001 R14: 0000000000000001 R15: ffffffff825258a8
[   47.013244] FS:  00007f04a5207580(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000
[   47.015705] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   47.017475] CR2: 0000000000000000 CR3: 0000000100182005 CR4: 0000000000770ee0
[   47.019558] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   47.021595] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   47.023574] PKRU: 55555554
[   47.024571] Call Trace:
[   47.025424]  __bpf_prog_run32+0x32/0x50
[   47.026296]  ? printk+0x53/0x6a
[   47.027066]  ? ktime_get+0x39/0x90
[   47.027895]  bpf_test_run.cold.28+0x23/0x123
[   47.028866]  ? printk+0x53/0x6a
[   47.029630]  bpf_prog_test_run_xdp+0x149/0x1d0
[   47.030649]  __sys_bpf+0x1305/0x23d0
[   47.031482]  __x64_sys_bpf+0x17/0x20
[   47.032316]  do_syscall_64+0x3a/0x80
[   47.033165]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   47.034254] RIP: 0033:0x7f04a51364dd
[   47.035133] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 48
[   47.038768] RSP: 002b:00007fff8f9fc518 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[   47.040344] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f04a51364dd
[   47.041749] RDX: 0000000000000048 RSI: 0000000020002a80 RDI: 000000000000000a
[   47.043171] RBP: 00007fff8f9fc530 R08: 0000000002049300 R09: 0000000020000100
[   47.044626] R10: 0000000000000004 R11: 0000000000000213 R12: 0000000000401070
[   47.046088] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   47.047579] Modules linked in:
[   47.048318] CR2: 0000000000000000
[   47.049120] ---[ end trace 7ad34443d5be719a ]---
[   47.050273] RIP: 0010:___bpf_prog_run+0x17b/0x1710
[   47.051343] Code: 49 03 14 cc e8 76 f6 fe ff e9 ad fe ff ff 0f b6 43 01 48 0f bf 4b 02 48 83 c3 08 89 c2 83 e0 0f c0 ea 04 02
[   47.054943] RSP: 0018:ffffc900005afc58 EFLAGS: 00010246
[   47.056068] RAX: 0000000000000000 RBX: ffffc9000023f068 RCX: 0000000000000000
[   47.057522] RDX: 0000000000000000 RSI: 0000000000000079 RDI: ffffc900005afc98
[   47.058961] RBP: 0000000000000000 R08: ffffc9000023f048 R09: c0000000ffffdfff
[   47.060390] R10: 0000000000000001 R11: ffffc900005afb40 R12: ffffc900005afc98
[   47.061803] R13: 0000000000000001 R14: 0000000000000001 R15: ffffffff825258a8
[   47.063249] FS:  00007f04a5207580(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000
[   47.065070] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   47.066307] CR2: 0000000000000000 CR3: 0000000100182005 CR4: 0000000000770ee0
[   47.067747] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   47.069217] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   47.070652] PKRU: 55555554
[   47.071318] Kernel panic - not syncing: Fatal exception
[   47.072854] Kernel Offset: disabled
[   47.073683] ---[ end Kernel panic - not syncing: Fatal exception ]---

Reported-by: Abaci <abaci@linux.alibaba.com>
Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
---
 net/bpf/test_run.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Jesper Dangaard Brouer July 8, 2021, 10:26 a.m. UTC | #1 
Thanks for catching this.

Cc: Ahern, are you okay with disabling this for the 
bpf_prog_test_run_xdp() infra?

I don't think the selftests/bpf (e.g. prog_tests/xdp_devmap_attach.c) 
use the bpf_prog_test_run, right?

Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>

On 08/07/2021 10.04, Xuan Zhuo wrote:
> These two types of xdp prog(BPF_XDP_DEVMAP, BPF_XDP_CPUMAP) will not be
> executed directly in the driver, we should not directly run these two
> XDP progs here. To run these two situations, there must be some special
> preparations, otherwise it may cause kernel exceptions.
> 
> For more reference dev_xdp_attach().
> 
> [   46.982479] BUG: kernel NULL pointer dereference, address: 0000000000000000
> [   46.984295] #PF: supervisor read access in kernel mode
> [   46.985777] #PF: error_code(0x0000) - not-present page
> [   46.987227] PGD 800000010dca4067 P4D 800000010dca4067 PUD 10dca6067 PMD 0
> [   46.989201] Oops: 0000 [#1] SMP PTI
> [   46.990304] CPU: 7 PID: 562 Comm: a.out Not tainted 5.13.0+ #44
> [   46.992001] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/24
> [   46.995113] RIP: 0010:___bpf_prog_run+0x17b/0x1710
> [   46.996586] Code: 49 03 14 cc e8 76 f6 fe ff e9 ad fe ff ff 0f b6 43 01 48 0f bf 4b 02 48 83 c3 08 89 c2 83 e0 0f c0 ea 04 02
> [   47.001562] RSP: 0018:ffffc900005afc58 EFLAGS: 00010246
> [   47.003115] RAX: 0000000000000000 RBX: ffffc9000023f068 RCX: 0000000000000000
> [   47.005163] RDX: 0000000000000000 RSI: 0000000000000079 RDI: ffffc900005afc98
> [   47.007135] RBP: 0000000000000000 R08: ffffc9000023f048 R09: c0000000ffffdfff
> [   47.009171] R10: 0000000000000001 R11: ffffc900005afb40 R12: ffffc900005afc98
> [   47.011172] R13: 0000000000000001 R14: 0000000000000001 R15: ffffffff825258a8
> [   47.013244] FS:  00007f04a5207580(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000
> [   47.015705] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   47.017475] CR2: 0000000000000000 CR3: 0000000100182005 CR4: 0000000000770ee0
> [   47.019558] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [   47.021595] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [   47.023574] PKRU: 55555554
> [   47.024571] Call Trace:
> [   47.025424]  __bpf_prog_run32+0x32/0x50
> [   47.026296]  ? printk+0x53/0x6a
> [   47.027066]  ? ktime_get+0x39/0x90
> [   47.027895]  bpf_test_run.cold.28+0x23/0x123
> [   47.028866]  ? printk+0x53/0x6a
> [   47.029630]  bpf_prog_test_run_xdp+0x149/0x1d0
> [   47.030649]  __sys_bpf+0x1305/0x23d0
> [   47.031482]  __x64_sys_bpf+0x17/0x20
> [   47.032316]  do_syscall_64+0x3a/0x80
> [   47.033165]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [   47.034254] RIP: 0033:0x7f04a51364dd
> [   47.035133] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 48
> [   47.038768] RSP: 002b:00007fff8f9fc518 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
> [   47.040344] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f04a51364dd
> [   47.041749] RDX: 0000000000000048 RSI: 0000000020002a80 RDI: 000000000000000a
> [   47.043171] RBP: 00007fff8f9fc530 R08: 0000000002049300 R09: 0000000020000100
> [   47.044626] R10: 0000000000000004 R11: 0000000000000213 R12: 0000000000401070
> [   47.046088] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [   47.047579] Modules linked in:
> [   47.048318] CR2: 0000000000000000
> [   47.049120] ---[ end trace 7ad34443d5be719a ]---
> [   47.050273] RIP: 0010:___bpf_prog_run+0x17b/0x1710
> [   47.051343] Code: 49 03 14 cc e8 76 f6 fe ff e9 ad fe ff ff 0f b6 43 01 48 0f bf 4b 02 48 83 c3 08 89 c2 83 e0 0f c0 ea 04 02
> [   47.054943] RSP: 0018:ffffc900005afc58 EFLAGS: 00010246
> [   47.056068] RAX: 0000000000000000 RBX: ffffc9000023f068 RCX: 0000000000000000
> [   47.057522] RDX: 0000000000000000 RSI: 0000000000000079 RDI: ffffc900005afc98
> [   47.058961] RBP: 0000000000000000 R08: ffffc9000023f048 R09: c0000000ffffdfff
> [   47.060390] R10: 0000000000000001 R11: ffffc900005afb40 R12: ffffc900005afc98
> [   47.061803] R13: 0000000000000001 R14: 0000000000000001 R15: ffffffff825258a8
> [   47.063249] FS:  00007f04a5207580(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000
> [   47.065070] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   47.066307] CR2: 0000000000000000 CR3: 0000000100182005 CR4: 0000000000770ee0
> [   47.067747] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [   47.069217] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [   47.070652] PKRU: 55555554
> [   47.071318] Kernel panic - not syncing: Fatal exception
> [   47.072854] Kernel Offset: disabled
> [   47.073683] ---[ end Kernel panic - not syncing: Fatal exception ]---
> 
> Reported-by: Abaci <abaci@linux.alibaba.com>
> Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
> Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
> ---
>   net/bpf/test_run.c | 6 ++++++
>   1 file changed, 6 insertions(+)
> 
> diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
> index aa47af349ba8..17227e0b277b 100644
> --- a/net/bpf/test_run.c
> +++ b/net/bpf/test_run.c
> @@ -701,6 +701,12 @@ int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,
>   	void *data;
>   	int ret;
>   
> +	if (prog->expected_attach_type == BPF_XDP_DEVMAP)
> +		return -EINVAL;
> +
> +	if (prog->expected_attach_type == BPF_XDP_CPUMAP)
> +		return -EINVAL;
> +
>   	if (kattr->test.ctx_in || kattr->test.ctx_out)
>   		return -EINVAL;
>
David Ahern July 8, 2021, 2:44 p.m. UTC | #2 
On 7/8/21 4:26 AM, Jesper Dangaard Brouer wrote:
> 
> Thanks for catching this.
> 
> Cc: Ahern, are you okay with disabling this for the
> bpf_prog_test_run_xdp() infra?

yes.

> 
> I don't think the selftests/bpf (e.g. prog_tests/xdp_devmap_attach.c)
> use the bpf_prog_test_run, right?
> 
> Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>


Acked-by: David Ahern <dsahern@kernel.org>
Song Liu July 8, 2021, 7:14 p.m. UTC | #3 
On Thu, Jul 8, 2021 at 7:45 AM David Ahern <dsahern@gmail.com> wrote:
>
> On 7/8/21 4:26 AM, Jesper Dangaard Brouer wrote:
> >
> > Thanks for catching this.
> >
> > Cc: Ahern, are you okay with disabling this for the
> > bpf_prog_test_run_xdp() infra?
>
> yes.
>
> >
> > I don't think the selftests/bpf (e.g. prog_tests/xdp_devmap_attach.c)
> > use the bpf_prog_test_run, right?
> >
> > Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
>
>
> Acked-by: David Ahern <dsahern@kernel.org>

Acked-by: Song Liu <songliubraving@fb.com>
Daniel Borkmann July 12, 2021, 3:16 p.m. UTC | #4 
On 7/8/21 10:04 AM, Xuan Zhuo wrote:
> These two types of xdp prog(BPF_XDP_DEVMAP, BPF_XDP_CPUMAP) will not be
> executed directly in the driver, we should not directly run these two
> XDP progs here. To run these two situations, there must be some special
> preparations, otherwise it may cause kernel exceptions.

Applied, thanks!
diff mbox series

Patch

diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index aa47af349ba8..17227e0b277b 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -701,6 +701,12 @@  int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,
 	void *data;
 	int ret;
 
+	if (prog->expected_attach_type == BPF_XDP_DEVMAP)
+		return -EINVAL;
+
+	if (prog->expected_attach_type == BPF_XDP_CPUMAP)
+		return -EINVAL;
+
 	if (kattr->test.ctx_in || kattr->test.ctx_out)
 		return -EINVAL;