[net] tun: Add missing bpf_net_ctx_clear() in do_xdp_generic()

Message ID 20240725214049.2439-1-aha310510@gmail.com (mailing list archive)
State Accepted
Commit 9da49aa80d686582bc3a027112a30484c9be6b6e
Delegated to: Netdev Maintainers

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 273 this patch: 273
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 10 of 10 maintainers
netdev/build_clang success Errors and warnings before: 281 this patch: 281
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 286 this patch: 286
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 7 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 79 this patch: 79
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-07-26--15-00 (tests: 707)

Commit Message

Jeongjun Park July 25, 2024, 9:40 p.m. UTC
There are cases where do_xdp_generic returns bpf_net_context without 
clearing it. This causes various memory corruptions, so the missing 
bpf_net_ctx_clear must be added.

Reported-by: syzbot+44623300f057a28baf1e@syzkaller.appspotmail.com
Fixes: fecef4cd42c6 ("tun: Assign missing bpf_net_context.")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
---
 net/core/dev.c | 1 +
 1 file changed, 1 insertion(+)

--

Comments

Jason Wang July 26, 2024, 2:21 a.m. UTC | #1
On Fri, Jul 26, 2024 at 5:41 AM Jeongjun Park <aha310510@gmail.com> wrote:
>
> There are cases where do_xdp_generic returns bpf_net_context without
> clearing it. This causes various memory corruptions, so the missing
> bpf_net_ctx_clear must be added.
>
> Reported-by: syzbot+44623300f057a28baf1e@syzkaller.appspotmail.com
> Fixes: fecef4cd42c6 ("tun: Assign missing bpf_net_context.")
> Signed-off-by: Jeongjun Park <aha310510@gmail.com>

Acked-by: Jason Wang <jasowang@redhat.com>

(Looks like do_xdp_generic() needs some tweaking; for example, we can
merge the two paths for XDP_DROP at least.)

Thanks

> ---
>  net/core/dev.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/net/core/dev.c b/net/core/dev.c
> index 6ea1d20676fb..751d9b70e6ad 100644
> --- a/net/core/dev.c
> +++ b/net/core/dev.c
> @@ -5150,6 +5150,7 @@ int do_xdp_generic(struct bpf_prog *xdp_prog, struct sk_buff **pskb)
>                         bpf_net_ctx_clear(bpf_net_ctx);
>                         return XDP_DROP;
>                 }
> +               bpf_net_ctx_clear(bpf_net_ctx);
>         }
>         return XDP_PASS;
>  out_redir:
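
Review bot: With the added line at the end of the block, bpf_net_ctx_clear(bpf_net_ctx) is now open-coded before each exit visible here: once ahead of "return XDP_DROP" and once ahead of the fall-through to "return XDP_PASS". That per-exit pattern is easy to get wrong when another return is added later. Consider routing these exits through a single label that clears the context once and then returns the verdict, so the set/clear pairing is enforced in one place.
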
> --
>

Willem de Bruijn July 26, 2024, 3:03 a.m. UTC | #2
On Thu, Jul 25, 2024 at 10:21 PM Jason Wang <jasowang@redhat.com> wrote:
>
> On Fri, Jul 26, 2024 at 5:41 AM Jeongjun Park <aha310510@gmail.com> wrote:
> >
> > There are cases where do_xdp_generic returns bpf_net_context without
> > clearing it. This causes various memory corruptions, so the missing
> > bpf_net_ctx_clear must be added.
> >
> > Reported-by: syzbot+44623300f057a28baf1e@syzkaller.appspotmail.com
> > Fixes: fecef4cd42c6 ("tun: Assign missing bpf_net_context.")
> > Signed-off-by: Jeongjun Park <aha310510@gmail.com>
>
> Acked-by: Jason Wang <jasowang@redhat.com>

Reviewed-by: Willem de Bruijn <willemb@google.com>

Jakub Kicinski July 26, 2024, 2:41 p.m. UTC | #3
On Fri, 26 Jul 2024 06:40:49 +0900 Jeongjun Park wrote:
> There are cases where do_xdp_generic returns bpf_net_context without 
> clearing it. This causes various memory corruptions, so the missing 
> bpf_net_ctx_clear must be added.
> 
> Reported-by: syzbot+44623300f057a28baf1e@syzkaller.appspotmail.com
> Fixes: fecef4cd42c6 ("tun: Assign missing bpf_net_context.")
> Signed-off-by: Jeongjun Park <aha310510@gmail.com>

Also likely:

Reported-by: syzbot+3c2b6d5d4bec3b904933@syzkaller.appspotmail.com
Reported-by: syzbot+707d98c8649695eaf329@syzkaller.appspotmail.com

Right?

Jeongjun Park July 27, 2024, 2:16 a.m. UTC | #4
Jakub Kicinski wrote:
>
> On Fri, 26 Jul 2024 06:40:49 +0900 Jeongjun Park wrote:
> > There are cases where do_xdp_generic returns bpf_net_context without
> > clearing it. This causes various memory corruptions, so the missing
> > bpf_net_ctx_clear must be added.
> >
> > Reported-by: syzbot+44623300f057a28baf1e@syzkaller.appspotmail.com
> > Fixes: fecef4cd42c6 ("tun: Assign missing bpf_net_context.")
> > Signed-off-by: Jeongjun Park <aha310510@gmail.com>
>
> Also likely:
>
> Reported-by: syzbot+3c2b6d5d4bec3b904933@syzkaller.appspotmail.com
> Reported-by: syzbot+707d98c8649695eaf329@syzkaller.appspotmail.com
>
> Right?

Yes, both appear to be bugs with the same root cause.

Regards,
Jeongjun Park

Jeongjun Park July 27, 2024, 2:28 a.m. UTC | #5
On Fri, 26 Jul 2024 06:40:49 +0900 Jeongjun Park wrote:
> There are cases where do_xdp_generic returns bpf_net_context without
> clearing it. This causes various memory corruptions, so the missing
> bpf_net_ctx_clear must be added.
>
> Reported-by: syzbot+44623300f057a28baf1e@syzkaller.appspotmail.com
> Fixes: fecef4cd42c6 ("tun: Assign missing bpf_net_context.")
> Signed-off-by: Jeongjun Park <aha310510@gmail.com>

Reported-by: syzbot+c226757eb784a9da3e8b@syzkaller.appspotmail.com
Reported-by: syzbot+61a1cfc2b6632363d319@syzkaller.appspotmail.com
Reported-by: syzbot+709e4c85c904bcd62735@syzkaller.appspotmail.com

After searching, I found reports with the same root cause, so I added
them.

patchwork-bot+netdevbpf@kernel.org July 29, 2024, 10:08 a.m. UTC | #6
Hello:

This patch was applied to netdev/net.git (main)
by David S. Miller <davem@davemloft.net>:

On Fri, 26 Jul 2024 06:40:49 +0900 you wrote:
> There are cases where do_xdp_generic returns bpf_net_context without
> clearing it. This causes various memory corruptions, so the missing
> bpf_net_ctx_clear must be added.
> 
> Reported-by: syzbot+44623300f057a28baf1e@syzkaller.appspotmail.com
> Fixes: fecef4cd42c6 ("tun: Assign missing bpf_net_context.")
> Signed-off-by: Jeongjun Park <aha310510@gmail.com>
> 
> [...]

Here is the summary with links:
  - [net] tun: Add missing bpf_net_ctx_clear() in do_xdp_generic()
    https://git.kernel.org/netdev/net/c/9da49aa80d68

You are awesome, thank you!

Patch

diff --git a/net/core/dev.c b/net/core/dev.c
index 6ea1d20676fb..751d9b70e6ad 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -5150,6 +5150,7 @@  int do_xdp_generic(struct bpf_prog *xdp_prog, struct sk_buff **pskb)
 			bpf_net_ctx_clear(bpf_net_ctx);
 			return XDP_DROP;
 		}
+		bpf_net_ctx_clear(bpf_net_ctx);
 	}
 	return XDP_PASS;
 out_redir:
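
Review bot: The changelog says only "there are cases" where the context is left set; from this hunk the case is the end of the block that falls through to "return XDP_PASS", and naming that path in the commit message would make the fix easier to audit and backport. The "out_redir:" path that follows is outside the visible context, so it is worth confirming in the same pass that it also calls bpf_net_ctx_clear(bpf_net_ctx) before returning.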