[BUG] list corruption in __bpf_lru_node_move () 【 bug found and suggestions for fixing it】

Message ID CA+HokZqeQsYkLeyrwaJK-T8ngXDO207_QuuZX2G8AbWFuvYG-A@mail.gmail.com (mailing list archive)
State New
Delegated to: BPF

Checks

Context Check Description
netdev/tree_selection success Guessing tree name failed - patch did not apply
bpf/vmtest-bpf-PR fail merge-conflict

Commit Message

Strforexc yn March 5, 2025, 1:28 p.m. UTC
Hi Maintainers,

When using our customized Syzkaller to fuzz the latest Linux kernel,
the following crash was triggered.
Kernel Config: https://github.com/Strforexc/LinuxKernelbug/blob/main/.config

A kernel BUG was reported due to list corruption during BPF LRU node movement.
The issue occurs when the node being moved is the sole element in its list and
also the next_inactive_rotation candidate. After moving, the list became empty,
but next_inactive_rotation incorrectly pointed to the moved node, causing later
operations to corrupt the list.

Here is my fix suggestion:
The fix checks if the node was the only element before adjusting
next_inactive_rotation. If so, it sets the pointer to NULL, preventing invalid
access.
Patch

diff --git a/kernel/bpf/bpf_lru_list.c b/kernel/bpf/bpf_lru_list.c
index XXXXXXX..XXXXXXX 100644
--- a/kernel/bpf/bpf_lru_list.c
+++ b/kernel/bpf/bpf_lru_list.c
@@ -119,8 +119,13 @@  static void __bpf_lru_node_move(struct bpf_lru_list *l,
  * move the next_inactive_rotation pointer also.
  */
  if (&node->list == l->next_inactive_rotation)
- l->next_inactive_rotation = l->next_inactive_rotation->prev;
-
+ {
+ if (l->next_inactive_rotation->prev == &node->list) {
+ l->next_inactive_rotation = NULL;
+ } else {
+ l->next_inactive_rotation = l->next_inactive_rotation->prev;
+ }
+ }
  list_move(&node->list, &l->lists[tgt_type]);
 }
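Review bot: the new inner check in the `if (&node->list == l->next_inactive_rotation)` branch does not detect the sole-element case it is meant to catch. Because `l->next_inactive_rotation == &node->list` holds inside that branch, `l->next_inactive_rotation->prev == &node->list` asks whether the node's own `prev` points back at itself, which is never true for an entry linked into a list that has a head: a sole element has both `prev` and `next` equal to the list head. The new branch is therefore dead and the code falls through to the original assignment of `->prev`, i.e. the list head, so the behaviour is unchanged. If the intent is "node is the only element", test `node->list.prev == node->list.next` (or `list_is_singular()` on the owning list head) instead. Assigning `l->next_inactive_rotation = NULL` also introduces a sentinel value that the original line never produced, and this patch does not update any other reader of `next_inactive_rotation` to handle it; a pointer that used to be left at the list head (a valid `list_head`) would now be dereferenced as NULL on the next rotation, so keeping the list head as the sentinel is the safer choice. Two smaller points: the opening brace `+ {` belongs on the `if` line per kernel coding style, and the `index XXXXXXX..XXXXXXX` header is a placeholder, which is likely why the checks above report that the patch did not apply; regenerate the patch with `git format-patch`, add a `Signed-off-by:` line, and include the actual crash report the commit message refers to.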