From patchwork Wed Mar 5 13:28:18 2025
X-Patchwork-Submitter: Strforexc yn
X-Patchwork-Id: 14002699
X-Patchwork-Delegate: bpf@iogearbox.net
X-Mailing-List: bpf@vger.kernel.org
From: Strforexc yn
Date: Wed, 5 Mar 2025 21:28:18 +0800
Subject: [BUG] list corruption in __bpf_lru_node_move() 【 bug found and suggestions for fixing it】
To: Martin KaFai Lau, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, bpf@vger.kernel.org, linux-kernel@vger.kernel.org

Hi Maintainers,

When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash was triggered.

Kernel Config: https://github.com/Strforexc/LinuxKernelbug/blob/main/.config

A kernel BUG was reported due to list corruption during BPF LRU node movement. The issue occurs when the node being moved is the sole element in its list and also the next_inactive_rotation candidate. After moving, the list became empty, but next_inactive_rotation incorrectly pointed to the moved node, causing later operations to corrupt the list.

Here is my fix suggestion: the fix checks if the node was the only element before adjusting next_inactive_rotation. If so, it sets the pointer to NULL, preventing invalid access.

diff --git a/kernel/bpf/bpf_lru_list.c b/kernel/bpf/bpf_lru_list.c
index XXXXXXX..XXXXXXX 100644
--- a/kernel/bpf/bpf_lru_list.c
+++ b/kernel/bpf/bpf_lru_list.c
@@ -119,8 +119,13 @@ static void __bpf_lru_node_move(struct bpf_lru_list *l, * move the next_inactive_rotation pointer also. */ if (&node->list == l->next_inactive_rotation) - l->next_inactive_rotation = l->next_inactive_rotation->prev; - + { + if (l->next_inactive_rotation->prev == &node->list) { + l->next_inactive_rotation = NULL; + } else { + l->next_inactive_rotation = l->next_inactive_rotation->prev; + } + } list_move(&node->list, &l->lists[tgt_type]); }
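Review bot: Storing NULL in `l->next_inactive_rotation` introduces a pointer state that nothing in this hunk teaches the other readers of `next_inactive_rotation` to handle, so unless every consumer is audited and updated in the same patch this trades a stale pointer for a NULL dereference on the next rotation or shrink. The new condition also does not detect the "sole element" case the description names: `list_move()` works on a `list_head` list with a sentinel head, and for a node that is actually linked in, `->prev` is either another node or the list head, never the node itself, so `l->next_inactive_rotation->prev == &node->list` only holds for a self-linked (unlinked) node, and a lone inactive node still takes the else branch and parks the cursor on the head, leaving the targeted case unchanged. If the intent is to reset the cursor when the inactive list runs empty, compare against the inactive list head (or use `list_is_singular()` on it) and state in the commit message why landing on the sentinel is unsafe; the crash splat the mail refers to is not included and is needed to judge that. Style: per kernel coding style the `{` belongs on the `if` line and the single-statement branches should not be braced, and the `index XXXXXXX..XXXXXXX` placeholder together with the missing Signed-off-by suggests the patch was not produced with `git format-patch`.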
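To make the list mechanics in the report concrete, here is an added model (not kernel code, and not the reporter's patch) of a Linux-style `list_head` list with a sentinel head plus a rotation cursor. It replays the unpatched "step the cursor to prev, then move" logic from the hunk on the scenario the mail describes: a single inactive node that is also the rotation candidate. It also evaluates the condition the proposed patch adds, to show what that test actually matches. Type and function names (`lru_list`, `lru_node`, `node_move`, `patch_condition`) and the cursor starting on the inactive sentinel are assumptions of the model.

```c
/* Added example, not kernel code: minimal model of a sentinel-headed,
 * circular list_head list and a rotation cursor, used to replay the
 * sole-candidate move from the report. Names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->prev = head->prev; n->next = head;
	head->prev->next = n; head->prev = n;
}

/* Unlink n and re-insert it right after head (what list_move() does). */
static void list_move(struct list_head *n, struct list_head *head)
{
	n->prev->next = n->next; n->next->prev = n->prev;
	n->prev = head; n->next = head->next;
	head->next->prev = n; head->next = n;
}

static bool list_empty(const struct list_head *h) { return h->next == h; }

enum { T_ACTIVE, T_INACTIVE, T_COUNT };

struct lru_list {
	struct list_head lists[T_COUNT];
	struct list_head *next_inactive_rotation;	/* cursor into lists[T_INACTIVE] */
};

struct lru_node { int id; struct list_head list; };

#define node_of(ptr) ((struct lru_node *)((char *)(ptr) - offsetof(struct lru_node, list)))

static void lru_list_init(struct lru_list *l)
{
	for (int i = 0; i < T_COUNT; i++)
		init_list_head(&l->lists[i]);
	/* Model assumption: the cursor starts on the inactive sentinel. */
	l->next_inactive_rotation = &l->lists[T_INACTIVE];
}

/* Same logic as the unpatched lines in the hunk: if the node being moved
 * is the rotation candidate, step the cursor to its predecessor first. */
static void node_move(struct lru_list *l, struct lru_node *node, int tgt)
{
	if (&node->list == l->next_inactive_rotation)
		l->next_inactive_rotation = l->next_inactive_rotation->prev;
	list_move(&node->list, &l->lists[tgt]);
}

/* The test the proposed patch adds. For a node linked into a sentinel-headed
 * list, prev is another node or the head, never the node itself. */
static bool patch_condition(const struct lru_list *l, const struct lru_node *node)
{
	return l->next_inactive_rotation->prev == &node->list;
}

/* Reported scenario: one inactive node, and it is the candidate. Returns true
 * when, after the move, the inactive list is empty, the cursor sits on the
 * inactive sentinel (a valid anchor) and the patch condition did not fire. */
static bool sole_candidate_move_parks_cursor_on_head(void)
{
	struct lru_list l;
	struct lru_node n = { .id = 1 };

	lru_list_init(&l);
	list_add_tail(&n.list, &l.lists[T_INACTIVE]);
	l.next_inactive_rotation = &n.list;

	bool fired = patch_condition(&l, &n);	/* false: n.list.prev is the head */
	node_move(&l, &n, T_ACTIVE);

	return !fired && list_empty(&l.lists[T_INACTIVE]) &&
	       l.next_inactive_rotation == &l.lists[T_INACTIVE] &&
	       !list_empty(&l.lists[T_ACTIVE]);
}

/* Two inactive nodes, cursor on the second; moving it steps the cursor back
 * to the first. Returns the id the cursor lands on (0 = sentinel). */
static int cursor_id_after_moving_candidate(void)
{
	struct lru_list l;
	struct lru_node a = { .id = 1 }, b = { .id = 2 };

	lru_list_init(&l);
	list_add_tail(&a.list, &l.lists[T_INACTIVE]);
	list_add_tail(&b.list, &l.lists[T_INACTIVE]);
	l.next_inactive_rotation = &b.list;

	node_move(&l, &b, T_ACTIVE);
	if (l.next_inactive_rotation == &l.lists[T_INACTIVE])
		return 0;
	return node_of(l.next_inactive_rotation)->id;
}

int main(void)
{
	printf("sole candidate: cursor on head = %d\n", sole_candidate_move_parks_cursor_on_head());
	printf("two nodes: cursor lands on id %d\n", cursor_id_after_moving_candidate());
	return 0;
}
```

In this model the unpatched logic leaves the cursor on the sentinel head once the lone node is moved out, and the proposed `prev == &node->list` test never fires for a node that is linked in, which is the behaviour a reviewer would want the commit message to reconcile with the crash the report describes.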