From patchwork Fri Oct 29 15:22:12 2021
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 12592969
X-Patchwork-Delegate: kuba@kernel.org
To: Daniel Borkmann, Alexei Starovoitov, Networking
From: Eric Dumazet
Subject: [RFC] should we allow BPF to transmit empty skbs
Date: Fri, 29 Oct 2021 08:22:12 -0700
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-State: RFC

Some layers in the tx path do not expect an skb to be empty (skb->len == 0).

syzbot reported a crash [1] in fq_codel. But I expect many drivers would also crash later.

Sure, the immediate fq_codel crash could be 'fixed', but I would rather add some sanity checks in net/core/filter.c.

Thanks.

[1]
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 6542 Comm: syz-executor965 Not tainted 5.15.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:dequeue_head net/sched/sch_fq_codel.c:120 [inline]
RIP: 0010:fq_codel_drop net/sched/sch_fq_codel.c:168 [inline]
RIP: 0010:fq_codel_enqueue+0x83e/0x10c0 net/sched/sch_fq_codel.c:230
Code: f8 e2 25 fa 45 39 ec 0f 83 cb 00 00 00 e8 1a dc 25 fa 48 8b 44 24 10 80 38 00 0f 85 9a 06 00 00 49 8b 07 48 89 c2 48 c1 ea 03 <42> 80 3c 32 00 0f 85 6e 06 00 00 48 8b 10 48 8d 78 28 49 89 17 48
RSP: 0018:ffffc90001187310 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff87504776 RDI: 0000000000000003
RBP: ffffc900011874e0 R08: 0000000000000400 R09: 0000000000000001
R10: ffffffff875046d6 R11: 0000000000000000 R12: 0000000000000400
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff888071660000
FS:  0000555556b21300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9c09885040 CR3: 0000000021c77000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 dev_qdisc_enqueue+0x40/0x300 net/core/dev.c:3771
 __dev_xmit_skb net/core/dev.c:3855 [inline]
 __dev_queue_xmit+0x1f0e/0x36e0 net/core/dev.c:4170
 __bpf_tx_skb net/core/filter.c:2114 [inline]
 __bpf_redirect_no_mac net/core/filter.c:2139 [inline]
 __bpf_redirect+0x5ba/0xd20 net/core/filter.c:2162
 ____bpf_clone_redirect net/core/filter.c:2429 [inline]
 bpf_clone_redirect+0x2ae/0x420 net/core/filter.c:2401
 ___bpf_prog_run+0x3592/0x77d0 kernel/bpf/core.c:1548
 __bpf_prog_run512+0x91/0xd0 kernel/bpf/core.c:1776
 bpf_dispatcher_nop_func include/linux/bpf.h:718 [inline]
 __bpf_prog_run include/linux/filter.h:624 [inline]
 bpf_prog_run include/linux/filter.h:631 [inline]
 bpf_test_run+0x37c/0xa20 net/bpf/test_run.c:119
 bpf_prog_test_run_skb+0xa7c/0x1cb0 net/bpf/test_run.c:662
 bpf_prog_test_run kernel/bpf/syscall.c:3307 [inline]
 __sys_bpf+0x2137/0x5df0 kernel/bpf/syscall.c:4605
 __do_sys_bpf kernel/bpf/syscall.c:4691 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:4689 [inline]
 __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4689
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
index bb0cd6d3d2c2749d54e26368fb2558beedea85c9..73688b0ec83c473322669ca6a331bf3f3aefb293 100644
--- a/net/sched/sch_fq_codel.c
+++ b/net/sched/sch_fq_codel.c
@@ -203,7 +203,14 @@ static int fq_codel_enqueue(struct sk_buff *skb, struct Qdisc *sch, codel_set_enqueue_time(skb); flow = &q->flows[idx]; flow_queue_add(flow, skb); - q->backlogs[idx] += qdisc_pkt_len(skb); + + /* fq_codel_drop() depends on qdisc_pkt_len(skb) being not zero. */ + pkt_len = qdisc_pkt_len(skb); + if (unlikely(!pkt_len)) { + pkt_len = 1; + qdisc_skb_cb(skb)->pkt_len = pkt_len; + } + q->backlogs[idx] += pkt_len; qdisc_qstats_backlog_inc(sch, skb); if (list_empty(&flow->flowchain)) { @@ -220,8 +227,6 @@ static int fq_codel_enqueue(struct sk_buff *skb, struct Qdisc *sch, prev_backlog = sch->qstats.backlog; prev_qlen = sch->q.qlen; - /* save this packet length as it might be dropped by fq_codel_drop() */ - pkt_len = qdisc_pkt_len(skb); /* fq_codel_drop() is quite expensive, as it performs a linear search * in q->backlogs[] to find a fat flow. * So instead of dropping a single packet, drop half of its backlog
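Review bot: in the first hunk (@@ -203,7 +203,14 @@) the clamp writes the substituted length back with `qdisc_skb_cb(skb)->pkt_len = pkt_len;` before the unchanged `qdisc_qstats_backlog_inc(sch, skb);` that follows, and that write-back is what keeps sch->qstats.backlog and q->backlogs[idx] counting the same one byte for an empty skb, as well as any later accounting that reads qdisc_pkt_len(skb) for this packet. The new comment only mentions fq_codel_drop(), so please say explicitly that the write-back is deliberate; otherwise a later reader may treat that line as redundant and remove it, leaving the two backlog counters out of step. It would also help to note in the hunk or the changelog that this is the per-qdisc stopgap the cover text argues against, so the sanity check proposed for net/core/filter.c is not dropped once this lands.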
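Review bot: in the second hunk (@@ -220,8 +227,6 @@) removing `pkt_len = qdisc_pkt_len(skb);` is only safe because the earlier hunk now assigns pkt_len in the same function and nothing shown between the two sites modifies it; the deleted comment "save this packet length as it might be dropped by fq_codel_drop()" was the reason a local copy exists at all (the skb may be freed by fq_codel_drop() before pkt_len is used), and that rationale should move up to the new assignment rather than disappear. Also confirm that pkt_len is still declared at function scope, since the hunk context does not show its declaration and the earlier hunk now depends on it.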
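As an added illustration of the failure the RFC and the first hunk's comment describe, here is a user-space model of fq_codel's enqueue and fat-flow-drop path. It is written for this page, not kernel code and not part of the patch; struct names, the single-packet drop and the fixed flow count are simplifications. It assumes one reading of the trace above (null-ptr-deref in dequeue_head, reached from fq_codel_drop): when every queued skb is accounted as zero bytes, the linear search over backlogs[] never finds a flow with backlog greater than zero, keeps its initial index, and dequeues from a flow that may hold nothing. The `clamp_empty` switch applies the patch's "count an empty skb as one byte" rule so the two behaviours can be compared.

```c
/* Added example, not kernel code: a user-space model of the fq_codel
 * enqueue / fat-flow-drop path the RFC and the hunk comment describe.
 * Struct names and the single-packet drop are simplifications. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FLOWS_CNT 4

struct pkt { unsigned int len; struct pkt *next; }; /* len ~ qdisc_skb_cb(skb)->pkt_len */
struct flow { struct pkt *head, *tail; };
struct fq {
	struct flow flows[FLOWS_CNT];
	unsigned int backlogs[FLOWS_CNT]; /* bytes queued per flow, as in fq_codel */
	int clamp_empty;                  /* 1: apply the patch's "pkt_len = 1" rule */
};

/* Models flow_queue_add() plus the backlog accounting in fq_codel_enqueue(). */
static void fq_enqueue(struct fq *q, unsigned int idx, unsigned int len)
{
	struct flow *flow = &q->flows[idx];
	struct pkt *p = calloc(1, sizeof(*p));

	if (!p) abort();
	if (q->clamp_empty && len == 0)
		len = 1; /* the patch: account an empty skb as one byte */
	p->len = len;
	if (flow->tail)
		flow->tail->next = p;
	else
		flow->head = p;
	flow->tail = p;
	q->backlogs[idx] += len;
}

/* Models dequeue_head(): NULL on an empty flow (the kernel does not check). */
static struct pkt *dequeue_head(struct flow *flow)
{
	struct pkt *p = flow->head;

	if (p) {
		flow->head = p->next;
		if (!flow->head)
			flow->tail = NULL;
	}
	return p;
}

/* Models the fat-flow search in fq_codel_drop(): scan backlogs[] for the largest
 * backlog, drop from that flow. Returns the flow index, or -1 if it was empty. */
static int fq_drop_fat_flow(struct fq *q)
{
	unsigned int maxbacklog = 0, idx = 0, i;
	struct pkt *p;

	for (i = 0; i < FLOWS_CNT; i++) {
		if (q->backlogs[i] > maxbacklog) {
			maxbacklog = q->backlogs[i];
			idx = i;
		}
	}
	p = dequeue_head(&q->flows[idx]);
	if (!p) return -1; /* kernel: NULL dereference here */
	q->backlogs[idx] -= p->len;
	free(p);
	return (int)idx;
}

static void fq_release(struct fq *q)
{
	struct pkt *p;
	unsigned int i;
	for (i = 0; i < FLOWS_CNT; i++)
		while ((p = dequeue_head(&q->flows[i])) != NULL)
			free(p);
}

/* Constructed scenario: 16 zero-length packets on flow 3, flow 0 empty.
 * Returns the flow the drop routine picked; -1 means the kernel would crash. */
static int simulate_empty_skbs(int clamp_empty)
{
	struct fq q;
	int i, picked;

	memset(&q, 0, sizeof(q));
	q.clamp_empty = clamp_empty;
	for (i = 0; i < 16; i++)
		fq_enqueue(&q, 3, 0);
	picked = fq_drop_fat_flow(&q);
	fq_release(&q);
	return picked;
}

int main(void)
{
	printf("unpatched: fat-flow drop picked flow %d\n", simulate_empty_skbs(0));
	printf("patched:   fat-flow drop picked flow %d\n", simulate_empty_skbs(1));
	return 0;
}
```

Without the clamp the search returns its initial index 0 and dequeues from an empty flow; with the clamp flow 3 carries a backlog of 16 and is found. The same model also shows why the RFC's preferred fix (rejecting an empty skb in net/core/filter.c before it reaches any qdisc) is the more general one: the per-qdisc clamp only protects fq_codel's own bookkeeping.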