selftests: netfilter: add cpu counter check #206

Closed
wants to merge 5 commits into from

kernel-patches-bot

Pull request for series with
subject: selftests: netfilter: add cpu counter check
version: 1
url: https://patchwork.kernel.org/project/bpf/list/?series=360561

kernel-patches-bot and others added 5 commits October 6, 2020 17:16
run task on first CPU with netfilter counters reset and check
cpu meta after another ping

Signed-off-by: Fabian Frederick <fabf@skynet.be>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

When some test directly done with check_one_counter() fails,
counter variable is undefined. This patch calls ip with cname
which avoids errors like:
FAIL: oskuidcounter, want "packets 2", got
Error: syntax error, unexpected newline, expecting string
list counter inet filter
                        ^
Error is now correctly rendered:
FAIL: oskuidcounter, want "packets 2", got
table inet filter {
	counter oskuidcounter {
		packets 1 bytes 84
	}
}

Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

cnt was not used in nft_meta.sh
This patch also fixes 2 shellcheck SC2181 warnings:
"check exit code directly with e.g. 'if mycmd;', not indirectly with
$?."

Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Check packets are correctly placed in current year.
Also do a NULL check for another one.

Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
@kernel-patches-bot

Master branch: d82a532
series: https://patchwork.kernel.org/project/bpf/list/?series=360561
version: 1

@kernel-patches-bot kernel-patches-bot deleted the series/360561=>bpf branch October 7, 2020 01:46
kernel-patches-bot pushed a commit that referenced this pull request Nov 12, 2021
This patch adds '--timing' to test_progs. It tracks and prints timing
information for each test, it also prints top 10 slowest tests in the
summary.

Example output:
  $./test_progs --timing -j
  #1 align:OK (16 ms)
  ...
  #203 xdp_bonding:OK (2019 ms)
  #206 xdp_cpumap_attach:OK (3 ms)
  #207 xdp_devmap_attach:OK (4 ms)
  #208 xdp_info:OK (4 ms)
  #209 xdp_link:OK (4 ms)

  Top 10 Slowest tests:
  #48 fexit_stress: 34356 ms
  #160 test_lsm: 29602 ms
  #161 test_overhead: 29190 ms
  #159 test_local_storage: 28959 ms
  #158 test_ima: 28521 ms
  #185 verif_scale_pyperf600: 19524 ms
  #199 vmlinux: 17310 ms
  #154 tc_redirect: 11491 ms (serial)
  #147 task_local_storage: 7612 ms
  #183 verif_scale_pyperf180: 7186 ms
  Summary: 212/973 PASSED, 3 SKIPPED, 0 FAILED

Signed-off-by: Yucong Sun <sunyucong@gmail.com>
kernel-patches-daemon-bpf bot pushed a commit that referenced this pull request Apr 11, 2023
UBSAN: shift-out-of-bounds in net/ipv4/tcp_input.c:555:23
shift exponent 255 is too large for 32-bit type 'int'
CPU: 1 PID: 7907 Comm: ssh Not tainted 6.3.0-rc4-00161-g62bad54b26db-dirty #206
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x136/0x150
 __ubsan_handle_shift_out_of_bounds+0x21f/0x5a0
 tcp_init_transfer.cold+0x3a/0xb9
 tcp_finish_connect+0x1d0/0x620
 tcp_rcv_state_process+0xd78/0x4d60
 tcp_v4_do_rcv+0x33d/0x9d0
 __release_sock+0x133/0x3b0
 release_sock+0x58/0x1b0

'maxwin' is int, shifting int for 32 or more bits is undefined behaviour.

Fixes: 1da177e ("Linux-2.6.12-rc2")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
kuba-moo pushed a commit to linux-netdev/testing-bpf-ci that referenced this pull request Jan 10, 2025
[BUG]
Syzbot reported a crash with the following call trace:

  BTRFS info (device loop0): scrub: started on devid 1
  BUG: kernel NULL pointer dereference, address: 0000000000000208
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 106e70067 P4D 106e70067 PUD 107143067 PMD 0
  Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
  CPU: 1 UID: 0 PID: 689 Comm: repro Kdump: loaded Tainted: G           O       6.13.0-rc4-custom+ #206
  Tainted: [O]=OOT_MODULE
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022
  RIP: 0010:find_first_extent_item+0x26/0x1f0 [btrfs]
  Call Trace:
   <TASK>
   scrub_find_fill_first_stripe+0x13d/0x3b0 [btrfs]
   scrub_simple_mirror+0x175/0x260 [btrfs]
   scrub_stripe+0x5d4/0x6c0 [btrfs]
   scrub_chunk+0xbb/0x170 [btrfs]
   scrub_enumerate_chunks+0x2f4/0x5f0 [btrfs]
   btrfs_scrub_dev+0x240/0x600 [btrfs]
   btrfs_ioctl+0x1dc8/0x2fa0 [btrfs]
   ? do_sys_openat2+0xa5/0xf0
   __x64_sys_ioctl+0x97/0xc0
   do_syscall_64+0x4f/0x120
   entry_SYSCALL_64_after_hwframe+0x76/0x7e
   </TASK>

[CAUSE]
The reproducer is using a corrupted image where extent tree root is
corrupted, thus forcing to use "rescue=all,ro" mount option to mount the
image.

Then it triggered a scrub, but since scrub relies on extent tree to find
where the data/metadata extents are, scrub_find_fill_first_stripe()
relies on a non-empty extent root.

But unfortunately scrub_find_fill_first_stripe() doesn't really expect
a NULL pointer for extent root, it uses extent_root to grab fs_info and
triggered a NULL pointer dereference.

[FIX]
Add an extra check for a valid extent root at the beginning of
scrub_find_fill_first_stripe().

The new error path is introduced by 42437a6 ("btrfs: introduce
mount option rescue=ignorebadroots"), but that's pretty old, and later
commit b979547 ("btrfs: scrub: introduce helper to find and fill
sector info for a scrub_stripe") changed how we do scrub.

So for kernels older than 6.6, the fix will need manual backport.

Reported-by: syzbot+339e9dbe3a2ca419b85d@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-btrfs/67756935.050a0220.25abdd.0a12.GAE@google.com/
Fixes: 42437a6 ("btrfs: introduce mount option rescue=ignorebadroots")
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
kernel-patches-daemon-bpf bot pushed a commit that referenced this pull request Feb 1, 2025
Yan Zhai reported a BPF prog could trigger a null-ptr-deref [0]
in trace_kfree_skb if the prog does not check if rx_sk is NULL.

Commit c53795d ("net: add rx_sk to trace_kfree_skb") added
rx_sk to trace_kfree_skb, but rx_sk is optional and could be NULL.

Let's add __nullable suffix to rx_sk to let the BPF verifier
validate such a prog and prevent the issue.

Now we fail to load such a prog:

  libbpf: prog 'drop': -- BEGIN PROG LOAD LOG --
  0: R1=ctx() R10=fp0
  ; int BPF_PROG(drop, struct sk_buff *skb, void *location, @ kfree_skb_sk_null.bpf.c:21
  0: (79) r3 = *(u64 *)(r1 +24)
  func 'kfree_skb' arg3 has btf_id 5253 type STRUCT 'sock'
  1: R1=ctx() R3_w=trusted_ptr_or_null_sock(id=1)
  ; bpf_printk("sk: %d, %d\n", sk, sk->__sk_common.skc_family); @ kfree_skb_sk_null.bpf.c:24
  1: (69) r4 = *(u16 *)(r3 +16)
  R3 invalid mem access 'trusted_ptr_or_null_'
  processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
  -- END PROG LOAD LOG --

Note this fix requires commit 8aeaed2 ("bpf: Support
__nullable argument suffix for tp_btf").

[0]:
BUG: kernel NULL pointer dereference, address: 0000000000000010
 PF: supervisor read access in kernel mode
 PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
PREEMPT SMP
CPU: 6 UID: 0 PID: 348 Comm: sshd Not tainted 6.12.11 #206
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d
Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 00 55 48 89 e5 48 8b 57 18 <48> 0f b7 4a 10 48 bf 0c 4f e2 c1 ad 90 ff ff be 0c 00 00 00 e8 0f
RSP: 0018:ffffa86640b53da8 EFLAGS: 00010202
RAX: 0000000000000001 RBX: ffffa866402d1000 RCX: 0000000000000002
RDX: 0000000000000000 RSI: ffffa866402d1048 RDI: ffffa86640b53dc8
RBP: ffffa86640b53da8 R08: 0000000000000000 R09: 9c908cd09b9c8c91
R10: ffff90adc056b540 R11: 0000000000000002 R12: 0000000000000000
R13: ffffa86640b53e88 R14: 0000000000000800 R15: fffffffffffffffe
FS:  00007f2a27c2b480(0000) GS:ffff90b0efd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 0000000100e69004 CR4: 00000000001726f0
Call Trace:
 <TASK>
 ? __die+0x1f/0x60
 ? page_fault_oops+0x148/0x420
 ? search_bpf_extables+0x5b/0x70
 ? fixup_exception+0x27/0x2c0
 ? exc_page_fault+0x75/0x170
 ? asm_exc_page_fault+0x22/0x30
 ? bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d
 bpf_trace_run4+0x68/0xd0
 ? unix_stream_connect+0x1f4/0x6f0
 sk_skb_reason_drop+0x90/0x120
 unix_stream_connect+0x1f4/0x6f0
 __sys_connect+0x7f/0xb0
 __x64_sys_connect+0x14/0x20
 do_syscall_64+0x47/0xc30
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f2a27f296a0
Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 80 3d 41 ff 0c 00 00 74 17 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 54
RSP: 002b:00007ffe29274f58 EFLAGS: 00000202 ORIG_RAX: 000000000000002a

Fixes: c53795d ("net: add rx_sk to trace_kfree_skb")
Reported-by: Yan Zhai <yan@cloudflare.com>
Closes: https://lore.kernel.org/netdev/Z50zebTRzI962e6X@debian.debian/
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Tested-by: Yan Zhai <yan@cloudflare.com>
kernel-patches-daemon-bpf bot pushed a commit that referenced this pull request Feb 1, 2025
Yan Zhai reported a BPF prog could trigger a null-ptr-deref [0]
in trace_kfree_skb if the prog does not check if rx_sk is NULL.

Commit c53795d ("net: add rx_sk to trace_kfree_skb") added
rx_sk to trace_kfree_skb, but rx_sk is optional and could be NULL.

Let's add kfree_skb to raw_tp_null_args[] to let the BPF verifier
validate such a prog and prevent the issue.

Now we fail to load such a prog:

  libbpf: prog 'drop': -- BEGIN PROG LOAD LOG --
  0: R1=ctx() R10=fp0
  ; int BPF_PROG(drop, struct sk_buff *skb, void *location, @ kfree_skb_sk_null.bpf.c:21
  0: (79) r3 = *(u64 *)(r1 +24)
  func 'kfree_skb' arg3 has btf_id 5253 type STRUCT 'sock'
  1: R1=ctx() R3_w=trusted_ptr_or_null_sock(id=1)
  ; bpf_printk("sk: %d, %d\n", sk, sk->__sk_common.skc_family); @ kfree_skb_sk_null.bpf.c:24
  1: (69) r4 = *(u16 *)(r3 +16)
  R3 invalid mem access 'trusted_ptr_or_null_'
  processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
  -- END PROG LOAD LOG --

Note this fix requires commit 838a10b ("bpf: Augment raw_tp
arguments with PTR_MAYBE_NULL").

[0]:
BUG: kernel NULL pointer dereference, address: 0000000000000010
 PF: supervisor read access in kernel mode
 PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
PREEMPT SMP
CPU: 6 UID: 0 PID: 348 Comm: sshd Not tainted 6.12.11 #206
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d
Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 00 55 48 89 e5 48 8b 57 18 <48> 0f b7 4a 10 48 bf 0c 4f e2 c1 ad 90 ff ff be 0c 00 00 00 e8 0f
RSP: 0018:ffffa86640b53da8 EFLAGS: 00010202
RAX: 0000000000000001 RBX: ffffa866402d1000 RCX: 0000000000000002
RDX: 0000000000000000 RSI: ffffa866402d1048 RDI: ffffa86640b53dc8
RBP: ffffa86640b53da8 R08: 0000000000000000 R09: 9c908cd09b9c8c91
R10: ffff90adc056b540 R11: 0000000000000002 R12: 0000000000000000
R13: ffffa86640b53e88 R14: 0000000000000800 R15: fffffffffffffffe
FS:  00007f2a27c2b480(0000) GS:ffff90b0efd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 0000000100e69004 CR4: 00000000001726f0
Call Trace:
 <TASK>
 ? __die+0x1f/0x60
 ? page_fault_oops+0x148/0x420
 ? search_bpf_extables+0x5b/0x70
 ? fixup_exception+0x27/0x2c0
 ? exc_page_fault+0x75/0x170
 ? asm_exc_page_fault+0x22/0x30
 ? bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d
 bpf_trace_run4+0x68/0xd0
 ? unix_stream_connect+0x1f4/0x6f0
 sk_skb_reason_drop+0x90/0x120
 unix_stream_connect+0x1f4/0x6f0
 __sys_connect+0x7f/0xb0
 __x64_sys_connect+0x14/0x20
 do_syscall_64+0x47/0xc30
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f2a27f296a0
Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 80 3d 41 ff 0c 00 00 74 17 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 54
RSP: 002b:00007ffe29274f58 EFLAGS: 00000202 ORIG_RAX: 000000000000002a

Fixes: c53795d ("net: add rx_sk to trace_kfree_skb")
Reported-by: Yan Zhai <yan@cloudflare.com>
Closes: https://lore.kernel.org/netdev/Z50zebTRzI962e6X@debian.debian/
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Tested-by: Yan Zhai <yan@cloudflare.com>
Acked-by: Jiri Olsa <jolsa@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit that referenced this pull request Feb 3, 2025
Yan Zhai reported a BPF prog could trigger a null-ptr-deref [0]
in trace_kfree_skb if the prog does not check if rx_sk is NULL.

Commit c53795d ("net: add rx_sk to trace_kfree_skb") added
rx_sk to trace_kfree_skb, but rx_sk is optional and could be NULL.

Let's add kfree_skb to raw_tp_null_args[] to let the BPF verifier
validate such a prog and prevent the issue.

Now we fail to load such a prog:

  libbpf: prog 'drop': -- BEGIN PROG LOAD LOG --
  0: R1=ctx() R10=fp0
  ; int BPF_PROG(drop, struct sk_buff *skb, void *location, @ kfree_skb_sk_null.bpf.c:21
  0: (79) r3 = *(u64 *)(r1 +24)
  func 'kfree_skb' arg3 has btf_id 5253 type STRUCT 'sock'
  1: R1=ctx() R3_w=trusted_ptr_or_null_sock(id=1)
  ; bpf_printk("sk: %d, %d\n", sk, sk->__sk_common.skc_family); @ kfree_skb_sk_null.bpf.c:24
  1: (69) r4 = *(u16 *)(r3 +16)
  R3 invalid mem access 'trusted_ptr_or_null_'
  processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
  -- END PROG LOAD LOG --

Note this fix requires commit 838a10b ("bpf: Augment raw_tp
arguments with PTR_MAYBE_NULL").

[0]:
BUG: kernel NULL pointer dereference, address: 0000000000000010
 PF: supervisor read access in kernel mode
 PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
PREEMPT SMP
CPU: 6 UID: 0 PID: 348 Comm: sshd Not tainted 6.12.11 #206
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d
Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 00 55 48 89 e5 48 8b 57 18 <48> 0f b7 4a 10 48 bf 0c 4f e2 c1 ad 90 ff ff be 0c 00 00 00 e8 0f
RSP: 0018:ffffa86640b53da8 EFLAGS: 00010202
RAX: 0000000000000001 RBX: ffffa866402d1000 RCX: 0000000000000002
RDX: 0000000000000000 RSI: ffffa866402d1048 RDI: ffffa86640b53dc8
RBP: ffffa86640b53da8 R08: 0000000000000000 R09: 9c908cd09b9c8c91
R10: ffff90adc056b540 R11: 0000000000000002 R12: 0000000000000000
R13: ffffa86640b53e88 R14: 0000000000000800 R15: fffffffffffffffe
FS:  00007f2a27c2b480(0000) GS:ffff90b0efd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 0000000100e69004 CR4: 00000000001726f0
Call Trace:
 <TASK>
 ? __die+0x1f/0x60
 ? page_fault_oops+0x148/0x420
 ? search_bpf_extables+0x5b/0x70
 ? fixup_exception+0x27/0x2c0
 ? exc_page_fault+0x75/0x170
 ? asm_exc_page_fault+0x22/0x30
 ? bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d
 bpf_trace_run4+0x68/0xd0
 ? unix_stream_connect+0x1f4/0x6f0
 sk_skb_reason_drop+0x90/0x120
 unix_stream_connect+0x1f4/0x6f0
 __sys_connect+0x7f/0xb0
 __x64_sys_connect+0x14/0x20
 do_syscall_64+0x47/0xc30
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f2a27f296a0
Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 80 3d 41 ff 0c 00 00 74 17 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 54
RSP: 002b:00007ffe29274f58 EFLAGS: 00000202 ORIG_RAX: 000000000000002a

Fixes: c53795d ("net: add rx_sk to trace_kfree_skb")
Reported-by: Yan Zhai <yan@cloudflare.com>
Closes: https://lore.kernel.org/netdev/Z50zebTRzI962e6X@debian.debian/
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Tested-by: Yan Zhai <yan@cloudflare.com>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Link: https://lore.kernel.org/r/20250201030142.62703-1-kuniyu@amazon.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit that referenced this pull request Feb 3, 2025
Yan Zhai reported a BPF prog could trigger a null-ptr-deref [0]
in trace_kfree_skb if the prog does not check if rx_sk is NULL.

Commit c53795d ("net: add rx_sk to trace_kfree_skb") added
rx_sk to trace_kfree_skb, but rx_sk is optional and could be NULL.

Let's add __nullable suffix to rx_sk to let the BPF verifier
validate such a prog and prevent the issue.

Now we fail to load such a prog:

  libbpf: prog 'drop': -- BEGIN PROG LOAD LOG --
  0: R1=ctx() R10=fp0
  ; int BPF_PROG(drop, struct sk_buff *skb, void *location, @ kfree_skb_sk_null.bpf.c:21
  0: (79) r3 = *(u64 *)(r1 +24)
  func 'kfree_skb' arg3 has btf_id 5253 type STRUCT 'sock'
  1: R1=ctx() R3_w=trusted_ptr_or_null_sock(id=1)
  ; bpf_printk("sk: %d, %d\n", sk, sk->__sk_common.skc_family); @ kfree_skb_sk_null.bpf.c:24
  1: (69) r4 = *(u16 *)(r3 +16)
  R3 invalid mem access 'trusted_ptr_or_null_'
  processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
  -- END PROG LOAD LOG --

Note this fix requires commit 8aeaed2 ("bpf: Support
__nullable argument suffix for tp_btf").

[0]:
BUG: kernel NULL pointer dereference, address: 0000000000000010
 PF: supervisor read access in kernel mode
 PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
PREEMPT SMP
CPU: 6 UID: 0 PID: 348 Comm: sshd Not tainted 6.12.11 #206
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d
Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 00 55 48 89 e5 48 8b 57 18 <48> 0f b7 4a 10 48 bf 0c 4f e2 c1 ad 90 ff ff be 0c 00 00 00 e8 0f
RSP: 0018:ffffa86640b53da8 EFLAGS: 00010202
RAX: 0000000000000001 RBX: ffffa866402d1000 RCX: 0000000000000002
RDX: 0000000000000000 RSI: ffffa866402d1048 RDI: ffffa86640b53dc8
RBP: ffffa86640b53da8 R08: 0000000000000000 R09: 9c908cd09b9c8c91
R10: ffff90adc056b540 R11: 0000000000000002 R12: 0000000000000000
R13: ffffa86640b53e88 R14: 0000000000000800 R15: fffffffffffffffe
FS:  00007f2a27c2b480(0000) GS:ffff90b0efd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 0000000100e69004 CR4: 00000000001726f0
Call Trace:
 <TASK>
 ? __die+0x1f/0x60
 ? page_fault_oops+0x148/0x420
 ? search_bpf_extables+0x5b/0x70
 ? fixup_exception+0x27/0x2c0
 ? exc_page_fault+0x75/0x170
 ? asm_exc_page_fault+0x22/0x30
 ? bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d
 bpf_trace_run4+0x68/0xd0
 ? unix_stream_connect+0x1f4/0x6f0
 sk_skb_reason_drop+0x90/0x120
 unix_stream_connect+0x1f4/0x6f0
 __sys_connect+0x7f/0xb0
 __x64_sys_connect+0x14/0x20
 do_syscall_64+0x47/0xc30
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f2a27f296a0
Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 80 3d 41 ff 0c 00 00 74 17 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 54
RSP: 002b:00007ffe29274f58 EFLAGS: 00000202 ORIG_RAX: 000000000000002a

Fixes: c53795d ("net: add rx_sk to trace_kfree_skb")
Reported-by: Yan Zhai <yan@cloudflare.com>
Closes: https://lore.kernel.org/netdev/Z50zebTRzI962e6X@debian.debian/
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Tested-by: Yan Zhai <yan@cloudflare.com>
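
Added example, not part of the commit or the kernel tree: a Python triage helper that ties the oops in [0] to the load the verifier now rejects. The fault address 0x10 is the same offset 16 as in `r4 = *(u16 *)(r3 +16)`, taken through a NULL rx_sk. Function and variable names are hypothetical, and both inputs are excerpts copied from the commit message above.

```python
import re

# Both excerpts are copied from the commit message above (shortened).
VERIFIER_LOG = r"""libbpf: prog 'drop': -- BEGIN PROG LOAD LOG --
0: (79) r3 = *(u64 *)(r1 +24)
func 'kfree_skb' arg3 has btf_id 5253 type STRUCT 'sock'
1: R1=ctx() R3_w=trusted_ptr_or_null_sock(id=1)
; bpf_printk("sk: %d, %d\n", sk, sk->__sk_common.skc_family); @ kfree_skb_sk_null.bpf.c:24
1: (69) r4 = *(u16 *)(r3 +16)
R3 invalid mem access 'trusted_ptr_or_null_'
"""
OOPS = """BUG: kernel NULL pointer dereference, address: 0000000000000010
RIP: 0010:bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d
"""

LOAD = re.compile(r"^\d+: \([0-9a-f]{2}\) r\d+ = \*\(u\d+ \*\)\(r(\d+) \+(\d+)\)")
REJECT = re.compile(r"^R(\d+) invalid mem access '(\w*_or_null_)'")

def rejected_deref(log):
    """Return prog name, register, offset and source line of a maybe-NULL load."""
    prog = re.search(r"prog '(\w+)'", log)
    last_load = src = None
    for line in (l.strip() for l in log.splitlines()):
        if line.startswith(";"):          # source annotation: "; <code> @ file:line"
            src = line.rsplit("@", 1)[-1].strip()
        elif (m := LOAD.match(line)):     # remember base register and offset
            last_load = (int(m.group(1)), int(m.group(2)))
        elif (m := REJECT.match(line)) and last_load and last_load[0] == int(m.group(1)):
            return {"prog": prog.group(1) if prog else None, "reg": f"R{m.group(1)}",
                    "type": m.group(2), "offset": last_load[1], "source": src}
    return None

def oops_fault(oops):
    """Return (fault address, BPF prog name) for a NULL deref inside a JITed prog."""
    addr = re.search(r"NULL pointer dereference, address: ([0-9a-f]+)", oops)
    rip = re.search(r"RIP: 0010:bpf_prog_[0-9a-f]{16}_(\w+)\+0x", oops)
    if not (addr and rip):
        return None
    return int(addr.group(1), 16), rip.group(1)

def same_bug(log, oops):
    """True when the oops is the load the verifier now refuses, taken with NULL."""
    rej, fault = rejected_deref(log), oops_fault(oops)
    return bool(rej and fault and fault == (rej["offset"], rej["prog"]))

if __name__ == "__main__":
    print(rejected_deref(VERIFIER_LOG))
    print(oops_fault(OOPS), same_bug(VERIFIER_LOG, OOPS))
```
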