-
Notifications
You must be signed in to change notification settings - Fork 54.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix int1 recursion and hard system lockup #232
Closed
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sync with torvalds/linux
Sync with torvalds/master
Sync with torvalds/master
Sync with torvalds/master
Sync with torvalds/master
borkmann
added a commit
to cilium/linux
that referenced
this pull request
Jul 10, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API: # ./vmtest.sh -- ./test_progs -t tc_links [...] torvalds#225 tc_links_after:OK torvalds#226 tc_links_append:OK torvalds#227 tc_links_basic:OK torvalds#228 tc_links_before:OK torvalds#229 tc_links_chain_classic:OK torvalds#230 tc_links_dev_cleanup:OK torvalds#231 tc_links_invalid:OK torvalds#232 tc_links_prepend:OK torvalds#233 tc_links_replace:OK torvalds#234 tc_links_revision:OK Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann
added a commit
to cilium/linux
that referenced
this pull request
Jul 11, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API: # ./vmtest.sh -- ./test_progs -t tc_links [...] torvalds#225 tc_links_after:OK torvalds#226 tc_links_append:OK torvalds#227 tc_links_basic:OK torvalds#228 tc_links_before:OK torvalds#229 tc_links_chain_classic:OK torvalds#230 tc_links_dev_cleanup:OK torvalds#231 tc_links_invalid:OK torvalds#232 tc_links_prepend:OK torvalds#233 tc_links_replace:OK torvalds#234 tc_links_revision:OK Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann
added a commit
to cilium/linux
that referenced
this pull request
Jul 11, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API: # ./vmtest.sh -- ./test_progs -t tc_links [...] torvalds#225 tc_links_after:OK torvalds#226 tc_links_append:OK torvalds#227 tc_links_basic:OK torvalds#228 tc_links_before:OK torvalds#229 tc_links_chain_classic:OK torvalds#230 tc_links_dev_cleanup:OK torvalds#231 tc_links_invalid:OK torvalds#232 tc_links_prepend:OK torvalds#233 tc_links_replace:OK torvalds#234 tc_links_revision:OK Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann
added a commit
to cilium/linux
that referenced
this pull request
Jul 11, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API: # ./vmtest.sh -- ./test_progs -t tc_links [...] torvalds#225 tc_links_after:OK torvalds#226 tc_links_append:OK torvalds#227 tc_links_basic:OK torvalds#228 tc_links_before:OK torvalds#229 tc_links_chain_classic:OK torvalds#230 tc_links_dev_cleanup:OK torvalds#231 tc_links_invalid:OK torvalds#232 tc_links_prepend:OK torvalds#233 tc_links_replace:OK torvalds#234 tc_links_revision:OK Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann
added a commit
to cilium/linux
that referenced
this pull request
Jul 12, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API: # ./vmtest.sh -- ./test_progs -t tc_links [...] torvalds#225 tc_links_after:OK torvalds#226 tc_links_append:OK torvalds#227 tc_links_basic:OK torvalds#228 tc_links_before:OK torvalds#229 tc_links_chain_classic:OK torvalds#230 tc_links_dev_cleanup:OK torvalds#231 tc_links_invalid:OK torvalds#232 tc_links_prepend:OK torvalds#233 tc_links_replace:OK torvalds#234 tc_links_revision:OK Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann
added a commit
to cilium/linux
that referenced
this pull request
Jul 13, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API: # ./vmtest.sh -- ./test_progs -t tc_links [...] torvalds#225 tc_links_after:OK torvalds#226 tc_links_append:OK torvalds#227 tc_links_basic:OK torvalds#228 tc_links_before:OK torvalds#229 tc_links_chain_classic:OK torvalds#230 tc_links_dev_cleanup:OK torvalds#231 tc_links_invalid:OK torvalds#232 tc_links_prepend:OK torvalds#233 tc_links_replace:OK torvalds#234 tc_links_revision:OK Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann
added a commit
to cilium/linux
that referenced
this pull request
Jul 13, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API: # ./vmtest.sh -- ./test_progs -t tc_links [...] torvalds#225 tc_links_after:OK torvalds#226 tc_links_append:OK torvalds#227 tc_links_basic:OK torvalds#228 tc_links_before:OK torvalds#229 tc_links_chain_classic:OK torvalds#230 tc_links_dev_cleanup:OK torvalds#231 tc_links_invalid:OK torvalds#232 tc_links_prepend:OK torvalds#233 tc_links_replace:OK torvalds#234 tc_links_revision:OK Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann
added a commit
to cilium/linux
that referenced
this pull request
Jul 13, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API: # ./vmtest.sh -- ./test_progs -t tc_links [...] torvalds#225 tc_links_after:OK torvalds#226 tc_links_append:OK torvalds#227 tc_links_basic:OK torvalds#228 tc_links_before:OK torvalds#229 tc_links_chain_classic:OK torvalds#230 tc_links_dev_cleanup:OK torvalds#231 tc_links_invalid:OK torvalds#232 tc_links_prepend:OK torvalds#233 tc_links_replace:OK torvalds#234 tc_links_revision:OK Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann
added a commit
to cilium/linux
that referenced
this pull request
Jul 13, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API: # ./vmtest.sh -- ./test_progs -t tc_links [...] torvalds#225 tc_links_after:OK torvalds#226 tc_links_append:OK torvalds#227 tc_links_basic:OK torvalds#228 tc_links_before:OK torvalds#229 tc_links_chain_classic:OK torvalds#230 tc_links_dev_cleanup:OK torvalds#231 tc_links_invalid:OK torvalds#232 tc_links_prepend:OK torvalds#233 tc_links_replace:OK torvalds#234 tc_links_revision:OK Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann
added a commit
to cilium/linux
that referenced
this pull request
Jul 14, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API: # ./vmtest.sh -- ./test_progs -t tc_links [...] torvalds#225 tc_links_after:OK torvalds#226 tc_links_append:OK torvalds#227 tc_links_basic:OK torvalds#228 tc_links_before:OK torvalds#229 tc_links_chain_classic:OK torvalds#230 tc_links_dev_cleanup:OK torvalds#231 tc_links_invalid:OK torvalds#232 tc_links_prepend:OK torvalds#233 tc_links_replace:OK torvalds#234 tc_links_revision:OK Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann
added a commit
to cilium/linux
that referenced
this pull request
Jul 14, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API: # ./vmtest.sh -- ./test_progs -t tc_links [...] torvalds#225 tc_links_after:OK torvalds#226 tc_links_append:OK torvalds#227 tc_links_basic:OK torvalds#228 tc_links_before:OK torvalds#229 tc_links_chain_classic:OK torvalds#230 tc_links_dev_cleanup:OK torvalds#231 tc_links_invalid:OK torvalds#232 tc_links_prepend:OK torvalds#233 tc_links_replace:OK torvalds#234 tc_links_revision:OK Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann
added a commit
to cilium/linux
that referenced
this pull request
Jul 14, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API: # ./vmtest.sh -- ./test_progs -t tc_links [...] torvalds#225 tc_links_after:OK torvalds#226 tc_links_append:OK torvalds#227 tc_links_basic:OK torvalds#228 tc_links_before:OK torvalds#229 tc_links_chain_classic:OK torvalds#230 tc_links_dev_cleanup:OK torvalds#231 tc_links_invalid:OK torvalds#232 tc_links_prepend:OK torvalds#233 tc_links_replace:OK torvalds#234 tc_links_revision:OK Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann
added a commit
to cilium/linux
that referenced
this pull request
Jul 19, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API: # ./vmtest.sh -- ./test_progs -t tc_links [...] torvalds#225 tc_links_after:OK torvalds#226 tc_links_append:OK torvalds#227 tc_links_basic:OK torvalds#228 tc_links_before:OK torvalds#229 tc_links_chain_classic:OK torvalds#230 tc_links_dev_cleanup:OK torvalds#231 tc_links_invalid:OK torvalds#232 tc_links_prepend:OK torvalds#233 tc_links_replace:OK torvalds#234 tc_links_revision:OK Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
intel-lab-lkp
pushed a commit
to intel-lab-lkp/linux
that referenced
this pull request
Jul 19, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API: # ./vmtest.sh -- ./test_progs -t tc_links [...] torvalds#225 tc_links_after:OK torvalds#226 tc_links_append:OK torvalds#227 tc_links_basic:OK torvalds#228 tc_links_before:OK torvalds#229 tc_links_chain_classic:OK torvalds#230 tc_links_dev_cleanup:OK torvalds#231 tc_links_invalid:OK torvalds#232 tc_links_prepend:OK torvalds#233 tc_links_replace:OK torvalds#234 tc_links_revision:OK Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20230719140858.13224-9-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast@kernel.org>
intel-lab-lkp
pushed a commit
to intel-lab-lkp/linux
that referenced
this pull request
Aug 18, 2023
- Without prev commit $ tools/testing/selftests/bpf/test_progs --name=tc_bpf torvalds#232/1 tc_bpf/tc_bpf_root:OK test_tc_bpf_non_root:PASS:set_cap_bpf_cap_net_admin 0 nsec test_tc_bpf_non_root:PASS:disable_cap_sys_admin 0 nsec 0: R1=ctx(off=0,imm=0) R10=fp0 ; if ((long)(iph + 1) > (long)skb->data_end) 0: (61) r2 = *(u32 *)(r1 +80) ; R1=ctx(off=0,imm=0) R2_w=pkt_end(off=0,imm=0) ; struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr); 1: (61) r1 = *(u32 *)(r1 +76) ; R1_w=pkt(off=0,r=0,imm=0) ; if ((long)(iph + 1) > (long)skb->data_end) 2: (07) r1 += 34 ; R1_w=pkt(off=34,r=0,imm=0) 3: (b4) w0 = 1 ; R0_w=1 4: (2d) if r1 > r2 goto pc+1 R2 pointer comparison prohibited processed 5 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0 test_tc_bpf_non_root:FAIL:test_tc_bpf__open_and_load unexpected error: -13 torvalds#233/2 tc_bpf_non_root:FAIL - With prev commit $ tools/testing/selftests/bpf/test_progs --name=tc_bpf torvalds#232/1 tc_bpf/tc_bpf_root:OK torvalds#232/2 tc_bpf/tc_bpf_non_root:OK torvalds#232 tc_bpf:OK Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
intel-lab-lkp
pushed a commit
to intel-lab-lkp/linux
that referenced
this pull request
Aug 23, 2023
- Without prev commit $ tools/testing/selftests/bpf/test_progs --name=tc_bpf torvalds#232/1 tc_bpf/tc_bpf_root:OK test_tc_bpf_non_root:PASS:set_cap_bpf_cap_net_admin 0 nsec test_tc_bpf_non_root:PASS:disable_cap_sys_admin 0 nsec 0: R1=ctx(off=0,imm=0) R10=fp0 ; if ((long)(iph + 1) > (long)skb->data_end) 0: (61) r2 = *(u32 *)(r1 +80) ; R1=ctx(off=0,imm=0) R2_w=pkt_end(off=0,imm=0) ; struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr); 1: (61) r1 = *(u32 *)(r1 +76) ; R1_w=pkt(off=0,r=0,imm=0) ; if ((long)(iph + 1) > (long)skb->data_end) 2: (07) r1 += 34 ; R1_w=pkt(off=34,r=0,imm=0) 3: (b4) w0 = 1 ; R0_w=1 4: (2d) if r1 > r2 goto pc+1 R2 pointer comparison prohibited processed 5 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0 test_tc_bpf_non_root:FAIL:test_tc_bpf__open_and_load unexpected error: -13 torvalds#233/2 tc_bpf_non_root:FAIL - With prev commit $ tools/testing/selftests/bpf/test_progs --name=tc_bpf torvalds#232/1 tc_bpf/tc_bpf_root:OK torvalds#232/2 tc_bpf/tc_bpf_non_root:OK torvalds#232 tc_bpf:OK Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
intel-lab-lkp
pushed a commit
to intel-lab-lkp/linux
that referenced
this pull request
Aug 23, 2023
- Without prev commit $ tools/testing/selftests/bpf/test_progs --name=tc_bpf torvalds#232/1 tc_bpf/tc_bpf_root:OK test_tc_bpf_non_root:PASS:set_cap_bpf_cap_net_admin 0 nsec test_tc_bpf_non_root:PASS:disable_cap_sys_admin 0 nsec 0: R1=ctx(off=0,imm=0) R10=fp0 ; if ((long)(iph + 1) > (long)skb->data_end) 0: (61) r2 = *(u32 *)(r1 +80) ; R1=ctx(off=0,imm=0) R2_w=pkt_end(off=0,imm=0) ; struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr); 1: (61) r1 = *(u32 *)(r1 +76) ; R1_w=pkt(off=0,r=0,imm=0) ; if ((long)(iph + 1) > (long)skb->data_end) 2: (07) r1 += 34 ; R1_w=pkt(off=34,r=0,imm=0) 3: (b4) w0 = 1 ; R0_w=1 4: (2d) if r1 > r2 goto pc+1 R2 pointer comparison prohibited processed 5 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0 test_tc_bpf_non_root:FAIL:test_tc_bpf__open_and_load unexpected error: -13 torvalds#233/2 tc_bpf_non_root:FAIL - With prev commit $ tools/testing/selftests/bpf/test_progs --name=tc_bpf torvalds#232/1 tc_bpf/tc_bpf_root:OK torvalds#232/2 tc_bpf/tc_bpf_non_root:OK torvalds#232 tc_bpf:OK Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Yafang Shao <laoar.shao@gmail.com> Link: https://lore.kernel.org/r/20230823020703.3790-3-laoar.shao@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
jonhunter
pushed a commit
to jonhunter/linux
that referenced
this pull request
Mar 5, 2024
The fast-path timer delivery introduced a recursive locking deadlock when userspace configures a timer which has already expired and is delivered immediately. The call to kvm_xen_inject_timer_irqs() can call to kvm_xen_set_evtchn() which may take kvm->arch.xen.xen_lock, which is already held in kvm_xen_vcpu_get_attr(). ============================================ WARNING: possible recursive locking detected 6.8.0-smp--5e10b4d51d77-drs torvalds#232 Tainted: G O -------------------------------------------- xen_shinfo_test/250013 is trying to acquire lock: ffff938c9930cc30 (&kvm->arch.xen.xen_lock){+.+.}-{3:3}, at: kvm_xen_set_evtchn+0x74/0x170 [kvm] but task is already holding lock: ffff938c9930cc30 (&kvm->arch.xen.xen_lock){+.+.}-{3:3}, at: kvm_xen_vcpu_get_attr+0x38/0x250 [kvm] Now that the gfn_to_pfn_cache has its own self-sufficient locking, its callers no longer need to ensure serialization, so just stop taking kvm->arch.xen.xen_lock from kvm_xen_set_evtchn(). Fixes: 77c9b9d ("KVM: x86/xen: Use fast path for Xen timer delivery") Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> Reviewed-by: Paul Durrant <paul@xen.org> Link: https://lore.kernel.org/r/20240227115648.3104-6-dwmw2@infradead.org Signed-off-by: Sean Christopherson <seanjc@google.com>
kuba-moo
pushed a commit
to linux-netdev/testing
that referenced
this pull request
Dec 16, 2024
The VXLAN driver does not verify that transmitted packets have an Ethernet header in the linear part of the skb, which can result in the driver accessing uninitialized memory while processing the Ethernet header [1]. Issue can be reproduced using [2]. Fix by checking that we can pull the Ethernet header into the linear part of the skb. Note that the driver can transmit IP packets, but this is handled earlier in the xmit path. [1] CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G B 6.12.0-rc7-custom-g10d3437464d3 torvalds#232 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 ===================================================== ===================================================== BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450 __vxlan_find_mac+0x449/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: __vxlan_find_mac+0x442/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: kmem_cache_alloc_node_noprof+0x4a8/0x9e0 kmalloc_reserve+0xd1/0x420 pskb_expand_head+0x1b4/0x15f0 skb_ensure_writable+0x2ee/0x390 bpf_clone_redirect+0x16a/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 [2] $ cat mac_repo.bpf.c // SPDX-License-Identifier: GPL-2.0 #include <linux/bpf.h> #include <bpf/bpf_helpers.h> SEC("lwt_xmit") int mac_repo(struct __sk_buff *skb) { return bpf_clone_redirect(skb, 100, 0); } $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \ bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10 Fixes: d342894 ("vxlan: virtual extensible lan") Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/ Signed-off-by: Ido Schimmel <idosch@nvidia.com> Signed-off-by: NipaLocal <nipa@local>
kuba-moo
pushed a commit
to linux-netdev/testing
that referenced
this pull request
Dec 16, 2024
The VXLAN driver does not verify that transmitted packets have an Ethernet header in the linear part of the skb, which can result in the driver accessing uninitialized memory while processing the Ethernet header [1]. Issue can be reproduced using [2]. Fix by checking that we can pull the Ethernet header into the linear part of the skb. Note that the driver can transmit IP packets, but this is handled earlier in the xmit path. [1] CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G B 6.12.0-rc7-custom-g10d3437464d3 torvalds#232 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 ===================================================== ===================================================== BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450 __vxlan_find_mac+0x449/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: __vxlan_find_mac+0x442/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: kmem_cache_alloc_node_noprof+0x4a8/0x9e0 kmalloc_reserve+0xd1/0x420 pskb_expand_head+0x1b4/0x15f0 skb_ensure_writable+0x2ee/0x390 bpf_clone_redirect+0x16a/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 [2] $ cat mac_repo.bpf.c // SPDX-License-Identifier: GPL-2.0 #include <linux/bpf.h> #include <bpf/bpf_helpers.h> SEC("lwt_xmit") int mac_repo(struct __sk_buff *skb) { return bpf_clone_redirect(skb, 100, 0); } $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \ bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10 Fixes: d342894 ("vxlan: virtual extensible lan") Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/ Signed-off-by: Ido Schimmel <idosch@nvidia.com> Signed-off-by: NipaLocal <nipa@local>
kuba-moo
pushed a commit
to linux-netdev/testing
that referenced
this pull request
Dec 16, 2024
The VXLAN driver does not verify that transmitted packets have an Ethernet header in the linear part of the skb, which can result in the driver accessing uninitialized memory while processing the Ethernet header [1]. Issue can be reproduced using [2]. Fix by checking that we can pull the Ethernet header into the linear part of the skb. Note that the driver can transmit IP packets, but this is handled earlier in the xmit path. [1] CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G B 6.12.0-rc7-custom-g10d3437464d3 torvalds#232 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 ===================================================== ===================================================== BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450 __vxlan_find_mac+0x449/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: __vxlan_find_mac+0x442/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: kmem_cache_alloc_node_noprof+0x4a8/0x9e0 kmalloc_reserve+0xd1/0x420 pskb_expand_head+0x1b4/0x15f0 skb_ensure_writable+0x2ee/0x390 bpf_clone_redirect+0x16a/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 [2] $ cat mac_repo.bpf.c // SPDX-License-Identifier: GPL-2.0 #include <linux/bpf.h> #include <bpf/bpf_helpers.h> SEC("lwt_xmit") int mac_repo(struct __sk_buff *skb) { return bpf_clone_redirect(skb, 100, 0); } $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \ bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10 Fixes: d342894 ("vxlan: virtual extensible lan") Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/ Signed-off-by: Ido Schimmel <idosch@nvidia.com> Signed-off-by: NipaLocal <nipa@local>
kuba-moo
pushed a commit
to linux-netdev/testing
that referenced
this pull request
Dec 17, 2024
The VXLAN driver does not verify that transmitted packets have an Ethernet header in the linear part of the skb, which can result in the driver accessing uninitialized memory while processing the Ethernet header [1]. Issue can be reproduced using [2]. Fix by checking that we can pull the Ethernet header into the linear part of the skb. Note that the driver can transmit IP packets, but this is handled earlier in the xmit path. [1] CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G B 6.12.0-rc7-custom-g10d3437464d3 torvalds#232 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 ===================================================== ===================================================== BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450 __vxlan_find_mac+0x449/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: __vxlan_find_mac+0x442/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: kmem_cache_alloc_node_noprof+0x4a8/0x9e0 kmalloc_reserve+0xd1/0x420 pskb_expand_head+0x1b4/0x15f0 skb_ensure_writable+0x2ee/0x390 bpf_clone_redirect+0x16a/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 [2] $ cat mac_repo.bpf.c // SPDX-License-Identifier: GPL-2.0 #include <linux/bpf.h> #include <bpf/bpf_helpers.h> SEC("lwt_xmit") int mac_repo(struct __sk_buff *skb) { return bpf_clone_redirect(skb, 100, 0); } $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \ bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10 Fixes: d342894 ("vxlan: virtual extensible lan") Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/ Signed-off-by: Ido Schimmel <idosch@nvidia.com> Signed-off-by: NipaLocal <nipa@local>
kuba-moo
pushed a commit
to linux-netdev/testing
that referenced
this pull request
Dec 17, 2024
The VXLAN driver does not verify that transmitted packets have an Ethernet header in the linear part of the skb, which can result in the driver accessing uninitialized memory while processing the Ethernet header [1]. Issue can be reproduced using [2]. Fix by checking that we can pull the Ethernet header into the linear part of the skb. Note that the driver can transmit IP packets, but this is handled earlier in the xmit path. [1] CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G B 6.12.0-rc7-custom-g10d3437464d3 torvalds#232 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 ===================================================== ===================================================== BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450 __vxlan_find_mac+0x449/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: __vxlan_find_mac+0x442/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: kmem_cache_alloc_node_noprof+0x4a8/0x9e0 kmalloc_reserve+0xd1/0x420 pskb_expand_head+0x1b4/0x15f0 skb_ensure_writable+0x2ee/0x390 bpf_clone_redirect+0x16a/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 [2] $ cat mac_repo.bpf.c // SPDX-License-Identifier: GPL-2.0 #include <linux/bpf.h> #include <bpf/bpf_helpers.h> SEC("lwt_xmit") int mac_repo(struct __sk_buff *skb) { return bpf_clone_redirect(skb, 100, 0); } $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \ bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10 Fixes: d342894 ("vxlan: virtual extensible lan") Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/ Signed-off-by: Ido Schimmel <idosch@nvidia.com> Signed-off-by: NipaLocal <nipa@local>
kuba-moo
pushed a commit
to linux-netdev/testing
that referenced
this pull request
Dec 17, 2024
The VXLAN driver does not verify that transmitted packets have an Ethernet header in the linear part of the skb, which can result in the driver accessing uninitialized memory while processing the Ethernet header [1]. Issue can be reproduced using [2]. Fix by checking that we can pull the Ethernet header into the linear part of the skb. Note that the driver can transmit IP packets, but this is handled earlier in the xmit path. [1] CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G B 6.12.0-rc7-custom-g10d3437464d3 torvalds#232 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 ===================================================== ===================================================== BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450 __vxlan_find_mac+0x449/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: __vxlan_find_mac+0x442/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: kmem_cache_alloc_node_noprof+0x4a8/0x9e0 kmalloc_reserve+0xd1/0x420 pskb_expand_head+0x1b4/0x15f0 skb_ensure_writable+0x2ee/0x390 bpf_clone_redirect+0x16a/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 [2] $ cat mac_repo.bpf.c // SPDX-License-Identifier: GPL-2.0 #include <linux/bpf.h> #include <bpf/bpf_helpers.h> SEC("lwt_xmit") int mac_repo(struct __sk_buff *skb) { return bpf_clone_redirect(skb, 100, 0); } $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \ bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10 Fixes: d342894 ("vxlan: virtual extensible lan") Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/ Signed-off-by: Ido Schimmel <idosch@nvidia.com> Signed-off-by: NipaLocal <nipa@local>
kuba-moo
pushed a commit
to linux-netdev/testing
that referenced
this pull request
Dec 17, 2024
The VXLAN driver does not verify that transmitted packets have an Ethernet header in the linear part of the skb, which can result in the driver accessing uninitialized memory while processing the Ethernet header [1]. Issue can be reproduced using [2]. Fix by checking that we can pull the Ethernet header into the linear part of the skb. Note that the driver can transmit IP packets, but this is handled earlier in the xmit path. [1] CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G B 6.12.0-rc7-custom-g10d3437464d3 torvalds#232 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 ===================================================== ===================================================== BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450 __vxlan_find_mac+0x449/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: __vxlan_find_mac+0x442/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: kmem_cache_alloc_node_noprof+0x4a8/0x9e0 kmalloc_reserve+0xd1/0x420 pskb_expand_head+0x1b4/0x15f0 skb_ensure_writable+0x2ee/0x390 bpf_clone_redirect+0x16a/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 [2] $ cat mac_repo.bpf.c // SPDX-License-Identifier: GPL-2.0 #include <linux/bpf.h> #include <bpf/bpf_helpers.h> SEC("lwt_xmit") int mac_repo(struct __sk_buff *skb) { return bpf_clone_redirect(skb, 100, 0); } $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \ bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10 Fixes: d342894 ("vxlan: virtual extensible lan") Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/ Signed-off-by: Ido Schimmel <idosch@nvidia.com> Signed-off-by: NipaLocal <nipa@local>
kuba-moo
pushed a commit
to linux-netdev/testing
that referenced
this pull request
Dec 17, 2024
The VXLAN driver does not verify that transmitted packets have an Ethernet header in the linear part of the skb, which can result in the driver accessing uninitialized memory while processing the Ethernet header [1]. Issue can be reproduced using [2]. Fix by checking that we can pull the Ethernet header into the linear part of the skb. Note that the driver can transmit IP packets, but this is handled earlier in the xmit path. [1] CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G B 6.12.0-rc7-custom-g10d3437464d3 torvalds#232 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 ===================================================== ===================================================== BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450 __vxlan_find_mac+0x449/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: __vxlan_find_mac+0x442/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: kmem_cache_alloc_node_noprof+0x4a8/0x9e0 kmalloc_reserve+0xd1/0x420 pskb_expand_head+0x1b4/0x15f0 skb_ensure_writable+0x2ee/0x390 bpf_clone_redirect+0x16a/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 [2] $ cat mac_repo.bpf.c // SPDX-License-Identifier: GPL-2.0 #include <linux/bpf.h> #include <bpf/bpf_helpers.h> SEC("lwt_xmit") int mac_repo(struct __sk_buff *skb) { return bpf_clone_redirect(skb, 100, 0); } $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \ bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10 Fixes: d342894 ("vxlan: virtual extensible lan") Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/ Signed-off-by: Ido Schimmel <idosch@nvidia.com> Signed-off-by: NipaLocal <nipa@local>
kuba-moo
pushed a commit
to linux-netdev/testing
that referenced
this pull request
Dec 17, 2024
The VXLAN driver does not verify that transmitted packets have an Ethernet header in the linear part of the skb, which can result in the driver accessing uninitialized memory while processing the Ethernet header [1]. Issue can be reproduced using [2]. Fix by checking that we can pull the Ethernet header into the linear part of the skb. Note that the driver can transmit IP packets, but this is handled earlier in the xmit path. [1] CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G B 6.12.0-rc7-custom-g10d3437464d3 torvalds#232 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 ===================================================== ===================================================== BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450 __vxlan_find_mac+0x449/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: __vxlan_find_mac+0x442/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: kmem_cache_alloc_node_noprof+0x4a8/0x9e0 kmalloc_reserve+0xd1/0x420 pskb_expand_head+0x1b4/0x15f0 skb_ensure_writable+0x2ee/0x390 bpf_clone_redirect+0x16a/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 [2] $ cat mac_repo.bpf.c // SPDX-License-Identifier: GPL-2.0 #include <linux/bpf.h> #include <bpf/bpf_helpers.h> SEC("lwt_xmit") int mac_repo(struct __sk_buff *skb) { return bpf_clone_redirect(skb, 100, 0); } $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \ bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10 Fixes: d342894 ("vxlan: virtual extensible lan") Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/ Signed-off-by: Ido Schimmel <idosch@nvidia.com> Signed-off-by: NipaLocal <nipa@local>
kuba-moo
pushed a commit
to linux-netdev/testing
that referenced
this pull request
Dec 17, 2024
The VXLAN driver does not verify that transmitted packets have an Ethernet header in the linear part of the skb, which can result in the driver accessing uninitialized memory while processing the Ethernet header [1]. Issue can be reproduced using [2]. Fix by checking that we can pull the Ethernet header into the linear part of the skb. Note that the driver can transmit IP packets, but this is handled earlier in the xmit path. [1] CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G B 6.12.0-rc7-custom-g10d3437464d3 torvalds#232 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 ===================================================== ===================================================== BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450 __vxlan_find_mac+0x449/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: __vxlan_find_mac+0x442/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: kmem_cache_alloc_node_noprof+0x4a8/0x9e0 kmalloc_reserve+0xd1/0x420 pskb_expand_head+0x1b4/0x15f0 skb_ensure_writable+0x2ee/0x390 bpf_clone_redirect+0x16a/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 [2] $ cat mac_repo.bpf.c // SPDX-License-Identifier: GPL-2.0 #include <linux/bpf.h> #include <bpf/bpf_helpers.h> SEC("lwt_xmit") int mac_repo(struct __sk_buff *skb) { return bpf_clone_redirect(skb, 100, 0); } $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \ bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10 Fixes: d342894 ("vxlan: virtual extensible lan") Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/ Signed-off-by: Ido Schimmel <idosch@nvidia.com> Signed-off-by: NipaLocal <nipa@local>
kuba-moo
pushed a commit
to linux-netdev/testing
that referenced
this pull request
Dec 17, 2024
The VXLAN driver does not verify that transmitted packets have an Ethernet header in the linear part of the skb, which can result in the driver accessing uninitialized memory while processing the Ethernet header [1]. Issue can be reproduced using [2]. Fix by checking that we can pull the Ethernet header into the linear part of the skb. Note that the driver can transmit IP packets, but this is handled earlier in the xmit path. [1] CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G B 6.12.0-rc7-custom-g10d3437464d3 torvalds#232 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 ===================================================== ===================================================== BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450 __vxlan_find_mac+0x449/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: __vxlan_find_mac+0x442/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: kmem_cache_alloc_node_noprof+0x4a8/0x9e0 kmalloc_reserve+0xd1/0x420 pskb_expand_head+0x1b4/0x15f0 skb_ensure_writable+0x2ee/0x390 bpf_clone_redirect+0x16a/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 [2] $ cat mac_repo.bpf.c // SPDX-License-Identifier: GPL-2.0 #include <linux/bpf.h> #include <bpf/bpf_helpers.h> SEC("lwt_xmit") int mac_repo(struct __sk_buff *skb) { return bpf_clone_redirect(skb, 100, 0); } $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \ bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10 Fixes: d342894 ("vxlan: virtual extensible lan") Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/ Signed-off-by: Ido Schimmel <idosch@nvidia.com> Signed-off-by: NipaLocal <nipa@local>
kuba-moo
pushed a commit
to linux-netdev/testing
that referenced
this pull request
Dec 18, 2024
The VXLAN driver does not verify that transmitted packets have an Ethernet header in the linear part of the skb, which can result in the driver accessing uninitialized memory while processing the Ethernet header [1]. Issue can be reproduced using [2]. Fix by checking that we can pull the Ethernet header into the linear part of the skb. Note that the driver can transmit IP packets, but this is handled earlier in the xmit path. [1] CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G B 6.12.0-rc7-custom-g10d3437464d3 torvalds#232 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 ===================================================== ===================================================== BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450 __vxlan_find_mac+0x449/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: __vxlan_find_mac+0x442/0x450 vxlan_xmit+0x1265/0x2f70 dev_hard_start_xmit+0x239/0x7e0 __dev_queue_xmit+0x2d65/0x45e0 __bpf_redirect+0x6d2/0xf60 bpf_clone_redirect+0x2c7/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: kmem_cache_alloc_node_noprof+0x4a8/0x9e0 kmalloc_reserve+0xd1/0x420 pskb_expand_head+0x1b4/0x15f0 skb_ensure_writable+0x2ee/0x390 bpf_clone_redirect+0x16a/0x450 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22 bpf_test_run+0x60f/0xca0 bpf_prog_test_run_skb+0x115d/0x2300 bpf_prog_test_run+0x3b3/0x5c0 __sys_bpf+0x501/0xc60 __x64_sys_bpf+0xa8/0xf0 do_syscall_64+0xd9/0x1b0 [2] $ cat mac_repo.bpf.c // SPDX-License-Identifier: GPL-2.0 #include <linux/bpf.h> #include <bpf/bpf_helpers.h> SEC("lwt_xmit") int mac_repo(struct __sk_buff *skb) { return bpf_clone_redirect(skb, 100, 0); } $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \ bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10 Fixes: d342894 ("vxlan: virtual extensible lan") Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/ Signed-off-by: Ido Schimmel <idosch@nvidia.com> Signed-off-by: NipaLocal <nipa@local>
This pull request was closed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi Linus,
The following changes since commit 527e931:
Linux 4.4-rc4 (2015-12-06 15:43:12 -0800)
are available in the git repository at:
https://github.com/jeffmerkey/linux/tree/fixes-for-linus
hw_breakpoint.c: fix INT1 recursion and system hard hang.
Fixes a 13 year old bug in the int1 handler path that results in a
hard system lockup is someone triggers an int1 breakpoint in the
hardware and no perf event has been registered. Prints a log message
and sets the resume flag in x86 and x86_64 to prevent the system from
locking up and gracefully prints a rate limited message.