Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix int1 recursion and hard system lockup #232

Closed
wants to merge 37 commits into from
Closed

Fix int1 recursion and hard system lockup #232

wants to merge 37 commits into from

Conversation

ghost
Copy link

@ghost ghost commented Dec 13, 2015

Hi Linus,

The following changes since commit 527e931:

Linux 4.4-rc4 (2015-12-06 15:43:12 -0800)

are available in the git repository at:

https://github.com/jeffmerkey/linux/tree/fixes-for-linus

hw_breakpoint.c: fix INT1 recursion and system hard hang.

Fixes a 13 year old bug in the int1 handler path that results in a
hard system lockup is someone triggers an int1 breakpoint in the
hardware and no perf event has been registered. Prints a log message
and sets the resume flag in x86 and x86_64 to prevent the system from
locking up and gracefully prints a rate limited message.

borkmann added a commit to cilium/linux that referenced this pull request Jul 10, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API:

  # ./vmtest.sh -- ./test_progs -t tc_links
  [...]
  torvalds#225     tc_links_after:OK
  torvalds#226     tc_links_append:OK
  torvalds#227     tc_links_basic:OK
  torvalds#228     tc_links_before:OK
  torvalds#229     tc_links_chain_classic:OK
  torvalds#230     tc_links_dev_cleanup:OK
  torvalds#231     tc_links_invalid:OK
  torvalds#232     tc_links_prepend:OK
  torvalds#233     tc_links_replace:OK
  torvalds#234     tc_links_revision:OK
  Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Jul 11, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API:

  # ./vmtest.sh -- ./test_progs -t tc_links
  [...]
  torvalds#225     tc_links_after:OK
  torvalds#226     tc_links_append:OK
  torvalds#227     tc_links_basic:OK
  torvalds#228     tc_links_before:OK
  torvalds#229     tc_links_chain_classic:OK
  torvalds#230     tc_links_dev_cleanup:OK
  torvalds#231     tc_links_invalid:OK
  torvalds#232     tc_links_prepend:OK
  torvalds#233     tc_links_replace:OK
  torvalds#234     tc_links_revision:OK
  Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Jul 11, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API:

  # ./vmtest.sh -- ./test_progs -t tc_links
  [...]
  torvalds#225     tc_links_after:OK
  torvalds#226     tc_links_append:OK
  torvalds#227     tc_links_basic:OK
  torvalds#228     tc_links_before:OK
  torvalds#229     tc_links_chain_classic:OK
  torvalds#230     tc_links_dev_cleanup:OK
  torvalds#231     tc_links_invalid:OK
  torvalds#232     tc_links_prepend:OK
  torvalds#233     tc_links_replace:OK
  torvalds#234     tc_links_revision:OK
  Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Jul 11, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API:

  # ./vmtest.sh -- ./test_progs -t tc_links
  [...]
  torvalds#225     tc_links_after:OK
  torvalds#226     tc_links_append:OK
  torvalds#227     tc_links_basic:OK
  torvalds#228     tc_links_before:OK
  torvalds#229     tc_links_chain_classic:OK
  torvalds#230     tc_links_dev_cleanup:OK
  torvalds#231     tc_links_invalid:OK
  torvalds#232     tc_links_prepend:OK
  torvalds#233     tc_links_replace:OK
  torvalds#234     tc_links_revision:OK
  Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Jul 12, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API:

  # ./vmtest.sh -- ./test_progs -t tc_links
  [...]
  torvalds#225     tc_links_after:OK
  torvalds#226     tc_links_append:OK
  torvalds#227     tc_links_basic:OK
  torvalds#228     tc_links_before:OK
  torvalds#229     tc_links_chain_classic:OK
  torvalds#230     tc_links_dev_cleanup:OK
  torvalds#231     tc_links_invalid:OK
  torvalds#232     tc_links_prepend:OK
  torvalds#233     tc_links_replace:OK
  torvalds#234     tc_links_revision:OK
  Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Jul 13, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API:

  # ./vmtest.sh -- ./test_progs -t tc_links
  [...]
  torvalds#225     tc_links_after:OK
  torvalds#226     tc_links_append:OK
  torvalds#227     tc_links_basic:OK
  torvalds#228     tc_links_before:OK
  torvalds#229     tc_links_chain_classic:OK
  torvalds#230     tc_links_dev_cleanup:OK
  torvalds#231     tc_links_invalid:OK
  torvalds#232     tc_links_prepend:OK
  torvalds#233     tc_links_replace:OK
  torvalds#234     tc_links_revision:OK
  Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Jul 13, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API:

  # ./vmtest.sh -- ./test_progs -t tc_links
  [...]
  torvalds#225     tc_links_after:OK
  torvalds#226     tc_links_append:OK
  torvalds#227     tc_links_basic:OK
  torvalds#228     tc_links_before:OK
  torvalds#229     tc_links_chain_classic:OK
  torvalds#230     tc_links_dev_cleanup:OK
  torvalds#231     tc_links_invalid:OK
  torvalds#232     tc_links_prepend:OK
  torvalds#233     tc_links_replace:OK
  torvalds#234     tc_links_revision:OK
  Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Jul 13, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API:

  # ./vmtest.sh -- ./test_progs -t tc_links
  [...]
  torvalds#225     tc_links_after:OK
  torvalds#226     tc_links_append:OK
  torvalds#227     tc_links_basic:OK
  torvalds#228     tc_links_before:OK
  torvalds#229     tc_links_chain_classic:OK
  torvalds#230     tc_links_dev_cleanup:OK
  torvalds#231     tc_links_invalid:OK
  torvalds#232     tc_links_prepend:OK
  torvalds#233     tc_links_replace:OK
  torvalds#234     tc_links_revision:OK
  Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Jul 13, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API:

  # ./vmtest.sh -- ./test_progs -t tc_links
  [...]
  torvalds#225     tc_links_after:OK
  torvalds#226     tc_links_append:OK
  torvalds#227     tc_links_basic:OK
  torvalds#228     tc_links_before:OK
  torvalds#229     tc_links_chain_classic:OK
  torvalds#230     tc_links_dev_cleanup:OK
  torvalds#231     tc_links_invalid:OK
  torvalds#232     tc_links_prepend:OK
  torvalds#233     tc_links_replace:OK
  torvalds#234     tc_links_revision:OK
  Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Jul 14, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API:

  # ./vmtest.sh -- ./test_progs -t tc_links
  [...]
  torvalds#225     tc_links_after:OK
  torvalds#226     tc_links_append:OK
  torvalds#227     tc_links_basic:OK
  torvalds#228     tc_links_before:OK
  torvalds#229     tc_links_chain_classic:OK
  torvalds#230     tc_links_dev_cleanup:OK
  torvalds#231     tc_links_invalid:OK
  torvalds#232     tc_links_prepend:OK
  torvalds#233     tc_links_replace:OK
  torvalds#234     tc_links_revision:OK
  Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Jul 14, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API:

  # ./vmtest.sh -- ./test_progs -t tc_links
  [...]
  torvalds#225     tc_links_after:OK
  torvalds#226     tc_links_append:OK
  torvalds#227     tc_links_basic:OK
  torvalds#228     tc_links_before:OK
  torvalds#229     tc_links_chain_classic:OK
  torvalds#230     tc_links_dev_cleanup:OK
  torvalds#231     tc_links_invalid:OK
  torvalds#232     tc_links_prepend:OK
  torvalds#233     tc_links_replace:OK
  torvalds#234     tc_links_revision:OK
  Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Jul 14, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API:

  # ./vmtest.sh -- ./test_progs -t tc_links
  [...]
  torvalds#225     tc_links_after:OK
  torvalds#226     tc_links_append:OK
  torvalds#227     tc_links_basic:OK
  torvalds#228     tc_links_before:OK
  torvalds#229     tc_links_chain_classic:OK
  torvalds#230     tc_links_dev_cleanup:OK
  torvalds#231     tc_links_invalid:OK
  torvalds#232     tc_links_prepend:OK
  torvalds#233     tc_links_replace:OK
  torvalds#234     tc_links_revision:OK
  Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Jul 19, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API:

  # ./vmtest.sh -- ./test_progs -t tc_links
  [...]
  torvalds#225     tc_links_after:OK
  torvalds#226     tc_links_append:OK
  torvalds#227     tc_links_basic:OK
  torvalds#228     tc_links_before:OK
  torvalds#229     tc_links_chain_classic:OK
  torvalds#230     tc_links_dev_cleanup:OK
  torvalds#231     tc_links_invalid:OK
  torvalds#232     tc_links_prepend:OK
  torvalds#233     tc_links_replace:OK
  torvalds#234     tc_links_revision:OK
  Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Jul 19, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API:

  # ./vmtest.sh -- ./test_progs -t tc_links
  [...]
  torvalds#225     tc_links_after:OK
  torvalds#226     tc_links_append:OK
  torvalds#227     tc_links_basic:OK
  torvalds#228     tc_links_before:OK
  torvalds#229     tc_links_chain_classic:OK
  torvalds#230     tc_links_dev_cleanup:OK
  torvalds#231     tc_links_invalid:OK
  torvalds#232     tc_links_prepend:OK
  torvalds#233     tc_links_replace:OK
  torvalds#234     tc_links_revision:OK
  Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20230719140858.13224-9-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Aug 18, 2023
- Without prev commit

  $ tools/testing/selftests/bpf/test_progs --name=tc_bpf
  torvalds#232/1   tc_bpf/tc_bpf_root:OK
  test_tc_bpf_non_root:PASS:set_cap_bpf_cap_net_admin 0 nsec
  test_tc_bpf_non_root:PASS:disable_cap_sys_admin 0 nsec
  0: R1=ctx(off=0,imm=0) R10=fp0
  ; if ((long)(iph + 1) > (long)skb->data_end)
  0: (61) r2 = *(u32 *)(r1 +80)         ; R1=ctx(off=0,imm=0) R2_w=pkt_end(off=0,imm=0)
  ; struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr);
  1: (61) r1 = *(u32 *)(r1 +76)         ; R1_w=pkt(off=0,r=0,imm=0)
  ; if ((long)(iph + 1) > (long)skb->data_end)
  2: (07) r1 += 34                      ; R1_w=pkt(off=34,r=0,imm=0)
  3: (b4) w0 = 1                        ; R0_w=1
  4: (2d) if r1 > r2 goto pc+1
  R2 pointer comparison prohibited
  processed 5 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
  test_tc_bpf_non_root:FAIL:test_tc_bpf__open_and_load unexpected error: -13
  torvalds#233/2   tc_bpf_non_root:FAIL

- With prev commit

  $ tools/testing/selftests/bpf/test_progs --name=tc_bpf
  torvalds#232/1   tc_bpf/tc_bpf_root:OK
  torvalds#232/2   tc_bpf/tc_bpf_non_root:OK
  torvalds#232     tc_bpf:OK
  Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Aug 23, 2023
- Without prev commit

  $ tools/testing/selftests/bpf/test_progs --name=tc_bpf
  torvalds#232/1   tc_bpf/tc_bpf_root:OK
  test_tc_bpf_non_root:PASS:set_cap_bpf_cap_net_admin 0 nsec
  test_tc_bpf_non_root:PASS:disable_cap_sys_admin 0 nsec
  0: R1=ctx(off=0,imm=0) R10=fp0
  ; if ((long)(iph + 1) > (long)skb->data_end)
  0: (61) r2 = *(u32 *)(r1 +80)         ; R1=ctx(off=0,imm=0) R2_w=pkt_end(off=0,imm=0)
  ; struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr);
  1: (61) r1 = *(u32 *)(r1 +76)         ; R1_w=pkt(off=0,r=0,imm=0)
  ; if ((long)(iph + 1) > (long)skb->data_end)
  2: (07) r1 += 34                      ; R1_w=pkt(off=34,r=0,imm=0)
  3: (b4) w0 = 1                        ; R0_w=1
  4: (2d) if r1 > r2 goto pc+1
  R2 pointer comparison prohibited
  processed 5 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
  test_tc_bpf_non_root:FAIL:test_tc_bpf__open_and_load unexpected error: -13
  torvalds#233/2   tc_bpf_non_root:FAIL

- With prev commit

  $ tools/testing/selftests/bpf/test_progs --name=tc_bpf
  torvalds#232/1   tc_bpf/tc_bpf_root:OK
  torvalds#232/2   tc_bpf/tc_bpf_non_root:OK
  torvalds#232     tc_bpf:OK
  Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Aug 23, 2023
- Without prev commit

  $ tools/testing/selftests/bpf/test_progs --name=tc_bpf
  torvalds#232/1   tc_bpf/tc_bpf_root:OK
  test_tc_bpf_non_root:PASS:set_cap_bpf_cap_net_admin 0 nsec
  test_tc_bpf_non_root:PASS:disable_cap_sys_admin 0 nsec
  0: R1=ctx(off=0,imm=0) R10=fp0
  ; if ((long)(iph + 1) > (long)skb->data_end)
  0: (61) r2 = *(u32 *)(r1 +80)         ; R1=ctx(off=0,imm=0) R2_w=pkt_end(off=0,imm=0)
  ; struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr);
  1: (61) r1 = *(u32 *)(r1 +76)         ; R1_w=pkt(off=0,r=0,imm=0)
  ; if ((long)(iph + 1) > (long)skb->data_end)
  2: (07) r1 += 34                      ; R1_w=pkt(off=34,r=0,imm=0)
  3: (b4) w0 = 1                        ; R0_w=1
  4: (2d) if r1 > r2 goto pc+1
  R2 pointer comparison prohibited
  processed 5 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
  test_tc_bpf_non_root:FAIL:test_tc_bpf__open_and_load unexpected error: -13
  torvalds#233/2   tc_bpf_non_root:FAIL

- With prev commit

  $ tools/testing/selftests/bpf/test_progs --name=tc_bpf
  torvalds#232/1   tc_bpf/tc_bpf_root:OK
  torvalds#232/2   tc_bpf/tc_bpf_non_root:OK
  torvalds#232     tc_bpf:OK
  Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
Link: https://lore.kernel.org/r/20230823020703.3790-3-laoar.shao@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
jonhunter pushed a commit to jonhunter/linux that referenced this pull request Mar 5, 2024
The fast-path timer delivery introduced a recursive locking deadlock
when userspace configures a timer which has already expired and is
delivered immediately. The call to kvm_xen_inject_timer_irqs() can
call to kvm_xen_set_evtchn() which may take kvm->arch.xen.xen_lock,
which is already held in kvm_xen_vcpu_get_attr().

 ============================================
 WARNING: possible recursive locking detected
 6.8.0-smp--5e10b4d51d77-drs torvalds#232 Tainted: G           O
 --------------------------------------------
 xen_shinfo_test/250013 is trying to acquire lock:
 ffff938c9930cc30 (&kvm->arch.xen.xen_lock){+.+.}-{3:3}, at: kvm_xen_set_evtchn+0x74/0x170 [kvm]

 but task is already holding lock:
 ffff938c9930cc30 (&kvm->arch.xen.xen_lock){+.+.}-{3:3}, at: kvm_xen_vcpu_get_attr+0x38/0x250 [kvm]

Now that the gfn_to_pfn_cache has its own self-sufficient locking, its
callers no longer need to ensure serialization, so just stop taking
kvm->arch.xen.xen_lock from kvm_xen_set_evtchn().

Fixes: 77c9b9d ("KVM: x86/xen: Use fast path for Xen timer delivery")
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Reviewed-by: Paul Durrant <paul@xen.org>
Link: https://lore.kernel.org/r/20240227115648.3104-6-dwmw2@infradead.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
kuba-moo pushed a commit to linux-netdev/testing that referenced this pull request Dec 16, 2024
The VXLAN driver does not verify that transmitted packets have an
Ethernet header in the linear part of the skb, which can result in the
driver accessing uninitialized memory while processing the Ethernet
header [1]. Issue can be reproduced using [2].

Fix by checking that we can pull the Ethernet header into the linear
part of the skb. Note that the driver can transmit IP packets, but this
is handled earlier in the xmit path.

[1]
CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G    B              6.12.0-rc7-custom-g10d3437464d3 torvalds#232
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
=====================================================
=====================================================
BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450
 __vxlan_find_mac+0x449/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 __vxlan_find_mac+0x442/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 kmem_cache_alloc_node_noprof+0x4a8/0x9e0
 kmalloc_reserve+0xd1/0x420
 pskb_expand_head+0x1b4/0x15f0
 skb_ensure_writable+0x2ee/0x390
 bpf_clone_redirect+0x16a/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0

[2]
 $ cat mac_repo.bpf.c
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>

 SEC("lwt_xmit")
 int mac_repo(struct __sk_buff *skb)
 {
         return bpf_clone_redirect(skb, 100, 0);
 }

 $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o

 # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1

 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo

 # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \
	bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10

Fixes: d342894 ("vxlan: virtual extensible lan")
Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: NipaLocal <nipa@local>
kuba-moo pushed a commit to linux-netdev/testing that referenced this pull request Dec 16, 2024
The VXLAN driver does not verify that transmitted packets have an
Ethernet header in the linear part of the skb, which can result in the
driver accessing uninitialized memory while processing the Ethernet
header [1]. Issue can be reproduced using [2].

Fix by checking that we can pull the Ethernet header into the linear
part of the skb. Note that the driver can transmit IP packets, but this
is handled earlier in the xmit path.

[1]
CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G    B              6.12.0-rc7-custom-g10d3437464d3 torvalds#232
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
=====================================================
=====================================================
BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450
 __vxlan_find_mac+0x449/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 __vxlan_find_mac+0x442/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 kmem_cache_alloc_node_noprof+0x4a8/0x9e0
 kmalloc_reserve+0xd1/0x420
 pskb_expand_head+0x1b4/0x15f0
 skb_ensure_writable+0x2ee/0x390
 bpf_clone_redirect+0x16a/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0

[2]
 $ cat mac_repo.bpf.c
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>

 SEC("lwt_xmit")
 int mac_repo(struct __sk_buff *skb)
 {
         return bpf_clone_redirect(skb, 100, 0);
 }

 $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o

 # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1

 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo

 # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \
	bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10

Fixes: d342894 ("vxlan: virtual extensible lan")
Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: NipaLocal <nipa@local>
kuba-moo pushed a commit to linux-netdev/testing that referenced this pull request Dec 16, 2024
The VXLAN driver does not verify that transmitted packets have an
Ethernet header in the linear part of the skb, which can result in the
driver accessing uninitialized memory while processing the Ethernet
header [1]. Issue can be reproduced using [2].

Fix by checking that we can pull the Ethernet header into the linear
part of the skb. Note that the driver can transmit IP packets, but this
is handled earlier in the xmit path.

[1]
CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G    B              6.12.0-rc7-custom-g10d3437464d3 torvalds#232
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
=====================================================
=====================================================
BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450
 __vxlan_find_mac+0x449/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 __vxlan_find_mac+0x442/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 kmem_cache_alloc_node_noprof+0x4a8/0x9e0
 kmalloc_reserve+0xd1/0x420
 pskb_expand_head+0x1b4/0x15f0
 skb_ensure_writable+0x2ee/0x390
 bpf_clone_redirect+0x16a/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0

[2]
 $ cat mac_repo.bpf.c
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>

 SEC("lwt_xmit")
 int mac_repo(struct __sk_buff *skb)
 {
         return bpf_clone_redirect(skb, 100, 0);
 }

 $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o

 # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1

 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo

 # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \
	bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10

Fixes: d342894 ("vxlan: virtual extensible lan")
Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: NipaLocal <nipa@local>
kuba-moo pushed a commit to linux-netdev/testing that referenced this pull request Dec 17, 2024
The VXLAN driver does not verify that transmitted packets have an
Ethernet header in the linear part of the skb, which can result in the
driver accessing uninitialized memory while processing the Ethernet
header [1]. Issue can be reproduced using [2].

Fix by checking that we can pull the Ethernet header into the linear
part of the skb. Note that the driver can transmit IP packets, but this
is handled earlier in the xmit path.

[1]
CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G    B              6.12.0-rc7-custom-g10d3437464d3 torvalds#232
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
=====================================================
=====================================================
BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450
 __vxlan_find_mac+0x449/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 __vxlan_find_mac+0x442/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 kmem_cache_alloc_node_noprof+0x4a8/0x9e0
 kmalloc_reserve+0xd1/0x420
 pskb_expand_head+0x1b4/0x15f0
 skb_ensure_writable+0x2ee/0x390
 bpf_clone_redirect+0x16a/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0

[2]
 $ cat mac_repo.bpf.c
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>

 SEC("lwt_xmit")
 int mac_repo(struct __sk_buff *skb)
 {
         return bpf_clone_redirect(skb, 100, 0);
 }

 $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o

 # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1

 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo

 # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \
	bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10

Fixes: d342894 ("vxlan: virtual extensible lan")
Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: NipaLocal <nipa@local>
kuba-moo pushed a commit to linux-netdev/testing that referenced this pull request Dec 17, 2024
The VXLAN driver does not verify that transmitted packets have an
Ethernet header in the linear part of the skb, which can result in the
driver accessing uninitialized memory while processing the Ethernet
header [1]. Issue can be reproduced using [2].

Fix by checking that we can pull the Ethernet header into the linear
part of the skb. Note that the driver can transmit IP packets, but this
is handled earlier in the xmit path.

[1]
CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G    B              6.12.0-rc7-custom-g10d3437464d3 torvalds#232
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
=====================================================
=====================================================
BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450
 __vxlan_find_mac+0x449/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 __vxlan_find_mac+0x442/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 kmem_cache_alloc_node_noprof+0x4a8/0x9e0
 kmalloc_reserve+0xd1/0x420
 pskb_expand_head+0x1b4/0x15f0
 skb_ensure_writable+0x2ee/0x390
 bpf_clone_redirect+0x16a/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0

[2]
 $ cat mac_repo.bpf.c
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>

 SEC("lwt_xmit")
 int mac_repo(struct __sk_buff *skb)
 {
         return bpf_clone_redirect(skb, 100, 0);
 }

 $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o

 # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1

 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo

 # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \
	bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10

Fixes: d342894 ("vxlan: virtual extensible lan")
Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: NipaLocal <nipa@local>
kuba-moo pushed a commit to linux-netdev/testing that referenced this pull request Dec 17, 2024
The VXLAN driver does not verify that transmitted packets have an
Ethernet header in the linear part of the skb, which can result in the
driver accessing uninitialized memory while processing the Ethernet
header [1]. Issue can be reproduced using [2].

Fix by checking that we can pull the Ethernet header into the linear
part of the skb. Note that the driver can transmit IP packets, but this
is handled earlier in the xmit path.

[1]
CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G    B              6.12.0-rc7-custom-g10d3437464d3 torvalds#232
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
=====================================================
=====================================================
BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450
 __vxlan_find_mac+0x449/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 __vxlan_find_mac+0x442/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 kmem_cache_alloc_node_noprof+0x4a8/0x9e0
 kmalloc_reserve+0xd1/0x420
 pskb_expand_head+0x1b4/0x15f0
 skb_ensure_writable+0x2ee/0x390
 bpf_clone_redirect+0x16a/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0

[2]
 $ cat mac_repo.bpf.c
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>

 SEC("lwt_xmit")
 int mac_repo(struct __sk_buff *skb)
 {
         return bpf_clone_redirect(skb, 100, 0);
 }

 $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o

 # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1

 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo

 # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \
	bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10

Fixes: d342894 ("vxlan: virtual extensible lan")
Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: NipaLocal <nipa@local>
kuba-moo pushed a commit to linux-netdev/testing that referenced this pull request Dec 17, 2024
The VXLAN driver does not verify that transmitted packets have an
Ethernet header in the linear part of the skb, which can result in the
driver accessing uninitialized memory while processing the Ethernet
header [1]. Issue can be reproduced using [2].

Fix by checking that we can pull the Ethernet header into the linear
part of the skb. Note that the driver can transmit IP packets, but this
is handled earlier in the xmit path.

[1]
CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G    B              6.12.0-rc7-custom-g10d3437464d3 torvalds#232
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
=====================================================
=====================================================
BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450
 __vxlan_find_mac+0x449/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 __vxlan_find_mac+0x442/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 kmem_cache_alloc_node_noprof+0x4a8/0x9e0
 kmalloc_reserve+0xd1/0x420
 pskb_expand_head+0x1b4/0x15f0
 skb_ensure_writable+0x2ee/0x390
 bpf_clone_redirect+0x16a/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0

[2]
 $ cat mac_repo.bpf.c
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>

 SEC("lwt_xmit")
 int mac_repo(struct __sk_buff *skb)
 {
         return bpf_clone_redirect(skb, 100, 0);
 }

 $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o

 # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1

 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo

 # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \
	bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10

Fixes: d342894 ("vxlan: virtual extensible lan")
Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: NipaLocal <nipa@local>
kuba-moo pushed a commit to linux-netdev/testing that referenced this pull request Dec 17, 2024
The VXLAN driver does not verify that transmitted packets have an
Ethernet header in the linear part of the skb, which can result in the
driver accessing uninitialized memory while processing the Ethernet
header [1]. Issue can be reproduced using [2].

Fix by checking that we can pull the Ethernet header into the linear
part of the skb. Note that the driver can transmit IP packets, but this
is handled earlier in the xmit path.

[1]
CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G    B              6.12.0-rc7-custom-g10d3437464d3 torvalds#232
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
=====================================================
=====================================================
BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450
 __vxlan_find_mac+0x449/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 __vxlan_find_mac+0x442/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 kmem_cache_alloc_node_noprof+0x4a8/0x9e0
 kmalloc_reserve+0xd1/0x420
 pskb_expand_head+0x1b4/0x15f0
 skb_ensure_writable+0x2ee/0x390
 bpf_clone_redirect+0x16a/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0

[2]
 $ cat mac_repo.bpf.c
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>

 SEC("lwt_xmit")
 int mac_repo(struct __sk_buff *skb)
 {
         return bpf_clone_redirect(skb, 100, 0);
 }

 $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o

 # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1

 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo

 # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \
	bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10

Fixes: d342894 ("vxlan: virtual extensible lan")
Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: NipaLocal <nipa@local>
kuba-moo pushed a commit to linux-netdev/testing that referenced this pull request Dec 17, 2024
The VXLAN driver does not verify that transmitted packets have an
Ethernet header in the linear part of the skb, which can result in the
driver accessing uninitialized memory while processing the Ethernet
header [1]. Issue can be reproduced using [2].

Fix by checking that we can pull the Ethernet header into the linear
part of the skb. Note that the driver can transmit IP packets, but this
is handled earlier in the xmit path.

[1]
CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G    B              6.12.0-rc7-custom-g10d3437464d3 torvalds#232
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
=====================================================
=====================================================
BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450
 __vxlan_find_mac+0x449/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 __vxlan_find_mac+0x442/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 kmem_cache_alloc_node_noprof+0x4a8/0x9e0
 kmalloc_reserve+0xd1/0x420
 pskb_expand_head+0x1b4/0x15f0
 skb_ensure_writable+0x2ee/0x390
 bpf_clone_redirect+0x16a/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0

[2]
 $ cat mac_repo.bpf.c
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>

 SEC("lwt_xmit")
 int mac_repo(struct __sk_buff *skb)
 {
         return bpf_clone_redirect(skb, 100, 0);
 }

 $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o

 # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1

 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo

 # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \
	bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10

Fixes: d342894 ("vxlan: virtual extensible lan")
Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: NipaLocal <nipa@local>
kuba-moo pushed a commit to linux-netdev/testing that referenced this pull request Dec 17, 2024
The VXLAN driver does not verify that transmitted packets have an
Ethernet header in the linear part of the skb, which can result in the
driver accessing uninitialized memory while processing the Ethernet
header [1]. Issue can be reproduced using [2].

Fix by checking that we can pull the Ethernet header into the linear
part of the skb. Note that the driver can transmit IP packets, but this
is handled earlier in the xmit path.

[1]
CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G    B              6.12.0-rc7-custom-g10d3437464d3 torvalds#232
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
=====================================================
=====================================================
BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450
 __vxlan_find_mac+0x449/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 __vxlan_find_mac+0x442/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 kmem_cache_alloc_node_noprof+0x4a8/0x9e0
 kmalloc_reserve+0xd1/0x420
 pskb_expand_head+0x1b4/0x15f0
 skb_ensure_writable+0x2ee/0x390
 bpf_clone_redirect+0x16a/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0

[2]
 $ cat mac_repo.bpf.c
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>

 SEC("lwt_xmit")
 int mac_repo(struct __sk_buff *skb)
 {
         return bpf_clone_redirect(skb, 100, 0);
 }

 $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o

 # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1

 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo

 # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \
	bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10

Fixes: d342894 ("vxlan: virtual extensible lan")
Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: NipaLocal <nipa@local>
kuba-moo pushed a commit to linux-netdev/testing that referenced this pull request Dec 17, 2024
The VXLAN driver does not verify that transmitted packets have an
Ethernet header in the linear part of the skb, which can result in the
driver accessing uninitialized memory while processing the Ethernet
header [1]. Issue can be reproduced using [2].

Fix by checking that we can pull the Ethernet header into the linear
part of the skb. Note that the driver can transmit IP packets, but this
is handled earlier in the xmit path.

[1]
CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G    B              6.12.0-rc7-custom-g10d3437464d3 torvalds#232
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
=====================================================
=====================================================
BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450
 __vxlan_find_mac+0x449/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 __vxlan_find_mac+0x442/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 kmem_cache_alloc_node_noprof+0x4a8/0x9e0
 kmalloc_reserve+0xd1/0x420
 pskb_expand_head+0x1b4/0x15f0
 skb_ensure_writable+0x2ee/0x390
 bpf_clone_redirect+0x16a/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0

[2]
 $ cat mac_repo.bpf.c
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>

 SEC("lwt_xmit")
 int mac_repo(struct __sk_buff *skb)
 {
         return bpf_clone_redirect(skb, 100, 0);
 }

 $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o

 # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1

 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo

 # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \
	bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10

Fixes: d342894 ("vxlan: virtual extensible lan")
Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: NipaLocal <nipa@local>
kuba-moo pushed a commit to linux-netdev/testing that referenced this pull request Dec 18, 2024
The VXLAN driver does not verify that transmitted packets have an
Ethernet header in the linear part of the skb, which can result in the
driver accessing uninitialized memory while processing the Ethernet
header [1]. Issue can be reproduced using [2].

Fix by checking that we can pull the Ethernet header into the linear
part of the skb. Note that the driver can transmit IP packets, but this
is handled earlier in the xmit path.

[1]
CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G    B              6.12.0-rc7-custom-g10d3437464d3 torvalds#232
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
=====================================================
=====================================================
BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450
 __vxlan_find_mac+0x449/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 __vxlan_find_mac+0x442/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 kmem_cache_alloc_node_noprof+0x4a8/0x9e0
 kmalloc_reserve+0xd1/0x420
 pskb_expand_head+0x1b4/0x15f0
 skb_ensure_writable+0x2ee/0x390
 bpf_clone_redirect+0x16a/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0

[2]
 $ cat mac_repo.bpf.c
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>

 SEC("lwt_xmit")
 int mac_repo(struct __sk_buff *skb)
 {
         return bpf_clone_redirect(skb, 100, 0);
 }

 $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o

 # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1

 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo

 # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \
	bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10

Fixes: d342894 ("vxlan: virtual extensible lan")
Reported-by: syzbot+35e7e2811bbe5777b20e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6735d39a.050a0220.1324f8.0096.GAE@google.com/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: NipaLocal <nipa@local>
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant