"Yury Vostrikov" <mon@xxxxxxxxxxx> writes:

> Hi,
>
> I stumbled upon a NULL pointer dereference inside BPF code. The triggering condition is
> message from OOM killer + netconsole. The crash happens at
>
>         u32 kern_flags = bpf_net_ctx->ri.kern_flags;
>
> line of bpf_net_ctx_get_all_used_flush_lists() function. bpf_net_ctx is NULL here. With trivial fix
>
> diff --git a/include/linux/filter.h b/include/linux/filter.h
> index 7d7578a8eac1..cba16bf307f7 100644
> --- a/include/linux/filter.h
> +++ b/include/linux/filter.h
> @@ -844,6 +844,9 @@ static inline void bpf_net_ctx_get_all_used_flush_lists(struct list_head **lh_ma
>                                                           struct list_head **lh_xsk)
>  {
>         struct bpf_net_context *bpf_net_ctx = bpf_net_ctx_get();
> +       WARN_ON(bpf_net_ctx == NULL);
> +       if (bpf_net_ctx == NULL)
> +               return;
>         u32 kern_flags = bpf_net_ctx->ri.kern_flags;
>         struct list_head *lh;
>
> I get the following backtrace instead of crash:

[...]

> [  177.216474]  efx_poll+0x178/0x380 [sfc_siena]

Looks like the sfc driver is missing the context setup stuff entirely...

-Toke
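Review bot: The early return in this hunk papers over the real defect rather than fixing it. As the backtrace through efx_poll [sfc_siena] and the reply indicate, the context is NULL because the sfc driver never sets up a bpf_net_context around its poll path; silently returning from bpf_net_ctx_get_all_used_flush_lists() leaves whatever flush lists that path used unprocessed, so the proper fix belongs in the driver, with this guard at most as a defensive check. If a guard is kept, fold the two added lines into one, `if (WARN_ON_ONCE(!bpf_net_ctx)) return;`: WARN_ON followed by a separate `if` on the same condition is redundant, and since this runs from a NAPI poll loop, plain WARN_ON would emit a full warning splat on every poll iteration, which is exactly the kind of log storm that, combined with netconsole, the reporter already describes as the trigger. Finally, inserting statements ahead of `u32 kern_flags = ...` turns that line into a declaration after statements; move the added check below the existing declarations to match the surrounding style.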