Re: Unchecked sock pointer causes panic in RAW_TP

Kuniyuki Iwashima <kuniyu@xxxxxxxxxx> · Fri, 31 Jan 2025 15:28:51 -0800

From: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
Date: Fri, 31 Jan 2025 14:38:38 -0800
> From: Yan Zhai <yan@xxxxxxxxxxxxxx>
> Date: Fri, 31 Jan 2025 12:32:57 -0800
> > Hello,
> > 
> > We encountered a panic when tracing kfree_skb with RAW_TP. The problematic
> > argument was introduced in commit ba8de796baf4 ("net: introduce
> > sk_skb_reason_drop function"). It turns out that the verifier still accepted
> > the program despite it didn't test sk == NULL. And this caused kernel panic. I
> > attached a small reproducer and panic trace at the end. It's stably
> > reproducible when packets are dropped without a receiver (e.g. run iperf2 UDP
> > test toward localhost), in both 6.12.11 release and a recent bpf-next master
> > snapshot (I was using commit c03320a6768c).
> > 
> > As a contrast, for another tracepoint like tcp_send_reset, if sk is not checked
> > before dereferencing, the verifier will complain and reject the program as
> > expected. So this feels like some annotation is missing? Appreciate if someone
> > could help me figure out.
> 
> Maybe __nullable is missing given we annotated skb for tcp_send_reset ?
> https://lore.kernel.org/netdev/20240911033719.91468-4-lulie@xxxxxxxxxxxxxxxxx/
> 
> completely untested:
> 
> ---8<---
> diff --git a/include/trace/events/skb.h b/include/trace/events/skb.h
> index b877133cd93a..34accc5929d6 100644
> --- a/include/trace/events/skb.h
> +++ b/include/trace/events/skb.h
> @@ -24,14 +24,14 @@ DEFINE_DROP_REASON(FN, FN)
>  TRACE_EVENT(kfree_skb,
>  
>  	TP_PROTO(struct sk_buff *skb, void *location,
> -		 enum skb_drop_reason reason, struct sock *rx_sk),
> +		 enum skb_drop_reason reason, struct sock *rx_sk__nullable),
>  
> -	TP_ARGS(skb, location, reason, rx_sk),
> +	TP_ARGS(skb, location, reason, rx_sk__nullable),
>  
>  	TP_STRUCT__entry(
>  		__field(void *,		skbaddr)
>  		__field(void *,		location)
> -		__field(void *,		rx_sk)
> +		__field(void *,		rx_sk__nullable)

This part is unnecessary.

>  		__field(unsigned short,	protocol)
>  		__field(enum skb_drop_reason,	reason)
>  	),
> @@ -39,7 +39,7 @@ TRACE_EVENT(kfree_skb,
>  	TP_fast_assign(
>  		__entry->skbaddr = skb;
>  		__entry->location = location;
> -		__entry->rx_sk = rx_sk;
> +		__entry->rx_sk = rx_sk__nullable;
>  		__entry->protocol = ntohs(skb->protocol);
>  		__entry->reason = reason;
>  	),
> ---8<---
> 