For a device-bound BPF program with flag BPF_F_XDP_DEV_BOUND_ONLY,
if the device does not support offload, __bpf_prog_dev_bound_init()
creates a dummy bpf_offload_netdev struct with the .offdev field set to NULL.
This dummy struct might be reused for programs without this flag bound
to the same device. However, bpf_prog_offload_verifier_prep(), which uses
bpf_offload_netdev, assumes that the .offdev field cannot be NULL.

This bug was reported by syzbot in [1].

[1] https://lore.kernel.org/bpf/000000000000d97f3c060479c4f8@xxxxxxxxxx/

Eduard Zingerman (2):
  bpf: Avoid dummy bpf_offload_netdev in __bpf_prog_dev_bound_init
  selftests/bpf: Offloaded prog after non-offloaded should not cause BUG

 kernel/bpf/offload.c                          | 12 ++--
 .../bpf/prog_tests/xdp_dev_bound_only.c       | 58 +++++++++++++++++++
 2 files changed, 65 insertions(+), 5 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/xdp_dev_bound_only.c

--
2.41.0
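The reuse pattern described in the cover letter, as an added userspace model that is not code from the patch series or the kernel. Every struct and function name here is hypothetical, the `guarded` flag is one assumed way to reject the reuse, and `-EFAULT` stands in for the NULL dereference so the model can be run safely.

```c
#include <errno.h>
#include <stddef.h>

/* Userspace model only: every name below is hypothetical, not kernel code. */
struct offdev { int (*prepare)(void); };
struct netdev_entry { int ifindex; struct offdev *offdev; int used; };

static struct netdev_entry table[4];

static int prepare_ok(void) { return 0; }
static struct offdev real_offdev = { prepare_ok };   /* constructed sample */

static struct netdev_entry *find_entry(int ifindex)
{
    for (size_t i = 0; i < 4; i++)
        if (table[i].used && table[i].ifindex == ifindex)
            return &table[i];
    return NULL;
}

static struct netdev_entry *add_entry(int ifindex, struct offdev *od)
{
    for (size_t i = 0; i < 4; i++)
        if (!table[i].used) {
            table[i] = (struct netdev_entry){ ifindex, od, 1 };
            return &table[i];
        }
    return NULL;
}

/* dev_bound_only programs get a dummy entry (offdev == NULL) when the device
 * has none; offloaded programs reuse whatever entry exists for the device. */
static int bind_prog(int ifindex, int dev_bound_only, int guarded,
                     struct netdev_entry **out)
{
    struct netdev_entry *e = find_entry(ifindex);

    if (!dev_bound_only && (!e || (guarded && !e->offdev)))
        return -EINVAL;               /* guard: offload needs a real offdev */
    if (!e && !(e = add_entry(ifindex, NULL)))
        return -ENOMEM;
    *out = e;
    return 0;
}

/* Models the prep step; -EFAULT stands in for the NULL dereference. */
static int verifier_prep(const struct netdev_entry *e)
{
    return e->offdev ? e->offdev->prepare() : -EFAULT;
}
```

Binding a dev-bound-only program first and an offloaded one second on the same `ifindex` reproduces the ordering named in the selftest title; with `guarded` set, the second bind fails with `-EINVAL` instead of reaching the prep step.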