Re: [Syzkaller & bisect] There is general protection fault in bpf_prog_offload_verifier_prep in v6.6-rc1 kernel

On 9/14/23 8:46 PM, Pengfei Xu wrote:
> Hi Stanislav,
> 
> Greeting!
> 
> There is a general protection fault in bpf_prog_offload_verifier_prep in
> the v6.6-rc1 kernel.
> 
> All detailed info: https://github.com/xupengfe/syzkaller_logs/tree/main/230914_154711_bpf_prog_offload_verifier_prep
> Syzkaller reproduced code: https://github.com/xupengfe/syzkaller_logs/blob/main/230914_154711_bpf_prog_offload_verifier_prep/repro.c
> Syzkaller reproduced steps: https://github.com/xupengfe/syzkaller_logs/blob/main/230914_154711_bpf_prog_offload_verifier_prep/repro.prog
> Bisect info: https://github.com/xupengfe/syzkaller_logs/blob/main/230914_154711_bpf_prog_offload_verifier_prep/bisect_info.log
> Issue dmesg: https://github.com/xupengfe/syzkaller_logs/blob/main/230914_154711_bpf_prog_offload_verifier_prep/0bb80ecc33a8fb5a682236443c1e740d5c917d1d_dmesg.log
> bzImage: https://github.com/xupengfe/syzkaller_logs/raw/main/230914_154711_bpf_prog_offload_verifier_prep/bzImage_0bb80ecc33a8fb5a682236443c1e740d5c917d1d.tar.gz
> Kconfig: https://github.com/xupengfe/syzkaller_logs/blob/main/230914_154711_bpf_prog_offload_verifier_prep/kconfig_origin
> 
> Bisected and found the suspected commit is:
> 2b3486bc2d23 bpf: Introduce device-bound XDP programs

Thanks for the report.

It has just been fixed in the following commit in the bpf tree:

commit 1a49f4195d3498fe458a7f5ff7ec5385da70d92e
Author: Eduard Zingerman <eddyz87@xxxxxxxxx>
Date:   Mon Sep 11 17:55:37 2023

    bpf: Avoid dummy bpf_offload_netdev in __bpf_prog_dev_bound_init

    Fix for a bug observable under the following sequence of events:
    1. Create a network device that does not support XDP offload.
    2. Load a device bound XDP program with BPF_F_XDP_DEV_BOUND_ONLY flag
       (such programs are not offloaded).
    3. Load a device bound XDP program with zero flags
       (such programs are offloaded).

    At step (2) __bpf_prog_dev_bound_init() associates with device (1)
    a dummy bpf_offload_netdev struct with .offdev field set to NULL.
    At step (3) __bpf_prog_dev_bound_init() would reuse dummy struct
    allocated at step (2).
    However, downstream usage of the bpf_offload_netdev assumes that
    .offdev field can't be NULL, e.g. in bpf_prog_offload_verifier_prep().

    Adjust __bpf_prog_dev_bound_init() to require bpf_offload_netdev
    with non-NULL .offdev for offloaded BPF programs.

    Fixes: 2b3486bc2d23 ("bpf: Introduce device-bound XDP programs")
    Reported-by: syzbot+291100dcb32190ec02a8@xxxxxxxxxxxxxxxxxxxxxxxxx
    Closes: https://lore.kernel.org/bpf/000000000000d97f3c060479c4f8@xxxxxxxxxx/
    Signed-off-by: Eduard Zingerman <eddyz87@xxxxxxxxx>
    Link: https://lore.kernel.org/r/20230912005539.2248244-2-eddyz87@xxxxxxxxx
    Signed-off-by: Martin KaFai Lau <martin.lau@xxxxxxxxxx>
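
The three-step sequence in the commit message, as an added example that is not kernel code and not part of this thread: a small C model of the bpf_offload_netdev bookkeeping around __bpf_prog_dev_bound_init(), with the pre-fix and post-fix checks side by side. Struct layouts, the ops table and every helper name (find_ondev, add_ondev, driver_register, dev_bound_init, verifier_prep, run_sequence, run_offload_capable) are invented for the model, and the BPF_F_XDP_DEV_BOUND_ONLY value is assumed from the uapi header; the -EFAULT return stands in for the NULL dereference that the real kernel reports as a general protection fault.

```c
/*
 * Added example (not kernel code): model of the bpf_offload_netdev bookkeeping
 * around __bpf_prog_dev_bound_init(). A dummy entry with .offdev == NULL, left
 * behind by a BPF_F_XDP_DEV_BOUND_ONLY load, is reused by a later offloaded
 * load on the same device; the fix rejects that case. Layouts and names invented.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Flag bit as in include/uapi/linux/bpf.h (assumed value, copied for the model). */
#define BPF_F_XDP_DEV_BOUND_ONLY (1U << 6)

struct bpf_prog_offload_ops { int (*prepare)(void); };
struct bpf_offload_dev { const struct bpf_prog_offload_ops *ops; };
struct net_device { const char *name; };

/* One entry per netdev with device-bound or offloaded programs;
   offdev is NULL for the dummy created for a dev-bound-only program. */
struct bpf_offload_netdev {
	bool in_use;
	struct net_device *netdev;
	struct bpf_offload_dev *offdev;
};

struct bpf_prog_offload {
	struct net_device *netdev;
	struct bpf_offload_dev *offdev;
	bool offloaded;	/* prog_flags without BPF_F_XDP_DEV_BOUND_ONLY */
};

#define MAX_ONDEVS 4
static struct bpf_offload_netdev ondevs[MAX_ONDEVS];

static void model_reset(void) { memset(ondevs, 0, sizeof ondevs); }

static struct bpf_offload_netdev *find_ondev(const struct net_device *dev)
{
	for (int i = 0; i < MAX_ONDEVS; i++)
		if (ondevs[i].in_use && ondevs[i].netdev == dev)
			return &ondevs[i];
	return NULL;
}

static struct bpf_offload_netdev *add_ondev(struct net_device *dev, struct bpf_offload_dev *offdev)
{
	for (int i = 0; i < MAX_ONDEVS; i++)
		if (!ondevs[i].in_use) {
			ondevs[i] = (struct bpf_offload_netdev){ true, dev, offdev };
			return &ondevs[i];
		}
	return NULL;
}

/* A driver with real XDP offload registers its offdev when the netdev comes up. */
static int driver_register(struct net_device *dev, struct bpf_offload_dev *offdev)
{
	return add_ondev(dev, offdev) ? 0 : -ENOMEM;
}

/* Model of __bpf_prog_dev_bound_init(); `fixed` selects the pre- or post-fix check. */
static int dev_bound_init(struct bpf_prog_offload *off, struct net_device *dev,
			  unsigned int prog_flags, bool fixed)
{
	bool offloaded = !(prog_flags & BPF_F_XDP_DEV_BOUND_ONLY);
	struct bpf_offload_netdev *ondev = find_ondev(dev);

	if (fixed) {
		/* Fix: an offloaded program needs an entry with a real offdev;
		   the dummy left by a dev-bound-only load does not qualify. */
		if (offloaded && (!ondev || !ondev->offdev))
			return -EINVAL;
	} else if (offloaded && !ondev) {
		/* Bug: only "no entry at all" is rejected, so an existing
		   dummy (offdev == NULL) is silently reused at step 3. */
		return -EINVAL;
	}
	if (!ondev) {				/* dev-bound-only program, no offload */
		ondev = add_ondev(dev, NULL);	/* the dummy entry from step 2 */
		if (!ondev)
			return -ENOMEM;
	}
	off->netdev = dev;
	off->offdev = ondev->offdev;
	off->offloaded = offloaded;
	return 0;
}

/* Model of bpf_prog_offload_verifier_prep(): the kernel dereferences
   offload->offdev->ops unconditionally; -EFAULT here stands for the GPF. */
static int verifier_prep(const struct bpf_prog_offload *off)
{
	if (!off->offloaded)
		return 0;	/* dev-bound-only programs never reach the offload ops */
	if (!off->offdev)
		return -EFAULT;	/* NULL dereference in the real kernel */
	return off->offdev->ops->prepare();
}

static int prepare_ok(void) { return 0; }
static const struct bpf_prog_offload_ops ok_ops = { prepare_ok };
static struct bpf_offload_dev real_offdev = { &ok_ops };

/* Steps 1-3 of the commit message on a device with no XDP offload. */
static int run_sequence(bool fixed)
{
	struct net_device nic = { "eth_no_offload" };		/* step 1 */
	struct bpf_prog_offload bound = { 0 }, offl = { 0 };
	int err;

	model_reset();
	err = dev_bound_init(&bound, &nic, BPF_F_XDP_DEV_BOUND_ONLY, fixed);	/* step 2 */
	if (err)
		return err;
	err = dev_bound_init(&offl, &nic, 0, fixed);	/* step 3: fixed -> -EINVAL */
	if (err)
		return err;
	return verifier_prep(&offl);	/* buggy: -EFAULT (GPF in reality) */
}

/* Control: a device whose driver registered a real offdev still offloads. */
static int run_offload_capable(bool fixed)
{
	struct net_device nic = { "eth_offload" };
	struct bpf_prog_offload offl = { 0 };
	int err;

	model_reset();
	if ((err = driver_register(&nic, &real_offdev)))
		return err;
	if ((err = dev_bound_init(&offl, &nic, 0, fixed)))
		return err;
	return verifier_prep(&offl);
}

int main(void)
{
	printf("buggy : %d (-EFAULT is %d)\n", run_sequence(false), -EFAULT);
	printf("fixed : %d (-EINVAL is %d)\n", run_sequence(true), -EINVAL);
	printf("offload-capable device, fixed: %d\n", run_offload_capable(true));
	return 0;
}
```

The control case matters when reviewing the fix: the stricter condition `offloaded && (!ondev || !ondev->offdev)` only changes behaviour for a device whose only entry is the dummy, so a driver that registered a real offdev keeps offloading as before.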