Patch "bpf, test_run: Fix LIVE_FRAME frame update after a page has been recycled" has been added to the 6.11-stable tree

[Sasha Levin <sashal@xxxxxxxxxx>]

This is a note to let you know that I've just added the patch titled

    bpf, test_run: Fix LIVE_FRAME frame update after a page has been recycled

to the 6.11-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-test_run-fix-live_frame-frame-update-after-a-pag.patch
and it can be found in the queue-6.11 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 2d65f745d7d43c7170338fe80c8f89899aa6ba9d
Author: Toke Høiland-Jørgensen <toke@xxxxxxxxxx>
Date:   Wed Oct 30 11:48:26 2024 +0100

    bpf, test_run: Fix LIVE_FRAME frame update after a page has been recycled
    
    [ Upstream commit c40dd8c4732551605712985bc5b7045094c6458d ]
    
    The test_run code detects whether a page has been modified and
    re-initialises the xdp_frame structure if it has, using
    xdp_update_frame_from_buff(). However, xdp_update_frame_from_buff()
    doesn't touch frame->mem, so that wasn't correctly re-initialised, which
    led to the pages from page_pool not being returned correctly. Syzbot
    noticed this as a memory leak.
    
    Fix this by also copying the frame->mem structure when re-initialising
    the frame, like we do on initialisation of a new page from page_pool.
    
    Fixes: e5995bc7e2ba ("bpf, test_run: fix crashes due to XDP frame overwriting/corruption")
    Fixes: b530e9e1063e ("bpf: Add "live packet" mode for XDP in BPF_PROG_RUN")
    Reported-by: syzbot+d121e098da06af416d23@xxxxxxxxxxxxxxxxxxxxxxxxx
    Signed-off-by: Toke Høiland-Jørgensen <toke@xxxxxxxxxx>
    Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
    Tested-by: syzbot+d121e098da06af416d23@xxxxxxxxxxxxxxxxxxxxxxxxx
    Reviewed-by: Alexander Lobakin <aleksander.lobakin@xxxxxxxxx>
    Acked-by: Stanislav Fomichev <sdf@xxxxxxxxxxx>
    Link: https://lore.kernel.org/bpf/20241030-test-run-mem-fix-v1-1-41e88e8cae43@xxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 6d7a442ceb89b..501ec4249fedc 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -246,6 +246,7 @@ static void reset_ctx(struct xdp_page_head *head)
 	head->ctx.data_meta = head->orig_ctx.data_meta;
 	head->ctx.data_end = head->orig_ctx.data_end;
 	xdp_update_frame_from_buff(&head->ctx, head->frame);
+	head->frame->mem = head->orig_ctx.rxq->mem;
 }
 
 static int xdp_recv_frames(struct xdp_frame **frames, int nframes,