Fix int1 recursion and hard system lockup #232

Closed
wants to merge 37 commits into from

@ghost ghost commented Dec 13, 2015

Hi Linus,

The following changes since commit 527e931:

Linux 4.4-rc4 (2015-12-06 15:43:12 -0800)

are available in the git repository at:

https://github.com/jeffmerkey/linux/tree/fixes-for-linus

hw_breakpoint.c: fix INT1 recursion and system hard hang.

Fixes a 13 year old bug in the int1 handler path that results in a
hard system lockup if someone triggers an int1 breakpoint in the
hardware and no perf event has been registered. Prints a log message
and sets the resume flag in x86 and x86_64 to prevent the system from
locking up and gracefully prints a rate limited message.

borkmann added a commit to cilium/linux that referenced this pull request Jul 11, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API:

  # ./vmtest.sh -- ./test_progs -t tc_links
  [...]
  torvalds#225     tc_links_after:OK
  torvalds#226     tc_links_append:OK
  torvalds#227     tc_links_basic:OK
  torvalds#228     tc_links_before:OK
  torvalds#229     tc_links_chain_classic:OK
  torvalds#230     tc_links_dev_cleanup:OK
  torvalds#231     tc_links_invalid:OK
  torvalds#232     tc_links_prepend:OK
  torvalds#233     tc_links_replace:OK
  torvalds#234     tc_links_revision:OK
  Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Jul 19, 2023
Add a big batch of test coverage to assert all aspects of the tcx link API:

  # ./vmtest.sh -- ./test_progs -t tc_links
  [...]
  torvalds#225     tc_links_after:OK
  torvalds#226     tc_links_append:OK
  torvalds#227     tc_links_basic:OK
  torvalds#228     tc_links_before:OK
  torvalds#229     tc_links_chain_classic:OK
  torvalds#230     tc_links_dev_cleanup:OK
  torvalds#231     tc_links_invalid:OK
  torvalds#232     tc_links_prepend:OK
  torvalds#233     tc_links_replace:OK
  torvalds#234     tc_links_revision:OK
  Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Alexei Starovoitov <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Aug 18, 2023
- Without prev commit

  $ tools/testing/selftests/bpf/test_progs --name=tc_bpf
  torvalds#232/1   tc_bpf/tc_bpf_root:OK
  test_tc_bpf_non_root:PASS:set_cap_bpf_cap_net_admin 0 nsec
  test_tc_bpf_non_root:PASS:disable_cap_sys_admin 0 nsec
  0: R1=ctx(off=0,imm=0) R10=fp0
  ; if ((long)(iph + 1) > (long)skb->data_end)
  0: (61) r2 = *(u32 *)(r1 +80)         ; R1=ctx(off=0,imm=0) R2_w=pkt_end(off=0,imm=0)
  ; struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr);
  1: (61) r1 = *(u32 *)(r1 +76)         ; R1_w=pkt(off=0,r=0,imm=0)
  ; if ((long)(iph + 1) > (long)skb->data_end)
  2: (07) r1 += 34                      ; R1_w=pkt(off=34,r=0,imm=0)
  3: (b4) w0 = 1                        ; R0_w=1
  4: (2d) if r1 > r2 goto pc+1
  R2 pointer comparison prohibited
  processed 5 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
  test_tc_bpf_non_root:FAIL:test_tc_bpf__open_and_load unexpected error: -13
  torvalds#233/2   tc_bpf_non_root:FAIL

- With prev commit

  $ tools/testing/selftests/bpf/test_progs --name=tc_bpf
  torvalds#232/1   tc_bpf/tc_bpf_root:OK
  torvalds#232/2   tc_bpf/tc_bpf_non_root:OK
  torvalds#232     tc_bpf:OK
  Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Yafang Shao <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Aug 23, 2023
- Without prev commit

  $ tools/testing/selftests/bpf/test_progs --name=tc_bpf
  torvalds#232/1   tc_bpf/tc_bpf_root:OK
  test_tc_bpf_non_root:PASS:set_cap_bpf_cap_net_admin 0 nsec
  test_tc_bpf_non_root:PASS:disable_cap_sys_admin 0 nsec
  0: R1=ctx(off=0,imm=0) R10=fp0
  ; if ((long)(iph + 1) > (long)skb->data_end)
  0: (61) r2 = *(u32 *)(r1 +80)         ; R1=ctx(off=0,imm=0) R2_w=pkt_end(off=0,imm=0)
  ; struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr);
  1: (61) r1 = *(u32 *)(r1 +76)         ; R1_w=pkt(off=0,r=0,imm=0)
  ; if ((long)(iph + 1) > (long)skb->data_end)
  2: (07) r1 += 34                      ; R1_w=pkt(off=34,r=0,imm=0)
  3: (b4) w0 = 1                        ; R0_w=1
  4: (2d) if r1 > r2 goto pc+1
  R2 pointer comparison prohibited
  processed 5 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
  test_tc_bpf_non_root:FAIL:test_tc_bpf__open_and_load unexpected error: -13
  torvalds#233/2   tc_bpf_non_root:FAIL

- With prev commit

  $ tools/testing/selftests/bpf/test_progs --name=tc_bpf
  torvalds#232/1   tc_bpf/tc_bpf_root:OK
  torvalds#232/2   tc_bpf/tc_bpf_non_root:OK
  torvalds#232     tc_bpf:OK
  Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Yafang Shao <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Alexei Starovoitov <[email protected]>
jonhunter pushed a commit to jonhunter/linux that referenced this pull request Mar 5, 2024
The fast-path timer delivery introduced a recursive locking deadlock
when userspace configures a timer which has already expired and is
delivered immediately. The call to kvm_xen_inject_timer_irqs() can
call to kvm_xen_set_evtchn() which may take kvm->arch.xen.xen_lock,
which is already held in kvm_xen_vcpu_get_attr().

 ============================================
 WARNING: possible recursive locking detected
 6.8.0-smp--5e10b4d51d77-drs torvalds#232 Tainted: G           O
 --------------------------------------------
 xen_shinfo_test/250013 is trying to acquire lock:
 ffff938c9930cc30 (&kvm->arch.xen.xen_lock){+.+.}-{3:3}, at: kvm_xen_set_evtchn+0x74/0x170 [kvm]

 but task is already holding lock:
 ffff938c9930cc30 (&kvm->arch.xen.xen_lock){+.+.}-{3:3}, at: kvm_xen_vcpu_get_attr+0x38/0x250 [kvm]

Now that the gfn_to_pfn_cache has its own self-sufficient locking, its
callers no longer need to ensure serialization, so just stop taking
kvm->arch.xen.xen_lock from kvm_xen_set_evtchn().

Fixes: 77c9b9d ("KVM: x86/xen: Use fast path for Xen timer delivery")
Signed-off-by: David Woodhouse <[email protected]>
Reviewed-by: Paul Durrant <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Sean Christopherson <[email protected]>
kuba-moo pushed a commit to linux-netdev/testing that referenced this pull request Dec 16, 2024
The VXLAN driver does not verify that transmitted packets have an
Ethernet header in the linear part of the skb, which can result in the
driver accessing uninitialized memory while processing the Ethernet
header [1]. Issue can be reproduced using [2].

Fix by checking that we can pull the Ethernet header into the linear
part of the skb. Note that the driver can transmit IP packets, but this
is handled earlier in the xmit path.

[1]
CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G    B              6.12.0-rc7-custom-g10d3437464d3 torvalds#232
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
=====================================================
=====================================================
BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450
 __vxlan_find_mac+0x449/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 __vxlan_find_mac+0x442/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 kmem_cache_alloc_node_noprof+0x4a8/0x9e0
 kmalloc_reserve+0xd1/0x420
 pskb_expand_head+0x1b4/0x15f0
 skb_ensure_writable+0x2ee/0x390
 bpf_clone_redirect+0x16a/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0

[2]
 $ cat mac_repo.bpf.c
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>

 SEC("lwt_xmit")
 int mac_repo(struct __sk_buff *skb)
 {
         return bpf_clone_redirect(skb, 100, 0);
 }

 $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o

 # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1

 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo

 # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \
	bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10

Fixes: d342894 ("vxlan: virtual extensible lan")
Reported-by: [email protected]
Closes: https://lore.kernel.org/netdev/[email protected]/
Signed-off-by: Ido Schimmel <[email protected]>
Signed-off-by: NipaLocal <nipa@local>
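
The check that the VXLAN commit message above describes, as an added userspace model in C (not the kernel patch and not code from this page). `toy_skb` and every `toy_*` and `demo_*` name are hypothetical, the frame bytes are constructed, and the 0xAA fill stands in for uninitialized memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14   /* dst MAC (6) + src MAC (6) + EtherType (2) */
#define ETH_ALEN 6
#define POISON   0xAA /* stand-in for uninitialized linear memory */

/* Toy packet buffer: a linear area plus one non-linear fragment.
 * Hypothetical model for illustration, not the kernel's struct sk_buff. */
struct toy_skb {
    uint8_t head[64];     /* linear area the driver reads directly */
    size_t headlen;       /* number of valid bytes in head[] */
    const uint8_t *frag;  /* remaining packet data, not yet linear */
    size_t fraglen;
};

/* Build a packet with only the first `linear` bytes in the linear area. */
static void toy_init(struct toy_skb *skb, const uint8_t *data, size_t len, size_t linear)
{
    memset(skb->head, POISON, sizeof(skb->head));
    if (linear > len)
        linear = len;
    if (linear > sizeof(skb->head))
        linear = sizeof(skb->head);
    memcpy(skb->head, data, linear);
    skb->headlen = linear;
    skb->frag = data + linear;
    skb->fraglen = len - linear;
}

/* Make the first `len` bytes linear, or fail if the packet is too short. */
static bool toy_may_pull(struct toy_skb *skb, size_t len)
{
    size_t need;

    if (len <= skb->headlen)
        return true;
    if (len > skb->headlen + skb->fraglen || len > sizeof(skb->head))
        return false;
    need = len - skb->headlen;
    memcpy(skb->head + skb->headlen, skb->frag, need);
    skb->headlen += need;
    skb->frag += need;
    skb->fraglen -= need;
    return true;
}

/* Unchecked path: assumes the Ethernet header is already linear.
 * Returns how many destination-MAC bytes came from stale memory. */
static size_t toy_xmit_unchecked(const struct toy_skb *skb, uint8_t dst_mac[ETH_ALEN])
{
    memcpy(dst_mac, skb->head, ETH_ALEN);
    return skb->headlen >= ETH_ALEN ? 0 : ETH_ALEN - skb->headlen;
}

/* Checked path: drop unless the whole Ethernet header can be made linear. */
static bool toy_xmit_checked(struct toy_skb *skb, uint8_t dst_mac[ETH_ALEN])
{
    if (!toy_may_pull(skb, ETH_HLEN))
        return false; /* drop */
    memcpy(dst_mac, skb->head, ETH_ALEN);
    return true;
}

/* Constructed 20-byte frame: dst MAC, src MAC, EtherType 0x0800, 6 payload bytes. */
static const uint8_t frame[20] = {
    0x02, 0, 0, 0, 0, 0x01,  0x02, 0, 0, 0, 0, 0x02,  0x08, 0x00,
    'p', 'a', 'y', 'l', 'o', 'd'
};

int demo_unchecked_stale_bytes(void)
{
    struct toy_skb skb;
    uint8_t mac[ETH_ALEN];

    toy_init(&skb, frame, sizeof(frame), 4); /* only 4 bytes linear */
    return (int)toy_xmit_unchecked(&skb, mac);
}

int demo_checked_full_frame(void)
{
    struct toy_skb skb;
    uint8_t mac[ETH_ALEN];

    toy_init(&skb, frame, sizeof(frame), 4);
    return toy_xmit_checked(&skb, mac) && memcmp(mac, frame, ETH_ALEN) == 0;
}

int demo_checked_short_frame(void)
{
    struct toy_skb skb;
    uint8_t mac[ETH_ALEN];

    toy_init(&skb, frame, 10, 4); /* shorter than an Ethernet header */
    return !toy_xmit_checked(&skb, mac); /* 1 means the packet was dropped */
}

int main(void)
{
    printf("unchecked: %d stale MAC bytes\n", demo_unchecked_stale_bytes());
    printf("checked, full frame ok: %d\n", demo_checked_full_frame());
    printf("checked, short frame dropped: %d\n", demo_checked_short_frame());
    return 0;
}
```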
kuba-moo pushed a commit to linux-netdev/testing that referenced this pull request Dec 16, 2024
The VXLAN driver does not verify that transmitted packets have an
Ethernet header in the linear part of the skb, which can result in the
driver accessing uninitialized memory while processing the Ethernet
header [1]. Issue can be reproduced using [2].

Fix by checking that we can pull the Ethernet header into the linear
part of the skb. Note that the driver can transmit IP packets, but this
is handled earlier in the xmit path.

[1]
CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G    B              6.12.0-rc7-custom-g10d3437464d3 torvalds#232
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
=====================================================
=====================================================
BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450
 __vxlan_find_mac+0x449/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 __vxlan_find_mac+0x442/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 kmem_cache_alloc_node_noprof+0x4a8/0x9e0
 kmalloc_reserve+0xd1/0x420
 pskb_expand_head+0x1b4/0x15f0
 skb_ensure_writable+0x2ee/0x390
 bpf_clone_redirect+0x16a/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0

[2]
 $ cat mac_repo.bpf.c
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>

 SEC("lwt_xmit")
 int mac_repo(struct __sk_buff *skb)
 {
         return bpf_clone_redirect(skb, 100, 0);
 }

 $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o

 # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1

 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo

 # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \
	bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10

Fixes: d342894 ("vxlan: virtual extensible lan")
Reported-by: [email protected]
Closes: https://lore.kernel.org/netdev/[email protected]/
Signed-off-by: Ido Schimmel <[email protected]>
Signed-off-by: NipaLocal <nipa@local>
kuba-moo pushed a commit to linux-netdev/testing that referenced this pull request Dec 16, 2024
The VXLAN driver does not verify that transmitted packets have an
Ethernet header in the linear part of the skb, which can result in the
driver accessing uninitialized memory while processing the Ethernet
header [1]. Issue can be reproduced using [2].

Fix by checking that we can pull the Ethernet header into the linear
part of the skb. Note that the driver can transmit IP packets, but this
is handled earlier in the xmit path.

[1]
CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G    B              6.12.0-rc7-custom-g10d3437464d3 torvalds#232
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
=====================================================
=====================================================
BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450
 __vxlan_find_mac+0x449/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 __vxlan_find_mac+0x442/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 kmem_cache_alloc_node_noprof+0x4a8/0x9e0
 kmalloc_reserve+0xd1/0x420
 pskb_expand_head+0x1b4/0x15f0
 skb_ensure_writable+0x2ee/0x390
 bpf_clone_redirect+0x16a/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0

[2]
 $ cat mac_repo.bpf.c
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>

 SEC("lwt_xmit")
 int mac_repo(struct __sk_buff *skb)
 {
         return bpf_clone_redirect(skb, 100, 0);
 }

 $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o

 # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1

 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo

 # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \
	bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10

Fixes: d342894 ("vxlan: virtual extensible lan")
Reported-by: [email protected]
Closes: https://lore.kernel.org/netdev/[email protected]/
Signed-off-by: Ido Schimmel <[email protected]>
Signed-off-by: NipaLocal <nipa@local>
kuba-moo pushed a commit to linux-netdev/testing that referenced this pull request Dec 17, 2024
The VXLAN driver does not verify that transmitted packets have an
Ethernet header in the linear part of the skb, which can result in the
driver accessing uninitialized memory while processing the Ethernet
header [1]. Issue can be reproduced using [2].

Fix by checking that we can pull the Ethernet header into the linear
part of the skb. Note that the driver can transmit IP packets, but this
is handled earlier in the xmit path.

[1]
CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G    B              6.12.0-rc7-custom-g10d3437464d3 torvalds#232
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
=====================================================
=====================================================
BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450
 __vxlan_find_mac+0x449/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 __vxlan_find_mac+0x442/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 kmem_cache_alloc_node_noprof+0x4a8/0x9e0
 kmalloc_reserve+0xd1/0x420
 pskb_expand_head+0x1b4/0x15f0
 skb_ensure_writable+0x2ee/0x390
 bpf_clone_redirect+0x16a/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0

[2]
 $ cat mac_repo.bpf.c
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>

 SEC("lwt_xmit")
 int mac_repo(struct __sk_buff *skb)
 {
         return bpf_clone_redirect(skb, 100, 0);
 }

 $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o

 # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1

 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo

 # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \
	bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10

Fixes: d342894 ("vxlan: virtual extensible lan")
Reported-by: [email protected]
Closes: https://lore.kernel.org/netdev/[email protected]/
Signed-off-by: Ido Schimmel <[email protected]>
Signed-off-by: NipaLocal <nipa@local>
kuba-moo pushed a commit to linux-netdev/testing that referenced this pull request Dec 17, 2024
The VXLAN driver does not verify that transmitted packets have an
Ethernet header in the linear part of the skb, which can result in the
driver accessing uninitialized memory while processing the Ethernet
header [1]. Issue can be reproduced using [2].

Fix by checking that we can pull the Ethernet header into the linear
part of the skb. Note that the driver can transmit IP packets, but this
is handled earlier in the xmit path.

[1]
CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G    B              6.12.0-rc7-custom-g10d3437464d3 torvalds#232
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
=====================================================
=====================================================
BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450
 __vxlan_find_mac+0x449/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 __vxlan_find_mac+0x442/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 kmem_cache_alloc_node_noprof+0x4a8/0x9e0
 kmalloc_reserve+0xd1/0x420
 pskb_expand_head+0x1b4/0x15f0
 skb_ensure_writable+0x2ee/0x390
 bpf_clone_redirect+0x16a/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0

[2]
 $ cat mac_repo.bpf.c
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>

 SEC("lwt_xmit")
 int mac_repo(struct __sk_buff *skb)
 {
         return bpf_clone_redirect(skb, 100, 0);
 }

 $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o

 # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1

 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo

 # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \
	bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10

Fixes: d342894 ("vxlan: virtual extensible lan")
Reported-by: [email protected]
Closes: https://lore.kernel.org/netdev/[email protected]/
Signed-off-by: Ido Schimmel <[email protected]>
Signed-off-by: NipaLocal <nipa@local>
kuba-moo pushed a commit to linux-netdev/testing that referenced this pull request Dec 17, 2024
The VXLAN driver does not verify that transmitted packets have an
Ethernet header in the linear part of the skb, which can result in the
driver accessing uninitialized memory while processing the Ethernet
header [1]. Issue can be reproduced using [2].

Fix by checking that we can pull the Ethernet header into the linear
part of the skb. Note that the driver can transmit IP packets, but this
is handled earlier in the xmit path.

[1]
CPU: 6 UID: 0 PID: 404 Comm: bpftool Tainted: G    B              6.12.0-rc7-custom-g10d3437464d3 torvalds#232
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
=====================================================
=====================================================
BUG: KMSAN: uninit-value in __vxlan_find_mac+0x449/0x450
 __vxlan_find_mac+0x449/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 __vxlan_find_mac+0x442/0x450
 vxlan_xmit+0x1265/0x2f70
 dev_hard_start_xmit+0x239/0x7e0
 __dev_queue_xmit+0x2d65/0x45e0
 __bpf_redirect+0x6d2/0xf60
 bpf_clone_redirect+0x2c7/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 kmem_cache_alloc_node_noprof+0x4a8/0x9e0
 kmalloc_reserve+0xd1/0x420
 pskb_expand_head+0x1b4/0x15f0
 skb_ensure_writable+0x2ee/0x390
 bpf_clone_redirect+0x16a/0x450
 bpf_prog_7423975f9f8be99f_mac_repo+0x20/0x22
 bpf_test_run+0x60f/0xca0
 bpf_prog_test_run_skb+0x115d/0x2300
 bpf_prog_test_run+0x3b3/0x5c0
 __sys_bpf+0x501/0xc60
 __x64_sys_bpf+0xa8/0xf0
 do_syscall_64+0xd9/0x1b0

[2]
 $ cat mac_repo.bpf.c
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>

 SEC("lwt_xmit")
 int mac_repo(struct __sk_buff *skb)
 {
         return bpf_clone_redirect(skb, 100, 0);
 }

 $ clang -O2 -target bpf -c mac_repo.bpf.c -o mac_repo.o

 # ip link add name vx0 up index 100 type vxlan id 10010 dstport 4789 local 192.0.2.1

 # bpftool prog load mac_repo.o /sys/fs/bpf/mac_repo

 # echo -ne "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" | \
	bpftool prog run pinned /sys/fs/bpf/mac_repo data_in - repeat 10

Fixes: d342894 ("vxlan: virtual extensible lan")
Reported-by: [email protected]
Closes: https://lore.kernel.org/netdev/[email protected]/
Signed-off-by: Ido Schimmel <[email protected]>
Signed-off-by: NipaLocal <nipa@local>
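
The check this commit message describes, modelled in userspace C as an added example (not code from the kernel or from this commit). `toy_skb`, `toy_may_pull`, `xmit_unchecked`, `xmit_checked` and `run_case` are hypothetical names, the frame is constructed, and the `POISON` byte stands in for the memory KMSAN reports as uninitialized.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14 /* dst MAC (6) + src MAC (6) + EtherType (2) */
#define POISON 0xAA /* stands in for heap bytes nobody has written */
/* Toy packet buffer: header parsers may only read linear[0..linear_len). */
struct toy_skb {
    uint8_t linear[64];
    size_t linear_len;
    const uint8_t *frag; /* rest of the packet, held out of line */
    size_t frag_len;
};

/* Hypothetical "may pull": 1 once len bytes are linear, 0 if packet too short. */
static int toy_may_pull(struct toy_skb *skb, size_t len)
{
    if (len <= skb->linear_len)
        return 1;
    size_t need = len - skb->linear_len;
    if (need > skb->frag_len || len > sizeof(skb->linear))
        return 0;
    memcpy(skb->linear + skb->linear_len, skb->frag, need);
    skb->frag += need;
    skb->frag_len -= need;
    skb->linear_len = len;
    return 1;
}

/* Unchecked transmit: assumes an Ethernet header is already linear. */
static void xmit_unchecked(const struct toy_skb *skb, uint8_t dmac[6])
{
    memcpy(dmac, skb->linear, 6);
}

/* Checked transmit: drop (-1) unless the whole header can be made linear. */
static int xmit_checked(struct toy_skb *skb, uint8_t dmac[6])
{
    if (!toy_may_pull(skb, ETH_HLEN))
        return -1;
    memcpy(dmac, skb->linear, 6);
    return 0;
}

/* Run one path over a constructed frame (lin <= total <= 20, lin bytes linear).
 * Returns -1 if dropped, else the POISON bytes in the MAC used for lookup. */
int run_case(size_t total, size_t lin, int checked)
{
    static const uint8_t pkt[20] = { 0x02, 0, 0, 0, 0, 0x01, 0x02, 0, 0, 0,
                                     0, 0x02, 0x08, 0x00, 1, 2, 3, 4, 5, 6 };
    struct toy_skb skb = { .linear_len = lin, .frag = pkt + lin, .frag_len = total - lin };
    uint8_t dmac[6];
    int stale = 0;
    memset(skb.linear, POISON, sizeof(skb.linear));
    memcpy(skb.linear, pkt, lin);
    if (!checked)
        xmit_unchecked(&skb, dmac);
    else if (xmit_checked(&skb, dmac) < 0)
        return -1;
    for (int i = 0; i < 6; i++)
        stale += dmac[i] == POISON;
    return stale;
}

int main(void)
{
    printf("unchecked=%d checked=%d short=%d\n", run_case(20, 4, 0), run_case(20, 4, 1), run_case(4, 4, 1));
    return 0;
}
```

With only 4 linear bytes the unchecked path builds a lookup key that is one third stale memory, while the checked path either pulls the header in from the fragment or drops the packet.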
kuba-moo pushed a commit to linux-netdev/testing that referenced this pull request Dec 18, 2024
ninadpalsule pushed a commit to ninadpalsule/linux that referenced this pull request Feb 12, 2025
If the LED is set to keep the default state, the blink state
needs to be set in the core when the LED device is added so the
state is kept in sync.

Signed-off-by: Eddie James <[email protected]>
torvalds pushed a commit that referenced this pull request Feb 21, 2025
The namespace percpu counter protects pending I/O, and we can
only safely disable the namespace once the counter drops to zero.
Otherwise we end up with a crash when running blktests/nvme/058
(eg for loop transport):

[ 2352.930426] [  T53909] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI
[ 2352.930431] [  T53909] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
[ 2352.930434] [  T53909] CPU: 3 UID: 0 PID: 53909 Comm: kworker/u16:5 Tainted: G        W          6.13.0-rc6 #232
[ 2352.930438] [  T53909] Tainted: [W]=WARN
[ 2352.930440] [  T53909] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014
[ 2352.930443] [  T53909] Workqueue: nvmet-wq nvme_loop_execute_work [nvme_loop]
[ 2352.930449] [  T53909] RIP: 0010:blkcg_set_ioprio+0x44/0x180

as the queue is already torn down when calling submit_bio();

So we need to init the percpu counter in nvmet_ns_enable(), and
wait for it to drop to zero in nvmet_ns_disable() to avoid having
I/O pending after the namespace has been disabled.

Fixes: 74d1696 ("nvmet-loop: avoid using mutex in IO hotpath")

Signed-off-by: Hannes Reinecke <[email protected]>
Reviewed-by: Nilay Shroff <[email protected]>
Reviewed-by: Sagi Grimberg <[email protected]>
Reviewed-by: Christoph Hellwig <[email protected]>
Reviewed-by: Chaitanya Kulkarni <[email protected]>
Tested-by: Shin'ichiro Kawasaki <[email protected]>
Signed-off-by: Keith Busch <[email protected]>
This pull request was closed.