bpf, test_run: fix alignment problem in bpf_prog_test_run_skb() #3935
We got a syzkaller problem because of an aarch64 alignment fault if KFENCE is enabled.

When the size from the user bpf program is an odd number, like 399, 407, etc., it will cause the struct skb_shared_info's unaligned access. As seen below:

BUG: KFENCE: use-after-free read in __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032

Use-after-free read at 0xffff6254fffac077 (in kfence-#213):
 __lse_atomic_add arch/arm64/include/asm/atomic_lse.h:26 [inline]
 arch_atomic_add arch/arm64/include/asm/atomic.h:28 [inline]
 arch_atomic_inc include/linux/atomic-arch-fallback.h:270 [inline]
 atomic_inc include/asm-generic/atomic-instrumented.h:241 [inline]
 __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032
 skb_clone+0xf4/0x214 net/core/skbuff.c:1481
 ____bpf_clone_redirect net/core/filter.c:2433 [inline]
 bpf_clone_redirect+0x78/0x1c0 net/core/filter.c:2420
 bpf_prog_d3839dd9068ceb51+0x80/0x330
 bpf_dispatcher_nop_func include/linux/bpf.h:728 [inline]
 bpf_test_run+0x3c0/0x6c0 net/bpf/test_run.c:53
 bpf_prog_test_run_skb+0x638/0xa7c net/bpf/test_run.c:594
 bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]
 __do_sys_bpf kernel/bpf/syscall.c:4441 [inline]
 __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381

kfence-#213: 0xffff6254fffac000-0xffff6254fffac196, size=407, cache=kmalloc-512

allocated by task 15074 on cpu 0 at 1342.585390s:
 kmalloc include/linux/slab.h:568 [inline]
 kzalloc include/linux/slab.h:675 [inline]
 bpf_test_init.isra.0+0xac/0x290 net/bpf/test_run.c:191
 bpf_prog_test_run_skb+0x11c/0xa7c net/bpf/test_run.c:512
 bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]
 __do_sys_bpf kernel/bpf/syscall.c:4441 [inline]
 __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381
 __arm64_sys_bpf+0x50/0x60 kernel/bpf/syscall.c:4381

To fix the problem, we adjust @size so that (@size + @headroom) is a multiple of SMP_CACHE_BYTES. So we make sure the struct skb_shared_info is aligned to a cache line.

Fixes: 1cf1cae ("bpf: introduce BPF_PROG_TEST_RUN command")
Signed-off-by: Baisong Zhong <zhongbaisong@huawei.com>
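Added example, not part of the patch or of the kernel tree: a user-space model of the buffer layout the commit message describes (headroom, then @size bytes of packet data, then struct skb_shared_info), showing why an odd @size such as 399 or 407 leaves the shared info at an unaligned offset and how rounding @size so that (@size + @headroom) is a multiple of SMP_CACHE_BYTES fixes it. The constant values (SMP_CACHE_BYTES = 64, NET_SKB_PAD = 64, NET_IP_ALIGN = 2) are assumptions for an arm64-like configuration and are not taken from the report; the function names are illustrative.

```c
/* Added example (not from the patch or the kernel): models the layout
 * bpf_test_init() hands to build_skb() as the commit message describes it:
 *
 *   data + 0          : headroom
 *   data + headroom   : @size bytes of packet data
 *   data + headroom + size : struct skb_shared_info
 *
 * Constants below are assumed arm64-like values, not taken from the report. */
#include <stdbool.h>
#include <stdio.h>

#define SMP_CACHE_BYTES 64U   /* assumed: arm64 L1_CACHE_BYTES */
#define NET_SKB_PAD     64U   /* assumed: max(32, L1_CACHE_BYTES) */
#define NET_IP_ALIGN    2U    /* assumed: default value */

/* Same rounding as the kernel's ALIGN() for a power-of-two @a. */
#define ALIGN_UP(x, a)  (((x) + ((a) - 1U)) & ~((a) - 1U))

/* Offset of struct skb_shared_info from the start of the allocation. */
static unsigned int shinfo_offset(unsigned int size, unsigned int headroom)
{
	return headroom + size;
}

/* True when the shared info starts on a cache line boundary, which is
 * what the atomic operations on its fields need on aarch64 with LSE. */
static bool shinfo_is_aligned(unsigned int size, unsigned int headroom)
{
	return (shinfo_offset(size, headroom) % SMP_CACHE_BYTES) == 0;
}

/* The fix described in the commit message: adjust @size so that
 * (@size + @headroom) is a multiple of SMP_CACHE_BYTES. Never shrinks
 * @size, so the user's data still fits. */
static unsigned int size_aligned(unsigned int size, unsigned int headroom)
{
	return ALIGN_UP(size + headroom, SMP_CACHE_BYTES) - headroom;
}

int main(void)
{
	const unsigned int headroom = NET_SKB_PAD + NET_IP_ALIGN;
	/* 399 and 407 are the odd sizes named in the report; 64 is a control. */
	const unsigned int sizes[] = { 64, 399, 407 };

	for (unsigned int i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
		unsigned int before = sizes[i];
		unsigned int after = size_aligned(before, headroom);

		printf("size=%u: shinfo at +%u (%s) -> adjusted size=%u, shinfo at +%u (%s)\n",
		       before, shinfo_offset(before, headroom),
		       shinfo_is_aligned(before, headroom) ? "aligned" : "UNALIGNED",
		       after, shinfo_offset(after, headroom),
		       shinfo_is_aligned(after, headroom) ? "aligned" : "UNALIGNED");
	}
	return 0;
}
```

With the assumed headroom of 66 bytes, 399 and 407 both put the shared info at an odd offset (465 and 473); after adjustment both become 446 and the shared info lands exactly at offset 512. A size that already satisfies the invariant (for example 446 here) is left unchanged.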
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=691099 irrelevant now. Closing PR.
Pull request for series with
subject: bpf, test_run: fix alignment problem in bpf_prog_test_run_skb()
version: 2
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=691099