bpf: return proper error codes for lwt redirect #5399
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![kernel-patches-daemon-bpf[bot]](https://avatars.githubusercontent.com/u/70728002?s=60&v=4){kind=small}
|
Upstream branch: 22117b3 |
|
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=769117 expired. Closing PR. |
|
Upstream branch: aa89592 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/769117=>bpf
branch
from
1760acf
to
6ce4bb6
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf_base
branch
from
894fa9c
to
64e47c0
Compare
|
Upstream branch: aa89592 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/769117=>bpf
branch
from
6ce4bb6
to
18d964a
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf_base
branch
from
64e47c0
to
d312ac9
Compare
added 2 commits
July 27, 2023 10:27
skb_do_redirect returns various of values: error code (negative), 0 (success), and some positive status code, e.g. NET_XMIT_CN, NET_RX_DROP. Commit 3a0af8f ("bpf: BPF for lightweight tunnel infrastructure") didn't check the return code correctly, so positive values are propagated back along call chain: ip_finish_output2 -> bpf_xmit -> run_lwt_bpf -> skb_do_redirect Inside ip_finish_output2, redirected skb will continue to neighbor subsystem as if LWTUNNEL_XMIT_CONTINUE is returned, despite that this skb could have been freed. The bug can trigger use-after-free warning and crashes kernel afterwards: https://gist.github.com/zhaiyan920/8fbac245b261fe316a7ef04c9b1eba48 Convert positive statuses from skb_do_redirect eliminates this issue. Fixes: 3a0af8f ("bpf: BPF for lightweight tunnel infrastructure") Tested-by: Jakub Sitnicki <jakub@cloudflare.com> Suggested-by: Markus Elfring <Markus.Elfring@web.de> Suggested-by: Stanislav Fomichev <sdf@google.com> Reported-by: Jordan Griege <jgriege@cloudflare.com> Signed-off-by: Yan Zhai <yan@cloudflare.com> Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Tests BPF redirect at the lwt xmit hook to ensure error handling are safe, i.e. won't panic the kernel. Tested-by: Jakub Sitnicki <jakub@cloudflare.com> Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com> Signed-off-by: Yan Zhai <yan@cloudflare.com> Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
|
Upstream branch: bcc29b7 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/769117=>bpf
branch
from
18d964a
to
093a91a
Compare
|
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=769511 expired. Closing PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: bpf: return proper error codes for lwt redirect
version: 3
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=769117