bpf: return proper error codes for lwt redirect #5399

Closed
wants to merge 2 commits into from

kernel-patches-daemon-bpf[bot]

Pull request for series with
subject: bpf: return proper error codes for lwt redirect
version: 3
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=769117

@kernel-patches-daemon-bpf
Author

Upstream branch: 22117b3
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=769117
version: 3

@kernel-patches-daemon-bpf
Author

At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=769117 expired. Closing PR.

@kernel-patches-daemon-bpf
Author

Upstream branch: aa89592
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=769511
version: 4

Yan Zhai added 2 commits July 27, 2023 10:27
skb_do_redirect returns various values: error code (negative),
0 (success), and some positive status code, e.g. NET_XMIT_CN,
NET_RX_DROP. Commit 3a0af8f ("bpf: BPF for lightweight tunnel
infrastructure") didn't check the return code correctly, so positive
values are propagated back along call chain:

  ip_finish_output2
    -> bpf_xmit
      -> run_lwt_bpf
        -> skb_do_redirect

Inside ip_finish_output2, redirected skb will continue to neighbor
subsystem as if LWTUNNEL_XMIT_CONTINUE is returned, despite that this
skb could have been freed. The bug can trigger a use-after-free warning
and crash the kernel afterwards:

https://gist.github.com/zhaiyan920/8fbac245b261fe316a7ef04c9b1eba48

Converting positive statuses from skb_do_redirect eliminates this issue.

Fixes: 3a0af8f ("bpf: BPF for lightweight tunnel infrastructure")
Tested-by: Jakub Sitnicki <jakub@cloudflare.com>
Suggested-by: Markus Elfring <Markus.Elfring@web.de>
Suggested-by: Stanislav Fomichev <sdf@google.com>
Reported-by: Jordan Griege <jgriege@cloudflare.com>
Signed-off-by: Yan Zhai <yan@cloudflare.com>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>

Tests BPF redirect at the lwt xmit hook to ensure error handling is
safe, i.e. won't panic the kernel.

Tested-by: Jakub Sitnicki <jakub@cloudflare.com>
Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Signed-off-by: Yan Zhai <yan@cloudflare.com>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
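
The return-code confusion described in the first commit message, as an added userspace model (not code from the series or from the kernel). All `model_*` names are hypothetical, the numeric constants and the caller's check are assumptions of the model, and the mapping in `model_xmit_fixed` is one possible conversion rather than the one the patch uses.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed values for this model: two positive status codes and the
 * lwtunnel xmit results the commit message refers to. */
enum { NET_RX_DROP = 1, NET_XMIT_CN = 2 };
enum { LWTUNNEL_XMIT_DONE = 0, LWTUNNEL_XMIT_CONTINUE = 1 };

struct model_skb { bool freed; };

/* Stand-in for skb_do_redirect(): takes ownership of the buffer (modelled
 * as freed) and reports a negative, zero or positive status. */
static int model_do_redirect(struct model_skb *skb, int status)
{
    skb->freed = true;
    return status;
}

/* Buggy hook: hands the redirect status to the caller unchanged. */
static int model_xmit_buggy(struct model_skb *skb, int status)
{
    return model_do_redirect(skb, status);
}

/* Hardened hook: a positive status never leaves the function. */
static int model_xmit_fixed(struct model_skb *skb, int status)
{
    int ret = model_do_redirect(skb, status);
    if (ret > 0)                       /* assumed mapping, see lead-in */
        ret = (ret == NET_XMIT_CN) ? 0 : -ENOBUFS;
    return ret;                        /* LWTUNNEL_XMIT_DONE or -errno */
}

/* Simplified caller: stops on error or DONE, otherwise carries on with
 * the skb. Returns true if it would touch an already-freed buffer. */
static bool model_caller_uses_freed(int (*xmit)(struct model_skb *, int), int status)
{
    struct model_skb skb = { .freed = false };
    int res = xmit(&skb, status);
    if (res < 0 || res == LWTUNNEL_XMIT_DONE)
        return false;
    return skb.freed;                  /* continues as if CONTINUE was returned */
}

int main(void)
{
    printf("buggy, NET_RX_DROP: uses freed skb = %d\n", model_caller_uses_freed(model_xmit_buggy, NET_RX_DROP));
    printf("fixed, NET_RX_DROP: uses freed skb = %d\n", model_caller_uses_freed(model_xmit_fixed, NET_RX_DROP));
    return 0;
}
```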

@kernel-patches-daemon-bpf
Author

Upstream branch: bcc29b7
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=769511
version: 4

@kernel-patches-daemon-bpf
Author

At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=769511 expired. Closing PR.
