KASAN: use-after-free in dst_destroy (net/core/dst.c:118) #270

Closed
matttbe opened this issue Apr 27, 2022 · 3 comments

matttbe commented Apr 27, 2022

It looks like a new issue has been spotted by KASAN. It has been detected by both the public CI and the one at Tessares with the latest export tag (export/20220427T055600) after a sync with upstream. I guess it is due to a bug upstream.

[ 1021.244913][    C1] ==================================================================
[ 1021.259391][ C1] BUG: KASAN: use-after-free in dst_destroy (net/core/dst.c:118) 
[ 1021.271811][    C1] Read of size 8 at addr ffff888009b28830 by task swapper/1/0
[ 1021.284955][    C1] 
[ 1021.288788][    C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.18.0-rc3-gb0182701285f #1
[ 1021.302672][    C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 1021.320147][    C1] Call Trace:
[ 1021.325955][    C1]  <IRQ>
[ 1021.330426][ C1] dump_stack_lvl (lib/dump_stack.c:107) 
[ 1021.338306][ C1] print_address_description.constprop.0.cold (mm/kasan/report.c:314) 
[ 1021.350263][ C1] ? dst_destroy (net/core/dst.c:118) 
[ 1021.357370][ C1] ? dst_destroy (net/core/dst.c:118) 
[ 1021.364645][ C1] print_report.cold (mm/kasan/report.c:430) 
[ 1021.372519][ C1] ? do_raw_spin_lock (arch/x86/include/asm/atomic.h:202) 
[ 1021.380101][ C1] kasan_report (mm/kasan/report.c:162) 
[ 1021.386547][ C1] ? dst_destroy (net/core/dst.c:118) 
[ 1021.393368][ C1] dst_destroy (net/core/dst.c:118) 
[ 1021.400684][ C1] rcu_do_batch (include/linux/rcupdate.h:273) 
[ 1021.408377][ C1] ? rcu_gp_kthread (kernel/rcu/tree.c:2474) 
[ 1021.415183][ C1] ? _raw_spin_unlock_irqrestore (include/linux/spinlock_api_smp.h:151) 
[ 1021.424564][ C1] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4358) 
[ 1021.433369][ C1] ? _raw_spin_unlock_irqrestore (arch/x86/include/asm/preempt.h:103) 
[ 1021.443211][ C1] rcu_core (kernel/rcu/tree.c:2788) 
[ 1021.450457][ C1] __do_softirq (arch/x86/include/asm/jump_label.h:27) 
[ 1021.458344][ C1] irq_exit_rcu (kernel/softirq.c:432) 
[ 1021.465414][ C1] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1097 (discriminator 14)) 
[ 1021.474851][    C1]  </IRQ>
[ 1021.479980][    C1]  <TASK>
[ 1021.485090][ C1] asm_sysvec_apic_timer_interrupt (arch/x86/include/asm/idtentry.h:645) 
[ 1021.494832][ C1] RIP: 0010:default_idle (arch/x86/kernel/process.c:734) 
[ 1021.503161][ C1] Code: e2 48 89 ef 31 f6 5d 41 5c e9 fc be 42 fe cc cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00 00 eb 07 0f 00 2d 62 f3 53 00 fb f4 <c3> 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00 41
All code
========
   0:	e2 48                	loop   0x4a
   2:	89 ef                	mov    %ebp,%edi
   4:	31 f6                	xor    %esi,%esi
   6:	5d                   	pop    %rbp
   7:	41 5c                	pop    %r12
   9:	e9 fc be 42 fe       	jmpq   0xfffffffffe42bf0a
   e:	cc                   	int3   
   f:	cc                   	int3   
  10:	cc                   	int3   
  11:	cc                   	int3   
  12:	cc                   	int3   
  13:	cc                   	int3   
  14:	cc                   	int3   
  15:	cc                   	int3   
  16:	cc                   	int3   
  17:	cc                   	int3   
  18:	cc                   	int3   
  19:	cc                   	int3   
  1a:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  1f:	eb 07                	jmp    0x28
  21:	0f 00 2d 62 f3 53 00 	verw   0x53f362(%rip)        # 0x53f38a
  28:	fb                   	sti    
  29:	f4                   	hlt    
  2a:*	c3                   	retq   		<-- trapping instruction
  2b:	66 66 2e 0f 1f 84 00 	data16 nopw %cs:0x0(%rax,%rax,1)
  32:	00 00 00 00 
  36:	0f 1f 40 00          	nopl   0x0(%rax)
  3a:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  3f:	41                   	rex.B

Code starting with the faulting instruction
===========================================
   0:	c3                   	retq   
   1:	66 66 2e 0f 1f 84 00 	data16 nopw %cs:0x0(%rax,%rax,1)
   8:	00 00 00 00 
   c:	0f 1f 40 00          	nopl   0x0(%rax)
  10:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  15:	41                   	rex.B
[ 1021.535934][    C1] RSP: 0018:ffffc9000011fde0 EFLAGS: 00000206
[ 1021.546422][    C1] RAX: 0000000000e78733 RBX: 0000000000000001 RCX: ffffffff96f091ca
[ 1021.558655][    C1] RDX: 0000000000000000 RSI: ffffffff974c0f80 RDI: ffffffff9768e7e0
[ 1021.572130][    C1] RBP: 0000000000000001 R08: 0000000000000001 R09: ffffed100cb97443
[ 1021.584312][    C1] R10: ffff888065cba213 R11: ffffed100cb97442 R12: 0000000000000001
[ 1021.597437][    C1] R13: 0000000000000001 R14: ffffffff98f98610 R15: 0000000000000000
[ 1021.610473][ C1] ? rcu_eqs_enter.constprop.0 (kernel/rcu/tree.c:644) 
[ 1021.620700][ C1] default_idle_call (arch/x86/include/asm/irqflags.h:40) 
[ 1021.628695][ C1] do_idle (kernel/sched/idle.c:192) 
[ 1021.635293][ C1] ? arch_cpu_idle_exit+0x40/0x40
 
[ 1021.643245][ C1] cpu_startup_entry (kernel/sched/idle.c:399 (discriminator 1)) 
[ 1021.651677][ C1] start_secondary (arch/x86/kernel/smpboot.c:218) 
[ 1021.660059][ C1] ? init_freq_invariance (arch/x86/kernel/smpboot.c:218) 
[ 1021.668512][ C1] secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:303) 
[ 1021.678476][    C1]  </TASK>
[ 1021.683659][    C1] 
[ 1021.687678][    C1] Allocated by task 5850:
[ 1021.694814][ C1] kasan_save_stack (mm/kasan/common.c:39) 
[ 1021.702982][ C1] __kasan_slab_alloc (mm/kasan/common.c:45) 
[ 1021.710384][ C1] kmem_cache_alloc (include/linux/kasan.h:224) 
[ 1021.718773][ C1] copy_net_ns (include/linux/slab.h:704) 
[ 1021.726117][ C1] create_new_namespaces.isra.0 (kernel/nsproxy.c:110) 
[ 1021.736477][ C1] unshare_nsproxy_namespaces (kernel/nsproxy.c:226 (discriminator 4)) 
[ 1021.745599][ C1] ksys_unshare (kernel/fork.c:3132) 
[ 1021.753014][ C1] __x64_sys_unshare (kernel/fork.c:3201) 
[ 1021.761054][ C1] do_syscall_64 (arch/x86/entry/common.c:50) 
[ 1021.767078][ C1] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115) 
[ 1021.776232][    C1] 
[ 1021.779753][    C1] Last potentially related work creation:
[ 1021.789410][ C1] kasan_save_stack (mm/kasan/common.c:39) 
[ 1021.796800][ C1] __kasan_record_aux_stack (mm/kasan/generic.c:348) 
[ 1021.804748][ C1] insert_work (include/linux/instrumented.h:71) 
[ 1021.811898][ C1] __queue_work (kernel/workqueue.c:1520) 
[ 1021.819782][ C1] call_timer_fn (arch/x86/include/asm/jump_label.h:27) 
[ 1021.827564][ C1] __run_timers.part.0 (kernel/time/timer.c:1462) 
[ 1021.835979][ C1] __do_softirq (arch/x86/include/asm/jump_label.h:27) 
[ 1021.843786][    C1] 
[ 1021.847724][    C1] Second to last potentially related work creation:
[ 1021.858296][ C1] kasan_save_stack (mm/kasan/common.c:39) 
[ 1021.865763][ C1] __kasan_record_aux_stack (mm/kasan/generic.c:348) 
[ 1021.874732][ C1] insert_work (include/linux/instrumented.h:71) 
[ 1021.881913][ C1] __queue_work (kernel/workqueue.c:1520) 
[ 1021.889145][ C1] call_timer_fn (arch/x86/include/asm/jump_label.h:27) 
[ 1021.896559][ C1] __run_timers.part.0 (kernel/time/timer.c:1462) 
[ 1021.905172][ C1] __do_softirq (arch/x86/include/asm/jump_label.h:27) 
[ 1021.912371][    C1] 
[ 1021.916187][    C1] The buggy address belongs to the object at ffff888009b28000
[ 1021.916187][    C1]  which belongs to the cache net_namespace of size 5376
[ 1021.940550][    C1] The buggy address is located 2096 bytes inside of
[ 1021.940550][    C1]  5376-byte region [ffff888009b28000, ffff888009b29500)
[ 1021.963713][    C1] 
[ 1021.967819][    C1] The buggy address belongs to the physical page:
[ 1021.978795][    C1] page:00000000b573002d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9b28
[ 1021.995681][    C1] head:00000000b573002d order:3 compound_mapcount:0 compound_pincount:0
[ 1022.009130][    C1] flags: 0x100000000010200(slab|head|node=0|zone=1)
[ 1022.020323][    C1] raw: 0100000000010200 0000000000000000 dead000000000122 ffff888001aa6b40
==========================================

https://api.cirrus-ci.com/v1/artifact/task/6502615964975104/summary/summary.txt
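A CI-side check of the kind the report above implies, added here as an example and not part of the MPTCP project's CI scripts: it scans a kernel log for `BUG: KASAN:` reports and pulls out the bug class, faulting function, access size, slab cache and offset into the object. The sample log is a constructed, trimmed copy of the report above; the prefix regex also accepts the `HH:MM:SS.mmm [ ts]` style of the Tessares log, and the `summarize` helper is an assumption about how a CI would phrase the failure.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a trimmed copy of the KASAN report format seen in the
# issue above (printk timestamp + CPU prefix), not a live log capture.
SAMPLE_LOG = """\
[ 1021.244913][    C1] ==================================================================
[ 1021.259391][ C1] BUG: KASAN: use-after-free in dst_destroy (net/core/dst.c:118)
[ 1021.271811][    C1] Read of size 8 at addr ffff888009b28830 by task swapper/1/0
[ 1021.916187][    C1] The buggy address belongs to the object at ffff888009b28000
[ 1021.916187][    C1]  which belongs to the cache net_namespace of size 5376
[ 1021.940550][    C1] The buggy address is located 2096 bytes inside of
[ 1021.940550][    C1]  5376-byte region [ffff888009b28000, ffff888009b29500)
==========================================
"""

# Optional CI wall-clock stamp, printk timestamp, optional "[ Cn]" CPU id.
PREFIX = re.compile(r"^(?:\d\d:\d\d:\d\d\.\d+\s+)?\[\s*\d+\.\d+\](?:\[\s*C\d+\])?\s*")

@dataclass
class KasanReport:
    bug: str                        # e.g. "use-after-free"
    func: str                       # function performing the bad access
    location: str                   # file:line of that access
    access: str = ""                # "Read" or "Write"
    size: int = 0
    addr: str = ""
    cache: Optional[str] = None     # slab cache the address belongs to
    object_size: Optional[int] = None
    offset: Optional[int] = None    # bytes from the start of the object

def strip_prefix(line: str) -> str:
    return PREFIX.sub("", line.rstrip())

def parse_kasan_reports(log: str) -> List[KasanReport]:
    """Return one KasanReport per 'BUG: KASAN:' header found in the log."""
    reports: List[KasanReport] = []
    cur: Optional[KasanReport] = None
    for raw in log.splitlines():
        line = strip_prefix(raw)
        m = re.match(r"BUG: KASAN: ([\w-]+) in (\S+) \(([^)]+)\)", line)
        if m:
            cur = KasanReport(bug=m[1], func=m[2], location=m[3])
            reports.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line)
        if m:
            cur.access, cur.size, cur.addr = m[1], int(m[2]), m[3]
        elif (m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line)):
            cur.cache, cur.object_size = m[1], int(m[2])
        elif (m := re.match(r"The buggy address is located (\d+) bytes inside of", line)):
            cur.offset = int(m[1])
        elif line.startswith("====="):
            cur = None                  # closing rule ends the report
    return reports

def summarize(r: KasanReport) -> str:
    """One-line summary suitable for a CI failure message (assumed wording)."""
    s = f"KASAN {r.bug}: {r.access} of size {r.size} in {r.func} ({r.location})"
    if r.cache and r.offset is not None:
        s += f", {r.offset} bytes into a {r.object_size}-byte {r.cache} object"
    return s
```

Feeding the full serial log to `parse_kasan_reports` and failing the job when the list is non-empty gives the CI a structured record of each report rather than a grep hit on the banner line.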

@matttbe matttbe added this to Needs triage in MPTCP Bugs via automation Apr 27, 2022

matttbe commented Apr 27, 2022

Here is the call trace seen by Tessares CI:

01:10:30.760 # 019 multiple flows, signal, link failure syn[ ok ] - synack[ ok ] - ack[ ok ]
01:10:30.760 #                                          add[ ok ] - echo  [ ok ]
01:10:30.760 #                                          stale             [ ok ]
01:10:30.760 [  564.980494] IPv6: ADDRCONF(NETDEV_CHANGE): ns1eth1: link becomes ready
01:10:30.761 [  565.530311] IPv6: ADDRCONF(NETDEV_CHANGE): ns2eth1: link becomes ready
01:10:30.761 [  565.746375] IPv6: ADDRCONF(NETDEV_CHANGE): ns1eth2: link becomes ready
01:10:30.761 [  566.490032] IPv6: ADDRCONF(NETDEV_CHANGE): ns1eth3: link becomes ready
01:10:30.761 [  566.531432] IPv6: ADDRCONF(NETDEV_CHANGE): ns2eth2: link becomes ready
01:10:30.761 [  567.281692] IPv6: ADDRCONF(NETDEV_CHANGE): ns1eth4: link becomes ready
01:10:30.761 # Created /tmp/tmp.vbfRPWmeyI (size 22528 KB) containing data sent by server
01:10:30.762 [  575.361323] ==================================================================
01:10:30.762 [  575.362760] BUG: KASAN: use-after-free in dst_destroy (net/core/dst.c:118) 
01:10:31.190 [  575.363977] Read of size 8 at addr ffff888004ae87f0 by task swapper/0/0
01:10:31.191 [  575.365275] 
01:10:31.191 [  575.365596] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.18.0-rc3-gb0182701285f #2
01:10:31.191 [  575.366969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
01:10:31.191 [  575.368603] Call Trace:
01:10:31.191 [  575.369119]  <IRQ>
01:10:31.191 [  575.369592] dump_stack_lvl (lib/dump_stack.c:107) 
01:10:31.563 [  575.370426] print_report.cold (mm/kasan/report.c:314) 
01:10:31.954 [  575.371379] ? dst_destroy (net/core/dst.c:118) 
01:10:31.957 [  575.372227] kasan_report (mm/kasan/report.c:162) 
01:10:32.340 [  575.373047] ? rcu_read_lock_sched_held (./include/linux/lockdep.h:283) 
01:10:32.731 [  575.374120] ? dst_destroy (net/core/dst.c:118) 
01:10:32.733 [  575.374987] dst_destroy (net/core/dst.c:118) 
01:10:32.736 [  575.375769] ? dst_destroy (net/core/dst.c:137) 
01:10:32.964 [  575.376612] rcu_core (kernel/rcu/tree.c:2535) 
01:10:33.361 [  575.377367] ? call_rcu (kernel/rcu/tree.c:2733) 
01:10:33.733 [  575.378146] ? rcu_read_lock_sched_held (./include/linux/lockdep.h:283) 
01:10:33.959 [  575.379174] ? rcu_read_lock_bh_held (kernel/rcu/update.c:120) 
01:10:34.349 [  575.380170] __do_softirq (kernel/softirq.c:558) 
01:10:34.678 [  575.381008] irq_exit_rcu (kernel/softirq.c:432) 
01:10:35.058 [  575.381824] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1097 (discriminator 14)) 
01:10:35.452 [  575.382900]  </IRQ>
01:10:35.453 [  575.383387]  <TASK>
01:10:35.453 [  575.383883] asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645) 
01:10:35.864 [  575.385033] RIP: 0010:default_idle (arch/x86/kernel/process.c:734) 
01:10:36.232 [ 575.386001] Code: e2 48 89 ef 31 f6 5d 41 5c e9 3c 0a 29 ff cc cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00 00 eb 07 0f 00 2d e2 0d 47 00 fb f4 <c3> 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00 41
01:10:36.249 All code
01:10:36.281 ========
01:10:36.281    0:	e2 48                	loop   0x4a
01:10:36.281    2:	89 ef                	mov    %ebp,%edi
01:10:36.281    4:	31 f6                	xor    %esi,%esi
01:10:36.281    6:	5d                   	pop    %rbp
01:10:36.281    7:	41 5c                	pop    %r12
01:10:36.281    9:	e9 3c 0a 29 ff       	jmpq   0xffffffffff290a4a
01:10:36.281    e:	cc                   	int3   
01:10:36.281    f:	cc                   	int3   
01:10:36.281   10:	cc                   	int3   
01:10:36.281   11:	cc                   	int3   
01:10:36.281   12:	cc                   	int3   
01:10:36.281   13:	cc                   	int3   
01:10:36.281   14:	cc                   	int3   
01:10:36.281   15:	cc                   	int3   
01:10:36.281   16:	cc                   	int3   
01:10:36.281   17:	cc                   	int3   
01:10:36.281   18:	cc                   	int3   
01:10:36.281   19:	cc                   	int3   
01:10:36.281   1a:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
01:10:36.281   1f:	eb 07                	jmp    0x28
01:10:36.281   21:	0f 00 2d e2 0d 47 00 	verw   0x470de2(%rip)        # 0x470e0a
01:10:36.281   28:	fb                   	sti    
01:10:36.281   29:	f4                   	hlt    
01:10:36.281   2a:*	c3                   	retq   		<-- trapping instruction
01:10:36.281   2b:	66 66 2e 0f 1f 84 00 	data16 nopw %cs:0x0(%rax,%rax,1)
01:10:36.281   32:	00 00 00 00 
01:10:36.281   36:	0f 1f 40 00          	nopl   0x0(%rax)
01:10:36.281   3a:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
01:10:36.281   3f:	41                   	rex.B
01:10:36.281 
01:10:36.281 Code starting with the faulting instruction
01:10:36.282 ===========================================
01:10:36.282    0:	c3                   	retq   
01:10:36.282    1:	66 66 2e 0f 1f 84 00 	data16 nopw %cs:0x0(%rax,%rax,1)
01:10:36.282    8:	00 00 00 00 
01:10:36.282    c:	0f 1f 40 00          	nopl   0x0(%rax)
01:10:36.282   10:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
01:10:36.282   15:	41                   	rex.B
01:10:36.282 [  575.390191] RSP: 0018:ffffffffa1607e40 EFLAGS: 00000202
01:10:36.284 [  575.391387] RAX: ffffffffa05ea070 RBX: 0000000000000000 RCX: ffffffffa05d8461
01:10:36.284 [  575.392958] RDX: 0000000000000000 RSI: ffffffffa0aa82e0 RDI: ffffffffa0c1aa40
01:10:36.284 [  575.394505] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed100d1491d3
01:10:36.284 [  575.396055] R10: ffff888068a48e93 R11: ffffed100d1491d2 R12: 0000000000000000
01:10:36.284 [  575.397610] R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffa1646640
01:10:36.284 [  575.399160] ? __cpuidle_text_start (arch/x86/kernel/process.c:732) 
01:10:36.615 [  575.400091] ? rcu_eqs_enter.constprop.0 (kernel/rcu/tree.c:644) 
01:10:37.011 [  575.401155] default_idle_call (./arch/x86/include/asm/irqflags.h:40) 
01:10:37.384 [  575.402064] do_idle (kernel/sched/idle.c:192) 
01:10:37.756 [  575.402829] ? arch_cpu_idle_exit+0x40/0x40
 
01:10:37.932 [  575.403778] cpu_startup_entry (kernel/sched/idle.c:399 (discriminator 1)) 
01:10:38.302 [  575.404680] start_kernel (init/main.c:1142) 
01:10:38.696 [  575.405535] secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:303) 
01:10:39.088 [  575.406728]  </TASK>
01:10:39.088 [  575.407247] 
01:10:39.088 [  575.407615] Allocated by task 6891:
01:10:39.089 [  575.408442] kasan_save_stack (mm/kasan/common.c:39) 
01:10:39.470 [  575.409301] __kasan_slab_alloc (mm/kasan/common.c:45) 
01:10:39.808 [  575.410190] kmem_cache_alloc (./include/linux/kasan.h:224) 
01:10:40.196 [  575.411057] copy_net_ns (./include/linux/slab.h:704) 
01:10:40.569 [  575.411836] create_new_namespaces.isra.0 (kernel/nsproxy.c:110) 
01:10:40.976 [  575.412946] unshare_nsproxy_namespaces (kernel/nsproxy.c:226 (discriminator 4)) 
01:10:41.376 [  575.413983] ksys_unshare (kernel/fork.c:3132) 
01:10:41.757 [  575.414802] __x64_sys_unshare (kernel/fork.c:3201) 
01:10:42.122 [  575.415682] do_syscall_64 (arch/x86/entry/common.c:50) 
01:10:42.491 [  575.416480] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115) 
01:10:42.861 [  575.417585] 
01:10:42.861 [  575.417931] Last potentially related work creation:
01:10:42.861 [  575.419006] kasan_save_stack (mm/kasan/common.c:39) 
01:10:42.864 [  575.419857] __kasan_record_aux_stack (mm/kasan/generic.c:348) 
01:10:43.198 [  575.420867] insert_work (./include/linux/instrumented.h:71) 
01:10:43.578 [  575.421656] __queue_work (kernel/workqueue.c:1520) 
01:10:43.934 [  575.422487] call_timer_fn (kernel/time/timer.c:1421) 
01:10:44.301 [  575.423316] run_timer_softirq (kernel/time/timer.c:1462) 
01:10:44.692 [  575.424255] __do_softirq (kernel/softirq.c:558) 
01:10:44.695 [  575.425112] 
01:10:44.695 [  575.425465] Second to last potentially related work creation:
01:10:44.695 [  575.426713] kasan_save_stack (mm/kasan/common.c:39) 
01:10:44.697 [  575.427565] __kasan_record_aux_stack (mm/kasan/generic.c:348) 
01:10:44.700 [  575.428579] insert_work (./include/linux/instrumented.h:71) 
01:10:44.703 [  575.429375] __queue_work (kernel/workqueue.c:1520) 
01:10:44.705 [  575.430214] call_timer_fn (kernel/time/timer.c:1421) 
01:10:44.708 [  575.431067] run_timer_softirq (kernel/time/timer.c:1462) 
01:10:44.710 [  575.431992] __do_softirq (kernel/softirq.c:558) 
01:10:44.713 [  575.432827] 
01:10:44.714 [  575.433175] The buggy address belongs to the object at ffff888004ae8000
01:10:44.714 [  575.433175]  which belongs to the cache net_namespace of size 5312
01:10:44.714 [  575.435937] The buggy address is located 2032 bytes inside of
01:10:44.714 [  575.435937]  5312-byte region [ffff888004ae8000, ffff888004ae94c0)
01:10:44.714 [  575.438570] 
01:10:44.714 [  575.438937] The buggy address belongs to the physical page:
01:10:44.714 [  575.440202] page:000000003d1ceaff refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888004ae8000 pfn:0x4ae8
01:10:44.715 [  575.442491] head:000000003d1ceaff order:3 compound_mapcount:0 compound_pincount:0
01:10:44.715 [  575.444111] flags: 0x100000000010200(slab|head|node=0|zone=1)
01:10:44.715 [  575.445370] raw: 0100000000010200 0000000000000000 dead000000000122 ffff888001264b40
01:10:44.715 [  575.447055] raw: ffff888004ae8000 0000000080050003 00000001ffffffff 0000000000000000
01:10:44.715 [  575.448739] page dumped because: kasan: bad access detected
01:10:44.715 [  575.449959] 


matttbe commented May 2, 2022

I didn't find an easy way to reproduce it but it looks like it is linked to 68822bd: if I revert this commit, I can no longer reproduce the use-after-free when I run:

run_kunit
run_selftest_one ./mptcp_connect.sh
run_selftest_one ./mptcp_join.sh -fesl

If I run only the last one or just the test 19/20, I don't have the issue.

But it should be fixed with 783d108dd71d97e4cac5fe8ce70ca43ed7dc7bb7. I just noticed the tree was no longer synced...


matttbe commented May 3, 2022

It seems we no longer have this issue, probably thanks to commit 783d108.

@matttbe matttbe closed this as completed May 3, 2022
MPTCP Bugs automation moved this from Needs triage to Closed May 3, 2022
@matttbe matttbe self-assigned this May 3, 2022
jenkins-tessares pushed a commit that referenced this issue Oct 13, 2023
Add a new test case which performs double query of the bpf_mprog through
libbpf API, but also via raw bpf(2) syscall. This is testing to gather
first the count and then in a subsequent probe the full information with
the program array without clearing passed structs in between.

  # ./vmtest.sh -- ./test_progs -t tc_opts
  [...]
  ./test_progs -t tc_opts
  [    1.398818] tsc: Refined TSC clocksource calibration: 3407.999 MHz
  [    1.400263] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fd336761, max_idle_ns: 440795243819 ns
  [    1.402734] clocksource: Switched to clocksource tsc
  [    1.426639] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.428112] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  #252     tc_opts_after:OK
  #253     tc_opts_append:OK
  #254     tc_opts_basic:OK
  #255     tc_opts_before:OK
  #256     tc_opts_chain_classic:OK
  #257     tc_opts_chain_mixed:OK
  #258     tc_opts_delete_empty:OK
  #259     tc_opts_demixed:OK
  #260     tc_opts_detach:OK
  #261     tc_opts_detach_after:OK
  #262     tc_opts_detach_before:OK
  #263     tc_opts_dev_cleanup:OK
  #264     tc_opts_invalid:OK
  #265     tc_opts_max:OK
  #266     tc_opts_mixed:OK
  #267     tc_opts_prepend:OK
  #268     tc_opts_query:OK            <--- (new test)
  #269     tc_opts_replace:OK
  #270     tc_opts_revision:OK
  Summary: 19/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20231006220655.1653-4-daniel@iogearbox.net
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
jenkins-tessares pushed a commit that referenced this issue Oct 13, 2023
Add a new test case to query on an empty bpf_mprog and pass the revision
directly into expected_revision for attachment to assert that this does
succeed.

  ./test_progs -t tc_opts
  [    1.406778] tsc: Refined TSC clocksource calibration: 3407.990 MHz
  [    1.408863] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fcaf6eb0, max_idle_ns: 440795321766 ns
  [    1.412419] clocksource: Switched to clocksource tsc
  [    1.428671] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.430260] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  #252     tc_opts_after:OK
  #253     tc_opts_append:OK
  #254     tc_opts_basic:OK
  #255     tc_opts_before:OK
  #256     tc_opts_chain_classic:OK
  #257     tc_opts_chain_mixed:OK
  #258     tc_opts_delete_empty:OK
  #259     tc_opts_demixed:OK
  #260     tc_opts_detach:OK
  #261     tc_opts_detach_after:OK
  #262     tc_opts_detach_before:OK
  #263     tc_opts_dev_cleanup:OK
  #264     tc_opts_invalid:OK
  #265     tc_opts_max:OK
  #266     tc_opts_mixed:OK
  #267     tc_opts_prepend:OK
  #268     tc_opts_query:OK
  #269     tc_opts_query_attach:OK     <--- (new test)
  #270     tc_opts_replace:OK
  #271     tc_opts_revision:OK
  Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20231006220655.1653-6-daniel@iogearbox.net
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
matttbe pushed a commit that referenced this issue Oct 27, 2023
Add several new test cases which assert corner cases on the mprog query
mechanism, for example, around passing in a too small or a larger array
than the current count.

  ./test_progs -t tc_opts
  #252     tc_opts_after:OK
  #253     tc_opts_append:OK
  #254     tc_opts_basic:OK
  #255     tc_opts_before:OK
  #256     tc_opts_chain_classic:OK
  #257     tc_opts_chain_mixed:OK
  #258     tc_opts_delete_empty:OK
  #259     tc_opts_demixed:OK
  #260     tc_opts_detach:OK
  #261     tc_opts_detach_after:OK
  #262     tc_opts_detach_before:OK
  #263     tc_opts_dev_cleanup:OK
  #264     tc_opts_invalid:OK
  #265     tc_opts_max:OK
  #266     tc_opts_mixed:OK
  #267     tc_opts_prepend:OK
  #268     tc_opts_query:OK
  #269     tc_opts_query_attach:OK
  #270     tc_opts_replace:OK
  #271     tc_opts_revision:OK
  Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Link: https://lore.kernel.org/bpf/20231017081728.24769-1-daniel@iogearbox.net