Message-ID: <202602060101.PefMJeTB-lkp@intel.com>
Date: Fri, 6 Feb 2026 01:58:32 +0800
From: kernel test robot <lkp@...el.com>
To: Feng Yang <yangfeng59949@....com>, davem@...emloft.net,
	edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
	horms@...nel.org
Cc: oe-kbuild-all@...ts.linux.dev, bpf@...r.kernel.org,
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] bpf: test_run: Fix the null pointer dereference issue
 in bpf_lwt_xmit_push_encap

Hi Feng,

kernel test robot noticed the following build warnings:

[auto build test WARNING on bpf-next/net]
[also build test WARNING on bpf-next/master bpf/master net-next/main net/main linus/master v6.19-rc8 next-20260205]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Feng-Yang/bpf-test_run-Fix-the-null-pointer-dereference-issue-in-bpf_lwt_xmit_push_encap/20260205-172527
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git net
patch link:    https://lore.kernel.org/r/20260205092227.126665-1-yangfeng59949%40163.com
patch subject: [PATCH v2] bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap
config: hexagon-randconfig-r132-20260205 (https://download.01.org/0day-ci/archive/20260206/202602060101.PefMJeTB-lkp@intel.com/config)
compiler: clang version 19.1.7 (https://github.com/llvm/llvm-project cd708029e0b2869e80abe31ddb175f7c35361f90)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260206/202602060101.PefMJeTB-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@...el.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202602060101.PefMJeTB-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
   net/bpf/test_run.c:617:18: sparse: sparse: symbol 'bpf_kfunc_call_test_release_dtor' was not declared. Should it be static?
   net/bpf/test_run.c:627:18: sparse: sparse: symbol 'bpf_kfunc_call_memb_release_dtor' was not declared. Should it be static?
>> net/bpf/test_run.c:984:18: sparse: sparse: symbol 'bpf_test_run_lwt_xmit_dst' was not declared. Should it be static?

vim +/bpf_test_run_lwt_xmit_dst +984 net/bpf/test_run.c

   983	
 > 984	struct dst_entry bpf_test_run_lwt_xmit_dst;
      	/*
      	 * NOTE(review): bpf_test_run_lwt_xmit_dst (declared on the line above)
      	 * is defined at file scope without 'static' and without a prior
      	 * declaration, which is what the sparse warning reports. If nothing
      	 * outside this file refers to it, it should be static.
      	 *
      	 * It is one object for the whole file: bpf_prog_test_run_skb() writes
      	 * its .dev field and attaches it to the test skb for
      	 * BPF_PROG_TYPE_LWT_XMIT. No lock or per-call copy is visible in this
      	 * listing, so test runs executing at the same time would presumably
      	 * share and overwrite it - confirm how callers are serialized.
      	 */
   985	int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
   986				  union bpf_attr __user *uattr)
   987	{
      		/*
      		 * Test-run handler for skb-based program types: builds an skb from
      		 * the caller-described test input in kattr->test, runs prog through
      		 * bpf_test_run(), then passes the resulting packet and context to
      		 * bpf_test_finish() and bpf_ctx_finish().
      		 *
      		 * Returns a negative errno on the failure paths below, otherwise the
      		 * result of bpf_test_finish()/bpf_ctx_finish(). Once ctx has been
      		 * set up, every exit goes through the out: label, which releases
      		 * dev (if not the loopback device), skb, data, sk and ctx.
      		 */
   988		bool is_l2 = false, is_direct_pkt_access = false, is_lwt = false;
   989		u32 tailroom = SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
   990		struct net *net = current->nsproxy->net_ns;
   991		struct net_device *dev = net->loopback_dev;
   992		u32 headroom = NET_SKB_PAD + NET_IP_ALIGN;
   993		u32 linear_sz = kattr->test.data_size_in;
   994		u32 repeat = kattr->test.repeat;
   995		struct __sk_buff *ctx = NULL;
   996		struct sk_buff *skb = NULL;
   997		struct sock *sk = NULL;
   998		u32 retval, duration;
   999		int hh_len = ETH_HLEN;
  1000		void *data = NULL;
  1001		int ret;
  1002	
      		/*
      		 * Only BPF_F_TEST_SKB_CHECKSUM_COMPLETE is accepted as a flag; the
      		 * cpu and batch_size fields must be zero for this runner.
      		 */
  1003		if ((kattr->test.flags & ~BPF_F_TEST_SKB_CHECKSUM_COMPLETE) ||
  1004		    kattr->test.cpu || kattr->test.batch_size)
  1005			return -EINVAL;
  1006	
      		/* The input must be at least ETH_HLEN bytes long. */
  1007		if (kattr->test.data_size_in < ETH_HLEN)
  1008			return -EINVAL;
  1009	
      		/*
      		 * Per program type: is_l2 makes the run see the skb with hh_len
      		 * bytes pushed back in front, is_direct_pkt_access triggers
      		 * bpf_compute_data_pointers(), and is_lwt makes a ctx->data_end
      		 * request fail below.
      		 */
  1010		switch (prog->type) {
  1011		case BPF_PROG_TYPE_SCHED_CLS:
  1012		case BPF_PROG_TYPE_SCHED_ACT:
  1013			is_direct_pkt_access = true;
  1014			is_l2 = true;
  1015			break;
  1016		case BPF_PROG_TYPE_LWT_IN:
  1017		case BPF_PROG_TYPE_LWT_OUT:
  1018		case BPF_PROG_TYPE_LWT_XMIT:
  1019			is_lwt = true;
  1020			fallthrough;
  1021		case BPF_PROG_TYPE_CGROUP_SKB:
  1022			is_direct_pkt_access = true;
  1023			break;
  1024		default:
  1025			break;
  1026		}
  1027	
      		/*
      		 * bpf_ctx_init() may return NULL as well as an error pointer (the
      		 * code below tests for both); presumably NULL means no input
      		 * context was supplied - confirm against bpf_ctx_init().
      		 */
  1028		ctx = bpf_ctx_init(kattr, sizeof(struct __sk_buff));
  1029		if (IS_ERR(ctx))
  1030			return PTR_ERR(ctx);
  1031	
  1032		if (ctx) {
      			/*
      			 * Caller-controlled fields: data_end may not exceed the
      			 * supplied input size, and data/data_meta must be zero.
      			 */
  1033			if (ctx->data_end > kattr->test.data_size_in || ctx->data || ctx->data_meta) {
  1034				ret = -EINVAL;
  1035				goto out;
  1036			}
  1037			if (ctx->data_end) {
  1038				/* Non-linear LWT test_run is unsupported for now. */
  1039				if (is_lwt) {
  1040					ret = -EINVAL;
  1041					goto out;
  1042				}
      				/* A non-zero data_end sets the linear size, never below ETH_HLEN. */
  1043				linear_sz = max(ETH_HLEN, ctx->data_end);
  1044			}
  1045		}
  1046	
      		/* Clamp so that headroom + linear data + tailroom fit in PAGE_SIZE. */
  1047		linear_sz = min_t(u32, linear_sz, PAGE_SIZE - headroom - tailroom);
  1048	
  1049		data = bpf_test_init(kattr, linear_sz, linear_sz, headroom, tailroom);
  1050		if (IS_ERR(data)) {
  1051			ret = PTR_ERR(data);
      			/* Reset so that kfree(data) at out: does not see an error pointer. */
  1052			data = NULL;
  1053			goto out;
  1054		}
  1055	
      		/* A socket using bpf_dummy_proto is allocated and attached as skb->sk. */
  1056		sk = sk_alloc(net, AF_UNSPEC, GFP_USER, &bpf_dummy_proto, 1);
  1057		if (!sk) {
  1058			ret = -ENOMEM;
  1059			goto out;
  1060		}
  1061		sock_init_data(NULL, sk);
  1062	
      		/* If this fails, data is still owned here and is freed by kfree(data) at out:. */
  1063		skb = slab_build_skb(data);
  1064		if (!skb) {
  1065			ret = -ENOMEM;
  1066			goto out;
  1067		}
  1068		skb->sk = sk;
  1069	
  1070		data = NULL; /* data released via kfree_skb */
  1071	
  1072		skb_reserve(skb, NET_SKB_PAD + NET_IP_ALIGN);
  1073		__skb_put(skb, linear_sz);
  1074	
      		/*
      		 * Input beyond the linear area is copied from user memory into page
      		 * fragments, at most PAGE_SIZE bytes per fragment and at most
      		 * MAX_SKB_FRAGS fragments.
      		 */
  1075		if (unlikely(kattr->test.data_size_in > linear_sz)) {
  1076			void __user *data_in = u64_to_user_ptr(kattr->test.data_in);
  1077			struct skb_shared_info *sinfo = skb_shinfo(skb);
  1078			u32 copied = linear_sz;
  1079	
  1080			while (copied < kattr->test.data_size_in) {
  1081				struct page *page;
  1082				u32 data_len;
  1083	
  1084				if (sinfo->nr_frags == MAX_SKB_FRAGS) {
  1085					ret = -ENOMEM;
  1086					goto out;
  1087				}
  1088	
  1089				page = alloc_page(GFP_KERNEL);
  1090				if (!page) {
  1091					ret = -ENOMEM;
  1092					goto out;
  1093				}
  1094	
  1095				data_len = min_t(u32, kattr->test.data_size_in - copied,
  1096						 PAGE_SIZE);
      				/*
      				 * The page is attached to the skb before the copy, so
      				 * the -EFAULT path has no separate page release and
      				 * relies on kfree_skb(skb) at out:.
      				 */
  1097				skb_fill_page_desc(skb, sinfo->nr_frags, page, 0, data_len);
  1098	
  1099				if (copy_from_user(page_address(page), data_in + copied,
  1100						   data_len)) {
  1101					ret = -EFAULT;
  1102					goto out;
  1103				}
  1104				skb->data_len += data_len;
  1105				skb->truesize += PAGE_SIZE;
  1106				skb->len += data_len;
  1107				copied += data_len;
  1108			}
  1109		}
  1110	
      		/*
      		 * A ctx->ifindex above 1 replaces the default loopback device with
      		 * one looked up in the caller's net namespace; out: calls dev_put()
      		 * only for such a non-loopback dev.
      		 */
  1111		if (ctx && ctx->ifindex > 1) {
  1112			dev = dev_get_by_index(net, ctx->ifindex);
  1113			if (!dev) {
  1114				ret = -ENODEV;
  1115				goto out;
  1116			}
  1117		}
  1118		skb->protocol = eth_type_trans(skb, dev);
  1119		skb_reset_network_header(skb);
  1120	
      		/*
      		 * Fill the socket's family and addresses from the packet, reading
      		 * the IP header only when all of it lies in the linear area.
      		 */
  1121		switch (skb->protocol) {
  1122		case htons(ETH_P_IP):
  1123			sk->sk_family = AF_INET;
  1124			if (sizeof(struct iphdr) <= skb_headlen(skb)) {
  1125				sk->sk_rcv_saddr = ip_hdr(skb)->saddr;
  1126				sk->sk_daddr = ip_hdr(skb)->daddr;
  1127			}
  1128			break;
  1129	#if IS_ENABLED(CONFIG_IPV6)
  1130		case htons(ETH_P_IPV6):
  1131			sk->sk_family = AF_INET6;
  1132			if (sizeof(struct ipv6hdr) <= skb_headlen(skb)) {
  1133				sk->sk_v6_rcv_saddr = ipv6_hdr(skb)->saddr;
  1134				sk->sk_v6_daddr = ipv6_hdr(skb)->daddr;
  1135			}
  1136			break;
  1137	#endif
  1138		default:
  1139			break;
  1140		}
  1141	
  1142		if (is_l2)
  1143			__skb_push(skb, hh_len);
  1144		if (is_direct_pkt_access)
  1145			bpf_compute_data_pointers(skb);
  1146	
  1147		ret = convert___skb_to_skb(skb, ctx);
  1148		if (ret)
  1149			goto out;
  1150	
      		/* Record a checksum from the network header onward before the run. */
  1151		if (kattr->test.flags & BPF_F_TEST_SKB_CHECKSUM_COMPLETE) {
  1152			const int off = skb_network_offset(skb);
  1153			int len = skb->len - off;
  1154	
  1155			skb->csum = skb_checksum(skb, off, len, 0);
  1156			skb->ip_summed = CHECKSUM_COMPLETE;
  1157		}
  1158	
      		/*
      		 * LWT_XMIT programs get a dst attached for the duration of the run;
      		 * it is detached again before the error check so that kfree_skb()
      		 * at out: never sees it.
      		 *
      		 * NOTE(review): bpf_test_run_lwt_xmit_dst is a single file-scope
      		 * object and .dev is written here with no lock visible in this
      		 * listing, so overlapping test runs using different devices would
      		 * overwrite each other's value - confirm serialization or use a
      		 * per-call dst. No initialisation of the dst other than .dev is
      		 * visible here; confirm that nothing reached during the run drops,
      		 * replaces or takes a reference on the skb's dst. .dev also keeps
      		 * pointing at dev after out: has called dev_put() on a non-loopback
      		 * device, so it must not be read before the next assignment.
      		 */
  1159		if (prog->type == BPF_PROG_TYPE_LWT_XMIT) {
  1160			bpf_test_run_lwt_xmit_dst.dev = dev;
  1161			skb_dst_set(skb, &bpf_test_run_lwt_xmit_dst);
  1162		}
  1163		ret = bpf_test_run(prog, skb, repeat, &retval, &duration, false);
  1164		if (prog->type == BPF_PROG_TYPE_LWT_XMIT)
  1165			skb_dst_set(skb, NULL);
  1166		if (ret)
  1167			goto out;
      		/*
      		 * When the run did not include the hh_len header bytes, push hh_len
      		 * zeroed bytes in front of the data, growing the headroom first if
      		 * it is now too small.
      		 */
  1168		if (!is_l2) {
  1169			if (skb_headroom(skb) < hh_len) {
  1170				int nhead = HH_DATA_ALIGN(hh_len - skb_headroom(skb));
  1171	
  1172				if (pskb_expand_head(skb, nhead, 0, GFP_USER)) {
  1173					ret = -ENOMEM;
  1174					goto out;
  1175				}
  1176			}
  1177			memset(__skb_push(skb, hh_len), 0, hh_len);
  1178		}
  1179	
      		/*
      		 * Recompute the checksum after the run and compare its folded value
      		 * with the folded skb->csum; a mismatch fails with -EBADMSG.
      		 */
  1180		if (kattr->test.flags & BPF_F_TEST_SKB_CHECKSUM_COMPLETE) {
  1181			const int off = skb_network_offset(skb);
  1182			int len = skb->len - off;
  1183			__wsum csum;
  1184	
  1185			csum = skb_checksum(skb, off, len, 0);
  1186	
  1187			if (csum_fold(skb->csum) != csum_fold(csum)) {
  1188				ret = -EBADMSG;
  1189				goto out;
  1190			}
  1191		}
  1192	
  1193		convert_skb_to___skb(skb, ctx);
  1194	
  1195		if (skb_is_nonlinear(skb))
  1196			/* bpf program can never convert linear skb to non-linear */
  1197			WARN_ON_ONCE(linear_sz == kattr->test.data_size_in);
  1198		ret = bpf_test_finish(kattr, uattr, skb->data, skb_shinfo(skb), skb->len,
  1199				      skb->data_len, retval, duration);
  1200		if (!ret)
  1201			ret = bpf_ctx_finish(kattr, uattr, ctx,
  1202					     sizeof(struct __sk_buff));
  1203	out:
      		/*
      		 * Common cleanup. skb, data and ctx are NULL on the paths that never
      		 * set them; sk is checked explicitly before sk_free().
      		 */
  1204		if (dev && dev != net->loopback_dev)
  1205			dev_put(dev);
  1206		kfree_skb(skb);
  1207		kfree(data);
  1208		if (sk)
  1209			sk_free(sk);
  1210		kfree(ctx);
  1211		return ret;
  1212	}
  1213	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
