lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <202409301255.h6vAvBWG-lkp@intel.com>
Date: Mon, 30 Sep 2024 13:15:51 +0800
From: kernel test robot <lkp@...el.com>
To: Jordan Rife <jrife@...gle.com>, bpf@...r.kernel.org
Cc: oe-kbuild-all@...ts.linux.dev, Jordan Rife <jrife@...gle.com>,
	netdev@...r.kernel.org, Daniel Borkmann <daniel@...earbox.net>,
	Alexei Starovoitov <ast@...nel.org>,
	Andrii Nakryiko <andrii@...nel.org>,
	Martin KaFai Lau <martin.lau@...ux.dev>,
	Kui-Feng Lee <thinker.li@...il.com>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	stable@...r.kernel.org
Subject: Re: [PATCH v1] bpf: Prevent infinite loops with bpf_redirect_peer

Hi Jordan,

kernel test robot noticed the following build warnings:

[auto build test WARNING on bpf-next/master]
[also build test WARNING on bpf/master net/main net-next/main linus/master v6.12-rc1 next-20240927]
[cannot apply to horms-ipvs/master]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Jordan-Rife/bpf-Prevent-infinite-loops-with-bpf_redirect_peer/20240930-010356
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git master
patch link:    https://lore.kernel.org/r/20240929170219.1881536-1-jrife%40google.com
patch subject: [PATCH v1] bpf: Prevent infinite loops with bpf_redirect_peer
config: openrisc-defconfig (https://download.01.org/0day-ci/archive/20240930/202409301255.h6vAvBWG-lkp@intel.com/config)
compiler: or1k-linux-gcc (GCC) 14.1.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240930/202409301255.h6vAvBWG-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@...el.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202409301255.h6vAvBWG-lkp@intel.com/

All warnings (new ones prefixed by >>):

   net/core/dev.c: In function '__netif_receive_skb_core':
>> net/core/dev.c:5458:13: warning: unused variable 'loops' [-Wunused-variable]
    5458 |         int loops = 0;
         |             ^~~~~


vim +/loops +5458 net/core/dev.c

  5448	
  5449	static int __netif_receive_skb_core(struct sk_buff **pskb, bool pfmemalloc,
  5450					    struct packet_type **ppt_prev)
  5451	{
  5452		struct packet_type *ptype, *pt_prev;
  5453		rx_handler_func_t *rx_handler;
  5454		struct sk_buff *skb = *pskb;
  5455		struct net_device *orig_dev;
  5456		bool deliver_exact = false;
  5457		int ret = NET_RX_DROP;
> 5458		int loops = 0;
  5459		__be16 type;
  5460	
  5461		net_timestamp_check(!READ_ONCE(net_hotdata.tstamp_prequeue), skb);
  5462	
  5463		trace_netif_receive_skb(skb);
  5464	
  5465		orig_dev = skb->dev;
  5466	
  5467		skb_reset_network_header(skb);
  5468		if (!skb_transport_header_was_set(skb))
  5469			skb_reset_transport_header(skb);
  5470		skb_reset_mac_len(skb);
  5471	
  5472		pt_prev = NULL;
  5473	
  5474	another_round:
  5475		skb->skb_iif = skb->dev->ifindex;
  5476	
  5477		__this_cpu_inc(softnet_data.processed);
  5478	
  5479		if (static_branch_unlikely(&generic_xdp_needed_key)) {
  5480			int ret2;
  5481	
  5482			migrate_disable();
  5483			ret2 = do_xdp_generic(rcu_dereference(skb->dev->xdp_prog),
  5484					      &skb);
  5485			migrate_enable();
  5486	
  5487			if (ret2 != XDP_PASS) {
  5488				ret = NET_RX_DROP;
  5489				goto out;
  5490			}
  5491		}
  5492	
  5493		if (eth_type_vlan(skb->protocol)) {
  5494			skb = skb_vlan_untag(skb);
  5495			if (unlikely(!skb))
  5496				goto out;
  5497		}
  5498	
  5499		if (skb_skip_tc_classify(skb))
  5500			goto skip_classify;
  5501	
  5502		if (pfmemalloc)
  5503			goto skip_taps;
  5504	
  5505		list_for_each_entry_rcu(ptype, &net_hotdata.ptype_all, list) {
  5506			if (pt_prev)
  5507				ret = deliver_skb(skb, pt_prev, orig_dev);
  5508			pt_prev = ptype;
  5509		}
  5510	
  5511		list_for_each_entry_rcu(ptype, &skb->dev->ptype_all, list) {
  5512			if (pt_prev)
  5513				ret = deliver_skb(skb, pt_prev, orig_dev);
  5514			pt_prev = ptype;
  5515		}
  5516	
  5517	skip_taps:
  5518	#ifdef CONFIG_NET_INGRESS
  5519		if (static_branch_unlikely(&ingress_needed_key)) {
  5520			bool another = false;
  5521	
  5522			nf_skip_egress(skb, true);
  5523			skb = sch_handle_ingress(skb, &pt_prev, &ret, orig_dev,
  5524						 &another);
  5525			if (another) {
  5526				loops++;
  5527				if (unlikely(loops == RX_LOOP_LIMIT)) {
  5528					ret = NET_RX_DROP;
  5529					net_crit_ratelimited("bpf: loop limit reached on datapath, buggy bpf program?\n");
  5530					goto out;
  5531				}
  5532	
  5533				goto another_round;
  5534			}
  5535			if (!skb)
  5536				goto out;
  5537	
  5538			nf_skip_egress(skb, false);
  5539			if (nf_ingress(skb, &pt_prev, &ret, orig_dev) < 0)
  5540				goto out;
  5541		}
  5542	#endif
  5543		skb_reset_redirect(skb);
  5544	skip_classify:
  5545		if (pfmemalloc && !skb_pfmemalloc_protocol(skb))
  5546			goto drop;
  5547	
  5548		if (skb_vlan_tag_present(skb)) {
  5549			if (pt_prev) {
  5550				ret = deliver_skb(skb, pt_prev, orig_dev);
  5551				pt_prev = NULL;
  5552			}
  5553			if (vlan_do_receive(&skb))
  5554				goto another_round;
  5555			else if (unlikely(!skb))
  5556				goto out;
  5557		}
  5558	
  5559		rx_handler = rcu_dereference(skb->dev->rx_handler);
  5560		if (rx_handler) {
  5561			if (pt_prev) {
  5562				ret = deliver_skb(skb, pt_prev, orig_dev);
  5563				pt_prev = NULL;
  5564			}
  5565			switch (rx_handler(&skb)) {
  5566			case RX_HANDLER_CONSUMED:
  5567				ret = NET_RX_SUCCESS;
  5568				goto out;
  5569			case RX_HANDLER_ANOTHER:
  5570				goto another_round;
  5571			case RX_HANDLER_EXACT:
  5572				deliver_exact = true;
  5573				break;
  5574			case RX_HANDLER_PASS:
  5575				break;
  5576			default:
  5577				BUG();
  5578			}
  5579		}
  5580	
  5581		if (unlikely(skb_vlan_tag_present(skb)) && !netdev_uses_dsa(skb->dev)) {
  5582	check_vlan_id:
  5583			if (skb_vlan_tag_get_id(skb)) {
  5584				/* Vlan id is non 0 and vlan_do_receive() above couldn't
  5585				 * find vlan device.
  5586				 */
  5587				skb->pkt_type = PACKET_OTHERHOST;
  5588			} else if (eth_type_vlan(skb->protocol)) {
  5589				/* Outer header is 802.1P with vlan 0, inner header is
  5590				 * 802.1Q or 802.1AD and vlan_do_receive() above could
  5591				 * not find vlan dev for vlan id 0.
  5592				 */
  5593				__vlan_hwaccel_clear_tag(skb);
  5594				skb = skb_vlan_untag(skb);
  5595				if (unlikely(!skb))
  5596					goto out;
  5597				if (vlan_do_receive(&skb))
  5598					/* After stripping off 802.1P header with vlan 0
  5599					 * vlan dev is found for inner header.
  5600					 */
  5601					goto another_round;
  5602				else if (unlikely(!skb))
  5603					goto out;
  5604				else
  5605					/* We have stripped outer 802.1P vlan 0 header.
  5606					 * But could not find vlan dev.
  5607					 * check again for vlan id to set OTHERHOST.
  5608					 */
  5609					goto check_vlan_id;
  5610			}
  5611			/* Note: we might in the future use prio bits
  5612			 * and set skb->priority like in vlan_do_receive()
  5613			 * For the time being, just ignore Priority Code Point
  5614			 */
  5615			__vlan_hwaccel_clear_tag(skb);
  5616		}
  5617	
  5618		type = skb->protocol;
  5619	
  5620		/* deliver only exact match when indicated */
  5621		if (likely(!deliver_exact)) {
  5622			deliver_ptype_list_skb(skb, &pt_prev, orig_dev, type,
  5623					       &ptype_base[ntohs(type) &
  5624							   PTYPE_HASH_MASK]);
  5625		}
  5626	
  5627		deliver_ptype_list_skb(skb, &pt_prev, orig_dev, type,
  5628				       &orig_dev->ptype_specific);
  5629	
  5630		if (unlikely(skb->dev != orig_dev)) {
  5631			deliver_ptype_list_skb(skb, &pt_prev, orig_dev, type,
  5632					       &skb->dev->ptype_specific);
  5633		}
  5634	
  5635		if (pt_prev) {
  5636			if (unlikely(skb_orphan_frags_rx(skb, GFP_ATOMIC)))
  5637				goto drop;
  5638			*ppt_prev = pt_prev;
  5639		} else {
  5640	drop:
  5641			if (!deliver_exact)
  5642				dev_core_stats_rx_dropped_inc(skb->dev);
  5643			else
  5644				dev_core_stats_rx_nohandler_inc(skb->dev);
  5645			kfree_skb_reason(skb, SKB_DROP_REASON_UNHANDLED_PROTO);
  5646			/* Jamal, now you will not able to escape explaining
  5647			 * me how you were going to use this. :-)
  5648			 */
  5649			ret = NET_RX_DROP;
  5650		}
  5651	
  5652	out:
  5653		/* The invariant here is that if *ppt_prev is not NULL
  5654		 * then skb should also be non-NULL.
  5655		 *
  5656		 * Apparently *ppt_prev assignment above holds this invariant due to
  5657		 * skb dereferencing near it.
  5658		 */
  5659		*pskb = skb;
  5660		return ret;
  5661	}
  5662	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ