lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5af7b3b9-3ee1-4ef6-8431-72b40445eacd@linux.dev>
Date: Wed, 1 Oct 2025 13:26:03 -0700
From: Ihor Solodrai <ihor.solodrai@...ux.dev>
To: Octavian Purdila <tavip@...gle.com>, kuba@...nel.org
Cc: davem@...emloft.net, edumazet@...gle.com, pabeni@...hat.com,
 horms@...nel.org, ast@...nel.org, daniel@...earbox.net, hawk@...nel.org,
 john.fastabend@...il.com, sdf@...ichev.me, kuniyu@...gle.com,
 aleksander.lobakin@...el.com, maciej.fijalkowski@...el.com, toke@...hat.com,
 lorenzo@...nel.org, netdev@...r.kernel.org, bpf@...r.kernel.org,
 syzbot+ff145014d6b0ce64a173@...kaller.appspotmail.com,
 Kernel Team <kernel-team@...a.com>
Subject: Re: [PATCH net v2] xdp: update mem type when page pool is used for
 generic XDP

On 10/1/25 12:47 AM, Octavian Purdila wrote:
> When a BPF program that supports BPF_F_XDP_HAS_FRAGS is issuing
> bpf_xdp_adjust_tail and a large packet is injected via /dev/net/tun a
> crash occurs due to detecting a bad page state (page_pool leak).
> 
> This is because xdp_buff does not record the type of memory and
> instead relies on the netdev receive queue xdp info. Since
> netif_alloc_rx_queues only calls xdp_rxq_info_reg mem.type is going to
> be set to MEM_TYPE_PAGE_SHARED. So shrinking will eventually call
> page_frag_free. But with current multi-buff support for
> BPF_F_XDP_HAS_FRAGS programs buffers are allocated via the page pool
> in skb_cow_data_for_xdp.
> 
> To fix this issue use the same approach that is used in
> cpu_map_bpf_prog_run_xdp: declare an xdp_rxq_info structure on the
> stack instead of using the xdp_rxq_info structure from the netdev rx
> queue. And update mem.type to reflect how the buffers are allocated,
> in this case to MEM_TYPE_PAGE_POOL if skb_cow_data_for_xdp is used.
> 
> Reported-by: syzbot+ff145014d6b0ce64a173@...kaller.appspotmail.com
> Closes: https://lore.kernel.org/netdev/6756c37b.050a0220.a30f1.019a.GAE@google.com/
> Fixes: e6d5dbdd20aa ("xdp: add multi-buff support for xdp running in generic mode")
> Signed-off-by: Octavian Purdila <tavip@...gle.com>
> ---
> 
> v2:
> - use a local xdp_rxq_info structure and update mem.type instead of
>   skipping using page pool if the netdev xdp_rxq_info is not set to
>   MEM_TYPE_PAGE_POOL (which is always the case currently)
> v1: https://lore.kernel.org/netdev/20250924060843.2280499-1-tavip@google.com/
> 
>  include/linux/netdevice.h |  4 +++-
>  kernel/bpf/cpumap.c       |  2 +-
>  kernel/bpf/devmap.c       |  2 +-
>  net/core/dev.c            | 32 +++++++++++++++++++++-----------
>  4 files changed, 26 insertions(+), 14 deletions(-)
> 
> diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
> index f3a3b761abfb..41585414e45c 100644
> --- a/include/linux/netdevice.h
> +++ b/include/linux/netdevice.h
> @@ -78,6 +78,7 @@ struct udp_tunnel_nic_info;
>  struct udp_tunnel_nic;
>  struct bpf_prog;
>  struct xdp_buff;
> +struct xdp_rxq_info;
>  struct xdp_frame;
>  struct xdp_metadata_ops;
>  struct xdp_md;
> @@ -4149,7 +4150,8 @@ static inline void dev_consume_skb_any(struct sk_buff *skb)
>  }
>  
>  u32 bpf_prog_run_generic_xdp(struct sk_buff *skb, struct xdp_buff *xdp,
> -			     const struct bpf_prog *xdp_prog);
> +			     const struct bpf_prog *xdp_prog,
> +			     struct xdp_rxq_info *rxq);
>  void generic_xdp_tx(struct sk_buff *skb, const struct bpf_prog *xdp_prog);
>  int do_xdp_generic(const struct bpf_prog *xdp_prog, struct sk_buff **pskb);
>  int netif_rx(struct sk_buff *skb);
> diff --git a/kernel/bpf/cpumap.c b/kernel/bpf/cpumap.c
> index c46360b27871..a057a58ba969 100644
> --- a/kernel/bpf/cpumap.c
> +++ b/kernel/bpf/cpumap.c
> @@ -145,7 +145,7 @@ static u32 cpu_map_bpf_prog_run_skb(struct bpf_cpu_map_entry *rcpu,
>  	for (u32 i = 0; i < skb_n; i++) {
>  		struct sk_buff *skb = skbs[i];
>  
> -		act = bpf_prog_run_generic_xdp(skb, &xdp, rcpu->prog);
> +		act = bpf_prog_run_generic_xdp(skb, &xdp, rcpu->prog, NULL);
>  		switch (act) {
>  		case XDP_PASS:
>  			skbs[pass++] = skb;
> diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
> index 482d284a1553..29459b79bacb 100644
> --- a/kernel/bpf/devmap.c
> +++ b/kernel/bpf/devmap.c
> @@ -512,7 +512,7 @@ static u32 dev_map_bpf_prog_run_skb(struct sk_buff *skb, struct bpf_dtab_netdev
>  	__skb_pull(skb, skb->mac_len);
>  	xdp.txq = &txq;
>  
> -	act = bpf_prog_run_generic_xdp(skb, &xdp, dst->xdp_prog);
> +	act = bpf_prog_run_generic_xdp(skb, &xdp, dst->xdp_prog, NULL);
>  	switch (act) {
>  	case XDP_PASS:
>  		__skb_push(skb, skb->mac_len);
> diff --git a/net/core/dev.c b/net/core/dev.c
> index 8d49b2198d07..365c43ffc9c1 100644
> --- a/net/core/dev.c
> +++ b/net/core/dev.c
> @@ -5230,10 +5230,10 @@ static struct netdev_rx_queue *netif_get_rxqueue(struct sk_buff *skb)
>  }
>  
>  u32 bpf_prog_run_generic_xdp(struct sk_buff *skb, struct xdp_buff *xdp,
> -			     const struct bpf_prog *xdp_prog)
> +			     const struct bpf_prog *xdp_prog,
> +			     struct xdp_rxq_info *rxq)
>  {
>  	void *orig_data, *orig_data_end, *hard_start;
> -	struct netdev_rx_queue *rxqueue;
>  	bool orig_bcast, orig_host;
>  	u32 mac_len, frame_sz;
>  	__be16 orig_eth_type;
> @@ -5251,8 +5251,9 @@ u32 bpf_prog_run_generic_xdp(struct sk_buff *skb, struct xdp_buff *xdp,
>  	frame_sz = (void *)skb_end_pointer(skb) - hard_start;
>  	frame_sz += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
>  
> -	rxqueue = netif_get_rxqueue(skb);
> -	xdp_init_buff(xdp, frame_sz, &rxqueue->xdp_rxq);
> +	if (!rxq)
> +		rxq = &netif_get_rxqueue(skb)->xdp_rxq;
> +	xdp_init_buff(xdp, frame_sz, rxq);
>  	xdp_prepare_buff(xdp, hard_start, skb_headroom(skb) - mac_len,
>  			 skb_headlen(skb) + mac_len, true);
>  	if (skb_is_nonlinear(skb)) {
> @@ -5331,17 +5332,23 @@ u32 bpf_prog_run_generic_xdp(struct sk_buff *skb, struct xdp_buff *xdp,
>  	return act;
>  }


Hi Octavian,

This patch seems to be causing a null pointer dereference.
See a splat caught by BPF CI below.

You might be able to reproduce with:

cd tools/testing/selftests/bpf
make test_progs
# in kernel with this patch
./test_progs -t xdp_veth

Reverting this commit mitigates the failure:
https://github.com/linux-netdev/testing-bpf-ci/commit/9e1eab63cd1bcbe37e205856f7ff7d1ad49669f5

Could you please take a look?


$ ./scripts/faddr2line ./net/core/dev.o bpf_prog_run_generic_xdp+0x536
bpf_prog_run_generic_xdp+0x536/0x1050:
__netif_receive_skb_list_core at /home/isolodrai/kernels/linux/./include/linux/filter.h:?

Splat:

2025-10-01T18:17:31.5122455Z #651     xdp_synproxy:OK
2025-10-01T18:17:42.3676827Z [  579.623193] BUG: kernel NULL pointer dereference, address: 00000000000000e0
2025-10-01T18:17:42.3679754Z [  579.623890] #PF: supervisor read access in kernel mode
2025-10-01T18:17:42.3683498Z [  579.624392] #PF: error_code(0x0000) - not-present page
2025-10-01T18:17:42.3685646Z [  579.624781] PGD 0 P4D 0
2025-10-01T18:17:42.3688931Z [  579.625000] Oops: Oops: 0000 [#1] SMP KASAN NOPTI
2025-10-01T18:17:42.3697156Z [  579.625326] CPU: 0 UID: 0 PID: 1027 Comm: kworker/0:7 Tainted: G        W  OE       6.17.0-rc7-g353b4dc5171a-dirty #1 PREEMPT(full)
2025-10-01T18:17:42.3701106Z [  579.626121] Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
2025-10-01T18:17:42.3707833Z [  579.626537] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
2025-10-01T18:17:42.3710307Z [  579.627196] Workqueue: mld mld_ifc_work
2025-10-01T18:17:42.3715764Z [  579.627466] RIP: 0010:bpf_prog_5933448505fe5d21_xdp_redirect_map_multi_prog+0x41/0xe9
2025-10-01T18:17:42.3730250Z [  579.627995] Code: 08 00 00 00 53 b8 01 00 00 00 48 8b 57 08 48 8b 77 00 48 89 f1 48 83 c1 0e 48 39 d1 0f 87 a9 00 00 00 48 8b 5f 20 48 8b 5b 00 <8b> 9b e0 00 00 00 48 0f b6 7e 0c 48 0f b6 76 0d c1 e6 08 09 fe 66
2025-10-01T18:17:42.3731737Z [  579.629231] RSP: 0018:ffffc90000007778 EFLAGS: 00010297
2025-10-01T18:17:42.3736558Z [  579.629602] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffff888107798110
2025-10-01T18:17:42.3741383Z [  579.630082] RDX: ffff88810779815c RSI: ffff888107798102 RDI: ffffc90000007948
2025-10-01T18:17:42.3746171Z [  579.630560] RBP: ffffc90000007788 R08: ffff888107798ee3 R09: 1ffff11020ef31dc
2025-10-01T18:17:42.3750937Z [  579.631039] R10: dffffc0000000000 R11: ffffed1020ef31dd R12: ffffc90000007948
2025-10-01T18:17:42.3755794Z [  579.631519] R13: 1ffff92000000f2a R14: dffffc0000000000 R15: ffffc9000316f060
2025-10-01T18:17:42.3761599Z [  579.631999] FS:  0000000000000000(0000) GS:ffff888162441000(0000) knlGS:0000000000000000
2025-10-01T18:17:42.3765107Z [  579.632539] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
2025-10-01T18:17:42.3769941Z [  579.632938] CR2: 00000000000000e0 CR3: 0000000105bae002 CR4: 0000000000770ef0
2025-10-01T18:17:42.3774730Z [  579.633421] DR0: 000055dd9fe121c0 DR1: 0000000000000000 DR2: 0000000000000000
2025-10-01T18:17:42.3779502Z [  579.633900] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
2025-10-01T18:17:42.3781786Z [  579.634376] PKRU: 55555554
2025-10-01T18:17:42.3784191Z [  579.634615] Call Trace:
2025-10-01T18:17:42.3786202Z [  579.634860]  <IRQ>
2025-10-01T18:17:42.3790811Z [  579.635060]  bpf_prog_run_generic_xdp+0x536/0x1040
2025-10-01T18:17:42.3794547Z [  579.635518]  do_xdp_generic+0x79f/0xe40
2025-10-01T18:17:42.3798463Z [  579.635910]  ? unwind_next_frame+0x1d06/0x25a0
2025-10-01T18:17:42.3802275Z [  579.636282]  ? do_xdp_generic+0x378/0xe40
2025-10-01T18:17:42.3805659Z [  579.636683]  ? __asan_memset+0x22/0x50
2025-10-01T18:17:42.3809203Z [  579.637005]  ? dl_server_update_idle_time+0x1e6/0x370
2025-10-01T18:17:42.3812506Z [  579.637376]  ? lock_is_held_type+0x95/0x130
2025-10-01T18:17:42.3817120Z [  579.637688]  __netif_receive_skb_core+0x113e/0x3110
2025-10-01T18:17:42.3821075Z [  579.638138]  ? __lock_acquire+0x5e5/0x2a80
2025-10-01T18:17:42.3824988Z [  579.638544]  ? lock_is_held_type+0x95/0x130
2025-10-01T18:17:42.3828694Z [  579.638940]  __netif_receive_skb+0x6d/0x310
2025-10-01T18:17:42.3832414Z [  579.639307]  ? lock_release+0xff/0x330
2025-10-01T18:17:42.3836338Z [  579.639677]  ? process_backlog+0x2de/0xf30
2025-10-01T18:17:42.3839804Z [  579.640068]  process_backlog+0x87b/0xf30
2025-10-01T18:17:42.3843676Z [  579.640420]  ? process_backlog+0x2de/0xf30
2025-10-01T18:17:42.3846948Z [  579.640805]  __napi_poll+0x98/0x2c0
2025-10-01T18:17:42.3851782Z [  579.641129]  ? lockdep_hardirqs_on_prepare+0x115/0x250
2025-10-01T18:17:42.3855038Z [  579.641635]  net_rx_action+0x404/0x9a0
2025-10-01T18:17:42.3858674Z [  579.641948]  handle_softirqs+0x24d/0x790
2025-10-01T18:17:42.3861893Z [  579.642329]  ? do_softirq+0x6f/0xb0
2025-10-01T18:17:42.3865863Z [  579.642641]  ? __dev_queue_xmit+0x12d/0x2640
2025-10-01T18:17:42.3869402Z [  579.643024]  do_softirq+0x6f/0xb0
2025-10-01T18:17:42.3870950Z [  579.643380]  </IRQ>
2025-10-01T18:17:42.3872470Z [  579.643532]  <TASK>
2025-10-01T18:17:42.3875951Z [  579.643685]  __local_bh_enable_ip+0x11d/0x160
2025-10-01T18:17:42.3879177Z [  579.644032]  ? __dev_queue_xmit+0x12d/0x2640
2025-10-01T18:17:42.3882770Z [  579.644374]  __dev_queue_xmit+0xd61/0x2640
2025-10-01T18:17:42.3886175Z [  579.644713]  ? __dev_queue_xmit+0x12d/0x2640
2025-10-01T18:17:42.3889313Z [  579.645055]  ? lock_acquire+0xef/0x260
2025-10-01T18:17:42.3894058Z [  579.645369]  ? ipv6_chk_mcast_addr+0x2c/0x610
2025-10-01T18:17:42.3897287Z [  579.645845]  ? lock_acquire+0xef/0x260
2025-10-01T18:17:42.3901267Z [  579.646164]  ? ip6_finish_output+0x2f9/0x7a0
2025-10-01T18:17:42.3905693Z [  579.646564]  ? ip6_finish_output2+0xd0c/0x1620
2025-10-01T18:17:42.3909956Z [  579.647006]  ip6_finish_output2+0xf64/0x1620
2025-10-01T18:17:42.3913138Z [  579.647433]  ip6_finish_output+0x2f9/0x7a0
2025-10-01T18:17:42.3915927Z [  579.647744]  ip6_output+0x22b/0x3b0
2025-10-01T18:17:42.3919351Z [  579.648032]  ? ip6_output+0xce/0x3b0
2025-10-01T18:17:42.3922445Z [  579.648375]  NF_HOOK+0xb6/0x320
2025-10-01T18:17:42.3926286Z [  579.648680]  ? __pfx_dst_output+0x10/0x10
2025-10-01T18:17:42.3929621Z [  579.649076]  mld_sendpack+0x574/0x930
2025-10-01T18:17:42.3933216Z [  579.649404]  ? mld_sendpack+0x113/0x930
2025-10-01T18:17:42.3936845Z [  579.649762]  mld_ifc_work+0x63c/0xa30
2025-10-01T18:17:42.3942035Z [  579.650121]  ? process_scheduled_works+0x768/0x1120
2025-10-01T18:17:42.3945976Z [  579.650637]  ? process_scheduled_works+0x768/0x1120
2025-10-01T18:17:42.3950095Z [  579.651033]  process_scheduled_works+0x7ec/0x1120
2025-10-01T18:17:42.3953728Z [  579.651451]  worker_thread+0x83e/0xca0
2025-10-01T18:17:42.3956821Z [  579.651802]  kthread+0x4fa/0x620
2025-10-01T18:17:42.3960308Z [  579.652144]  ? do_raw_spin_lock+0xdf/0x260
2025-10-01T18:17:42.3964376Z [  579.652469]  ? __pfx_worker_thread+0x10/0x10
2025-10-01T18:17:42.3968056Z [  579.652880]  ? __pfx_kthread+0x10/0x10
2025-10-01T18:17:42.3971233Z [  579.653241]  ret_from_fork+0x1f8/0x2f0
2025-10-01T18:17:42.3974717Z [  579.653562]  ? __pfx_kthread+0x10/0x10
2025-10-01T18:17:42.3978585Z [  579.653927]  ret_from_fork_asm+0x1a/0x30
2025-10-01T18:17:42.3980595Z [  579.654318]  </TASK>
2025-10-01T18:17:42.3987171Z [  579.654511] Modules linked in: bpf_testmod(OE) [last unloaded: bpf_test_no_cfi(OE)]
2025-10-01T18:17:42.3990310Z [  579.655141] CR2: 00000000000000e0
2025-10-01T18:17:42.3994781Z [  579.655471] ---[ end trace 0000000000000000 ]---
2025-10-01T18:17:42.4000455Z [  579.655917] RIP: 0010:bpf_prog_5933448505fe5d21_xdp_redirect_map_multi_prog+0x41/0xe9
2025-10-01T18:17:42.4015489Z [  579.656468] Code: 08 00 00 00 53 b8 01 00 00 00 48 8b 57 08 48 8b 77 00 48 89 f1 48 83 c1 0e 48 39 d1 0f 87 a9 00 00 00 48 8b 5f 20 48 8b 5b 00 <8b> 9b e0 00 00 00 48 0f b6 7e 0c 48 0f b6 76 0d c1 e6 08 09 fe 66
2025-10-01T18:17:42.4017037Z [  579.657759] RSP: 0018:ffffc90000007778 EFLAGS: 00010297
2025-10-01T18:17:42.4021865Z [  579.658131] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffff888107798110
2025-10-01T18:17:42.4026639Z [  579.658607] RDX: ffff88810779815c RSI: ffff888107798102 RDI: ffffc90000007948
2025-10-01T18:17:42.4031381Z [  579.659086] RBP: ffffc90000007788 R08: ffff888107798ee3 R09: 1ffff11020ef31dc
2025-10-01T18:17:42.4036164Z [  579.659563] R10: dffffc0000000000 R11: ffffed1020ef31dd R12: ffffc90000007948
2025-10-01T18:17:42.4040923Z [  579.660041] R13: 1ffff92000000f2a R14: dffffc0000000000 R15: ffffc9000316f060
2025-10-01T18:17:42.4046423Z [  579.660518] FS:  0000000000000000(0000) GS:ffff888162441000(0000) knlGS:0000000000000000
2025-10-01T18:17:42.4050167Z [  579.661060] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
2025-10-01T18:17:42.4055028Z [  579.661449] CR2: 00000000000000e0 CR3: 0000000105bae002 CR4: 0000000000770ef0
2025-10-01T18:17:42.4059819Z [  579.661929] DR0: 000055dd9fe121c0 DR1: 0000000000000000 DR2: 0000000000000000
2025-10-01T18:17:42.4064651Z [  579.662409] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
2025-10-01T18:17:42.4066378Z [  579.662888] PKRU: 55555554
2025-10-01T18:17:42.4070808Z [  579.663077] Kernel panic - not syncing: Fatal exception in interrupt
2025-10-01T18:17:42.4082805Z [  579.663739] Kernel Offset: 0x33000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)



>  
> -static int
> -netif_skb_check_for_xdp(struct sk_buff **pskb, const struct bpf_prog *prog)
> +static int netif_skb_check_for_xdp(struct sk_buff **pskb,
> +				   const struct bpf_prog *prog,
> +				   struct xdp_rxq_info *rxq)
>  {
>  	struct sk_buff *skb = *pskb;
>  	int err, hroom, troom;
> +	struct page_pool *pool;
>  
> +	pool = this_cpu_read(system_page_pool.pool);
>  	local_lock_nested_bh(&system_page_pool.bh_lock);
> -	err = skb_cow_data_for_xdp(this_cpu_read(system_page_pool.pool), pskb, prog);
> +	err = skb_cow_data_for_xdp(pool, pskb, prog);
>  	local_unlock_nested_bh(&system_page_pool.bh_lock);
> -	if (!err)
> +	if (!err) {
> +		rxq->mem.type = MEM_TYPE_PAGE_POOL;
> +		rxq->mem.id = pool->xdp_mem_id;
>  		return 0;
> +	}
>  
>  	/* In case we have to go down the path and also linearize,
>  	 * then lets do the pskb_expand_head() work just once here.
> @@ -5379,13 +5386,13 @@ static u32 netif_receive_generic_xdp(struct sk_buff **pskb,
>  
>  	if (skb_cloned(skb) || skb_is_nonlinear(skb) ||
>  	    skb_headroom(skb) < XDP_PACKET_HEADROOM) {
> -		if (netif_skb_check_for_xdp(pskb, xdp_prog))
> +		if (netif_skb_check_for_xdp(pskb, xdp_prog, xdp->rxq))
>  			goto do_drop;
>  	}
>  
>  	__skb_pull(*pskb, mac_len);
>  
> -	act = bpf_prog_run_generic_xdp(*pskb, xdp, xdp_prog);
> +	act = bpf_prog_run_generic_xdp(*pskb, xdp, xdp_prog, xdp->rxq);
>  	switch (act) {
>  	case XDP_REDIRECT:
>  	case XDP_TX:
> @@ -5442,7 +5449,10 @@ int do_xdp_generic(const struct bpf_prog *xdp_prog, struct sk_buff **pskb)
>  	struct bpf_net_context __bpf_net_ctx, *bpf_net_ctx;
>  
>  	if (xdp_prog) {
> -		struct xdp_buff xdp;
> +		struct xdp_rxq_info rxq = {};
> +		struct xdp_buff xdp = {
> +			.rxq = &rxq,
> +		};
>  		u32 act;
>  		int err;
>  


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ