| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <da02105f8b623cf906cccbc701787aec26bd7603f1855814285493beaa847196@mail.kernel.org>
Date: Thu, 5 Feb 2026 09:54:59 +0000 (UTC)
From: bot+bpf-ci@...nel.org
To: yangfeng59949@....com,davem@...emloft.net,edumazet@...gle.com,kuba@...nel.org,pabeni@...hat.com,horms@...nel.org
Cc: bpf@...r.kernel.org,netdev@...r.kernel.org,linux-kernel@...r.kernel.org,ast@...nel.org,andrii@...nel.org,daniel@...earbox.net,martin.lau@...nel.org,eddyz87@...il.com,yonghong.song@...ux.dev,clm@...a.com,ihor.solodrai@...ux.dev
Subject: Re: [PATCH v2] bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap
> diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
> index 178c4738e..c05b31cd1 100644
> --- a/net/bpf/test_run.c
> +++ b/net/bpf/test_run.c
> @@ -982,6 +982,7 @@ static struct proto bpf_dummy_proto = {
> .obj_size = sizeof(struct sock),
> };
>
> +struct dst_entry bpf_test_run_lwt_xmit_dst;
The bpf_test_run_lwt_xmit_dst is a global variable shared by all callers of
bpf_prog_test_run_skb(). If two processes concurrently run LWT_XMIT tests,
could this race?
Process A:
bpf_test_run_lwt_xmit_dst.dev = dev_A;
skb_dst_set(skb_A, &bpf_test_run_lwt_xmit_dst);
Process B preempts and runs:
bpf_test_run_lwt_xmit_dst.dev = dev_B;
skb_dst_set(skb_B, &bpf_test_run_lwt_xmit_dst);
Now Process A resumes but skb_A's dst_entry has dev_B instead of dev_A.
This could lead to wrong headroom calculation in bpf_lwt_push_ip_encap()
via LL_RESERVED_SPACE(skb_dst(skb)->dev).
Would a per-cpu variable or allocating the dst_entry locally avoid this
race condition?
> int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
> union bpf_attr __user *uattr)
> {
[ ... ]
> @@ -1156,7 +1157,13 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
> skb->ip_summed = CHECKSUM_COMPLETE;
> }
>
> + if (prog->type == BPF_PROG_TYPE_LWT_XMIT) {
> + bpf_test_run_lwt_xmit_dst.dev = dev;
> + skb_dst_set(skb, &bpf_test_run_lwt_xmit_dst);
> + }
> ret = bpf_test_run(prog, skb, repeat, &retval, &duration, false);
> + if (prog->type == BPF_PROG_TYPE_LWT_XMIT)
> + skb_dst_set(skb, NULL);
The skb_dst_set() documentation states: "Sets skb dst, assuming a reference
was taken on dst and should be released by skb_dst_drop()". The global
bpf_test_run_lwt_xmit_dst isn't reference counted and wasn't initialized via
dst_init().
When skb_dst_set(skb, NULL) is called, skb_dst_check_unset() will trigger
DEBUG_NET_WARN_ON_ONCE because the dst was set without the SKB_DST_NOREF bit.
Is this the intended behavior, or should skb_dst_set_noref() be used instead
(which would require holding rcu_read_lock)?
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21706325881
AI-authorship-score: low
AI-authorship-explanation: The commit shows characteristics of human-authored code including real bug reporters, kernel crash stack trace from actual testing, and the self-aware comment Temporarily indicating the author knows this is not an ideal fix.
issues-found: 1
issue-severity-score: low
issue-severity-explanation: Race condition on global dst_entry when concurrent LWT_XMIT tests run, could cause wrong headroom calculation but unlikely to cause crashes in typical usage scenarios.
Powered by blists - more mailing lists