Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix NPE discovered by running bpf kselftest #4729

Closed
wants to merge 2 commits into from
Closed

Fix NPE discovered by running bpf kselftest #4729

wants to merge 2 commits into from

Conversation

kernel-patches-daemon-bpf-rc[bot]
Copy link

Pull request for series with
subject: Fix NPE discovered by running bpf kselftest
version: 1
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=913470

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: c721d8f
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=913470
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: c721d8f
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=913470
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: c721d8f
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=913470
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: 932fc2f
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=913470
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: e2f0791
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=913470
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: dff8470
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=913470
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: dff8470
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=913470
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: dd42e01
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=913470
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: e10500b
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=913470
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: a7c2051
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=913470
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: a7c2051
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=913470
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: 8eef6ac
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=913470
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: c5d2bac
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=913470
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: c5d2bac
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=913470
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: c5d2bac
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=913470
version: 1

kxxt added 2 commits December 20, 2024 11:34
@kxxt
skmsg: return copied bytes in sk_msg_memcopy_from_iter
374fc96 
Previously sk_msg_memcopy_from_iter returns the copied bytes from the
last copy_from_iter{,_nocache} call upon success.

This commit changes it to return the total number of copied bytes on
success.

Signed-off-by: Levi Zim <[email protected]>
@kxxt
tcp_bpf: fix copied value in tcp_bpf_sendmsg
72f6add 
bpf kselftest sockhash::test_txmsg_cork_hangs in test_sockmap.c triggers a
kernel NULL pointer dereference:

BUG: kernel NULL pointer dereference, address: 0000000000000008
 ? __die_body+0x6e/0xb0
 ? __die+0x8b/0xa0
 ? page_fault_oops+0x358/0x3c0
 ? local_clock+0x19/0x30
 ? lock_release+0x11b/0x440
 ? kernelmode_fixup_or_oops+0x54/0x60
 ? __bad_area_nosemaphore+0x4f/0x210
 ? mmap_read_unlock+0x13/0x30
 ? bad_area_nosemaphore+0x16/0x20
 ? do_user_addr_fault+0x6fd/0x740
 ? prb_read_valid+0x1d/0x30
 ? exc_page_fault+0x55/0xd0
 ? asm_exc_page_fault+0x2b/0x30
 ? splice_to_socket+0x52e/0x630
 ? shmem_file_splice_read+0x2b1/0x310
 direct_splice_actor+0x47/0x70
 splice_direct_to_actor+0x133/0x300
 ? do_splice_direct+0x90/0x90
 do_splice_direct+0x64/0x90
 ? __ia32_sys_tee+0x30/0x30
 do_sendfile+0x214/0x300
 __se_sys_sendfile64+0x8e/0xb0
 __x64_sys_sendfile64+0x25/0x30
 x64_sys_call+0xb82/0x2840
 do_syscall_64+0x75/0x110
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

This is caused by tcp_bpf_sendmsg() returning a larger value(12289) than
size (8192), which causes the while loop in splice_to_socket() to release
an uninitialized pipe buf.

The underlying cause is that this code assumes sk_msg_memcopy_from_iter()
will copy all bytes upon success but it actually might only copy part of
it.

This commit changes it to use the real copied bytes.

Signed-off-by: Levi Zim <[email protected]>
@kernel-patches-daemon-bpf-rc
Copy link
Author

At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=913470 irrelevant now. Closing PR.

@kernel-patches-daemon-bpf-rc kernel-patches-daemon-bpf-rc bot deleted the series/913470=>bpf-next branch December 20, 2024 22:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
accepted bpf-next V1-ci-pass V1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@kxxt