From: Greg Kroah-Hartman Date: Tue, 22 Apr 2025 12:30:18 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v6.1.135~46 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cc949b781b998e59e9e980bc2c52c4bdfe0dbd89;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: xdp-reset-bpf_redirect_info-before-running-a-xdp-s-bpf-prog.patch --- diff --git a/queue-6.6/series b/queue-6.6/series index 40fe91f18f..512256c3bb 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -382,3 +382,4 @@ wifi-rtw89-pci-disable-pcie-wake-bit-when-pcie-deinit.patch drm-amd-display-stop-amdgpu_dm-initialize-when-link-nums-greater-than-max_links.patch landlock-add-the-errata-interface.patch nvmet-fc-remove-unused-functions.patch +xdp-reset-bpf_redirect_info-before-running-a-xdp-s-bpf-prog.patch diff --git a/queue-6.6/xdp-reset-bpf_redirect_info-before-running-a-xdp-s-bpf-prog.patch b/queue-6.6/xdp-reset-bpf_redirect_info-before-running-a-xdp-s-bpf-prog.patch new file mode 100644 index 0000000000..3296f7a233 --- /dev/null +++ b/queue-6.6/xdp-reset-bpf_redirect_info-before-running-a-xdp-s-bpf-prog.patch 
@@ -0,0 +1,64 @@ +From bigeasy@linutronix.de Tue Apr 22 12:41:17 2025 +From: Sebastian Andrzej Siewior +Date: Mon, 17 Mar 2025 14:38:13 +0100 +Subject: [PATCH stable] xdp: Reset bpf_redirect_info before running a xdp's BPF prog. +To: Greg KH , stable@vger.kernel.org +Cc: netdev@vger.kernel.org, bpf@vger.kernel.org, "Ricardo Cañuelo Navarro" , "Alexei Starovoitov" , "Andrii Nakryiko" , "Daniel Borkmann" , "David S. Miller" , "Jakub Kicinski" , "Jesper Dangaard Brouer" , "John Fastabend" , "Thomas Gleixner" , "Toke Høiland-Jørgensen" +Message-ID: <20250317133813.OwHVKUKe@linutronix.de> +Content-Disposition: inline + +From: Sebastian Andrzej Siewior + +Ricardo reported a KASAN discovered use after free in v6.6-stable. + +The syzbot starts a BPF program via xdp_test_run_batch() which assigns +ri->tgt_value via dev_hash_map_redirect() and the return code isn't +XDP_REDIRECT it looks like nonsense. So the output in +bpf_warn_invalid_xdp_action() appears once. +Then the TUN driver runs another BPF program (on the same CPU) which +returns XDP_REDIRECT without setting ri->tgt_value first. It invokes +bpf_trace_printk() to print four characters and obtain the required +return value. This is enough to get xdp_do_redirect() invoked which +then accesses the pointer in tgt_value which might have been already +deallocated. + +This problem does not affect upstream because since commit + 401cb7dae8130 ("net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.") + +the per-CPU variable is referenced via task's task_struct and exists on +the stack during NAPI callback. Therefore it is cleared once before the +first invocation and remains valid within the RCU section of the NAPI +callback. + +Instead of performing the huge backport of the commit (plus its fix ups) +here is an alternative version which only resets the variable in +question prior invoking the BPF program. 
+ +Acked-by: Toke Høiland-Jørgensen +Reported-by: Ricardo Cañuelo Navarro +Closes: https://lore.kernel.org/all/20250226-20250204-kasan-slab-use-after-free-read-in-dev_map_enqueue__submit-v3-0-360efec441ba@igalia.com/ +Fixes: 97f91a7cf04ff ("bpf: add bpf_redirect_map helper routine") +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Greg Kroah-Hartman +--- + include/net/xdp.h | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/include/net/xdp.h ++++ b/include/net/xdp.h +@@ -486,7 +486,14 @@ static __always_inline u32 bpf_prog_run_ + * under local_bh_disable(), which provides the needed RCU protection + * for accessing map entries. + */ +- u32 act = __bpf_prog_run(prog, xdp, BPF_DISPATCHER_FUNC(xdp)); ++ struct bpf_redirect_info *ri = this_cpu_ptr(&bpf_redirect_info); ++ u32 act; ++ ++ if (ri->map_id || ri->map_type) { ++ ri->map_id = 0; ++ ri->map_type = BPF_MAP_TYPE_UNSPEC; ++ } ++ act = __bpf_prog_run(prog, xdp, BPF_DISPATCHER_FUNC(xdp)); + + if (static_branch_unlikely(&bpf_master_redirect_enabled_key)) { + if (act == XDP_TX && netif_is_bond_slave(xdp->rxq->dev))
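Review bot: the reset in the include/net/xdp.h hunk lands between the existing comment (which explains the local_bh_disable()/RCU protection for __bpf_prog_run()) and the call that comment documents, and carries no comment of its own; add a short one on the `if (ri->map_id || ri->map_type)` block stating that it clears redirect state left on this CPU by an earlier program that called a redirect helper without returning XDP_REDIRECT, and that upstream does not need it because commit 401cb7dae8130 moved bpf_redirect_info to task_struct, so the stable-only deviation is visible to whoever next touches this function. The hunk resets map_id and map_type but leaves ri->tgt_value in place; if that is sufficient because xdp_do_redirect() only follows tgt_value once a map type has been set, the comment should say so, since a reader will otherwise wonder why the dangling pointer from the report is not cleared. A minor symmetry point: the guard tests `ri->map_type` for non-zero while the assignment uses `BPF_MAP_TYPE_UNSPEC`; `ri->map_type != BPF_MAP_TYPE_UNSPEC` would read the same as the assignment below it.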
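The failure sequence described in the commit message, replayed as an added userspace model in C. This is not kernel code and not part of the patch: the struct layout, the helper names and the single instance standing in for the per-CPU variable are simplifications chosen here, and the assumption that xdp_do_redirect() only follows tgt_value when map_type is something other than BPF_MAP_TYPE_UNSPEC is the model's, taken as the reason the hunk can reset map_id/map_type alone and leave tgt_value untouched. run_scenario(0) replays the unpatched path, where the second program's bare XDP_REDIRECT reaches the stale devmap entry; run_scenario(1) adds the reset from the hunk before each program run and gets -EBADRQC instead.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#ifndef EBADRQC
#define EBADRQC 56 /* Linux value; defined here only so the model builds elsewhere */
#endif

enum xdp_action { XDP_ABORTED, XDP_DROP, XDP_PASS, XDP_TX, XDP_REDIRECT };
/* Only the two map types the model needs; the numeric values are assumptions. */
enum bpf_map_type { BPF_MAP_TYPE_UNSPEC = 0, BPF_MAP_TYPE_DEVMAP = 14 };

/* Modelled subset of struct bpf_redirect_info (assumed layout, not the kernel's). */
struct bpf_redirect_info {
	unsigned int map_id;        /* 0 means "no map set" */
	enum bpf_map_type map_type;
	void *tgt_value;            /* devmap entry; meaningful only with map_type set */
};

/* The model has one CPU, so one instance stands in for the per-CPU variable. */
static struct bpf_redirect_info bpf_redirect_info;

/* Stand-in for a devmap entry. "freed" is tracked as a flag instead of really
 * freeing the memory, so the model itself never dereferences freed storage. */
struct dev_map_entry { int ifindex; int freed; };

typedef int (*xdp_prog_fn)(struct dev_map_entry *e);

/* Model of dev_hash_map_redirect(): records the target unconditionally and
 * hands XDP_REDIRECT back to the program; whether the program returns it is
 * entirely up to the program. */
static int dev_hash_map_redirect(unsigned int map_id, struct dev_map_entry *e)
{
	struct bpf_redirect_info *ri = &bpf_redirect_info;

	ri->map_id = map_id;
	ri->map_type = BPF_MAP_TYPE_DEVMAP;
	ri->tgt_value = e;
	return XDP_REDIRECT;
}

/* Model of xdp_do_redirect(): consumes and clears the redirect state and only
 * follows tgt_value when a map type was recorded (assumed gating). Returns 0
 * on "enqueue" and -EBADRQC when no target was recorded; *hit_freed reports
 * whether the entry it would have enqueued to was already gone. */
static int xdp_do_redirect(int *hit_freed)
{
	struct bpf_redirect_info *ri = &bpf_redirect_info;
	enum bpf_map_type map_type = ri->map_type;
	struct dev_map_entry *fwd = ri->tgt_value;

	ri->map_id = 0;
	ri->map_type = BPF_MAP_TYPE_UNSPEC;
	if (map_type != BPF_MAP_TYPE_DEVMAP)
		return -EBADRQC;
	*hit_freed = fwd->freed;   /* the kernel would enqueue to fwd here */
	return 0;
}

/* Program A: calls the redirect helper, then returns something other than XDP_REDIRECT. */
static int prog_redirect_then_pass(struct dev_map_entry *e)
{
	(void)dev_hash_map_redirect(1, e);
	return XDP_PASS;
}

/* Program B: returns XDP_REDIRECT without ever setting a target. */
static int prog_bare_redirect(struct dev_map_entry *e)
{
	(void)e;
	return XDP_REDIRECT;
}

/* bpf_prog_run_xdp() in both variants; 'patched' adds the reset from the hunk. */
static int bpf_prog_run_xdp(xdp_prog_fn prog, struct dev_map_entry *e, int patched)
{
	struct bpf_redirect_info *ri = &bpf_redirect_info;

	if (patched && (ri->map_id || ri->map_type)) {
		ri->map_id = 0;
		ri->map_type = BPF_MAP_TYPE_UNSPEC;
	}
	return prog(e);
}

/* Replays the reported sequence on one CPU. Returns 1 when the second
 * program's XDP_REDIRECT reached the stale (freed) entry, 0 when
 * xdp_do_redirect() rejected it, -1 if no redirect was attempted at all. */
static int run_scenario(int patched)
{
	struct dev_map_entry entry = { .ifindex = 7, .freed = 0 };
	int hit_freed = 0;

	memset(&bpf_redirect_info, 0, sizeof(bpf_redirect_info));

	/* 1. the first program records a target but does not redirect, so its
	 *    caller never reaches xdp_do_redirect() and ri keeps the target */
	(void)bpf_prog_run_xdp(prog_redirect_then_pass, &entry, patched);

	/* 2. the devmap entry is torn down while ri->tgt_value still points at it */
	entry.freed = 1;

	/* 3. a different program on the same CPU returns XDP_REDIRECT */
	if (bpf_prog_run_xdp(prog_bare_redirect, &entry, patched) != XDP_REDIRECT)
		return -1;
	if (xdp_do_redirect(&hit_freed) == -EBADRQC)
		return 0;
	return hit_freed;
}

int main(void)
{
	printf("unpatched: %d (1 = stale entry reached)\n", run_scenario(0));
	printf("patched:   %d (0 = redirect rejected with -EBADRQC)\n", run_scenario(1));
	return 0;
}
```

Build with `cc -std=c99 -Wall model.c`. The point the model makes that the commit message does not spell out: after the patched run, tgt_value still holds the stale pointer, but with map_type back at BPF_MAP_TYPE_UNSPEC nothing on the redirect path reads it, which is why resetting the two fields is enough.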