[PATCH net/bpf] bpf: add bpf_prog_run_data_pointers()
12 views
Skip to first unread message
Eric Dumazet
Nov 12, 2025, 7:55:31 AMNov 12
to Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, David S . Miller, Jakub Kicinski, Paolo Abeni, net...@vger.kernel.org, b...@vger.kernel.org, Simon Horman, Jamal Hadi Salim, Victor Nogueira, Cong Wang, Jiri Pirko, Toke Høiland-Jørgensen, eric.d...@gmail.com, Eric Dumazet, syzbot, Paul Blakey
syzbot found that cls_bpf_classify() is able to change
tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().
WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]
WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214
struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched:
Extend qdisc control block with tc control block"), which added a wrong
interaction with db58ba459202 ("bpf: wire in data and data_end for
cls_act_bpf").
drop_reason was added later.
Add bpf_prog_run_data_pointers() helper to save/restore the net_sched
storage colliding with BPF data_meta/data_end.
Fixes: ec624fe740b4 ("net/sched: Extend qdisc control block with tc control block")
Reported-by: syzbot <syzk...@googlegroups.com>
Closes: https://lore.kernel.org/netdev/6913437c.a70a022...@google.com/
Signed-off-by: Eric Dumazet <edum...@google.com>
Cc: Paul Blakey <pa...@nvidia.com>
---
include/linux/filter.h | 20 ++++++++++++++++++++
net/sched/act_bpf.c | 7 +++----
net/sched/cls_bpf.c | 6 ++----
3 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/include/linux/filter.h b/include/linux/filter.h
index f5c859b8131a3e5fa5111b60cc291cedd44f096d..973233b82dc1fd422f26ac221eeb46c66c47767a 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -901,6 +901,26 @@ static inline void bpf_compute_data_pointers(struct sk_buff *skb)
cb->data_end = skb->data + skb_headlen(skb);
}
+static inline int bpf_prog_run_data_pointers(
+ const struct bpf_prog *prog,
+ struct sk_buff *skb)
+{
+ struct bpf_skb_data_end *cb = (struct bpf_skb_data_end *)skb->cb;
+ void *save_data_meta, *save_data_end;
+ int res;
+
+ save_data_meta = cb->data_meta;
+ save_data_end = cb->data_end;
+
+ bpf_compute_data_pointers(skb);
+ res = bpf_prog_run(prog, skb);
+
+ cb->data_meta = save_data_meta;
+ cb->data_end = save_data_end;
+
+ return res;
+}
+
/* Similar to bpf_compute_data_pointers(), except that save orginal
* data in cb->data and cb->meta_data for restore.
*/
diff --git a/net/sched/act_bpf.c b/net/sched/act_bpf.c
index 396b576390d00aad56bca6a18b7796e5324c0aef..3f5a5dc55c29433525b319f1307725d7feb015c6 100644
--- a/net/sched/act_bpf.c
+++ b/net/sched/act_bpf.c
@@ -47,13 +47,12 @@ TC_INDIRECT_SCOPE int tcf_bpf_act(struct sk_buff *skb,
filter = rcu_dereference(prog->filter);
if (at_ingress) {
__skb_push(skb, skb->mac_len);
- bpf_compute_data_pointers(skb);
- filter_res = bpf_prog_run(filter, skb);
+ filter_res = bpf_prog_run_data_pointers(filter, skb);
__skb_pull(skb, skb->mac_len);
} else {
- bpf_compute_data_pointers(skb);
- filter_res = bpf_prog_run(filter, skb);
+ filter_res = bpf_prog_run_data_pointers(filter, skb);
}
+
if (unlikely(!skb->tstamp && skb->tstamp_type))
skb->tstamp_type = SKB_CLOCK_REALTIME;
if (skb_sk_is_prefetched(skb) && filter_res != TC_ACT_OK)
diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
index 7fbe42f0e5c2b7aca0a28c34cd801c3a767c804e..a32754a2658bb7d21e8ceb62c67d6684ed4f9fcc 100644
--- a/net/sched/cls_bpf.c
+++ b/net/sched/cls_bpf.c
@@ -97,12 +97,10 @@ TC_INDIRECT_SCOPE int cls_bpf_classify(struct sk_buff *skb,
} else if (at_ingress) {
/* It is safe to push/pull even if skb_shared() */
__skb_push(skb, skb->mac_len);
- bpf_compute_data_pointers(skb);
- filter_res = bpf_prog_run(prog->filter, skb);
+ filter_res = bpf_prog_run_data_pointers(prog->filter, skb);
__skb_pull(skb, skb->mac_len);
} else {
- bpf_compute_data_pointers(skb);
- filter_res = bpf_prog_run(prog->filter, skb);
+ filter_res = bpf_prog_run_data_pointers(prog->filter, skb);
}
if (unlikely(!skb->tstamp && skb->tstamp_type))
skb->tstamp_type = SKB_CLOCK_REALTIME;
--
2.51.2.1041.gc1ab5b90ca-goog
tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().
WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]
WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214
struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched:
Extend qdisc control block with tc control block"), which added a wrong
interaction with db58ba459202 ("bpf: wire in data and data_end for
cls_act_bpf").
drop_reason was added later.
Add bpf_prog_run_data_pointers() helper to save/restore the net_sched
storage colliding with BPF data_meta/data_end.
Fixes: ec624fe740b4 ("net/sched: Extend qdisc control block with tc control block")
Reported-by: syzbot <syzk...@googlegroups.com>
Closes: https://lore.kernel.org/netdev/6913437c.a70a022...@google.com/
Signed-off-by: Eric Dumazet <edum...@google.com>
Cc: Paul Blakey <pa...@nvidia.com>
---
include/linux/filter.h | 20 ++++++++++++++++++++
net/sched/act_bpf.c | 7 +++----
net/sched/cls_bpf.c | 6 ++----
3 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/include/linux/filter.h b/include/linux/filter.h
index f5c859b8131a3e5fa5111b60cc291cedd44f096d..973233b82dc1fd422f26ac221eeb46c66c47767a 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -901,6 +901,26 @@ static inline void bpf_compute_data_pointers(struct sk_buff *skb)
cb->data_end = skb->data + skb_headlen(skb);
}
+static inline int bpf_prog_run_data_pointers(
+ const struct bpf_prog *prog,
+ struct sk_buff *skb)
+{
+ struct bpf_skb_data_end *cb = (struct bpf_skb_data_end *)skb->cb;
+ void *save_data_meta, *save_data_end;
+ int res;
+
+ save_data_meta = cb->data_meta;
+ save_data_end = cb->data_end;
+
+ bpf_compute_data_pointers(skb);
+ res = bpf_prog_run(prog, skb);
+
+ cb->data_meta = save_data_meta;
+ cb->data_end = save_data_end;
+
+ return res;
+}
+
/* Similar to bpf_compute_data_pointers(), except that save orginal
* data in cb->data and cb->meta_data for restore.
*/
diff --git a/net/sched/act_bpf.c b/net/sched/act_bpf.c
index 396b576390d00aad56bca6a18b7796e5324c0aef..3f5a5dc55c29433525b319f1307725d7feb015c6 100644
--- a/net/sched/act_bpf.c
+++ b/net/sched/act_bpf.c
@@ -47,13 +47,12 @@ TC_INDIRECT_SCOPE int tcf_bpf_act(struct sk_buff *skb,
filter = rcu_dereference(prog->filter);
if (at_ingress) {
__skb_push(skb, skb->mac_len);
- bpf_compute_data_pointers(skb);
- filter_res = bpf_prog_run(filter, skb);
+ filter_res = bpf_prog_run_data_pointers(filter, skb);
__skb_pull(skb, skb->mac_len);
} else {
- bpf_compute_data_pointers(skb);
- filter_res = bpf_prog_run(filter, skb);
+ filter_res = bpf_prog_run_data_pointers(filter, skb);
}
+
if (unlikely(!skb->tstamp && skb->tstamp_type))
skb->tstamp_type = SKB_CLOCK_REALTIME;
if (skb_sk_is_prefetched(skb) && filter_res != TC_ACT_OK)
diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
index 7fbe42f0e5c2b7aca0a28c34cd801c3a767c804e..a32754a2658bb7d21e8ceb62c67d6684ed4f9fcc 100644
--- a/net/sched/cls_bpf.c
+++ b/net/sched/cls_bpf.c
@@ -97,12 +97,10 @@ TC_INDIRECT_SCOPE int cls_bpf_classify(struct sk_buff *skb,
} else if (at_ingress) {
/* It is safe to push/pull even if skb_shared() */
__skb_push(skb, skb->mac_len);
- bpf_compute_data_pointers(skb);
- filter_res = bpf_prog_run(prog->filter, skb);
+ filter_res = bpf_prog_run_data_pointers(prog->filter, skb);
__skb_pull(skb, skb->mac_len);
} else {
- bpf_compute_data_pointers(skb);
- filter_res = bpf_prog_run(prog->filter, skb);
+ filter_res = bpf_prog_run_data_pointers(prog->filter, skb);
}
if (unlikely(!skb->tstamp && skb->tstamp_type))
skb->tstamp_type = SKB_CLOCK_REALTIME;
--
2.51.2.1041.gc1ab5b90ca-goog
Victor Nogueira
Nov 13, 2025, 11:18:35 AMNov 13
to Eric Dumazet, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, David S . Miller, Jakub Kicinski, Paolo Abeni, net...@vger.kernel.org, b...@vger.kernel.org, Simon Horman, Jamal Hadi Salim, Cong Wang, Jiri Pirko, Toke Høiland-Jørgensen, eric.d...@gmail.com, syzbot, Paul Blakey
On Wed, Nov 12, 2025 at 9:55 AM Eric Dumazet <edum...@google.com> wrote:
>
> syzbot found that cls_bpf_classify() is able to change
> tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().
>
> WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]
> WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214
>
> struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched:
> Extend qdisc control block with tc control block"), which added a wrong
> interaction with db58ba459202 ("bpf: wire in data and data_end for
> cls_act_bpf").
>
> drop_reason was added later.
>
> Add bpf_prog_run_data_pointers() helper to save/restore the net_sched
> storage colliding with BPF data_meta/data_end.
>
> Fixes: ec624fe740b4 ("net/sched: Extend qdisc control block with tc control block")
> Reported-by: syzbot <syzk...@googlegroups.com>
> Closes: https://lore.kernel.org/netdev/6913437c.a70a022...@google.com/
> Signed-off-by: Eric Dumazet <edum...@google.com>
> Cc: Paul Blakey <pa...@nvidia.com>
Reviewed-by: Victor Nogueira <vic...@mojatatu.com>
>
> syzbot found that cls_bpf_classify() is able to change
> tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().
>
> WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]
> WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214
>
> struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched:
> Extend qdisc control block with tc control block"), which added a wrong
> interaction with db58ba459202 ("bpf: wire in data and data_end for
> cls_act_bpf").
>
> drop_reason was added later.
>
> Add bpf_prog_run_data_pointers() helper to save/restore the net_sched
> storage colliding with BPF data_meta/data_end.
>
> Fixes: ec624fe740b4 ("net/sched: Extend qdisc control block with tc control block")
> Reported-by: syzbot <syzk...@googlegroups.com>
> Closes: https://lore.kernel.org/netdev/6913437c.a70a022...@google.com/
> Signed-off-by: Eric Dumazet <edum...@google.com>
> Cc: Paul Blakey <pa...@nvidia.com>
Thanks!
Jamal Hadi Salim
Nov 13, 2025, 12:55:19 PMNov 13
to Victor Nogueira, Eric Dumazet, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, David S . Miller, Jakub Kicinski, Paolo Abeni, net...@vger.kernel.org, b...@vger.kernel.org, Simon Horman, Cong Wang, Jiri Pirko, Toke Høiland-Jørgensen, eric.d...@gmail.com, syzbot, Paul Blakey
patchwork-b...@kernel.org
Nov 14, 2025, 12:12:33 PMNov 14
to Eric Dumazet, a...@kernel.org, dan...@iogearbox.net, and...@kernel.org, da...@davemloft.net, ku...@kernel.org, pab...@redhat.com, net...@vger.kernel.org, b...@vger.kernel.org, ho...@kernel.org, j...@mojatatu.com, vic...@mojatatu.com, xiyou.w...@gmail.com, ji...@resnulli.us, to...@redhat.com, eric.d...@gmail.com, syzk...@googlegroups.com, pa...@nvidia.com
Hello:
This patch was applied to bpf/bpf.git (master)
by Martin KaFai Lau <marti...@kernel.org>:
On Wed, 12 Nov 2025 12:55:16 +0000 you wrote:
> syzbot found that cls_bpf_classify() is able to change
> tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().
>
> WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]
> WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214
>
> struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched:
> Extend qdisc control block with tc control block"), which added a wrong
> interaction with db58ba459202 ("bpf: wire in data and data_end for
> cls_act_bpf").
>
> [...]
Here is the summary with links:
- [net/bpf] bpf: add bpf_prog_run_data_pointers()
https://git.kernel.org/bpf/bpf/c/4ef927436258
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
This patch was applied to bpf/bpf.git (master)
by Martin KaFai Lau <marti...@kernel.org>:
On Wed, 12 Nov 2025 12:55:16 +0000 you wrote:
> syzbot found that cls_bpf_classify() is able to change
> tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().
>
> WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]
> WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214
>
> struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched:
> Extend qdisc control block with tc control block"), which added a wrong
> interaction with db58ba459202 ("bpf: wire in data and data_end for
> cls_act_bpf").
>
Here is the summary with links:
- [net/bpf] bpf: add bpf_prog_run_data_pointers()
https://git.kernel.org/bpf/bpf/c/4ef927436258
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
Reply all
Reply to author
Forward
0 new messages