On Tue, Jul 25, 2023 at 06:08 PM -07, Yan Zhai wrote:
skb_do_redirect returns various values: an error code (negative), 0 (success), and some positive status codes, e.g. NET_XMIT_CN, NET_RX_DROP. Commit 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure") didn't check the return code correctly, so positive values are propagated back along the call chain:
ip_finish_output2 -> bpf_xmit -> run_lwt_bpf -> skb_do_redirect
Inside ip_finish_output2, the redirected skb will continue to the neighbor subsystem as if LWTUNNEL_XMIT_CONTINUE were returned, even though this skb could have been freed. The bug can trigger a use-after-free warning and crash the kernel afterwards:
https://gist.github.com/zhaiyan920/8fbac245b261fe316a7ef04c9b1eba48
Converting positive statuses from skb_do_redirect eliminates this issue.
Fixes: 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure")
Tested-by: Jakub Sitnicki <jakub@cloudflare.com>
Suggested-by: Markus Elfring <Markus.Elfring@web.de>
Suggested-by: Stanislav Fomichev <sdf@google.com>
Reported-by: Jordan Griege <jgriege@cloudflare.com>
Signed-off-by: Yan Zhai <yan@cloudflare.com>

Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
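As an added illustration of the return-code plumbing the commit message describes (this is a user-space model written for this page, not the kernel's lwt_bpf.c or the patch itself), the block below walks a positive skb_do_redirect status through a stand-in for run_lwt_bpf -> bpf_xmit -> ip_finish_output2 and shows whether the caller would keep touching an skb that has already been handed off. The numeric values of NET_XMIT_CN, NET_RX_DROP, BPF_REDIRECT and LWTUNNEL_XMIT_* are assumptions for the model (only their sign and distinctness matter here), the "convert every non-negative status to BPF_REDIRECT" branch is this model's reading of "convert positive statuses", and the single-branch bpf_xmit switch omits the other BPF verdicts the real function handles.

```c
/* Added example for this page: a user-space model of how a positive
 * skb_do_redirect() status can be mistaken for LWTUNNEL_XMIT_CONTINUE.
 * Not kernel code; all constants below are assumed stand-ins. */
#include <stdbool.h>
#include <stdio.h>

/* Assumed stand-ins for the kernel's status codes. */
#define NET_XMIT_SUCCESS        0
#define NET_XMIT_CN             2   /* positive: congestion notification */
#define NET_RX_DROP             1   /* positive: packet dropped, skb consumed */
#define BPF_OK                  0
#define BPF_REDIRECT            7
#define LWTUNNEL_XMIT_DONE      0
#define LWTUNNEL_XMIT_CONTINUE  1   /* assumed value at the time of the patch */

/* Stand-in for struct sk_buff: we only track whether it was handed off. */
struct skb {
	bool consumed;
};

/* Model of skb_do_redirect(): it always takes ownership of the skb (the
 * caller must not touch it afterwards) and reports one of three outcome
 * kinds: negative error, 0, or a positive status such as NET_XMIT_CN. */
static int model_skb_do_redirect(struct skb *skb, int outcome)
{
	skb->consumed = true;
	return outcome;
}

/* Buggy redirect branch of run_lwt_bpf: only an exact 0 becomes BPF_REDIRECT,
 * so a positive status leaks out unchanged. */
static int run_lwt_bpf_buggy(struct skb *skb, int outcome)
{
	int ret = model_skb_do_redirect(skb, outcome);

	if (ret == 0)
		ret = BPF_REDIRECT;
	return ret;
}

/* Fixed branch (model's reading of the patch): any non-negative status means
 * the skb was handed off, so report BPF_REDIRECT; real errors stay negative. */
static int run_lwt_bpf_fixed(struct skb *skb, int outcome)
{
	int ret = model_skb_do_redirect(skb, outcome);

	if (ret >= 0)
		ret = BPF_REDIRECT;
	return ret;
}

/* Model of the switch at the end of bpf_xmit (only the two verdicts that
 * matter here): BPF_OK continues, BPF_REDIRECT is done, anything else is
 * passed through as-is. */
static int bpf_xmit_map(int ret)
{
	switch (ret) {
	case BPF_OK:
		return LWTUNNEL_XMIT_CONTINUE;
	case BPF_REDIRECT:
		return LWTUNNEL_XMIT_DONE;
	default:
		return ret;
	}
}

/* Model of the check in ip_finish_output2: everything that is neither an
 * error nor LWTUNNEL_XMIT_DONE is treated as "continue to the neighbour
 * subsystem", i.e. the skb keeps being used. */
static bool output_continues(int res)
{
	return !(res < 0 || res == LWTUNNEL_XMIT_DONE);
}

/* Runs the whole chain and reports whether ip_finish_output2 would keep
 * using an skb that skb_do_redirect already consumed (the use-after-free). */
bool uaf_reachable(bool fixed, int redirect_outcome)
{
	struct skb skb = { .consumed = false };
	int ret = fixed ? run_lwt_bpf_fixed(&skb, redirect_outcome)
			: run_lwt_bpf_buggy(&skb, redirect_outcome);
	int res = bpf_xmit_map(ret);

	return skb.consumed && output_continues(res);
}

int main(void)
{
	printf("buggy, NET_XMIT_CN : uaf=%d\n", uaf_reachable(false, NET_XMIT_CN));
	printf("buggy, NET_RX_DROP : uaf=%d\n", uaf_reachable(false, NET_RX_DROP));
	printf("fixed, NET_XMIT_CN : uaf=%d\n", uaf_reachable(true, NET_XMIT_CN));
	printf("fixed, NET_RX_DROP : uaf=%d\n", uaf_reachable(true, NET_RX_DROP));
	return 0;
}
```

With the buggy branch, NET_XMIT_CN (2) is neither negative nor LWTUNNEL_XMIT_DONE, so the model's ip_finish_output2 keeps using the consumed skb; with the conversion in place every successful or positive-status redirect collapses to BPF_REDIRECT and therefore LWTUNNEL_XMIT_DONE, and a negative error is still returned to the caller untouched.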