seg6: Ensure that seg6_bpf_srh_states can only be accessed from input_action_end_bpf()

Initially I assumed that the per-CPU variable `seg6_bpf_srh_states' is first initialized in input_action_end_bpf() and then accessed during the bpf_prog_run_save_cb() invocation by the eBPF program via the BPF callbacks. syzbot demonstrated that it is possible to invoke the BPF callbacks (and access `seg6_bpf_srh_states') without entering input_action_end_bpf() first.

The valid path via input_action_end_bpf() is invoked within NAPI context, which means it has bpf_net_context set. This can be used to identify the "valid" calling path.

Set in input_action_end_bpf() the BPF_RI_F_SEG6_STATE bit to signal the valid calling path and clear it at the end. Check for the context and the bit in bpf_lwt_seg6.*() and abort if missing.

Reported-by: <syzbot+608a2acde8c5a101d07d@syzkaller.appspotmail.com>
Fixes: d1542d4ae4dfd ("seg6: Use nested-BH locking for seg6_bpf_srh_states.")
Link: https://lore.kernel.org/r/20240705104133.NU9AwKDS@linutronix.de
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
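The guard described in the commit message, modelled in user space as an added example (this is not the kernel's code, and the `model_*` names, the single "per-CPU" slot and the `MODEL_F_SEG6_STATE` bit are constructed stand-ins for `bpf_net_context`, `seg6_bpf_srh_states` and `BPF_RI_F_SEG6_STATE`). It shows the three cases the fix distinguishes: the helper is reached through the valid path and succeeds, the helper is reached with no context at all (the path syzbot triggered) and is refused, and the helper is reached inside a context that never went through the entry function and is also refused, so the per-CPU state is only ever read after the entry function initialised it.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for BPF_RI_F_SEG6_STATE in bpf_net_context->flags. */
#define MODEL_F_SEG6_STATE (1u << 0)

/* Constructed stand-in for bpf_net_context (set while in NAPI/softirq). */
struct model_net_context { unsigned int flags; };

/* Constructed stand-in for the per-CPU seg6_bpf_srh_states (one slot here). */
struct model_srh_states { bool initialised; int srh_len; };

static struct model_net_context *cur_ctx;   /* NULL outside NAPI context */
static struct model_srh_states srh_states;  /* only valid on the guarded path */

/* Model of the bpf_lwt_seg6_*() helpers: refuse unless a context exists and
 * the entry function has marked this call path as valid. */
static int model_bpf_lwt_seg6_helper(int *out_len)
{
    if (!cur_ctx || !(cur_ctx->flags & MODEL_F_SEG6_STATE))
        return -EINVAL;
    if (!srh_states.initialised)     /* cannot happen once the bit is honoured */
        return -EINVAL;
    *out_len = srh_states.srh_len;
    return 0;
}

/* Model of the attached eBPF program: it just calls the helper. */
static int model_prog(int *out_len)
{
    return model_bpf_lwt_seg6_helper(out_len);
}

/* Model of input_action_end_bpf(): initialise the per-CPU state, raise the
 * bit, run the program (bpf_prog_run_save_cb()), then clear both again. */
static int model_input_action_end_bpf(struct model_net_context *ctx,
                                      int srh_len, int *out_len)
{
    int ret;

    srh_states.srh_len = srh_len;
    srh_states.initialised = true;
    ctx->flags |= MODEL_F_SEG6_STATE;

    ret = model_prog(out_len);

    ctx->flags &= ~MODEL_F_SEG6_STATE;
    srh_states.initialised = false;
    return ret;
}

/* Case 1: the valid path. NAPI sets a context, then the entry function runs. */
int model_napi_poll(int srh_len, int *out_len)
{
    struct model_net_context ctx = { 0 };
    int ret;

    cur_ctx = &ctx;
    ret = model_input_action_end_bpf(&ctx, srh_len, out_len);
    cur_ctx = NULL;
    return ret;
}

/* Case 2: the program is invoked with no context at all. */
int model_stray_program(int *out_len)
{
    cur_ctx = NULL;
    return model_prog(out_len);
}

/* Case 3: inside a NAPI context, but from a hook that never entered
 * input_action_end_bpf(), so the bit is not set. */
int model_napi_other_hook(int *out_len)
{
    struct model_net_context ctx = { 0 };
    int ret;

    cur_ctx = &ctx;
    ret = model_prog(out_len);
    cur_ctx = NULL;
    return ret;
}

int main(void)
{
    int len = 0;

    printf("valid path:  ret=%d len=%d\n", model_napi_poll(42, &len), len);
    printf("no context:  ret=%d\n", model_stray_program(&len));
    printf("wrong hook:  ret=%d\n", model_napi_other_hook(&len));
    return 0;
}
```

The point of the model is that the check lives in the helper, not in the caller: whatever path a program takes to reach `model_bpf_lwt_seg6_helper()`, it only reads the per-CPU state when the entry function has both initialised it and flagged the context.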