From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Martin KaFai Lau <martin.lau@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>
Subject: [PATCH 5.10 09/19] bpf: bpf_fib_lookup should not return neigh in NUD_FAILED state
Date: Wed, 1 Mar 2023 19:08:38 +0100 [thread overview]
Message-ID: <20230301180652.715064125@linuxfoundation.org> (raw)
In-Reply-To: <20230301180652.316428563@linuxfoundation.org>
From: Martin KaFai Lau <martin.lau@kernel.org>
commit 1fe4850b34ab512ff911e2c035c75fb6438f7307 upstream.
The bpf_fib_lookup() helper does not only look up the fib (ie. route)
but it also looks up the neigh. Before returning the neigh, the helper
does not check for NUD_VALID. When a neigh state (neigh->nud_state)
is in NUD_FAILED, its dmac (neigh->ha) could be all zeros. The helper
still returns SUCCESS instead of NO_NEIGH in this case. Because of the
SUCCESS return value, the bpf prog directly uses the returned dmac
and ends up filling all zero in the eth header.
This patch checks for NUD_VALID and returns NO_NEIGH if the neigh is
not valid.
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20230217004150.2980689-3-martin.lau@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/filter.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -5401,7 +5401,7 @@ static int bpf_ipv4_fib_lookup(struct ne
neigh = __ipv6_neigh_lookup_noref_stub(dev, dst);
}
- if (!neigh)
+ if (!neigh || !(neigh->nud_state & NUD_VALID))
return BPF_FIB_LKUP_RET_NO_NEIGH;
return bpf_fib_set_fwd_params(params, neigh, dev);
@@ -5514,7 +5514,7 @@ static int bpf_ipv6_fib_lookup(struct ne
* not needed here.
*/
neigh = __ipv6_neigh_lookup_noref_stub(dev, dst);
- if (!neigh)
+ if (!neigh || !(neigh->nud_state & NUD_VALID))
return BPF_FIB_LKUP_RET_NO_NEIGH;
return bpf_fib_set_fwd_params(params, neigh, dev);
next prev parent reply other threads:[~2023-03-01 18:09 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-01 18:08 [PATCH 5.10 00/19] 5.10.171-rc1 review Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.10 01/19] Fix XFRM-I support for nested ESP tunnels Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.10 02/19] arm64: dts: rockchip: drop unused LED mode property from rk3328-roc-cc Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.10 03/19] ARM: dts: rockchip: add power-domains property to dp node on rk3288 Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.10 04/19] ACPI: NFIT: fix a potential deadlock during NFIT teardown Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.10 05/19] btrfs: send: limit number of clones and allocated memory size Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.10 06/19] IB/hfi1: Assign npages earlier Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.10 07/19] neigh: make sure used and confirmed times are valid Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.10 08/19] HID: core: Fix deadloop in hid_apply_multiplier Greg Kroah-Hartman
2023-03-01 18:08 ` Greg Kroah-Hartman [this message]
2023-03-01 18:08 ` [PATCH 5.10 10/19] net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from sk_stream_kill_queues() Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.10 11/19] vc_screen: dont clobber return value in vcs_read Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.10 12/19] md: Flush workqueue md_rdev_misc_wq in md_alloc() Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.10 13/19] scripts/tags.sh: Invoke realpath via xargs Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.10 14/19] scripts/tags.sh: fix incompatibility with PCRE2 Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.10 15/19] drm/virtio: Fix NULL vs IS_ERR checking in virtio_gpu_object_shmem_init Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.10 16/19] drm/virtio: Correct drm_gem_shmem_get_sg_table() error handling Greg Kroah-Hartman
2023-03-02 16:52 ` Harshit Mogalapalli
2023-03-02 17:16 ` Dmitry Osipenko
2023-03-01 18:08 ` [PATCH 5.10 17/19] USB: serial: option: add support for VW/Skoda "Carstick LTE" Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.10 18/19] usb: gadget: u_serial: Add null pointer check in gserial_resume Greg Kroah-Hartman
2023-03-01 18:08 ` [PATCH 5.10 19/19] USB: core: Dont hold device lock while reading the "descriptors" sysfs file Greg Kroah-Hartman
2023-03-01 19:54 ` [PATCH 5.10 00/19] 5.10.171-rc1 review Florian Fainelli
2023-03-01 21:27 ` Slade Watkins
2023-03-01 22:03 ` Pavel Machek
2023-03-01 22:09 ` Slade Watkins
2023-03-02 5:03 ` Guenter Roeck
2023-03-02 7:39 ` Greg Kroah-Hartman
2023-03-02 1:48 ` Shuah Khan
2023-03-02 7:27 ` Jon Hunter
2023-03-02 11:34 ` Sudip Mukherjee (Codethink)
2023-03-02 12:48 ` Naresh Kamboju
2023-03-03 1:30 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230301180652.715064125@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=daniel@iogearbox.net \
--cc=martin.lau@kernel.org \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.