WARNING: attempt to execute device eBPF program on the host!

* WARNING: attempt to execute device eBPF program on the host!
@ 2023-01-11  4:02 Hao Sun
  0 siblings, 0 replies; only message in thread
From: Hao Sun @ 2023-01-11  4:02 UTC (permalink / raw)
  To: bpf
  Cc: ast, daniel, john.fastabend, andrii, martin.lau, song, yhs,
	kpsingh, sdf, haoluo, jolsa, davem, linux-kernel, Hao Sun

Hi,

The following warning can be triggered with the C reproducer in
the link. The syz repro may be more readable:
# {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:false Sysctl:true UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}

r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000140)={0xf, 0x4, 0x4, 0x8}, 0x48)
r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f00000001c0)={0x6, 0xb, &(0x7f0000000000)={{@imm, @map_fd={0x18, 0x6, 0x1, 0x0, r0}, @map_fd={0x18, 0x7, 0x1, 0x0, r0}, @map_fd={0x18, 0x8, 0x1, 0x0, r0}, @map_fd={0x18, 0x9, 0x1, 0x0, r0}}}, &(0x7f0000000080)}, 0x80)
r2 = bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000240)={r1, 0xf}, 0x10)
bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x5, 0x81c, 0x630, 0x8, 0x0, 0x1}, 0x48)
r3 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000380)={0x6, 0xb, &(0x7f00000002c0)={{@imm, @imm, @imm, @imm, @imm}}, &(0x7f0000000340), 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x46}, 0x80)
bpf$BPF_LINK_UPDATE(0x1d, &(0x7f0000000840)={r2, r3, 0x4, r1}, 0x10)

This can be reproduced on:
HEAD commit:    6d0c4b11e743 ("libbpf: Poison strlcpy()")
git tree:       bpf-next
console output: https://pastebin.com/raw/DwdHsbS5
kernel config : https://pastebin.com/raw/AZCHdEbK
C reproducer  : https://pastebin.com/raw/tE08i586

------------[ cut here ]------------
attempt to execute device eBPF program on the host!
WARNING: CPU: 5 PID: 4498 at kernel/bpf/offload.c:252 bpf_prog_warn_on_exec+0x15/0x20 kernel/bpf/offload.c:252
Modules linked in:
CPU: 5 PID: 4498 Comm: kworker/5:3 Not tainted 6.2.0-rc2-00302-g6d0c4b11e743 #153
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Workqueue: ipv6_addrconf addrconf_dad_work
RIP: 0010:bpf_prog_warn_on_exec+0x15/0x20 kernel/bpf/offload.c:252
Code: e1 35 2f 00 eb c8 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa e8 b7 10 df ff 48 c7 c7 a0 c6 55 8a e8 95 53 20 08 <0f> 0b 31 c0 c3 66 0f 1f 44 00 00 48 b8 00 00 00 00 00 fc ff df 41
RSP: 0018:ffffc900009a09a8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff888027587100 RCX: 0000000000000000
RDX: ffff8881066c9d80 RSI: ffffffff81671400 RDI: fffff52000134127
RBP: ffff888013c47890 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000101 R11: ffffffff90d3f143 R12: ffff888027587156
R13: ffff888027587000 R14: ffffc900009a0a20 R15: ffff888013c47900
FS:  0000000000000000(0000) GS:ffff888135d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056006aaf00c0 CR3: 00000000264a0000 CR4: 0000000000750ee0
PKRU: 55555554
Call Trace:
 <IRQ>
 __bpf_prog_run include/linux/filter.h:600 [inline]
 bpf_prog_run_xdp include/linux/filter.h:775 [inline]
 veth_xdp_rcv_skb+0x8a2/0x21a0 drivers/net/veth.c:824
 veth_xdp_rcv.constprop.0+0x3f2/0xb20 drivers/net/veth.c:939
 veth_poll+0x141/0x8c0 drivers/net/veth.c:975
 __napi_poll.constprop.0+0xb0/0x440 net/core/dev.c:6485
 napi_poll net/core/dev.c:6552 [inline]
 net_rx_action+0x8f8/0xd50 net/core/dev.c:6663
 __do_softirq+0x1f7/0xaf6 kernel/softirq.c:571
 do_softirq kernel/softirq.c:472 [inline]
 do_softirq+0x10e/0x160 kernel/softirq.c:459
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0xf8/0x120 kernel/softirq.c:396
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:834 [inline]
 ip6_finish_output2+0x634/0x1aa0 net/ipv6/ip6_output.c:135
 __ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
 ip6_finish_output+0x485/0x11c0 net/ipv6/ip6_output.c:206
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip6_output+0x243/0x820 net/ipv6/ip6_output.c:227
 dst_output include/net/dst.h:444 [inline]
 NF_HOOK.constprop.0+0xfa/0x4c0 include/linux/netfilter.h:302
 ndisc_send_skb+0x9e8/0x1320 net/ipv6/ndisc.c:508
 ndisc_send_ns+0xb5/0x130 net/ipv6/ndisc.c:666
 addrconf_dad_work+0xc6b/0x1300 net/ipv6/addrconf.c:4171
 process_one_work+0xa33/0x1720 kernel/workqueue.c:2289
 worker_thread+0x67d/0x10e0 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
 </TASK>

^ permalink raw reply	[flat|nested] only message in thread