On Tue, Apr 08, 2025 at 10:12:14AM -0700, Kuniyuki Iwashima wrote:
> From: Breno Leitao <[email protected]>
> Date: Tue, 8 Apr 2025 10:01:05 -0700
> > On Tue, Apr 08, 2025 at 09:16:51AM -0600, David Ahern wrote:
> > > On 4/8/25 8:27 AM, Breno Leitao wrote:
> > > > 
> > > >         SEC("tracepoint/tcp/tcp_sendmsg_locked")
> > > 
> > > Try `raw_tracepoint/tcp/tcp_sendmsg_locked`.
> > > 
> > > This is the form I use for my tracepoint based packet capture (not tied
> > > to this tracepoint, but traces inside our driver) and it works fine.
> > 
> > Thanks. I was not able to get this crashing either. In fact, the
> > following program fails to be loaded:
> > 
> >     SEC("raw_tracepoint/tcp/tcp_sendmsg_locked")
> 
> Try SEC("tp_btf/tcp_sendmsg_locked") and access the raw argument
> (struct sk_buff *skb) instead of bpf_raw_tracepoint_args.

Nice, I was able to crash the host, with the following code:

        #include "vmlinux.h"
        #include <bpf/bpf_helpers.h>
        #include <bpf/bpf_tracing.h>

        char LICENSE[] SEC("license") = "GPL";

        /* tp_btf: the raw tracepoint arguments arrive BTF-typed, not via bpf_raw_tracepoint_args */
        SEC("tp_btf/tcp_sendmsg_locked")
        int BPF_PROG(tcp_sendmsg_locked, struct sock *sk, struct msghdr *msg,
                     struct sk_buff *skb, int size_goal)
        {
                /* skb is dereferenced directly; a NULL skb faults on skb->len (offset 0x70) */
                bpf_printk("skb->len %d\n", skb->len);
                return 0;
        }

This is the unusually expected stacktrace. :-)

         BUG: kernel NULL pointer dereference, address: 0000000000000070
         #PF: supervisor read access in kernel mode
         #PF: error_code(0x0000) - not-present page
         PGD 10ca78067 P4D 0
         Oops: Oops: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI
         CPU: 13 UID: 0 PID: 1020 Comm: nc Tainted: G            E    N 6.14.0-upstream-05880-g14fbb7a1a500 #73 PREEMPT(undef)
         Tainted: [E]=UNSIGNED_MODULE, [N]=TEST
         Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
         RIP: 0010:bpf_prog_5b31430a4390397c_tcp_sendmsg_locked+0x18/0x37
         Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 0f 1f 00 55 48 89 e5 f3 0f 1e fa 48 8b 7f 10 <8b> 57 70 48 bf d8 d9 03 06 01 00 11 ff be 0d 00 00 00 e8 15 f4 4c
         RSP: 0018:ffa0000003c03bd0 EFLAGS: 00010282
         RAX: 5aab7562e1de3200 RBX: ffa0000003be4000 RCX: 0000000000000018
         RDX: 0000000000000000 RSI: ffa0000003be4048 RDI: 0000000000000000
         RBP: ffa0000003c03bd0 R08: 000000000006043d R09: ffffffffffffffff
         R10: 0000000000000000 R11: ffffffffa000096c R12: ff11000104ae5b00
         R13: ff1100010610a3c0 R14: ffffffff814d34ef R15: 0000000000000000
         FS:  00007fd67d550740(0000) GS:ff110005a40a9000(0000) knlGS:0000000000000000
         CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
         CR2: 0000000000000070 CR3: 000000010d9ec002 CR4: 0000000000771ef0
         PKRU: 55555554
         Call Trace:
          <TASK>
          ? __die_body+0xaf/0xc0
          ? page_fault_oops+0x35b/0x3c0
          ? do_user_addr_fault+0x6d4/0x730
          ? srso_alias_return_thunk+0x5/0xfbef5
          ? exc_page_fault+0x5f/0xe0
          ? asm_exc_page_fault+0x26/0x30
          ? bpf_trace_run4+0xbf/0x240
          ? 0xffffffffa000096c
          ? bpf_prog_5b31430a4390397c_tcp_sendmsg_locked+0x18/0x37
          bpf_trace_run4+0x14c/0x240
          ? trace_event_raw_event_tcp_sendmsg_locked+0xc3/0xf0
          __traceiter_tcp_sendmsg_locked+0x44/0x60
          tcp_sendmsg_locked+0x10c8/0x15b0
          ? __local_bh_enable_ip+0x166/0x1c0
          ? srso_alias_return_thunk+0x5/0xfbef5
          tcp_sendmsg+0x2c/0x50
          ? __pfx_inet6_sendmsg+0x10/0x10
          sock_sendmsg_nosec+0xa0/0x100
          __sys_sendto+0x1b4/0x1f0
          __x64_sys_sendto+0x26/0x30
          do_syscall_64+0x83/0x170
          entry_SYSCALL_64_after_hwframe+0x76/0x7e
