Re: [PATCH v3] bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap
From: bot+bpf-ci
Date: Fri Feb 06 2026 - 01:32:56 EST
> diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
> --- a/net/bpf/test_run.c
> +++ b/net/bpf/test_run.c
> @@ -989,6 +989,7 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
> u32 tailroom = SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
> struct net *net = current->nsproxy->net_ns;
> struct net_device *dev = net->loopback_dev;
> + struct dst_entry bpf_test_run_lwt_xmit_dst;
> u32 headroom = NET_SKB_PAD + NET_IP_ALIGN;
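Review bot: The new `struct dst_entry bpf_test_run_lwt_xmit_dst` is a stack object whose address is later handed to the skb with a noref set, so it has to stay valid for as long as the skb can still dereference its dst; a short comment at the declaration stating that requirement (and that only the LWT_XMIT path uses it) would make the lifetime contract explicit for future readers. The `bpf_test_run_` prefix on a function-local variable also reads like a global; a plain `lwt_xmit_dst` would match the surrounding locals (`tailroom`, `headroom`, `dev`).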
[ ... ]
> @@ -1156,6 +1157,12 @@
> skb->ip_summed = CHECKSUM_COMPLETE;
> }
>
> + if (prog->type == BPF_PROG_TYPE_LWT_XMIT) {
> + dst_init(&bpf_test_run_lwt_xmit_dst, NULL, NULL,
> + DST_OBSOLETE_NONE, DST_NOCOUNT);
> + bpf_test_run_lwt_xmit_dst.dev = dev;
> + skb_dst_set_noref(skb, &bpf_test_run_lwt_xmit_dst);
> + }
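Review bot: The call `dst_init(&bpf_test_run_lwt_xmit_dst, NULL, NULL, DST_OBSOLETE_NONE, DST_NOCOUNT);` passes NULL for both ops and dev, and then `bpf_test_run_lwt_xmit_dst.dev = dev;` assigns the device by hand. If that is deliberate (avoiding a tracked device reference that would otherwise need to be dropped, and relying on DST_NOCOUNT plus the noref set so the NULL ops are never dereferenced), please say so in a comment next to the block, because as written it looks like dev was simply omitted from the init call. The block also runs before `bpf_test_run()`, so the RCU/BH context that `skb_dst_set_noref()` expects should be confirmed or established here.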
Will skb_dst_set_noref() trigger a WARN_ON here? Looking at the function
in include/linux/skbuff.h:
static inline void skb_dst_set_noref(struct sk_buff *skb, struct dst_entry *dst)
{
skb_dst_check_unset(skb);
WARN_ON(!rcu_read_lock_held() && !rcu_read_lock_bh_held());
...
}
This code runs from syscall context in bpf_prog_test_run_skb() before
bpf_test_run() is called. At this point, neither rcu_read_lock() nor
local_bh_disable() is held - local_bh_disable() is only called inside
bpf_test_run().
Should the dst setup be wrapped with rcu_read_lock()/rcu_read_unlock(),
or moved inside bpf_test_run() where RCU-bh context is already held?
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21740645384
AI-authorship-score: low
AI-authorship-explanation: The commit shows human authorship with real bug reporters from HUST, actual crash stack trace, self-aware comment using Temporarily, and author from kylinos.cn Linux distribution company.
issues-found: 1
issue-severity-score: low
issue-severity-explanation: WARN_ON will trigger in skb_dst_set_noref due to missing RCU context, causing kernel log warnings but no functional impact.