From: Lee Jones <lee@kernel.org>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: "Jiri Olsa" <jolsa@kernel.org>,
	stable@vger.kernel.org, "Alexei Starovoitov" <ast@kernel.org>,
	"Daniel Borkmann" <daniel@iogearbox.net>,
	"Andrii Nakryiko" <andrii@kernel.org>,
	"Maciej Fijalkowski" <maciej.fijalkowski@intel.com>,
	syzbot+97a4fe20470e9bc30810@syzkaller.appspotmail.com,
	"Yonghong Song" <yonghong.song@linux.dev>,
	bpf@vger.kernel.org, "Martin KaFai Lau" <kafai@fb.com>,
	"Song Liu" <songliubraving@fb.com>, "Yonghong Song" <yhs@fb.com>,
	"John Fastabend" <john.fastabend@gmail.com>,
	"KP Singh" <kpsingh@chromium.org>,
	"Stanislav Fomichev" <sdf@google.com>,
	"Hao Luo" <haoluo@google.com>, "Xu Kuohai" <xukuohai@huawei.com>,
	"Will Deacon" <will@kernel.org>,
	"Nathan Chancellor" <nathan@kernel.org>,
	"Pu Lehui" <pulehui@huawei.com>, "Björn Töpel" <bjorn@kernel.org>,
	"Ilya Leoshkevich" <iii@linux.ibm.com>
Subject: Re: [PATCHv4 bpf 1/2] bpf: Fix prog_array_map_poke_run map poke update
Date: Thu, 21 Dec 2023 09:55:22 +0000
Message-ID: <20231221095522.GB10102@google.com>
In-Reply-To: <2023122113-thirsting-county-ca67@gregkh>

On Thu, 21 Dec 2023, Greg KH wrote:

> On Thu, Dec 21, 2023 at 09:07:45AM +0000, Lee Jones wrote:
> > Dear Stable,
> > 
> > > Lee pointed out an issue found by syzkaller [0] hitting a BUG in the prog array
> > > map poke update in the prog_array_map_poke_run function, due to an error value
> > > returned from the bpf_arch_text_poke function.
> > > 
> > > There's a race window where bpf_arch_text_poke can fail due to missing
> > > bpf program kallsym symbols, which is accounted for with the check for
> > > -EINVAL in that BUG_ON call.
> > > 
> > > The problem is that in such a case we won't update the tail call jump,
> > > which causes an imbalance for the next tail call update check, which will
> > > fail with -EBUSY in bpf_arch_text_poke.
> > > 
> > > I'm hitting following race during the program load:
> > > 
> > >   CPU 0                             CPU 1
> > > 
> > >   bpf_prog_load
> > >     bpf_check
> > >       do_misc_fixups
> > >         prog_array_map_poke_track
> > > 
> > >                                     map_update_elem
> > >                                       bpf_fd_array_map_update_elem
> > >                                         prog_array_map_poke_run
> > > 
> > >                                           bpf_arch_text_poke returns -EINVAL
> > > 
> > >     bpf_prog_kallsyms_add
> > > 
> > > After bpf_arch_text_poke (CPU 1) fails to update the tail call jump, the next
> > > poke update fails on the expected jump instruction check in bpf_arch_text_poke
> > > with -EBUSY and triggers the BUG_ON in prog_array_map_poke_run.
> > > 
> > > Similar race exists on the program unload.
> > > 
> > > Fix this by moving the update to the bpf_arch_poke_desc_update function, which
> > > makes sure we call __bpf_arch_text_poke, which skips the bpf address check.
> > > 
> > > Each architecture has a slightly different approach wrt looking up the bpf address
> > > in bpf_arch_text_poke, so instead of splitting the function or adding a new
> > > 'checkip' argument as in the previous version, it seems best to move the whole
> > > map_poke_run update into arch specific code.
> > > 
> > > [0] https://syzkaller.appspot.com/bug?extid=97a4fe20470e9bc30810
> > > 
> > > Cc: Lee Jones <lee@kernel.org>
> > > Cc: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
> > > Fixes: ebf7d1f508a7 ("bpf, x64: rework pro/epilogue and tailcall handling in JIT")
> > > Reported-by: syzbot+97a4fe20470e9bc30810@syzkaller.appspotmail.com
> > > Acked-by: Yonghong Song <yonghong.song@linux.dev>
> > > Signed-off-by: Jiri Olsa <jolsa@kernel.org>
> > > ---
> > >  arch/x86/net/bpf_jit_comp.c | 46 +++++++++++++++++++++++++++++
> > >  include/linux/bpf.h         |  3 ++
> > >  kernel/bpf/arraymap.c       | 58 +++++++------------------------------
> > >  3 files changed, 59 insertions(+), 48 deletions(-)
> > 
> > Please could we have this backported?
> > 
> > Guided by the Fixes: tag.
> 
> <formletter>
> 
> This is not the correct way to submit patches for inclusion in the
> stable kernel tree.  Please read:
>     https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> for how to do this properly.
> 
> </formletter>

Apologies.

Commit ID: 4b7de801606e504e69689df71475d27e35336fb3
Subject:   bpf: Fix prog_array_map_poke_run map poke update
Reason:    Fixes a race condition in BPF.
Versions:  linux-5.10.y+, as specified by the Fixes: tag above

Thanks.

-- 
Lee Jones [李琼斯]
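A small C model of the interleaving described in the quoted commit message, added here for illustration; it is not kernel code and not part of the patch. The model_* functions, the integer "targets" standing in for jump addresses, and the boolean standing in for the kallsyms registration are all assumptions. Only the error values (-EINVAL for an address that is not yet known as bpf text, -EBUSY for an unexpected old instruction) and the BUG_ON condition (any error other than -EINVAL) follow what the commit message states. The replay runs the same two map updates twice: once through the pre-fix path, where the outer poke is tolerated when it fails with -EINVAL, and once through the post-fix path, where the arch code calls the inner poke that skips the address check.

```c
/* Model of the prog_array_map_poke_run race (added example, not kernel code).
 * A jump site is an int "target" (0 = no program); the kallsyms check is a
 * flag on the program whose JIT image contains the jump site. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct model_prog {
    bool kallsyms_registered;   /* true once bpf_prog_kallsyms_add has run */
};

struct model_poke_slot {
    int target;                 /* program the tail call currently jumps to */
};

/* Stand-in for __bpf_arch_text_poke: patch only if the instruction currently
 * at the site matches what the caller expects, else -EBUSY. */
static int model_inner_text_poke(struct model_poke_slot *slot,
                                 int old_addr, int new_addr)
{
    if (slot->target != old_addr)
        return -EBUSY;
    slot->target = new_addr;
    return 0;
}

/* Stand-in for bpf_arch_text_poke: refuse to touch an address that is not
 * (yet) registered as bpf text, else fall through to the inner poke. */
static int model_text_poke(const struct model_prog *owner,
                           struct model_poke_slot *slot,
                           int old_addr, int new_addr)
{
    if (!owner->kallsyms_registered)
        return -EINVAL;
    return model_inner_text_poke(slot, old_addr, new_addr);
}

/* The BUG_ON condition in the pre-fix prog_array_map_poke_run:
 * every error except -EINVAL is fatal. */
static bool model_bug_on_cond(int ret)
{
    return ret < 0 && ret != -EINVAL;
}

/* Replay the commit message's interleaving. Returns 1 if the BUG_ON
 * condition was hit at any step, 0 otherwise; *final_target receives the
 * jump target left at the site. Program ids 2 and 3 are arbitrary. */
static int model_replay_race(bool fixed, int *final_target)
{
    struct model_prog loader = { .kallsyms_registered = false };
    struct model_poke_slot slot = { .target = 0 };
    int ret, bug = 0;

    /* CPU 1: map_update_elem, slot 0 -> 2, while CPU 0 is still between
     * prog_array_map_poke_track and bpf_prog_kallsyms_add. */
    ret = fixed ? model_inner_text_poke(&slot, 0, 2)
                : model_text_poke(&loader, &slot, 0, 2);
    bug |= model_bug_on_cond(ret);

    /* CPU 0: bpf_prog_kallsyms_add completes. */
    loader.kallsyms_registered = true;

    /* Next update, 2 -> 3. The map believes the site already jumps to 2. */
    ret = fixed ? model_inner_text_poke(&slot, 2, 3)
                : model_text_poke(&loader, &slot, 2, 3);
    bug |= model_bug_on_cond(ret);

    *final_target = slot.target;
    return bug;
}

int main(void)
{
    int target, bug;

    bug = model_replay_race(false, &target);
    printf("before fix: BUG_ON hit=%d, site target=%d\n", bug, target);
    bug = model_replay_race(true, &target);
    printf("after fix:  BUG_ON hit=%d, site target=%d\n", bug, target);
    return 0;
}
```

In the pre-fix replay the first poke is silently dropped (-EINVAL), the site keeps target 0, and the second poke then fails the expected-instruction check with -EBUSY, which is the BUG_ON the syzbot report hit. In the post-fix replay the inner poke is used for both updates, so the site tracks the map contents and no imbalance builds up.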

Thread overview: 11+ messages
2023-12-06  8:30 [PATCHv4 bpf 0/2] bpf: Fix map poke update Jiri Olsa
2023-12-06  8:30 ` [PATCHv4 bpf 1/2] bpf: Fix prog_array_map_poke_run " Jiri Olsa
2023-12-21  9:07   ` Lee Jones
2023-12-21  9:34     ` Greg KH
2023-12-21  9:55       ` Lee Jones [this message]
2023-12-21 10:02         ` Greg KH
2023-12-21 10:17           ` Lee Jones
2023-12-21 14:00             ` Jiri Olsa
2023-12-21 14:34               ` Lee Jones
2023-12-06  8:30 ` [PATCHv4 bpf 2/2] selftests/bpf: Add test for early update in prog_array_map_poke_run Jiri Olsa
2023-12-06 21:50 ` [PATCHv4 bpf 0/2] bpf: Fix map poke update patchwork-bot+netdevbpf
