From: Martin KaFai Lau <kafai@fb.com>
To: John Fastabend <john.fastabend@gmail.com>
Cc: <ast@kernel.org>, <daniel@iogearbox.net>, <netdev@vger.kernel.org>
Subject: Re: [bpf PATCH 2/2] bpf: parse and verdict prog attach may race with bpf map update
Date: Thu, 17 May 2018 09:16:20 -0700 [thread overview]
Message-ID: <20180517161618.5otrhliubvurnj5p@kafai-mbp.dhcp.thefacebook.com> (raw)
In-Reply-To: <20180516214656.6664.34077.stgit@john-Precision-Tower-5810>
On Wed, May 16, 2018 at 02:46:56PM -0700, John Fastabend wrote:
> In the sockmap design BPF programs (SK_SKB_STREAM_PARSER and
> SK_SKB_STREAM_VERDICT) are attached to the sockmap map type and when
> a sock is added to the map the programs are used by the socket.
> However, sockmap updates from both userspace and BPF programs can
> happen concurrently with the attach and detach of these programs.
>
> To resolve this we use the bpf_prog_inc_not_zero and a READ_ONCE()
> primitive to ensure the program pointer is not refeched and
> possibly NULL'd before the refcnt increment. This happens inside
> a RCU critical section so although the pointer reference in the map
> object may be NULL (by a concurrent detach operation) the reference
> from READ_ONCE will not be free'd until after grace period. This
> ensures the object returned by READ_ONCE() is valid through the
> RCU criticl section and safe to use as long as we "know" it may
> be free'd shortly.
>
> Daniel spotted a case in the sock update API where instead of using
> the READ_ONCE() program reference we used the pointer from the
> original map, stab->bpf_{verdict|parse}. The problem with this is
> the logic checks the object returned from the READ_ONCE() is not
> NULL and then tries to reference the object again but using the
> above map pointer, which may have already been NULL'd by a parallel
> detach operation. If this happened bpf_porg_inc_not_zero could
> dereference a NULL pointer.
>
> Fix this by using variable returned by READ_ONCE() that is checked
> for NULL.
>
> Fixes: 2f857d04601a ("bpf: sockmap, remove STRPARSER map_flags and add multi-map support")
> Reported-by: Daniel Borkmann <daniel@iogearbox.net>
> Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
next prev parent reply other threads:[~2018-05-17 16:16 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-16 21:46 [bpf PATCH 1/2] bpf: sockmap update rollback on error can incorrectly dec prog refcnt John Fastabend
2018-05-16 21:46 ` [bpf PATCH 2/2] bpf: parse and verdict prog attach may race with bpf map update John Fastabend
2018-05-17 16:16 ` Martin KaFai Lau [this message]
2018-05-17 20:31 ` Daniel Borkmann
2018-05-17 21:06 ` John Fastabend
2018-05-17 16:15 ` [bpf PATCH 1/2] bpf: sockmap update rollback on error can incorrectly dec prog refcnt Martin KaFai Lau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180517161618.5otrhliubvurnj5p@kafai-mbp.dhcp.thefacebook.com \
--to=kafai@fb.com \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=john.fastabend@gmail.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.