From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jiri Olsa <jolsa@kernel.org>, Alexei Starovoitov <ast@kernel.org>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org, bpf@vger.kernel.org
Subject: [PATCH AUTOSEL 5.12 12/43] bpf: Add deny list of btf ids check for tracing programs
Date: Thu, 3 Jun 2021 13:07:02 -0400 [thread overview]
Message-ID: <20210603170734.3168284-12-sashal@kernel.org> (raw)
In-Reply-To: <20210603170734.3168284-1-sashal@kernel.org>
From: Jiri Olsa <jolsa@kernel.org>
[ Upstream commit 35e3815fa8102fab4dee75f3547472c66581125d ]
The recursion check in __bpf_prog_enter and __bpf_prog_exit
leaves some (not inlined) functions unprotected:
In __bpf_prog_enter:
- migrate_disable is called before prog->active is checked
In __bpf_prog_exit:
- migrate_enable,rcu_read_unlock_strict are called after
prog->active is decreased
When attaching trampoline to them we get panic like:
traps: PANIC: double fault, error_code: 0x0
double fault: 0000 [#1] SMP PTI
RIP: 0010:__bpf_prog_enter+0x4/0x50
...
Call Trace:
<IRQ>
bpf_trampoline_6442466513_0+0x18/0x1000
migrate_disable+0x5/0x50
__bpf_prog_enter+0x9/0x50
bpf_trampoline_6442466513_0+0x18/0x1000
migrate_disable+0x5/0x50
__bpf_prog_enter+0x9/0x50
bpf_trampoline_6442466513_0+0x18/0x1000
migrate_disable+0x5/0x50
__bpf_prog_enter+0x9/0x50
bpf_trampoline_6442466513_0+0x18/0x1000
migrate_disable+0x5/0x50
...
Fixing this by adding deny list of btf ids for tracing
programs and checking btf id during program verification.
Adding above functions to this list.
Suggested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20210429114712.43783-1-jolsa@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 21247e49fe82..99d13c29af7f 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -12556,6 +12556,17 @@ int bpf_check_attach_target(struct bpf_verifier_log *log,
return 0;
}
+BTF_SET_START(btf_id_deny)
+BTF_ID_UNUSED
+#ifdef CONFIG_SMP
+BTF_ID(func, migrate_disable)
+BTF_ID(func, migrate_enable)
+#endif
+#if !defined CONFIG_PREEMPT_RCU && !defined CONFIG_TINY_RCU
+BTF_ID(func, rcu_read_unlock_strict)
+#endif
+BTF_SET_END(btf_id_deny)
+
static int check_attach_btf_id(struct bpf_verifier_env *env)
{
struct bpf_prog *prog = env->prog;
@@ -12615,6 +12626,9 @@ static int check_attach_btf_id(struct bpf_verifier_env *env)
ret = bpf_lsm_verify_prog(&env->log, prog);
if (ret < 0)
return ret;
+ } else if (prog->type == BPF_PROG_TYPE_TRACING &&
+ btf_id_set_contains(&btf_id_deny, btf_id)) {
+ return -EINVAL;
}
key = bpf_trampoline_compute_key(tgt_prog, prog->aux->attach_btf, btf_id);
--
2.30.2
next prev parent reply other threads:[~2021-06-03 17:08 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-03 17:06 [PATCH AUTOSEL 5.12 01/43] ASoC: max98088: fix ni clock divider calculation Sasha Levin
2021-06-03 17:06 ` Sasha Levin
2021-06-03 17:06 ` [PATCH AUTOSEL 5.12 02/43] ASoC: amd: fix for pcm_read() error Sasha Levin
2021-06-03 17:06 ` Sasha Levin
2021-06-03 17:06 ` [PATCH AUTOSEL 5.12 03/43] spi: Fix spi device unregister flow Sasha Levin
2021-06-06 11:10 ` Lukas Wunner
2021-06-10 17:55 ` Sasha Levin
2021-06-10 19:22 ` Saravana Kannan
2021-06-10 19:26 ` Lukas Wunner
2021-06-10 19:30 ` Saravana Kannan
2021-06-10 22:29 ` Lukas Wunner
2021-06-10 23:01 ` Saravana Kannan
2021-06-03 17:06 ` [PATCH AUTOSEL 5.12 04/43] spi: spi-zynq-qspi: Fix stack violation bug Sasha Levin
2021-06-03 17:06 ` Sasha Levin
2021-06-03 17:06 ` [PATCH AUTOSEL 5.12 05/43] bpf: Forbid trampoline attach for functions with variable arguments Sasha Levin
2021-06-03 17:06 ` [PATCH AUTOSEL 5.12 06/43] ASoC: codecs: lpass-rx-macro: add missing MODULE_DEVICE_TABLE Sasha Levin
2021-06-03 17:06 ` Sasha Levin
2021-06-03 17:06 ` [PATCH AUTOSEL 5.12 07/43] ASoC: codecs: lpass-tx-macro: " Sasha Levin
2021-06-03 17:06 ` Sasha Levin
2021-06-03 17:06 ` [PATCH AUTOSEL 5.12 08/43] net/nfc/rawsock.c: fix a permission check bug Sasha Levin
2021-06-03 17:06 ` [PATCH AUTOSEL 5.12 09/43] usb: cdns3: Fix runtime PM imbalance on error Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 10/43] ASoC: Intel: bytcr_rt5640: Add quirk for the Glavey TM800A550L tablet Sasha Levin
2021-06-03 17:07 ` Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 11/43] ASoC: Intel: bytcr_rt5640: Add quirk for the Lenovo Miix 3-830 tablet Sasha Levin
2021-06-03 17:07 ` Sasha Levin
2021-06-03 17:07 ` Sasha Levin [this message]
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 13/43] vfio-ccw: Reset FSM state to IDLE inside FSM Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 14/43] vfio-ccw: Serialize FSM IDLE state with I/O completion Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 15/43] ASoC: sti-sas: add missing MODULE_DEVICE_TABLE Sasha Levin
2021-06-03 17:07 ` Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 16/43] spi: sprd: Add " Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 17/43] usb: chipidea: udc: assign interrupt number to USB gadget structure Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 18/43] isdn: mISDN: netjet: Fix crash in nj_probe: Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 19/43] bonding: init notify_work earlier to avoid uninitialized use Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 20/43] netlink: disable IRQs for netlink_lock_table() Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 21/43] net: mdiobus: get rid of a BUG_ON() Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 22/43] cgroup: disable controllers at parse time Sasha Levin
2021-06-03 17:07 ` Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 23/43] wq: handle VM suspension in stall detection Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 24/43] net/qla3xxx: fix schedule while atomic in ql_sem_spinlock Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 25/43] RDS tcp loopback connection can hang Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 26/43] net:sfc: fix non-freed irq in legacy irq mode Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 27/43] scsi: bnx2fc: Return failure if io_req is already in ABTS processing Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 28/43] scsi: vmw_pvscsi: Set correct residual data length Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 29/43] scsi: hisi_sas: Drop free_irq() of devm_request_irq() allocated irq Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 30/43] scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 31/43] net: macb: ensure the device is available before accessing GEMGXL control registers Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 32/43] net: appletalk: cops: Fix data race in cops_probe1 Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 33/43] net: dsa: microchip: enable phy errata workaround on 9567 Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 34/43] Makefile: LTO: have linker check -Wframe-larger-than Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 35/43] nvme-fabrics: decode host pathing error for connect Sasha Levin
2021-06-03 17:07 ` Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 36/43] MIPS: Fix kernel hang under FUNCTION_GRAPH_TRACER and PREEMPT_TRACER Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 37/43] bpf, selftests: Adjust few selftest result_unpriv outcomes Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 38/43] dm verity: fix require_signatures module_param permissions Sasha Levin
2021-06-03 17:07 ` [dm-devel] " Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 39/43] bnx2x: Fix missing error code in bnx2x_iov_init_one() Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 40/43] nvme-tcp: remove incorrect Kconfig dep in BLK_DEV_NVME Sasha Levin
2021-06-03 17:07 ` Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 41/43] nvmet: fix false keep-alive timeout when a controller is torn down Sasha Levin
2021-06-03 17:07 ` Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 42/43] powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P2041 i2c controllers Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 42/43] powerpc/fsl: set fsl, i2c-erratum-a004447 " Sasha Levin
2021-06-04 0:42 ` [PATCH AUTOSEL 5.12 42/43] powerpc/fsl: set fsl,i2c-erratum-a004447 " Michael Ellerman
2021-06-04 0:42 ` Michael Ellerman
2021-06-04 0:58 ` Chris Packham
2021-06-10 22:00 ` Sasha Levin
2021-06-10 22:00 ` Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 43/43] powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P1010 " Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 43/43] powerpc/fsl: set fsl, i2c-erratum-a004447 " Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210603170734.3168284-12-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=jolsa@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.