From: Hou Tao <houtao@huaweicloud.com>
To: bpf@vger.kernel.org, Song Liu <songliubraving@fb.com>
Cc: Hao Sun <sunhao.th@gmail.com>,
	Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
	Andrii Nakryiko <andrii@kernel.org>, Yonghong Song <yhs@fb.com>,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Martin KaFai Lau <kafai@fb.com>, KP Singh <kpsingh@kernel.org>,
	"David S . Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>,
	Jiri Olsa <jolsa@kernel.org>,
	John Fastabend <john.fastabend@gmail.com>,
	Lorenz Bauer <oss@lmb.io>,
	houtao1@huawei.com
Subject: [PATCH 3/3] bpf: Propagate error from htab_lock_bucket() to userspace
Date: Sun, 21 Aug 2022 11:32:23 +0800
Message-ID: <20220821033223.2598791-4-houtao@huaweicloud.com>
In-Reply-To: <20220821033223.2598791-1-houtao@huaweicloud.com>

From: Hou Tao <houtao1@huawei.com>

In __htab_map_lookup_and_delete_batch(), if htab_lock_bucket() returns
-EBUSY, it will go to the next bucket. Going to the next bucket may not
only skip the elements in the current bucket silently, but also incur
out-of-bounds memory access or expose kernel memory to userspace if
the current bucket_cnt is greater than bucket_size or zero.

Fix it by stopping the batch operation and returning -EBUSY when
htab_lock_bucket() fails, and the application can retry or skip the busy
batch as needed.

Reported-by: Hao Sun <sunhao.th@gmail.com>
Signed-off-by: Hou Tao <houtao1@huawei.com>
---
 kernel/bpf/hashtab.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
index 3ef7a853c737..ffd39048e6da 100644
--- a/kernel/bpf/hashtab.c
+++ b/kernel/bpf/hashtab.c
@@ -1711,8 +1711,11 @@ __htab_map_lookup_and_delete_batch(struct bpf_map *map,
 	/* do not grab the lock unless need it (bucket_cnt > 0). */
 	if (locked) {
 		ret = htab_lock_bucket(htab, b, batch, &flags);
-		if (ret)
-			goto next_batch;
+		if (ret) {
+			rcu_read_unlock();
+			bpf_enable_instrumentation();
+			goto after_loop;
+		}
 	}
 
 	bucket_cnt = 0;
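Review bot: The new `if (ret) {` branch relies on `after_loop` to carry the -EBUSY from htab_lock_bucket() back to userspace, but nothing in this hunk shows that `ret` survives that label or which batch position is reported to the caller. Please confirm that the code after `after_loop` does not overwrite `ret` on this path, and add a short comment above the branch saying that the batch stops here with -EBUSY and that the caller is expected to retry or skip the busy bucket, as the commit message describes. The branch also open-codes rcu_read_unlock() and bpf_enable_instrumentation() before the jump, so a one-line comment noting that these undo what was taken before the lock attempt would make the pairing easier to audit when the function is changed later. Since this makes a new error code visible to userspace from the batch operation, a selftest that exercises the busy-bucket path and a note in the map batch documentation would be worth adding in the same series.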
-- 
2.29.2

