From: Andrii Nakryiko <andrii.nakryiko@gmail.com>
To: Yonghong Song <yhs@fb.com>
Cc: bpf <bpf@vger.kernel.org>, Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Kernel Team <kernel-team@fb.com>,
syzbot+7ee5c2c09c284495371f@syzkaller.appspotmail.com
Subject: Re: [PATCH bpf v4] bpf: add rcu read_lock in bpf_get_current_[ancestor_]cgroup_id() helpers
Date: Wed, 11 Aug 2021 11:46:51 -0700 [thread overview]
Message-ID: <CAEf4BzbJgCHox451DA1p3KFNNyKMf1uomDOmPfdMK9zvbvgbgA@mail.gmail.com> (raw)
In-Reply-To: <20210810230537.2864668-1-yhs@fb.com>
On Tue, Aug 10, 2021 at 4:05 PM Yonghong Song <yhs@fb.com> wrote:
>
> Currently, if bpf_get_current_cgroup_id() or
> bpf_get_current_ancestor_cgroup_id() helper is
> called with sleepable programs e.g., sleepable
> fentry/fmod_ret/fexit/lsm programs, a rcu warning
> may appear. For example, if I added the following
> hack to test_progs/test_lsm sleepable fentry program
> test_sys_setdomainname:
>
> --- a/tools/testing/selftests/bpf/progs/lsm.c
> +++ b/tools/testing/selftests/bpf/progs/lsm.c
> @@ -168,6 +168,10 @@ int BPF_PROG(test_sys_setdomainname, struct pt_regs *regs)
> int buf = 0;
> long ret;
>
> + __u64 cg_id = bpf_get_current_cgroup_id();
> + if (cg_id == 1000)
> + copy_test++;
> +
> ret = bpf_copy_from_user(&buf, sizeof(buf), ptr);
> if (len == -2 && ret == 0 && buf == 1234)
> copy_test++;
>
> I will hit the following rcu warning:
>
> include/linux/cgroup.h:481 suspicious rcu_dereference_check() usage!
> other info that might help us debug this:
> rcu_scheduler_active = 2, debug_locks = 1
> 1 lock held by test_progs/260:
> #0: ffffffffa5173360 (rcu_read_lock_trace){....}-{0:0}, at: __bpf_prog_enter_sleepable+0x0/0xa0
> stack backtrace:
> CPU: 1 PID: 260 Comm: test_progs Tainted: G O 5.14.0-rc2+ #176
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
> Call Trace:
> dump_stack_lvl+0x56/0x7b
> bpf_get_current_cgroup_id+0x9c/0xb1
> bpf_prog_a29888d1c6706e09_test_sys_setdomainname+0x3e/0x89c
> bpf_trampoline_6442469132_0+0x2d/0x1000
> __x64_sys_setdomainname+0x5/0x110
> do_syscall_64+0x3a/0x80
> entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> I can get similar warning using bpf_get_current_ancestor_cgroup_id() helper.
> syzbot reported a similar issue in [1] for syscall program. Helper
> bpf_get_current_cgroup_id() or bpf_get_current_ancestor_cgroup_id()
> has the following callchain:
> task_dfl_cgroup
> task_css_set
> task_css_set_check
> and we have
> #define task_css_set_check(task, __c) \
> rcu_dereference_check((task)->cgroups, \
> lockdep_is_held(&cgroup_mutex) || \
> lockdep_is_held(&css_set_lock) || \
> ((task)->flags & PF_EXITING) || (__c))
> Since cgroup_mutex/css_set_lock is not held and the task
> is not existing and rcu read_lock is not held, a warning
> will be issued. Note that bpf sleepable program is protected by
> rcu_read_lock_trace().
>
> The above sleepable bpf programs are already protected
> by migrate_disable(). Adding rcu_read_lock() in these
> two helpers will silence the above warning.
> I marked the patch fixing 95b861a7935b
> ("bpf: Allow bpf_get_current_ancestor_cgroup_id for tracing")
> which added bpf_get_current_ancestor_cgroup_id() to tracing programs
> in 5.14. I think backporting 5.14 is probably good enough as sleepable
> progrems are not widely used.
>
> This patch should fix [1] as well since syscall program is a sleepable
> program protected with migrate_disable().
>
> [1] https://lore.kernel.org/bpf/0000000000006d5cab05c7d9bb87@google.com/
>
> Reported-by: syzbot+7ee5c2c09c284495371f@syzkaller.appspotmail.com
> Fixes: 95b861a7935b ("bpf: Allow bpf_get_current_ancestor_cgroup_id for tracing")
> Signed-off-by: Yonghong Song <yhs@fb.com>
> ---
> kernel/bpf/helpers.c | 22 ++++++++++++++++------
> 1 file changed, 16 insertions(+), 6 deletions(-)
>
> Changelog:
> v3 -> v4:
> - ensure rcu_read_lock() region enclosing all accesses to cgroup.
Applied to bpf, thanks!
> v2 -> v3:
> - use rcu_read_lock() protection for
> bpf_get_current_[ancestor_]cgroup_id() helper.
> v1 -> v2:
> - disallow bpf_get_current_[ancestor_]cgroup_id() helper.
>
[...]
prev parent reply other threads:[~2021-08-11 18:47 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-10 23:05 [PATCH bpf v4] bpf: add rcu read_lock in bpf_get_current_[ancestor_]cgroup_id() helpers Yonghong Song
2021-08-11 18:46 ` Andrii Nakryiko [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAEf4BzbJgCHox451DA1p3KFNNyKMf1uomDOmPfdMK9zvbvgbgA@mail.gmail.com \
--to=andrii.nakryiko@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kernel-team@fb.com \
--cc=syzbot+7ee5c2c09c284495371f@syzkaller.appspotmail.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.