From: John Fastabend <john.fastabend@gmail.com>
To: Daniel Borkmann <daniel@iogearbox.net>, ast@kernel.org
Cc: netdev@vger.kernel.org, davem@davemloft.net
Subject: Re: [PATCH bpf-next v6 1/4] bpf: sockmap, refactor sockmap routines to work with hashmap
Date: Wed, 16 May 2018 14:46:33 -0700 [thread overview]
Message-ID: <daf91cc6-a8cc-89aa-1450-9a10ea9a0728@gmail.com> (raw)
In-Reply-To: <954e3b7f-9001-e528-c6ab-f8f69c84cfd8@iogearbox.net>
On 05/15/2018 12:19 PM, Daniel Borkmann wrote:
> On 05/14/2018 07:00 PM, John Fastabend wrote:
> [...]
[...]
>
> As you say in the comment above the function wrt locking notes that the
> __sock_map_ctx_update_elem() can be called concurrently.
>
> All operations operate on sock_map using cmpxchg and xchg operations to ensure we
> do not get stale references. Any reads into the map must be done with READ_ONCE()
> because of this.
>
> You initially use the READ_ONCE() on the verdict/parse/tx_msg, but later on when
> grabbing the reference you use again progs->bpf_verdict/bpf_parse/bpf_tx_msg which
> would potentially refetch it, but if updates would happen concurrently e.g. to the
> three progs, they could be NULL in the mean-time, no? bpf_prog_inc_not_zero() would
> then crash. Why are not the ones used that you fetched previously via READ_ONCE()
> for taking the ref?
Nice catch. We should use the reference fetched by READ_ONCE in all cases.
>
> The second question I had is that verdict/parse/tx_msg are updated independently
> from each other and each could be NULL or non-NULL. What if, say, parse is NULL
> and verdict as well as tx_msg is non-NULL and the bpf_prog_inc_not_zero() on the
> tx_msg prog fails. Doesn't this cause a use-after-free since a ref on verdict wasn't
> taken earlier but the bpf_prog_put() will cause accidental misbalance/free of the
> progs?
Also good catch. I'll send patches for both now. Thanks.
>
> It would probably help to clarify the locking comment a bit more if indeed the
> above should be okay as is.
>
> Thanks,
> Daniel
>
next prev parent reply other threads:[~2018-05-16 21:46 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-14 17:00 [PATCH bpf-next v6 0/4] Hash support for sock John Fastabend
2018-05-14 17:00 ` [PATCH bpf-next v6 1/4] bpf: sockmap, refactor sockmap routines to work with hashmap John Fastabend
2018-05-15 19:19 ` Daniel Borkmann
2018-05-16 21:46 ` John Fastabend [this message]
2018-05-14 17:00 ` [PATCH bpf-next v6 2/4] bpf: sockmap, add hash map support John Fastabend
2018-05-15 19:01 ` Daniel Borkmann
2018-05-15 21:09 ` Y Song
2018-05-16 20:08 ` Daniel Borkmann
2018-05-14 17:00 ` [PATCH bpf-next v6 3/4] bpf: selftest additions for SOCKHASH John Fastabend
2018-05-14 17:00 ` [PATCH bpf-next v6 4/4] bpf: bpftool, support for sockhash John Fastabend
2018-05-15 18:55 ` [PATCH bpf-next v6 0/4] Hash support for sock Daniel Borkmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=daf91cc6-a8cc-89aa-1450-9a10ea9a0728@gmail.com \
--to=john.fastabend@gmail.com \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.