BPF Archive on lore.kernel.org
 help / color / Atom feed
From: Alexei Starovoitov <alexei.starovoitov@gmail.com>
To: Yonghong Song <yhs@fb.com>
Cc: bpf@vger.kernel.org, Alexei Starovoitov <ast@fb.com>,
	Daniel Borkmann <daniel@iogearbox.net>,
	kernel-team@fb.com
Subject: Re: [PATCH bpf 1/2] bpf: fix a bug when getting subprog 0 jited image in check_attach_btf_id
Date: Wed, 4 Dec 2019 21:33:51 -0800
Message-ID: <20191205053349.y2jqc3kvehjj3luq@ast-mbp.dhcp.thefacebook.com> (raw)
In-Reply-To: <20191205010606.177774-1-yhs@fb.com>

On Wed, Dec 04, 2019 at 05:06:06PM -0800, Yonghong Song wrote:
> For jited bpf program, if the subprogram count is 1, i.e.,
> there is no callees in the program, prog->aux->func will be NULL
> and prog->bpf_func points to image address of the program.
> 
> If there is more than one subprogram, prog->aux->func is populated,
> and subprogram 0 can be accessed through either prog->bpf_func or
> prog->aux->func[0]. Other subprograms should be accessed through
> prog->aux->func[subprog_id].
> 
> This patch fixed a bug in check_attach_btf_id(), where
> prog->aux->func[subprog_id] is used to access any subprogram which
> caused a segfault like below:
>   [79162.619208] BUG: kernel NULL pointer dereference, address:
>   0000000000000000
>   ......
>   [79162.634255] Call Trace:
>   [79162.634974]  ? _cond_resched+0x15/0x30
>   [79162.635686]  ? kmem_cache_alloc_trace+0x162/0x220
>   [79162.636398]  ? selinux_bpf_prog_alloc+0x1f/0x60
>   [79162.637111]  bpf_prog_load+0x3de/0x690
>   [79162.637809]  __do_sys_bpf+0x105/0x1740
>   [79162.638488]  do_syscall_64+0x5b/0x180
>   [79162.639147]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
>   ......
> 
> Fixes: 5b92a28aae4d ("bpf: Support attaching tracing BPF program to other BPF programs")
> Reported-by: Eelco Chaudron <echaudro@redhat.com>
> Signed-off-by: Yonghong Song <yhs@fb.com>
> ---
>  kernel/bpf/verifier.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index a0482e1c4a77..034ef81f935b 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -9636,7 +9636,10 @@ static int check_attach_btf_id(struct bpf_verifier_env *env)
>  				ret = -EINVAL;
>  				goto out;
>  			}
> -			addr = (long) tgt_prog->aux->func[subprog]->bpf_func;
> +			if (subprog == 0)
> +				addr = (long) tgt_prog->bpf_func;
> +			else
> +				addr = (long) tgt_prog->aux->func[subprog]->bpf_func;

That is exactly the code I had while developing, but then decided to simplify
it, since tgt_prog->aux->func[0]->bpf_func == tgt_prog->bpf_func.
Oh well.
Thanks for the fix!


  reply index

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-05  1:06 [PATCH bpf 0/2] fix a verifier bug in check_attach_btf_id() Yonghong Song
2019-12-05  1:06 ` [PATCH bpf 1/2] bpf: fix a bug when getting subprog 0 jited image in check_attach_btf_id Yonghong Song
2019-12-05  5:33   ` Alexei Starovoitov [this message]
2019-12-05  1:06 ` [PATCH bpf 2/2] selftests/bpf: add a fexit/bpf2bpf test with target bpf prog no callees Yonghong Song
2019-12-05  5:37   ` Alexei Starovoitov

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191205053349.y2jqc3kvehjj3luq@ast-mbp.dhcp.thefacebook.com \
    --to=alexei.starovoitov@gmail.com \
    --cc=ast@fb.com \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=kernel-team@fb.com \
    --cc=yhs@fb.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

BPF Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/bpf/0 bpf/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 bpf bpf/ https://lore.kernel.org/bpf \
		bpf@vger.kernel.org
	public-inbox-index bpf

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.bpf


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git