* [PATCH] bpf_lru_list: Read double-checked variable once without lock
@ 2021-02-09 11:27 Marco Elver
2021-02-10 5:59 ` Martin KaFai Lau
2021-02-11 0:00 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 4+ messages in thread
From: Marco Elver @ 2021-02-09 11:27 UTC (permalink / raw)
To: elver, ast, daniel, andrii, kafai, songliubraving, yhs,
john.fastabend, kpsingh, netdev, bpf, linux-kernel
Cc: kasan-dev, paulmck, dvyukov, syzbot+3536db46dfa58c573458,
syzbot+516acdb03d3e27d91bcd
For double-checked locking in bpf_common_lru_push_free(), node->type is
read outside the critical section and then re-checked under the lock.
However, concurrent writes to node->type result in data races.
For example, the following concurrent access was observed by KCSAN:
write to 0xffff88801521bc22 of 1 bytes by task 10038 on cpu 1:
__bpf_lru_node_move_in kernel/bpf/bpf_lru_list.c:91
__local_list_flush kernel/bpf/bpf_lru_list.c:298
...
read to 0xffff88801521bc22 of 1 bytes by task 10043 on cpu 0:
bpf_common_lru_push_free kernel/bpf/bpf_lru_list.c:507
bpf_lru_push_free kernel/bpf/bpf_lru_list.c:555
...
Fix the data races where node->type is read outside the critical section
(for double-checked locking) by marking the access with READ_ONCE() as
well as ensuring the variable is only accessed once.
Reported-by: syzbot+3536db46dfa58c573458@syzkaller.appspotmail.com
Reported-by: syzbot+516acdb03d3e27d91bcd@syzkaller.appspotmail.com
Signed-off-by: Marco Elver <elver@google.com>
---
Detailed reports:
https://groups.google.com/g/syzkaller-upstream-moderation/c/PwsoQ7bfi8k/m/NH9Ni2WxAQAJ
https://groups.google.com/g/syzkaller-upstream-moderation/c/-fXQO9ehxSM/m/RmQEcI2oAQAJ
---
kernel/bpf/bpf_lru_list.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/bpf_lru_list.c b/kernel/bpf/bpf_lru_list.c
index 1b6b9349cb85..d99e89f113c4 100644
--- a/kernel/bpf/bpf_lru_list.c
+++ b/kernel/bpf/bpf_lru_list.c
@@ -502,13 +502,14 @@ struct bpf_lru_node *bpf_lru_pop_free(struct bpf_lru *lru, u32 hash)
static void bpf_common_lru_push_free(struct bpf_lru *lru,
struct bpf_lru_node *node)
{
+ u8 node_type = READ_ONCE(node->type);
unsigned long flags;
- if (WARN_ON_ONCE(node->type == BPF_LRU_LIST_T_FREE) ||
- WARN_ON_ONCE(node->type == BPF_LRU_LOCAL_LIST_T_FREE))
+ if (WARN_ON_ONCE(node_type == BPF_LRU_LIST_T_FREE) ||
+ WARN_ON_ONCE(node_type == BPF_LRU_LOCAL_LIST_T_FREE))
return;
- if (node->type == BPF_LRU_LOCAL_LIST_T_PENDING) {
+ if (node_type == BPF_LRU_LOCAL_LIST_T_PENDING) {
struct bpf_lru_locallist *loc_l;
loc_l = per_cpu_ptr(lru->common_lru.local_list, node->cpu);
--
2.30.0.478.g8a0d178c01-goog
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH] bpf_lru_list: Read double-checked variable once without lock
2021-02-09 11:27 [PATCH] bpf_lru_list: Read double-checked variable once without lock Marco Elver
@ 2021-02-10 5:59 ` Martin KaFai Lau
2021-02-10 23:56 ` Andrii Nakryiko
2021-02-11 0:00 ` patchwork-bot+netdevbpf
1 sibling, 1 reply; 4+ messages in thread
From: Martin KaFai Lau @ 2021-02-10 5:59 UTC (permalink / raw)
To: Marco Elver
Cc: ast, daniel, andrii, songliubraving, yhs, john.fastabend,
kpsingh, netdev, bpf, linux-kernel, kasan-dev, paulmck, dvyukov,
syzbot+3536db46dfa58c573458, syzbot+516acdb03d3e27d91bcd
On Tue, Feb 09, 2021 at 12:27:01PM +0100, Marco Elver wrote:
> For double-checked locking in bpf_common_lru_push_free(), node->type is
> read outside the critical section and then re-checked under the lock.
> However, concurrent writes to node->type result in data races.
>
> For example, the following concurrent access was observed by KCSAN:
>
> write to 0xffff88801521bc22 of 1 bytes by task 10038 on cpu 1:
> __bpf_lru_node_move_in kernel/bpf/bpf_lru_list.c:91
> __local_list_flush kernel/bpf/bpf_lru_list.c:298
> ...
> read to 0xffff88801521bc22 of 1 bytes by task 10043 on cpu 0:
> bpf_common_lru_push_free kernel/bpf/bpf_lru_list.c:507
> bpf_lru_push_free kernel/bpf/bpf_lru_list.c:555
> ...
>
> Fix the data races where node->type is read outside the critical section
> (for double-checked locking) by marking the access with READ_ONCE() as
> well as ensuring the variable is only accessed once.
>
> Reported-by: syzbot+3536db46dfa58c573458@syzkaller.appspotmail.com
> Reported-by: syzbot+516acdb03d3e27d91bcd@syzkaller.appspotmail.com
> Signed-off-by: Marco Elver <elver@google.com>
> ---
> Detailed reports:
> https://groups.google.com/g/syzkaller-upstream-moderation/c/PwsoQ7bfi8k/m/NH9Ni2WxAQAJ
> https://groups.google.com/g/syzkaller-upstream-moderation/c/-fXQO9ehxSM/m/RmQEcI2oAQAJ
> ---
> kernel/bpf/bpf_lru_list.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/kernel/bpf/bpf_lru_list.c b/kernel/bpf/bpf_lru_list.c
> index 1b6b9349cb85..d99e89f113c4 100644
> --- a/kernel/bpf/bpf_lru_list.c
> +++ b/kernel/bpf/bpf_lru_list.c
> @@ -502,13 +502,14 @@ struct bpf_lru_node *bpf_lru_pop_free(struct bpf_lru *lru, u32 hash)
> static void bpf_common_lru_push_free(struct bpf_lru *lru,
> struct bpf_lru_node *node)
> {
> + u8 node_type = READ_ONCE(node->type);
> unsigned long flags;
>
> - if (WARN_ON_ONCE(node->type == BPF_LRU_LIST_T_FREE) ||
> - WARN_ON_ONCE(node->type == BPF_LRU_LOCAL_LIST_T_FREE))
> + if (WARN_ON_ONCE(node_type == BPF_LRU_LIST_T_FREE) ||
> + WARN_ON_ONCE(node_type == BPF_LRU_LOCAL_LIST_T_FREE))
> return;
>
> - if (node->type == BPF_LRU_LOCAL_LIST_T_PENDING) {
> + if (node_type == BPF_LRU_LOCAL_LIST_T_PENDING) {
I think this can be bpf-next.
Acked-by: Martin KaFai Lau <kafai@fb.com>
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] bpf_lru_list: Read double-checked variable once without lock
2021-02-10 5:59 ` Martin KaFai Lau
@ 2021-02-10 23:56 ` Andrii Nakryiko
0 siblings, 0 replies; 4+ messages in thread
From: Andrii Nakryiko @ 2021-02-10 23:56 UTC (permalink / raw)
To: Martin KaFai Lau
Cc: Marco Elver, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Song Liu, Yonghong Song, john fastabend,
KP Singh, Networking, bpf, open list, kasan-dev,
Paul E . McKenney, Dmitry Vyukov, syzbot+3536db46dfa58c573458,
syzbot+516acdb03d3e27d91bcd
On Tue, Feb 9, 2021 at 10:00 PM Martin KaFai Lau <kafai@fb.com> wrote:
>
> On Tue, Feb 09, 2021 at 12:27:01PM +0100, Marco Elver wrote:
> > For double-checked locking in bpf_common_lru_push_free(), node->type is
> > read outside the critical section and then re-checked under the lock.
> > However, concurrent writes to node->type result in data races.
> >
> > For example, the following concurrent access was observed by KCSAN:
> >
> > write to 0xffff88801521bc22 of 1 bytes by task 10038 on cpu 1:
> > __bpf_lru_node_move_in kernel/bpf/bpf_lru_list.c:91
> > __local_list_flush kernel/bpf/bpf_lru_list.c:298
> > ...
> > read to 0xffff88801521bc22 of 1 bytes by task 10043 on cpu 0:
> > bpf_common_lru_push_free kernel/bpf/bpf_lru_list.c:507
> > bpf_lru_push_free kernel/bpf/bpf_lru_list.c:555
> > ...
> >
> > Fix the data races where node->type is read outside the critical section
> > (for double-checked locking) by marking the access with READ_ONCE() as
> > well as ensuring the variable is only accessed once.
> >
> > Reported-by: syzbot+3536db46dfa58c573458@syzkaller.appspotmail.com
> > Reported-by: syzbot+516acdb03d3e27d91bcd@syzkaller.appspotmail.com
> > Signed-off-by: Marco Elver <elver@google.com>
> > ---
> > Detailed reports:
> > https://groups.google.com/g/syzkaller-upstream-moderation/c/PwsoQ7bfi8k/m/NH9Ni2WxAQAJ
> > https://groups.google.com/g/syzkaller-upstream-moderation/c/-fXQO9ehxSM/m/RmQEcI2oAQAJ
> > ---
> > kernel/bpf/bpf_lru_list.c | 7 ++++---
> > 1 file changed, 4 insertions(+), 3 deletions(-)
> >
> > diff --git a/kernel/bpf/bpf_lru_list.c b/kernel/bpf/bpf_lru_list.c
> > index 1b6b9349cb85..d99e89f113c4 100644
> > --- a/kernel/bpf/bpf_lru_list.c
> > +++ b/kernel/bpf/bpf_lru_list.c
> > @@ -502,13 +502,14 @@ struct bpf_lru_node *bpf_lru_pop_free(struct bpf_lru *lru, u32 hash)
> > static void bpf_common_lru_push_free(struct bpf_lru *lru,
> > struct bpf_lru_node *node)
> > {
> > + u8 node_type = READ_ONCE(node->type);
> > unsigned long flags;
> >
> > - if (WARN_ON_ONCE(node->type == BPF_LRU_LIST_T_FREE) ||
> > - WARN_ON_ONCE(node->type == BPF_LRU_LOCAL_LIST_T_FREE))
> > + if (WARN_ON_ONCE(node_type == BPF_LRU_LIST_T_FREE) ||
> > + WARN_ON_ONCE(node_type == BPF_LRU_LOCAL_LIST_T_FREE))
> > return;
> >
> > - if (node->type == BPF_LRU_LOCAL_LIST_T_PENDING) {
> > + if (node_type == BPF_LRU_LOCAL_LIST_T_PENDING) {
> I think this can be bpf-next.
>
> Acked-by: Martin KaFai Lau <kafai@fb.com>
Added Fixes: 3a08c2fd7634 ("bpf: LRU List") and applied to bpf-next, thanks.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] bpf_lru_list: Read double-checked variable once without lock
2021-02-09 11:27 [PATCH] bpf_lru_list: Read double-checked variable once without lock Marco Elver
2021-02-10 5:59 ` Martin KaFai Lau
@ 2021-02-11 0:00 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 4+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-02-11 0:00 UTC (permalink / raw)
To: Marco Elver
Cc: ast, daniel, andrii, kafai, songliubraving, yhs, john.fastabend,
kpsingh, netdev, bpf, linux-kernel, kasan-dev, paulmck, dvyukov,
syzbot+3536db46dfa58c573458, syzbot+516acdb03d3e27d91bcd
Hello:
This patch was applied to bpf/bpf-next.git (refs/heads/master):
On Tue, 9 Feb 2021 12:27:01 +0100 you wrote:
> For double-checked locking in bpf_common_lru_push_free(), node->type is
> read outside the critical section and then re-checked under the lock.
> However, concurrent writes to node->type result in data races.
>
> For example, the following concurrent access was observed by KCSAN:
>
> write to 0xffff88801521bc22 of 1 bytes by task 10038 on cpu 1:
> __bpf_lru_node_move_in kernel/bpf/bpf_lru_list.c:91
> __local_list_flush kernel/bpf/bpf_lru_list.c:298
> ...
> read to 0xffff88801521bc22 of 1 bytes by task 10043 on cpu 0:
> bpf_common_lru_push_free kernel/bpf/bpf_lru_list.c:507
> bpf_lru_push_free kernel/bpf/bpf_lru_list.c:555
> ...
>
> [...]
Here is the summary with links:
- bpf_lru_list: Read double-checked variable once without lock
https://git.kernel.org/bpf/bpf-next/c/6df8fb83301d
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-02-11 0:00 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-09 11:27 [PATCH] bpf_lru_list: Read double-checked variable once without lock Marco Elver
2021-02-10 5:59 ` Martin KaFai Lau
2021-02-10 23:56 ` Andrii Nakryiko
2021-02-11 0:00 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).