netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Toshiaki Makita <toshiaki.makita1@gmail.com>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Sasha Levin <sashal@kernel.org>,
	netdev@vger.kernel.org, xdp-newbies@vger.kernel.org,
	bpf@vger.kernel.org
Subject: [PATCH AUTOSEL 5.1 68/95] bpf, devmap: Fix premature entry free on destroying map
Date: Wed, 26 Jun 2019 20:29:53 -0400	[thread overview]
Message-ID: <20190627003021.19867-68-sashal@kernel.org> (raw)
In-Reply-To: <20190627003021.19867-1-sashal@kernel.org>

From: Toshiaki Makita <toshiaki.makita1@gmail.com>

[ Upstream commit d4dd153d551634683fccf8881f606fa9f3dfa1ef ]

dev_map_free() waits for flush_needed bitmap to be empty in order to
ensure all flush operations have completed before freeing its entries.
However the corresponding clear_bit() was called before using the
entries, so the entries could be used after free.

All access to the entries needs to be done before clearing the bit.
It seems commit a5e2da6e9787 ("bpf: netdev is never null in
__dev_map_flush") accidentally changed the clear_bit() and memory access
order.

Note that the problem happens only in __dev_map_flush(), not in
dev_map_flush_old(). dev_map_flush_old() is called only after nulling
out the corresponding netdev_map entry, so dev_map_free() never frees
the entry thus no such race happens there.

Fixes: a5e2da6e9787 ("bpf: netdev is never null in __dev_map_flush")
Signed-off-by: Toshiaki Makita <toshiaki.makita1@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/bpf/devmap.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index 1e525d70f833..e001fb1a96b1 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -291,10 +291,10 @@ void __dev_map_flush(struct bpf_map *map)
 		if (unlikely(!dev))
 			continue;
 
-		__clear_bit(bit, bitmap);
-
 		bq = this_cpu_ptr(dev->bulkq);
 		bq_xmit_all(dev, bq, XDP_XMIT_FLUSH, true);
+
+		__clear_bit(bit, bitmap);
 	}
 }
 
-- 
2.20.1


  parent reply	other threads:[~2019-06-27  0:51 UTC|newest]

Thread overview: 52+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20190627003021.19867-1-sashal@kernel.org>
2019-06-27  0:28 ` [PATCH AUTOSEL 5.1 08/95] bpf: fix out-of-bounds read in __bpf_skc_lookup Sasha Levin
2019-06-27  0:28 ` [PATCH AUTOSEL 5.1 09/95] samples, bpf: fix to change the buffer size for read() Sasha Levin
2019-06-27  0:28 ` [PATCH AUTOSEL 5.1 10/95] samples, bpf: suppress compiler warning Sasha Levin
2019-06-27  0:28 ` [PATCH AUTOSEL 5.1 11/95] bpf, riscv: clear target register high 32-bits for and/or/xor on ALU32 Sasha Levin
2019-06-27  0:28 ` [PATCH AUTOSEL 5.1 12/95] bpf: sockmap, restore sk_write_space when psock gets dropped Sasha Levin
2019-06-27  0:28 ` [PATCH AUTOSEL 5.1 13/95] mac80211: fix rate reporting inside cfg80211_calculate_bitrate_he() Sasha Levin
2019-06-27  0:28 ` [PATCH AUTOSEL 5.1 14/95] bpf: sockmap, fix use after free from sleep in psock backlog workqueue Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 19/95] mac80211: mesh: fix RCU warning Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 20/95] mac80211: free peer keys before vif down in mesh Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 22/95] mwifiex: Fix possible buffer overflows at parsing bss descriptor Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 23/95] mwifiex: Abort at too short BSS descriptor element Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 24/95] bpf, riscv: clear high 32 bits for ALU32 add/sub/neg/lsh/rsh/arsh Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 25/95] iwlwifi: fix load in rfkill flow for unified firmware Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 26/95] iwlwifi: clear persistence bit according to device family Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 27/95] iwlwifi: fix AX201 killer sku loading firmware issue Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 28/95] iwlwifi: Fix double-free problems in iwl_req_fw_callback() Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 29/95] mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 30/95] bpf: udp: ipv6: Avoid running reuseport's bpf_prog from __udp6_lib_err Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 31/95] bpf: udp: Avoid calling reuseport's bpf_prog from udp_gro Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 32/95] netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 33/95] tools: bpftool: Fix JSON output when lookup fails Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 36/95] netfilter: ipv6: nf_defrag: accept duplicate fragments again Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 37/95] dt-bindings: can: mcp251x: add mcp25625 support Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 38/95] can: mcp251x: add support for mcp25625 Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 39/95] can: m_can: implement errata "Needless activation of MRAF irq" Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 40/95] can: af_can: Fix error path of can_init() Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 41/95] can: flexcan: Remove unneeded registration message Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 42/95] net: phy: rename Asix Electronics PHY driver Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 43/95] ibmvnic: Do not close unopened driver during reset Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 44/95] ibmvnic: Refresh device multicast list after reset Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 45/95] ibmvnic: Fix unchecked return codes of memory allocations Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 48/95] bpf: lpm_trie: check left child of last leftmost node for NULL Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 54/95] xdp: check device pointer before clearing Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 56/95] mlxsw: spectrum: Disallow prio-tagged packets when PVID is removed Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 58/95] bpf: fix div64 overflow tests to properly detect errors Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 64/95] mac80211: only warn once on chanctx_conf being NULL Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 65/95] mac80211: do not start any work during reconfigure flow Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 66/95] cfg80211: util: fix bit count off by one Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 67/95] cfg80211: report measurement start TSF correctly Sasha Levin
2019-06-27  0:29 ` Sasha Levin [this message]
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 69/95] bpf, devmap: Add missing bulk queue free Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 70/95] bpf, devmap: Add missing RCU read lock on flush Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 71/95] bpf, x64: fix stack layout of JITed bpf code Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 72/95] qmi_wwan: add support for QMAP padding in the RX path Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 73/95] qmi_wwan: avoid RCU stalls on device disconnect when in QMAP mode Sasha Levin
2019-06-27  0:29 ` [PATCH AUTOSEL 5.1 74/95] qmi_wwan: extend permitted QMAP mux_id value range Sasha Levin
2019-06-27  0:30 ` [PATCH AUTOSEL 5.1 75/95] bpf: fix nested bpf tracepoints with per-cpu data Sasha Levin
2019-06-27  0:30 ` [PATCH AUTOSEL 5.1 84/95] bnx2x: Check if transceiver implements DDM before access Sasha Levin
2019-06-27  0:30 ` [PATCH AUTOSEL 5.1 86/95] ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL Sasha Levin
2019-06-27  0:30 ` [PATCH AUTOSEL 5.1 87/95] net: lio_core: fix potential sign-extension overflow on large shift Sasha Levin
2019-06-27  0:30 ` [PATCH AUTOSEL 5.1 92/95] net: dsa: mv88e6xxx: fix shift of FID bits in mv88e6185_g1_vtu_loadpurge() Sasha Levin
2019-06-27  0:30 ` [PATCH AUTOSEL 5.1 95/95] net :sunrpc :clnt :Fix xps refcount imbalance on the error path Sasha Levin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190627003021.19867-68-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=toshiaki.makita1@gmail.com \
    --cc=xdp-newbies@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).