Netdev Archive on lore.kernel.org
 help / color / Atom feed
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Toshiaki Makita <toshiaki.makita1@gmail.com>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Sasha Levin <sashal@kernel.org>,
	netdev@vger.kernel.org, xdp-newbies@vger.kernel.org,
	bpf@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 42/60] bpf, devmap: Fix premature entry free on destroying map
Date: Wed, 26 Jun 2019 20:35:57 -0400
Message-ID: <20190627003616.20767-42-sashal@kernel.org> (raw)
In-Reply-To: <20190627003616.20767-1-sashal@kernel.org>

From: Toshiaki Makita <toshiaki.makita1@gmail.com>

[ Upstream commit d4dd153d551634683fccf8881f606fa9f3dfa1ef ]

dev_map_free() waits for flush_needed bitmap to be empty in order to
ensure all flush operations have completed before freeing its entries.
However the corresponding clear_bit() was called before using the
entries, so the entries could be used after free.

All access to the entries needs to be done before clearing the bit.
It seems commit a5e2da6e9787 ("bpf: netdev is never null in
__dev_map_flush") accidentally changed the clear_bit() and memory access
order.

Note that the problem happens only in __dev_map_flush(), not in
dev_map_flush_old(). dev_map_flush_old() is called only after nulling
out the corresponding netdev_map entry, so dev_map_free() never frees
the entry thus no such race happens there.

Fixes: a5e2da6e9787 ("bpf: netdev is never null in __dev_map_flush")
Signed-off-by: Toshiaki Makita <toshiaki.makita1@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/bpf/devmap.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index 2faad033715f..99353ac28cd4 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -291,10 +291,10 @@ void __dev_map_flush(struct bpf_map *map)
 		if (unlikely(!dev))
 			continue;
 
-		__clear_bit(bit, bitmap);
-
 		bq = this_cpu_ptr(dev->bulkq);
 		bq_xmit_all(dev, bq, XDP_XMIT_FLUSH, true);
+
+		__clear_bit(bit, bitmap);
 	}
 }
 
-- 
2.20.1


  parent reply index

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20190627003616.20767-1-sashal@kernel.org>
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 04/60] samples, bpf: fix to change the buffer size for read() Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 05/60] samples, bpf: suppress compiler warning Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 06/60] mac80211: fix rate reporting inside cfg80211_calculate_bitrate_he() Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 07/60] bpf: sockmap, fix use after free from sleep in psock backlog workqueue Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 11/60] mac80211: mesh: fix RCU warning Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 12/60] mac80211: free peer keys before vif down in mesh Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 13/60] mwifiex: Fix possible buffer overflows at parsing bss descriptor Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 14/60] mwifiex: Abort at too short BSS descriptor element Sasha Levin
2019-06-28 22:58   ` Brian Norris
2019-07-10 14:51     ` Sasha Levin
2019-07-10 21:12       ` Brian Norris
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 15/60] iwlwifi: Fix double-free problems in iwl_req_fw_callback() Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 16/60] mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 17/60] bpf: udp: Avoid calling reuseport's bpf_prog from udp_gro Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 18/60] netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 20/60] netfilter: ipv6: nf_defrag: accept duplicate fragments again Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 21/60] dt-bindings: can: mcp251x: add mcp25625 support Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 22/60] can: mcp251x: add support for mcp25625 Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 23/60] can: m_can: implement errata "Needless activation of MRAF irq" Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 24/60] can: af_can: Fix error path of can_init() Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 25/60] net: phy: rename Asix Electronics PHY driver Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 26/60] ibmvnic: Do not close unopened driver during reset Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 27/60] ibmvnic: Refresh device multicast list after reset Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 28/60] ibmvnic: Fix unchecked return codes of memory allocations Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 31/60] bpf: lpm_trie: check left child of last leftmost node for NULL Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 37/60] mlxsw: spectrum: Disallow prio-tagged packets when PVID is removed Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 40/60] mac80211: only warn once on chanctx_conf being NULL Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 41/60] mac80211: do not start any work during reconfigure flow Sasha Levin
2019-06-27  0:35 ` Sasha Levin [this message]
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 43/60] bpf, devmap: Add missing bulk queue free Sasha Levin
2019-06-27  0:35 ` [PATCH AUTOSEL 4.19 44/60] bpf, devmap: Add missing RCU read lock on flush Sasha Levin
2019-06-27  0:36 ` [PATCH AUTOSEL 4.19 45/60] bpf, x64: fix stack layout of JITed bpf code Sasha Levin
2019-06-27  0:36 ` [PATCH AUTOSEL 4.19 46/60] qmi_wwan: add support for QMAP padding in the RX path Sasha Levin
2019-06-27  0:36 ` [PATCH AUTOSEL 4.19 47/60] qmi_wwan: avoid RCU stalls on device disconnect when in QMAP mode Sasha Levin
2019-06-27  0:36 ` [PATCH AUTOSEL 4.19 48/60] qmi_wwan: extend permitted QMAP mux_id value range Sasha Levin
2019-06-27  0:36 ` [PATCH AUTOSEL 4.19 49/60] bpf: fix nested bpf tracepoints with per-cpu data Sasha Levin
2019-06-27  0:36 ` [PATCH AUTOSEL 4.19 52/60] bnx2x: Check if transceiver implements DDM before access Sasha Levin
2019-06-27  0:36 ` [PATCH AUTOSEL 4.19 54/60] ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL Sasha Levin
2019-06-27  0:36 ` [PATCH AUTOSEL 4.19 55/60] net: lio_core: fix potential sign-extension overflow on large shift Sasha Levin
2019-06-27  0:36 ` [PATCH AUTOSEL 4.19 58/60] net: dsa: mv88e6xxx: fix shift of FID bits in mv88e6185_g1_vtu_loadpurge() Sasha Levin
2019-06-27  0:36 ` [PATCH AUTOSEL 4.19 60/60] net :sunrpc :clnt :Fix xps refcount imbalance on the error path Sasha Levin

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190627003616.20767-42-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=toshiaki.makita1@gmail.com \
    --cc=xdp-newbies@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Netdev Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/netdev/0 netdev/git/0.git
	git clone --mirror https://lore.kernel.org/netdev/1 netdev/git/1.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 netdev netdev/ https://lore.kernel.org/netdev \
		netdev@vger.kernel.org netdev@archiver.kernel.org
	public-inbox-index netdev


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.netdev


AGPL code for this site: git clone https://public-inbox.org/ public-inbox