| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <41b5f919-3155-5bd4-2774-84efd58650e2@iogearbox.net>
Date: Tue, 17 Jul 2018 00:30:18 +0200
From: Daniel Borkmann <daniel@...earbox.net>
To: Roman Gushchin <guro@...com>, netdev@...r.kernel.org
Cc: linux-kernel@...r.kernel.org, kernel-team@...com,
Alexei Starovoitov <ast@...nel.org>
Subject: Re: [PATCH v2 bpf 3/5] bpf: bpf_prog_array_free() should take a
generic non-rcu pointer
On 07/13/2018 09:41 PM, Roman Gushchin wrote:
> bpf_prog_array_free() should take a generic non-rcu pointer
> as an argument, as freeing the objects assumes that we're
> holding an exclusive rights on it.
>
> rcu_access_pointer() can be used to convert a __rcu pointer to
> a generic pointer before passing it to bpf_prog_array_free(),
> if necessary.
>
> This patch eliminates the following sparse warning:
> kernel/bpf/core.c:1556:9: warning: incorrect type in argument 1 (different address spaces)
> kernel/bpf/core.c:1556:9: expected struct callback_head *head
> kernel/bpf/core.c:1556:9: got struct callback_head [noderef] <asn:4>*<noident>
>
> Fixes: 324bda9e6c5a ("bpf: multi program support for cgroup+bpf")
> Signed-off-by: Roman Gushchin <guro@...com>
> Cc: Alexei Starovoitov <ast@...nel.org>
> Cc: Daniel Borkmann <daniel@...earbox.net>
> ---
> drivers/media/rc/bpf-lirc.c | 6 +++---
> include/linux/bpf.h | 2 +-
> kernel/bpf/cgroup.c | 11 ++++++-----
> kernel/bpf/core.c | 5 ++---
> kernel/trace/bpf_trace.c | 8 ++++----
> 5 files changed, 16 insertions(+), 16 deletions(-)
>
> diff --git a/drivers/media/rc/bpf-lirc.c b/drivers/media/rc/bpf-lirc.c
> index fcfab6635f9c..509b262aa0dc 100644
> --- a/drivers/media/rc/bpf-lirc.c
> +++ b/drivers/media/rc/bpf-lirc.c
> @@ -135,7 +135,7 @@ static int lirc_bpf_attach(struct rc_dev *rcdev, struct bpf_prog *prog)
> goto unlock;
>
> rcu_assign_pointer(raw->progs, new_array);
> - bpf_prog_array_free(old_array);
> + bpf_prog_array_free(rcu_access_pointer(old_array));
Taking this one as an example, why can't we already do the rcu_dereference() on the
'old_array = raw->progs' where we fetch the old_array initially? Then we also wouldn't
need the rcu_access_pointer() on bpf_prog_array_free() and yet another rcu_dereference()
inside the bpf_prog_array_copy() from your later patch?
Regarding former, rcu_access_pointer() should also only be used for testing the pointer
value, but deeper in bpf_prog_array_free() we also deref it, etc.
> unlock:
> mutex_unlock(&ir_raw_handler_lock);
> @@ -173,7 +173,7 @@ static int lirc_bpf_detach(struct rc_dev *rcdev, struct bpf_prog *prog)
> goto unlock;
>
> rcu_assign_pointer(raw->progs, new_array);
> - bpf_prog_array_free(old_array);
> + bpf_prog_array_free(rcu_access_pointer(old_array));
> unlock:
> mutex_unlock(&ir_raw_handler_lock);
> return ret;
> @@ -204,7 +204,7 @@ void lirc_bpf_free(struct rc_dev *rcdev)
> while (*progs)
> bpf_prog_put(*progs++);
>
> - bpf_prog_array_free(rcdev->raw->progs);
> + bpf_prog_array_free(rcu_access_pointer(rcdev->raw->progs));
> }
Powered by blists - more mailing lists