Message-ID: <331af4d8-5479-39b0-b835-a0e7144135e7@fb.com>
Date: Thu, 23 Jul 2020 11:32:28 -0700
From: Yonghong Song <yhs@...com>
To: Alexei Starovoitov <alexei.starovoitov@...il.com>
CC: <bpf@...r.kernel.org>, <netdev@...r.kernel.org>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>, <kernel-team@...com>,
Martin KaFai Lau <kafai@...com>
Subject: Re: [PATCH bpf-next v3 00/13] bpf: implement bpf iterator for map elements
On 7/22/20 11:53 PM, Alexei Starovoitov wrote:
> On Wed, Jul 22, 2020 at 11:15:33PM -0700, Yonghong Song wrote:
>> Bpf iterator has been implemented for task, task_file,
>> bpf_map, ipv6_route, netlink, tcp and udp so far.
>>
>> For map elements, there are two ways to traverse all elements from
>> user space:
>> 1. using BPF_MAP_GET_NEXT_KEY bpf subcommand to get elements
>> one by one.
>> 2. using BPF_MAP_LOOKUP_BATCH bpf subcommand to get a batch of
>> elements.
>> Both these approaches need to copy data from kernel to user space
>> in order to do inspection.
>>
>> This patch implements bpf iterator for map elements.
>> User can have a bpf program in kernel to run with each map element,
>> do checking, filtering, aggregation, modifying values etc.
>> without copying data to user space.
>>
>> Patch #1 and #2 are refactoring. Patch #3 implements readonly/readwrite
>> buffer support in verifier. Patches #4 - #7 implement map element
>> support for hash, percpu hash, lru hash, lru percpu hash, array,
>> percpu array and sock local storage maps. Patches #8 - #9 are libbpf
>> and bpftool support. Patches #10 - #13 are selftests for implemented
>> map element iterators.
>
> kasan is not happy:
>
> [ 16.896170] ==================================================================
> [ 16.896994] BUG: KASAN: use-after-free in __do_sys_bpf+0x34f3/0x3860
> [ 16.897657] Read of size 4 at addr ffff8881f105b208 by task test_progs/1958
> [ 16.898416]
> [ 16.898577] CPU: 0 PID: 1958 Comm: test_progs Not tainted 5.8.0-rc4-01920-g6276000cd38e #2828
> [ 16.899505] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
> [ 16.900405] Call Trace:
> [ 16.900679] dump_stack+0x7d/0xb0
> [ 16.901068] print_address_description.constprop.0+0x3a/0x60
> [ 16.901689] ? __do_sys_bpf+0x34f3/0x3860
> [ 16.902125] kasan_report.cold+0x1f/0x37
> [ 16.902595] ? __do_sys_bpf+0x34f3/0x3860
> [ 16.903029] __do_sys_bpf+0x34f3/0x3860
> [ 16.903494] ? bpf_trace_run2+0xd1/0x210
> [ 16.903971] ? bpf_link_get_from_fd+0xe0/0xe0
> [ 16.907802] do_syscall_64+0x38/0x60
> [ 16.908187] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [ 16.908730] RIP: 0033:0x7f014cdfe7f9
> [ 16.909148] Code: Bad RIP value.
> [ 16.909524] RSP: 002b:00007ffe1d1e8b28 EFLAGS: 00000206 ORIG_RAX: 0000000000000141
> [ 16.910345] RAX: ffffffffffffffda RBX: 00007f014dd27690 RCX: 00007f014cdfe7f9
> [ 16.911058] RDX: 0000000000000078 RSI: 00007ffe1d1e8b60 RDI: 000000000000001e
> [ 16.911820] RBP: 00007ffe1d1e8b40 R08: 00007ffe1d1e8b40 R09: 00007ffe1d1e8b60
> [ 16.912575] R10: 0000000000000044 R11: 0000000000000206 R12: 0000000000000002
> [ 16.913304] R13: 0000000000000000 R14: 0000000000000002 R15: 0000000000000002
> [ 16.914026]
> [ 16.914189] Allocated by task 1958:
> [ 16.914562] save_stack+0x1b/0x40
> [ 16.914944] __kasan_kmalloc.constprop.0+0xc2/0xd0
> [ 16.915476] bpf_iter_link_attach+0x235/0x4e0
> [ 16.915975] __do_sys_bpf+0x1832/0x3860
> [ 16.916371] do_syscall_64+0x38/0x60
> [ 16.916750] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [ 16.917338]
> [ 16.917524] Freed by task 1958:
> [ 16.917874] save_stack+0x1b/0x40
> [ 16.918241] __kasan_slab_free+0x12f/0x180
> [ 16.918681] kfree+0xc6/0x280
> [ 16.919024] bpf_iter_link_attach+0x3e3/0x4e0
> [ 16.919488] __do_sys_bpf+0x1832/0x3860
> [ 16.919915] do_syscall_64+0x38/0x60
> [ 16.920301] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Thanks for reporting the bug. The gcc on my system is 8.2 and the
requirement for kasan support is gcc 8.3. Using clang, I am able
to see the issue. Will fix and re-submit. Thanks!
>
> To reproduce:
> ./test_progs -n 5
> #5 bpf_obj_id:OK
> Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED
>
> ./test_progs -n 4/18
> #4/18 bpf_hash_map:OK
> #4 bpf_iter:OK
> Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED
>
> ./test_progs -n 5
> [ 37.569154] ==================================================================
> [ 37.570020] BUG: KASAN: use-after-free in __do_sys_bpf+0x34f3/0x3860
>
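The first of the two user-space traversal paths the cover letter contrasts with the in-kernel iterator, written out as an added example that is not part of the patch series: a BPF_MAP_GET_NEXT_KEY / BPF_MAP_LOOKUP_ELEM walk that copies every element across the syscall boundary. The `next` and `lookup` callbacks have the signature of libbpf's bpf_map_get_next_key() and bpf_map_lookup_elem(), which is what you would pass for a real map; the in-memory stand-in map, its key layout and the step bound are assumptions made so the code runs without a kernel map or CAP_BPF.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

typedef int (*map_op)(int fd, const void *key, void *out); /* 0, or <0 with errno set */
typedef void (*visit_fn)(const void *key, const void *val, void *ctx);

/* The one-by-one path: BPF_MAP_GET_NEXT_KEY (NULL key = first element), then
 * BPF_MAP_LOOKUP_ELEM on that key, until GET_NEXT_KEY fails with ENOENT. Every
 * element is copied into user space. max_steps bounds the loop: a hash map
 * restarts GET_NEXT_KEY at its first key when the key passed in was deleted
 * meanwhile, so a concurrent writer can make an unbounded walk revisit keys. */
int walk_map(int fd, size_t ksz, size_t vsz, map_op next, map_op lookup,
             visit_fn visit, void *ctx, int max_steps)
{
    unsigned char cur[ksz], nxt[ksz], val[vsz];
    const void *prev = NULL;
    int n = 0;
    while (max_steps-- > 0) {
        if (next(fd, prev, nxt) < 0)
            return errno == ENOENT ? n : -1;         /* ENOENT here: end of map */
        if (lookup(fd, nxt, val) == 0) { visit(nxt, val, ctx); n++; }
        else if (errno != ENOENT) return -1;          /* ENOENT here: deleted under us */
        memcpy(cur, nxt, ksz); prev = cur;
    }
    errno = ELOOP; return -1;                         /* walk did not converge */
}

/* Constructed stand-in for a u32->u32 map holding keys 1..3 (an assumption made
 * so the walk runs without a kernel map); an unknown key restarts at the first. */
static const uint32_t fake_vals[3] = {7, 8, 9};
int fake_next_key(int fd, const void *key, void *next_key)
{
    uint32_t k = key ? *(const uint32_t *)key : 0; (void)fd;
    if (k > 3) k = 0;                             /* unknown key: restart from the first */
    if (k == 3) { errno = ENOENT; return -1; }    /* key 3 is the last one */
    *(uint32_t *)next_key = k + 1; return 0;
}
int fake_lookup(int fd, const void *key, void *value)
{
    uint32_t k = *(const uint32_t *)key; (void)fd;
    if (k < 1 || k > 3) { errno = ENOENT; return -1; }
    *(uint32_t *)value = fake_vals[k - 1]; return 0;
}
void sum_vals(const void *key, const void *val, void *ctx) { (void)key; *(uint64_t *)ctx += *(const uint32_t *)val; }
```

With a real map, `walk_map(map_fd, key_size, value_size, bpf_map_get_next_key, bpf_map_lookup_elem, ...)` does the same walk through the bpf(2) syscall; the step bound is what keeps a walk over a map under concurrent deletion from spinning.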