| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200929225013.930-1-songliubraving@fb.com>
Date: Tue, 29 Sep 2020 15:50:13 -0700
From: Song Liu <songliubraving@...com>
To: <netdev@...r.kernel.org>, <bpf@...r.kernel.org>
CC: <kernel-team@...com>, <ast@...nel.org>, <daniel@...earbox.net>,
<john.fastabend@...il.com>, <kpsingh@...omium.org>,
Song Liu <songliubraving@...com>
Subject: [PATCH bpf-next] bpf: fix raw_tp test run in preempt kernel
In preempt kernel, BPF_PROG_TEST_RUN on raw_tp triggers:
[ 35.874974] BUG: using smp_processor_id() in preemptible [00000000]
code: new_name/87
[ 35.893983] caller is bpf_prog_test_run_raw_tp+0xd4/0x1b0
[ 35.900124] CPU: 1 PID: 87 Comm: new_name Not tainted 5.9.0-rc6-g615bd02bf #1
[ 35.907358] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.10.2-1ubuntu1 04/01/2014
[ 35.916941] Call Trace:
[ 35.919660] dump_stack+0x77/0x9b
[ 35.923273] check_preemption_disabled+0xb4/0xc0
[ 35.928376] bpf_prog_test_run_raw_tp+0xd4/0x1b0
[ 35.933872] ? selinux_bpf+0xd/0x70
[ 35.937532] __do_sys_bpf+0x6bb/0x21e0
[ 35.941570] ? find_held_lock+0x2d/0x90
[ 35.945687] ? vfs_write+0x150/0x220
[ 35.949586] do_syscall_64+0x2d/0x40
[ 35.953443] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Fix this by calling migrate_disable() before smp_processor_id().
Fixes: 1b4d60ec162f ("bpf: Enable BPF_PROG_TEST_RUN for raw_tracepoint")
Reported-by: Alexei Starovoitov <ast@...nel.org>
Signed-off-by: Song Liu <songliubraving@...com>
---
net/bpf/test_run.c | 20 ++++++++------------
1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index fde5db93507c4..3ea05a5daf544 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -251,11 +251,7 @@ __bpf_prog_test_run_raw_tp(void *data)
{
struct bpf_raw_tp_test_run_info *info = data;
- rcu_read_lock();
- migrate_disable();
info->retval = BPF_PROG_RUN(info->prog, info->ctx);
- migrate_enable();
- rcu_read_unlock();
}
int bpf_prog_test_run_raw_tp(struct bpf_prog *prog,
@@ -293,27 +289,27 @@ int bpf_prog_test_run_raw_tp(struct bpf_prog *prog,
info.prog = prog;
+ rcu_read_lock();
+ migrate_disable();
if ((kattr->test.flags & BPF_F_TEST_RUN_ON_CPU) == 0 ||
cpu == smp_processor_id()) {
__bpf_prog_test_run_raw_tp(&info);
- } else {
+ } else if (cpu >= nr_cpu_ids || !cpu_online(cpu)) {
/* smp_call_function_single() also checks cpu_online()
* after csd_lock(). However, since cpu is from user
* space, let's do an extra quick check to filter out
* invalid value before smp_call_function_single().
*/
- if (cpu >= nr_cpu_ids || !cpu_online(cpu)) {
err = -ENXIO;
- goto out;
- }
-
+ } else {
err = smp_call_function_single(cpu, __bpf_prog_test_run_raw_tp,
&info, 1);
- if (err)
- goto out;
}
+ migrate_enable();
+ rcu_read_unlock();
- if (copy_to_user(&uattr->test.retval, &info.retval, sizeof(u32)))
+ if (err == 0 &&
+ copy_to_user(&uattr->test.retval, &info.retval, sizeof(u32)))
err = -EFAULT;
out:
--
2.24.1
Powered by blists - more mailing lists