| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 29 Sep 2020 17:00:07 -0700
From: Alexei Starovoitov <alexei.starovoitov@...il.com>
To: Song Liu <songliubraving@...com>
Cc: netdev@...r.kernel.org, bpf@...r.kernel.org, kernel-team@...com,
ast@...nel.org, daniel@...earbox.net, john.fastabend@...il.com,
kpsingh@...omium.org
Subject: Re: [PATCH bpf-next] bpf: fix raw_tp test run in preempt kernel
On Tue, Sep 29, 2020 at 03:50:13PM -0700, Song Liu wrote:
> In preempt kernel, BPF_PROG_TEST_RUN on raw_tp triggers:
>
> [ 35.874974] BUG: using smp_processor_id() in preemptible [00000000]
> code: new_name/87
> [ 35.893983] caller is bpf_prog_test_run_raw_tp+0xd4/0x1b0
> [ 35.900124] CPU: 1 PID: 87 Comm: new_name Not tainted 5.9.0-rc6-g615bd02bf #1
> [ 35.907358] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS 1.10.2-1ubuntu1 04/01/2014
> [ 35.916941] Call Trace:
> [ 35.919660] dump_stack+0x77/0x9b
> [ 35.923273] check_preemption_disabled+0xb4/0xc0
> [ 35.928376] bpf_prog_test_run_raw_tp+0xd4/0x1b0
> [ 35.933872] ? selinux_bpf+0xd/0x70
> [ 35.937532] __do_sys_bpf+0x6bb/0x21e0
> [ 35.941570] ? find_held_lock+0x2d/0x90
> [ 35.945687] ? vfs_write+0x150/0x220
> [ 35.949586] do_syscall_64+0x2d/0x40
> [ 35.953443] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> Fix this by calling migrate_disable() before smp_processor_id().
>
> Fixes: 1b4d60ec162f ("bpf: Enable BPF_PROG_TEST_RUN for raw_tracepoint")
> Reported-by: Alexei Starovoitov <ast@...nel.org>
> Signed-off-by: Song Liu <songliubraving@...com>
> ---
> net/bpf/test_run.c | 20 ++++++++------------
> 1 file changed, 8 insertions(+), 12 deletions(-)
>
> diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
> index fde5db93507c4..3ea05a5daf544 100644
> --- a/net/bpf/test_run.c
> +++ b/net/bpf/test_run.c
> @@ -251,11 +251,7 @@ __bpf_prog_test_run_raw_tp(void *data)
> {
> struct bpf_raw_tp_test_run_info *info = data;
>
> - rcu_read_lock();
> - migrate_disable();
> info->retval = BPF_PROG_RUN(info->prog, info->ctx);
> - migrate_enable();
> - rcu_read_unlock();
I would keep rcu_read_lock here, since there is no need to expand its scope.
> }
>
> int bpf_prog_test_run_raw_tp(struct bpf_prog *prog,
> @@ -293,27 +289,27 @@ int bpf_prog_test_run_raw_tp(struct bpf_prog *prog,
>
> info.prog = prog;
>
> + rcu_read_lock();
> + migrate_disable();
> if ((kattr->test.flags & BPF_F_TEST_RUN_ON_CPU) == 0 ||
> cpu == smp_processor_id()) {
may be use get_cpu/put_cpu instead?
> __bpf_prog_test_run_raw_tp(&info);
> - } else {
> + } else if (cpu >= nr_cpu_ids || !cpu_online(cpu)) {
> /* smp_call_function_single() also checks cpu_online()
> * after csd_lock(). However, since cpu is from user
> * space, let's do an extra quick check to filter out
> * invalid value before smp_call_function_single().
> */
> - if (cpu >= nr_cpu_ids || !cpu_online(cpu)) {
> err = -ENXIO;
> - goto out;
> - }
> -
> + } else {
> err = smp_call_function_single(cpu, __bpf_prog_test_run_raw_tp,
> &info, 1);
> - if (err)
> - goto out;
> }
> + migrate_enable();
> + rcu_read_unlock();
>
> - if (copy_to_user(&uattr->test.retval, &info.retval, sizeof(u32)))
> + if (err == 0 &&
!err would be canonical.
> + copy_to_user(&uattr->test.retval, &info.retval, sizeof(u32)))
> err = -EFAULT;
>
> out:
> --
> 2.24.1
>
Powered by blists - more mailing lists