From: Alexei Starovoitov <ast@kernel.org>
To: <davem@davemloft.net>
Cc: <daniel@iogearbox.net>, <x86@kernel.org>,
<netdev@vger.kernel.org>, <bpf@vger.kernel.org>,
<kernel-team@fb.com>
Subject: [PATCH v2 bpf-next 12/17] bpf: Fix race in btf_resolve_helper_id()
Date: Wed, 6 Nov 2019 21:46:39 -0800 [thread overview]
Message-ID: <20191107054644.1285697-13-ast@kernel.org> (raw)
In-Reply-To: <20191107054644.1285697-1-ast@kernel.org>
btf_resolve_helper_id() caching logic is racy, since under root the verifier
can verify several programs in parallel. Fix it with extra spin_lock.
Fixes: a7658e1a4164 ("bpf: Check types of arguments passed into helpers")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
---
include/linux/bpf.h | 3 ++-
kernel/bpf/btf.c | 34 +++++++++++++++++++++++++++++++++-
kernel/bpf/verifier.c | 6 +-----
3 files changed, 36 insertions(+), 7 deletions(-)
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 9206b7e86dde..c287dfce2a17 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -874,7 +874,8 @@ int btf_struct_access(struct bpf_verifier_log *log,
const struct btf_type *t, int off, int size,
enum bpf_access_type atype,
u32 *next_btf_id);
-u32 btf_resolve_helper_id(struct bpf_verifier_log *log, void *, int);
+u32 btf_resolve_helper_id(struct bpf_verifier_log *log,
+ const struct bpf_func_proto *fn, int);
int btf_distill_func_proto(struct bpf_verifier_log *log,
struct btf *btf,
diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 78d9ceaabc00..7155787a0b13 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -3584,7 +3584,8 @@ int btf_struct_access(struct bpf_verifier_log *log,
return -EINVAL;
}
-u32 btf_resolve_helper_id(struct bpf_verifier_log *log, void *fn, int arg)
+static u32 __btf_resolve_helper_id(struct bpf_verifier_log *log, void *fn,
+ int arg)
{
char fnname[KSYM_SYMBOL_LEN + 4] = "btf_";
const struct btf_param *args;
@@ -3652,6 +3653,37 @@ u32 btf_resolve_helper_id(struct bpf_verifier_log *log, void *fn, int arg)
return btf_id;
}
+static DEFINE_SPINLOCK(btf_resolve_lock);
+
+u32 btf_resolve_helper_id(struct bpf_verifier_log *log,
+ const struct bpf_func_proto *fn, int arg)
+{
+ u32 *btf_id = &fn->btf_id[arg];
+ u32 ret;
+
+ if (fn->arg_type[arg] != ARG_PTR_TO_BTF_ID)
+ return -EINVAL;
+
+ if (*btf_id)
+ /* ok to do without lock. It only set once */
+ return *btf_id;
+ /* ok to race the search. The result is the same */
+ ret = __btf_resolve_helper_id(log, fn->func, arg);
+ if (!ret) {
+ bpf_log(log, "BTF resolution bug\n");
+ return -EFAULT;
+ }
+ spin_lock(&btf_resolve_lock);
+ if (*btf_id) {
+ ret = *btf_id;
+ goto out;
+ }
+ *btf_id = ret;
+out:
+ spin_unlock(&btf_resolve_lock);
+ return ret;
+}
+
static int __get_type_size(struct btf *btf, u32 btf_id,
const struct btf_type **bad_type)
{
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 36542edd4936..c4fd11a27d81 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4147,11 +4147,7 @@ static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn
meta.func_id = func_id;
/* check args */
for (i = 0; i < 5; i++) {
- if (fn->arg_type[i] == ARG_PTR_TO_BTF_ID) {
- if (!fn->btf_id[i])
- fn->btf_id[i] = btf_resolve_helper_id(&env->log, fn->func, i);
- meta.btf_id = fn->btf_id[i];
- }
+ meta.btf_id = btf_resolve_helper_id(&env->log, fn, i);
err = check_func_arg(env, BPF_REG_1 + i, fn->arg_type[i], &meta);
if (err)
return err;
--
2.23.0
next prev parent reply other threads:[~2019-11-07 5:47 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-07 5:46 [PATCH v2 bpf-next 00/17] Introduce BPF trampoline Alexei Starovoitov
2019-11-07 5:46 ` [PATCH v2 bpf-next 01/17] bpf: refactor x86 JIT into helpers Alexei Starovoitov
2019-11-07 17:05 ` Song Liu
2019-11-07 5:46 ` [PATCH v2 bpf-next 02/17] bpf: Add bpf_arch_text_poke() helper Alexei Starovoitov
2019-11-07 17:20 ` Song Liu
2019-11-07 17:50 ` Alexei Starovoitov
2019-11-07 17:54 ` Alexei Starovoitov
2019-11-07 18:04 ` Song Liu
2019-11-07 5:46 ` [PATCH v2 bpf-next 03/17] bpf: Introduce BPF trampoline Alexei Starovoitov
2019-11-07 22:37 ` Song Liu
2019-11-07 22:55 ` Alexei Starovoitov
2019-11-07 23:07 ` Song Liu
2019-11-07 23:09 ` Alexei Starovoitov
2019-11-07 23:16 ` Song Liu
2019-11-08 0:09 ` Alexei Starovoitov
2019-11-08 1:10 ` Song Liu
2019-11-08 3:11 ` Alexei Starovoitov
2019-11-08 4:06 ` Song Liu
2019-11-08 4:08 ` Alexei Starovoitov
2019-11-07 5:46 ` [PATCH v2 bpf-next 04/17] libbpf: Add support to attach to fentry/fexit tracing progs Alexei Starovoitov
2019-11-07 22:51 ` Song Liu
2019-11-07 23:07 ` Alexei Starovoitov
2019-11-07 23:13 ` Song Liu
2019-11-07 5:46 ` [PATCH v2 bpf-next 05/17] selftest/bpf: Simple test for fentry/fexit Alexei Starovoitov
2019-11-07 23:22 ` Song Liu
2019-11-07 5:46 ` [PATCH v2 bpf-next 06/17] bpf: Add kernel test functions for fentry testing Alexei Starovoitov
2019-11-07 23:28 ` Song Liu
2019-11-07 5:46 ` [PATCH v2 bpf-next 07/17] selftests/bpf: Add test for BPF trampoline Alexei Starovoitov
2019-11-08 1:17 ` Song Liu
2019-11-08 2:33 ` Alexei Starovoitov
2019-11-07 5:46 ` [PATCH v2 bpf-next 08/17] selftests/bpf: Add fexit tests " Alexei Starovoitov
2019-11-08 1:22 ` Song Liu
2019-11-07 5:46 ` [PATCH v2 bpf-next 09/17] selftests/bpf: Add combined fentry/fexit test Alexei Starovoitov
2019-11-07 5:46 ` [PATCH v2 bpf-next 10/17] selftests/bpf: Add stress test for maximum number of progs Alexei Starovoitov
2019-11-07 5:46 ` [PATCH v2 bpf-next 11/17] bpf: Reserver space for BPF trampoline in BPF programs Alexei Starovoitov
2019-11-08 5:03 ` Andrii Nakryiko
2019-11-07 5:46 ` Alexei Starovoitov [this message]
2019-11-08 5:13 ` [PATCH v2 bpf-next 12/17] bpf: Fix race in btf_resolve_helper_id() Andrii Nakryiko
2019-11-08 5:31 ` Alexei Starovoitov
2019-11-07 5:46 ` [PATCH v2 bpf-next 13/17] bpf: Compare BTF types of functions arguments with actual types Alexei Starovoitov
2019-11-07 5:46 ` [PATCH v2 bpf-next 14/17] bpf: Support attaching tracing BPF program to other BPF programs Alexei Starovoitov
2019-11-07 5:46 ` [PATCH v2 bpf-next 15/17] selftests/bpf: Extend test_pkt_access test Alexei Starovoitov
2019-11-07 5:46 ` [PATCH v2 bpf-next 16/17] libbpf: Add support for attaching BPF programs to other BPF programs Alexei Starovoitov
2019-11-07 14:33 ` Alexei Starovoitov
2019-11-07 5:46 ` [PATCH v2 bpf-next 17/17] selftests/bpf: Add a test for attaching BPF prog to another BPF prog and subprog Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191107054644.1285697-13-ast@kernel.org \
--to=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=kernel-team@fb.com \
--cc=netdev@vger.kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.