[PATCH net 0/2] bpf: fix two bugs

[PATCH net 0/2] bpf: fix two bugs

[Alexei Starovoitov]

Michael Holzheu caught two issues (in bpf syscall and in the test).
Fix them. Details in corresponding patches.

Alexei Starovoitov (2):
  bpf: rcu lock must not be held when calling copy_to_user()
  samples: bpf: relax test_maps check

 kernel/bpf/syscall.c    |   25 +++++++++++++++++--------
 samples/bpf/test_maps.c |    4 ++--
 2 files changed, 19 insertions(+), 10 deletions(-)

-- 
1.7.9.5

[PATCH net 1/2] bpf: rcu lock must not be held when calling copy_to_user()

[Alexei Starovoitov]

BUG: sleeping function called from invalid context at mm/memory.c:3732
in_atomic(): 0, irqs_disabled(): 0, pid: 671, name: test_maps
1 lock held by test_maps/671:
 #0:  (rcu_read_lock){......}, at: [<0000000000264190>] map_lookup_elem+0xe8/0x260
Call Trace:
([<0000000000115b7e>] show_trace+0x12e/0x150)
 [<0000000000115c40>] show_stack+0xa0/0x100
 [<00000000009b163c>] dump_stack+0x74/0xc8
 [<000000000017424a>] ___might_sleep+0x23a/0x248
 [<00000000002b58e8>] might_fault+0x70/0xe8
 [<0000000000264230>] map_lookup_elem+0x188/0x260
 [<0000000000264716>] SyS_bpf+0x20e/0x840

Fix it by allocating temporary buffer to store map element value.

Fixes: db20fd2b0108 ("bpf: add lookup/update/delete/iterate methods to BPF maps")
Reported-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
---
 kernel/bpf/syscall.c |   25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 088ac0b..536edc2 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -150,7 +150,7 @@ static int map_lookup_elem(union bpf_attr *attr)
 	int ufd = attr->map_fd;
 	struct fd f = fdget(ufd);
 	struct bpf_map *map;
-	void *key, *value;
+	void *key, *value, *ptr;
 	int err;
 
 	if (CHECK_ATTR(BPF_MAP_LOOKUP_ELEM))
@@ -169,20 +169,29 @@ static int map_lookup_elem(union bpf_attr *attr)
 	if (copy_from_user(key, ukey, map->key_size) != 0)
 		goto free_key;
 
-	err = -ENOENT;
-	rcu_read_lock();
-	value = map->ops->map_lookup_elem(map, key);
+	err = -ENOMEM;
+	value = kmalloc(map->value_size, GFP_USER);
 	if (!value)
-		goto err_unlock;
+		goto free_key;
+
+	rcu_read_lock();
+	ptr = map->ops->map_lookup_elem(map, key);
+	if (ptr)
+		memcpy(value, ptr, map->value_size);
+	rcu_read_unlock();
+
+	err = -ENOENT;
+	if (!ptr)
+		goto free_value;
 
 	err = -EFAULT;
 	if (copy_to_user(uvalue, value, map->value_size) != 0)
-		goto err_unlock;
+		goto free_value;
 
 	err = 0;
 
-err_unlock:
-	rcu_read_unlock();
+free_value:
+	kfree(value);
 free_key:
 	kfree(key);
 err_put:
-- 
1.7.9.5

[PATCH net 2/2] samples: bpf: relax test_maps check

[Alexei Starovoitov]

hash map is unordered, so get_next_key() iterator shouldn't
rely on particular order of elements. So relax this test.

Fixes: ffb65f27a155 ("bpf: add a testsuite for eBPF maps")
Reported-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
---
 samples/bpf/test_maps.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/samples/bpf/test_maps.c b/samples/bpf/test_maps.c
index e286b42..6299ee9 100644
--- a/samples/bpf/test_maps.c
+++ b/samples/bpf/test_maps.c
@@ -69,9 +69,9 @@ static void test_hashmap_sanity(int i, void *data)
 
 	/* iterate over two elements */
 	assert(bpf_get_next_key(map_fd, &key, &next_key) == 0 &&
-	       next_key == 2);
+	       (next_key == 1 || next_key == 2));
 	assert(bpf_get_next_key(map_fd, &next_key, &next_key) == 0 &&
-	       next_key == 1);
+	       (next_key == 1 || next_key == 2));
 	assert(bpf_get_next_key(map_fd, &next_key, &next_key) == -1 &&
 	       errno == ENOENT);
 
-- 
1.7.9.5

Re: [PATCH net 1/2] bpf: rcu lock must not be held when calling copy_to_user()

[Daniel Borkmann]

On 01/23/2015 02:11 AM, Alexei Starovoitov wrote:
> BUG: sleeping function called from invalid context at mm/memory.c:3732
> in_atomic(): 0, irqs_disabled(): 0, pid: 671, name: test_maps
> 1 lock held by test_maps/671:
>   #0:  (rcu_read_lock){......}, at: [<0000000000264190>] map_lookup_elem+0xe8/0x260
> Call Trace:
> ([<0000000000115b7e>] show_trace+0x12e/0x150)
>   [<0000000000115c40>] show_stack+0xa0/0x100
>   [<00000000009b163c>] dump_stack+0x74/0xc8
>   [<000000000017424a>] ___might_sleep+0x23a/0x248
>   [<00000000002b58e8>] might_fault+0x70/0xe8
>   [<0000000000264230>] map_lookup_elem+0x188/0x260
>   [<0000000000264716>] SyS_bpf+0x20e/0x840
>
> Fix it by allocating temporary buffer to store map element value.
>
> Fixes: db20fd2b0108 ("bpf: add lookup/update/delete/iterate methods to BPF maps")
> Reported-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
> Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>

Looks good to me.

Acked-by: Daniel Borkmann <dborkman@redhat.com>

Re: [PATCH net 2/2] samples: bpf: relax test_maps check

[Daniel Borkmann]

On 01/23/2015 02:11 AM, Alexei Starovoitov wrote:
> hash map is unordered, so get_next_key() iterator shouldn't
> rely on particular order of elements. So relax this test.
>
> Fixes: ffb65f27a155 ("bpf: add a testsuite for eBPF maps")
> Reported-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
> Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>

Acked-by: Daniel Borkmann <dborkman@redhat.com>

Re: [PATCH net 0/2] bpf: fix two bugs

[David Miller]

From: Alexei Starovoitov <ast@plumgrid.com>
Date: Thu, 22 Jan 2015 17:11:07 -0800

> Michael Holzheu caught two issues (in bpf syscall and in the test).
> Fix them. Details in corresponding patches.

Series applied, thanks.