* [PATCH net 0/2] bpf: fix two bugs
@ 2015-01-23 1:11 Alexei Starovoitov
2015-01-23 1:11 ` [PATCH net 1/2] bpf: rcu lock must not be held when calling copy_to_user() Alexei Starovoitov
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Alexei Starovoitov @ 2015-01-23 1:11 UTC (permalink / raw)
To: David S. Miller; +Cc: Michael Holzheu, Martin Schwidefsky, netdev, linux-kernel
Michael Holzheu caught two issues (in bpf syscall and in the test).
Fix them. Details in corresponding patches.
Alexei Starovoitov (2):
bpf: rcu lock must not be held when calling copy_to_user()
samples: bpf: relax test_maps check
kernel/bpf/syscall.c | 25 +++++++++++++++++--------
samples/bpf/test_maps.c | 4 ++--
2 files changed, 19 insertions(+), 10 deletions(-)
--
1.7.9.5
^ permalink raw reply [flat|nested] 6+ messages in thread* [PATCH net 1/2] bpf: rcu lock must not be held when calling copy_to_user() 2015-01-23 1:11 [PATCH net 0/2] bpf: fix two bugs Alexei Starovoitov @ 2015-01-23 1:11 ` Alexei Starovoitov 2015-01-23 10:15 ` Daniel Borkmann 2015-01-23 1:11 ` [PATCH net 2/2] samples: bpf: relax test_maps check Alexei Starovoitov 2015-01-27 1:21 ` [PATCH net 0/2] bpf: fix two bugs David Miller 2 siblings, 1 reply; 6+ messages in thread From: Alexei Starovoitov @ 2015-01-23 1:11 UTC (permalink / raw) To: David S. Miller; +Cc: Michael Holzheu, Martin Schwidefsky, netdev, linux-kernel BUG: sleeping function called from invalid context at mm/memory.c:3732 in_atomic(): 0, irqs_disabled(): 0, pid: 671, name: test_maps 1 lock held by test_maps/671: #0: (rcu_read_lock){......}, at: [<0000000000264190>] map_lookup_elem+0xe8/0x260 Call Trace: ([<0000000000115b7e>] show_trace+0x12e/0x150) [<0000000000115c40>] show_stack+0xa0/0x100 [<00000000009b163c>] dump_stack+0x74/0xc8 [<000000000017424a>] ___might_sleep+0x23a/0x248 [<00000000002b58e8>] might_fault+0x70/0xe8 [<0000000000264230>] map_lookup_elem+0x188/0x260 [<0000000000264716>] SyS_bpf+0x20e/0x840 Fix it by allocating temporary buffer to store map element value. Fixes: db20fd2b0108 ("bpf: add lookup/update/delete/iterate methods to BPF maps") Reported-by: Michael Holzheu <holzheu@linux.vnet.ibm.com> Signed-off-by: Alexei Starovoitov <ast@plumgrid.com> --- kernel/bpf/syscall.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 088ac0b..536edc2 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -150,7 +150,7 @@ static int map_lookup_elem(union bpf_attr *attr) int ufd = attr->map_fd; struct fd f = fdget(ufd); struct bpf_map *map; - void *key, *value; + void *key, *value, *ptr; int err; if (CHECK_ATTR(BPF_MAP_LOOKUP_ELEM)) @@ -169,20 +169,29 @@ static int map_lookup_elem(union bpf_attr *attr) if (copy_from_user(key, ukey, map->key_size) != 0) goto free_key; - err = -ENOENT; - rcu_read_lock(); - value = map->ops->map_lookup_elem(map, key); + err = -ENOMEM; + value = kmalloc(map->value_size, GFP_USER); if (!value) - goto err_unlock; + goto free_key; + + rcu_read_lock(); + ptr = map->ops->map_lookup_elem(map, key); + if (ptr) + memcpy(value, ptr, map->value_size); + rcu_read_unlock(); + + err = -ENOENT; + if (!ptr) + goto free_value; err = -EFAULT; if (copy_to_user(uvalue, value, map->value_size) != 0) - goto err_unlock; + goto free_value; err = 0; -err_unlock: - rcu_read_unlock(); +free_value: + kfree(value); free_key: kfree(key); err_put: -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH net 1/2] bpf: rcu lock must not be held when calling copy_to_user() 2015-01-23 1:11 ` [PATCH net 1/2] bpf: rcu lock must not be held when calling copy_to_user() Alexei Starovoitov @ 2015-01-23 10:15 ` Daniel Borkmann 0 siblings, 0 replies; 6+ messages in thread From: Daniel Borkmann @ 2015-01-23 10:15 UTC (permalink / raw) To: Alexei Starovoitov Cc: David S. Miller, Michael Holzheu, Martin Schwidefsky, netdev, linux-kernel On 01/23/2015 02:11 AM, Alexei Starovoitov wrote: > BUG: sleeping function called from invalid context at mm/memory.c:3732 > in_atomic(): 0, irqs_disabled(): 0, pid: 671, name: test_maps > 1 lock held by test_maps/671: > #0: (rcu_read_lock){......}, at: [<0000000000264190>] map_lookup_elem+0xe8/0x260 > Call Trace: > ([<0000000000115b7e>] show_trace+0x12e/0x150) > [<0000000000115c40>] show_stack+0xa0/0x100 > [<00000000009b163c>] dump_stack+0x74/0xc8 > [<000000000017424a>] ___might_sleep+0x23a/0x248 > [<00000000002b58e8>] might_fault+0x70/0xe8 > [<0000000000264230>] map_lookup_elem+0x188/0x260 > [<0000000000264716>] SyS_bpf+0x20e/0x840 > > Fix it by allocating temporary buffer to store map element value. > > Fixes: db20fd2b0108 ("bpf: add lookup/update/delete/iterate methods to BPF maps") > Reported-by: Michael Holzheu <holzheu@linux.vnet.ibm.com> > Signed-off-by: Alexei Starovoitov <ast@plumgrid.com> Looks good to me. Acked-by: Daniel Borkmann <dborkman@redhat.com> ^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH net 2/2] samples: bpf: relax test_maps check 2015-01-23 1:11 [PATCH net 0/2] bpf: fix two bugs Alexei Starovoitov 2015-01-23 1:11 ` [PATCH net 1/2] bpf: rcu lock must not be held when calling copy_to_user() Alexei Starovoitov @ 2015-01-23 1:11 ` Alexei Starovoitov 2015-01-23 10:58 ` Daniel Borkmann 2015-01-27 1:21 ` [PATCH net 0/2] bpf: fix two bugs David Miller 2 siblings, 1 reply; 6+ messages in thread From: Alexei Starovoitov @ 2015-01-23 1:11 UTC (permalink / raw) To: David S. Miller; +Cc: Michael Holzheu, Martin Schwidefsky, netdev, linux-kernel hash map is unordered, so get_next_key() iterator shouldn't rely on particular order of elements. So relax this test. Fixes: ffb65f27a155 ("bpf: add a testsuite for eBPF maps") Reported-by: Michael Holzheu <holzheu@linux.vnet.ibm.com> Signed-off-by: Alexei Starovoitov <ast@plumgrid.com> --- samples/bpf/test_maps.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/samples/bpf/test_maps.c b/samples/bpf/test_maps.c index e286b42..6299ee9 100644 --- a/samples/bpf/test_maps.c +++ b/samples/bpf/test_maps.c @@ -69,9 +69,9 @@ static void test_hashmap_sanity(int i, void *data) /* iterate over two elements */ assert(bpf_get_next_key(map_fd, &key, &next_key) == 0 && - next_key == 2); + (next_key == 1 || next_key == 2)); assert(bpf_get_next_key(map_fd, &next_key, &next_key) == 0 && - next_key == 1); + (next_key == 1 || next_key == 2)); assert(bpf_get_next_key(map_fd, &next_key, &next_key) == -1 && errno == ENOENT); -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH net 2/2] samples: bpf: relax test_maps check 2015-01-23 1:11 ` [PATCH net 2/2] samples: bpf: relax test_maps check Alexei Starovoitov @ 2015-01-23 10:58 ` Daniel Borkmann 0 siblings, 0 replies; 6+ messages in thread From: Daniel Borkmann @ 2015-01-23 10:58 UTC (permalink / raw) To: Alexei Starovoitov Cc: David S. Miller, Michael Holzheu, Martin Schwidefsky, netdev, linux-kernel On 01/23/2015 02:11 AM, Alexei Starovoitov wrote: > hash map is unordered, so get_next_key() iterator shouldn't > rely on particular order of elements. So relax this test. > > Fixes: ffb65f27a155 ("bpf: add a testsuite for eBPF maps") > Reported-by: Michael Holzheu <holzheu@linux.vnet.ibm.com> > Signed-off-by: Alexei Starovoitov <ast@plumgrid.com> Acked-by: Daniel Borkmann <dborkman@redhat.com> ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net 0/2] bpf: fix two bugs 2015-01-23 1:11 [PATCH net 0/2] bpf: fix two bugs Alexei Starovoitov 2015-01-23 1:11 ` [PATCH net 1/2] bpf: rcu lock must not be held when calling copy_to_user() Alexei Starovoitov 2015-01-23 1:11 ` [PATCH net 2/2] samples: bpf: relax test_maps check Alexei Starovoitov @ 2015-01-27 1:21 ` David Miller 2 siblings, 0 replies; 6+ messages in thread From: David Miller @ 2015-01-27 1:21 UTC (permalink / raw) To: ast; +Cc: holzheu, schwidefsky, netdev, linux-kernel From: Alexei Starovoitov <ast@plumgrid.com> Date: Thu, 22 Jan 2015 17:11:07 -0800 > Michael Holzheu caught two issues (in bpf syscall and in the test). > Fix them. Details in corresponding patches. Series applied, thanks. ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2015-01-27 1:21 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2015-01-23 1:11 [PATCH net 0/2] bpf: fix two bugs Alexei Starovoitov 2015-01-23 1:11 ` [PATCH net 1/2] bpf: rcu lock must not be held when calling copy_to_user() Alexei Starovoitov 2015-01-23 10:15 ` Daniel Borkmann 2015-01-23 1:11 ` [PATCH net 2/2] samples: bpf: relax test_maps check Alexei Starovoitov 2015-01-23 10:58 ` Daniel Borkmann 2015-01-27 1:21 ` [PATCH net 0/2] bpf: fix two bugs David Miller
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.