From: "Leon Hwang" <leon.hwang@linux.dev>
To: "Yonghong Song" <yonghong.song@linux.dev>, bpf@vger.kernel.org
Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
toke@redhat.com, martin.lau@kernel.org, eddyz87@gmail.com,
wutengda@huaweicloud.com, kernel-patches-bot@fb.com
Subject: Re: [PATCH bpf-next 1/2] bpf: Fix updating attached freplace prog to PROG_ARRAY map
Date: Fri, 26 Jul 2024 07:31:21 +0000 [thread overview]
Message-ID: <62cecceacbc0ea9d59445c828857f6af195e542c@linux.dev> (raw)
In-Reply-To: <1a31ef08-e252-46ec-9cd5-a3ddcb895dfd@linux.dev>
26 July 2024 at 14:15, "Yonghong Song" <yonghong.song@linux.dev> wrote:
>
> On 7/25/24 8:27 PM, leon.hwang@linux.dev wrote:
>
> >
> > 26 July 2024 at 04:58, "Yonghong Song" <yonghong.song@linux.dev> wrote:
> >
> > >
> > > On 7/24/24 5:32 PM, Leon Hwang wrote:
> > >
> >
> > The commit f7866c3587337731 ("bpf: Fix null pointer dereference in
> >
> > resolve_prog_type() for BPF_PROG_TYPE_EXT") fixed the following panic,
> >
> > which was caused by updating attached freplace prog to PROG_ARRAY map.
> >
> > >
> > > I am confused here. You mentioned that commit f7866c3587337731
> > >
> > > fixed the panic below. But looking at commit message:
> > >
> > > https://lore.kernel.org/bpf/20240711145819.254178-2-wutengda@huaweicloud.com
> > >
> > > it does not seem the case.
> > >
> >
> > The commit fixed this panic meanwhile.
> >
> > This panic seems confusing. I'll remove it in patch v2.
> >
>
> [...]
>
> >
> > ---
> >
> > include/linux/bpf_verifier.h | 4 ++--
> >
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
> >
> > index 5cea15c81b8a8..387e034e73d0e 100644
> >
> > --- a/include/linux/bpf_verifier.h
> >
> > +++ b/include/linux/bpf_verifier.h
> >
> > @@ -874,8 +874,8 @@ static inline u32 type_flag(u32 type)
> >
> > /* only use after check_attach_btf_id() */
> >
> > static inline enum bpf_prog_type resolve_prog_type(const struct bpf_prog *prog)
> >
> > {
> >
> > - return (prog->type == BPF_PROG_TYPE_EXT && prog->aux->dst_prog) ?
> >
> > - prog->aux->dst_prog->type : prog->type;
> >
> > + return prog->type == BPF_PROG_TYPE_EXT ?
> >
> > + prog->aux->saved_dst_prog_type : prog->type;
> >
> > >
> > > If prog->aux->dst_prog is NULL, is it possible that prog->aux->saved_dst_prog_type
> > >
> > > (0, corresponding to BPF_PROG_TYPE_UNSPEC) could be returned? Do we need to do
> > >
> > > return (prog->type == BPF_PROG_TYPE_EXT && prog->aux->saved_dst_prog_type) ?
> > >
> > > prog->aux->saved_dst_prog_type : prog->type;
> > >
> > > Maybe I missed something here?
> > >
> >
> > It seems better to check prog->aux->saved_dst_prog_type. But I don't think so.
> >
> > prog->aux->saved_dst_prog_type is set in check_attach_btf_id(). And there is no
> >
> > resolve_prog_type() before check_attach_btf_id() in bpf_check().
> >
> > Therefore, resolve_prog_type() must be called after check_attach_btf_id().
> >
>
> In check_attach_btf_id(), I see
>
> if (tgt_prog) {
>
> prog->aux->saved_dst_prog_type = tgt_prog->type;
>
> prog->aux->saved_dst_attach_type = tgt_prog->expected_attach_type;
>
> }
>
> So it is possible prog->aux->saved_dst_prog_type is 0 (default value).
>
> I don't know that if tgt_prog is NULL, whether later resolve_prog_type()
>
> will be called or not. Need more checking here.
>
This is the case that commit f7866c3587337731 ("bpf: Fix null pointer dereference
in resolve_prog_type() for BPF_PROG_TYPE_EXT") fixed, which is loading freplace
prog without tgt_prog.
With this patch, while loading freplace prog without tgt_prog, resolve_prog_type()
returns 0 instead of BPF_PROG_TYPE_EXT.
It's better to return a meaningful prog type in resolve_prog_type() anyway.
I accept your suggestion.
Thanks,
Leon
next prev parent reply other threads:[~2024-07-26 7:31 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-25 0:32 [PATCH bpf-next 0/2] bpf: Fix updating attached freplace prog to PROG_ARRAY map Leon Hwang
2024-07-25 0:32 ` [PATCH bpf-next 1/2] " Leon Hwang
2024-07-25 20:58 ` Yonghong Song
2024-07-26 3:27 ` leon.hwang
2024-07-26 6:15 ` Yonghong Song
2024-07-26 7:31 ` Leon Hwang [this message]
2024-07-25 0:32 ` [PATCH bpf-next 2/2] selftests/bpf: Add testcase for " Leon Hwang
2024-07-25 21:11 ` Yonghong Song
2024-07-26 3:33 ` leon.hwang
2024-07-26 6:16 ` Yonghong Song
2024-07-26 7:33 ` Leon Hwang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=62cecceacbc0ea9d59445c828857f6af195e542c@linux.dev \
--to=leon.hwang@linux.dev \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=kernel-patches-bot@fb.com \
--cc=martin.lau@kernel.org \
--cc=toke@redhat.com \
--cc=wutengda@huaweicloud.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.