From: John Fastabend <john.fastabend@gmail.com>
To: Jakub Sitnicki <jakub@cloudflare.com>, bpf@vger.kernel.org
Cc: netdev@vger.kernel.org, Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
kernel-team@cloudflare.com, xingwei lee <xrivendell7@gmail.com>,
yue sun <samsun1006219@gmail.com>,
syzbot+bc922f476bd65abbd466@syzkaller.appspotmail.com,
syzbot+d4066896495db380182e@syzkaller.appspotmail.com,
John Fastabend <john.fastabend@gmail.com>,
Edward Adam Davis <eadavis@qq.com>,
Shung-Hsi Yu <shung-hsi.yu@suse.com>
Subject: RE: [PATCH bpf] bpf, sockmap: Prevent lock inversion deadlock in map delete elem
Date: Tue, 02 Apr 2024 07:09:42 -0700 [thread overview]
Message-ID: <660c11a6b3315_1cee208d3@john.notmuch> (raw)
In-Reply-To: <20240402104621.1050319-1-jakub@cloudflare.com>
Jakub Sitnicki wrote:
> syzkaller started using corpuses where a BPF tracing program deletes
> elements from a sockmap/sockhash map. Because BPF tracing programs can be
> invoked from any interrupt context, locks taken during a map_delete_elem
> operation must be hardirq-safe. Otherwise a deadlock due to lock inversion
> is possible, as reported by lockdep:
>
> CPU0 CPU1
> ---- ----
> lock(&htab->buckets[i].lock);
> local_irq_disable();
> lock(&host->lock);
> lock(&htab->buckets[i].lock);
> <Interrupt>
> lock(&host->lock);
>
> Locks in sockmap are hardirq-unsafe by design. We expects elements to be
> deleted from sockmap/sockhash only in task (normal) context with interrupts
> enabled, or in softirq context.
>
> Detect when map_delete_elem operation is invoked from a context which is
> _not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an
> error.
>
> Note that map updates are not affected by this issue. BPF verifier does not
> allow updating sockmap/sockhash from a BPF tracing program today.
>
> Reported-by: xingwei lee <xrivendell7@gmail.com>
> Reported-by: yue sun <samsun1006219@gmail.com>
> Reported-by: syzbot+bc922f476bd65abbd466@syzkaller.appspotmail.com
> Reported-and-tested-by: syzbot+d4066896495db380182e@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=d4066896495db380182e
> Closes: https://syzkaller.appspot.com/bug?extid=bc922f476bd65abbd466
> Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
> Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
> ---
> Cc: John Fastabend <john.fastabend@gmail.com>
> Cc: Edward Adam Davis <eadavis@qq.com>
> Cc: Shung-Hsi Yu <shung-hsi.yu@suse.com>
> ---
> net/core/sock_map.c | 6 ++++++
> 1 file changed, 6 insertions(+)
Agree.
Acked-by: John Fastabend <john.fastabend@gmail.com>
next prev parent reply other threads:[~2024-04-02 14:09 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-02 10:46 [PATCH bpf] bpf, sockmap: Prevent lock inversion deadlock in map delete elem Jakub Sitnicki
2024-04-02 14:09 ` John Fastabend [this message]
2024-04-02 14:40 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=660c11a6b3315_1cee208d3@john.notmuch \
--to=john.fastabend@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eadavis@qq.com \
--cc=jakub@cloudflare.com \
--cc=kernel-team@cloudflare.com \
--cc=netdev@vger.kernel.org \
--cc=samsun1006219@gmail.com \
--cc=shung-hsi.yu@suse.com \
--cc=syzbot+bc922f476bd65abbd466@syzkaller.appspotmail.com \
--cc=syzbot+d4066896495db380182e@syzkaller.appspotmail.com \
--cc=xrivendell7@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.