From: Martin KaFai Lau <martin.lau@linux.dev>
To: rtm@csail.mit.edu
Cc: bpf@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: unregistering tcp_ca struct_ops can cause kernel page fault
Date: Fri, 13 Dec 2024 16:56:59 -0800
Message-ID: <ac054b6e-2120-4598-b960-ddd275714218@linux.dev>
In-Reply-To: <96319.1733959698@localhost>

On 12/11/24 3:28 PM, rtm@csail.mit.edu wrote:
> Martin,
> 
> When I build from bpf-next/master with a default .config, I do not get
> the crash.
> 
> When I disable CONFIG_MODULES, I do get a crash from tcpbps12a.c.

During make:

"WARN: resolve_btfids: unresolved symbol module"

Without going into the details, the bpf_try_module_get failed to bump the refcnt 
because of missing the "struct module" btf_id.

With a quick thought, I see bpf_struct_ops should be able to work around this 
CONFIG_MODULES=n.

I don't think it should though. The bpf_tcp_ca is using the "struct 
tcp_congestion_ops" which can be implemented by a kernel module and the kconfig 
wants nothing other than the built-in tcp-cc. I don't think the bpf_struct_ops 
should be a way to work around that. I think the right thing to do here is to 
also disallow attaching bpf_struct_ops when CONFIG_MODULES=n to fix this UAF issue.

