[PATCH bpf-next v2] bpf: Move out synchronize_rcu_tasks

BPF List
 help / color / mirror / Atom feed

* [PATCH bpf-next v2] bpf: Move out synchronize_rcu_tasks_trace from mutex CS
@ 2025-01-04  1:39 Pu Lehui
  2025-01-08 11:26 ` Jiri Olsa
  2025-01-08 17:50 ` patchwork-bot+netdevbpf
  0 siblings, 2 replies; 4+ messages in thread
From: Pu Lehui @ 2025-01-04  1:39 UTC (permalink / raw)
  To: bpf
  Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
	Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song,
	John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
	Jann Horn, Pu Lehui, Pu Lehui

From: Pu Lehui <pulehui@huawei.com>

Commit ef1b808e3b7c ("bpf: Fix UAF via mismatching bpf_prog/attachment
RCU flavors") resolved a possible UAF issue in uprobes that attach
non-sleepable bpf prog by explicitly waiting for a tasks-trace-RCU grace
period. But, in the current implementation, synchronize_rcu_tasks_trace
is included within the mutex critical section, which increases the
length of the critical section and may affect performance. So let's move
out synchronize_rcu_tasks_trace from mutex CS.

Signed-off-by: Pu Lehui <pulehui@huawei.com>
---
v2: Simplify code logic. (Jiri)

 kernel/trace/bpf_trace.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 48db147c6c7d..a90880f475af 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -2245,6 +2245,7 @@ void perf_event_detach_bpf_prog(struct perf_event *event)
 {
 	struct bpf_prog_array *old_array;
 	struct bpf_prog_array *new_array;
+	struct bpf_prog *prog = NULL;
 	int ret;
 
 	mutex_lock(&bpf_event_mutex);
@@ -2265,18 +2266,22 @@ void perf_event_detach_bpf_prog(struct perf_event *event)
 	}
 
 put:
-	/*
-	 * It could be that the bpf_prog is not sleepable (and will be freed
-	 * via normal RCU), but is called from a point that supports sleepable
-	 * programs and uses tasks-trace-RCU.
-	 */
-	synchronize_rcu_tasks_trace();
-
-	bpf_prog_put(event->prog);
+	prog = event->prog;
 	event->prog = NULL;
 
 unlock:
 	mutex_unlock(&bpf_event_mutex);
+
+	if (prog) {
+		/*
+		 * It could be that the bpf_prog is not sleepable (and will be freed
+		 * via normal RCU), but is called from a point that supports sleepable
+		 * programs and uses tasks-trace-RCU.
+		 */
+		synchronize_rcu_tasks_trace();
+
+		bpf_prog_put(prog);
+	}
 }
 
 int perf_event_query_prog_array(struct perf_event *event, void __user *info)
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH bpf-next v2] bpf: Move out synchronize_rcu_tasks_trace from mutex CS
  2025-01-04  1:39 [PATCH bpf-next v2] bpf: Move out synchronize_rcu_tasks_trace from mutex CS Pu Lehui
@ 2025-01-08 11:26 ` Jiri Olsa
  2025-01-08 12:50   ` Peter Zijlstra
  2025-01-08 17:50 ` patchwork-bot+netdevbpf
  1 sibling, 1 reply; 4+ messages in thread
From: Jiri Olsa @ 2025-01-08 11:26 UTC (permalink / raw)
  To: Pu Lehui, Peter Zijlstra
  Cc: bpf, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
	Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song,
	John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jann Horn,
	Pu Lehui

On Sat, Jan 04, 2025 at 01:39:46AM +0000, Pu Lehui wrote:
> From: Pu Lehui <pulehui@huawei.com>
> 
> Commit ef1b808e3b7c ("bpf: Fix UAF via mismatching bpf_prog/attachment
> RCU flavors") resolved a possible UAF issue in uprobes that attach
> non-sleepable bpf prog by explicitly waiting for a tasks-trace-RCU grace
> period. But, in the current implementation, synchronize_rcu_tasks_trace
> is included within the mutex critical section, which increases the
> length of the critical section and may affect performance. So let's move
> out synchronize_rcu_tasks_trace from mutex CS.

lgtm, adding peter

Reviewed-by: Jiri Olsa <jolsa@kernel.org>

jirka

> 
> Signed-off-by: Pu Lehui <pulehui@huawei.com>
> ---
> v2: Simplify code logic. (Jiri)
> 
>  kernel/trace/bpf_trace.c | 21 +++++++++++++--------
>  1 file changed, 13 insertions(+), 8 deletions(-)
> 
> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> index 48db147c6c7d..a90880f475af 100644
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c
> @@ -2245,6 +2245,7 @@ void perf_event_detach_bpf_prog(struct perf_event *event)
>  {
>  	struct bpf_prog_array *old_array;
>  	struct bpf_prog_array *new_array;
> +	struct bpf_prog *prog = NULL;
>  	int ret;
>  
>  	mutex_lock(&bpf_event_mutex);
> @@ -2265,18 +2266,22 @@ void perf_event_detach_bpf_prog(struct perf_event *event)
>  	}
>  
>  put:
> -	/*
> -	 * It could be that the bpf_prog is not sleepable (and will be freed
> -	 * via normal RCU), but is called from a point that supports sleepable
> -	 * programs and uses tasks-trace-RCU.
> -	 */
> -	synchronize_rcu_tasks_trace();
> -
> -	bpf_prog_put(event->prog);
> +	prog = event->prog;
>  	event->prog = NULL;
>  
>  unlock:
>  	mutex_unlock(&bpf_event_mutex);
> +
> +	if (prog) {
> +		/*
> +		 * It could be that the bpf_prog is not sleepable (and will be freed
> +		 * via normal RCU), but is called from a point that supports sleepable
> +		 * programs and uses tasks-trace-RCU.
> +		 */
> +		synchronize_rcu_tasks_trace();
> +
> +		bpf_prog_put(prog);
> +	}
>  }
>  
>  int perf_event_query_prog_array(struct perf_event *event, void __user *info)
> -- 
> 2.34.1
> 
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH bpf-next v2] bpf: Move out synchronize_rcu_tasks_trace from mutex CS
  2025-01-08 11:26 ` Jiri Olsa
@ 2025-01-08 12:50   ` Peter Zijlstra
  0 siblings, 0 replies; 4+ messages in thread
From: Peter Zijlstra @ 2025-01-08 12:50 UTC (permalink / raw)
  To: Jiri Olsa
  Cc: Pu Lehui, bpf, Alexei Starovoitov, Daniel Borkmann,
	Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
	Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev,
	Hao Luo, Jann Horn, Pu Lehui

On Wed, Jan 08, 2025 at 12:26:07PM +0100, Jiri Olsa wrote:
> On Sat, Jan 04, 2025 at 01:39:46AM +0000, Pu Lehui wrote:
> > From: Pu Lehui <pulehui@huawei.com>
> > 
> > Commit ef1b808e3b7c ("bpf: Fix UAF via mismatching bpf_prog/attachment
> > RCU flavors") resolved a possible UAF issue in uprobes that attach
> > non-sleepable bpf prog by explicitly waiting for a tasks-trace-RCU grace
> > period. But, in the current implementation, synchronize_rcu_tasks_trace
> > is included within the mutex critical section, which increases the
> > length of the critical section and may affect performance. So let's move
> > out synchronize_rcu_tasks_trace from mutex CS.
> 
> lgtm, adding peter

Yeah, I don't immediately see anything funny there either. Carry on.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH bpf-next v2] bpf: Move out synchronize_rcu_tasks_trace from mutex CS
  2025-01-04  1:39 [PATCH bpf-next v2] bpf: Move out synchronize_rcu_tasks_trace from mutex CS Pu Lehui
  2025-01-08 11:26 ` Jiri Olsa
@ 2025-01-08 17:50 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 4+ messages in thread
From: patchwork-bot+netdevbpf @ 2025-01-08 17:50 UTC (permalink / raw)
  To: Pu Lehui
  Cc: bpf, ast, daniel, andrii, martin.lau, eddyz87, song,
	yonghong.song, john.fastabend, kpsingh, sdf, haoluo, jolsa, jannh,
	pulehui

Hello:

This patch was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Sat,  4 Jan 2025 01:39:46 +0000 you wrote:
> From: Pu Lehui <pulehui@huawei.com>
> 
> Commit ef1b808e3b7c ("bpf: Fix UAF via mismatching bpf_prog/attachment
> RCU flavors") resolved a possible UAF issue in uprobes that attach
> non-sleepable bpf prog by explicitly waiting for a tasks-trace-RCU grace
> period. But, in the current implementation, synchronize_rcu_tasks_trace
> is included within the mutex critical section, which increases the
> length of the critical section and may affect performance. So let's move
> out synchronize_rcu_tasks_trace from mutex CS.
> 
> [...]

Here is the summary with links:
  - [bpf-next,v2] bpf: Move out synchronize_rcu_tasks_trace from mutex CS
    https://git.kernel.org/bpf/bpf-next/c/ca3c4f646a9f

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2025-01-08 17:50 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-01-04  1:39 [PATCH bpf-next v2] bpf: Move out synchronize_rcu_tasks_trace from mutex CS Pu Lehui
2025-01-08 11:26 ` Jiri Olsa
2025-01-08 12:50   ` Peter Zijlstra
2025-01-08 17:50 ` patchwork-bot+netdevbpf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox