From: Kuniyuki Iwashima <kuniyu@amazon.com>
To: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>
Cc: Kuniyuki Iwashima <kuniyu@amazon.com>,
Kuniyuki Iwashima <kuni1840@gmail.com>, <bpf@vger.kernel.org>,
<netdev@vger.kernel.org>
Subject: [PATCH v1 bpf 2/4] bpf: Fix data-races around bpf_jit_harden.
Date: Wed, 17 Aug 2022 21:23:37 -0700 [thread overview]
Message-ID: <20220818042339.82992-3-kuniyu@amazon.com> (raw)
In-Reply-To: <20220818042339.82992-1-kuniyu@amazon.com>
While reading bpf_jit_harden, it can be changed concurrently.
Thus, we need to add READ_ONCE() to its readers.
Fixes: 4f3446bb809f ("bpf: add generic constant blinding for use in jits")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
---
include/linux/filter.h | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/include/linux/filter.h b/include/linux/filter.h
index ce8072626ccf..09566ad211bd 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -1090,6 +1090,8 @@ static inline bool bpf_prog_ebpf_jited(const struct bpf_prog *fp)
static inline bool bpf_jit_blinding_enabled(struct bpf_prog *prog)
{
+ int jit_harden = READ_ONCE(bpf_jit_harden);
+
/* These are the prerequisites, should someone ever have the
* idea to call blinding outside of them, we make sure to
* bail out.
@@ -1098,9 +1100,9 @@ static inline bool bpf_jit_blinding_enabled(struct bpf_prog *prog)
return false;
if (!prog->jit_requested)
return false;
- if (!bpf_jit_harden)
+ if (!jit_harden)
return false;
- if (bpf_jit_harden == 1 && capable(CAP_SYS_ADMIN))
+ if (jit_harden == 1 && capable(CAP_SYS_ADMIN))
return false;
return true;
@@ -1111,7 +1113,7 @@ static inline bool bpf_jit_kallsyms_enabled(void)
/* There are a couple of corner cases where kallsyms should
* not be enabled f.e. on hardening.
*/
- if (bpf_jit_harden)
+ if (READ_ONCE(bpf_jit_harden))
return false;
if (!bpf_jit_kallsyms)
return false;
--
2.30.2
next prev parent reply other threads:[~2022-08-18 4:24 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-18 4:23 [PATCH v1 bpf 0/4] bpf: sysctl: Fix data-races around net.core.bpf_XXX Kuniyuki Iwashima
2022-08-18 4:23 ` [PATCH v1 bpf 1/4] bpf: Fix data-races around bpf_jit_enable Kuniyuki Iwashima
2022-08-18 22:49 ` Alexei Starovoitov
2022-08-19 0:06 ` Kuniyuki Iwashima
2022-08-19 0:13 ` Alexei Starovoitov
2022-08-19 0:55 ` Kuniyuki Iwashima
2022-08-19 1:05 ` Alexei Starovoitov
2022-08-19 1:15 ` Kuniyuki Iwashima
2022-08-19 3:27 ` Alexei Starovoitov
2022-08-19 3:46 ` Kuniyuki Iwashima
2022-08-19 22:56 ` Alexei Starovoitov
2022-08-18 4:23 ` Kuniyuki Iwashima [this message]
2022-08-18 4:23 ` [PATCH v1 bpf 3/4] bpf: Fix data-races around bpf_jit_kallsyms Kuniyuki Iwashima
2022-08-18 4:23 ` [PATCH v1 bpf 4/4] bpf: Fix a data-race around bpf_jit_limit Kuniyuki Iwashima
2022-08-24 1:10 ` [PATCH v1 bpf 0/4] bpf: sysctl: Fix data-races around net.core.bpf_XXX dongdwdw
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220818042339.82992-3-kuniyu@amazon.com \
--to=kuniyu@amazon.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kuni1840@gmail.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox