* [PATCH v2 bpf-next 0/2] bpf: Fix an issue in bpf_iter_task
@ 2024-02-17 11:41 Yafang Shao
From: Yafang Shao @ 2024-02-17 11:41 UTC (permalink / raw)
To: ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song,
yonghong.song, kpsingh, sdf, haoluo, jolsa
Cc: bpf, Yafang Shao
The uninitialized bpf_iter_task variable poses a risk of triggering a
kernel panic. To fix this potential issue, it's imperative to ensure proper
initialization of the variable. This problem surfaced during the
implementation phase of the bits iterator [0].
[0]. https://lwn.net/ml/bpf/CALOAHbDJWHOB+viBz6SUqdeF+Nkxmh4gLZo5Ad_keQXjBWHAsQ@mail.gmail.com
v1->v2:
- Correct the fixes tag (Chuyi)
Yafang Shao (2):
bpf: Fix an issue due to uninitialized bpf_iter_task
selftests/bpf: Add negtive test cases for task iter
kernel/bpf/task_iter.c | 2 ++
tools/testing/selftests/bpf/prog_tests/iters.c | 1 +
tools/testing/selftests/bpf/progs/iters_task.c | 12 +++++++++++-
3 files changed, 14 insertions(+), 1 deletion(-)
--
2.39.1
^ permalink raw reply [flat|nested] 7+ messages in thread* [PATCH v2 bpf-next 1/2] bpf: Fix an issue due to uninitialized bpf_iter_task 2024-02-17 11:41 [PATCH v2 bpf-next 0/2] bpf: Fix an issue in bpf_iter_task Yafang Shao @ 2024-02-17 11:41 ` Yafang Shao 2024-02-17 12:03 ` Oleg Nesterov 2024-02-17 11:41 ` [PATCH v2 bpf-next 2/2] selftests/bpf: Add negtive test cases for task iter Yafang Shao 2024-02-19 11:40 ` [PATCH v2 bpf-next 0/2] bpf: Fix an issue in bpf_iter_task patchwork-bot+netdevbpf 2 siblings, 1 reply; 7+ messages in thread From: Yafang Shao @ 2024-02-17 11:41 UTC (permalink / raw) To: ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song, yonghong.song, kpsingh, sdf, haoluo, jolsa Cc: bpf, Yafang Shao, Chuyi Zhou, Oleg Nesterov Failure to initialize it->pos, coupled with the presence of an invalid value in the flags variable, can lead to it->pos referencing an invalid task, potentially resulting in a kernel panic. To mitigate this risk, it's crucial to ensure proper initialization of it->pos to NULL. Fixes: ac8148d957f5 ("bpf: bpf_iter_task_next: use next_task(kit->task) rather than next_task(kit->pos)") Signed-off-by: Yafang Shao <laoar.shao@gmail.com> Acked-by: Yonghong Song <yonghong.song@linux.dev> Cc: Chuyi Zhou <zhouchuyi@bytedance.com> Cc: Oleg Nesterov <oleg@redhat.com> --- kernel/bpf/task_iter.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/bpf/task_iter.c b/kernel/bpf/task_iter.c index e5c3500443c6..ec4e97c61eef 100644 --- a/kernel/bpf/task_iter.c +++ b/kernel/bpf/task_iter.c @@ -978,6 +978,8 @@ __bpf_kfunc int bpf_iter_task_new(struct bpf_iter_task *it, BUILD_BUG_ON(__alignof__(struct bpf_iter_task_kern) != __alignof__(struct bpf_iter_task)); + kit->pos = NULL; + switch (flags) { case BPF_TASK_ITER_ALL_THREADS: case BPF_TASK_ITER_ALL_PROCS: -- 2.39.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
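Review bot: the commit message speaks of it->pos while the hunk assigns kit->pos, and nothing at the store explains why a cursor must be cleared before the flags are even validated; add a one-line comment above `kit->pos = NULL;` stating that bpf_iter_task_next() can run even when this function returns -EINVAL (bpf_for_each() does not check the constructor's return value, as the reply thread establishes), so pos must be NULL on every error path. Placing the store ahead of `switch (flags)` covers the invalid-flags case; worth confirming that the invalid task__nullable path exercised by the 2/2 selftest also passes this line before returning, since the hunk shows only the top of the function.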
* Re: [PATCH v2 bpf-next 1/2] bpf: Fix an issue due to uninitialized bpf_iter_task 2024-02-17 11:41 ` [PATCH v2 bpf-next 1/2] bpf: Fix an issue due to uninitialized bpf_iter_task Yafang Shao @ 2024-02-17 12:03 ` Oleg Nesterov 2024-02-17 13:11 ` Yafang Shao 0 siblings, 1 reply; 7+ messages in thread From: Oleg Nesterov @ 2024-02-17 12:03 UTC (permalink / raw) To: Yafang Shao Cc: ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song, yonghong.song, kpsingh, sdf, haoluo, jolsa, bpf, Chuyi Zhou On 02/17, Yafang Shao wrote: > > Failure to initialize it->pos, coupled with the presence of an invalid > value in the flags variable, can lead to it->pos referencing an invalid > task, potentially resulting in a kernel panic. To mitigate this risk, it's > crucial to ensure proper initialization of it->pos to NULL. > > Fixes: ac8148d957f5 ("bpf: bpf_iter_task_next: use next_task(kit->task) rather than next_task(kit->pos)") Confused... Does this mean that bpf_iter_task_next() (the only user of ->pos) can be called even if bpf_iter_task_new() returns -EINVAL ? Oleg. > Signed-off-by: Yafang Shao <laoar.shao@gmail.com> > Acked-by: Yonghong Song <yonghong.song@linux.dev> > Cc: Chuyi Zhou <zhouchuyi@bytedance.com> > Cc: Oleg Nesterov <oleg@redhat.com> > --- > kernel/bpf/task_iter.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/kernel/bpf/task_iter.c b/kernel/bpf/task_iter.c > index e5c3500443c6..ec4e97c61eef 100644 > --- a/kernel/bpf/task_iter.c > +++ b/kernel/bpf/task_iter.c > @@ -978,6 +978,8 @@ __bpf_kfunc int bpf_iter_task_new(struct bpf_iter_task *it, > BUILD_BUG_ON(__alignof__(struct bpf_iter_task_kern) != > __alignof__(struct bpf_iter_task)); > > + kit->pos = NULL; > + > switch (flags) { > case BPF_TASK_ITER_ALL_THREADS: > case BPF_TASK_ITER_ALL_PROCS: > -- > 2.39.1 > ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2 bpf-next 1/2] bpf: Fix an issue due to uninitialized bpf_iter_task 2024-02-17 12:03 ` Oleg Nesterov @ 2024-02-17 13:11 ` Yafang Shao 2024-02-17 16:43 ` Oleg Nesterov 0 siblings, 1 reply; 7+ messages in thread From: Yafang Shao @ 2024-02-17 13:11 UTC (permalink / raw) To: Oleg Nesterov Cc: ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song, yonghong.song, kpsingh, sdf, haoluo, jolsa, bpf, Chuyi Zhou On Sat, Feb 17, 2024 at 8:05 PM Oleg Nesterov <oleg@redhat.com> wrote: > > On 02/17, Yafang Shao wrote: > > > > Failure to initialize it->pos, coupled with the presence of an invalid > > value in the flags variable, can lead to it->pos referencing an invalid > > task, potentially resulting in a kernel panic. To mitigate this risk, it's > > crucial to ensure proper initialization of it->pos to NULL. > > > > Fixes: ac8148d957f5 ("bpf: bpf_iter_task_next: use next_task(kit->task) rather than next_task(kit->pos)") > > Confused... > > Does this mean that bpf_iter_task_next() (the only user of ->pos) can be > called even if bpf_iter_task_new() returns -EINVAL ? Right. The bpf_for_each() doesn't check the return value of bpf_iter_task_new (), see also https://lore.kernel.org/bpf/20240208090906.56337-4-laoar.shao@gmail.com/ Even if we check the return value of bpf_iter_task_new() in bpf_for_each(), we still need to fix it in the kernel. > > Oleg. > > > Signed-off-by: Yafang Shao <laoar.shao@gmail.com> > > Acked-by: Yonghong Song <yonghong.song@linux.dev> > > Cc: Chuyi Zhou <zhouchuyi@bytedance.com> > > Cc: Oleg Nesterov <oleg@redhat.com> > > --- > > kernel/bpf/task_iter.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/kernel/bpf/task_iter.c b/kernel/bpf/task_iter.c > > index e5c3500443c6..ec4e97c61eef 100644 > > --- a/kernel/bpf/task_iter.c > > +++ b/kernel/bpf/task_iter.c 
> > @@ -978,6 +978,8 @@ __bpf_kfunc int bpf_iter_task_new(struct bpf_iter_task *it, > > BUILD_BUG_ON(__alignof__(struct bpf_iter_task_kern) != > > __alignof__(struct bpf_iter_task)); > > > > + kit->pos = NULL; > > + > > switch (flags) { > > case BPF_TASK_ITER_ALL_THREADS: > > case BPF_TASK_ITER_ALL_PROCS: > > -- > > 2.39.1 > > > -- Regards Yafang ^ permalink raw reply [flat|nested] 7+ messages in thread
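The contract Yafang describes above (a loop macro that calls the iterator constructor without checking its return value, then calls next() regardless) can be modelled in user space. The block below is an added example, not code from the patch or the kernel; `task_list`, `iter_new_buggy`, `iter_new_fixed`, `iter_next`, `count_with` and `ITER_FLAG_ALL` are constructed names, and the stale cursor value is simulated with a static array so that the effect is deterministic rather than a real wild read.

```c
/* Added example (not from the patch or the kernel): a user-space model of the
 * bpf_iter_task_new()/bpf_iter_task_next() contract discussed in the thread.
 * All names below are constructed for this illustration. */
#include <stddef.h>
#include <stdio.h>
#include <errno.h>

#define ITER_FLAG_ALL 1u   /* the only valid flag in this model */

/* Constructed stand-in for the task list: a NULL-terminated array of names. */
static const char *const task_list[] = { "init", "worker", "shell", NULL };

struct iter {
    const char *const *pos;  /* next element to yield; NULL means exhausted */
};

/* Buggy constructor: on an invalid flag it returns -EINVAL and leaves pos
 * untouched, so whatever the caller's memory held becomes the cursor. */
static int iter_new_buggy(struct iter *it, unsigned int flags)
{
    if (flags != ITER_FLAG_ALL)
        return -EINVAL;
    it->pos = task_list;
    return 0;
}

/* Fixed constructor: clear the cursor before validating anything, mirroring
 * the `kit->pos = NULL;` the patch places ahead of `switch (flags)`. */
static int iter_new_fixed(struct iter *it, unsigned int flags)
{
    it->pos = NULL;
    if (flags != ITER_FLAG_ALL)
        return -EINVAL;
    it->pos = task_list;
    return 0;
}

/* next(): yield the current element and advance, NULL when done. It cannot
 * tell whether new() succeeded; it trusts whatever pos contains. */
static const char *iter_next(struct iter *it)
{
    const char *cur;

    if (!it->pos || !*it->pos)
        return NULL;
    cur = *it->pos;
    it->pos++;
    return cur;
}

/* Model of a loop macro that ignores the constructor's return value, as the
 * thread says bpf_for_each() does. Returns how many times the body ran. */
static int count_with(int (*ctor)(struct iter *, unsigned int), unsigned int flags)
{
    /* Constructed stale contents standing in for an uninitialized stack slot. */
    static const char *const stale[] = { "STALE", "STALE", NULL };
    struct iter it;
    int n = 0;

    it.pos = stale;
    (void)ctor(&it, flags);        /* return value deliberately ignored */
    while (iter_next(&it))
        n++;
    return n;
}

int main(void)
{
    printf("valid flags, fixed ctor:   %d iterations\n",
           count_with(iter_new_fixed, ITER_FLAG_ALL));
    printf("invalid flags, buggy ctor: %d iterations (body ran on stale cursor)\n",
           count_with(iter_new_buggy, ~0u));
    printf("invalid flags, fixed ctor: %d iterations\n",
           count_with(iter_new_fixed, ~0u));
    return 0;
}
```

With the buggy constructor and invalid flags the loop walks whatever the cursor held before the call; with the fix the cursor is cleared before the flags are checked, so next() sees NULL and the body never runs, which is the property the 2/2 selftest asserts through invalid_cnt == 0.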
* Re: [PATCH v2 bpf-next 1/2] bpf: Fix an issue due to uninitialized bpf_iter_task
@ 2024-02-17 16:43 Oleg Nesterov
From: Oleg Nesterov @ 2024-02-17 16:43 UTC (permalink / raw)
To: Yafang Shao
Cc: ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song,
yonghong.song, kpsingh, sdf, haoluo, jolsa, bpf, Chuyi Zhou

On 02/17, Yafang Shao wrote:
>
> On Sat, Feb 17, 2024 at 8:05 PM Oleg Nesterov <oleg@redhat.com> wrote:
> >
> > > Fixes: ac8148d957f5 ("bpf: bpf_iter_task_next: use next_task(kit->task) rather than next_task(kit->pos)")
> >
> > Confused...
> >
> > Does this mean that bpf_iter_task_next() (the only user of ->pos) can be
> > called even if bpf_iter_task_new() returns -EINVAL ?
>
> Right. The bpf_for_each() doesn't check the return value of bpf_iter_task_new
> (), see also https://lore.kernel.org/bpf/20240208090906.56337-4-laoar.shao@gmail.com/
>
> Even if we check the return value of bpf_iter_task_new() in
> bpf_for_each(), we still need to fix it in the kernel.

Hmm, OK. Somehow I naively thought there must be an in-kernel check that
would prevent bpf_iter_task_next() if bpf_iter_task_new() failed.

Thanks for your explanations. FWIW,

Acked-by: Oleg Nesterov <oleg@redhat.com>
* [PATCH v2 bpf-next 2/2] selftests/bpf: Add negtive test cases for task iter 2024-02-17 11:41 [PATCH v2 bpf-next 0/2] bpf: Fix an issue in bpf_iter_task Yafang Shao 2024-02-17 11:41 ` [PATCH v2 bpf-next 1/2] bpf: Fix an issue due to uninitialized bpf_iter_task Yafang Shao @ 2024-02-17 11:41 ` Yafang Shao 2024-02-19 11:40 ` [PATCH v2 bpf-next 0/2] bpf: Fix an issue in bpf_iter_task patchwork-bot+netdevbpf 2 siblings, 0 replies; 7+ messages in thread From: Yafang Shao @ 2024-02-17 11:41 UTC (permalink / raw) To: ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song, yonghong.song, kpsingh, sdf, haoluo, jolsa Cc: bpf, Yafang Shao, Chuyi Zhou Incorporate a test case to assess the handling of invalid flags or task__nullable parameters passed to bpf_iter_task_new(). Prior to the preceding commit, this scenario could potentially trigger a kernel panic. However, with the previous commit, this test case is expected to function correctly. Signed-off-by: Yafang Shao <laoar.shao@gmail.com> Cc: Chuyi Zhou <zhouchuyi@bytedance.com> --- tools/testing/selftests/bpf/prog_tests/iters.c | 1 + tools/testing/selftests/bpf/progs/iters_task.c | 12 +++++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/bpf/prog_tests/iters.c b/tools/testing/selftests/bpf/prog_tests/iters.c index bf84d4a1d9ae..3c440370c1f0 100644 --- a/tools/testing/selftests/bpf/prog_tests/iters.c +++ b/tools/testing/selftests/bpf/prog_tests/iters.c @@ -193,6 +193,7 @@ static void subtest_task_iters(void) ASSERT_EQ(skel->bss->procs_cnt, 1, "procs_cnt"); ASSERT_EQ(skel->bss->threads_cnt, thread_num + 1, "threads_cnt"); ASSERT_EQ(skel->bss->proc_threads_cnt, thread_num + 1, "proc_threads_cnt"); + ASSERT_EQ(skel->bss->invalid_cnt, 0, "invalid_cnt"); pthread_mutex_unlock(&do_nothing_mutex); for (int i = 0; i < thread_num; i++) ASSERT_OK(pthread_join(thread_ids[i], &ret), "pthread_join"); 
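Review bot: the new `ASSERT_EQ(skel->bss->invalid_cnt, 0, "invalid_cnt");` would also pass if the BPF program never ran at all, because a .bss counter starts at zero; it is meaningful only because the preceding asserts on procs_cnt, threads_cnt and proc_threads_cnt already prove the program executed. Keep it ordered after them, as it is here, and consider a comment saying that the zero is expected because the two invalid bpf_for_each() loops must never enter their bodies.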
diff --git a/tools/testing/selftests/bpf/progs/iters_task.c b/tools/testing/selftests/bpf/progs/iters_task.c index c9b4055cd410..e4d53e40ff20 100644 --- a/tools/testing/selftests/bpf/progs/iters_task.c +++ b/tools/testing/selftests/bpf/progs/iters_task.c @@ -10,7 +10,7 @@ char _license[] SEC("license") = "GPL"; pid_t target_pid; -int procs_cnt, threads_cnt, proc_threads_cnt; +int procs_cnt, threads_cnt, proc_threads_cnt, invalid_cnt; void bpf_rcu_read_lock(void) __ksym; void bpf_rcu_read_unlock(void) __ksym; @@ -26,6 +26,16 @@ int iter_task_for_each_sleep(void *ctx) procs_cnt = threads_cnt = proc_threads_cnt = 0; bpf_rcu_read_lock(); + bpf_for_each(task, pos, NULL, ~0U) { + /* Below instructions shouldn't be executed for invalid flags */ + invalid_cnt++; + } + + bpf_for_each(task, pos, NULL, BPF_TASK_ITER_PROC_THREADS) { + /* Below instructions shouldn't be executed for invalid task__nullable */ + invalid_cnt++; + } + bpf_for_each(task, pos, NULL, BPF_TASK_ITER_ALL_PROCS) if (pos->pid == target_pid) procs_cnt++; -- 2.39.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
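Review bot: the reset line `procs_cnt = threads_cnt = proc_threads_cnt = 0;` in the second hunk's context is not extended to the new invalid_cnt, so the counter is cleared only by the initial .bss zeroing; if the program ever triggers more than once the other counters restart but invalid_cnt accumulates. Add invalid_cnt to that reset so every run asserts the same property. The two loop comments could also say what the expected outcome is ("the body must never run for invalid flags" / "for a NULL task__nullable") rather than "Below instructions shouldn't be executed", and a short comment noting that ~0U is chosen as a flags value no BPF_TASK_ITER_* constant matches would make the intent of the first loop explicit.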
* Re: [PATCH v2 bpf-next 0/2] bpf: Fix an issue in bpf_iter_task
@ 2024-02-19 11:40 patchwork-bot+netdevbpf
From: patchwork-bot+netdevbpf @ 2024-02-19 11:40 UTC (permalink / raw)
To: Yafang Shao
Cc: ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song,
yonghong.song, kpsingh, sdf, haoluo, jolsa, bpf

Hello:

This series was applied to bpf/bpf.git (master)
by Daniel Borkmann <daniel@iogearbox.net>:

On Sat, 17 Feb 2024 19:41:50 +0800 you wrote:
> The uninitialized bpf_iter_task variable poses a risk of triggering a
> kernel panic. To fix this potential issue, it's imperative to ensure proper
> initialization of the variable. This problem surfaced during the
> implementation phase of the bits iterator [0].
>
> [0]. https://lwn.net/ml/bpf/CALOAHbDJWHOB+viBz6SUqdeF+Nkxmh4gLZo5Ad_keQXjBWHAsQ@mail.gmail.com
>
> [...]

Here is the summary with links:
- [v2,bpf-next,1/2] bpf: Fix an issue due to uninitialized bpf_iter_task
https://git.kernel.org/bpf/bpf/c/5f2ae606cb5a
- [v2,bpf-next,2/2] selftests/bpf: Add negtive test cases for task iter
https://git.kernel.org/bpf/bpf/c/5c138a8a4abe

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html