From: Leon Hwang <hffilwlqm@gmail.com>
To: bpf@vger.kernel.org
Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
toke@redhat.com, hffilwlqm@gmail.com
Subject: [RFC PATCH bpf-next 0/2] bpf: Fix updating attached freplace to PROG_ARRAY map
Date: Sun, 2 Jun 2024 20:24:19 +0800
Message-ID: <20240602122421.50892-1-hffilwlqm@gmail.com>
When I try to run selftests to confirm that I fixed the tailcall hierarchy
issue [0], it hits a kernel NULL pointer dereference BUG.
[309049.036402] BUG: kernel NULL pointer dereference, address: 0000000000000004
[309049.036419] #PF: supervisor read access in kernel mode
[309049.036426] #PF: error_code(0x0000) - not-present page
[309049.036432] PGD 0 P4D 0
[309049.036437] Oops: 0000 [#1] PREEMPT SMP NOPTI
[309049.036444] CPU: 2 PID: 788148 Comm: test_progs Not tainted 6.8.0-31-generic #31-Ubuntu
[309049.036465] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023
[309049.036477] RIP: 0010:bpf_prog_map_compatible+0x2a/0x140
[309049.036488] Code: 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 49 89 fe 41 55 41 54 53 44 8b 6e 04 48 89 f3 41 83 fd 1c 75 0c 48 8b 46 38 48 8b 40 70 <44> 8b 68 04 f6 43 03 01 75 1c 48 8b 43 38 44 0f b6 a0 89 00 00 00
[309049.036505] RSP: 0018:ffffb2e080fd7ce0 EFLAGS: 00010246
[309049.036513] RAX: 0000000000000000 RBX: ffffb2e0807c1000 RCX: 0000000000000000
[309049.036521] RDX: 0000000000000000 RSI: ffffb2e0807c1000 RDI: ffff990290259e00
[309049.036528] RBP: ffffb2e080fd7d08 R08: 0000000000000000 R09: 0000000000000000
[309049.036536] R10: 0000000000000000 R11: 0000000000000000 R12: ffff990290259e00
[309049.036543] R13: 000000000000001c R14: ffff990290259e00 R15: ffff99028e29c400
[309049.036551] FS: 00007b82cbc28140(0000) GS:ffff9903b3f00000(0000) knlGS:0000000000000000
[309049.036559] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[309049.036566] CR2: 0000000000000004 CR3: 0000000101286002 CR4: 00000000003706f0
[309049.036573] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[309049.036581] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[309049.036588] Call Trace:
[309049.036592] <TASK>
[309049.036597] ? show_regs+0x6d/0x80
[309049.036604] ? __die+0x24/0x80
[309049.036619] ? page_fault_oops+0x99/0x1b0
[309049.036628] ? do_user_addr_fault+0x2ee/0x6b0
[309049.036634] ? exc_page_fault+0x83/0x1b0
[309049.036641] ? asm_exc_page_fault+0x27/0x30
[309049.036649] ? bpf_prog_map_compatible+0x2a/0x140
[309049.036656] prog_fd_array_get_ptr+0x2c/0x70
[309049.036664] bpf_fd_array_map_update_elem+0x37/0x130
[309049.036671] bpf_map_update_value+0x1d3/0x260
[309049.036677] map_update_elem+0x1fa/0x360
[309049.036683] __sys_bpf+0x54c/0xa10
[309049.036689] __x64_sys_bpf+0x1a/0x30
[309049.036694] x64_sys_call+0x1936/0x25c0
[309049.036700] do_syscall_64+0x7f/0x180
[309049.036706] ? do_syscall_64+0x8c/0x180
[309049.036712] ? do_syscall_64+0x8c/0x180
[309049.036717] ? irqentry_exit+0x43/0x50
[309049.036723] ? common_interrupt+0x54/0xb0
[309049.036729] entry_SYSCALL_64_after_hwframe+0x73/0x7b
It is caused by these two commits:
- commit 1c123c567fb1 ("bpf: Resolve fext program type when checking map compatibility")
- commit 3aac1ead5eb6 ("bpf: Move prog->aux->linked_prog and trampoline into bpf_link on attach")
After freplace attachment, 'prog->aux->dst_prog' is set to NULL. Then,
when updating the freplace prog into a PROG_ARRAY map, 'resolve_prog_type()'
resolves the freplace prog type via 'prog->aux->dst_prog->type'. Finally, the
BUG hits.
This patchset resolves the freplace prog type via
'prog->aux->saved_dst_prog_type' to avoid the BUG.
However, it does not resolve this issue thoroughly, because the prog type
of an freplace prog is not stable, as an freplace prog can attach to
different types of progs.
So, I am raising this RFC PATCH to discuss how to resolve it thoroughly.
Links:
[0] https://lore.kernel.org/bpf/6203dd01-789d-f02c-5293-def4c1b18aef@gmail.com/
Leon Hwang (2):
bpf: Fix updating attached freplace to PROG_ARRAY map
selftests/bpf: Add testcase for updating attached freplace prog to
PROG_ARRAY map
include/linux/bpf_verifier.h | 2 +-
.../selftests/bpf/prog_tests/tailcalls.c | 82 +++++++++++++++++++
.../selftests/bpf/progs/tailcall_freplace.c | 34 ++++++++
.../testing/selftests/bpf/progs/tc_bpf2bpf.c | 21 +++++
4 files changed, 138 insertions(+), 1 deletion(-)
create mode 100644 tools/testing/selftests/bpf/progs/tailcall_freplace.c
create mode 100644 tools/testing/selftests/bpf/progs/tc_bpf2bpf.c
base-commit: c939103fc8ef1df0984b8665f157ff88e51373fe
--
2.44.0
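The following is an added user-space model of the path the cover letter describes; it is not code from the mail, the patches, or the kernel. It keeps only the two field names the mail relies on (prog->aux->dst_prog and prog->aux->saved_dst_prog_type) and puts a pre-fix resolver that reads through dst_prog next to one that prefers the saved type, then walks the reported sequence: load an freplace prog against a tc prog, attach it (dst_prog becomes NULL), and update it into a PROG_ARRAY. The struct layouts, the enum values, the assumption that the target type is saved before dst_prog is cleared at attach time, and the one-field PROG_ARRAY owner check standing in for bpf_prog_map_compatible() are all simplifications chosen for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed, simplified stand-ins for the kernel types; only the field names
 * the cover letter mentions (dst_prog, saved_dst_prog_type) are kept. */
enum bpf_prog_type {
	BPF_PROG_TYPE_UNSPEC = 0,
	BPF_PROG_TYPE_SCHED_CLS = 3,	/* tc prog, the freplace target here */
	BPF_PROG_TYPE_EXT = 28,		/* freplace prog */
};

struct bpf_prog;
struct bpf_prog_aux {
	struct bpf_prog *dst_prog;		/* target prog; NULL once attached */
	enum bpf_prog_type saved_dst_prog_type;	/* target type kept after attach */
};

struct bpf_prog {
	enum bpf_prog_type type;
	struct bpf_prog_aux *aux;
};

/* Pre-fix resolver: reads through dst_prog unconditionally for EXT progs. */
static enum bpf_prog_type resolve_prog_type_buggy(const struct bpf_prog *prog)
{
	return prog->type == BPF_PROG_TYPE_EXT ?
	       prog->aux->dst_prog->type : prog->type;
}

/* Resolver in the spirit of this RFC: prefer the saved target type. */
static enum bpf_prog_type resolve_prog_type_fixed(const struct bpf_prog *prog)
{
	if (prog->type == BPF_PROG_TYPE_EXT &&
	    prog->aux->saved_dst_prog_type != BPF_PROG_TYPE_UNSPEC)
		return prog->aux->saved_dst_prog_type;
	return prog->type;
}

/* Assumed attach step: the target type is saved, then dst_prog moves to the
 * link and is cleared on the prog, which is what the mail describes. */
static void model_attach(struct bpf_prog *ext)
{
	ext->aux->saved_dst_prog_type = ext->aux->dst_prog->type;
	ext->aux->dst_prog = NULL;
}

/* Minimal PROG_ARRAY owner check: the first prog fixes the owner type and
 * every later update must resolve to that same type. */
struct prog_array {
	bool has_owner;
	enum bpf_prog_type owner_type;
};

static int prog_array_update(struct prog_array *map, const struct bpf_prog *prog)
{
	enum bpf_prog_type t = resolve_prog_type_fixed(prog);
	if (!map->has_owner) {
		map->has_owner = true;
		map->owner_type = t;
		return 0;
	}
	return map->owner_type == t ? 0 : -EINVAL;
}

struct outcome {
	enum bpf_prog_type before_attach;	/* buggy resolver, dst_prog valid */
	bool buggy_would_crash;			/* dst_prog NULL: the reported oops */
	enum bpf_prog_type fixed_after_attach;	/* fixed resolver, dst_prog NULL */
	int update_rc;				/* PROG_ARRAY update of the ext prog */
};

/* The mail's scenario: load an freplace prog against a tc prog, attach it,
 * then insert it into a PROG_ARRAY already owned by the tc prog. */
static struct outcome run_scenario(void)
{
	struct bpf_prog tc = { .type = BPF_PROG_TYPE_SCHED_CLS };
	struct bpf_prog_aux aux = { .dst_prog = &tc };	/* recorded at load */
	struct bpf_prog ext = { .type = BPF_PROG_TYPE_EXT, .aux = &aux };
	struct prog_array map = { 0 };
	struct outcome o;
	o.before_attach = resolve_prog_type_buggy(&ext);	/* safe: dst_prog set */
	model_attach(&ext);
	/* Calling resolve_prog_type_buggy() here is exactly the NULL deref. */
	o.buggy_would_crash = ext.type == BPF_PROG_TYPE_EXT && !ext.aux->dst_prog;
	o.fixed_after_attach = resolve_prog_type_fixed(&ext);
	prog_array_update(&map, &tc);		/* tc prog owns the map */
	o.update_rc = prog_array_update(&map, &ext);
	return o;
}

int main(void)
{
	struct outcome o = run_scenario();
	printf("before attach: %d; after attach: crash=%d fixed=%d rc=%d\n",
	       o.before_attach, o.buggy_would_crash, o.fixed_after_attach, o.update_rc);
	return 0;
}
```

Build with `cc -Wall model.c -o model && ./model`. The model deliberately never calls the pre-fix resolver after attach; it only reports that dst_prog is NULL at that point, which in the kernel is the read at `bpf_prog_map_compatible+0x2a` in the oops above. Note that the saved type in this model is whatever the freplace prog was last attached to, so the resolved type is only as stable as the attachment, which is the concern the RFC raises about the fix being incomplete.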
Thread overview: 5+ messages
2024-06-02 12:24 Leon Hwang [this message]
2024-06-02 12:24 ` [RFC PATCH bpf-next 1/2] bpf: Fix updating attached freplace to PROG_ARRAY map Leon Hwang
2024-07-22 14:43 ` Leon Hwang
2024-07-22 23:53 ` Alexei Starovoitov
2024-06-02 12:24 ` [RFC PATCH bpf-next 2/2] selftests/bpf: Add testcase for updating attached freplace prog " Leon Hwang