From: Pu Lehui <pulehui@huawei.com>
To: Eduard Zingerman <eddyz87@gmail.com>,
Pu Lehui <pulehui@huaweicloud.com>, <bpf@vger.kernel.org>
Cc: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@fomichev.me>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>,
Alan Maguire <alan.maguire@oracle.com>
Subject: Re: [PATCH bpf] bpf: Fix invalid mem access when update_effective_progs fails in __cgroup_bpf_detach
Date: Mon, 10 Nov 2025 15:21:16 +0800 [thread overview]
Message-ID: <7a0110ae-c462-48e2-bc95-aa777d512a5e@huawei.com> (raw)
In-Reply-To: <6a8bb167-17af-471d-aaaa-9219a7c41583@huaweicloud.com>
On 2025/11/6 10:14, Pu Lehui wrote:
>
>
> On 2025/11/6 7:33, Eduard Zingerman wrote:
>> On Wed, 2025-11-05 at 10:03 +0000, Pu Lehui wrote:
>>> From: Pu Lehui <pulehui@huawei.com>
>>>
>>> Syzkaller triggers an invalid memory access issue following fault
>>> injection in update_effective_progs. The issue can be described as
>>> follows:
>>>
>>> __cgroup_bpf_detach
>>> update_effective_progs
>>> compute_effective_progs
>>> bpf_prog_array_alloc <-- fault inject
>>> purge_effective_progs
>>> /* change to dummy_bpf_prog */
>>> array->items[index] = &dummy_bpf_prog.prog
>>>
>>> ---softirq start---
>>> __do_softirq
>>> ...
>>> __cgroup_bpf_run_filter_skb
>>> __bpf_prog_run_save_cb
>>> bpf_prog_run
>>> stats = this_cpu_ptr(prog->stats)
>>> /* invalid memory access */
>>> flags = u64_stats_update_begin_irqsave(&stats->syncp)
>>> ---softirq end---
>>>
>>> static_branch_dec(&cgroup_bpf_enabled_key[atype])
>>>
>>> The reason is that fault injection makes update_effective_progs fail,
>>> after which purge_effective_progs replaces the original prog with
>>> dummy_bpf_prog.prog. When a softirq then runs the prog array, it
>>> dereferences members of dummy_bpf_prog.prog (here prog->stats) and
>>> triggers the invalid memory access.
>>>
>>> To fix it, skip executing a prog when it is dummy_bpf_prog.prog.
>>>
>>> Fixes: 4c46091ee985 ("bpf: Fix KASAN use-after-free Read in compute_effective_progs")
>>> Signed-off-by: Pu Lehui <pulehui@huawei.com>
>>
>> Is there a link to the syzkaller report?
>
>
> Hi Eduard,
>
> This is a local syzkaller test, and I have attached the report at the
> end of the email.
>
>>
>> [...]
>>
>>> diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
>>> index 248f517d66d0..baad33b34cef 100644
>>> --- a/kernel/bpf/cgroup.c
>>> +++ b/kernel/bpf/cgroup.c
>>> @@ -77,7 +77,9 @@ bpf_prog_run_array_cg(const struct cgroup_bpf *cgrp,
>>> item = &array->items[0];
>>> old_run_ctx = bpf_set_run_ctx(&run_ctx.run_ctx);
>>> while ((prog = READ_ONCE(item->prog))) {
>>> - run_ctx.prog_item = item;
>>> + run_ctx.prog_item = item++;
>>> + if (prog == &dummy_bpf_prog.prog)
>>> + continue;
>>
>> Will the following fix the issue?
>>
>> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
>> index d595fe512498..c7c9c78f171a 100644
>> --- a/kernel/bpf/core.c
>> +++ b/kernel/bpf/core.c
>> @@ -2536,11 +2536,14 @@ static unsigned int __bpf_prog_ret1(const void *ctx,
>> return 1;
>> }
>>
>> +DEFINE_PER_CPU(struct bpf_prog_stats, __dummy_stats);
>> +
>> static struct bpf_prog_dummy {
>> struct bpf_prog prog;
>> } dummy_bpf_prog = {
>> .prog = {
>> .bpf_func = __bpf_prog_ret1,
>> + .stats = &__dummy_stats,
>> },
>> };
>>
>> Or is that too much memory wasted?
>
> On a 160-core system, this dummy would waste about 5 KB.
>
> Also, this solution does not suit 5.10 and older LTS kernels, where
> bpf_prog_stats is embedded in struct bpf_prog_aux: the dummy prog's
> aux pointer is NULL at this point, so touching the stats would
> trigger a null pointer dereference.
Hi Eduard,

I've reviewed the kernel's existing use of static per-CPU variables and
believe 32 bytes per core is not significant overhead. A similar approach
can also be applied to the older kernels. I've sent v2 based on your
suggestion:
https://lore.kernel.org/bpf/20251110071714.4069712-1-pulehui@huaweicloud.com/

Thanks.
Thread overview:
2025-11-05 10:03 [PATCH bpf] bpf: Fix invalid mem access when update_effective_progs fails in __cgroup_bpf_detach Pu Lehui
2025-11-05 23:33 ` Eduard Zingerman
2025-11-06 2:14 ` Pu Lehui
2025-11-10 7:21 ` Pu Lehui [this message]