* [PATCH bpf v2] bpf: Fix invalid mem access when update_effective_progs fails in __cgroup_bpf_detach
From: Pu Lehui @ 2025-11-10 7:17 UTC (permalink / raw)
To: Eduard Zingerman, bpf
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Alan Maguire,
Pu Lehui, Pu Lehui
From: Pu Lehui <pulehui@huawei.com>
Syzkaller triggers an invalid memory access issue following fault
injection in update_effective_progs. The issue can be described as
follows:

__cgroup_bpf_detach
  update_effective_progs
    compute_effective_progs
      bpf_prog_array_alloc <-- fault inject
    purge_effective_progs
      /* change to dummy_bpf_prog */
      array->items[index] = &dummy_bpf_prog.prog

  ---softirq start---
  __do_softirq
    ...
    __cgroup_bpf_run_filter_skb
      __bpf_prog_run_save_cb
        bpf_prog_run
          stats = this_cpu_ptr(prog->stats)
          /* invalid memory access */
          flags = u64_stats_update_begin_irqsave(&stats->syncp)
  ---softirq end---

  static_branch_dec(&cgroup_bpf_enabled_key[atype])

The reason is that fault injection caused update_effective_progs to fail
and then changed the original prog into dummy_bpf_prog.prog in
purge_effective_progs. Then a softirq came, and accessing the stats of
dummy_bpf_prog.prog in the softirq triggers an invalid mem access.

To fix it, we can use static per-cpu variables to initialize the stats
of dummy_bpf_prog.prog.
Fixes: 4c46091ee985 ("bpf: Fix KASAN use-after-free Read in compute_effective_progs")
Signed-off-by: Pu Lehui <pulehui@huawei.com>
---
v2:
- Use static per-cpu variables to initialize the stats of
  dummy_bpf_prog.prog suggested by Eduard.

v1: https://lore.kernel.org/all/20251105100302.2968475-1-pulehui@huaweicloud.com
kernel/bpf/core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index d595fe512498..c7c9c78f171a 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -2536,11 +2536,14 @@ static unsigned int __bpf_prog_ret1(const void *ctx,
return 1;
}
+DEFINE_PER_CPU(struct bpf_prog_stats, __dummy_stats);
+
static struct bpf_prog_dummy {
struct bpf_prog prog;
} dummy_bpf_prog = {
.prog = {
.bpf_func = __bpf_prog_ret1,
+ .stats = &__dummy_stats,
},
};
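Review bot: the added "DEFINE_PER_CPU(struct bpf_prog_stats, __dummy_stats);" gives __dummy_stats external linkage even though its only user is the file-local "static struct bpf_prog_dummy ... dummy_bpf_prog" initializer two lines below ("+ .stats = &__dummy_stats,"); nothing outside kernel/bpf/core.c needs the symbol, and sparse will ask for the generated per-cpu scope symbol to be static. Suggest "static DEFINE_PER_CPU(struct bpf_prog_stats, __dummy_stats);" so the storage has the same visibility as the dummy program that points at it.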
--
2.34.1
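The sequence in the commit message, written as an added userspace model rather than kernel code (this is not part of the patch or the kernel tree): per-cpu storage is modelled as an array indexed by a plain cpu number, the "softirq" is a direct call, and prog_run(), purge_slot() and detach_then_softirq() are constructed names. The unfixed dummy program has a NULL stats base exactly as a zero-filled static initializer leaves it; the fixed one points at static backing storage, which is the shape of the patch's change. The model reports the bad dereference as -1 instead of faulting so the difference is observable.

```c
/* Userspace model of the dummy-program lifetime problem described in the
 * patch above. Added illustration, not kernel code: "cpu" is a plain index,
 * per-cpu storage is a fixed array, and the "softirq" is a direct call. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NR_CPUS 4

struct prog_stats {
    uint64_t cnt;          /* number of runs recorded on this cpu */
};

struct prog {
    unsigned int (*bpf_func)(const void *ctx);
    struct prog_stats *stats;   /* base of NR_CPUS entries, or NULL */
};

static unsigned int ret1(const void *ctx) { (void)ctx; return 1; }

/* Before the patch: the dummy's static initializer leaves .stats zero,
 * so any run that touches stats dereferences a NULL per-cpu base. */
static struct prog dummy_unfixed = { .bpf_func = ret1 };

/* After the patch: backing storage exists for every cpu. */
static struct prog_stats dummy_stats[NR_CPUS];
static struct prog dummy_fixed = { .bpf_func = ret1, .stats = dummy_stats };

/* Models bpf_prog_run(): returns -1 instead of faulting when the stats
 * pointer has no backing storage, so the defect is observable here. */
static int prog_run(struct prog *p, unsigned int cpu, const void *ctx)
{
    if (p->stats == NULL)
        return -1;              /* the invalid memory access in the report */
    p->stats[cpu].cnt++;        /* stand-in for the u64_stats update */
    return (int)p->bpf_func(ctx);
}

/* Models purge_effective_progs() on the failure path of
 * update_effective_progs(): the slot is swapped to the dummy instead of
 * the array being rebuilt, so concurrent readers keep a runnable entry. */
static void purge_slot(struct prog **array, size_t idx, struct prog *dummy)
{
    array[idx] = dummy;
}

/* Drives the commit-message sequence: detach fails and purges slot 1,
 * then a "softirq" runs every array entry on the given cpu. Returns the
 * number of successful runs, or -1 if any run hit a NULL stats base. */
static int detach_then_softirq(struct prog *dummy, unsigned int cpu)
{
    static struct prog_stats real_stats[NR_CPUS];
    struct prog real = { .bpf_func = ret1, .stats = real_stats };
    struct prog *array[2] = { &real, &real };
    int ok = 0;

    purge_slot(array, 1, dummy);      /* detach of slot 1 fell back to dummy */
    for (size_t i = 0; i < 2; i++) {
        if (prog_run(array[i], cpu, NULL) < 0)
            return -1;
        ok++;
    }
    return ok;
}

/* Reads back what the fixed dummy recorded, to show the per-cpu storage
 * is really written by runs that land on the purged slot. */
static uint64_t dummy_runs_on_cpu(unsigned int cpu)
{
    return dummy_stats[cpu].cnt;
}

int main(void)
{
    printf("unfixed dummy: %d\n", detach_then_softirq(&dummy_unfixed, 0));
    printf("fixed dummy:   %d\n", detach_then_softirq(&dummy_fixed, 0));
    printf("dummy stats on cpu0: %llu\n",
           (unsigned long long)dummy_runs_on_cpu(0));
    return 0;
}
```

The point the model makes is an invariant rather than a line of code: anything an effective program array can point at must be fully runnable, stats included, because the detach path cannot stop readers that are already iterating the array in softirq context, and the fallback dummy is reachable exactly when the array could not be rebuilt.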
* Re: [PATCH bpf v2] bpf: Fix invalid mem access when update_effective_progs fails in __cgroup_bpf_detach
From: Pu Lehui @ 2025-11-10 9:27 UTC (permalink / raw)
To: Pu Lehui, Eduard Zingerman, bpf
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Alan Maguire
CI reports the following warning, and I've posted a new version [0]. Sorry
for the noise.

warning: symbol '__pcpu_scope___dummy_stats' was not declared. Should it
be static?

[0] https://lore.kernel.org/bpf/20251110092536.4082324-1-pulehui@huaweicloud.com/
On 2025/11/10 15:17, Pu Lehui wrote:
> From: Pu Lehui <pulehui@huawei.com>
>
> Syzkaller triggers an invalid memory access issue following fault
> injection in update_effective_progs. The issue can be described as
> follows:
>
> __cgroup_bpf_detach
>   update_effective_progs
>     compute_effective_progs
>       bpf_prog_array_alloc <-- fault inject
>     purge_effective_progs
>       /* change to dummy_bpf_prog */
>       array->items[index] = &dummy_bpf_prog.prog
>
>   ---softirq start---
>   __do_softirq
>     ...
>     __cgroup_bpf_run_filter_skb
>       __bpf_prog_run_save_cb
>         bpf_prog_run
>           stats = this_cpu_ptr(prog->stats)
>           /* invalid memory access */
>           flags = u64_stats_update_begin_irqsave(&stats->syncp)
>   ---softirq end---
>
>   static_branch_dec(&cgroup_bpf_enabled_key[atype])
>
> The reason is that fault injection caused update_effective_progs to fail
> and then changed the original prog into dummy_bpf_prog.prog in
> purge_effective_progs. Then a softirq came, and accessing the stats of
> dummy_bpf_prog.prog in the softirq triggers an invalid mem access.
>
> To fix it, we can use static per-cpu variables to initialize the stats
> of dummy_bpf_prog.prog.
>
> Fixes: 4c46091ee985 ("bpf: Fix KASAN use-after-free Read in compute_effective_progs")
> Signed-off-by: Pu Lehui <pulehui@huawei.com>
> ---
> v2:
> - Use static per-cpu variables to initialize the stats of
> dummy_bpf_prog.prog suggested by Eduard.
>
> v1: https://lore.kernel.org/all/20251105100302.2968475-1-pulehui@huaweicloud.com
>
> kernel/bpf/core.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
> index d595fe512498..c7c9c78f171a 100644
> --- a/kernel/bpf/core.c
> +++ b/kernel/bpf/core.c
> @@ -2536,11 +2536,14 @@ static unsigned int __bpf_prog_ret1(const void *ctx,
> return 1;
> }
>
> +DEFINE_PER_CPU(struct bpf_prog_stats, __dummy_stats);
> +
> static struct bpf_prog_dummy {
> struct bpf_prog prog;
> } dummy_bpf_prog = {
> .prog = {
> .bpf_func = __bpf_prog_ret1,
> + .stats = &__dummy_stats,
> },
> };
>