[PATCH AUTOSEL 5.12 12/43] bpf: Add deny list of btf ids check for tracing programs

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jiri Olsa <jolsa@kernel.org>, Alexei Starovoitov <ast@kernel.org>,
	Sasha Levin <sashal@kernel.org>,
	netdev@vger.kernel.org, bpf@vger.kernel.org
Subject: [PATCH AUTOSEL 5.12 12/43] bpf: Add deny list of btf ids check for tracing programs
Date: Thu,  3 Jun 2021 13:07:02 -0400	[thread overview]
Message-ID: <20210603170734.3168284-12-sashal@kernel.org> (raw)
In-Reply-To: <20210603170734.3168284-1-sashal@kernel.org>

From: Jiri Olsa <jolsa@kernel.org>

[ Upstream commit 35e3815fa8102fab4dee75f3547472c66581125d ]

The recursion check in __bpf_prog_enter and __bpf_prog_exit
leaves some (not inlined) functions unprotected:

In __bpf_prog_enter:
  - migrate_disable is called before prog->active is checked

In __bpf_prog_exit:
  - migrate_enable,rcu_read_unlock_strict are called after
    prog->active is decreased

When attaching trampoline to them we get panic like:

  traps: PANIC: double fault, error_code: 0x0
  double fault: 0000 [#1] SMP PTI
  RIP: 0010:__bpf_prog_enter+0x4/0x50
  ...
  Call Trace:
   <IRQ>
   bpf_trampoline_6442466513_0+0x18/0x1000
   migrate_disable+0x5/0x50
   __bpf_prog_enter+0x9/0x50
   bpf_trampoline_6442466513_0+0x18/0x1000
   migrate_disable+0x5/0x50
   __bpf_prog_enter+0x9/0x50
   bpf_trampoline_6442466513_0+0x18/0x1000
   migrate_disable+0x5/0x50
   __bpf_prog_enter+0x9/0x50
   bpf_trampoline_6442466513_0+0x18/0x1000
   migrate_disable+0x5/0x50
   ...

Fixing this by adding deny list of btf ids for tracing
programs and checking btf id during program verification.
Adding above functions to this list.

Suggested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20210429114712.43783-1-jolsa@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/bpf/verifier.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 21247e49fe82..99d13c29af7f 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -12556,6 +12556,17 @@ int bpf_check_attach_target(struct bpf_verifier_log *log,
 	return 0;
 }
 
+BTF_SET_START(btf_id_deny)
+BTF_ID_UNUSED
+#ifdef CONFIG_SMP
+BTF_ID(func, migrate_disable)
+BTF_ID(func, migrate_enable)
+#endif
+#if !defined CONFIG_PREEMPT_RCU && !defined CONFIG_TINY_RCU
+BTF_ID(func, rcu_read_unlock_strict)
+#endif
+BTF_SET_END(btf_id_deny)
+
 static int check_attach_btf_id(struct bpf_verifier_env *env)
 {
 	struct bpf_prog *prog = env->prog;
@@ -12615,6 +12626,9 @@ static int check_attach_btf_id(struct bpf_verifier_env *env)
 		ret = bpf_lsm_verify_prog(&env->log, prog);
 		if (ret < 0)
 			return ret;
+	} else if (prog->type == BPF_PROG_TYPE_TRACING &&
+		   btf_id_set_contains(&btf_id_deny, btf_id)) {
+		return -EINVAL;
 	}
 
 	key = bpf_trampoline_compute_key(tgt_prog, prog->aux->attach_btf, btf_id);
-- 
2.30.2

next prev parent reply	other threads:[~2021-06-03 17:08 UTC|newest]

Thread overview: 53+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-06-03 17:06 [PATCH AUTOSEL 5.12 01/43] ASoC: max98088: fix ni clock divider calculation Sasha Levin
2021-06-03 17:06 ` [PATCH AUTOSEL 5.12 02/43] ASoC: amd: fix for pcm_read() error Sasha Levin
2021-06-03 17:06 ` [PATCH AUTOSEL 5.12 03/43] spi: Fix spi device unregister flow Sasha Levin
2021-06-06 11:10   ` Lukas Wunner
2021-06-10 17:55     ` Sasha Levin
2021-06-10 19:22       ` Saravana Kannan
2021-06-10 19:26         ` Lukas Wunner
2021-06-10 19:30           ` Saravana Kannan
2021-06-10 22:29             ` Lukas Wunner
2021-06-10 23:01               ` Saravana Kannan
2021-06-03 17:06 ` [PATCH AUTOSEL 5.12 04/43] spi: spi-zynq-qspi: Fix stack violation bug Sasha Levin
2021-06-03 17:06 ` [PATCH AUTOSEL 5.12 05/43] bpf: Forbid trampoline attach for functions with variable arguments Sasha Levin
2021-06-03 17:06 ` [PATCH AUTOSEL 5.12 06/43] ASoC: codecs: lpass-rx-macro: add missing MODULE_DEVICE_TABLE Sasha Levin
2021-06-03 17:06 ` [PATCH AUTOSEL 5.12 07/43] ASoC: codecs: lpass-tx-macro: " Sasha Levin
2021-06-03 17:06 ` [PATCH AUTOSEL 5.12 08/43] net/nfc/rawsock.c: fix a permission check bug Sasha Levin
2021-06-03 17:06 ` [PATCH AUTOSEL 5.12 09/43] usb: cdns3: Fix runtime PM imbalance on error Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 10/43] ASoC: Intel: bytcr_rt5640: Add quirk for the Glavey TM800A550L tablet Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 11/43] ASoC: Intel: bytcr_rt5640: Add quirk for the Lenovo Miix 3-830 tablet Sasha Levin
2021-06-03 17:07 ` Sasha Levin [this message]
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 13/43] vfio-ccw: Reset FSM state to IDLE inside FSM Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 14/43] vfio-ccw: Serialize FSM IDLE state with I/O completion Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 15/43] ASoC: sti-sas: add missing MODULE_DEVICE_TABLE Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 16/43] spi: sprd: Add " Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 17/43] usb: chipidea: udc: assign interrupt number to USB gadget structure Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 18/43] isdn: mISDN: netjet: Fix crash in nj_probe: Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 19/43] bonding: init notify_work earlier to avoid uninitialized use Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 20/43] netlink: disable IRQs for netlink_lock_table() Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 21/43] net: mdiobus: get rid of a BUG_ON() Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 22/43] cgroup: disable controllers at parse time Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 23/43] wq: handle VM suspension in stall detection Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 24/43] net/qla3xxx: fix schedule while atomic in ql_sem_spinlock Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 25/43] RDS tcp loopback connection can hang Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 26/43] net:sfc: fix non-freed irq in legacy irq mode Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 27/43] scsi: bnx2fc: Return failure if io_req is already in ABTS processing Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 28/43] scsi: vmw_pvscsi: Set correct residual data length Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 29/43] scsi: hisi_sas: Drop free_irq() of devm_request_irq() allocated irq Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 30/43] scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 31/43] net: macb: ensure the device is available before accessing GEMGXL control registers Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 32/43] net: appletalk: cops: Fix data race in cops_probe1 Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 33/43] net: dsa: microchip: enable phy errata workaround on 9567 Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 34/43] Makefile: LTO: have linker check -Wframe-larger-than Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 35/43] nvme-fabrics: decode host pathing error for connect Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 36/43] MIPS: Fix kernel hang under FUNCTION_GRAPH_TRACER and PREEMPT_TRACER Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 37/43] bpf, selftests: Adjust few selftest result_unpriv outcomes Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 38/43] dm verity: fix require_signatures module_param permissions Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 39/43] bnx2x: Fix missing error code in bnx2x_iov_init_one() Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 40/43] nvme-tcp: remove incorrect Kconfig dep in BLK_DEV_NVME Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 41/43] nvmet: fix false keep-alive timeout when a controller is torn down Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 42/43] powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P2041 i2c controllers Sasha Levin
2021-06-04  0:42   ` Michael Ellerman
2021-06-04  0:58     ` Chris Packham
2021-06-10 22:00       ` Sasha Levin
2021-06-03 17:07 ` [PATCH AUTOSEL 5.12 43/43] powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P1010 " Sasha Levin

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:21247e49fe8 dfblob:99d13c29af7 )
 OR (
bs:"[PATCH AUTOSEL 5.12 12/43] bpf: Add deny list of btf ids check for tracing programs" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210603170734.3168284-12-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=jolsa@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox