From: Sasha Levin <sashal@kernel.org>
To: Stanislav Fomichev <sdf@google.com>
Cc: stable@vger.kernel.org, Yonghong Song <yhs@fb.com>,
Alexei Starovoitov <ast@kernel.org>, Roman Gushchin <guro@fb.com>
Subject: Re: [PATCH 5.10.y] bpf: Fix NULL pointer dereference in bpf_get_local_storage() helper
Date: Thu, 26 Aug 2021 14:30:50 -0400 [thread overview]
Message-ID: <YSfd2tZll1We6vse@sashalap> (raw)
In-Reply-To: <552c822eac5fb168f94570056ccd8a4b790db2bf.1629740134.git.sdf@google.com>
On Mon, Aug 23, 2021 at 10:36:46AM -0700, Stanislav Fomichev wrote:
>From: Yonghong Song <yhs@fb.com>
>
>commit b910eaaaa4b89976ef02e5d6448f3f73dc671d91 upstream.
>
>Jiri Olsa reported a bug ([1]) in kernel where cgroup local
>storage pointer may be NULL in bpf_get_local_storage() helper.
>There are two issues uncovered by this bug:
> (1). kprobe or tracepoint prog incorrectly sets cgroup local storage
> before prog run,
> (2). due to change from preempt_disable to migrate_disable,
> preemption is possible and percpu storage might be overwritten
> by other tasks.
>
>This issue (1) is fixed in [2]. This patch tried to address issue (2).
>The following shows how things can go wrong:
> task 1: bpf_cgroup_storage_set() for percpu local storage
> preemption happens
> task 2: bpf_cgroup_storage_set() for percpu local storage
> preemption happens
> task 1: run bpf program
>
>task 1 will effectively use the percpu local storage setting by task 2
>which will be either NULL or incorrect ones.
>
>Instead of just one common local storage per cpu, this patch fixed
>the issue by permitting 8 local storages per cpu and each local
>storage is identified by a task_struct pointer. This way, we
>allow at most 8 nested preemption between bpf_cgroup_storage_set()
>and bpf_cgroup_storage_unset(). The percpu local storage slot
>is released (calling bpf_cgroup_storage_unset()) by the same task
>after bpf program finished running.
>bpf_test_run() is also fixed to use the new bpf_cgroup_storage_set()
>interface.
>
>The patch is tested on top of [2] with reproducer in [1].
>Without this patch, kernel will emit error in 2-3 minutes.
>With this patch, after one hour, still no error.
>
> [1] https://lore.kernel.org/bpf/CAKH8qBuXCfUz=w8L+Fj74OaUpbosO29niYwTki7e3Ag044_aww@mail.gmail.com/T
> [2] https://lore.kernel.org/bpf/20210309185028.3763817-1-yhs@fb.com
>
>Signed-off-by: Yonghong Song <yhs@fb.com>
>Signed-off-by: Alexei Starovoitov <ast@kernel.org>
>Acked-by: Roman Gushchin <guro@fb.com>
>Link: https://lore.kernel.org/bpf/20210323055146.3334476-1-yhs@fb.com
>Cc: <stable@vger.kernel.org> # 5.10.x
>Change-Id: I0bff719d0bfbaa819316de26391b4b2e4e60faed
>Signed-off-by: Stanislav Fomichev <sdf@google.com>
Queued up, thanks!
--
Thanks,
Sasha
prev parent reply other threads:[~2021-08-26 18:30 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-23 17:36 [PATCH 5.10.y] bpf: Fix NULL pointer dereference in bpf_get_local_storage() helper Stanislav Fomichev
2021-08-26 18:30 ` Sasha Levin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YSfd2tZll1We6vse@sashalap \
--to=sashal@kernel.org \
--cc=ast@kernel.org \
--cc=guro@fb.com \
--cc=sdf@google.com \
--cc=stable@vger.kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox