diff options
| author | Jiri Olsa <jolsa@kernel.org> | 2023-12-06 09:30:40 +0100 | 
|---|---|---|
| committer | Daniel Borkmann <daniel@iogearbox.net> | 2023-12-06 22:40:16 +0100 | 
| commit | 4b7de801606e504e69689df71475d27e35336fb3 (patch) | |
| tree | 1ab3b1d4f0d0bad6e845121d2cee745cb32d064e /lib/netdev-notifier-error-inject.c | |
| parent | e4d008d49a7135214e0ee70537405b6a069e3a3f (diff) | |
bpf: Fix prog_array_map_poke_run map poke update
Lee pointed out issue found by syscaller [0] hitting BUG in prog array
map poke update in prog_array_map_poke_run function due to error value
returned from bpf_arch_text_poke function.
There's race window where bpf_arch_text_poke can fail due to missing
bpf program kallsym symbols, which is accounted for with check for
-EINVAL in that BUG_ON call.
The problem is that in such case we won't update the tail call jump
and cause imbalance for the next tail call update check which will
fail with -EBUSY in bpf_arch_text_poke.
I'm hitting following race during the program load:
  CPU 0                             CPU 1
  bpf_prog_load
    bpf_check
      do_misc_fixups
        prog_array_map_poke_track
                                    map_update_elem
                                      bpf_fd_array_map_update_elem
                                        prog_array_map_poke_run
                                          bpf_arch_text_poke returns -EINVAL
    bpf_prog_kallsyms_add
After bpf_arch_text_poke (CPU 1) fails to update the tail call jump, the next
poke update fails on expected jump instruction check in bpf_arch_text_poke
with -EBUSY and triggers the BUG_ON in prog_array_map_poke_run.
Similar race exists on the program unload.
Fixing this by moving the update to bpf_arch_poke_desc_update function which
makes sure we call __bpf_arch_text_poke that skips the bpf address check.
Each architecture has slightly different approach wrt looking up bpf address
in bpf_arch_text_poke, so instead of splitting the function or adding new
'checkip' argument in previous version, it seems best to move the whole
map_poke_run update as arch specific code.
  [0] https://syzkaller.appspot.com/bug?extid=97a4fe20470e9bc30810
Fixes: ebf7d1f508a7 ("bpf, x64: rework pro/epilogue and tailcall handling in JIT")
Reported-by: syzbot+97a4fe20470e9bc30810@syzkaller.appspotmail.com
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Cc: Lee Jones <lee@kernel.org>
Cc: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Link: https://lore.kernel.org/bpf/20231206083041.1306660-2-jolsa@kernel.org
Diffstat (limited to 'lib/netdev-notifier-error-inject.c')
0 files changed, 0 insertions, 0 deletions
