mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-30 14:19:16 +00:00
Code Issues Releases Wiki Activity
linux-stable/include
History
Jiri Olsa 13578b4ea4 bpf: Fix prog_array_map_poke_run map poke update 
commit 4b7de80160 upstream.

Lee pointed out issue found by syscaller [0] hitting BUG in prog array
map poke update in prog_array_map_poke_run function due to error value
returned from bpf_arch_text_poke function.

There's race window where bpf_arch_text_poke can fail due to missing
bpf program kallsym symbols, which is accounted for with check for
-EINVAL in that BUG_ON call.

The problem is that in such case we won't update the tail call jump
and cause imbalance for the next tail call update check which will
fail with -EBUSY in bpf_arch_text_poke.

I'm hitting following race during the program load:

  CPU 0                             CPU 1

  bpf_prog_load
    bpf_check
      do_misc_fixups
        prog_array_map_poke_track

                                    map_update_elem
                                      bpf_fd_array_map_update_elem
                                        prog_array_map_poke_run

                                          bpf_arch_text_poke returns -EINVAL

    bpf_prog_kallsyms_add

After bpf_arch_text_poke (CPU 1) fails to update the tail call jump, the next
poke update fails on expected jump instruction check in bpf_arch_text_poke
with -EBUSY and triggers the BUG_ON in prog_array_map_poke_run.

Similar race exists on the program unload.

Fixing this by moving the update to bpf_arch_poke_desc_update function which
makes sure we call __bpf_arch_text_poke that skips the bpf address check.

Each architecture has slightly different approach wrt looking up bpf address
in bpf_arch_text_poke, so instead of splitting the function or adding new
'checkip' argument in previous version, it seems best to move the whole
map_poke_run update as arch specific code.

  [0] https://syzkaller.appspot.com/bug?extid=97a4fe20470e9bc30810

Fixes: ebf7d1f508 ("bpf, x64: rework pro/epilogue and tailcall handling in JIT")
Reported-by: syzbot+97a4fe20470e9bc30810@syzkaller.appspotmail.com
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Cc: Lee Jones <lee@kernel.org>
Cc: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Link: https://lore.kernel.org/bpf/20231206083041.1306660-2-jolsa@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-01-05 15:13:40 +01:00
..
acpi ACPI: utils: Fix acpi_evaluate_dsm_typed() redefinition error 2023-07-23 13:47:18 +02:00
asm-generic asm-generic: qspinlock: fix queued_spin_value_unlocked() implementation 2023-12-20 15:17:40 +01:00
clocksource
crypto crypto: api - Use work queue in crypto_destroy_instance 2023-09-19 12:22:33 +02:00
drm drm/mipi-dsi: Create devm device attachment 2023-11-20 11:08:19 +01:00
dt-bindings
keys KEYS: trusted: allow use of kernel RNG for key material 2023-10-19 23:05:33 +02:00
kunit
kvm
linux bpf: Fix prog_array_map_poke_run map poke update 2024-01-05 15:13:40 +01:00
math-emu
media media: v4l2-mem2mem: add lock to protect parameter num_rdy 2023-08-26 14:23:23 +02:00
memory
misc
net Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE 2024-01-05 15:13:34 +01:00
pcmcia
ras
rdma RDMA/core: Fix umem iterator when PAGE_SIZE is greater then HCA pgsz 2023-12-13 18:36:40 +01:00
scsi scsi: core: Rename scsi_mq_done() into scsi_done() and export it 2023-10-19 23:05:32 +02:00
soc
sound ASoC: soc-card: Add storage for PCI SSID 2023-11-28 16:56:17 +00:00
target scsi: target: Fix multiple LUN_RESET handling 2023-05-11 23:00:26 +09:00
trace afs: Use refcount_t rather than atomic_t 2024-01-05 15:13:30 +01:00
uapi perf/core: Add a new read format to get a number of lost samples 2023-12-13 18:36:47 +01:00
vdso
video
xen ACPI: processor: Fix evaluating _PDC method when running as Xen dom0 2023-05-11 23:00:22 +09:00