linux-stable/kernel/bpf
Marco Elver 4dcfd93603 bpf_lru_list: Read double-checked variable once without lock
[ Upstream commit 6df8fb8330 ]

For double-checked locking in bpf_common_lru_push_free(), node->type is
read outside the critical section and then re-checked under the lock.
However, concurrent writes to node->type result in data races.

For example, the following concurrent access was observed by KCSAN:

  write to 0xffff88801521bc22 of 1 bytes by task 10038 on cpu 1:
   __bpf_lru_node_move_in        kernel/bpf/bpf_lru_list.c:91
   __local_list_flush            kernel/bpf/bpf_lru_list.c:298
   ...
  read to 0xffff88801521bc22 of 1 bytes by task 10043 on cpu 0:
   bpf_common_lru_push_free      kernel/bpf/bpf_lru_list.c:507
   bpf_lru_push_free             kernel/bpf/bpf_lru_list.c:555
   ...

Fix the data races where node->type is read outside the critical section
(for double-checked locking) by marking the access with READ_ONCE() as
well as ensuring the variable is only accessed once.

Fixes: 3a08c2fd76 ("bpf: LRU List")
Reported-by: syzbot+3536db46dfa58c573458@syzkaller.appspotmail.com
Reported-by: syzbot+516acdb03d3e27d91bcd@syzkaller.appspotmail.com
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Link: https://lore.kernel.org/bpf/20210209112701.3341724-1-elver@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-03-04 10:26:16 +01:00
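The commit above fixes a double-checked locking pattern: node->type is read without the lock, a decision is made on it, and the real field is re-checked once the lock is held. The following userspace model, added here as an illustration and not the kernel's own code, shows the shape the fix arrives at (one READ_ONCE snapshot, branches on the snapshot, re-check under the lock). The list layout, the type names T_ACTIVE/T_PENDING/T_LOCAL_FREE/T_FREE, the counters and the `race` hook that stands in for another CPU are all simplifications invented for the example; the kernel's real structures and list handling are not reproduced.

```c
/*
 * Added example: userspace model of the double-checked locking pattern in
 * bpf_common_lru_push_free(). Not the kernel's code; all names below are
 * simplifications chosen for the illustration.
 */
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* Same idea as the kernel macros: exactly one volatile access, so the
 * compiler can neither merge two reads nor split one read into two. */
#define READ_ONCE(x)     (*(volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))

enum node_type   { T_ACTIVE, T_PENDING, T_LOCAL_FREE, T_FREE };     /* model only */
enum push_result { PUSH_REJECTED, PUSH_LOCAL_FREE, PUSH_GLOBAL_FREE };

struct local_list {
	atomic_flag lock;   /* stands in for loc_l->lock */
	int nfree;          /* nodes on the per-CPU free list */
};

struct node {
	uint8_t type;       /* written under loc->lock; read racily before it */
	struct local_list *loc;
};

static void ll_lock(struct local_list *l)
{
	while (atomic_flag_test_and_set_explicit(&l->lock, memory_order_acquire))
		;
}

static void ll_unlock(struct local_list *l)
{
	atomic_flag_clear_explicit(&l->lock, memory_order_release);
}

/* Results of the last scenario() run, so a caller can check the counters. */
static int g_local_free_count;
static int g_global_free_count;

/*
 * Fixed shape: node->type is read ONCE, without the lock, into a local
 * snapshot; every pre-lock decision branches on that snapshot; the real
 * field is re-checked only after the lock is held. Before the fix each
 * comparison read n->type directly, so the compiler was free to issue a
 * separate load per comparison and the checks could disagree with each
 * other when another CPU changed the field in between.
 * `race` models that other CPU acting between the snapshot and the lock.
 */
static enum push_result push_free_fixed(struct node *n, int *global_nfree,
					void (*race)(struct node *))
{
	uint8_t type = READ_ONCE(n->type);

	if (type == T_FREE || type == T_LOCAL_FREE)
		return PUSH_REJECTED;   /* double free; the kernel WARNs here */

	if (race)
		race(n);                /* window for a concurrent writer */

	if (type == T_PENDING) {
		ll_lock(n->loc);
		if (n->type != T_PENDING) {     /* re-check under the lock */
			ll_unlock(n->loc);
			goto global_list;
		}
		n->type = T_LOCAL_FREE;
		n->loc->nfree++;
		ll_unlock(n->loc);
		return PUSH_LOCAL_FREE;
	}

global_list:
	/* the global LRU list has its own lock in the kernel; modelled as a counter */
	WRITE_ONCE(n->type, T_FREE);
	(*global_nfree)++;
	return PUSH_GLOBAL_FREE;
}

/* Simulated concurrent writer: another CPU moves the node back to active. */
static void move_to_active(struct node *n)
{
	ll_lock(n->loc);
	WRITE_ONCE(n->type, T_ACTIVE);
	ll_unlock(n->loc);
}

/* Build fresh state, push one node of the given starting type, record counters. */
static enum push_result scenario(enum node_type start, void (*race)(struct node *))
{
	struct local_list ll = { ATOMIC_FLAG_INIT, 0 };
	struct node n = { .type = (uint8_t)start, .loc = &ll };
	int global_nfree = 0;
	enum push_result r = push_free_fixed(&n, &global_nfree, race);

	g_local_free_count = ll.nfree;
	g_global_free_count = global_nfree;
	return r;
}

int main(void)
{
	printf("pending, no race   -> %d\n", scenario(T_PENDING, NULL));
	printf("pending, raced     -> %d\n", scenario(T_PENDING, move_to_active));
	printf("active             -> %d\n", scenario(T_ACTIVE, NULL));
	printf("already free       -> %d\n", scenario(T_FREE, NULL));
	return 0;
}
```

The raced scenario is the path the re-check exists for: the snapshot says pending, the simulated writer flips the node to active before the lock is taken, and the re-check under the lock sends the node to the global list instead of the local free list. The single-read discipline matters because, with plain loads, the reject check and the pending check could each observe a different value of node->type; KCSAN reports exactly that kind of unmarked concurrent access, and READ_ONCE() is what tells both the compiler and the tool that the racy read is intentional.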
arraymap.c
bpf_lru_list.c bpf_lru_list: Read double-checked variable once without lock 2021-03-04 10:26:16 +01:00
bpf_lru_list.h
btf.c bpf: Explicitly memset some bpf info structures declared on the stack 2020-04-02 15:11:01 +02:00
cgroup.c bpf, cgroup: Fix problematic bounds check 2021-02-10 09:25:27 +01:00
core.c bpf: Don't rely on GCC __attribute__((optimize)) to disable GCSE 2020-11-18 19:20:26 +01:00
cpumap.c cpumap: Avoid warning when CONFIG_DEBUG_PER_CPU_MAPS is enabled 2020-05-02 08:48:51 +02:00
devmap.c devmap: Use bpf_map_area_alloc() for allocating hash buckets 2020-06-30 15:36:56 -04:00
disasm.c
disasm.h
hashtab.c bpf: Zero-fill re-used per-cpu map element 2020-11-18 19:20:26 +01:00
helpers.c bpf: Fix helper bpf_map_peek_elem_proto pointing to wrong callback 2021-01-23 15:57:56 +01:00
inode.c bpf: Fix a rcu warning for bpffs map pretty-print 2020-10-01 13:18:19 +02:00
local_storage.c
lpm_trie.c
Makefile bpf: Don't rely on GCC __attribute__((optimize)) to disable GCSE 2020-11-18 19:20:26 +01:00
map_in_map.c
map_in_map.h
offload.c
percpu_freelist.c
percpu_freelist.h
queue_stack_maps.c
reuseport_array.c
stackmap.c bpf: Check for integer overflow when using roundup_pow_of_two() 2021-02-17 10:35:16 +01:00
syscall.c bpf: sockmap: Require attach_bpf_fd when detaching a program 2020-08-07 09:34:02 +02:00
sysfs_btf.c bpf: Fix sysfs export of empty BTF section 2020-10-14 10:32:58 +02:00
tnum.c
verifier.c bpf: Fix truncation handling for mod32 dst reg wrt zero 2021-02-26 10:10:26 +01:00
xskmap.c