The documentation for find_vpid() clearly states:
"Must be called with the tasklist_lock or rcu_read_lock() held."
Presently we do neither.
Cc: Jiri Olsa <[email protected]>
Cc: Alexei Starovoitov <[email protected]>
Cc: Daniel Borkmann <[email protected]>
Cc: John Fastabend <[email protected]>
Cc: Andrii Nakryiko <[email protected]>
Cc: Martin KaFai Lau <[email protected]>
Cc: Song Liu <[email protected]>
Cc: Yonghong Song <[email protected]>
Cc: KP Singh <[email protected]>
Cc: Stanislav Fomichev <[email protected]>
Cc: Hao Luo <[email protected]>
Cc: [email protected]
Fixes: 41bdc4b40ed6f ("bpf: introduce bpf subcommand BPF_TASK_FD_QUERY")
Signed-off-by: Lee Jones <[email protected]>
---
v2 => v3:
* Changed strategy from find_get_pid() to rcu_read_{un}lock()
* Removed Jiri's Ack
v1 => v2:
* Commit log update - no code differences
kernel/bpf/syscall.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 69be1c612daa5..d5c77c021c043 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -4399,7 +4399,9 @@ static int bpf_task_fd_query(const union bpf_attr *attr,
if (attr->task_fd_query.flags != 0)
return -EINVAL;
+ rcu_read_lock();
task = get_pid_task(find_vpid(pid), PIDTYPE_PID);
+ rcu_read_unlock();
if (!task)
return -ENOENT;
--
2.37.2.789.g6183377224-goog
On Mon, 12 Sep 2022, Yonghong Song wrote:
> On 9/12/22 2:38 PM, Lee Jones wrote:
> > The documentation for find_vpid() clearly states:
> >
>
> No need for the above extra line.
The intentional blank formatting line?
The commit message would look worse without it.
Is this really a blocker?
> > "Must be called with the tasklist_lock or rcu_read_lock() held."
> >
> > Presently we do neither.
>
> Presently we do neither for find_vpid() instance in bpf_task_fd_query().
> Add proper rcu_read_lock/unlock() to fix the issue.
I can expand this.
> > Cc: Jiri Olsa <[email protected]>
> > Cc: Alexei Starovoitov <[email protected]>
> > Cc: Daniel Borkmann <[email protected]>
> > Cc: John Fastabend <[email protected]>
> > Cc: Andrii Nakryiko <[email protected]>
> > Cc: Martin KaFai Lau <[email protected]>
> > Cc: Song Liu <[email protected]>
> > Cc: Yonghong Song <[email protected]>
> > Cc: KP Singh <[email protected]>
> > Cc: Stanislav Fomichev <[email protected]>
> > Cc: Hao Luo <[email protected]>
> > Cc: [email protected]
> > Fixes: 41bdc4b40ed6f ("bpf: introduce bpf subcommand BPF_TASK_FD_QUERY")
> > Signed-off-by: Lee Jones <[email protected]>
>
> Ack with above a few suggestions for the commit message.
>
> Acked-by: Yonghong Song <[email protected]>
--
Lee Jones [李琼斯]
On 9/12/22 2:38 PM, Lee Jones wrote:
> The documentation for find_vpid() clearly states:
>
No need for the above extra line.
> "Must be called with the tasklist_lock or rcu_read_lock() held."
>
> Presently we do neither.
Presently we do neither for find_vpid() instance in bpf_task_fd_query().
Add proper rcu_read_lock/unlock() to fix the issue.
>
> Cc: Jiri Olsa <[email protected]>
> Cc: Alexei Starovoitov <[email protected]>
> Cc: Daniel Borkmann <[email protected]>
> Cc: John Fastabend <[email protected]>
> Cc: Andrii Nakryiko <[email protected]>
> Cc: Martin KaFai Lau <[email protected]>
> Cc: Song Liu <[email protected]>
> Cc: Yonghong Song <[email protected]>
> Cc: KP Singh <[email protected]>
> Cc: Stanislav Fomichev <[email protected]>
> Cc: Hao Luo <[email protected]>
> Cc: [email protected]
> Fixes: 41bdc4b40ed6f ("bpf: introduce bpf subcommand BPF_TASK_FD_QUERY")
> Signed-off-by: Lee Jones <[email protected]>
Ack with above a few suggestions for the commit message.
Acked-by: Yonghong Song <[email protected]>
On 9/12/22 4:14 PM, Lee Jones wrote:
> On Mon, 12 Sep 2022, Yonghong Song wrote:
>> On 9/12/22 2:38 PM, Lee Jones wrote:
>>> The documentation for find_vpid() clearly states:
>>>
>>
>> No need for the above extra line.
>
> The intentional blank formatting line?
>
> The commit message would look worse without it.
>
> Is this really a blocker?
Not a blocker. Just a suggestion. I won't enforce it
if you do have this extra line.
>
>>> "Must be called with the tasklist_lock or rcu_read_lock() held."
>>>
>>> Presently we do neither.
>>
>> Presently we do neither for find_vpid() instance in bpf_task_fd_query().
>> Add proper rcu_read_lock/unlock() to fix the issue.
>
> I can expand this.
>
>>> Cc: Jiri Olsa <[email protected]>
>>> Cc: Alexei Starovoitov <[email protected]>
>>> Cc: Daniel Borkmann <[email protected]>
>>> Cc: John Fastabend <[email protected]>
>>> Cc: Andrii Nakryiko <[email protected]>
>>> Cc: Martin KaFai Lau <[email protected]>
>>> Cc: Song Liu <[email protected]>
>>> Cc: Yonghong Song <[email protected]>
>>> Cc: KP Singh <[email protected]>
>>> Cc: Stanislav Fomichev <[email protected]>
>>> Cc: Hao Luo <[email protected]>
>>> Cc: [email protected]
>>> Fixes: 41bdc4b40ed6f ("bpf: introduce bpf subcommand BPF_TASK_FD_QUERY")
>>> Signed-off-by: Lee Jones <[email protected]>
>>
>> Ack with above a few suggestions for the commit message.
>>
>> Acked-by: Yonghong Song <[email protected]>
>
Hello:
This patch was applied to bpf/bpf.git (master)
by Daniel Borkmann <[email protected]>:
On Mon, 12 Sep 2022 14:38:55 +0100 you wrote:
> The documentation for find_vpid() clearly states:
>
> "Must be called with the tasklist_lock or rcu_read_lock() held."
>
> Presently we do neither.
>
> Cc: Jiri Olsa <[email protected]>
> Cc: Alexei Starovoitov <[email protected]>
> Cc: Daniel Borkmann <[email protected]>
> Cc: John Fastabend <[email protected]>
> Cc: Andrii Nakryiko <[email protected]>
> Cc: Martin KaFai Lau <[email protected]>
> Cc: Song Liu <[email protected]>
> Cc: Yonghong Song <[email protected]>
> Cc: KP Singh <[email protected]>
> Cc: Stanislav Fomichev <[email protected]>
> Cc: Hao Luo <[email protected]>
> Cc: [email protected]
> Fixes: 41bdc4b40ed6f ("bpf: introduce bpf subcommand BPF_TASK_FD_QUERY")
> Signed-off-by: Lee Jones <[email protected]>
>
> [...]
Here is the summary with links:
- [v3,1/1] bpf: Ensure correct locking around vulnerable function find_vpid()
https://git.kernel.org/bpf/bpf/c/83c10cc362d9
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html