Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp737248imm; Fri, 10 Aug 2018 22:04:09 -0700 (PDT) X-Google-Smtp-Source: AA+uWPyP+2vg2hdmqqg9CADTaYwzprb4SuDIUV1okK/lbaFFVbAsW7HHL0HT8W6ctIAQSkdOUdNJ X-Received: by 2002:a65:4384:: with SMTP id m4-v6mr9004523pgp.265.1533963849203; Fri, 10 Aug 2018 22:04:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1533963849; cv=none; d=google.com; s=arc-20160816; b=LsdSlJv6/O63tno54yIaM7rzP2PjJ6GI5Fw+68bMPAJmNhg5ZHW6dFIPG0wfiR2OvE 1618tYYaVh4egFqXRWrfbzFXNCjmRR4BIZ+M3hfVc7/F+f1FrTZ6kkGWUzcfojjX63SO +RYsdvblDjesLofjp6GHE8iesg/vwNuVWlg6ptOUD0o9gyx0UH08qmlkqMOtXtmbcDwz hHP6RP3UgHqg3USRiHfwHIX7fgRogz9VqHB9bXnsi9C8NgdLO0bwm0fLMiV+IGPH8hXO 2vaRBFk+vGY1wNUhLIZc+de9Q4qcBRngsexgTWmbJRhlKHHJHZ4IMoSeGBH0gxGbxXm1 8Jpw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=ZC8+1yclx5WDaSPytBCKjdTzkJ9PyCnM2cGCx68V9F8=; b=v2ZG0CiTIcKNMcB082dy3WUgvIVdEONITijcoxEKh8lie5kVu3vJEBYRNqLX8eRjua mo826Ztjze+enaWwjAewvWePXpBde+gtLkQ8uSVVdJ1y7PPiBwEWBy/sct4O1BbR1ZR4 eksm7nL8zT1/aQ9TJwILbTEezdlSlbXcqfZk0c6puJO3fhPdMfWiUrW6eFV/FGK+U0j0 tIqJxUcHBozh5fezFawKRU3FxKq1/GG5vJG61qltaYRyjzzYp1nnocpTzqJ6g8qcF1pA +NxKU/LRfJ6jiAT3bis0RP6vvgmWx+Q15o/yq2R6DDygkKEJOvGerW/ljM/vmjuYl+Hy 3I2w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=SvciDqjc; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id cc6-v6si10621262plb.458.2018.08.10.22.03.41; Fri, 10 Aug 2018 22:04:09 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=SvciDqjc; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727268AbeHKHfG (ORCPT + 99 others); Sat, 11 Aug 2018 03:35:06 -0400 Received: from mail-ua1-f66.google.com ([209.85.222.66]:45754 "EHLO mail-ua1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726858AbeHKHfG (ORCPT ); Sat, 11 Aug 2018 03:35:06 -0400 Received: by mail-ua1-f66.google.com with SMTP id k8-v6so4086569uaq.12; Fri, 10 Aug 2018 22:02:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ZC8+1yclx5WDaSPytBCKjdTzkJ9PyCnM2cGCx68V9F8=; b=SvciDqjcf/LasIuocpLlDc6+UH+0MkbdhUkqTPjZfA0lv1fTr6v+3DCH6KvmEpvZsR N7Ff62udRQPezz0fzsfRaOoIaPI7EOnyPFJYvhVsYstTSoX4bajSM+6KaBTczRlUZ+Xp wdhpXz97yeTVHeH7naiYfwxpbBGqERwpk+oXinCwwmGXOPzxVYD5B47CSpGgy6zw/69V kAGOJGZLjk6ScN4dD1m70N1HCxH5otiOFlOECHqm0G7EjtZqJR0aKT7Yvjzhd48ihBYK RdH3punV7Uv3QgC5qlm4NxC6JHnzHHGmGNd6cP1kUgkUOCQJUllBI9xVefrHA6rwmn3N Saaw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ZC8+1yclx5WDaSPytBCKjdTzkJ9PyCnM2cGCx68V9F8=; b=YI+sr3cZoe8KlScRsNf1ZuRH1uGuFpmxP86h4selC1r/mleX+zqHehGeLHSzYZHsfz 0jJoF269I6idqyHSa2YY9T19KJrWkFODrS53acrLitbqankJ4+R70731NtHPiK1pfRWj gUY4fs4O+504kfxlu1W21xAU2BGjAUZclwsUMEI/s4pqO0tsH1tJdCC8hNe3tvJFOkbx nTfKSBXfEMpNx7OSiTK14L8XrynZ+hxTYN3rPJAHLigpvrreqD2ZmfIvUBTk8Jpwu1TY kN+kfl4fwK4rQoQvd1bhte0LZkh4Tn1vqV6lCZpTKmmIRVgNNWTY88ryIB+kuzFY3bBL MEEA== X-Gm-Message-State: AOUpUlGozgSHhzblPzvO4xwPQzJuDhur7d9oF29m8hPKXPtoqS80rHhP hQ50W0Ch3LofT73XZdTAJ7nuVKfpaiIyZUwDZZY= X-Received: by 2002:ab0:1c1a:: with SMTP id a26-v6mr6228724uaj.142.1533963733777; Fri, 10 Aug 2018 22:02:13 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a67:7f52:0:0:0:0:0 with HTTP; Fri, 10 Aug 2018 22:01:33 -0700 (PDT) In-Reply-To: <4f9a083d-1498-8cfb-b54c-614abccb193e@gmail.com> References: <65830741-bf35-4d32-e365-c32fc17c25cb@gmail.com> <97aa2e6b-1863-f123-af2c-24a2e6333ba5@iogearbox.net> <4f9a083d-1498-8cfb-b54c-614abccb193e@gmail.com> From: Y Song Date: Fri, 10 Aug 2018 22:01:33 -0700 Message-ID: Subject: Re: [BUG] bpf: syscall: a possible sleep-in-atomic-context bug in map_update_elem() To: Jia-Ju Bai Cc: Daniel Borkmann , Alexei Starovoitov , netdev , Linux Kernel Mailing List , Jesper Dangaard Brouer Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Aug 10, 2018 at 6:57 PM, Jia-Ju Bai wrote: > > > On 2018/8/10 22:22, Daniel Borkmann wrote: >> >> On 08/10/2018 04:07 PM, Jia-Ju Bai wrote: >>> >>> The kernel may sleep with holding a rcu read lock. >>> >>> The function call paths (from bottom to top) in Linux-4.16 are: >>> >>> [FUNC] kmalloc(GFP_KERNEL) >>> kernel/kthread.c, 283: kmalloc in __kthread_create_on_node >>> kernel/kthread.c, 365: __kthread_create_on_node in kthread_create_on_node >>> kernel/bpf/cpumap.c, 368: kthread_create_on_node in __cpu_map_entry_alloc >>> kernel/bpf/cpumap.c, 490: __cpu_map_entry_alloc in cpu_map_update_elem >>> kernel/bpf/syscall.c, 724: [FUNC_PTR]cpu_map_update_elem in >>> map_update_elem >>> kernel/bpf/syscall.c, 723: rcu_read_lock in map_update_elem >>> >>> Note that [FUNC_PTR] means a function pointer call is used. >>> >>> I do not find a good way to fix it, so I only report. >>> This is found by my static analysis tool (DSAC). Maybe your static analysis tool have false positives in this case? >> >> Thanks for the report Jia-Ju! In the map_update_elem() from syscall >> path there's a check map->map_type == BPF_MAP_TYPE_CPUMAP, where we >> call the cpumap's map->ops->map_update_elem() while /not/ being under >> rcu_read_lock() as in other cases, so looks okay to me. Could you point >> out the case for being under rcu_read_lock() more specifically which >> the tool found? > > > Thanks for your reply :) > My tool cannot accurately track the case of map->map_type at present... > > According to my code review, there is a indeed check on line 697 in > Linux-4.16: > else if (map->map_type == BPF_MAP_TYPE_CPUMAP) { > err = map->ops->map_update_elem(map, key, value, attr->flags); > goto out; > } > But there is a call to map->ops->map_update_elem() that is under > rcu_read_lock on line 724: > rcu_read_lock(); > err = map->ops->map_update_elem(map, key, value, attr->flags); > rcu_read_unlock(); > > So I think if map->map_type is not equal to BPF_MAP_TYPE_CPUMAP, > map->ops->map_update_elem() can still be called under rcu_read_lock, is it > right? map->ops->map_update_elem() can be called under rcu_read_lock(), but since it is not type cpumap, the function should not be cpu_map_update_elem(). Could you double check your static analysis tool? > > > Best wishes, > Jia-Ju Bai