Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp3038674ybe; Sun, 8 Sep 2019 05:58:36 -0700 (PDT) X-Google-Smtp-Source: APXvYqwzZdHrArSiU1DWf2KcR9eP5jDRr4ICR2mfZCS5aSrq70uEj/4PUA6RFFH1s7Pl5Q/lDV6Y X-Received: by 2002:a17:902:76c2:: with SMTP id j2mr19174492plt.305.1567947516477; Sun, 08 Sep 2019 05:58:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1567947516; cv=none; d=google.com; s=arc-20160816; b=SX/Jj6YbZfRVgQv4tACzK2N1gQc/egDfTJxjznupLgg0FTU+MHz8vLefYmryeepNn8 8pByPQ0ypVvhhleOAB+R1uph8h/u9sh2jeQMTFUJfW+SV7+8MiKtia2Zt4zZWG1PPFwM CKAuz2P0MaMA+Ot25icbn9oJYEp3Nc4IYRCW1NfbDlDIFtNAqLLf7uOkKzQ8t0Ze/Fe3 yrnv0Vz2yVBbo2G/NwSYEvi3G7oW4oFJOsFIXUJ33dW9EmiNe8Y35x8CvqEMRzmsGkF6 /3UoBb1zxf/YBnB70P9GaZdVm1ev0tQcyjU44Hf8WtGytQYBFLsEg3VRXyJd3Kh9SehZ WQ+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=tDUlvgh3TJNH+HOn7EG167U749zEBUbsuQdh4Cjmd8A=; b=y5A7rQ3EgrLXblfnaNcaf6WJpP6nFBzeaiAGxkQnrwHp1goEN65kgpHTfKjM+KKzT3 gGdO2LYYspt4OJv/P4RVsVA308HjeGJDO03MAq7K3uMYOc+cMIcs+Zag++IP9ho9Pkir xahF0/zWCuhSLzNI1tFpDUEWG63bq1wc6nZishNpYBTrODyD4Lc+axvSf1y5dWpiMxAZ DDC6Dq2zJb7rguNTeT2eDW+EGCjZj8S3bGmFLnMfBDH/Y97H41d4RrXAwavhGeCYkFy/ zBx8QxD7gzrUCBkXxqvMz5qVxpXcDy3aj9bUPIiIifVqFdrfq8nOy5M37swietcc0fpY lTuw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r38si10249692pgl.498.2019.09.08.05.58.21; Sun, 08 Sep 2019 05:58:36 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726799AbfIHIUt (ORCPT + 99 others); Sun, 8 Sep 2019 04:20:49 -0400 Received: from mx1.redhat.com ([209.132.183.28]:49656 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726438AbfIHIUt (ORCPT ); Sun, 8 Sep 2019 04:20:49 -0400 Received: from mail-ed1-f70.google.com (mail-ed1-f70.google.com [209.85.208.70]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 89EF6793E5 for ; Sun, 8 Sep 2019 08:20:48 +0000 (UTC) Received: by mail-ed1-f70.google.com with SMTP id a7so2121674edt.13 for ; Sun, 08 Sep 2019 01:20:48 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=tDUlvgh3TJNH+HOn7EG167U749zEBUbsuQdh4Cjmd8A=; b=fHrs9Wa19oC2tf6GmUNbhLSKfwPLkzPYVepw1OV3qx87rOO9xWoMPRJqPBIFq6gw3P WS/93q4mRGTN+ArisWXP4NjqB9Dynx1bA/0wVdAzCy9QG3GjMydyfOuIq2JNXEv4F49g QNh64RDzF+NSyzaK9iBuoZ8K15VvBrlOC/0lZb2Xoo0ima8JXj7kpET5FGY2asWwjxVj GCMgBgnxMwsrlF7Cntxk9dNpNsmGTwtWy5Y5bj9PXN06t0/EH4LIJN3YCiBTE+uO9ssf 0qv87vm+QkVQ4fnK66JHYPI9LENuZDLt98XsoOrmHYu7XhPMlOy9/64M6P+qtDFi2US2 5/uQ== X-Gm-Message-State: APjAAAXFMYYmUUH8rEDLxey7aSIOMgZSJ9yNuAg7LtYEPS5xKic3DAdQ 1Qe0e3nYJCBK5pcBGwPCEm24FR59OFa3itEtEFH4F6DcYhlDW7tsoic3QZST0kJh1bIxksBQLqn O/YxIvyJgcGWr2mqdThwyF9+M X-Received: by 2002:aa7:da18:: with SMTP id r24mr18610333eds.37.1567930847320; Sun, 08 Sep 2019 01:20:47 -0700 (PDT) X-Received: by 2002:aa7:da18:: with SMTP id r24mr18610313eds.37.1567930847128; Sun, 08 Sep 2019 01:20:47 -0700 (PDT) Received: from alrua-x1.borgediget.toke.dk (borgediget.toke.dk. [85.204.121.218]) by smtp.gmail.com with ESMTPSA id t21sm1364896ejs.37.2019.09.08.01.20.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 08 Sep 2019 01:20:46 -0700 (PDT) Received: by alrua-x1.borgediget.toke.dk (Postfix, from userid 1000) id 0F739180615; Sun, 8 Sep 2019 09:20:44 +0100 (WEST) From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= To: make-wifi-fast@lists.bufferbloat.net, linux-wireless@vger.kernel.org, ast@kernel.org, bpf@vger.kernel.org, daniel@iogearbox.net, davem@davemloft.net, hawk@kernel.org, jakub.kicinski@netronome.com, john.fastabend@gmail.com, kafai@fb.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, songliubraving@fb.com, syzkaller-bugs@googlegroups.com, yhs@fb.com Cc: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= , syzbot+4e7a85b1432052e8d6f8@syzkaller.appspotmail.com Subject: [PATCH bpf-next] xdp: Fix race in dev_map_hash_update_elem() when replacing element Date: Sun, 8 Sep 2019 09:20:16 +0100 Message-Id: <20190908082016.17214-1-toke@redhat.com> X-Mailer: git-send-email 2.23.0 In-Reply-To: <0000000000005091a70591d3e1d9@google.com> References: <0000000000005091a70591d3e1d9@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org syzbot found a crash in dev_map_hash_update_elem(), when replacing an element with a new one. Jesper correctly identified the cause of the crash as a race condition between the initial lookup in the map (which is done before taking the lock), and the removal of the old element. Rather than just add a second lookup into the hashmap after taking the lock, fix this by reworking the function logic to take the lock before the initial lookup. Fixes: 6f9d451ab1a3 ("xdp: Add devmap_hash map type for looking up devices by hashed index") Reported-and-tested-by: syzbot+4e7a85b1432052e8d6f8@syzkaller.appspotmail.com Signed-off-by: Toke Høiland-Jørgensen --- kernel/bpf/devmap.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c index 9af048a932b5..d27f3b60ff6d 100644 --- a/kernel/bpf/devmap.c +++ b/kernel/bpf/devmap.c @@ -650,19 +650,22 @@ static int __dev_map_hash_update_elem(struct net *net, struct bpf_map *map, u32 ifindex = *(u32 *)value; u32 idx = *(u32 *)key; unsigned long flags; + int err = -EEXIST; if (unlikely(map_flags > BPF_EXIST || !ifindex)) return -EINVAL; + spin_lock_irqsave(&dtab->index_lock, flags); + old_dev = __dev_map_hash_lookup_elem(map, idx); if (old_dev && (map_flags & BPF_NOEXIST)) - return -EEXIST; + goto out_err; dev = __dev_map_alloc_node(net, dtab, ifindex, idx); - if (IS_ERR(dev)) - return PTR_ERR(dev); - - spin_lock_irqsave(&dtab->index_lock, flags); + if (IS_ERR(dev)) { + err = PTR_ERR(dev); + goto out_err; + } if (old_dev) { hlist_del_rcu(&old_dev->index_hlist); @@ -683,6 +686,10 @@ static int __dev_map_hash_update_elem(struct net *net, struct bpf_map *map, call_rcu(&old_dev->rcu, __dev_map_entry_free); return 0; + +out_err: + spin_unlock_irqrestore(&dtab->index_lock, flags); + return err; } static int dev_map_hash_update_elem(struct bpf_map *map, void *key, void *value, -- 2.23.0