From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jann Horn, Alexei Starovoitov, Daniel Borkmann, "Paul E. McKenney"
Subject: [PATCH 5.5 313/367] bpf: Fix trampoline usage in preempt
Date: Mon, 10 Feb 2020 04:33:46 -0800
Message-Id: <20200210122452.143886749@linuxfoundation.org>
In-Reply-To: <20200210122423.695146547@linuxfoundation.org>

From: Alexei Starovoitov

commit 05d57f1793fb250c85028c9952c3720010baa853 upstream.

Though the second half of trampoline page is unused a task could be
preempted in the middle of the first half of trampoline and two
updates to trampoline would change the code from underneath the
preempted task. Hence wait for tasks to voluntarily schedule or go
to userspace.
Add similar wait before freeing the trampoline.

Fixes: fec56f5890d9 ("bpf: Introduce BPF trampoline")
Reported-by: Jann Horn
Signed-off-by: Alexei Starovoitov
Signed-off-by: Daniel Borkmann
Acked-by: Paul E. McKenney
Link: https://lore.kernel.org/bpf/20200121032231.3292185-1-ast@kernel.org
Signed-off-by: Greg Kroah-Hartman
---
 kernel/bpf/trampoline.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/kernel/bpf/trampoline.c +++ b/kernel/bpf/trampoline.c 
@@ -150,6 +150,14 @@ static int bpf_trampoline_update(struct if (fexit_cnt) flags = BPF_TRAMP_F_CALL_ORIG | BPF_TRAMP_F_SKIP_FRAME; + /* Though the second half of trampoline page is unused a task could be + * preempted in the middle of the first half of trampoline and two + * updates to trampoline would change the code from underneath the + * preempted task. Hence wait for tasks to voluntarily schedule or go + * to userspace. + */ + synchronize_rcu_tasks(); + err = arch_prepare_bpf_trampoline(new_image, &tr->func.model, flags, fentry, fentry_cnt, fexit, fexit_cnt, @@ -240,6 +248,8 @@ void bpf_trampoline_put(struct bpf_tramp goto out; if (WARN_ON_ONCE(!hlist_empty(&tr->progs_hlist[BPF_TRAMP_FEXIT]))) goto out; + /* wait for tasks to get out of trampoline before freeing it */ + synchronize_rcu_tasks(); bpf_jit_free_exec(tr->image); hlist_del(&tr->hlist); kfree(tr);
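Review bot: in the bpf_trampoline_update() hunk, the new comment explains the preemption hazard but not why synchronize_rcu_tasks() has to sit before arch_prepare_bpf_trampoline() writes into new_image. The safety of the fix depends on that ordering: the grace period must finish before the code a preempted task may still be executing is overwritten. One sentence saying so would keep a later refactor from moving the call below the write. The wait is also unconditional, so every update now blocks until all tasks have voluntarily scheduled or gone to userspace; it would help to state in the comment or changelog that this latency is accepted on this path.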
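Review bot: in the bpf_trampoline_put() hunk, the one-line comment above synchronize_rcu_tasks() does not say what goes wrong without the wait: bpf_jit_free_exec(tr->image) releases executable memory that a preempted task could otherwise resume into. Consider spelling that out or pointing at the longer comment in bpf_trampoline_update(). The wait also runs before hlist_del(&tr->hlist), so the trampoline stays on its hash list for the whole blocking grace period. The visible lines do not show what keeps a concurrent lookup from picking it up in that window, so please confirm the function's locking covers the wait, or unlink first and wait afterwards.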