Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp3355398iob; Mon, 16 May 2022 20:29:56 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyVA4BgOUNIw1bXVi2XVolfIn5R2gqDsxWtsPLdwVzPt/4FzJEoOoN/ZpwUeH2Cky03To9T X-Received: by 2002:a05:6402:90d:b0:428:c1ad:1e74 with SMTP id g13-20020a056402090d00b00428c1ad1e74mr16736273edz.345.1652758196778; Mon, 16 May 2022 20:29:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652758196; cv=none; d=google.com; s=arc-20160816; b=fvkAsogKPFQyNy6YNeShCQWvFIc2v2magoVZcqZGtYgFapQgH+nmhT52qRJuUK2BHZ N2AR6cPibZgTogClRYEQSPlGw4mZ6iPxZbPDBmZlnRwuOTOqjHt961zWHDONuCDJKlvn DmXCc0IXL4JCUUQKgQi277652+eUAdGywWeXBrVTry3IgtCyPKItEflNj5J9KStArsbs b/Lyd7O5Fgw7oD4e3+W62gnP1TLnGpUjjwYKAfVjL52kC6FoT1fCUOp81DzCbz+1M8PY vnBQyoHhSZyiEREGXv3ZyRZcVAtTj47G/AzIHaZzsKAC4PR8o1MA1eXzxnPYDAk7FEiH GIvg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:subject :from:references:cc:to:content-language:user-agent:mime-version:date :message-id:dkim-signature; bh=SW/UVWzWsdpJtnPhkcqrIpoiIUSTo1h+7uoKjNI2+sQ=; b=0BZpPYH44huXeUkBz4WIKvk6drAJteP3SEpTQVhs2Rq7xSxo/1J0ZqalHUWQf7kjUU 4FFJVnaC+rU2FChYnA3DlbKXIkZOQIxE3K8DDOA6Xisp8DBVNuRe/wN0+mEYYwexGidw s3q7MdTkpz+zKv3iXLBhaNQWtJOcNjB+XDQ3COBF7X5b1JrG+cYX1P6A/EfMGmI9bbWb qrJdbhTUUb212oq7zLdNbGr9uNVRKzQ+JBxX9kkaXzZMvRcY8f8hXuKHno/ONthv+Klr gGRFFGMB6nwbIpiXpwRHJ0YAkvI8qU1dilGbKfsQ+/+7bnikiZ7F0NuqymHiz6D6WzkD mAEQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=EvEOYmoN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hp30-20020a1709073e1e00b006fa740cee4bsi1427635ejc.23.2022.05.16.20.29.31; Mon, 16 May 2022 20:29:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=EvEOYmoN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1346236AbiEPXfM (ORCPT + 99 others); Mon, 16 May 2022 19:35:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55018 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347272AbiEPXfK (ORCPT ); Mon, 16 May 2022 19:35:10 -0400 Received: from mail-pl1-x62c.google.com (mail-pl1-x62c.google.com [IPv6:2607:f8b0:4864:20::62c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6069F3FBCC for ; Mon, 16 May 2022 16:35:08 -0700 (PDT) Received: by mail-pl1-x62c.google.com with SMTP id q7so4475532plx.3 for ; Mon, 16 May 2022 16:35:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=message-id:date:mime-version:user-agent:content-language:to:cc :references:from:subject:in-reply-to:content-transfer-encoding; bh=SW/UVWzWsdpJtnPhkcqrIpoiIUSTo1h+7uoKjNI2+sQ=; b=EvEOYmoNSLO0F/CcduL33KGkB1dDXrs0mafz3naiC3Dca5nTLoBgRdodtmP1lB7IPT qheWKdsw9O7nI9FVnktp0GhXxiTwqOcSPSxamYPQyroUlLiT2NEDcDMcMxIk0OTkNEFK /+0KcO/3FdiAxEF+vMSkP6pxPzWQ7DCgbAAIkHNXhanU2Ao8T9HlBRdhVKYW+3FeKPQ2 drS9RMj6vOH4cHprgKeR5oJvUU7v5fZeH2EvdjmG34hm9465T9vpHBSLZZJcDuOKRSvh ATJZRzaXCigEJr3VtTPmbOf5v9njTq4uM1nOx6DpISa/YbJVb0hD9t1hokEVX5HA7QRN lj7g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent :content-language:to:cc:references:from:subject:in-reply-to :content-transfer-encoding; bh=SW/UVWzWsdpJtnPhkcqrIpoiIUSTo1h+7uoKjNI2+sQ=; b=xgPcvgpFxdzld6JdhpkmvmAol3yPRNwetR4P39ycTPpRSA/fg0tRzrnUp+gQlCzkNK Re68n/LJeggBMRdxw2haFJNRVIv5eGtIUe615J0hkwRoHljOiXPY7+FIF8OoxiDeyPwU V7e1t9Kd8OlrATjMnoyVsuqsdc06DCMZ6reoxOOc22/D7IvRcmVJbQaLmrUcM2wO9IWb dNU1gUQtc4N4/OxSF/Ha3JDbgcz/8XLkuz24o68m5D14IAw/bhBuP45dNut+FW00JpR4 sWLbEJEUnhXPp9ghLzs4eKq7O0MoOevyPr6vwQTVwTGjT+w5M4VLrIInT2beh5XpHfo2 50Rg== X-Gm-Message-State: AOAM532tvLyoO/gAbBkNovlSNFVYdPIhgtYaRlu7wKtuS5eMdCVj2BFz R14EuTz5ZsBIyIwdb4pyqxXpuw== X-Received: by 2002:a17:90a:528f:b0:1dc:9a7c:4a3 with SMTP id w15-20020a17090a528f00b001dc9a7c04a3mr21607865pjh.112.1652744107892; Mon, 16 May 2022 16:35:07 -0700 (PDT) Received: from [192.168.254.17] ([50.39.160.154]) by smtp.gmail.com with ESMTPSA id j6-20020a17090adc8600b001df3a251cc2sm259493pjv.4.2022.05.16.16.35.06 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 16 May 2022 16:35:07 -0700 (PDT) Message-ID: <2fcdbecf-5352-ea81-ee42-ee10fbe2f72e@linaro.org> Date: Mon, 16 May 2022 16:35:06 -0700 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.0 Content-Language: en-US To: Andrii Nakryiko Cc: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , John Fastabend , KP Singh , Networking , bpf , linux- stable , open list , syzbot+f264bffdfbd5614f3bb2@syzkaller.appspotmail.com References: <20220513190821.431762-1-tadeusz.struk@linaro.org> From: Tadeusz Struk Subject: Re: [PATCH v3] bpf: Fix KASAN use-after-free Read in compute_effective_progs In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 5/16/22 16:16, Andrii Nakryiko wrote: > On Fri, May 13, 2022 at 12:08 PM Tadeusz Struk wrote: >> kernel/bpf/cgroup.c | 64 +++++++++++++++++++++++++++++++++++++++------ >> 1 file changed, 56 insertions(+), 8 deletions(-) >> >> diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c >> index 128028efda64..9d3af4d6c055 100644 >> --- a/kernel/bpf/cgroup.c >> +++ b/kernel/bpf/cgroup.c >> @@ -681,6 +681,57 @@ static struct bpf_prog_list *find_detach_entry(struct list_head *progs, >> return ERR_PTR(-ENOENT); >> } >> >> +/** >> + * purge_effective_progs() - After compute_effective_progs fails to alloc new >> + * cgrp->bpf.inactive table we can recover by >> + * recomputing the array in place. >> + * >> + * @cgrp: The cgroup which descendants to traverse >> + * @link: A link to detach >> + * @atype: Type of detach operation >> + */ >> +static void purge_effective_progs(struct cgroup *cgrp, struct bpf_prog *prog, >> + enum cgroup_bpf_attach_type atype) >> +{ >> + struct cgroup_subsys_state *css; >> + struct bpf_prog_array_item *item; >> + struct bpf_prog *tmp; >> + struct bpf_prog_array *array; >> + int index = 0, index_purge = -1; >> + >> + if (!prog) >> + return; >> + >> + /* recompute effective prog array in place */ >> + css_for_each_descendant_pre(css, &cgrp->self) { >> + struct cgroup *desc = container_of(css, struct cgroup, self); >> + >> + array = desc->bpf.effective[atype]; > > ../kernel/bpf/cgroup.c:748:23: warning: incorrect type in assignment > (different address spaces) > ../kernel/bpf/cgroup.c:748:23: expected struct bpf_prog_array *array > ../kernel/bpf/cgroup.c:748:23: got struct bpf_prog_array [noderef] __rcu * > > > you need rcu_dereference here? but also see suggestions below to avoid > iterating effective directly (it's ambiguous to search by prog only) I didn't check it with sparse so I didn't see this warning. Will fix in the next version. > >> + item = &array->items[0]; >> + >> + /* Find the index of the prog to purge */ >> + while ((tmp = READ_ONCE(item->prog))) { >> + if (tmp == prog) { > > I think comparing just prog isn't always correct, as the same program > can be in effective array multiple times if attached through bpf_link. > > Looking at replace_effective_prog() I think we can do a very similar > (and tested) approach: > > 1. restore original pl state in __cgroup_bpf_detach (so we can find it > by comparing pl->prog == prog && pl->link == link) > 2. use replace_effective_prog's approach to find position of pl in > effective array (using this nested for loop over cgroup parents and > list_for_each_entry inside) > 3. then instead of replacing one prog with another do > bpf_prog_array_delete_safe_at ? > > I'd feel more comfortable using the same tested overall approach of > replace_effective_prog. Ok, I can try that. > >> + index_purge = index; >> + break; >> + } >> + item++; >> + index++; >> + } >> + >> + /* Check if we found what's needed for removing the prog */ >> + if (index_purge == -1 || index_purge == index - 1) >> + continue; > > the search shouldn't fail, should it? I wasn't if the prog will be present in all parents so I decided to add this check to make sure it is found. > >> + >> + /* Remove the program from the array */ >> + WARN_ONCE(bpf_prog_array_delete_safe_at(array, index_purge), >> + "Failed to purge a prog from array at index %d", index_purge); >> + >> + index = 0; >> + index_purge = -1; >> + } >> +} >> + >> /** >> * __cgroup_bpf_detach() - Detach the program or link from a cgroup, and >> * propagate the change to descendants >> @@ -723,8 +774,11 @@ static int __cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog, >> pl->link = NULL; >> >> err = update_effective_progs(cgrp, atype); >> - if (err) >> - goto cleanup; >> + if (err) { >> + struct bpf_prog *prog_purge = prog ? prog : link->link.prog; >> + > > so here we shouldn't forget link, instead pass both link and prog (one > of them will have to be NULL) into purge_effective_progs ok, I will pass in both. -- Thanks, Tadeusz