Received: by 2002:a05:6358:5282:b0:b5:90e7:25cb with SMTP id g2csp3330219rwa; Tue, 23 Aug 2022 03:00:20 -0700 (PDT) X-Google-Smtp-Source: AA6agR5Y9kdAvDV69MObOrzGQvtbmOFORTkGGvsSWsjSVSJdbMu8WChkppRqC7p78BwBDfeq4/wb X-Received: by 2002:a17:907:a068:b0:73d:5d21:7ed3 with SMTP id ia8-20020a170907a06800b0073d5d217ed3mr10674310ejc.685.1661248819936; Tue, 23 Aug 2022 03:00:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661248819; cv=none; d=google.com; s=arc-20160816; b=UZ0cVQhNUnZW5kFfhXH6JoQDPKfPiKTl80nxXR+njSt7KfepYON62fSbwrE8NTMUp3 Bsx50TxUMUK+8RBIG8HkgoR1a0+eaNBt5g3zIVDX1QLNx88tsBIyoAT3fZhlNunQWsKo /gVwbflrMjsko7QCzqf5Brdn/2UbANCpIX6o2sSu7PanXWbq2yRC8R6cZXFF9v0lmOrs mHeqVqfD+40MAJubvqe9kkF4otakE9PBE9RwvQL+PRb7l1ybG1QWbBrp20HPAHILefbN scV8PLr+JwFTclyULZSRx7XqHuTnBBgP6IKG89uXYj8C+ROWI1PZ0U+r+ryCjUMqiWCB KdVA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=/5pd5AbphItq45/XveUFr92i7He2XjemfpKGnla4BVc=; b=aozCDxB1x6qVLieieRtHNKaPrkXq516vphPuIxX70Jc/cD+QwObHGtlhDw7ZFavVZs Hy7tJE+mRzNbmgcoxqDbJjKyyEim7eXbOp79GRrL1KuXdwsAsgpuHnCjXSBLs2umoFqK tQI9LKmgBiEE5kY2KRbCiUaPorvBbwRghZokd/uWvsiVdak/pizjyaJm6bCcQyN7+ho1 4H4oPPeCcKNBqP7geZ1/ev+clv4ew1COMfnnENV9StckGItF3dPopQEzArIq+EzMivDn I0IFWcVHI59ctdlqOMFQVBKhPZVbbIyvi2QLM/RGtpa/y60O8cqDCn/GBRANyFNVPDDw 2qJg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=UGk9kucJ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hp35-20020a1709073e2300b0073d8087a846si5724574ejc.96.2022.08.23.02.59.48; Tue, 23 Aug 2022 03:00:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=UGk9kucJ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242644AbiHWJsw (ORCPT + 99 others); Tue, 23 Aug 2022 05:48:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50196 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1352412AbiHWJqY (ORCPT ); Tue, 23 Aug 2022 05:46:24 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9E43112ABA; Tue, 23 Aug 2022 01:43:30 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id D8892B81C5A; Tue, 23 Aug 2022 08:42:27 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 387CFC433D6; Tue, 23 Aug 2022 08:42:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661244146; bh=tCIZSBHSTdC7kRiDBIByJknVqxiKMBmDybpMDbx77pM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UGk9kucJUIBYz5lndRokMFoPMHAGqlPSq9WsaOIrKUtl9bHWlBMJVbyIM5Wk1Xfec iz0WseAWJs3EJm2N592adXQNPR2TPwm1rl+bWa5AANwMtgZFcovGSdODahMotTESNU ojIEZZwV0cxeZCNNTjFdMiLtuIDzn4mJgE4Nbtz8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Yonghong Song , Kumar Kartikeya Dwivedi , Martin KaFai Lau , Alexei Starovoitov Subject: [PATCH 5.15 043/244] bpf: Dont reinit map value in prealloc_lru_pop Date: Tue, 23 Aug 2022 10:23:22 +0200 Message-Id: <20220823080100.501638085@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080059.091088642@linuxfoundation.org> References: <20220823080059.091088642@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Kumar Kartikeya Dwivedi commit 275c30bcee66a27d1aa97a215d607ad6d49804cb upstream. The LRU map that is preallocated may have its elements reused while another program holds a pointer to it from bpf_map_lookup_elem. Hence, only check_and_free_fields is appropriate when the element is being deleted, as it ensures proper synchronization against concurrent access of the map value. After that, we cannot call check_and_init_map_value again as it may rewrite bpf_spin_lock, bpf_timer, and kptr fields while they can be concurrently accessed from a BPF program. This is safe to do as when the map entry is deleted, concurrent access is protected against by check_and_free_fields, i.e. an existing timer would be freed, and any existing kptr will be released by it. The program can create further timers and kptrs after check_and_free_fields, but they will eventually be released once the preallocated items are freed on map destruction, even if the item is never reused again. Hence, the deleted item sitting in the free list can still have resources attached to it, and they would never leak. With spin_lock, we never touch the field at all on delete or update, as we may end up modifying the state of the lock. Since the verifier ensures that a bpf_spin_lock call is always paired with bpf_spin_unlock call, the program will eventually release the lock so that on reuse the new user of the value can take the lock. Essentially, for the preallocated case, we must assume that the map value may always be in use by the program, even when it is sitting in the freelist, and handle things accordingly, i.e. use proper synchronization inside check_and_free_fields, and never reinitialize the special fields when it is reused on update. Fixes: 68134668c17f ("bpf: Add map side support for bpf timers.") Acked-by: Yonghong Song Signed-off-by: Kumar Kartikeya Dwivedi Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/r/20220809213033.24147-3-memxor@gmail.com Signed-off-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman --- kernel/bpf/hashtab.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) --- a/kernel/bpf/hashtab.c +++ b/kernel/bpf/hashtab.c @@ -291,12 +291,8 @@ static struct htab_elem *prealloc_lru_po struct htab_elem *l; if (node) { - u32 key_size = htab->map.key_size; - l = container_of(node, struct htab_elem, lru_node); - memcpy(l->key, key, key_size); - check_and_init_map_value(&htab->map, - l->key + round_up(key_size, 8)); + memcpy(l->key, key, htab->map.key_size); return l; }