Received: by 2002:a89:48b:0:b0:1f5:f2ab:c469 with SMTP id a11csp963349lqd; Thu, 25 Apr 2024 01:51:15 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCU/Pgb/ouxyoFqKC8DLqxLQUDX+/YEYoGl4fNmSob3g3zAA4PCdbU8KxlgG6SOSoriWNOKqlG5on6kVUxO64PpDFiXSzgZXe7U+QZsDaA== X-Google-Smtp-Source: AGHT+IHp5pwDSrr5wqGV4Z88wqtDXv8oo6NPqSZ74uTC/vB0ix0fXUICGywESOw7/I+SjL3NFBrl X-Received: by 2002:a05:6a00:a0e:b0:6ea:b818:f499 with SMTP id p14-20020a056a000a0e00b006eab818f499mr6006158pfh.19.1714035075530; Thu, 25 Apr 2024 01:51:15 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714035075; cv=pass; d=google.com; s=arc-20160816; b=kJmagpogRcQ4nzLKLMFIgkBDWOQWC2Er0Z8qNfyvZNn06Uwc+v7r6dFtXqH5Be8NiM QhKshoyVL1QuCyz5mFoi+IH+kyxpG4NPc15T4UOCAw8FHDxrRfaEXH03by3gCiTFLyN9 WBtdEEQa+0ca4vzFJ2BU/4uEipLUp2UGIj/ciCxZ75z5Jci+wKLgwkgIjN1CSfkZ0d/M bRfimHzR19BDl0kjNWv4By7t1rcsqElqa/1WEGrXMdsu+wtPEywCIZNneox2pvhWS6xO bEvS8kX2AflN14aCGg7nvuSBRzBuNNxtq2hlG3Y+tipFrMTBNiZjGhxXzvHmVndxDkxX MILg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date:dkim-signature; bh=M8M9AKdyesGS6r3+8h/AEy0kViieS8YlBnsG+uKRna4=; fh=q4UXWtcyd1MFDR47RrPgEwGOSJCQezDRAV0OMmsdobo=; b=KZ44Po77bf7vpxfl928rKzgz2UaWLJnRCcZn6gkvLuMA8UgmyzrMlpexEmgMgzEB1J 3RSJHiMfJg0q+DbsIYDKhhgvCcxAZu8Kb5cXTmAiPG//EqyEv/WHyXRkOEInYHwAF8m5 S2c8meqxtcZ0KKERynxDdu3p7jbx8ewag/l+q4Pxe6b1OgqTqMdt9J5oyBjgp4xoMOwJ +2DxX7PsjI7QtVCi3zddf8U0avlZKfamItqaTx3QurBV4WmNSMCwgdmzLgxGwarn7uOf ZzJ+i3NLdGML7C32ee9Df5mAQfn6DLz3s9LfIystdx7D4wSkkXuXYgwdsO5wmP4pxzz+ 1w4g==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=PWLRYv8J; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-158215-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-158215-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id u73-20020a63794c000000b005e42b580aadsi8057907pgc.393.2024.04.25.01.51.15 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 25 Apr 2024 01:51:15 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-158215-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=PWLRYv8J; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-158215-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-158215-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 1BE8B28916D for ; Thu, 25 Apr 2024 08:51:15 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 85C8F84D05; Thu, 25 Apr 2024 08:50:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="PWLRYv8J" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8A96F83CD2; Thu, 25 Apr 2024 08:50:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714035050; cv=none; b=dYYkxl1gzBV6Y9UIXL+Y5PHcoaBkDlIW5KEAUyg3qVyeLWrcl1Jl0b9292gB58pvrZE8PVZNT6W/teFm+olsISmYEmbNESJgVMT7HWxnzvYR2nCNiaunBct4QWbGF+mTTnJQcHItDEN59TJm0Oe3o1UNqxRvZxKSgyfuvSWQ5Po= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714035050; c=relaxed/simple; bh=Ykyc1m6fUbjPL+SvZ1UaIcoFtggZytlQ0SlPkOJ/8aU=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=lurUOeS026MbLWDG0nWYe2y3hA01JY9eniROafA7xeoWImsTsVfJALEMGc1QCfosjKYL4FDzq1DYUVf30N1cPfgzmu37eFoTkXQwQk2wwEClJhVBA03VCDXOY/tq170L2ZB2OKk7fAlV/VE4tlrlYXEar8rKBD8kTGiIuxQEJ7Y= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=PWLRYv8J; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4E590C2BBFC; Thu, 25 Apr 2024 08:50:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1714035050; bh=Ykyc1m6fUbjPL+SvZ1UaIcoFtggZytlQ0SlPkOJ/8aU=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=PWLRYv8J+fJlpc5+N7ecHfJH4vNKOw3AeItSmvtb8mJi50tcoG6g2wzD2MTmYwk/o JlFCScJnKyonQ3s1MZ+6a9zXKD1bcmjnz3wh5bKzorOPzWBtwdDiKtDwLKplSbOVWR j/CfTOIv5qqmirc/TMf5P96/65QNmlpbISXOm0+8UYQRnnIYwONy8LqFOL32asCAjw 05dxTy//HVWp8Zj5LWL5W/Zv8NC7Q0S+I0WA8Q3LOKGwKr8T0mAb52p8afoKtqTnef B6UlK87h7P21b/w8lcKfXig1lJFgi9/q0Pap17Mgti5FQl5/ZvsTBlexTotN5fUjG/ 7Fm58wmOqwZmA== Date: Thu, 25 Apr 2024 10:50:43 +0200 From: Benjamin Tissoires To: Alexei Starovoitov Cc: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Eduard Zingerman , Song Liu , Yonghong Song , John Fastabend , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , Mykola Lysenko , Shuah Khan , bpf , LKML , "open list:KERNEL SELFTEST FRAMEWORK" Subject: Re: [PATCH bpf-next v2 11/16] bpf: wq: add bpf_wq_init Message-ID: References: <20240420-bpf_wq-v2-0-6c986a5a741f@kernel.org> <20240420-bpf_wq-v2-11-6c986a5a741f@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: On Apr 24 2024, Alexei Starovoitov wrote: > On Wed, Apr 24, 2024 at 8:06 AM Alexei Starovoitov > wrote: > > > > On Tue, Apr 23, 2024 at 7:55 PM Alexei Starovoitov > > wrote: > > > > > > On Sat, Apr 20, 2024 at 2:10 AM Benjamin Tissoires wrote: > > > > > > > > We need to teach the verifier about the second argument which is declared > > > > as void * but which is of type KF_ARG_PTR_TO_MAP. We could have dropped > > > > this extra case if we declared the second argument as struct bpf_map *, > > > > but that means users will have to do extra casting to have their program > > > > compile. > > > > > > > > We also need to duplicate the timer code for the checking if the map > > > > argument is matching the provided workqueue. > > > > > > > > Signed-off-by: Benjamin Tissoires > > > > > > > > --- > > > > > > > > FWIW, I still have one concern with this implementation: > > > > - bpf_wq_work() access ->prog without protection, but I think this might > > > > be racing with bpf_wq_set_callback(): if we have the following: > > > > > > > > CPU 0 CPU 1 > > > > bpf_wq_set_callback() > > > > bpf_start() > > > > bpf_wq_work(): > > > > prog = cb->prog; > > > > > > > > bpf_wq_set_callback() > > > > cb->prog = prog; > > > > bpf_prog_put(prev) > > > > rcu_assign_ptr(cb->callback_fn, > > > > callback_fn); > > > > callback = READ_ONCE(w->cb.callback_fn); > > > > > > > > As I understand callback_fn is fine, prog might be, but we clearly > > > > have an inconstency between "prog" and "callback_fn" as they can come > > > > from 2 different bpf_wq_set_callback() calls. > > > > > > > > IMO we should protect this by the async->lock, but I'm not sure if > > > > it's OK or not. > > > > > > I see the concern, but I think it's overkill. > > > Here 'prog' is used to pass it into __bpf_prog_enter_sleepable_recur() > > > to keep the standard pattern of calling into sleepable prog. > > > But it won't recurse. > > > We can open code migrate_disable,etc from there except this_cpu_inc_return, > > > but it's an overkill. > > > The passed 'prog' is irrelevant. > > > If somebody tries really hard by having two progs sharing the same > > > map with bpf_wq and racing to set_callback... I can see how > > > prog won't match callback, but it won't make a difference. > > > prog is not going trigger recursion check (unless somebody > > > tries is obsessed) and not going to UAF. > > > I imagine it's possible to attach somewhere in core wq callback > > > invocation path with fentry, set_callback to the same prog, > > > and technically it's kinda sorta recursion, but different subprogs, > > > so not a safety issue. > > > The code as-is is fine. imo. > > > > After sleeping on it, I realized that the use of > > __bpf_prog_enter_sleepable_recur() here is very much incorrect :( > > The tests are passing only because we don't inc prog->active > > when we run the prog via prog_run cmd. > > Adding the following: > > diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c > > index f6aad4ed2ab2..0732dfe22204 100644 > > --- a/net/bpf/test_run.c > > +++ b/net/bpf/test_run.c > > @@ -1514,7 +1514,9 @@ int bpf_prog_test_run_syscall(struct bpf_prog *prog, > > } > > > > rcu_read_lock_trace(); > > + this_cpu_inc_return(*(prog->active)); > > retval = bpf_prog_run_pin_on_cpu(prog, ctx); > > + this_cpu_dec(*(prog->active)); > > rcu_read_unlock_trace(); > > > > makes the test fail sporadically. > > Or 100% fail when the kernel is booted with 1 cpu. > > > > Could you send a quick follow up to > > replace __bpf_prog_enter_sleepable_recur() with > > rcu_read_lock_trace(); > > migrate_disable(); > > ? > > > > Or I'll do it in an hour or so. > > Considering two broken-build reports already > I've applied the following fix: > https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id=dc92febf7b93da5049fe177804e6b1961fcc6bd7 > > that addresses the build issue on !JIT and fixes this recursion problem. Thanks a lot for fixing this on my behalf. I was slightly puzzled by the broken-build report but really I wasn't in position to think straight yesterday (got a pretty big muscular pain in the back and had to go to the doctor to get painkillers) I haven't forgoten about the double list walk in 9/16, I'll hopefully send the fix today. Cheers, Benjamin