Jiri Olsa 4b7de80160 bpf: Fix prog_array_map_poke_run map poke update ... Lee pointed out issue found by syscaller [0] hitting BUG in prog array map poke update in prog_array_map_poke_run function due to error value returned from bpf_arch_text_poke function. There's race window where bpf_arch_text_poke can fail due to missing bpf program kallsym symbols, which is accounted for with check for -EINVAL in that BUG_ON call. The problem is that in such case we won't update the tail call jump and cause imbalance for the next tail call update check which will fail with -EBUSY in bpf_arch_text_poke. I'm hitting following race during the program load: CPU 0 CPU 1 bpf_prog_load bpf_check do_misc_fixups prog_array_map_poke_track map_update_elem bpf_fd_array_map_update_elem prog_array_map_poke_run bpf_arch_text_poke returns -EINVAL bpf_prog_kallsyms_add After bpf_arch_text_poke (CPU 1) fails to update the tail call jump, the next poke update fails on expected jump instruction check in bpf_arch_text_poke with -EBUSY and triggers the BUG_ON in prog_array_map_poke_run. Similar race exists on the program unload. Fixing this by moving the update to bpf_arch_poke_desc_update function which makes sure we call __bpf_arch_text_poke that skips the bpf address check. Each architecture has slightly different approach wrt looking up bpf address in bpf_arch_text_poke, so instead of splitting the function or adding new 'checkip' argument in previous version, it seems best to move the whole map_poke_run update as arch specific code. [0] https://syzkaller.appspot.com/bug?extid=97a4fe20470e9bc30810 Fixes: ebf7d1f508 ("bpf, x64: rework pro/epilogue and tailcall handling in JIT") Reported-by: syzbot+97a4fe20470e9bc30810@syzkaller.appspotmail.com Signed-off-by: Jiri Olsa <jolsa@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Yonghong Song <yonghong.song@linux.dev> Cc: Lee Jones <lee@kernel.org> Cc: Maciej Fijalkowski <maciej.fijalkowski@intel.com> Link: https://lore.kernel.org/bpf/20231206083041.1306660-2-jolsa@kernel.org		2023-12-06 22:40:16 +01:00
..
preload
arraymap.c	bpf: Fix prog_array_map_poke_run map poke update	2023-12-06 22:40:16 +01:00
bloom_filter.c
bpf_cgrp_storage.c
bpf_inode_storage.c
bpf_iter.c	bpf: Add __bpf_kfunc_{start,end}_defs macros	2023-11-01 22:33:53 -07:00
bpf_local_storage.c
bpf_lru_list.c
bpf_lru_list.h
bpf_lsm.c
bpf_struct_ops.c
bpf_struct_ops_types.h
bpf_task_storage.c
btf.c
cgroup.c	for-6.7/io_uring-sockopt-2023-10-30	2023-11-01 11:16:34 -10:00
cgroup_iter.c	bpf: Let verifier consider {task,cgroup} is trusted in bpf_iter_reg	2023-11-07 15:24:25 -08:00
core.c	bpf: Fix a verifier bug due to incorrect branch offset comparison with cpu=v4	2023-12-01 15:41:50 -08:00
cpumap.c
cpumask.c	bpf: Add __bpf_kfunc_{start,end}_defs macros	2023-11-01 22:33:53 -07:00
devmap.c
disasm.c
disasm.h
dispatcher.c
hashtab.c	bpf: Fix unnecessary -EBUSY from htab_lock_bucket	2023-10-24 14:25:55 +02:00
helpers.c	bpf: Check map->usercnt after timer->timer is assigned	2023-11-01 22:37:31 -07:00
inode.c	bpf: convert to new timestamp accessors	2023-10-18 14:08:30 +02:00
Kconfig
link_iter.c
local_storage.c
log.c
lpm_trie.c
Makefile
map_in_map.c
map_in_map.h
map_iter.c	bpf: Add __bpf_kfunc_{start,end}_defs macros	2023-11-01 22:33:53 -07:00
memalloc.c	bpf: Add missed allocation hint for bpf_mem_cache_alloc_flags()	2023-11-26 18:00:26 -08:00
mmap_unlock_work.h
mprog.c
net_namespace.c
offload.c
percpu_freelist.c
percpu_freelist.h
prog_iter.c
queue_stack_maps.c
reuseport_array.c
ringbuf.c	bpf: Fold smp_mb__before_atomic() into atomic_set_release()	2023-10-24 14:26:07 +02:00
stackmap.c
syscall.c	netkit, bpf: Add bpf programmable net device	2023-10-24 16:06:03 -07:00
sysfs_btf.c
task_iter.c	bpf: Let verifier consider {task,cgroup} is trusted in bpf_iter_reg	2023-11-07 15:24:25 -08:00
tcx.c	bpf, tcx: Get rid of tcx_link_const	2023-10-23 15:01:53 -07:00
tnum.c
trampoline.c
verifier.c	bpf: keep track of max number of bpf_loop callback iterations	2023-11-20 18:36:40 -08:00