LKML Archive on lore.kernel.org help / color / mirror / Atom feed
* [PATCH net 0/2] bpf: fix two bugs
@ 2015-01-23 1:11 Alexei Starovoitov
2015-01-23 1:11 ` [PATCH net 1/2] bpf: rcu lock must not be held when calling copy_to_user() Alexei Starovoitov
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Alexei Starovoitov @ 2015-01-23 1:11 UTC (permalink / raw)
To: David S. Miller; +Cc: Michael Holzheu, Martin Schwidefsky, netdev, linux-kernel
Michael Holzheu caught two issues (in bpf syscall and in the test).
Fix them. Details in corresponding patches.
Alexei Starovoitov (2):
bpf: rcu lock must not be held when calling copy_to_user()
samples: bpf: relax test_maps check
kernel/bpf/syscall.c | 25 +++++++++++++++++--------
samples/bpf/test_maps.c | 4 ++--
2 files changed, 19 insertions(+), 10 deletions(-)
--
1.7.9.5
^ permalink raw reply [flat|nested] 6+ messages in thread* [PATCH net 1/2] bpf: rcu lock must not be held when calling copy_to_user() 2015-01-23 1:11 [PATCH net 0/2] bpf: fix two bugs Alexei Starovoitov @ 2015-01-23 1:11 ` Alexei Starovoitov 2015-01-23 10:15 ` Daniel Borkmann 2015-01-23 1:11 ` [PATCH net 2/2] samples: bpf: relax test_maps check Alexei Starovoitov 2015-01-27 1:21 ` [PATCH net 0/2] bpf: fix two bugs David Miller 2 siblings, 1 reply; 6+ messages in thread From: Alexei Starovoitov @ 2015-01-23 1:11 UTC (permalink / raw) To: David S. Miller; +Cc: Michael Holzheu, Martin Schwidefsky, netdev, linux-kernel BUG: sleeping function called from invalid context at mm/memory.c:3732 in_atomic(): 0, irqs_disabled(): 0, pid: 671, name: test_maps 1 lock held by test_maps/671: #0: (rcu_read_lock){......}, at: [<0000000000264190>] map_lookup_elem+0xe8/0x260 Call Trace: ([<0000000000115b7e>] show_trace+0x12e/0x150) [<0000000000115c40>] show_stack+0xa0/0x100 [<00000000009b163c>] dump_stack+0x74/0xc8 [<000000000017424a>] ___might_sleep+0x23a/0x248 [<00000000002b58e8>] might_fault+0x70/0xe8 [<0000000000264230>] map_lookup_elem+0x188/0x260 [<0000000000264716>] SyS_bpf+0x20e/0x840 Fix it by allocating temporary buffer to store map element value. Fixes: db20fd2b0108 ("bpf: add lookup/update/delete/iterate methods to BPF maps") Reported-by: Michael Holzheu <holzheu@linux.vnet.ibm.com> Signed-off-by: Alexei Starovoitov <ast@plumgrid.com> --- kernel/bpf/syscall.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 088ac0b..536edc2 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -150,7 +150,7 @@ static int map_lookup_elem(union bpf_attr *attr) int ufd = attr->map_fd; struct fd f = fdget(ufd); struct bpf_map *map; - void *key, *value; + void *key, *value, *ptr; int err; if (CHECK_ATTR(BPF_MAP_LOOKUP_ELEM)) @@ -169,20 +169,29 @@ static int map_lookup_elem(union bpf_attr *attr) if (copy_from_user(key, ukey, map->key_size) != 0) goto free_key; - err = -ENOENT; - rcu_read_lock(); - value = map->ops->map_lookup_elem(map, key); + err = -ENOMEM; + value = kmalloc(map->value_size, GFP_USER); if (!value) - goto err_unlock; + goto free_key; + + rcu_read_lock(); + ptr = map->ops->map_lookup_elem(map, key); + if (ptr) + memcpy(value, ptr, map->value_size); + rcu_read_unlock(); + + err = -ENOENT; + if (!ptr) + goto free_value; err = -EFAULT; if (copy_to_user(uvalue, value, map->value_size) != 0) - goto err_unlock; + goto free_value; err = 0; -err_unlock: - rcu_read_unlock(); +free_value: + kfree(value); free_key: kfree(key); err_put: -- 1.7.9.5 ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net 1/2] bpf: rcu lock must not be held when calling copy_to_user() 2015-01-23 1:11 ` [PATCH net 1/2] bpf: rcu lock must not be held when calling copy_to_user() Alexei Starovoitov @ 2015-01-23 10:15 ` Daniel Borkmann 0 siblings, 0 replies; 6+ messages in thread From: Daniel Borkmann @ 2015-01-23 10:15 UTC (permalink / raw) To: Alexei Starovoitov Cc: David S. Miller, Michael Holzheu, Martin Schwidefsky, netdev, linux-kernel On 01/23/2015 02:11 AM, Alexei Starovoitov wrote: > BUG: sleeping function called from invalid context at mm/memory.c:3732 > in_atomic(): 0, irqs_disabled(): 0, pid: 671, name: test_maps > 1 lock held by test_maps/671: > #0: (rcu_read_lock){......}, at: [<0000000000264190>] map_lookup_elem+0xe8/0x260 > Call Trace: > ([<0000000000115b7e>] show_trace+0x12e/0x150) > [<0000000000115c40>] show_stack+0xa0/0x100 > [<00000000009b163c>] dump_stack+0x74/0xc8 > [<000000000017424a>] ___might_sleep+0x23a/0x248 > [<00000000002b58e8>] might_fault+0x70/0xe8 > [<0000000000264230>] map_lookup_elem+0x188/0x260 > [<0000000000264716>] SyS_bpf+0x20e/0x840 > > Fix it by allocating temporary buffer to store map element value. > > Fixes: db20fd2b0108 ("bpf: add lookup/update/delete/iterate methods to BPF maps") > Reported-by: Michael Holzheu <holzheu@linux.vnet.ibm.com> > Signed-off-by: Alexei Starovoitov <ast@plumgrid.com> Looks good to me. Acked-by: Daniel Borkmann <dborkman@redhat.com> ^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH net 2/2] samples: bpf: relax test_maps check 2015-01-23 1:11 [PATCH net 0/2] bpf: fix two bugs Alexei Starovoitov 2015-01-23 1:11 ` [PATCH net 1/2] bpf: rcu lock must not be held when calling copy_to_user() Alexei Starovoitov @ 2015-01-23 1:11 ` Alexei Starovoitov 2015-01-23 10:58 ` Daniel Borkmann 2015-01-27 1:21 ` [PATCH net 0/2] bpf: fix two bugs David Miller 2 siblings, 1 reply; 6+ messages in thread From: Alexei Starovoitov @ 2015-01-23 1:11 UTC (permalink / raw) To: David S. Miller; +Cc: Michael Holzheu, Martin Schwidefsky, netdev, linux-kernel hash map is unordered, so get_next_key() iterator shouldn't rely on particular order of elements. So relax this test. Fixes: ffb65f27a155 ("bpf: add a testsuite for eBPF maps") Reported-by: Michael Holzheu <holzheu@linux.vnet.ibm.com> Signed-off-by: Alexei Starovoitov <ast@plumgrid.com> --- samples/bpf/test_maps.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/samples/bpf/test_maps.c b/samples/bpf/test_maps.c index e286b42..6299ee9 100644 --- a/samples/bpf/test_maps.c +++ b/samples/bpf/test_maps.c @@ -69,9 +69,9 @@ static void test_hashmap_sanity(int i, void *data) /* iterate over two elements */ assert(bpf_get_next_key(map_fd, &key, &next_key) == 0 && - next_key == 2); + (next_key == 1 || next_key == 2)); assert(bpf_get_next_key(map_fd, &next_key, &next_key) == 0 && - next_key == 1); + (next_key == 1 || next_key == 2)); assert(bpf_get_next_key(map_fd, &next_key, &next_key) == -1 && errno == ENOENT); -- 1.7.9.5 ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net 2/2] samples: bpf: relax test_maps check 2015-01-23 1:11 ` [PATCH net 2/2] samples: bpf: relax test_maps check Alexei Starovoitov @ 2015-01-23 10:58 ` Daniel Borkmann 0 siblings, 0 replies; 6+ messages in thread From: Daniel Borkmann @ 2015-01-23 10:58 UTC (permalink / raw) To: Alexei Starovoitov Cc: David S. Miller, Michael Holzheu, Martin Schwidefsky, netdev, linux-kernel On 01/23/2015 02:11 AM, Alexei Starovoitov wrote: > hash map is unordered, so get_next_key() iterator shouldn't > rely on particular order of elements. So relax this test. > > Fixes: ffb65f27a155 ("bpf: add a testsuite for eBPF maps") > Reported-by: Michael Holzheu <holzheu@linux.vnet.ibm.com> > Signed-off-by: Alexei Starovoitov <ast@plumgrid.com> Acked-by: Daniel Borkmann <dborkman@redhat.com> ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net 0/2] bpf: fix two bugs 2015-01-23 1:11 [PATCH net 0/2] bpf: fix two bugs Alexei Starovoitov 2015-01-23 1:11 ` [PATCH net 1/2] bpf: rcu lock must not be held when calling copy_to_user() Alexei Starovoitov 2015-01-23 1:11 ` [PATCH net 2/2] samples: bpf: relax test_maps check Alexei Starovoitov @ 2015-01-27 1:21 ` David Miller 2 siblings, 0 replies; 6+ messages in thread From: David Miller @ 2015-01-27 1:21 UTC (permalink / raw) To: ast; +Cc: holzheu, schwidefsky, netdev, linux-kernel From: Alexei Starovoitov <ast@plumgrid.com> Date: Thu, 22 Jan 2015 17:11:07 -0800 > Michael Holzheu caught two issues (in bpf syscall and in the test). > Fix them. Details in corresponding patches. Series applied, thanks. ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2015-01-27 1:21 UTC | newest] Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2015-01-23 1:11 [PATCH net 0/2] bpf: fix two bugs Alexei Starovoitov 2015-01-23 1:11 ` [PATCH net 1/2] bpf: rcu lock must not be held when calling copy_to_user() Alexei Starovoitov 2015-01-23 10:15 ` Daniel Borkmann 2015-01-23 1:11 ` [PATCH net 2/2] samples: bpf: relax test_maps check Alexei Starovoitov 2015-01-23 10:58 ` Daniel Borkmann 2015-01-27 1:21 ` [PATCH net 0/2] bpf: fix two bugs David Miller
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).