Message ID | c3d55cfd8ce7ed989c997d1e3ea2678879227300.1686166633.git.kjlx@templeofstupid.com (mailing list archive) |
---|---|
State | New |
Series | bpf: fix NULL dereference during extable search |
On 6/7/23 2:04 PM, Krister Johansen wrote: > In certain situations a program with subprograms may have a NULL > extable entry. This should not happen, and when it does, it turns a > single trap into multiple. Add a test case for further debugging and to > prevent regressions. N.b: without any other patches this can panic or > oops a kernel. > > Signed-off-by: Krister Johansen <kjlx@templeofstupid.com> > --- > .../bpf/prog_tests/subprogs_extable.c | 35 +++++++++ > .../bpf/progs/test_subprogs_extable.c | 71 +++++++++++++++++++ > 2 files changed, 106 insertions(+) > create mode 100644 tools/testing/selftests/bpf/prog_tests/subprogs_extable.c > create mode 100644 tools/testing/selftests/bpf/progs/test_subprogs_extable.c > > diff --git a/tools/testing/selftests/bpf/prog_tests/subprogs_extable.c b/tools/testing/selftests/bpf/prog_tests/subprogs_extable.c > new file mode 100644 > index 000000000000..18169b7eedf8 > --- /dev/null > +++ b/tools/testing/selftests/bpf/prog_tests/subprogs_extable.c 
> @@ -0,0 +1,35 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* Copyright (c) 2020 Facebook */ This copyright is not correct. > + > +#include <test_progs.h> > +#include <stdbool.h> stdbool.h is not needed. > +#include "test_subprogs_extable.skel.h" > + > +static int duration; > + > +void test_subprogs_extable(void) > +{ > + const int READ_SZ = 456; > + struct test_subprogs_extable *skel; > + int err; > + > + skel = test_subprogs_extable__open(); > + if (CHECK(!skel, "skel_open", "failed to open skeleton\n")) > + return; Please use ASSERT_* macros instead of CHECK macro. The same for below. See some examples in prog_tests directory. > + > + err = test_subprogs_extable__load(skel); > + if (CHECK(err, "skel_load", "failed to load skeleton\n")) > + return; goto cleanup; > + > + err = test_subprogs_extable__attach(skel); > + if (CHECK(err, "skel_attach", "skeleton attach failed: %d\n", err)) > + goto cleanup; > + > + /* trigger tracepoint */ > + ASSERT_OK(trigger_module_test_read(READ_SZ), "trigger_read"); > + > + test_subprogs_extable__detach(skel); > + > +cleanup: > + test_subprogs_extable__destroy(skel); > +} > diff --git a/tools/testing/selftests/bpf/progs/test_subprogs_extable.c b/tools/testing/selftests/bpf/progs/test_subprogs_extable.c > new file mode 100644 > index 000000000000..408137eaaa07 > --- /dev/null > +++ b/tools/testing/selftests/bpf/progs/test_subprogs_extable.c 
> @@ -0,0 +1,71 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* Copyright (c) 2020 Facebook */ the above copyright is not correct. > + > +#include "vmlinux.h" > +#include <bpf/bpf_helpers.h> > +#include <bpf/bpf_tracing.h> > +#include <bpf/bpf_core_read.h> There is no CORE related operation in the program. The above header is not needed. > +#include "../bpf_testmod/bpf_testmod.h" This one is not needed too. > + > +struct { > + __uint(type, BPF_MAP_TYPE_ARRAY); > + __uint(max_entries, 8); > + __type(key, __u32); > + __type(value, __u64); > +} test_array SEC(".maps"); > + > +static __u64 test_cb(struct bpf_map *map, __u32 *key, __u64 *val, void *data) > +{ > + return 1; > +} > + > +static __u64 test_cb2(struct bpf_map *map, __u32 *key, __u64 *val, void *data) > +{ > + return 1; > +} > + > +static __u64 test_cb3(struct bpf_map *map, __u32 *key, __u64 *val, void *data) > +{ > + return 1; > +} We can just have one test_cb and used for all programs, right? Or more subprograms increase the chance of the test failure? > + > +SEC("fexit/bpf_testmod_return_ptr") > +int BPF_PROG(handle_fexit_ret_subprogs, int arg, struct file *ret) > +{ > + long buf = 0; > + > + bpf_probe_read_kernel(&buf, 8, ret); > + bpf_probe_read_kernel(&buf, 8, (char *)ret + 256); The above bpf_probe_read_kernel() things are not necessary, right? > + *(volatile long long *)ret; just 'volatile long' should be enough. 
> + *(volatile int *)&ret->f_mode; > + bpf_for_each_map_elem(&test_array, test_cb, NULL, 0); > + return 0; > +} > + > +SEC("fexit/bpf_testmod_return_ptr") > +int BPF_PROG(handle_fexit_ret_subprogs2, int arg, struct file *ret) > +{ > + long buf = 0; > + > + bpf_probe_read_kernel(&buf, 8, ret); > + bpf_probe_read_kernel(&buf, 8, (char *)ret + 256); > + *(volatile long long *)ret; > + *(volatile int *)&ret->f_mode; > + bpf_for_each_map_elem(&test_array, test_cb2, NULL, 0); > + return 0; > +} > + > +SEC("fexit/bpf_testmod_return_ptr") > +int BPF_PROG(handle_fexit_ret_subprogs3, int arg, struct file *ret) > +{ > + long buf = 0; > + > + bpf_probe_read_kernel(&buf, 8, ret); > + bpf_probe_read_kernel(&buf, 8, (char *)ret + 256); > + *(volatile long long *)ret; > + *(volatile int *)&ret->f_mode; > + bpf_for_each_map_elem(&test_array, test_cb3, NULL, 0); > + return 0; > +} > + > +char _license[] SEC("license") = "GPL";
On 6/7/23 2:04 PM, Krister Johansen wrote:
> In certain situations a program with subprograms may have a NULL
> extable entry. This should not happen, and when it does, it turns a
> single trap into multiple. Add a test case for further debugging and to
> prevent regressions. N.b: without any other patches this can panic or
> oops a kernel.

Also, it would be great if you can show the kernel oops stack trace.

>
> Signed-off-by: Krister Johansen <kjlx@templeofstupid.com>
> ---
>  .../bpf/prog_tests/subprogs_extable.c | 35 +++++++++
>  .../bpf/progs/test_subprogs_extable.c | 71 +++++++++++++++++++
>  2 files changed, 106 insertions(+)
>  create mode 100644 tools/testing/selftests/bpf/prog_tests/subprogs_extable.c
>  create mode 100644 tools/testing/selftests/bpf/progs/test_subprogs_extable.c
>
[...]
On Thu, Jun 8, 2023 at 10:40 AM Yonghong Song <yhs@meta.com> wrote:
>
>
>
> On 6/7/23 2:04 PM, Krister Johansen wrote:
> > In certain situations a program with subprograms may have a NULL
> > extable entry. This should not happen, and when it does, it turns a
> > single trap into multiple. Add a test case for further debugging and to
> > prevent regressions. N.b: without any other patches this can panic or
> > oops a kernel.
>
> Also, it would be great if you can show the kernel oops stack trace.

+1
Also please reorder the patches.
patch 1 - fix
patch 2 - test for the fix.
diff --git a/tools/testing/selftests/bpf/prog_tests/subprogs_extable.c b/tools/testing/selftests/bpf/prog_tests/subprogs_extable.c new file mode 100644 index 000000000000..18169b7eedf8 --- /dev/null +++ b/tools/testing/selftests/bpf/prog_tests/subprogs_extable.c @@ -0,0 +1,35 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Copyright (c) 2020 Facebook */ + +#include <test_progs.h> +#include <stdbool.h> +#include "test_subprogs_extable.skel.h" + +static int duration; + +void test_subprogs_extable(void) +{ + const int READ_SZ = 456; + struct test_subprogs_extable *skel; + int err; + + skel = test_subprogs_extable__open(); + if (CHECK(!skel, "skel_open", "failed to open skeleton\n")) + return; + + err = test_subprogs_extable__load(skel); + if (CHECK(err, "skel_load", "failed to load skeleton\n")) + return; + + err = test_subprogs_extable__attach(skel); + if (CHECK(err, "skel_attach", "skeleton attach failed: %d\n", err)) + goto cleanup; + + /* trigger tracepoint */ + ASSERT_OK(trigger_module_test_read(READ_SZ), "trigger_read"); + + test_subprogs_extable__detach(skel); + +cleanup: + test_subprogs_extable__destroy(skel); +} diff --git a/tools/testing/selftests/bpf/progs/test_subprogs_extable.c b/tools/testing/selftests/bpf/progs/test_subprogs_extable.c new file mode 100644 index 000000000000..408137eaaa07 --- /dev/null +++ b/tools/testing/selftests/bpf/progs/test_subprogs_extable.c 
@@ -0,0 +1,71 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Copyright (c) 2020 Facebook */ + +#include "vmlinux.h" +#include <bpf/bpf_helpers.h> +#include <bpf/bpf_tracing.h> +#include <bpf/bpf_core_read.h> +#include "../bpf_testmod/bpf_testmod.h" + +struct { + __uint(type, BPF_MAP_TYPE_ARRAY); + __uint(max_entries, 8); + __type(key, __u32); + __type(value, __u64); +} test_array SEC(".maps"); + +static __u64 test_cb(struct bpf_map *map, __u32 *key, __u64 *val, void *data) +{ + return 1; +} + +static __u64 test_cb2(struct bpf_map *map, __u32 *key, __u64 *val, void *data) +{ + return 1; +} + +static __u64 test_cb3(struct bpf_map *map, __u32 *key, __u64 *val, void *data) +{ + return 1; +} + +SEC("fexit/bpf_testmod_return_ptr") +int BPF_PROG(handle_fexit_ret_subprogs, int arg, struct file *ret) +{ + long buf = 0; + + bpf_probe_read_kernel(&buf, 8, ret); + bpf_probe_read_kernel(&buf, 8, (char *)ret + 256); + *(volatile long long *)ret; + *(volatile int *)&ret->f_mode; + bpf_for_each_map_elem(&test_array, test_cb, NULL, 0); + return 0; +} + +SEC("fexit/bpf_testmod_return_ptr") +int BPF_PROG(handle_fexit_ret_subprogs2, int arg, struct file *ret) +{ + long buf = 0; + + bpf_probe_read_kernel(&buf, 8, ret); + bpf_probe_read_kernel(&buf, 8, (char *)ret + 256); + *(volatile long long *)ret; + *(volatile int *)&ret->f_mode; + bpf_for_each_map_elem(&test_array, test_cb2, NULL, 0); + return 0; +} + +SEC("fexit/bpf_testmod_return_ptr") +int BPF_PROG(handle_fexit_ret_subprogs3, int arg, struct file *ret) +{ + long buf = 0; + + bpf_probe_read_kernel(&buf, 8, ret); + bpf_probe_read_kernel(&buf, 8, (char *)ret + 256); + *(volatile long long *)ret; + *(volatile int *)&ret->f_mode; + bpf_for_each_map_elem(&test_array, test_cb3, NULL, 0); + return 0; +} + +char _license[] SEC("license") = "GPL";
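Review bot: in prog_tests/subprogs_extable.c, the load-failure path of test_subprogs_extable() leaks the skeleton: when test_subprogs_extable__load() fails the code does `return;`, so test_subprogs_extable__destroy(skel) is never called even though the open succeeded. Use `goto cleanup;` there, as the attach-failure path already does. The `/* trigger tracepoint */` comment is also misleading, because the programs this skeleton attaches are `fexit/bpf_testmod_return_ptr` programs rather than tracepoints. Converting the CHECK() calls to ASSERT_OK_PTR()/ASSERT_OK() would also let `static int duration;` be dropped.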
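Review bot: in progs/test_subprogs_extable.c, none of the three fexit programs records that its direct loads through `ret` were reached, so the userspace test has nothing to assert beyond trigger_module_test_read() returning 0 and the kernel staying up. Add a global that each handler sets after `*(volatile int *)&ret->f_mode;` and check it from the test, so that a run in which the programs never fired does not pass silently. The three handlers and the three callbacks test_cb, test_cb2 and test_cb3 are identical apart from the callback name; a short comment stating why three copies are needed to reach the NULL extable case would stop a later cleanup from collapsing them. `buf` and the return values of both bpf_probe_read_kernel() calls are unused, so either drop those calls or say why they matter to the reproduction.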
In certain situations a program with subprograms may have a NULL
extable entry. This should not happen, and when it does, it turns a
single trap into multiple. Add a test case for further debugging and to
prevent regressions. N.b: without any other patches this can panic or
oops a kernel.

Signed-off-by: Krister Johansen <kjlx@templeofstupid.com>
---
 .../bpf/prog_tests/subprogs_extable.c | 35 +++++++++
 .../bpf/progs/test_subprogs_extable.c | 71 +++++++++++++++++++
 2 files changed, 106 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/subprogs_extable.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_subprogs_extable.c