[2/2] bpf: Assign bpf_tramp_run_ctx::saved_run_ctx before recursion check.

Message ID	20230830080405.251926-3-bigeasy@linutronix.de (mailing list archive)
State	Accepted
Commit	6764e767f4af1e35f87f3497e1182d945de37f93
Delegated to:	BPF
Headers	show Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 358C11871 for <bpf@vger.kernel.org>; Wed, 30 Aug 2023 08:04:19 +0000 (UTC) From: Sebastian Andrzej Siewior <bigeasy@linutronix.de> To: bpf@vger.kernel.org Cc: Alexei Starovoitov <ast@kernel.org>, Daniel Borkmann <daniel@iogearbox.net>, John Fastabend <john.fastabend@gmail.com>, Andrii Nakryiko <andrii@kernel.org>, Martin KaFai Lau <martin.lau@linux.dev>, Song Liu <song@kernel.org>, Yonghong Song <yhs@fb.com>, KP Singh <kpsingh@kernel.org>, Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>, Jiri Olsa <jolsa@kernel.org>, Kui-Feng Lee <kuifeng@fb.com>, Thomas Gleixner <tglx@linutronix.de>, Sebastian Andrzej Siewior <bigeasy@linutronix.de> Subject: [PATCH 2/2] bpf: Assign bpf_tramp_run_ctx::saved_run_ctx before recursion check. Date: Wed, 30 Aug 2023 10:04:05 +0200 Message-Id: <20230830080405.251926-3-bigeasy@linutronix.de> In-Reply-To: <20230830080405.251926-1-bigeasy@linutronix.de> References: <20230830080405.251926-1-bigeasy@linutronix.de> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable
Series	bpf: Recursion detection related fixes. \| expand [0/2] bpf: Recursion detection related fixes. [1/2] bpf: Invoke __bpf_prog_exit_sleepable_recur() on recursion in kern_sys_bpf(). [2/2] bpf: Assign bpf_tramp_run_ctx::saved_run_ctx before recursion check.

Context	Check	Description
bpf/vmtest-bpf-next-PR	success	PR summary
netdev/series_format	warning	Target tree name not specified in the subject
netdev/tree_selection	success	Guessed tree name to be net-next
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 1332 this patch: 1332
netdev/cc_maintainers	warning	1 maintainers not CCed: yonghong.song@linux.dev
netdev/build_clang	success	Errors and warnings before: 1353 this patch: 1353
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	success	Errors and warnings before: 1355 this patch: 1355
netdev/checkpatch	warning	WARNING: Please use correct Fixes: style 'Fixes: <12 chars of sha1> ("<title line>")' - ie: 'Fixes: e384c7b7b46d ("bpf, x86: Create bpf_tramp_run_ctx on the caller thread's stack")'
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0
bpf/vmtest-bpf-next-VM_Test-9	success	Logs for test_maps on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-8	success	Logs for test_maps on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-18	success	Logs for test_progs_no_alu32_parallel on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-19	success	Logs for test_progs_no_alu32_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-20	success	Logs for test_progs_no_alu32_parallel on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-21	success	Logs for test_progs_parallel on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-22	success	Logs for test_progs_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-23	success	Logs for test_progs_parallel on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-24	success	Logs for test_verifier on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-25	success	Logs for test_verifier on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-26	success	Logs for test_verifier on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-27	success	Logs for test_verifier on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-28	success	Logs for veristat
bpf/vmtest-bpf-next-VM_Test-10	fail	Logs for test_progs on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-13	fail	Logs for test_progs on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-12	fail	Logs for test_progs on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-16	fail	Logs for test_progs_no_alu32 on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-14	fail	Logs for test_progs_no_alu32 on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-17	fail	Logs for test_progs_no_alu32 on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-11	fail	Logs for test_progs on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-15	fail	Logs for test_progs_no_alu32 on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-0	success	Logs for ${{ matrix.test }} on ${{ matrix.arch }} with ${{ matrix.toolchain_full }}
bpf/vmtest-bpf-next-VM_Test-1	success	Logs for ShellCheck
bpf/vmtest-bpf-next-VM_Test-3	fail	Logs for build for s390x with gcc
bpf/vmtest-bpf-next-VM_Test-2	success	Logs for build for aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-4	success	Logs for build for x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-5	success	Logs for build for x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-6	success	Logs for set-matrix
bpf/vmtest-bpf-next-VM_Test-7	success	Logs for veristat

Sebastian Andrzej Siewior Aug. 30, 2023, 8:04 a.m. UTC

__bpf_prog_enter() assigns bpf_tramp_run_ctx::saved_run_ctx before
performing the recursion check which means in case of a recursion
__bpf_prog_exit() uses the previously set
bpf_tramp_run_ctx::saved_run_ctx value.

__bpf_prog_enter_sleepable() assigns bpf_tramp_run_ctx::saved_run_ctx
after the recursion check which means in case of a recursion
__bpf_prog_exit_sleepable() uses an uninitialized value.
This does not look right. If I read the entry trampoline code right,
then bpf_tramp_run_ctx isn't initialized upfront.

Align __bpf_prog_enter_sleepable() with __bpf_prog_enter() and set
bpf_tramp_run_ctx::saved_run_ctx before the recursion check is made.
Remove the assignment of saved_run_ctx in kern_sys_bpf() since it
happens a few cycles later.

Fixes: e384c7b7b46d0 ("bpf, x86: Create bpf_tramp_run_ctx on the caller thread's stack")
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
 kernel/bpf/syscall.c    | 1 -
 kernel/bpf/trampoline.c | 5 ++---
 2 files changed, 2 insertions(+), 4 deletions(-)

Jiri Olsa Sept. 1, 2023, 2:13 p.m. UTC | #1

On Wed, Aug 30, 2023 at 10:04:05AM +0200, Sebastian Andrzej Siewior wrote:
> __bpf_prog_enter() assigns bpf_tramp_run_ctx::saved_run_ctx before

I guess you meant __bpf_prog_enter_recur right?

> performing the recursion check which means in case of a recursion
> __bpf_prog_exit() uses the previously set
> bpf_tramp_run_ctx::saved_run_ctx value.
> 
> __bpf_prog_enter_sleepable() assigns bpf_tramp_run_ctx::saved_run_ctx

__bpf_prog_enter_sleepable_recur ?

> after the recursion check which means in case of a recursion
> __bpf_prog_exit_sleepable() uses an uninitialized value.
> This does not look right. If I read the entry trampoline code right,
> then bpf_tramp_run_ctx isn't initialized upfront.
> 
> Align __bpf_prog_enter_sleepable() with __bpf_prog_enter() and set

ditto

> bpf_tramp_run_ctx::saved_run_ctx before the recursion check is made.
> Remove the assignment of saved_run_ctx in kern_sys_bpf() since it
> happens a few cycles later.
> 
> Fixes: e384c7b7b46d0 ("bpf, x86: Create bpf_tramp_run_ctx on the caller thread's stack")
> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>

makes sense to me.. I ran selftests and all passed
CI seems to fail due to unrelated issues that are just being fixed

Acked-by: Jiri Olsa <jolsa@kernel.org>

jirka

> ---
>  kernel/bpf/syscall.c    | 1 -
>  kernel/bpf/trampoline.c | 5 ++---
>  2 files changed, 2 insertions(+), 4 deletions(-)
> 
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index c925c270ed8b4..1480b6cf12f06 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -5304,7 +5304,6 @@ int kern_sys_bpf(int cmd, union bpf_attr *attr, unsigned int size)
>  		}
>  
>  		run_ctx.bpf_cookie = 0;
> -		run_ctx.saved_run_ctx = NULL;
>  		if (!__bpf_prog_enter_sleepable_recur(prog, &run_ctx)) {
>  			/* recursion detected */
>  			__bpf_prog_exit_sleepable_recur(prog, 0, &run_ctx);
> diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
> index 78acf28d48732..53ff50cac61ea 100644
> --- a/kernel/bpf/trampoline.c
> +++ b/kernel/bpf/trampoline.c
> @@ -926,13 +926,12 @@ u64 notrace __bpf_prog_enter_sleepable_recur(struct bpf_prog *prog,
>  	migrate_disable();
>  	might_fault();
>  
> +	run_ctx->saved_run_ctx = bpf_set_run_ctx(&run_ctx->run_ctx);
> +
>  	if (unlikely(this_cpu_inc_return(*(prog->active)) != 1)) {
>  		bpf_prog_inc_misses_counter(prog);
>  		return 0;
>  	}
> -
> -	run_ctx->saved_run_ctx = bpf_set_run_ctx(&run_ctx->run_ctx);
> -
>  	return bpf_prog_start_time();
>  }
>  
> -- 
> 2.40.1
>

Sebastian Andrzej Siewior Sept. 1, 2023, 2:19 p.m. UTC | #2

On 2023-09-01 16:13:04 [+0200], Jiri Olsa wrote:
> On Wed, Aug 30, 2023 at 10:04:05AM +0200, Sebastian Andrzej Siewior wrote:
> > __bpf_prog_enter() assigns bpf_tramp_run_ctx::saved_run_ctx before
> 
> I guess you meant __bpf_prog_enter_recur right?
> 
> > performing the recursion check which means in case of a recursion
> > __bpf_prog_exit() uses the previously set
> > bpf_tramp_run_ctx::saved_run_ctx value.
> > 
> > __bpf_prog_enter_sleepable() assigns bpf_tramp_run_ctx::saved_run_ctx
> 
> __bpf_prog_enter_sleepable_recur ?
> 
> > after the recursion check which means in case of a recursion
> > __bpf_prog_exit_sleepable() uses an uninitialized value.
> > This does not look right. If I read the entry trampoline code right,
> > then bpf_tramp_run_ctx isn't initialized upfront.
> > 
> > Align __bpf_prog_enter_sleepable() with __bpf_prog_enter() and set
> 
> ditto

Yes, in both cases. The ones I mentioned have no conditionals. Sorry.

> jirka

Sebastian

Daniel Borkmann Sept. 6, 2023, 8:52 a.m. UTC | #3

On 9/1/23 4:19 PM, Sebastian Andrzej Siewior wrote:
> On 2023-09-01 16:13:04 [+0200], Jiri Olsa wrote:
>> On Wed, Aug 30, 2023 at 10:04:05AM +0200, Sebastian Andrzej Siewior wrote:
>>> __bpf_prog_enter() assigns bpf_tramp_run_ctx::saved_run_ctx before
>>
>> I guess you meant __bpf_prog_enter_recur right?
>>
>>> performing the recursion check which means in case of a recursion
>>> __bpf_prog_exit() uses the previously set
>>> bpf_tramp_run_ctx::saved_run_ctx value.
>>>
>>> __bpf_prog_enter_sleepable() assigns bpf_tramp_run_ctx::saved_run_ctx
>>
>> __bpf_prog_enter_sleepable_recur ?
>>
>>> after the recursion check which means in case of a recursion
>>> __bpf_prog_exit_sleepable() uses an uninitialized value.
>>> This does not look right. If I read the entry trampoline code right,
>>> then bpf_tramp_run_ctx isn't initialized upfront.
>>>
>>> Align __bpf_prog_enter_sleepable() with __bpf_prog_enter() and set
>>
>> ditto
> 
> Yes, in both cases. The ones I mentioned have no conditionals. Sorry.

Sebastian, I fixed this up and also the __bpf_prog_exit*() presumably should
have been the _recur flavor.

https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=6764e767f4af1e35f87f3497e1182d945de37f93

Thanks,
Daniel

Sebastian Andrzej Siewior Sept. 7, 2023, 10:12 a.m. UTC | #4

On 2023-09-06 10:52:36 [+0200], Daniel Borkmann wrote:
> Sebastian, I fixed this up and also the __bpf_prog_exit*() presumably should
> have been the _recur flavor.

I'm sorry, for not following up in time. Thank you.

> https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=6764e767f4af1e35f87f3497e1182d945de37f93
> 
> Thanks,
> Daniel

Sebastian

[2/2] bpf: Assign bpf_tramp_run_ctx::saved_run_ctx before recursion check.

Checks

Commit Message

Comments

Patch