leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
b9aff38de2cb166476988020428985c5f7412ffc
linux/kernel
History
Yonghong Song b9aff38de2 bpf: Fix a potential deadlock with bpf_map_do_batch 
Commit 057996380a ("bpf: Add batch ops to all htab bpf map")
added lookup_and_delete batch operation for hash table.
The current implementation has bpf_lru_push_free() inside
the bucket lock, which may cause a deadlock.

syzbot reports:
   -> #2 (&htab->buckets[i].lock#2){....}:
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:159
       htab_lru_map_delete_node+0xce/0x2f0 kernel/bpf/hashtab.c:593
       __bpf_lru_list_shrink_inactive kernel/bpf/bpf_lru_list.c:220 [inline]
       __bpf_lru_list_shrink+0xf9/0x470 kernel/bpf/bpf_lru_list.c:266
       bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:340 [inline]
       bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline]
       bpf_lru_pop_free+0x87c/0x1670 kernel/bpf/bpf_lru_list.c:499
       prealloc_lru_pop+0x2c/0xa0 kernel/bpf/hashtab.c:132
       __htab_lru_percpu_map_update_elem+0x67e/0xa90 kernel/bpf/hashtab.c:1069
       bpf_percpu_hash_update+0x16e/0x210 kernel/bpf/hashtab.c:1585
       bpf_map_update_value.isra.0+0x2d7/0x8e0 kernel/bpf/syscall.c:181
       generic_map_update_batch+0x41f/0x610 kernel/bpf/syscall.c:1319
       bpf_map_do_batch+0x3f5/0x510 kernel/bpf/syscall.c:3348
       __do_sys_bpf+0x9b7/0x41e0 kernel/bpf/syscall.c:3460
       __se_sys_bpf kernel/bpf/syscall.c:3355 [inline]
       __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:3355
       do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

   -> #0 (&loc_l->lock){....}:
       check_prev_add kernel/locking/lockdep.c:2475 [inline]
       check_prevs_add kernel/locking/lockdep.c:2580 [inline]
       validate_chain kernel/locking/lockdep.c:2970 [inline]
       __lock_acquire+0x2596/0x4a00 kernel/locking/lockdep.c:3954
       lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4484
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:159
       bpf_common_lru_push_free kernel/bpf/bpf_lru_list.c:516 [inline]
       bpf_lru_push_free+0x250/0x5b0 kernel/bpf/bpf_lru_list.c:555
       __htab_map_lookup_and_delete_batch+0x8d4/0x1540 kernel/bpf/hashtab.c:1374
       htab_lru_map_lookup_and_delete_batch+0x34/0x40 kernel/bpf/hashtab.c:1491
       bpf_map_do_batch+0x3f5/0x510 kernel/bpf/syscall.c:3348
       __do_sys_bpf+0x1f7d/0x41e0 kernel/bpf/syscall.c:3456
       __se_sys_bpf kernel/bpf/syscall.c:3355 [inline]
       __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:3355
       do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

    Possible unsafe locking scenario:

          CPU0                    CPU2
          ----                    ----
     lock(&htab->buckets[i].lock#2);
                                  lock(&l->lock);
                                  lock(&htab->buckets[i].lock#2);
     lock(&loc_l->lock);

    *** DEADLOCK ***

To fix the issue, for htab_lru_map_lookup_and_delete_batch() in CPU0,
let us do bpf_lru_push_free() out of the htab bucket lock. This can
avoid the above deadlock scenario.

Fixes: 057996380a ("bpf: Add batch ops to all htab bpf map")
Reported-by: syzbot+a38ff3d9356388f2fb83@syzkaller.appspotmail.com
Reported-by: syzbot+122b5421d14e68f29cd1@syzkaller.appspotmail.com
Suggested-by: Hillf Danton <hdanton@sina.com>
Suggested-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Yonghong Song <yhs@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Acked-by: Brian Vazquez <brianvv@google.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Link: https://lore.kernel.org/bpf/20200219234757.3544014-1-yhs@fb.com
2020-02-19 16:01:25 -08:00
..
bpf
bpf: Fix a potential deadlock with bpf_map_do_batch
2020-02-19 16:01:25 -08:00
cgroup
Merge branch 'merge.nfs-fs_parse.1' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2020-02-08 13:26:41 -08:00
configs
debug
Revert "kdb: Get rid of confusing diag msg from "rd" if current task has no regs"
2020-02-06 11:40:09 +00:00
dma
lib/genalloc.c: rename addr_in_gen_pool to gen_pool_has_addr
2019-12-04 19:44:13 -08:00
events
Merge tag 'trace-v5.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
2020-02-06 07:12:11 +00:00
gcov
Revert "um: Enable CONFIG_CONSTRUCTORS"
2020-01-19 22:42:06 +01:00
irq
proc: convert everything to "struct proc_ops"
2020-02-04 03:05:26 +00:00
livepatch
Merge tag 'trace-v5.5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
2019-11-27 11:42:01 -08:00
locking
proc: convert everything to "struct proc_ops"
2020-02-04 03:05:26 +00:00
power
Merge back new material related to system-wide PM for v5.6.
2020-01-23 16:00:56 +01:00
printk
printk: fix exclusive_console replaying
2020-01-02 16:15:04 +01:00
rcu
rcu: Forgive slow expedited grace periods at boot time
2020-01-25 12:00:40 -08:00
sched
proc: convert everything to "struct proc_ops"
2020-02-04 03:05:26 +00:00
time
Merge tag 'y2038-drivers-for-v5.6-signed' of git://git.kernel.org:/pub/scm/linux/kernel/git/arnd/playground
2020-01-29 14:55:47 -08:00
trace
Merge tag 'trace-v5.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
2020-02-06 07:12:11 +00:00
.gitignore
Provide in-kernel headers to make extending kernel easier
2019-04-29 16:48:03 +02:00
acct.c
acct: stop using get_seconds()
2019-12-18 18:07:31 +01:00
async.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441
2019-06-05 17:37:17 +02:00
audit_fsnotify.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157
2019-05-30 11:26:37 -07:00
audit_tree.c
fsnotify: switch send_to_group() and ->handle_event to const struct qstr *
2019-04-26 13:51:03 -04:00
audit_watch.c
audit_get_nd(): don't unlock parent too early
2019-11-10 11:56:55 -05:00
audit.c
audit: Add __rcu annotation to RCU pointer
2019-12-09 15:19:03 -05:00
audit.h
Merge tag 'audit-pr-20190702' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit
2019-07-08 18:55:42 -07:00
auditfilter.c
Merge tag 'audit-pr-20190702' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit
2019-07-08 18:55:42 -07:00
auditsc.c
Revert "bpf: Emit audit messages upon successful prog load and unload"
2019-11-23 09:56:02 -08:00
backtracetest.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441
2019-06-05 17:37:17 +02:00
bounds.c
capability.c
compat.c
y2038: itimer: compat handling to itimer.c
2019-11-15 14:38:30 +01:00
configs.c
proc: convert everything to "struct proc_ops"
2020-02-04 03:05:26 +00:00
context_tracking.c
context_tracking: Rename context_tracking_is_enabled() => context_tracking_enabled()
2019-10-29 10:01:12 +01:00
cpu_pm.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282
2019-06-05 17:36:37 +02:00
cpu.c
Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2020-01-28 10:07:09 -08:00
crash_core.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 230
2019-06-19 17:09:06 +02:00
crash_dump.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
cred.c
Merge branch 'dhowells' (patches from DavidH)
2020-01-14 09:56:31 -08:00
delayacct.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 25
2019-05-21 11:52:39 +02:00
dma.c
elfcore.c
kernel/elfcore.c: include proper prototypes
2019-09-25 17:51:39 -07:00
exec_domain.c
exit.c
Merge tag 'for-linus-2020-01-03' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
2020-01-03 11:17:14 -08:00
extable.c
bpf: Allow to resolve bpf trampoline and dispatcher in unwind
2020-01-25 07:12:40 -08:00
fail_function.c
fail_function: no need to check return value of debugfs_create functions
2019-06-03 15:49:06 +02:00
fork.c
Merge tag 'for-linus-hmm' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
2020-01-29 19:56:50 -08:00
freezer.c
Revert "libata, freezer: avoid block device removal while system is frozen"
2019-10-06 09:11:37 -06:00
futex.c
futex: Fix kernel-doc notation warning
2020-01-09 13:23:40 +01:00
gen_kheaders.sh
kheaders: explain why include/config/autoconf.h is excluded from md5sum
2019-11-11 20:10:01 +09:00
groups.c
hung_task.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
iomem.c
mm/nvdimm: add is_ioremap_addr and use that to check ioremap address
2019-07-12 11:05:40 -07:00
irq_work.c
irq_work: Fix IRQ_WORK_BUSY bit clearing
2019-11-15 10:48:37 +01:00
jump_label.c
jump_label: Don't warn on __exit jump entries
2019-08-29 15:10:10 +01:00
kallsyms.c
proc: convert everything to "struct proc_ops"
2020-02-04 03:05:26 +00:00
kcmp.c
Kconfig.freezer
treewide: Add SPDX license identifier - Makefile/Kconfig
2019-05-21 10:50:46 +02:00
Kconfig.hz
treewide: Add SPDX license identifier - Makefile/Kconfig
2019-05-21 10:50:46 +02:00
Kconfig.locks
sched/rt, locking: Use CONFIG_PREEMPTION
2019-12-08 14:37:36 +01:00
Kconfig.preempt
sched/Kconfig: Fix spelling mistake in user-visible help text
2019-11-12 11:35:32 +01:00
kcov.c
kcov: remote coverage support
2019-12-04 19:44:14 -08:00
kexec_core.c
kexec: add machine_kexec_post_load()
2020-01-08 16:32:55 +00:00
kexec_elf.c
kexec_elf: support 32 bit ELF files
2019-09-06 23:58:44 +02:00
kexec_file.c
kexec: add machine_kexec_post_load()
2020-01-08 16:32:55 +00:00
kexec_internal.h
kexec: add machine_kexec_post_load()
2020-01-08 16:32:55 +00:00
kexec.c
kexec: add machine_kexec_post_load()
2020-01-08 16:32:55 +00:00
kheaders.c
kheaders: Move from proc to sysfs
2019-05-24 20:16:01 +02:00
kmod.c
kprobes.c
kprobes: Fix optimize_kprobe()/unoptimize_kprobe() cancellation logic
2020-01-09 12:40:13 +01:00
ksysfs.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 170
2019-05-30 11:26:39 -07:00
kthread.c
kthread: make __kthread_queue_delayed_work static
2019-10-16 09:20:58 -07:00
latencytop.c
proc: convert everything to "struct proc_ops"
2020-02-04 03:05:26 +00:00
Makefile
kcov: ignore fault-inject and stacktrace
2020-01-31 10:30:41 -08:00
module_signature.c
MODSIGN: Export module signature definitions
2019-08-05 18:39:56 -04:00
module_signing.c
MODSIGN: Export module signature definitions
2019-08-05 18:39:56 -04:00
module-internal.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 36
2019-05-24 17:27:11 +02:00
module.c
proc: convert everything to "struct proc_ops"
2020-02-04 03:05:26 +00:00
notifier.c
kernel/notifier.c: remove blocking_notifier_chain_cond_register()
2019-12-04 19:44:12 -08:00
nsproxy.c
ns: Introduce Time Namespace
2020-01-14 12:20:48 +01:00
padata.c
padata: update documentation
2019-12-11 16:37:02 +08:00
panic.c
locking/refcount: Remove unused 'refcount_error_report()' function
2019-11-25 09:15:42 +01:00
params.c
lockdown: Lock down module params that specify hardware parameters (eg. ioport)
2019-08-19 21:54:16 -07:00
pid_namespace.c
fork: extend clone3() to support setting a PID
2019-11-15 23:49:22 +01:00
pid.c
pid: Implement pidfd_getfd syscall
2020-01-13 21:49:36 +01:00
profile.c
proc: convert everything to "struct proc_ops"
2020-02-04 03:05:26 +00:00
ptrace.c
ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()
2020-01-18 13:51:39 +01:00
range.c
reboot.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
relay.c
Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-03-12 13:27:20 -07:00
resource.c
mm/memory_hotplug.c: use PFN_UP / PFN_DOWN in walk_system_ram_range()
2019-09-24 15:54:09 -07:00
rseq.c
rseq: Reject unknown flags on rseq unregister
2019-12-25 10:41:20 +01:00
seccomp.c
seccomp: Check that seccomp_notif is zeroed out by the user
2020-01-02 13:03:45 -08:00
signal.c
sched.h: Annotate sighand_struct with __rcu
2020-01-26 10:54:47 +01:00
smp.c
smp: Remove allocation mask from on_each_cpu_cond.*()
2020-01-24 20:40:09 +01:00
smpboot.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
smpboot.h
softirq.c
Merge branch 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2019-07-08 11:01:13 -07:00
stackleak.c
stacktrace.c
stacktrace: Get rid of unneeded '!!' pattern
2019-11-11 10:30:59 +01:00
stop_machine.c
stop_machine: Make stop_cpus() static
2020-01-17 10:19:21 +01:00
sys_ni.c
y2038: allow disabling time32 system calls
2019-11-15 14:38:30 +01:00
sys.c
prctl: PR_{G,S}ET_IO_FLUSHER to support controlling memory reclaim
2020-01-28 10:09:51 +01:00
sysctl_binary.c
sysctl: Remove the sysctl system call
2019-11-26 13:03:56 -06:00
sysctl-test.c
kunit: allow kunit tests to be loaded as a module
2020-01-09 16:42:29 -07:00
sysctl.c
rcu: Make PREEMPT_RCU be a modifier to TREE_RCU
2019-12-09 12:37:51 -08:00
task_work.c
taskstats.c
taskstats: fix data-race
2019-12-04 15:18:39 +01:00
test_kprobes.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 25
2019-05-21 11:52:39 +02:00
torture.c
torture: Remove exporting of internal functions
2019-08-01 14:30:22 -07:00
tracepoint.c
Merge tag 'trace-v5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
2019-07-18 11:51:00 -07:00
tsacct.c
tsacct: add 64-bit btime field
2019-12-18 18:07:31 +01:00
ucount.c
proc/sysctl: add shared variables for range check
2019-07-18 17:08:07 -07:00
uid16.c
uid16.h
umh.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
up.c
smp: Remove allocation mask from on_each_cpu_cond.*()
2020-01-24 20:40:09 +01:00
user_namespace.c
Merge tag 'keys-namespace-20190627' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
2019-07-08 19:36:47 -07:00
user-return-notifier.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
user.c
Merge tag 'keys-namespace-20190627' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
2019-07-08 19:36:47 -07:00
utsname_sysctl.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441
2019-06-05 17:37:17 +02:00
utsname.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441
2019-06-05 17:37:17 +02:00
watchdog_hld.c
kernel/watchdog_hld.c: hard lockup message should end with a newline
2019-04-19 09:46:05 -07:00
watchdog.c
watchdog/softlockup: Enforce that timestamp is valid on boot
2020-01-17 11:19:22 +01:00
workqueue_internal.h
sched/core, workqueues: Distangle worker accounting from rq lock
2019-04-16 16:55:15 +02:00
workqueue.c
Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2020-01-28 10:07:09 -08:00