Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-26 06:02:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
f83e38fc9f
linux/kernel/bpf
History
Kumar Kartikeya Dwivedi a6fcd19d7e bpf: Defer work in bpf_timer_cancel_and_free 
Currently, the same case as previous patch (two timer callbacks trying
to cancel each other) can be invoked through bpf_map_update_elem as
well, or more precisely, freeing map elements containing timers. Since
this relies on hrtimer_cancel as well, it is prone to the same deadlock
situation as the previous patch.

It would be sufficient to use hrtimer_try_to_cancel to fix this problem,
as the timer cannot be enqueued after async_cancel_and_free. Once
async_cancel_and_free has been done, the timer must be reinitialized
before it can be armed again. The callback running in parallel trying to
arm the timer will fail, and freeing bpf_hrtimer without waiting is
sufficient (given kfree_rcu), and bpf_timer_cb will return
HRTIMER_NORESTART, preventing the timer from being rearmed again.

However, there exists a UAF scenario where the callback arms the timer
before entering this function, such that if cancellation fails (due to
timer callback invoking this routine, or the target timer callback
running concurrently). In such a case, if the timer expiration is
significantly far in the future, the RCU grace period expiration
happening before it will free the bpf_hrtimer state and along with it
the struct hrtimer, that is enqueued.

Hence, it is clear cancellation needs to occur after
async_cancel_and_free, and yet it cannot be done inline due to deadlock
issues. We thus modify bpf_timer_cancel_and_free to defer work to the
global workqueue, adding a work_struct alongside rcu_head (both used at
_different_ points of time, so can share space).

Update existing code comments to reflect the new state of affairs.

Fixes: b00628b1c7 ("bpf: Introduce bpf timers.")
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20240709185440.1104957-3-memxor@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2024-07-10 15:59:44 -07:00
..
preload
arena.c bpf: Fix remap of arena. 2024-06-18 17:19:46 +02:00
arraymap.c bpf: Do not walk twice the map on free 2024-04-30 16:28:33 +02:00
bloom_filter.c bpf: Check bloom filter map value size 2024-03-27 09:56:17 -07:00
bpf_cgrp_storage.c bpf: Enable bpf_cgrp_storage for cgroup1 non-attach case 2023-12-08 17:08:18 -08:00
bpf_inode_storage.c
bpf_iter.c bpf: move sleepable flag from bpf_prog_aux to bpf_prog 2024-03-11 16:41:25 -07:00
bpf_local_storage.c bpf: fix order of args in call to bpf_map_kvcalloc 2024-07-10 15:31:19 -07:00
bpf_lru_list.c
bpf_lru_list.h bpf: lru: Remove unused declaration bpf_lru_promote() 2023-08-08 17:21:42 -07:00
bpf_lsm.c bpf: Minor clean-up to sleepable_lsm_hooks BTF set 2024-02-01 18:37:45 +01:00
bpf_struct_ops.c bpf: Check return from set_memory_rox() 2024-03-18 14:18:47 -07:00
bpf_task_storage.c
btf.c bpf: Add support for kprobe session context 2024-04-30 09:45:53 -07:00
cgroup_iter.c bpf: Let verifier consider {task,cgroup} is trusted in bpf_iter_reg 2023-11-07 15:24:25 -08:00
cgroup.c bpf: Allow helper bpf_get_[ns_]current_pid_tgid() for all prog types 2024-03-19 14:24:07 -07:00
core.c kallsyms: rework symbol lookup return codes 2024-06-27 17:43:40 +02:00
cpumap.c bpf: report RCU QS in cpumap kthread 2024-03-20 21:05:43 -07:00
cpumask.c bpf: Allow invoking kfuncs from BPF_PROG_TYPE_SYSCALL progs 2024-04-05 10:56:09 -07:00
crypto.c bpf: make common crypto API for TC/XDP programs 2024-04-24 16:01:10 -07:00
devmap.c bpf, devmap: Remove unnecessary if check in for loop 2024-06-03 17:09:23 +02:00
disasm.c bpf: add special internal-only MOV instruction to resolve per-CPU addrs 2024-04-03 10:29:55 -07:00
disasm.h
dispatcher.c bpf: Use arch_bpf_trampoline_size 2023-12-06 17:17:20 -08:00
hashtab.c bpf: Do not walk twice the hash map on free 2024-04-30 16:28:46 +02:00
helpers.c bpf: Defer work in bpf_timer_cancel_and_free 2024-07-10 15:59:44 -07:00
inode.c bpf: Support symbolic BPF FS delegation mount options 2024-01-24 16:21:02 -08:00
Kconfig bpf: remove CONFIG_BPF_JIT dependency on CONFIG_MODULES of 2024-05-14 00:36:29 -07:00
link_iter.c
local_storage.c
log.c bpf: Replace deprecated strncpy with strscpy 2024-04-03 16:57:41 +02:00
lpm_trie.c bpf: Avoid kfree_rcu() under lock in bpf_lpm_trie. 2024-03-29 11:10:41 -07:00
Makefile bpf: crypto: fix build when CONFIG_CRYPTO=m 2024-05-01 13:32:26 -07:00
map_in_map.c bpf: save extended inner map info for percpu array maps as well 2024-05-15 09:34:54 -07:00
map_in_map.h bpf: Add map and need_defer parameters to .map_fd_put_ptr() 2023-12-04 17:50:26 -08:00
map_iter.c bpf: treewide: Annotate BPF kfuncs in BTF 2024-01-31 20:40:56 -08:00
memalloc.c mm: memcg: add NULL check to obj_cgroup_put() 2024-04-25 20:55:43 -07:00
mmap_unlock_work.h
mprog.c bpf: Handle bpf_mprog_query with NULL entry 2023-10-06 17:11:20 -07:00
net_namespace.c
offload.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-09-21 21:49:45 +02:00
percpu_freelist.c
percpu_freelist.h
prog_iter.c
queue_stack_maps.c bpf: Avoid deadlock when using queue and stack maps from NMI 2023-09-11 19:04:49 -07:00
reuseport_array.c
ringbuf.c bpf: Fix overrunning reservations in ringbuf 2024-06-21 13:04:21 -07:00
stackmap.c bpf: Fix stackmap overflow check on 32-bit arches 2024-03-07 20:06:25 -08:00
syscall.c bpf: Fix a potential use-after-free in bpf_link_free() 2024-06-03 18:16:19 +02:00
sysfs_btf.c btf: Avoid weak external references 2024-04-16 16:35:13 +02:00
task_iter.c bpf: Fix an issue due to uninitialized bpf_iter_task 2024-02-19 12:28:15 +01:00
tcx.c bpf, tcx: Get rid of tcx_link_const 2023-10-23 15:01:53 -07:00
tnum.c bpf: simplify tnum output if a fully known constant 2023-12-02 11:36:51 -08:00
token.c bpf,token: Use BIT_ULL() to convert the bit mask 2024-01-29 20:04:55 -08:00
trampoline.c Networking changes for 6.10. 2024-05-14 19:42:24 -07:00
verifier.c bpf: Fix may_goto with negative offset. 2024-06-24 13:44:02 +02:00