Ksawlii/kernel_samsung_a53x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
kernel_samsung_a53x/kernel/bpf
History
Maciej Fijalkowski 7d4a3d040e bpf: fix OOB devmap writes when deleting elements 
commit ab244dd7cf4c291f82faacdc50b45cc0f55b674d upstream.

Jordy reported issue against XSKMAP which also applies to DEVMAP - the
index used for accessing map entry, due to being a signed integer,
causes the OOB writes. Fix is simple as changing the type from int to
u32, however, when compared to XSKMAP case, one more thing needs to be
addressed.

When map is released from system via dev_map_free(), we iterate through
all of the entries and an iterator variable is also an int, which
implies OOB accesses. Again, change it to be u32.

Example splat below:

[  160.724676] BUG: unable to handle page fault for address: ffffc8fc2c001000
[  160.731662] #PF: supervisor read access in kernel mode
[  160.736876] #PF: error_code(0x0000) - not-present page
[  160.742095] PGD 0 P4D 0
[  160.744678] Oops: Oops: 0000 [#1] PREEMPT SMP
[  160.749106] CPU: 1 UID: 0 PID: 520 Comm: kworker/u145:12 Not tainted 6.12.0-rc1+ #487
[  160.757050] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019
[  160.767642] Workqueue: events_unbound bpf_map_free_deferred
[  160.773308] RIP: 0010:dev_map_free+0x77/0x170
[  160.777735] Code: 00 e8 fd 91 ed ff e8 b8 73 ed ff 41 83 7d 18 19 74 6e 41 8b 45 24 49 8b bd f8 00 00 00 31 db 85 c0 74 48 48 63 c3 48 8d 04 c7 <48> 8b 28 48 85 ed 74 30 48 8b 7d 18 48 85 ff 74 05 e8 b3 52 fa ff
[  160.796777] RSP: 0018:ffffc9000ee1fe38 EFLAGS: 00010202
[  160.802086] RAX: ffffc8fc2c001000 RBX: 0000000080000000 RCX: 0000000000000024
[  160.809331] RDX: 0000000000000000 RSI: 0000000000000024 RDI: ffffc9002c001000
[  160.816576] RBP: 0000000000000000 R08: 0000000000000023 R09: 0000000000000001
[  160.823823] R10: 0000000000000001 R11: 00000000000ee6b2 R12: dead000000000122
[  160.831066] R13: ffff88810c928e00 R14: ffff8881002df405 R15: 0000000000000000
[  160.838310] FS:  0000000000000000(0000) GS:ffff8897e0c40000(0000) knlGS:0000000000000000
[  160.846528] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  160.852357] CR2: ffffc8fc2c001000 CR3: 0000000005c32006 CR4: 00000000007726f0
[  160.859604] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  160.866847] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  160.874092] PKRU: 55555554
[  160.876847] Call Trace:
[  160.879338]  <TASK>
[  160.881477]  ? __die+0x20/0x60
[  160.884586]  ? page_fault_oops+0x15a/0x450
[  160.888746]  ? search_extable+0x22/0x30
[  160.892647]  ? search_bpf_extables+0x5f/0x80
[  160.896988]  ? exc_page_fault+0xa9/0x140
[  160.900973]  ? asm_exc_page_fault+0x22/0x30
[  160.905232]  ? dev_map_free+0x77/0x170
[  160.909043]  ? dev_map_free+0x58/0x170
[  160.912857]  bpf_map_free_deferred+0x51/0x90
[  160.917196]  process_one_work+0x142/0x370
[  160.921272]  worker_thread+0x29e/0x3b0
[  160.925082]  ? rescuer_thread+0x4b0/0x4b0
[  160.929157]  kthread+0xd4/0x110
[  160.932355]  ? kthread_park+0x80/0x80
[  160.936079]  ret_from_fork+0x2d/0x50
[  160.943396]  ? kthread_park+0x80/0x80
[  160.950803]  ret_from_fork_asm+0x11/0x20
[  160.958482]  </TASK>

Fixes: 546ac1ffb70d ("bpf: add devmap, a map for storing net device references")
CC: stable@vger.kernel.org
Reported-by: Jordy Zomer <jordyzomer@google.com>
Suggested-by: Jordy Zomer <jordyzomer@google.com>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Link: https://lore.kernel.org/r/20241122121030.716788-3-maciej.fijalkowski@intel.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-12-17 13:24:29 +01:00
..
preload Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
arraymap.c Revert "bpf: Check percpu map value size first" 2024-11-24 00:22:59 +01:00
bpf_inode_storage.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
bpf_iter.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
bpf_local_storage.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
bpf_lru_list.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
bpf_lru_list.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
bpf_lsm.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
bpf_struct_ops.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
bpf_struct_ops_types.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
btf.c bpf: Eliminate remaining "make W=1" warnings in kernel/bpf/btf.o 2024-11-23 23:20:08 +01:00
cgroup.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
core.c bpf: Detect IP == ksym.end as part of BPF program 2024-11-18 11:43:12 +01:00
cpumap.c bpf: report RCU QS in cpumap kthread 2024-11-19 08:45:00 +01:00
devmap.c bpf: fix OOB devmap writes when deleting elements 2024-12-17 13:24:29 +01:00
disasm.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
disasm.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
dispatcher.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
hashtab.c Revert "bpf: Check percpu map value size first" 2024-11-24 00:22:59 +01:00
helpers.c Revert "bpf: Fix bpf_strtol and bpf_strtoul helpers for 32bit" 2024-11-24 00:23:22 +01:00
inode.c Revert "fs: add file and path permissions helpers" 2024-11-19 13:30:21 +01:00
local_storage.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
lpm_trie.c bpf: Fix exact match conditions in trie_get_next_key() 2024-12-17 13:24:28 +01:00
Makefile Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
map_in_map.c bpf: Add map and need_defer parameters to .map_fd_put_ptr() 2024-11-18 12:13:12 +01:00
map_in_map.h bpf: Add map and need_defer parameters to .map_fd_put_ptr() 2024-11-18 12:13:12 +01:00
map_iter.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
net_namespace.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
offload.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
percpu_freelist.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
percpu_freelist.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
prog_iter.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
queue_stack_maps.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
reuseport_array.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ringbuf.c bpf: Fix overrunning reservations in ringbuf 2024-11-19 14:19:51 +01:00
stackmap.c bpf: Fix stackmap overflow check on 32-bit arches 2024-11-19 08:44:49 +01:00
syscall.c bpf: In bpf_task_fd_query use fget_task 2024-11-19 12:27:27 +01:00
sysfs_btf.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
task_iter.c file: Replace fcheck_files with files_lookup_fd_rcu 2024-11-19 12:27:27 +01:00
tnum.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
trampoline.c Revert "x86/ibt,ftrace: Search for __fentry__ location" 2024-11-24 00:23:31 +01:00
verifier.c bpf: use kvzmalloc to allocate BPF verifier environment 2024-11-30 02:33:27 +01:00