| Message ID | 20220122102936.1219518-1-hefengqing@huawei.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | BPF |
| Headers | show |
| Series | [bpf-next] bpf: Fix possible race in inc_misses_counter | expand |
| Context | Check | Description |
|---|---|---|
| netdev/tree_selection | success | Clearly marked for bpf-next |
| netdev/fixes_present | success | Fixes tag not required for -next series |
| netdev/subject_prefix | success | Link |
| netdev/cover_letter | success | Single patches do not need cover letters |
| netdev/patch_count | success | Link |
| netdev/header_inline | success | No static functions without inline keyword in header files |
| netdev/build_32bit | success | Errors and warnings before: 2 this patch: 2 |
| netdev/cc_maintainers | success | CCed 10 of 10 maintainers |
| netdev/build_clang | success | Errors and warnings before: 22 this patch: 22 |
| netdev/module_param | success | Was 0 now: 0 |
| netdev/verify_signedoff | success | Signed-off-by tag matches author and committer |
| netdev/verify_fixes | success | Fixes tag looks correct |
| netdev/build_allmodconfig_warn | success | Errors and warnings before: 7 this patch: 7 |
| netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 14 lines checked |
| netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
| netdev/source_inline | success | Was 0 now: 0 |
| bpf/vmtest-bpf-next-PR | fail | PR summary |
| bpf/vmtest-bpf-next | fail | VM_Test |
He Fengqing wrote: > It seems inc_misses_counter() suffers from same issue fixed in > the commit d979617aa84d ("bpf: Fixes possible race in update_prog_stats() > for 32bit arches"): > As it can run while interrupts are enabled, it could > be re-entered and the u64_stats syncp could be mangled. > > Fixes: 9ed9e9ba2337 ("bpf: Count the number of times recursion was prevented") > Signed-off-by: He Fengqing <hefengqing@huawei.com> > --- > kernel/bpf/trampoline.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) Appears possible through sleepable progs. Acked-by: John Fastabend <john.fastabend@gmail.com> > diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c > index 4b6974a195c1..5e7edf913060 100644 > --- a/kernel/bpf/trampoline.c > +++ b/kernel/bpf/trampoline.c > @@ -550,11 +550,12 @@ static __always_inline u64 notrace bpf_prog_start_time(void) > static void notrace inc_misses_counter(struct bpf_prog *prog) > { > struct bpf_prog_stats *stats; > + unsigned int flags; > > stats = this_cpu_ptr(prog->stats); > - u64_stats_update_begin(&stats->syncp); > + flags = u64_stats_update_begin_irqsave(&stats->syncp); > u64_stats_inc(&stats->misses); > - u64_stats_update_end(&stats->syncp); > + u64_stats_update_end_irqrestore(&stats->syncp, flags); > } > > /* The logic is similar to bpf_prog_run(), but with an explicit > -- > 2.25.1 >
diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c index 4b6974a195c1..5e7edf913060 100644 --- a/kernel/bpf/trampoline.c +++ b/kernel/bpf/trampoline.c @@ -550,11 +550,12 @@ static __always_inline u64 notrace bpf_prog_start_time(void) static void notrace inc_misses_counter(struct bpf_prog *prog) { struct bpf_prog_stats *stats; + unsigned int flags; stats = this_cpu_ptr(prog->stats); - u64_stats_update_begin(&stats->syncp); + flags = u64_stats_update_begin_irqsave(&stats->syncp); u64_stats_inc(&stats->misses); - u64_stats_update_end(&stats->syncp); + u64_stats_update_end_irqrestore(&stats->syncp, flags); } /* The logic is similar to bpf_prog_run(), but with an explicit
It seems inc_misses_counter() suffers from same issue fixed in the commit d979617aa84d ("bpf: Fixes possible race in update_prog_stats() for 32bit arches"): As it can run while interrupts are enabled, it could be re-entered and the u64_stats syncp could be mangled. Fixes: 9ed9e9ba2337 ("bpf: Count the number of times recursion was prevented") Signed-off-by: He Fengqing <hefengqing@huawei.com> --- kernel/bpf/trampoline.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)