diff mbox series

bpf: cgroup: remove WARN_ON at bpf_cgroup_link_release

Message ID 20220227134009.1298488-1-dzm91@hust.edu.cn (mailing list archive)
State Changes Requested
Delegated to: BPF
Headers show
Series bpf: cgroup: remove WARN_ON at bpf_cgroup_link_release | expand

Checks

Context Check Description
bpf/vmtest-bpf-next-PR success PR summary
bpf/vmtest-bpf-next success VM_Test
netdev/tree_selection success Guessing tree name failed - patch did not apply

Commit Message

Dongliang Mu Feb. 27, 2022, 1:40 p.m. UTC
From: Dongliang Mu <mudongliangabcd@gmail.com>

When syzkaller injects fault into memory allocation at
bpf_prog_array_alloc, the kernel encounters a memory failure and
returns non-zero, thus leading to one WARN_ON at
bpf_cgroup_link_release. The stack trace is as follows:

 __kmalloc+0x7e/0x3d0
 bpf_prog_array_alloc+0x4f/0x60
 compute_effective_progs+0x132/0x580
 ? __sanitizer_cov_trace_pc+0x1a/0x40
 update_effective_progs+0x5e/0x260
 __cgroup_bpf_detach+0x293/0x760
 bpf_cgroup_link_release+0xad/0x400
 bpf_link_free+0xca/0x190
 bpf_link_put+0x161/0x1b0
 bpf_link_release+0x33/0x40
 __fput+0x286/0x9f0

Fix this by removing the WARN_ON for __cgroup_bpf_detach.

Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
---
 kernel/bpf/cgroup.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Daniel Borkmann March 1, 2022, 4:28 p.m. UTC | #1
On 2/27/22 2:40 PM, Dongliang Mu wrote:
> From: Dongliang Mu <mudongliangabcd@gmail.com>
> 
> When syzkaller injects fault into memory allocation at
> bpf_prog_array_alloc, the kernel encounters a memory failure and
> returns non-zero, thus leading to one WARN_ON at
> bpf_cgroup_link_release. The stack trace is as follows:
> 
>   __kmalloc+0x7e/0x3d0
>   bpf_prog_array_alloc+0x4f/0x60
>   compute_effective_progs+0x132/0x580
>   ? __sanitizer_cov_trace_pc+0x1a/0x40
>   update_effective_progs+0x5e/0x260
>   __cgroup_bpf_detach+0x293/0x760
>   bpf_cgroup_link_release+0xad/0x400
>   bpf_link_free+0xca/0x190
>   bpf_link_put+0x161/0x1b0
>   bpf_link_release+0x33/0x40
>   __fput+0x286/0x9f0
> 
> Fix this by removing the WARN_ON for __cgroup_bpf_detach.
> 
> Reported-by: syzkaller <syzkaller@googlegroups.com>
> Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
> ---
>   kernel/bpf/cgroup.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
> index 514b4681a90a..fdbdcee6c9fa 100644
> --- a/kernel/bpf/cgroup.c
> +++ b/kernel/bpf/cgroup.c
> @@ -896,8 +896,8 @@ static void bpf_cgroup_link_release(struct bpf_link *link)
>   		return;
>   	}
>   
> -	WARN_ON(__cgroup_bpf_detach(cg_link->cgroup, NULL, cg_link,
> -				    cg_link->type));
> +	__cgroup_bpf_detach(cg_link->cgroup, NULL, cg_link,
> +				    cg_link->type);

"Fixing" by removing WARN_ON is just papering over the issue which in this case as
mentioned is allocation failure on detach/teardown when allocating and recomputing
effective prog arrays..

>   	cg = cg_link->cgroup;
>   	cg_link->cgroup = NULL;
>
Dongliang Mu March 2, 2022, 5:46 a.m. UTC | #2
On Wed, Mar 2, 2022 at 12:28 AM Daniel Borkmann <daniel@iogearbox.net> wrote:
>
> On 2/27/22 2:40 PM, Dongliang Mu wrote:
> > From: Dongliang Mu <mudongliangabcd@gmail.com>
> >
> > When syzkaller injects fault into memory allocation at
> > bpf_prog_array_alloc, the kernel encounters a memory failure and
> > returns non-zero, thus leading to one WARN_ON at
> > bpf_cgroup_link_release. The stack trace is as follows:
> >
> >   __kmalloc+0x7e/0x3d0
> >   bpf_prog_array_alloc+0x4f/0x60
> >   compute_effective_progs+0x132/0x580
> >   ? __sanitizer_cov_trace_pc+0x1a/0x40
> >   update_effective_progs+0x5e/0x260
> >   __cgroup_bpf_detach+0x293/0x760
> >   bpf_cgroup_link_release+0xad/0x400
> >   bpf_link_free+0xca/0x190
> >   bpf_link_put+0x161/0x1b0
> >   bpf_link_release+0x33/0x40
> >   __fput+0x286/0x9f0
> >
> > Fix this by removing the WARN_ON for __cgroup_bpf_detach.
> >
> > Reported-by: syzkaller <syzkaller@googlegroups.com>
> > Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
> > ---
> >   kernel/bpf/cgroup.c | 4 ++--
> >   1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
> > index 514b4681a90a..fdbdcee6c9fa 100644
> > --- a/kernel/bpf/cgroup.c
> > +++ b/kernel/bpf/cgroup.c
> > @@ -896,8 +896,8 @@ static void bpf_cgroup_link_release(struct bpf_link *link)
> >               return;
> >       }
> >
> > -     WARN_ON(__cgroup_bpf_detach(cg_link->cgroup, NULL, cg_link,
> > -                                 cg_link->type));
> > +     __cgroup_bpf_detach(cg_link->cgroup, NULL, cg_link,
> > +                                 cg_link->type);
>
> "Fixing" by removing WARN_ON is just papering over the issue which in this case as
> mentioned is allocation failure on detach/teardown when allocating and recomputing
> effective prog arrays..

Hi Daniel,

you're right. This is not a good fix, any idea to fix the underlying
bug perfectly?

>
> >       cg = cg_link->cgroup;
> >       cg_link->cgroup = NULL;
> >
>
diff mbox series

Patch

diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index 514b4681a90a..fdbdcee6c9fa 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -896,8 +896,8 @@  static void bpf_cgroup_link_release(struct bpf_link *link)
 		return;
 	}
 
-	WARN_ON(__cgroup_bpf_detach(cg_link->cgroup, NULL, cg_link,
-				    cg_link->type));
+	__cgroup_bpf_detach(cg_link->cgroup, NULL, cg_link,
+				    cg_link->type);
 
 	cg = cg_link->cgroup;
 	cg_link->cgroup = NULL;