From patchwork Fri Jul 21 10:34:11 2023
X-Patchwork-Id: 13321839
X-Patchwork-Delegate: bpf@iogearbox.net
From: Eric Yan
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, martin.lau@linux.dev, song@kernel.org, yhs@fb.com, sdf@google.com, nathan@kernel.org, ndesaulniers@google.com, trix@redhat.com, keescook@chromium.org, samitolvanen@google.com, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, eric.yan@oppo.com
Subject: [PATCH] CFI: fix panic in kernel bpf map traversal
Date: Fri, 21 Jul 2023 18:34:11 +0800
Message-Id: <20230721103411.19535-1-eric.yan@oppo.com>
X-Mailing-List: bpf@vger.kernel.org

During BPF map iterator test, 'bpf_for_each_map_elem' call failed on Android common kernel 5.15/6.1 with clang CFI enabled. It has been found that the "callback_fn" parameter received by bpf_for_each_map_elem is the address of the jitted BPF program code, which is not in the kernel text section; this leads to a kernel panic in the __cfi_slowpath_diag check. So, just disable CFI for the bpf map iterator.

The same crash message on a typical arm64 Debian kernel is as follows:

Kernel panic - not syncing: CFI failure (target: bpf_prog_xx+0x0/0x560)
CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 5.15.0+ #1
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace.cfi_jt+0x0/0x4
 show_stack+0x30/0x3c
 __dump_stack+0x28/0x34
 dump_stack_lvl+0x74/0xc0
 dump_stack+0x14/0x1c
 panic+0x2b8/0x588
 __cfi_slowpath_diag+0x0/0x78
 __cfi_slowpath_diag+0x6c/0x78
 bpf_for_each_hash_elem+0x228/0x304
 bpf_for_each_map_elem+0xac/0xc0
 bpf_prog_8aad3428fbe59598_F+0x184/0x6c4
 bpf_dispatcher_nop_func.17066+0xc/0x14
 bpf_trace_run1+0x1d4/0x208
 __bpf_trace_sched_wakeup_template+0x4c/0x74
 __traceiter_sched_wakeup+0x13c/0x170
 trace_sched_wakeup+0xf4/0x108
 ttwu_do_wakeup+0x58/0x17c

Sample bpf testing code (based on https://github.com/iovisor/bcc/blob/master/libbpf-tools/wakeuptime.bpf.c#L54):

static long chk_item(struct bpf_map *map, const void *key, void *value, void *cttx)
{
	bpf_printk("key: %llx\n", key);
	return 0;
}

static int wakeup(void *ctx, struct task_struct *p)
{
	...
	if (delta > 1000000)
		bpf_for_each_map_elem(&counts, chk_item, NULL, 0);
}

Signed-off-by: Eric Yan
---
 kernel/bpf/arraymap.c | 2 +-
 kernel/bpf/hashtab.c  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

-- 
2.25.1

diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c index 2058e89b5ddd..4cd400082236 100644 --- a/kernel/bpf/arraymap.c +++ b/kernel/bpf/arraymap.c @@ -686,7 +686,7 @@ static const struct bpf_iter_seq_info iter_seq_info = { .seq_priv_size = sizeof(struct bpf_iter_seq_array_map_info), }; -static long bpf_for_each_array_elem(struct bpf_map *map, bpf_callback_t callback_fn, +static long __nocfi bpf_for_each_array_elem(struct bpf_map *map, bpf_callback_t callback_fn, void *callback_ctx, u64 flags) { u32 i, key, num_elems = 0; diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c index 56d3da7d0bc6..59e337f446d0 100644 --- a/kernel/bpf/hashtab.c +++ b/kernel/bpf/hashtab.c 
@@ -2132,7 +2132,7 @@ static const struct bpf_iter_seq_info iter_seq_info = { .seq_priv_size = sizeof(struct bpf_iter_seq_hash_map_info), }; -static long bpf_for_each_hash_elem(struct bpf_map *map, bpf_callback_t callback_fn, +static long __nocfi bpf_for_each_hash_elem(struct bpf_map *map, bpf_callback_t callback_fn, void *callback_ctx, u64 flags) { struct bpf_htab *htab = container_of(map, struct bpf_htab, map);
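
Review bot: In the kernel/bpf/arraymap.c hunk, `__nocfi` is placed on the whole of `bpf_for_each_array_elem`, so every indirect call made from that function body loses its CFI check, not only the call through `callback_fn` that the commit message identifies as the failing one. Consider moving the `callback_fn` invocation into a small `__nocfi` helper so the unchecked region is that single call, and add a comment at the definition saying that the target is JITed BPF code outside the kernel text section; as posted, nothing next to the attribute explains why the check is off.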
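
Review bot: The `__nocfi` added to `bpf_for_each_hash_elem` in the kernel/bpf/hashtab.c hunk is justified only by a generic cause in the commit message (a `callback_fn` that points at JITed code), yet the diffstat touches just arraymap.c and hashtab.c. Please say in the changelog whether any other code that invokes a `bpf_callback_t` can reach the same `__cfi_slowpath_diag` failure and, if so, why it is left out. It would also help to name the tree this is meant for, since the trace is from 5.15.0+ and the text refers to Android common kernel 5.15/6.1, and to word the subject as disabling the check for these functions rather than as a fix to CFI.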