On 05/13, Eric Dumazet wrote:
> Various things in eBPF really require us to disable preemption
> before running an eBPF program.
>
> syzbot reported :
>
> BUG: assuming atomic context at net/core/flow_dissector.c:737
> in_atomic(): 0, irqs_disabled(): 0, pid: 24710, name: syz-executor.3
> 2 locks held by syz-executor.3/24710:
> #0: 00000000e81a4bf1 (&tfile->napi_mutex){+.+.}, at: tun_get_user+0x168e/0x3ff0 drivers/net/tun.c:1850
> #1: 00000000254afebd (rcu_read_lock){....}, at: __skb_flow_dissect+0x1e1/0x4bb0 net/core/flow_dissector.c:822
> CPU: 1 PID: 24710 Comm: syz-executor.3 Not tainted 5.1.0+ #6
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x172/0x1f0 lib/dump_stack.c:113
> __cant_sleep kernel/sched/core.c:6165 [inline]
> __cant_sleep.cold+0xa3/0xbb kernel/sched/core.c:6142
> bpf_flow_dissect+0xfe/0x390 net/core/flow_dissector.c:737
> __skb_flow_dissect+0x362/0x4bb0 net/core/flow_dissector.c:853
> skb_flow_dissect_flow_keys_basic include/linux/skbuff.h:1322 [inline]
> skb_probe_transport_header include/linux/skbuff.h:2500 [inline]
> skb_probe_transport_header include/linux/skbuff.h:2493 [inline]
> tun_get_user+0x2cfe/0x3ff0 drivers/net/tun.c:1940
> tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2037
> call_write_iter include/linux/fs.h:1872 [inline]
> do_iter_readv_writev+0x5fd/0x900 fs/read_write.c:693
> do_iter_write fs/read_write.c:970 [inline]
> do_iter_write+0x184/0x610 fs/read_write.c:951
> vfs_writev+0x1b3/0x2f0 fs/read_write.c:1015
> do_writev+0x15b/0x330 fs/read_write.c:1058
> __do_sys_writev fs/read_write.c:1131 [inline]
> __se_sys_writev fs/read_write.c:1128 [inline]
> __x64_sys_writev+0x75/0xb0 fs/read_write.c:1128
> do_syscall_64+0x103/0x670 arch/x86/entry/common.c:298
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook")
> Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
> Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx>
> Cc: Petar Penkov <ppenkov@xxxxxxxxxx>
> Cc: Stanislav Fomichev <sdf@xxxxxxxxxx>
> ---
> net/core/flow_dissector.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
> index 9ca784c592ac8c9c58282289a81889fbe4658a9e..548f39dde30711ac5be9e921993a6d8e53f74161 100644
> --- a/net/core/flow_dissector.c
> +++ b/net/core/flow_dissector.c
> @@ -734,7 +734,9 @@ bool bpf_flow_dissect(struct bpf_prog *prog, struct bpf_flow_dissector *ctx,
> flow_keys->nhoff = nhoff;
> flow_keys->thoff = flow_keys->nhoff;
>
> + preempt_disable();
> result = BPF_PROG_RUN(prog, ctx);
> + preempt_enable();
>
> flow_keys->nhoff = clamp_t(u16, flow_keys->nhoff, nhoff, hlen);
> flow_keys->thoff = clamp_t(u16, flow_keys->thoff,
> --
> 2.21.0.1020.gf2820cf01a-goog
>
Reviewed-by: Stanislav Fomichev <sdf@xxxxxxxxxx>
Thanks!
