On Wed, Nov 29, 2023 at 02:23:04PM +0100, Jiri Olsa wrote: > On Tue, Nov 28, 2023 at 11:44:33PM +0100, Ilya Leoshkevich wrote: > > On Tue, 2023-11-28 at 10:28 +0100, Jiri Olsa wrote: > > > hi, > > > this patchset fixes the issue reported in [0]. > > > > > > For the actual fix in patch 2 I'm changing bpf_arch_text_poke to > > > allow to skip > > > ip address check in patch 1. I considered adding separate function > > > for that, > > > but because each arch implementation is bit different, adding extra > > > arg seemed > > > like better option. > > > > > > v2 changes: > > > - make it work for other archs > > > > > > thanks, > > > jirka > > > > > > > > > [0] https://syzkaller.appspot.com/bug?extid=97a4fe20470e9bc30810 > > > --- > > > Jiri Olsa (2): > > > bpf: Add checkip argument to bpf_arch_text_poke > > > bpf, x64: Fix prog_array_map_poke_run map poke update > > > > > > arch/arm64/net/bpf_jit_comp.c | 3 ++- > > > arch/riscv/net/bpf_jit_comp64.c | 5 +++-- > > > arch/s390/net/bpf_jit_comp.c | 3 ++- > > > arch/x86/net/bpf_jit_comp.c | 24 +++++++++++++----------- > > > include/linux/bpf.h | 2 +- > > > kernel/bpf/arraymap.c | 31 +++++++++++-------------------- > > > kernel/bpf/core.c | 2 +- > > > kernel/bpf/trampoline.c | 12 ++++++------ > > > 8 files changed, 39 insertions(+), 43 deletions(-) > > > > Would it be possible to add a minimized version of the reproducer as a > > testcase? > > there's reproducer I used in here: > https://syzkaller.appspot.com/text?tag=ReproC&x=1397180f680000 > > I can try, but not sure I'll be able to come up with something that > would fit as testcase.. I'll check the test below reproduces it for me.. the only tricky part is that I need to repeat the loop 10 times to trigger that on my setup.. which is not terrible, but not great for a test I think jirka
---
diff --git a/tools/testing/selftests/bpf/prog_tests/tailcall_poke.c b/tools/testing/selftests/bpf/prog_tests/tailcall_poke.c
new file mode 100644
index 000000000000..c18751677811
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/tailcall_poke.c
@@ -0,0 +1,77 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <unistd.h>
+#include <test_progs.h>
+#include "tailcall_poke.skel.h"
+
+#define JMP_TABLE "/sys/fs/bpf/jmp_table"
+
+static int thread_exit;
+
+static void *update(void *arg)
+{
+ __u32 zero = 0, prog1_fd, prog2_fd, map_fd;
+ struct tailcall_poke *call = arg;
+
+ map_fd = bpf_map__fd(call->maps.jmp_table);
+ prog1_fd = bpf_program__fd(call->progs.call1);
+ prog2_fd = bpf_program__fd(call->progs.call2);
+
+ while (!thread_exit) {
+ bpf_map_update_elem(map_fd, &zero, &prog1_fd, BPF_ANY);
+ bpf_map_update_elem(map_fd, &zero, &prog2_fd, BPF_ANY);
+ }
+
+ return NULL;
+}
+
+void test_tailcall_poke(void)
+{
+ struct tailcall_poke *call, *test;
+ int err, cnt = 10;
+ pthread_t thread;
+
+ unlink(JMP_TABLE);
+
+ call = tailcall_poke__open_and_load();
+ if (!ASSERT_OK_PTR(call, "tailcall_poke__open"))
+ return;
+
+ err = bpf_map__pin(call->maps.jmp_table, JMP_TABLE);
+ if (!ASSERT_OK(err, "bpf_map__pin"))
+ goto out;
+
+ err = pthread_create(&thread, NULL, update, call);
+ if (!ASSERT_OK(err, "new toggler"))
+ goto out;
+
+ while (cnt--) {
+ test = tailcall_poke__open();
+ if (!ASSERT_OK_PTR(test, "tailcall_poke__open"))
+ break;
+
+ err = bpf_map__set_pin_path(test->maps.jmp_table, JMP_TABLE);
+ if (!ASSERT_OK(err, "bpf_map__pin")) {
+ tailcall_poke__destroy(test);
+ break;
+ }
+
+ bpf_program__set_autoload(test->progs.test, true);
+ bpf_program__set_autoload(test->progs.call1, false);
+ bpf_program__set_autoload(test->progs.call2, false);
+
+ err = tailcall_poke__load(test);
+ if (!ASSERT_OK(err, "tailcall_poke__load")) {
+ tailcall_poke__destroy(test);
+ break;
+ }
+
+ tailcall_poke__destroy(test);
+ }
+
+ thread_exit = 1;
+ ASSERT_OK(pthread_join(thread, NULL), "pthread_join");
+
+out:
+ bpf_map__unpin(call->maps.jmp_table, JMP_TABLE);
+ tailcall_poke__destroy(call);
+}
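Review bot: `thread_exit` is a plain `static int` that `update()` spins on in `while (!thread_exit)` and `test_tailcall_poke()` writes with `thread_exit = 1;`, with no synchronization between the two threads; that is a data race in C11, and the loop terminates in practice only because the opaque `bpf_map_update_elem()` calls keep the compiler from hoisting the load. I would make the handoff explicit, `while (!__atomic_load_n(&thread_exit, __ATOMIC_ACQUIRE))` in the toggler and `__atomic_store_n(&thread_exit, 1, __ATOMIC_RELEASE);` before the join, so the test does not depend on that accident. Separately, the assert after `bpf_map__set_pin_path()` is labelled `"bpf_map__pin"` and the one after `tailcall_poke__open_and_load()` is labelled `"tailcall_poke__open"`, which will send whoever reads a failure log to the wrong call; rename them to match. The fixed pin path `/sys/fs/bpf/jmp_table` is global bpffs state that the leading `unlink()` removes unconditionally, so if test_progs ever runs this in parallel with another test pinning at that name they would interfere; presumably nothing else uses it today, but a test-specific path would be safer.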
diff --git a/tools/testing/selftests/bpf/progs/tailcall_poke.c b/tools/testing/selftests/bpf/progs/tailcall_poke.c
new file mode 100644
index 000000000000..d4cf63c7db01
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/tailcall_poke.c
@@ -0,0 +1,32 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+
+char _license[] SEC("license") = "GPL";
+
+struct {
+ __uint(type, BPF_MAP_TYPE_PROG_ARRAY);
+ __uint(max_entries, 1);
+ __uint(key_size, sizeof(__u32));
+ __uint(value_size, sizeof(__u32));
+} jmp_table SEC(".maps");
+
+SEC("?fentry/bpf_fentry_test1")
+int BPF_PROG(test, int a)
+{
+ bpf_tail_call_static(ctx, &jmp_table, 0);
+ return 0;
+}
+
+SEC("fentry/bpf_fentry_test1")
+int BPF_PROG(call1, int a)
+{
+ return 0;
+}
+
+SEC("fentry/bpf_fentry_test1")
+int BPF_PROG(call2, int a)
+{
+ return 0;
+}
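Review bot: Nothing in this file says why three programs sit on the same `fentry/bpf_fentry_test1` hook, so a reader has to cross-reference the userspace test to learn that only `test` tail-calls and that `call1`/`call2` exist purely as interchangeable entries for `jmp_table[0]`. I would put a short header comment above the map, along the lines of `/* jmp_table[0] is toggled between call1 and call2 from userspace while a program that tail-calls into it (test) is repeatedly loaded and unloaded, to exercise the prog_array poke path. */`. The `?fentry` prefix on `test` also deserves a line, e.g. `/* not autoloaded by default; the userspace test enables it per iteration */`, since that is what lets the pinned table be reused across the repeated opens — presumably that is the intent, given the explicit `bpf_program__set_autoload(test->progs.test, true)` in the prog_tests half.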