Re: [PATCH bpf-next] selftests/bpf: Test the release of map btf

On 12/6/23 6:06 AM, Hou Tao wrote:
> From: Hou Tao <houtao1@xxxxxxxxxx>
>
> When there is a bpf_list_head or bpf_rb_root field in map value, the free
> of map btf and the free of map value may run concurrently and there may
> be a use-after-free problem, so add two test cases to demonstrate it.
>
> The first test case tests the racing between the free of map btf and the
> free of array map. It constructs the racing by releasing the array map in
> the end after other ref-counter of map btf has been released. But it is
> still hard to reproduce the UAF problem, and I managed to reproduce it
> by queuing multiple kworkers to stress system_unbound_wq concurrently.
>
> The second case tests the racing between the free of map btf and the
> free of inner map. Besides using the similar method as the first one
> does, it uses bpf_map_delete_elem() to delete the inner map and to defer
> the release of inner map after one RCU grace period. The UAF problem can
> be easily reproduced by using bpf_next tree and a KASAN-enabled kernel.

Thanks, Hou. I will use your test cases as well during debugging
besides my kernel mdelay() hack.

> The reason for using two skeletons is to prevent the release of outer
> map and inner map in map_in_map_btf.c interfering with the release of bpf
> map in normal_map_btf.c.
>
> Signed-off-by: Hou Tao <houtao1@xxxxxxxxxx>
> ---
> Hi,
>
> I was also working on the UAF problem caused by the racing between the
> free map btf and the free map value. However considering Yonghong posted
> the patch first [1], I decided to post the selftest for the problem. The
> reliable reproduction of the problem depends on the "Fix the release of
> inner map" patch-set in bpf-next.
>
> [1]: https://lore.kernel.org/bpf/20231205224812.813224-1-yonghong.song@xxxxxxxxx/
>
>  .../selftests/bpf/prog_tests/map_btf.c        | 88 +++++++++++++++++++
>  .../selftests/bpf/progs/map_in_map_btf.c      | 73 +++++++++++++++
>  .../selftests/bpf/progs/normal_map_btf.c      | 56 ++++++++++++
>  3 files changed, 217 insertions(+)
>  create mode 100644 tools/testing/selftests/bpf/prog_tests/map_btf.c
>  create mode 100644 tools/testing/selftests/bpf/progs/map_in_map_btf.c
>  create mode 100644 tools/testing/selftests/bpf/progs/normal_map_btf.c

[...]




