On Mon, Dec 16, 2024 at 1:00 PM Andrea Righi <arighi@xxxxxxxxxx> wrote:
>
> On x86-64 calling bpf_get_smp_processor_id() in a kernel with CONFIG_SMP
> disabled can trigger the following bug, as pcpu_hot is unavailable:
>
> [ 8.471774] BUG: unable to handle page fault for address: 00000000936a290c
> [ 8.471849] #PF: supervisor read access in kernel mode
> [ 8.471881] #PF: error_code(0x0000) - not-present page
>
> Fix by inlining a return 0 in the !CONFIG_SMP case.
>
> Fixes: 1ae6921009e5 ("bpf: inline bpf_get_smp_processor_id() helper")
> Cc: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> Signed-off-by: Andrea Righi <arighi@xxxxxxxxxx>
> ---
> kernel/bpf/verifier.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> ChangeLog v1 -> v2:
> - inline a "return 0" instead of not inlining bpf_get_smp_processor_id() at
> all in the !CONFIG_SMP case, as suggested by Daniel
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index f7f892a52a37..761c70899754 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -21281,11 +21281,15 @@ static int do_misc_fixups(struct bpf_verifier_env *env)
> * changed in some incompatible and hard to support
> * way, it's fine to back out this inlining logic
> */
> +#ifdef CONFIG_SMP
> insn_buf[0] = BPF_MOV32_IMM(BPF_REG_0, (u32)(unsigned long)&pcpu_hot.cpu_number);
> insn_buf[1] = BPF_MOV64_PERCPU_REG(BPF_REG_0, BPF_REG_0);
> insn_buf[2] = BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0);
> cnt = 3;
> -
> +#else
> + BPF_ALU32_REG(BPF_XOR, BPF_REG_0, BPF_REG_0),
um... shouldn't this be `insns_buf[0] = ` assignment? And that comma
instead of semicolon at the end?
pw-bot: cr
> + cnt = 1;
> +#endif
> new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
> if (!new_prog)
> return -ENOMEM;
> --
> 2.47.1
>
