Re: [PATCH bpf-next v2] bpf: Move out synchronize_rcu_tasks_trace from mutex CS

Jiri Olsa <olsajiri@xxxxxxxxx> · Wed, 8 Jan 2025 12:26:07 +0100



On Sat, Jan 04, 2025 at 01:39:46AM +0000, Pu Lehui wrote:
> From: Pu Lehui <pulehui@xxxxxxxxxx>
> 
> Commit ef1b808e3b7c ("bpf: Fix UAF via mismatching bpf_prog/attachment
> RCU flavors") resolved a possible UAF issue in uprobes that attach
> non-sleepable bpf prog by explicitly waiting for a tasks-trace-RCU grace
> period. But, in the current implementation, synchronize_rcu_tasks_trace
> is included within the mutex critical section, which increases the
> length of the critical section and may affect performance. So let's move
> out synchronize_rcu_tasks_trace from mutex CS.

lgtm, adding peter

Reviewed-by: Jiri Olsa <jolsa@xxxxxxxxxx>

jirka

> 
> Signed-off-by: Pu Lehui <pulehui@xxxxxxxxxx>
> ---
> v2: Simplify code logic. (Jiri)
> 
>  kernel/trace/bpf_trace.c | 21 +++++++++++++--------
>  1 file changed, 13 insertions(+), 8 deletions(-)
> 
> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> index 48db147c6c7d..a90880f475af 100644
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c
> @@ -2245,6 +2245,7 @@ void perf_event_detach_bpf_prog(struct perf_event *event)
>  {
>  	struct bpf_prog_array *old_array;
>  	struct bpf_prog_array *new_array;
> +	struct bpf_prog *prog = NULL;
>  	int ret;
>  
>  	mutex_lock(&bpf_event_mutex);
> @@ -2265,18 +2266,22 @@ void perf_event_detach_bpf_prog(struct perf_event *event)
>  	}
>  
>  put:
> -	/*
> -	 * It could be that the bpf_prog is not sleepable (and will be freed
> -	 * via normal RCU), but is called from a point that supports sleepable
> -	 * programs and uses tasks-trace-RCU.
> -	 */
> -	synchronize_rcu_tasks_trace();
> -
> -	bpf_prog_put(event->prog);
> +	prog = event->prog;
>  	event->prog = NULL;
>  
>  unlock:
>  	mutex_unlock(&bpf_event_mutex);
> +
> +	if (prog) {
> +		/*
> +		 * It could be that the bpf_prog is not sleepable (and will be freed
> +		 * via normal RCU), but is called from a point that supports sleepable
> +		 * programs and uses tasks-trace-RCU.
> +		 */
> +		synchronize_rcu_tasks_trace();
> +
> +		bpf_prog_put(prog);
> +	}
>  }
>  
>  int perf_event_query_prog_array(struct perf_event *event, void __user *info)
> -- 
> 2.34.1
> 
>