On 7/22/20 11:53 PM, Alexei Starovoitov wrote:
On Wed, Jul 22, 2020 at 11:15:33PM -0700, Yonghong Song wrote:Bpf iterator has been implemented for task, task_file, bpf_map, ipv6_route, netlink, tcp and udp so far. For map elements, there are two ways to traverse all elements from user space: 1. using BPF_MAP_GET_NEXT_KEY bpf subcommand to get elements one by one. 2. using BPF_MAP_LOOKUP_BATCH bpf subcommand to get a batch of elements. Both these approaches need to copy data from kernel to user space in order to do inspection. This patch implements bpf iterator for map elements. User can have a bpf program in kernel to run with each map element, do checking, filtering, aggregation, modifying values etc. without copying data to user space. Patch #1 and #2 are refactoring. Patch #3 implements readonly/readwrite buffer support in verifier. Patches #4 - #7 implements map element support for hash, percpu hash, lru hash lru percpu hash, array, percpu array and sock local storage maps. Patches #8 - #9 are libbpf and bpftool support. Patches #10 - #13 are selftests for implemented map element iterators.kasan is not happy: [ 16.896170] ================================================================== [ 16.896994] BUG: KASAN: use-after-free in __do_sys_bpf+0x34f3/0x3860 [ 16.897657] Read of size 4 at addr ffff8881f105b208 by task test_progs/1958 [ 16.898416] [ 16.898577] CPU: 0 PID: 1958 Comm: test_progs Not tainted 5.8.0-rc4-01920-g6276000cd38e #2828 [ 16.899505] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 [ 16.900405] Call Trace: [ 16.900679] dump_stack+0x7d/0xb0 [ 16.901068] print_address_description.constprop.0+0x3a/0x60 [ 16.901689] ? __do_sys_bpf+0x34f3/0x3860 [ 16.902125] kasan_report.cold+0x1f/0x37 [ 16.902595] ? __do_sys_bpf+0x34f3/0x3860 [ 16.903029] __do_sys_bpf+0x34f3/0x3860 [ 16.903494] ? bpf_trace_run2+0xd1/0x210 [ 16.903971] ? bpf_link_get_from_fd+0xe0/0xe0 [ 16.907802] do_syscall_64+0x38/0x60 [ 16.908187] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 16.908730] RIP: 0033:0x7f014cdfe7f9 [ 16.909148] Code: Bad RIP value. [ 16.909524] RSP: 002b:00007ffe1d1e8b28 EFLAGS: 00000206 ORIG_RAX: 0000000000000141 [ 16.910345] RAX: ffffffffffffffda RBX: 00007f014dd27690 RCX: 00007f014cdfe7f9 [ 16.911058] RDX: 0000000000000078 RSI: 00007ffe1d1e8b60 RDI: 000000000000001e [ 16.911820] RBP: 00007ffe1d1e8b40 R08: 00007ffe1d1e8b40 R09: 00007ffe1d1e8b60 [ 16.912575] R10: 0000000000000044 R11: 0000000000000206 R12: 0000000000000002 [ 16.913304] R13: 0000000000000000 R14: 0000000000000002 R15: 0000000000000002 [ 16.914026] [ 16.914189] Allocated by task 1958: [ 16.914562] save_stack+0x1b/0x40 [ 16.914944] __kasan_kmalloc.constprop.0+0xc2/0xd0 [ 16.915476] bpf_iter_link_attach+0x235/0x4e0 [ 16.915975] __do_sys_bpf+0x1832/0x3860 [ 16.916371] do_syscall_64+0x38/0x60 [ 16.916750] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 16.917338] [ 16.917524] Freed by task 1958: [ 16.917874] save_stack+0x1b/0x40 [ 16.918241] __kasan_slab_free+0x12f/0x180 [ 16.918681] kfree+0xc6/0x280 [ 16.919024] bpf_iter_link_attach+0x3e3/0x4e0 [ 16.919488] __do_sys_bpf+0x1832/0x3860 [ 16.919915] do_syscall_64+0x38/0x60 [ 16.920301] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Thanks for reporting the bug. The gcc on my system is 8.2 and the requirement for kasan support is gcc 8.3. Using clang, I am able to see the issue. Will fix and re-submit. Thanks!
To reproduce: ./test_progs -n 5 #5 bpf_obj_id:OK Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED ./test_progs -n 4/18 #4/18 bpf_hash_map:OK #4 bpf_iter:OK Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED ./test_progs -n 5 [ 37.569154] ================================================================== [ 37.570020] BUG: KASAN: use-after-free in __do_sys_bpf+0x34f3/0x3860
