syzbot reported an RCU warning like below:

  WARNING: suspicious RCU usage
  ...
  Call Trace:
    __dump_stack lib/dump_stack.c:88 [inline]
    dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
    task_css_set include/linux/cgroup.h:481 [inline]
    task_dfl_cgroup include/linux/cgroup.h:550 [inline]
    ____bpf_get_current_cgroup_id kernel/bpf/helpers.c:356 [inline]
    bpf_get_current_cgroup_id+0x1ce/0x210 kernel/bpf/helpers.c:354
    bpf_prog_08c4887f705f20b8+0x10/0x824
    bpf_dispatcher_nop_func include/linux/bpf.h:687 [inline]
    bpf_prog_run_pin_on_cpu include/linux/filter.h:624 [inline]
    bpf_prog_test_run_syscall+0x2cf/0x5f0 net/bpf/test_run.c:954
    bpf_prog_test_run kernel/bpf/syscall.c:3207 [inline]
    __sys_bpf+0x1993/0x53b0 kernel/bpf/syscall.c:4487

The warning is introduced by Commit 79a7f8bdb159d ("bpf: Introduce bpf_sys_bpf() helper and program type."). The rcu_read_lock/unlock() is missing when calling bpf_prog_run_pin_on_cpu().

Previously, bpf_prog_run_pin_on_cpu() is simply BPF_PROG_RUN macro and if necessary functions using BPF_PROG_RUN all have proper rcu_read_lock/unlock() protections. Commit 3c58482a382ba ("bpf: Provide bpf_prog_run_pin_on_cpu() helper") added bpf_prog_run_pin_on_cpu() helper in order to add migrate_disable/enable() support. Commit 79a7f8bdb159d later called bpf_prog_run_pin_on_cpu() but didn't have rcu_read_lock/unlock() at the callsite which triggered the reason.

I added rcu lock protection in bpf_prog_test_run_syscall() which fixed the issue. Alternatively, rcu lock protection could be added in bpf_prog_test_run_syscall() and some rcu lock protection in bpf_prog_test_run_syscall() callers can be removed. I feel the latter is a bigger change for bpf tree. So I picked the simpler solution.

Reported-by: syzbot+7ee5c2c09c284495371f@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: 79a7f8bdb159d ("bpf: Introduce bpf_sys_bpf() helper and program type.")
Signed-off-by: Yonghong Song <yhs@xxxxxx>
---
 net/bpf/test_run.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c index 1cc75c811e24..a350b185d9d2 100644 --- a/net/bpf/test_run.c +++ b/net/bpf/test_run.c @@ -951,7 +951,10 @@ int bpf_prog_test_run_syscall(struct bpf_prog *prog, goto out; } } + + rcu_read_lock(); retval = bpf_prog_run_pin_on_cpu(prog, ctx); + rcu_read_unlock(); if (copy_to_user(&uattr->test.retval, &retval, sizeof(u32))) { err = -EFAULT; -- 2.30.2
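
Review bot: the rcu_read_lock()/rcu_read_unlock() pair added around bpf_prog_run_pin_on_cpu(prog, ctx) puts the entire program run inside an RCU read-side critical section, so nothing the program calls may sleep while the lock is held. The commit message should state whether programs reaching bpf_prog_test_run_syscall() can sleep; if they can, take the lock only around the access that warned (the trace points at task_css_set() under bpf_get_current_cgroup_id()) rather than at this call site. Separately, the "Alternatively" sentence in the commit message names bpf_prog_test_run_syscall(), the same function this hunk changes, so the alternative being rejected cannot be identified, and the extra blank line added before rcu_read_lock() can be dropped.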