In bpf_link_free, bpf trampoline will update the image and remove the
unlinked prog.
bpf_trampoline_unlink_prog is committed as 'never fail', however it depends
on the result of image update. It is possible to fail if memory allocation
fail in bpf_trampoline_update.
The error result of bpf_trampoline_update can't be passed to bpf_link_free
because link release callback returns void. Then it will free the prog
whether image updating is successful or not.
If the old image tries to call a freed prog, it makes kernel panic.
BUG: unable to handle page fault for address: ffffffffc04a8d20
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
RIP: 0010:0xffffffffc04a8d20
Code: Unable to access opcode bytes at RIP 0xffffffffc04a8cf6.
...
Call Trace:
? bpf_trampoline_78223_0
bpf_traced_function
...
Fix this when bpf_trampoline_update failed in bpf_trampoline_unlink_prog,
unregister fentry to disable the trampoline. Then other progs on the
trampoline can be unlinked safely and finally the trampoline will be
released.
Fixes: 88fd9e5352fe ("bpf: Refactor trampoline update code")
Signed-off-by: Chen Zhongjin <chenzhongjin@xxxxxxxxxx>
---
kernel/bpf/trampoline.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
index d0ed7d6f5eec..6daa93b30e81 100644
--- a/kernel/bpf/trampoline.c
+++ b/kernel/bpf/trampoline.c
@@ -604,7 +604,10 @@ static int __bpf_trampoline_unlink_prog(struct bpf_tramp_link *link, struct bpf_
}
hlist_del_init(&link->tramp_hlist);
tr->progs_cnt[kind]--;
- return bpf_trampoline_update(tr, true /* lock_direct_mutex */);
+ err = bpf_trampoline_update(tr, true /* lock_direct_mutex */);
+ if (err && tr->cur_image)
+ unregister_fentry(tr, tr->cur_image->image);
+ return err;
}
/* bpf_trampoline_unlink_prog() should never fail. */
--
2.17.1
