On 7/20/2023 4:57 PM, Jiri Olsa wrote:
> The nesting protection in bpf_perf_event_output relies on disabled
> preemption, which is guaranteed for kprobes and tracepoints.
>
> However bpf_perf_event_output can also be called from uprobes context
> through the bpf_prog_run_array_sleepable function, which disables migration
> but keeps preemption enabled.
>
> This can cause a task to be preempted by another one inside the nesting
> protection and lead eventually to two tasks using the same perf_sample_data
> buffer and cause crashes like:
>
> kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
> BUG: unable to handle page fault for address: ffffffff82be3eea
> ...
> Call Trace:
> ? __die+0x1f/0x70
> ? page_fault_oops+0x176/0x4d0
> ? exc_page_fault+0x132/0x230
> ? asm_exc_page_fault+0x22/0x30
> ? perf_output_sample+0x12b/0x910
> ? perf_event_output+0xd0/0x1d0
> ? bpf_perf_event_output+0x162/0x1d0
> ? bpf_prog_c6271286d9a4c938_krava1+0x76/0x87
> ? __uprobe_perf_func+0x12b/0x540
> ? uprobe_dispatcher+0x2c4/0x430
> ? uprobe_notify_resume+0x2da/0xce0
> ? atomic_notifier_call_chain+0x7b/0x110
> ? exit_to_user_mode_prepare+0x13e/0x290
> ? irqentry_exit_to_user_mode+0x5/0x30
> ? asm_exc_int3+0x35/0x40
>
> Fixing this by disabling preemption in bpf_perf_event_output.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 8c7dcb84e3b7 ("bpf: implement sleepable uprobes by chaining gps")
> Signed-off-by: Jiri Olsa <jolsa@xxxxxxxxxx>

Acked-by: Hou Tao <houtao1@xxxxxxxxxx>
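An added illustration of the race the commit message describes, written for this page and not taken from the kernel or the thread: a per-CPU nest counter hands out slots in a small per-CPU perf_sample_data array, which only works if entries on a CPU nest LIFO, the discipline preempt_disable() guarantees and migrate_disable() alone does not. The names cpu_state, slot_owner, step, is_lifo and replay are hypothetical model names, not kernel identifiers.

```c
/* Added model (not kernel code) of the nesting scheme bpf_perf_event_output
 * relies on: a per-CPU nest counter picks a slot in a small per-CPU array of
 * perf_sample_data.  All names here are hypothetical, not kernel identifiers. */
#define NSLOTS 3

struct cpu_state {
    int nest_level;          /* stands in for bpf_trace_nest_level */
    char slot_owner[NSLOTS]; /* task currently using sds[i]; 0 = free */
};

/* One event on a single CPU: task 'task' enters ('+') or leaves ('-') the helper. */
struct step { char task; char op; };

/* With preemption disabled only nested (LIFO) entries can interleave on a CPU.
 * 1 if every '-' closes the most recent open '+', 0 if a task resumed out of order. */
static int is_lifo(const struct step *s, int n)
{
    char stack[2 * NSLOTS];
    int top = 0;
    for (int i = 0; i < n; i++) {
        if (s[i].op == '+') {
            if (top == (int)sizeof stack) return 0;
            stack[top++] = s[i].task;
        } else if (top == 0 || stack[--top] != s[i].task) {
            return 0;
        }
    }
    return top == 0;
}

/* Run a schedule through the counter/slot logic.  0 if every slot had a single user
 * while live, else the 1-based step at which a task is handed a slot still in use. */
static int replay(const struct step *s, int n)
{
    struct cpu_state cpu = {0};
    for (int i = 0; i < n; i++) {
        if (s[i].op == '+') {
            int idx = cpu.nest_level++;                  /* this_cpu_inc_return() - 1 */
            if (idx < 0 || idx >= NSLOTS) return i + 1;  /* counter corrupted or too deep */
            if (cpu.slot_owner[idx]) return i + 1;       /* sds[idx] still in use: collision */
            cpu.slot_owner[idx] = s[i].task;
        } else {
            cpu.nest_level--;                            /* this_cpu_dec() */
            for (int k = NSLOTS - 1; k >= 0; k--)        /* release this task's newest slot */
                if (cpu.slot_owner[k] == s[i].task) { cpu.slot_owner[k] = 0; break; }
        }
    }
    return 0;
}
```

The schedule A+ B+ A- C+ (task A preempted inside the helper by B, A finishing first, then C entering) is exactly what migration-disabled-but-preemptible uprobe context allows; replay() reports the collision at step 4, where C is handed the slot B is still writing.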