Commit 70964fbd authored by Martin KaFai Lau, committed by Tengda Wu

bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT

stable inclusion
from stable-v6.6.76
commit 3392fa605d7c5708c5fbe02e4fbdac547c3b7352
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBREBI
CVE: CVE-2024-58070

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3392fa605d7c5708c5fbe02e4fbdac547c3b7352



--------------------------------

[ Upstream commit 8eef6ac4d70eb1f0099fff93321d90ce8fa49ee1 ]

In PREEMPT_RT, kmalloc(GFP_ATOMIC) is still not safe in non-preemptible
context. bpf_mem_alloc must be used in PREEMPT_RT. This patch is
to enforce bpf_mem_alloc in the bpf_local_storage when CONFIG_PREEMPT_RT
is enabled.

[   35.118559] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
[   35.118566] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1832, name: test_progs
[   35.118569] preempt_count: 1, expected: 0
[   35.118571] RCU nest depth: 1, expected: 1
[   35.118577] INFO: lockdep is turned off.
    ...
[   35.118647]  __might_resched+0x433/0x5b0
[   35.118677]  rt_spin_lock+0xc3/0x290
[   35.118700]  ___slab_alloc+0x72/0xc40
[   35.118723]  __kmalloc_noprof+0x13f/0x4e0
[   35.118732]  bpf_map_kzalloc+0xe5/0x220
[   35.118740]  bpf_selem_alloc+0x1d2/0x7b0
[   35.118755]  bpf_local_storage_update+0x2fa/0x8b0
[   35.118784]  bpf_sk_storage_get_tracing+0x15a/0x1d0
[   35.118791]  bpf_prog_9a118d86fca78ebb_trace_inet_sock_set_state+0x44/0x66
[   35.118795]  bpf_trace_run3+0x222/0x400
[   35.118820]  __bpf_trace_inet_sock_set_state+0x11/0x20
[   35.118824]  trace_inet_sock_set_state+0x112/0x130
[   35.118830]  inet_sk_state_store+0x41/0x90
[   35.118836]  tcp_set_state+0x3b3/0x640

There is no need to adjust the gfp_flags passed to
bpf_mem_cache_alloc_flags(), which only honors GFP_KERNEL.
The verifier has ensured GFP_KERNEL is passed only in sleepable context.

It has been an old issue since the first introduction of the
bpf_local_storage ~5 years ago, so this patch targets the bpf-next.

bpf_mem_alloc is needed to solve it, so the Fixes tag is set
to the commit when bpf_mem_alloc was first used in the bpf_local_storage.

Fixes: 08a7ce38 ("bpf: Use bpf_mem_cache_alloc/free in bpf_local_storage_elem")
Reported-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://lore.kernel.org/r/20241218193000.2084281-1-martin.lau@linux.dev


Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Tengda Wu <wutengda2@huawei.com>
parent d7f2d2bf
+6 −2
@@ -823,8 +823,12 @@ bpf_local_storage_map_alloc(union bpf_attr *attr,
	smap->elem_size = offsetof(struct bpf_local_storage_elem,
				   sdata.data[attr->value_size]);

	smap->bpf_ma = bpf_ma;
	if (bpf_ma) {
	/* In PREEMPT_RT, kmalloc(GFP_ATOMIC) is still not safe in non
	 * preemptible context. Thus, enforce all storages to use
	 * bpf_mem_alloc when CONFIG_PREEMPT_RT is enabled.
	 */
	smap->bpf_ma = IS_ENABLED(CONFIG_PREEMPT_RT) ? true : bpf_ma;
	if (smap->bpf_ma) {
		err = bpf_mem_alloc_init(&smap->selem_ma, smap->elem_size, false);
		if (err)
			goto free_smap;
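
Review bot: The new assignment `smap->bpf_ma = IS_ENABLED(CONFIG_PREEMPT_RT) ? true : bpf_ma;` silently overrides the caller's `bpf_ma` argument on PREEMPT_RT builds, so a caller that passed `false` now gets a map backed by bpf_mem_alloc without knowing it. Please confirm that every allocation and free path for the element decides based on `smap->bpf_ma` and never on the value the caller originally passed, since a mismatch would free an object to the wrong allocator. It would also help to note at the function's parameter documentation, or at the call sites, that `bpf_ma == false` is a request rather than a guarantee. As a minor style point, the ternary can be written as `IS_ENABLED(CONFIG_PREEMPT_RT) || bpf_ma`, which reads more directly and yields the same value.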