Commit 830f1fc0 authored by Benjamin Tissoires's avatar Benjamin Tissoires Committed by Pu Lehui
Browse files

bpf: replace bpf_timer_set_callback with a generic helper 

mainline inclusion
from mainline-v6.10-rc1
commit 073f11b0264310b85754b6a0946afee753790c66
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEM1
CVE: CVE-2024-41045

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=073f11b02643



--------------------------------

In the same way we have a generic __bpf_async_init(), we also need
to share code between timer and workqueue for the set_callback call.

We just add an unused flags parameter, as it will be used for workqueues.

Signed-off-by: default avatarBenjamin Tissoires <bentiss@kernel.org>
Link: https://lore.kernel.org/r/20240420-bpf_wq-v2-3-6c986a5a741f@kernel.org


Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
Signed-off-by: default avatarPu Lehui <pulehui@huawei.com>
parent 4075a70c

kernel/bpf/helpers.c

+18 −11
Original line number Diff line number Diff line
@@ -1263,22 +1263,23 @@ static const struct bpf_func_proto bpf_timer_init_proto = { 
	.arg3_type	= ARG_ANYTHING,

};



BPF_CALL_3(bpf_timer_set_callback, struct bpf_async_kern *, timer, void *, callback_fn,

	   struct bpf_prog_aux *, aux)

static int __bpf_async_set_callback(struct bpf_async_kern *async, void *callback_fn,

				    struct bpf_prog_aux *aux, unsigned int flags,

				    enum bpf_async_type type)

{

	struct bpf_prog *prev, *prog = aux->prog;

	struct bpf_hrtimer *t;

	struct bpf_async_cb *cb;

	int ret = 0;



	if (in_nmi())

		return -EOPNOTSUPP;

	__bpf_spin_lock_irqsave(&timer->lock);

	t = timer->timer;

	if (!t) {

	__bpf_spin_lock_irqsave(&async->lock);

	cb = async->cb;

	if (!cb) {

		ret = -EINVAL;

		goto out;

	}

	if (!atomic64_read(&t->cb.map->usercnt)) {

	if (!atomic64_read(&cb->map->usercnt)) {

		/* maps with timers must be either held by user space

		 * or pinned in bpffs. Otherwise timer might still be

		 * running even when bpf prog is detached and user space
@@ -1287,7 +1288,7 @@ BPF_CALL_3(bpf_timer_set_callback, struct bpf_async_kern *, timer, void *, callb 
		ret = -EPERM;

		goto out;

	}

	prev = t->cb.prog;

	prev = cb->prog;

	if (prev != prog) {

		/* Bump prog refcnt once. Every bpf_timer_set_callback()

		 * can pick different callback_fn-s within the same prog.
@@ -1300,14 +1301,20 @@ BPF_CALL_3(bpf_timer_set_callback, struct bpf_async_kern *, timer, void *, callb 
		if (prev)

			/* Drop prev prog refcnt when swapping with new prog */

			bpf_prog_put(prev);

		t->cb.prog = prog;

		cb->prog = prog;

	}

	rcu_assign_pointer(t->cb.callback_fn, callback_fn);

	rcu_assign_pointer(cb->callback_fn, callback_fn);

out:

	__bpf_spin_unlock_irqrestore(&timer->lock);

	__bpf_spin_unlock_irqrestore(&async->lock);

	return ret;

}



BPF_CALL_3(bpf_timer_set_callback, struct bpf_async_kern *, timer, void *, callback_fn,

	   struct bpf_prog_aux *, aux)

{

	return __bpf_async_set_callback(timer, callback_fn, aux, 0, BPF_ASYNC_TYPE_TIMER);

}



static const struct bpf_func_proto bpf_timer_set_callback_proto = {

	.func		= bpf_timer_set_callback,

	.gpl_only	= true,