From patchwork Wed Nov 2 08:16:20 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Baisong Zhong X-Patchwork-Id: 14074 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp3481239wru; Wed, 2 Nov 2022 01:19:12 -0700 (PDT) X-Google-Smtp-Source: AMsMyM6iecYMQQVw1DV1bbyiZIhXZoTqko7O936Ps5dC5rujJ1frfIOMPQF1JNd9LIO6ukXZ9fPt X-Received: by 2002:a17:90b:19d1:b0:213:7030:6bd9 with SMTP id nm17-20020a17090b19d100b0021370306bd9mr24683444pjb.43.1667377152335; Wed, 02 Nov 2022 01:19:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1667377152; cv=none; d=google.com; s=arc-20160816; b=08vsuRKsimwo6FUiXXSKIw1eqYu/MZ+3mh6PtHN6DF6IMIdU4GPjFQ4ygntlkjWUme bAtBPr5L3XBtQ/9BAWAkaHZnxl4h4spTMeU1FAD4fzwkrEy9SBiNQQgyKL9WclXzlHkc xieRFWZDwGVFKRCf8uUBrIxdXJj5GPN4FvNCi1frHLcWHDkxuxVzJkizchVFq5o2sz2r jVGFrlAg8RkpDGcqgyw7C9AnM3AZpMNmxrXj+Xs3I4AgNDGINDOhFmUA7jokE+akmxa9 IHzJaSwNKgGShHhjwIi6CroXvZKkbGY7x6Uwu3JZVecKgwFjqaV/J6CbRIBdpQcVhnvT 6ZdQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=yFOQLH1O+sSCK/RAGFvYBnCUOgWWUEDRvCwynRN9ekY=; b=muRqIas0WsCb/xA2tgYz17L2EuFPq0BAARUL5aWU6OjgqGb+X8FSSDPpJ3QqyPvFya phGV/d/C6+Hkb9cEZn8hjdewpuZ2iWvCdD7v1I+gjyL1rUwSaOXPhJkGWI8TH5rV+oBh Su45gMPG+7zJknpOTH3rSUPJKqAuivb82DOQhtUAqXPy2/r5hmn5PEOhc2jYhh0TxPOS SslvmTHIX5S4dWaCqZx5MhD4fH2ICnYHruinLgr2EbQFFExqq6EHxAy/kAO+hEdk00o0 WkaJjqaYfKhCFyKHBrJwPK26xq4Uh7mtMmHnoD/fl7lFOO57sVrYa54s+0qPmpqjbp6Q Z8Ow== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ls3-20020a17090b350300b001fe2de6a2c9si1935743pjb.4.2022.11.02.01.18.59; Wed, 02 Nov 2022 01:19:12 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230106AbiKBIQd (ORCPT + 99 others); Wed, 2 Nov 2022 04:16:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50816 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230171AbiKBIQ0 (ORCPT ); Wed, 2 Nov 2022 04:16:26 -0400 Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [45.249.212.189]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 996852529C; Wed, 2 Nov 2022 01:16:23 -0700 (PDT) Received: from canpemm500005.china.huawei.com (unknown [172.30.72.53]) by szxga03-in.huawei.com (SkyGuard) with ESMTP id 4N2KQb6XN0zJnS6; Wed, 2 Nov 2022 16:13:27 +0800 (CST) Received: from huawei.com (10.175.104.82) by canpemm500005.china.huawei.com (7.192.104.229) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Wed, 2 Nov 2022 16:16:21 +0800 From: Baisong Zhong To: , , , , , , CC: , , , , , Subject: [PATCH -next,v2] bpf, test_run: fix alignment problem in bpf_prog_test_run_skb() Date: Wed, 2 Nov 2022 16:16:20 +0800 Message-ID: <20221102081620.1465154-1-zhongbaisong@huawei.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Originating-IP: [10.175.104.82] X-ClientProxiedBy: dggems702-chm.china.huawei.com (10.3.19.179) To canpemm500005.china.huawei.com (7.192.104.229) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1748265211376281154?= X-GMAIL-MSGID: =?utf-8?q?1748371664776887894?= we got a syzkaller problem because of aarch64 alignment fault if KFENCE enabled. When the size from user bpf program is an odd number, like 399, 407, etc, it will cause the struct skb_shared_info's unaligned access. As seen below: BUG: KFENCE: use-after-free read in __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032 Use-after-free read at 0xffff6254fffac077 (in kfence-#213): __lse_atomic_add arch/arm64/include/asm/atomic_lse.h:26 [inline] arch_atomic_add arch/arm64/include/asm/atomic.h:28 [inline] arch_atomic_inc include/linux/atomic-arch-fallback.h:270 [inline] atomic_inc include/asm-generic/atomic-instrumented.h:241 [inline] __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032 skb_clone+0xf4/0x214 net/core/skbuff.c:1481 ____bpf_clone_redirect net/core/filter.c:2433 [inline] bpf_clone_redirect+0x78/0x1c0 net/core/filter.c:2420 bpf_prog_d3839dd9068ceb51+0x80/0x330 bpf_dispatcher_nop_func include/linux/bpf.h:728 [inline] bpf_test_run+0x3c0/0x6c0 net/bpf/test_run.c:53 bpf_prog_test_run_skb+0x638/0xa7c net/bpf/test_run.c:594 bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline] __do_sys_bpf kernel/bpf/syscall.c:4441 [inline] __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381 kfence-#213: 0xffff6254fffac000-0xffff6254fffac196, size=407, cache=kmalloc-512 allocated by task 15074 on cpu 0 at 1342.585390s: kmalloc include/linux/slab.h:568 [inline] kzalloc include/linux/slab.h:675 [inline] bpf_test_init.isra.0+0xac/0x290 net/bpf/test_run.c:191 bpf_prog_test_run_skb+0x11c/0xa7c net/bpf/test_run.c:512 bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline] __do_sys_bpf kernel/bpf/syscall.c:4441 [inline] __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381 __arm64_sys_bpf+0x50/0x60 kernel/bpf/syscall.c:4381 To fix the problem, we adjust @size so that (@size + @hearoom) is a multiple of SMP_CACHE_BYTES. So we make sure the struct skb_shared_info is aligned to a cache line. Fixes: 1cf1cae963c2 ("bpf: introduce BPF_PROG_TEST_RUN command") Signed-off-by: Baisong Zhong --- v2: use SKB_DATA_ALIGN instead kmalloc_size_roundup --- net/bpf/test_run.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c index 4b855af267b1..bfdd7484b93f 100644 --- a/net/bpf/test_run.c +++ b/net/bpf/test_run.c @@ -259,6 +259,7 @@ static void *bpf_test_init(const union bpf_attr *kattr, u32 size, if (user_size > size) return ERR_PTR(-EMSGSIZE); + size = SKB_DATA_ALIGN(size); data = kzalloc(size + headroom + tailroom, GFP_USER); if (!data) return ERR_PTR(-ENOMEM);