• Daniel Borkmann's avatar
    bpf: fix redirect to map under tail calls · f6069b9a
    Daniel Borkmann authored
    Commits 109980b8 ("bpf: don't select potentially stale ri->map
    from buggy xdp progs") and 7c300131 ("bpf: fix ri->map_owner
    pointer on bpf_prog_realloc") tried to mitigate that buggy programs
    using bpf_redirect_map() helper call do not leave stale maps behind.
    Idea was to add a map_owner cookie into the per CPU struct redirect_info
    which was set to prog->aux by the prog making the helper call as a
    proof that the map is not stale since the prog is implicitly holding
    a reference to it. This owner cookie could later on get compared with
    the program calling into BPF whether they match and therefore the
    redirect could proceed with processing the map safely.
    
    In (obvious) hindsight, this approach breaks down when tail calls are
    involved since the original caller's prog->aux pointer does not have
    to match the one from one of the progs out of the tail call chain,
    and therefore the xdp buffer will be dropped instead of redirected.
    A way around that would be to fix the issue differently (which also
    allows to remove related work in fast path at the same time): once
    the life-time of a redirect map has come to its end we use it's map
    free callback where we need to wait on synchronize_rcu() for current
    outstanding xdp buffers and remove such a map pointer from the
    redirect info if found to be present. At that time no program is
    using this map anymore so we simply invalidate the map pointers to
    NULL iff they previously pointed to that instance while making sure
    that the redirect path only reads out the map once.
    
    Fixes: 97f91a7c ("bpf: add bpf_redirect_map helper routine")
    Fixes: 109980b8 ("bpf: don't select potentially stale ri->map from buggy xdp progs")
    Reported-by: default avatarSebastiano Miano <sebastiano.miano@polito.it>
    Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
    Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
    Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
    f6069b9a
verifier.c 175 KB