• Dave Marchevsky's avatar
    selftests/bpf: Add rbtree test exercising race which 'owner' field prevents · fdf48dc2
    Dave Marchevsky authored
    This patch adds a runnable version of one of the races described by
    Kumar in [0]. Specifically, this interleaving:
    
    (rbtree1 and list head protected by lock1, rbtree2 protected by lock2)
    
    Prog A                          Prog B
    ======================================
    n = bpf_obj_new(...)
    m = bpf_refcount_acquire(n)
    kptr_xchg(map, m)
    
                                    m = kptr_xchg(map, NULL)
                                    lock(lock2)
    				bpf_rbtree_add(rbtree2, m->r, less)
    				unlock(lock2)
    
    lock(lock1)
    bpf_list_push_back(head, n->l)
    /* make n non-owning ref */
    bpf_rbtree_remove(rbtree1, n->r)
    unlock(lock1)
    
    The above interleaving, the node's struct bpf_rb_node *r can be used to
    add it to either rbtree1 or rbtree2, which are protected by different
    locks. If the node has been added to rbtree2, we should not be allowed
    to remove it while holding rbtree1's lock.
    
    Before changes in the previous patch in this series, the rbtree_remove
    in the second part of Prog A would succeed as the verifier has no way of
    knowing which tree owns a particular node at verification time. The
    addition of 'owner' field results in bpf_rbtree_remove correctly
    failing.
    
    The test added in this patch splits "Prog A" above into two separate BPF
    programs - A1 and A2 - and uses a second mapval + kptr_xchg to pass n
    from A1 to A2 similarly to the pass from A1 to B. If the test is run
    without the fix applied, the remove will succeed.
    
    Kumar's example had the two programs running on separate CPUs. This
    patch doesn't do this as it's not necessary to exercise the broken
    behavior / validate fixed behavior.
    
      [0]: https://lore.kernel.org/bpf/d7hyspcow5wtjcmw4fugdgyp3fwhljwuscp3xyut5qnwivyeru@ysdq543otzv2Signed-off-by: default avatarDave Marchevsky <davemarchevsky@fb.com>
    Suggested-by: default avatarKumar Kartikeya Dwivedi <memxor@gmail.com>
    Link: https://lore.kernel.org/r/20230718083813.3416104-5-davemarchevsky@fb.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
    fdf48dc2
refcounted_kptr.c 1.31 KB