bpf: fix ri->map_owner pointer on bpf_prog_realloc

Commit 109980b894e9 ("bpf: don't select potentially stale
ri->map from buggy xdp progs") passed the pointer to the prog
itself to be loaded into r4 prior on bpf_redirect_map() helper
call, so that we can store the owner into ri->map_owner out of
the helper.

Issue with that is that the actual address of the prog is still
subject to change when subsequent rewrites occur that require
slow path in bpf_prog_realloc() to alloc more memory, e.g. from
patching inlining helper functions or constant blinding. Thus,
we really need to take prog->aux as the address we're holding,
which also works with prog clones as they share the same aux
object.

Instead of then fetching aux->prog during runtime, which could
potentially incur cache misses due to false sharing, we are
going to just use aux for comparison on the map owner. This
will also keep the patchlet of the same size, and later check
in xdp_map_invalid() only accesses read-only aux pointer from
the prog, it's also in the same cacheline already from prior
access when calling bpf_func.

Fixes: 109980b894e9 ("bpf: don't select potentially stale ri->map from buggy xdp progs")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 799b2451ef2df42b17aadfe679a09dee9a0848c9..b914fbe1383e83fa9609944bc54358456794f470 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4205,7 +4205,12 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
                }
 
                if (insn->imm == BPF_FUNC_redirect_map) {
-                       u64 addr = (unsigned long)prog;
+                       /* Note, we cannot use prog directly as imm as subsequent
+                        * rewrites would still change the prog pointer. The only
+                        * stable address we can use is aux, which also works with
+                        * prog clones during blinding.
+                        */
+                       u64 addr = (unsigned long)prog->aux;
                        struct bpf_insn r4_ld[] = {
                                BPF_LD_IMM64(BPF_REG_4, addr),
                                *insn,

diff --git a/net/core/filter.c b/net/core/filter.c
index 24dd33dd9f0452994623e26e3a379f0bf56190ce..82edad58d066857aeee562661098effa3b3e6961 100644 (file)
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1794,7 +1794,7 @@ struct redirect_info {
        u32 flags;
        struct bpf_map *map;
        struct bpf_map *map_to_flush;
-       const struct bpf_prog *map_owner;
+       unsigned long   map_owner;
 };
 
 static DEFINE_PER_CPU(struct redirect_info, redirect_info);
@@ -2500,11 +2500,17 @@ void xdp_do_flush_map(void)
 }
 EXPORT_SYMBOL_GPL(xdp_do_flush_map);
 
+static inline bool xdp_map_invalid(const struct bpf_prog *xdp_prog,
+                                  unsigned long aux)
+{
+       return (unsigned long)xdp_prog->aux != aux;
+}
+
 static int xdp_do_redirect_map(struct net_device *dev, struct xdp_buff *xdp,
                               struct bpf_prog *xdp_prog)
 {
        struct redirect_info *ri = this_cpu_ptr(&redirect_info);
-       const struct bpf_prog *map_owner = ri->map_owner;
+       unsigned long map_owner = ri->map_owner;
        struct bpf_map *map = ri->map;
        struct net_device *fwd = NULL;
        u32 index = ri->ifindex;
@@ -2512,9 +2518,9 @@ static int xdp_do_redirect_map(struct net_device *dev, struct xdp_buff *xdp,
 
        ri->ifindex = 0;
        ri->map = NULL;
-       ri->map_owner = NULL;
+       ri->map_owner = 0;
 
-       if (unlikely(map_owner != xdp_prog)) {
+       if (unlikely(xdp_map_invalid(xdp_prog, map_owner))) {
                err = -EFAULT;
                map = NULL;
                goto err;
@@ -2574,7 +2580,7 @@ int xdp_do_generic_redirect(struct net_device *dev, struct sk_buff *skb,
                            struct bpf_prog *xdp_prog)
 {
        struct redirect_info *ri = this_cpu_ptr(&redirect_info);
-       const struct bpf_prog *map_owner = ri->map_owner;
+       unsigned long map_owner = ri->map_owner;
        struct bpf_map *map = ri->map;
        struct net_device *fwd = NULL;
        u32 index = ri->ifindex;
@@ -2583,10 +2589,10 @@ int xdp_do_generic_redirect(struct net_device *dev, struct sk_buff *skb,
 
        ri->ifindex = 0;
        ri->map = NULL;
-       ri->map_owner = NULL;
+       ri->map_owner = 0;
 
        if (map) {
-               if (unlikely(map_owner != xdp_prog)) {
+               if (unlikely(xdp_map_invalid(xdp_prog, map_owner))) {
                        err = -EFAULT;
                        map = NULL;
                        goto err;
@@ -2632,7 +2638,7 @@ BPF_CALL_2(bpf_xdp_redirect, u32, ifindex, u64, flags)
        ri->ifindex = ifindex;
        ri->flags = flags;
        ri->map = NULL;
-       ri->map_owner = NULL;
+       ri->map_owner = 0;
 
        return XDP_REDIRECT;
 }
@@ -2646,7 +2652,7 @@ static const struct bpf_func_proto bpf_xdp_redirect_proto = {
 };
 
 BPF_CALL_4(bpf_xdp_redirect_map, struct bpf_map *, map, u32, ifindex, u64, flags,
-          const struct bpf_prog *, map_owner)
+          unsigned long, map_owner)
 {
        struct redirect_info *ri = this_cpu_ptr(&redirect_info);