path: root/Documentation/filesystems/caching/backend-api.rst
author Toke Høiland-Jørgensen <[email protected]> 2021-10-26 13:00:19 +0200
committer Alexei Starovoitov <[email protected]> 2021-10-26 12:37:28 -0700
commit 54713c85f536048e685258f880bf298a74c3620d (patch)
tree a3641b7d50d144bb45f184aea271f72b34ff85a7 /Documentation/filesystems/caching/backend-api.rst
parent 99d0a3831e3500d945162cdb2310e3a5fce90b60 (diff)
bpf: Fix potential race in tail call compatibility check
Lorenzo noticed that the code testing for program type compatibility of tail call maps is potentially racy in that two threads could encounter a map with an unset type simultaneously and both return true even though they are inserting incompatible programs.

The race window is quite small, but artificially enlarging it by adding a usleep_range() inside the check in bpf_prog_array_compatible() makes it trivial to trigger from userspace with a program that does, essentially:

        map_fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, 4, 4, 2, 0);
        pid = fork();
        if (pid) {
                key = 0;
                value = xdp_fd;
        } else {
                key = 1;
                value = tc_fd;
        }
        err = bpf_map_update_elem(map_fd, &key, &value, 0);

While the race window is small, it has potentially serious ramifications in that triggering it would allow a BPF program to tail call to a program of a different type. So let's get rid of it by protecting the update with a spinlock. The commit in the Fixes tag is the last commit that touches the code in question.

v2:
- Use a spinlock instead of an atomic variable and cmpxchg() (Alexei)
v3:
- Put lock and the members it protects into an embedded 'owner' struct (Daniel)

Fixes: 3324b584b6f6 ("ebpf: misc core cleanup")
Reported-by: Lorenzo Bianconi <[email protected]>
Signed-off-by: Toke Høiland-Jørgensen <[email protected]>
Signed-off-by: Alexei Starovoitov <[email protected]>
Link: https://lore.kernel.org/bpf/[email protected]
Diffstat (limited to 'Documentation/filesystems/caching/backend-api.rst')
0 files changed, 0 insertions, 0 deletions
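
The check-then-set race described in the commit message, as an added example that is not part of the commit or the kernel source: a userspace C model that replays the "both callers read an unset type" interleaving sequentially and compares it with a check done under one lock. All struct, function and constant names are hypothetical, and a C11 atomic_flag stands in for the kernel spinlock.

```c
/* Userspace model (not kernel code) of a check-then-set race and a locked check.
 * All names are hypothetical; TYPE_UNSET means "owner type not recorded yet". */
#include <stdatomic.h>
#include <stdbool.h>

enum { TYPE_UNSET = 0, TYPE_XDP = 1, TYPE_TC = 2 };  /* constructed sample types */

struct prog_array_model {
    struct {
        atomic_flag lock;   /* stands in for the kernel spinlock */
        int type;           /* protected by lock in the fixed shape */
    } owner;
};

/* Racy shape, split in two so one interleaving can be replayed deterministically:
 * step 1 reads the owner type, step 2 decides based on that (possibly stale) read. */
static int racy_read(const struct prog_array_model *m) { return m->owner.type; }
static bool racy_decide(struct prog_array_model *m, int seen, int prog_type)
{
    if (seen == TYPE_UNSET) {           /* decision uses the earlier snapshot */
        m->owner.type = prog_type;
        return true;
    }
    return seen == prog_type;
}

/* Fixed shape: the read, the first-time set and the compare share one lock. */
static bool locked_compatible(struct prog_array_model *m, int prog_type)
{
    bool ok;
    while (atomic_flag_test_and_set_explicit(&m->owner.lock, memory_order_acquire))
        ;                               /* spin until the lock is free */
    if (m->owner.type == TYPE_UNSET)
        m->owner.type = prog_type;      /* first inserter fixes the map's type */
    ok = (m->owner.type == prog_type);
    atomic_flag_clear_explicit(&m->owner.lock, memory_order_release);
    return ok;
}

/* Two inserters with different types hit a fresh map; returns how many succeed. */
static int replay(bool use_lock)
{
    struct prog_array_model m = { .owner = { ATOMIC_FLAG_INIT, TYPE_UNSET } };
    int a = racy_read(&m), b = racy_read(&m);   /* both observe TYPE_UNSET */
    if (use_lock)
        return locked_compatible(&m, TYPE_XDP) + locked_compatible(&m, TYPE_TC);
    return racy_decide(&m, a, TYPE_XDP) + racy_decide(&m, b, TYPE_TC);
}
```

In the unlocked replay both inserters are accepted even though their types differ; with the lock, only the first type to arrive is accepted and the other insert is refused.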