bpf: Check whether or not node is NULL before free it in free_bulk - kernel

diff options

author	Hou Tao <[email protected]>	2022-09-19 14:48:11 +0000
committer	Alexei Starovoitov <[email protected]>	2022-09-20 15:06:27 +0000
commit	c31b38cb948ee7d3317139f005fa1f90de4a06b7 (patch)
tree	5e1a3ff347842b592b258d6881b4eaee79a8ce6f /samples/bpf/task_fd_query_user.c
parent	selftests/bpf: Add test result messages for test_task_storage_map_stress_lookup (diff)
download	kernel-c31b38cb948ee7d3317139f005fa1f90de4a06b7.tar.gz kernel-c31b38cb948ee7d3317139f005fa1f90de4a06b7.zip

bpf: Check whether or not node is NULL before free it in free_bulk

llnode could be NULL if there are new allocations after the checking of c-free_cnt > c->high_watermark in bpf_mem_refill() and before the calling of __llist_del_first() in free_bulk (e.g. a PREEMPT_RT kernel or allocation in NMI context). And it will incur oops as shown below: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] PREEMPT_RT SMP CPU: 39 PID: 373 Comm: irq_work/39 Tainted: G W 6.0.0-rc6-rt9+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:bpf_mem_refill+0x66/0x130 ...... Call Trace: <TASK> irq_work_single+0x24/0x60 irq_work_run_list+0x24/0x30 run_irq_workd+0x18/0x20 smpboot_thread_fn+0x13f/0x2c0 kthread+0x121/0x140 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 </TASK> Simply fixing it by checking whether or not llnode is NULL in free_bulk(). Fixes: 8d5a8011b35d ("bpf: Batch call_rcu callbacks instead of SLAB_TYPESAFE_BY_RCU.") Signed-off-by: Hou Tao <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Alexei Starovoitov <[email protected]>

Diffstat (limited to 'samples/bpf/task_fd_query_user.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: