Message ID | dd091b1fec763d74185a156ecd2f972810bdd1ce.1508251210.git.daniel@iogearbox.net |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Headers | show |
Series | Fix for BPF devmap percpu allocation splat | expand |
On Tue, Oct 17, 2017 at 04:55:53PM +0200, Daniel Borkmann wrote: > It was reported that syzkaller was able to trigger a splat on > devmap percpu allocation due to illegal/unsupported allocation > request size passed to __alloc_percpu(): > > [ 70.094249] illegal size (32776) or align (8) for percpu allocation > [ 70.094256] ------------[ cut here ]------------ > [ 70.094259] WARNING: CPU: 3 PID: 3451 at mm/percpu.c:1365 pcpu_alloc+0x96/0x630 > [...] > [ 70.094325] Call Trace: > [ 70.094328] __alloc_percpu_gfp+0x12/0x20 > [ 70.094330] dev_map_alloc+0x134/0x1e0 > [ 70.094331] SyS_bpf+0x9bc/0x1610 > [ 70.094333] ? selinux_task_setrlimit+0x5a/0x60 > [ 70.094334] ? security_task_setrlimit+0x43/0x60 > [ 70.094336] entry_SYSCALL_64_fastpath+0x1a/0xa5 > > This was due to too large max_entries for the map such that we > surpassed the upper limit of PCPU_MIN_UNIT_SIZE. It's fine to > fail naturally here, so switch to __alloc_percpu_gfp() and pass > __GFP_NOWARN instead. > > Fixes: 11393cc9b9be ("xdp: Add batching support to redirect map") > Reported-by: Mark Rutland <mark.rutland@arm.com> > Reported-by: Shankara Pailoor <sp3485@columbia.edu> > Reported-by: Richard Weinberger <richard@nod.at> > Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> > Cc: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org>
On 10/17/2017 07:55 AM, Daniel Borkmann wrote: > It was reported that syzkaller was able to trigger a splat on > devmap percpu allocation due to illegal/unsupported allocation > request size passed to __alloc_percpu(): > > [ 70.094249] illegal size (32776) or align (8) for percpu allocation > [ 70.094256] ------------[ cut here ]------------ > [ 70.094259] WARNING: CPU: 3 PID: 3451 at mm/percpu.c:1365 pcpu_alloc+0x96/0x630 > [...] > [ 70.094325] Call Trace: > [ 70.094328] __alloc_percpu_gfp+0x12/0x20 > [ 70.094330] dev_map_alloc+0x134/0x1e0 > [ 70.094331] SyS_bpf+0x9bc/0x1610 > [ 70.094333] ? selinux_task_setrlimit+0x5a/0x60 > [ 70.094334] ? security_task_setrlimit+0x43/0x60 > [ 70.094336] entry_SYSCALL_64_fastpath+0x1a/0xa5 > > This was due to too large max_entries for the map such that we > surpassed the upper limit of PCPU_MIN_UNIT_SIZE. It's fine to > fail naturally here, so switch to __alloc_percpu_gfp() and pass > __GFP_NOWARN instead. > > Fixes: 11393cc9b9be ("xdp: Add batching support to redirect map") > Reported-by: Mark Rutland <mark.rutland@arm.com> > Reported-by: Shankara Pailoor <sp3485@columbia.edu> > Reported-by: Richard Weinberger <richard@nod.at> > Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> > Cc: John Fastabend <john.fastabend@gmail.com> > --- Thanks! Acked-by: John Fastabend <john.fastabend@gmail.com>
diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c index e093d9a..920428d 100644 --- a/kernel/bpf/devmap.c +++ b/kernel/bpf/devmap.c @@ -111,8 +111,9 @@ static struct bpf_map *dev_map_alloc(union bpf_attr *attr) err = -ENOMEM; /* A per cpu bitfield with a bit per possible net device */ - dtab->flush_needed = __alloc_percpu(dev_map_bitmap_size(attr), - __alignof__(unsigned long)); + dtab->flush_needed = __alloc_percpu_gfp(dev_map_bitmap_size(attr), + __alignof__(unsigned long), + GFP_KERNEL | __GFP_NOWARN); if (!dtab->flush_needed) goto free_dtab;
It was reported that syzkaller was able to trigger a splat on devmap percpu allocation due to illegal/unsupported allocation request size passed to __alloc_percpu(): [ 70.094249] illegal size (32776) or align (8) for percpu allocation [ 70.094256] ------------[ cut here ]------------ [ 70.094259] WARNING: CPU: 3 PID: 3451 at mm/percpu.c:1365 pcpu_alloc+0x96/0x630 [...] [ 70.094325] Call Trace: [ 70.094328] __alloc_percpu_gfp+0x12/0x20 [ 70.094330] dev_map_alloc+0x134/0x1e0 [ 70.094331] SyS_bpf+0x9bc/0x1610 [ 70.094333] ? selinux_task_setrlimit+0x5a/0x60 [ 70.094334] ? security_task_setrlimit+0x43/0x60 [ 70.094336] entry_SYSCALL_64_fastpath+0x1a/0xa5 This was due to too large max_entries for the map such that we surpassed the upper limit of PCPU_MIN_UNIT_SIZE. It's fine to fail naturally here, so switch to __alloc_percpu_gfp() and pass __GFP_NOWARN instead. Fixes: 11393cc9b9be ("xdp: Add batching support to redirect map") Reported-by: Mark Rutland <mark.rutland@arm.com> Reported-by: Shankara Pailoor <sp3485@columbia.edu> Reported-by: Richard Weinberger <richard@nod.at> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Cc: John Fastabend <john.fastabend@gmail.com> --- kernel/bpf/devmap.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)