bpf: Fix trampoline usage in preempt

author Alexei Starovoitov <ast@kernel.org>

Tue, 21 Jan 2020 03:22:31 +0000 (19:22 -0800)

committer Daniel Borkmann <daniel@iogearbox.net>

Wed, 22 Jan 2020 10:31:21 +0000 (11:31 +0100)
author Alexei Starovoitov <ast@kernel.org>
Tue, 21 Jan 2020 03:22:31 +0000 (19:22 -0800)
committer Daniel Borkmann <daniel@iogearbox.net>
Wed, 22 Jan 2020 10:31:21 +0000 (11:31 +0100)
diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c

index 79a04417050dba6741aed7497454afd58b3f10f8..7657ede7aee211623ffbc782d29da49f0686684c 100644 (file)
--- a/kernel/bpf/trampoline.c
+++ b/kernel/bpf/trampoline.c
@@ -160,6 +160,14 @@ static int bpf_trampoline_update(struct bpf_trampoline *tr)
         if (fexit_cnt)
                 flags = BPF_TRAMP_F_CALL_ORIG | BPF_TRAMP_F_SKIP_FRAME;
  
+       /* Though the second half of trampoline page is unused a task could be
+        * preempted in the middle of the first half of trampoline and two
+        * updates to trampoline would change the code from underneath the
+        * preempted task. Hence wait for tasks to voluntarily schedule or go
+        * to userspace.
+        */
+       synchronize_rcu_tasks();
+
         err = arch_prepare_bpf_trampoline(new_image, new_image + PAGE_SIZE / 2,
                                           &tr->func.model, flags,
                                           fentry, fentry_cnt,
@@ -251,6 +259,8 @@ void bpf_trampoline_put(struct bpf_trampoline *tr)
                 goto out;
         if (WARN_ON_ONCE(!hlist_empty(&tr->progs_hlist[BPF_TRAMP_FEXIT])))
                 goto out;
+       /* wait for tasks to get out of trampoline before freeing it */
+       synchronize_rcu_tasks();
         bpf_jit_free_exec(tr->image);
         hlist_del(&tr->hlist);
         kfree(tr);
author	Alexei Starovoitov <ast@kernel.org>
	Tue, 21 Jan 2020 03:22:31 +0000 (19:22 -0800)
committer	Daniel Borkmann <daniel@iogearbox.net>
	Wed, 22 Jan 2020 10:31:21 +0000 (11:31 +0100)