ich777/linux_media
1
0
Fork 0
mirror of https://github.com/tbsdtv/linux_media.git synced 2025-07-23 12:43:29 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
53f523f3052ac16bbc7718032aa6b848f971d28c
linux_media/kernel
History
Cong Wang 53f523f305 bpf: Clear percpu pointers in bpf_prog_clone_free() 
Similar to bpf_prog_realloc(), bpf_prog_clone_create() also copies
the percpu pointers, but the clone still shares them with the original
prog, so we have to clear these two percpu pointers in
bpf_prog_clone_free(). Otherwise we would get a double free:

 BUG: kernel NULL pointer dereference, address: 0000000000000000
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 0 P4D 0
 Oops: 0000 [#1] SMP PTI
 CPU: 13 PID: 8140 Comm: kworker/13:247 Kdump: loaded Tainted: G                W    OE
  5.11.0-rc4.bm.1-amd64+ #1
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
 test_bpf: #1 TXA
 Workqueue: events bpf_prog_free_deferred
 RIP: 0010:percpu_ref_get_many.constprop.97+0x42/0xf0
 Code: [...]
 RSP: 0018:ffffa6bce1f9bda0 EFLAGS: 00010002
 RAX: 0000000000000001 RBX: 0000000000000000 RCX: 00000000021dfc7b
 RDX: ffffffffae2eeb90 RSI: 867f92637e338da5 RDI: 0000000000000046
 RBP: ffffa6bce1f9bda8 R08: 0000000000000000 R09: 0000000000000001
 R10: 0000000000000046 R11: 0000000000000000 R12: 0000000000000280
 R13: 0000000000000000 R14: 0000000000000000 R15: ffff9b5f3ffdedc0
 FS:    0000000000000000(0000) GS:ffff9b5f2fb40000(0000) knlGS:0000000000000000
 CS:    0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000000 CR3: 000000027c36c002 CR4: 00000000003706e0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
    refill_obj_stock+0x5e/0xd0
    free_percpu+0xee/0x550
    __bpf_prog_free+0x4d/0x60
    process_one_work+0x26a/0x590
    worker_thread+0x3c/0x390
    ? process_one_work+0x590/0x590
    kthread+0x130/0x150
    ? kthread_park+0x80/0x80
    ret_from_fork+0x1f/0x30

This bug is 100% reproducible with test_kmod.sh.

Fixes: 700d4796ef ("bpf: Optimize program stats")
Fixes: ca06f55b90 ("bpf: Add per-program recursion prevention mechanism")
Reported-by: Jiang Wang <jiang.wang@bytedance.com>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20210218001647.71631-1-xiyou.wangcong@gmail.com
2021-02-22 18:08:35 +01:00
..
bpf
bpf: Clear percpu pointers in bpf_prog_clone_free()
2021-02-22 18:08:35 +01:00
cgroup
cgroup: fix psi monitor for root cgroup
2021-01-19 11:37:05 -05:00
configs
staging: ION: remove some references to CONFIG_ION
2021-01-06 17:39:38 +01:00
debug
smp: Cleanup smp_call_function*()
2020-11-24 16:47:49 +01:00
dma
dma-mapping: benchmark: use u8 for reserved field in uAPI structure
2021-02-05 12:48:46 +01:00
entry
entry: Explicitly flush pending rcuog wakeup before last rescheduling point
2021-02-17 14:12:43 +01:00
events
Merge tag 'perf-core-2021-02-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2021-02-21 12:49:32 -08:00
gcov
init/gcov: allow CONFIG_CONSTRUCTORS on UML to fix module gcov
2021-02-05 11:03:47 -08:00
irq
Merge tag 'irq-core-2021-02-15' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2021-02-21 11:53:06 -08:00
kcsan
kcsan: Rewrite kcsan_prandom_u32_max() without prandom_u32_state()
2021-01-04 14:39:07 -08:00
livepatch
livepatch: Use the default ftrace_ops instead of REGS when ARGS is available
2020-11-13 12:15:28 -05:00
locking
Merge tag 'sched-core-2021-02-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2021-02-21 12:35:04 -08:00
power
Merge branches 'powercap' and 'pm-misc'
2021-02-15 18:50:01 +01:00
printk
Merge branch 'printk-rework' into for-linus
2021-01-25 14:29:35 +01:00
rcu
Merge tag 'sched-core-2021-02-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2021-02-21 12:35:04 -08:00
sched
Merge tag 'sched-core-2021-02-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2021-02-21 12:35:04 -08:00
time
Merge tag 'core-rcu-2021-02-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2021-02-21 12:04:41 -08:00
trace
Merge tag 'for-5.12/block-2021-02-17' of git://git.kernel.dk/linux-block
2021-02-21 11:02:48 -08:00
.gitignore
acct.c
kernel/acct.c: use #elif instead of #end and #elif
2020-12-15 22:46:15 -08:00
async.c
treewide: Remove uninitialized_var() usage
2020-07-16 12:35:15 -07:00
audit_fsnotify.c
fsnotify: generalize handle_inode_event()
2020-12-03 14:58:35 +01:00
audit_tree.c
fsnotify: generalize handle_inode_event()
2020-12-03 14:58:35 +01:00
audit_watch.c
fsnotify: generalize handle_inode_event()
2020-12-03 14:58:35 +01:00
audit.c
audit: replace atomic_add_return()
2020-12-02 22:52:16 -05:00
audit.h
audit: change unnecessary globals into statics
2020-08-17 20:26:58 -04:00
auditfilter.c
treewide: Use fallthrough pseudo-keyword
2020-08-23 17:36:59 -05:00
auditsc.c
Merge tag 'audit-pr-20201214' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit
2020-12-16 10:54:03 -08:00
backtracetest.c
treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD()
2020-07-30 11:15:58 -07:00
bounds.c
capability.c
LSM: Signal to SafeSetID when setting group IDs
2020-10-13 09:17:34 -07:00
compat.c
treewide: Use fallthrough pseudo-keyword
2020-08-23 17:36:59 -05:00
configs.c
context_tracking.c
context_tracking: Ensure that the critical path cannot be instrumented
2020-06-11 15:14:36 +02:00
cpu_pm.c
notifier: Fix broken error handling pattern
2020-09-01 09:58:03 +02:00
cpu.c
cpu/hotplug: Add lockdep_is_cpus_held()
2021-01-06 16:24:59 -08:00
crash_core.c
kdump: append uts_namespace.name offset to VMCOREINFO
2020-12-15 22:46:18 -08:00
crash_dump.c
cred.c
delayacct.c
dma.c
exec_domain.c
exit.c
kernel/io_uring: cancel io_uring before task works
2020-12-30 19:36:54 -07:00
extable.c
fail_function.c
fault-injection: handle EI_ETYPE_TRUE
2020-12-15 22:46:19 -08:00
fork.c
Kernel: fork.c: Fix coding style: Do not use {} around single-line statements
2021-01-11 12:55:01 +01:00
freezer.c
futex.c
Merge branch 'linus' into locking/core, to pick up upstream fixes
2021-02-12 12:54:58 +01:00
gen_kheaders.sh
kbuild: add variables for compression tools
2020-06-06 23:42:01 +09:00
groups.c
LSM: Signal to SafeSetID when setting group IDs
2020-10-13 09:17:34 -07:00
hung_task.c
kernel/hung_task.c: make type annotations consistent
2020-11-02 12:14:19 -08:00
iomem.c
irq_work.c
irq_work: Optimize irq_work_single()
2020-11-24 16:47:49 +01:00
jump_label.c
jump_label: Fix usage in module __init
2020-12-18 16:53:12 +01:00
kallsyms.c
treewide: Convert macro and uses of __section(foo) to __section("foo")
2020-10-25 14:51:49 -07:00
kcmp.c
Merge branch 'exec-update-lock-for-v5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
2020-12-15 19:36:48 -08:00
Kconfig.freezer
Kconfig.hz
Kconfig.locks
Kconfig.preempt
preempt: Introduce CONFIG_PREEMPT_DYNAMIC
2021-02-17 14:12:24 +01:00
kcov.c
kernel: make kcov_common_handle consider the current context
2020-11-02 18:00:20 -08:00
kexec_core.c
Merge branch 'work.elf-compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2021-02-21 09:29:23 -08:00
kexec_elf.c
kexec_file.c
crypto: sha - split sha.h into sha1.h and sha2.h
2020-11-20 14:45:33 +11:00
kexec_internal.h
kexec.c
LSM: Introduce kernel_post_load_data() hook
2020-10-05 13:37:03 +02:00
kheaders.c
kmod.c
kmod: remove redundant "be an" in the comment
2020-08-12 10:58:01 -07:00
kprobes.c
kretprobe: Avoid re-registration of the same kretprobe earlier
2021-01-29 17:29:16 -05:00
ksysfs.c
kthread.c
Merge tag 'sched_urgent_for_v5.11_rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2021-01-24 10:09:20 -08:00
latencytop.c
Makefile
kcov: don't instrument with UBSAN
2020-12-15 22:46:19 -08:00
module_signature.c
module_signing.c
module-internal.h
module.c
Merge tag 'modules-for-v5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux
2020-12-17 13:01:31 -08:00
notifier.c
notifier: Fix broken error handling pattern
2020-09-01 09:58:03 +02:00
nsproxy.c
Merge tag 'fixes-v5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
2020-12-14 16:40:27 -08:00
padata.c
padata: fix possible padata_works_lock deadlock
2020-09-04 17:51:55 +10:00
panic.c
panic: don't dump stack twice on warn
2020-11-14 11:26:04 -08:00
params.c
Merge tag 'modules-for-v5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux
2020-12-17 13:01:31 -08:00
pid_namespace.c
Merge tag 'fixes-v5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
2020-12-14 16:40:27 -08:00
pid.c
Merge branch 'exec-update-lock-for-v5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
2020-12-15 19:36:48 -08:00
profile.c
ptrace.c
Merge branch 'akpm' (patches from Andrew)
2020-12-15 12:53:37 -08:00
range.c
kernel.h: split out min()/max() et al. helpers
2020-10-16 11:11:19 -07:00
reboot.c
reboot: hide from sysfs not applicable settings
2020-12-15 22:46:19 -08:00
regset.c
regset: kill ->get()
2020-07-27 14:31:12 -04:00
relay.c
relay: allow the use of const callback structs
2020-12-15 22:46:18 -08:00
resource_kunit.c
resource: provide meaningful MODULE_LICENSE() in test suite
2020-11-25 18:52:35 +01:00
resource.c
kernel/resource.c: fix kernel-doc markups
2020-12-15 22:46:18 -08:00
rseq.c
scftorture.c
scftorture: Add debug output for wrong-CPU warning
2021-01-04 13:53:41 -08:00
scs.c
scs: switch to vmapped shadow stacks
2020-12-01 10:30:28 +00:00
seccomp.c
Merge tag 'seccomp-v5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
2020-12-16 11:30:10 -08:00
signal.c
Merge tag 'for-linus-2021-01-24' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
2021-01-24 09:35:28 -08:00
smp.c
smp: Process pending softirqs in flush_smp_call_function_from_idle()
2021-02-17 14:12:42 +01:00
smpboot.c
kthread: Extract KTHREAD_IS_PER_CPU
2021-01-22 15:09:42 +01:00
smpboot.h
softirq.c
Merge tag 'locking-urgent-2020-12-27' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2020-12-27 09:06:10 -08:00
stackleak.c
stackleak: let stack_erasing_sysctl take a kernel pointer buffer
2020-09-19 13:13:39 -07:00
stacktrace.c
stacktrace: Remove reliable argument from arch_stack_walk() callback
2020-09-18 14:24:16 +01:00
static_call.c
static_call: Allow module use without exposing static_call_key
2021-02-17 14:12:42 +01:00
stop_machine.c
Merge branch 'linus' into sched/core, to resolve semantic conflict
2020-11-27 11:10:50 +01:00
sys_ni.c
epoll: wire up syscall epoll_pwait2
2020-12-19 11:18:38 -08:00
sys.c
fs: Remove dcookies support
2021-01-29 10:06:46 +05:30
sysctl-test.c
sysctl.c
rcu: Panic after fixed number of stalls
2020-11-19 19:37:16 -08:00
task_work.c
task_work: remove legacy TWA_SIGNAL path
2020-12-12 09:17:38 -07:00
taskstats.c
treewide: rename nla_strlcpy to nla_strscpy.
2020-11-16 08:08:54 -08:00
test_kprobes.c
torture.c
torture: Maintain torture-specific set of CPUs-online books
2021-01-06 17:17:22 -08:00
tracepoint.c
tracepoints: Migrate to use SYSCALL_WORK flag
2020-11-16 21:53:15 +01:00
tsacct.c
ucount.c
uid16.c
uid16.h
umh.c
usermodehelper: reset umask to default before executing user process
2020-10-06 10:31:52 -07:00
up.c
user_namespace.c
Merge tag 'fixes-v5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
2020-12-14 16:40:27 -08:00
user-return-notifier.c
user.c
user: Use generic ns_common::count
2020-08-19 14:14:12 +02:00
usermode_driver.c
umd: Stop using split_argv
2020-07-07 11:58:59 -05:00
utsname_sysctl.c
utsname.c
uts: Use generic ns_common::count
2020-08-19 14:13:20 +02:00
watch_queue.c
watch_queue: Limit the number of watches a user can hold
2020-08-17 09:39:18 -07:00
watchdog_hld.c
watchdog.c
kernel/watchdog: fix watchdog_allowed_mask not used warning
2020-11-14 11:26:03 -08:00
workqueue_internal.h
workqueue.c
workqueue: Restrict affinity change to rescuer
2021-01-22 15:09:43 +01:00