    bpf: Add deny list of btf ids check for tracing programs · 35e3815f
    Jiri Olsa authored
    The recursion check in __bpf_prog_enter and __bpf_prog_exit
    leaves some (not inlined) functions unprotected:
    
    In __bpf_prog_enter:
      - migrate_disable is called before prog->active is checked
    
    In __bpf_prog_exit:
      - migrate_enable, rcu_read_unlock_strict are called after
        prog->active is decreased
    
    When attaching trampoline to them we get panic like:
    
      traps: PANIC: double fault, error_code: 0x0
      double fault: 0000 [#1] SMP PTI
      RIP: 0010:__bpf_prog_enter+0x4/0x50
      ...
      Call Trace:
       <IRQ>
       bpf_trampoline_6442466513_0+0x18/0x1000
       migrate_disable+0x5/0x50
       __bpf_prog_enter+0x9/0x50
       bpf_trampoline_6442466513_0+0x18/0x1000
       migrate_disable+0x5/0x50
       __bpf_prog_enter+0x9/0x50
       bpf_trampoline_6442466513_0+0x18/0x1000
       migrate_disable+0x5/0x50
       __bpf_prog_enter+0x9/0x50
       bpf_trampoline_6442466513_0+0x18/0x1000
       migrate_disable+0x5/0x50
       ...
    
    Fixing this by adding deny list of btf ids for tracing
    programs and checking btf id during program verification.
    Adding above functions to this list.
    
    Suggested-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Jiri Olsa <jolsa@kernel.org>
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Link: https://lore.kernel.org/bpf/20210429114712.43783-1-jolsa@kernel.org
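A user-space model of the recursion described in the commit message and of a load-time deny-list check, added here as an example; it is not the kernel's code or part of this commit. Function names stand in for BTF ids, and `do_work`, `attach_and_hit` and `STACK_LIMIT` are assumptions of the model.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define STACK_LIMIT 64 /* assumed stand-in for running out of kernel stack */
/* Names stand in for BTF ids; do_work is a hypothetical traced function. */
static const char *deny[] = { "migrate_disable", "migrate_enable", "rcu_read_unlock_strict" };
static const char *hooked = ""; /* function that carries the trampoline */
static int prog_active, depth, max_depth;
static void call(const char *fn);
/* Model of __bpf_prog_enter: the helper runs before the prog->active guard. */
static int prog_enter(void) {
    call("migrate_disable");
    return ++prog_active == 1;
}
/* Model of __bpf_prog_exit: the helpers run after the guard is released. */
static void prog_exit(void) {
    --prog_active;
    call("migrate_enable");
    call("rcu_read_unlock_strict");
}
/* Calling the hooked function enters the trampoline, which runs the program. */
static void call(const char *fn) {
    if (strcmp(fn, hooked) != 0)
        return;
    if (++depth > max_depth)
        max_depth = depth;
    if (depth < STACK_LIMIT) { /* the model stops here; the kernel faults */
        if (prog_enter())
            call("do_work"); /* program body calls a traced function */
        prog_exit();
    }
    depth--;
}
/* Returns -EINVAL when rejected at load time, else the deepest nesting seen. */
static int attach_and_hit(const char *fn, int use_deny_list) {
    for (size_t i = 0; use_deny_list && i < sizeof(deny) / sizeof(deny[0]); i++)
        if (strcmp(fn, deny[i]) == 0)
            return -EINVAL;
    hooked = fn;
    prog_active = depth = max_depth = 0;
    call(fn);
    return max_depth;
}
int main(void) {
    printf("do_work: %d\n", attach_and_hit("do_work", 0));
    printf("migrate_disable: %d, with deny list: %d\n",
           attach_and_hit("migrate_disable", 0), attach_and_hit("migrate_disable", 1));
    return 0;
}
```

A hook on `do_work` nests only two levels because the second entry sees the guard already taken, while a hook on any of the three helpers nests until the model's limit.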
verifier.c 384 KB