[PATCH 5.19 019/155] bpf: Fix a data-race around bpf_jit_limit.
From: Greg Kroah-Hartman
Date: Tue Sep 06 2022 - 10:02:45 EST
From: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
[ Upstream commit 0947ae1121083d363d522ff7518ee72b55bd8d29 ]
While reading bpf_jit_limit, it can be changed concurrently via sysctl,
WRITE_ONCE() in __do_proc_doulongvec_minmax(). The size of bpf_jit_limit
is long, so we need to add a paired READ_ONCE() to avoid load-tearing.
Fixes: ede95a63b5e8 ("bpf: add bpf_jit_limit knob to restrict unpriv allocations")
Signed-off-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
Link: https://lore.kernel.org/bpf/20220823215804.2177-1-kuniyu@xxxxxxxxxx
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
kernel/bpf/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index fb6bd57228a84..cf44ff50b1f23 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -1005,7 +1005,7 @@ pure_initcall(bpf_jit_charge_init);
int bpf_jit_charge_modmem(u32 size)
{
- if (atomic_long_add_return(size, &bpf_jit_current) > bpf_jit_limit) {
+ if (atomic_long_add_return(size, &bpf_jit_current) > READ_ONCE(bpf_jit_limit)) {
if (!bpf_capable()) {
atomic_long_sub(size, &bpf_jit_current);
return -EPERM;
--
2.35.1