[PATCH] CFI: fix panic in kernel bpf map traversal

From: Eric Yan
Date: Fri Jul 21 2023 - 06:34:52 EST


During BPF map iterator testing, the 'bpf_for_each_map_elem' call failed on
the Android common kernel 5.15/6.1 with clang CFI enabled.
It has been found that the "callback_fn" parameter received by
bpf_for_each_map_elem is the address of the jitted BPF program code,
which is not in the kernel text section; this leads to a kernel panic in
the __cfi_slowpath_diag check. So, just disable CFI for the bpf map iterator.

The same crash message on a typical arm64 Debian kernel is as follows:
Kernel panic - not syncing: CFI failure (target: bpf_prog_xx+0x0/0x560)
CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 5.15.0+ #1
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace.cfi_jt+0x0/0x4
show_stack+0x30/0x3c
__dump_stack+0x28/0x34
dump_stack_lvl+0x74/0xc0
dump_stack+0x14/0x1c
panic+0x2b8/0x588
__cfi_slowpath_diag+0x0/0x78
__cfi_slowpath_diag+0x6c/0x78
bpf_for_each_hash_elem+0x228/0x304
bpf_for_each_map_elem+0xac/0xc0
bpf_prog_8aad3428fbe59598_F+0x184/0x6c4
bpf_dispatcher_nop_func.17066+0xc/0x14
bpf_trace_run1+0x1d4/0x208
__bpf_trace_sched_wakeup_template+0x4c/0x74
__traceiter_sched_wakeup+0x13c/0x170
trace_sched_wakeup+0xf4/0x108
ttwu_do_wakeup+0x58/0x17c

Sample bpf testing code:
(based on https://github.com/iovisor/bcc/blob/master/libbpf-tools/wakeuptime.bpf.c#L54)

/* Callback invoked once per map element by bpf_for_each_map_elem(). */
static long chk_item(struct bpf_map *map, const void *key, void *value, void *ctx)
{
	bpf_printk("key: %llx\n", key);
	return 0;
}

static int wakeup(void *ctx, struct task_struct *p)
{
	...
	/* Iterate over the 'counts' map; the JITed chk_item is passed as callback_fn. */
	if (delta > 1000000)
		bpf_for_each_map_elem(&counts, chk_item, NULL, 0);
}

Signed-off-by: Eric Yan <eric.yan@xxxxxxxx>
---
kernel/bpf/arraymap.c | 2 +-
kernel/bpf/hashtab.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
index 2058e89b5ddd..4cd400082236 100644
--- a/kernel/bpf/arraymap.c
+++ b/kernel/bpf/arraymap.c
@@ -686,7 +686,7 @@ static const struct bpf_iter_seq_info iter_seq_info = {
.seq_priv_size = sizeof(struct bpf_iter_seq_array_map_info),
};

-static long bpf_for_each_array_elem(struct bpf_map *map, bpf_callback_t callback_fn,
+static long __nocfi bpf_for_each_array_elem(struct bpf_map *map, bpf_callback_t callback_fn,
void *callback_ctx, u64 flags)
{
u32 i, key, num_elems = 0;
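Review bot: Marking the whole of bpf_for_each_array_elem() __nocfi disables the indirect-call check for every indirect call made in the function body, not only for the callback_fn invocation that the commit message says is failing, so the annotation is broader than the problem it solves. The change also silences the check rather than teaching CFI about the JITed target: the trace in the commit message shows __cfi_slowpath_diag rejecting bpf_prog_xx because its address is outside the kernel text, and after this patch that target is simply no longer checked. Please add a comment above the function explaining why __nocfi is there (JITed BPF program as bpf_callback_t, not in kernel text under clang CFI), so a future reader does not remove the attribute as an oversight, and state in the commit message which CFI scheme this was reproduced against, since the slowpath-based check in the trace is the older clang CFI implementation and other kernels may check indirect calls differently.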
diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
index 56d3da7d0bc6..59e337f446d0 100644
--- a/kernel/bpf/hashtab.c
+++ b/kernel/bpf/hashtab.c
@@ -2132,7 +2132,7 @@ static const struct bpf_iter_seq_info iter_seq_info = {
.seq_priv_size = sizeof(struct bpf_iter_seq_hash_map_info),
};

-static long bpf_for_each_hash_elem(struct bpf_map *map, bpf_callback_t callback_fn,
+static long __nocfi bpf_for_each_hash_elem(struct bpf_map *map, bpf_callback_t callback_fn,
void *callback_ctx, u64 flags)
{
struct bpf_htab *htab = container_of(map, struct bpf_htab, map);
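Review bot: Same concern as for arraymap.c applies here: __nocfi on bpf_for_each_hash_elem() removes checking for all indirect calls in the function, and a comment at the definition should say that the exemption exists because callback_fn points at JITed BPF code. Since the root cause is the bpf_callback_t type being invoked indirectly on a JITed target, any other kernel path that calls a bpf_callback_t the same way would hit the same check; the patch should either explain why these two iterators are the only affected sites or cover the others as well, and a single shared annotation or helper would avoid repeating the same unexplained __nocfi in each file.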
--
2.25.1
