From: Daniel Borkmann <[email protected]>
Date: Wed, 20 Sep 2017 00:44:21 +0200
> Commit 109980b894e9 ("bpf: don't select potentially stale
> ri->map from buggy xdp progs") passed the pointer to the prog
> itself to be loaded into r4 prior to the bpf_redirect_map() helper
> call, so that we can store the owner into ri->map_owner out of
> the helper.
>
> The issue with that is that the actual address of the prog is still
> subject to change when subsequent rewrites occur that require the
> slow path in bpf_prog_realloc() to alloc more memory, e.g. from
> patching inlining helper functions or constant blinding. Thus,
> we really need to take prog->aux as the address we're holding,
> which also works with prog clones as they share the same aux
> object.
>
> Instead of then fetching aux->prog during runtime, which could
> potentially incur cache misses due to false sharing, we are
> going to just use aux for comparison on the map owner. This
> will also keep the patchlet the same size, and the later check
> in xdp_map_invalid() only accesses the read-only aux pointer from
> the prog; it's also in the same cacheline already from the prior
> access when calling bpf_func.
>
> Fixes: 109980b894e9 ("bpf: don't select potentially stale ri->map from buggy xdp progs")
> Signed-off-by: Daniel Borkmann <[email protected]>
> Acked-by: Alexei Starovoitov <[email protected]>
> ---
> v1->v2:
> - Decided to go with prog->aux instead.
Applied, thanks Daniel.
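
The address instability described in the commit message above, as an added user-space model (not kernel code and not part of the original thread). All `model_*` names are hypothetical, and `model_prog_grow()` stands in for the slow path of bpf_prog_realloc(): an owner value recorded as the prog address no longer matches after the program is grown, while one recorded as the aux address still does.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* User-space model, not kernel code: all model_* names are hypothetical. */
struct model_aux { int refcnt; };            /* allocated once, never moves */
struct model_prog {
    struct model_aux *aux;
    size_t len;                              /* instruction count */
    uint64_t insns[];
};
struct model_result { int by_prog_invalid, by_aux_invalid; };

static struct model_prog *model_prog_alloc(size_t len)
{
    struct model_prog *p = calloc(1, sizeof(*p) + len * sizeof(p->insns[0]));
    if (p && !(p->aux = calloc(1, sizeof(*p->aux)))) { free(p); return NULL; }
    if (p) p->len = len;
    return p;
}

/* Stand-in for the realloc slow path: new buffer, copy, free the old one.
 * The aux pointer is carried over, so aux itself keeps its address. */
static struct model_prog *model_prog_grow(struct model_prog *old, size_t len)
{
    struct model_prog *p = calloc(1, sizeof(*p) + len * sizeof(p->insns[0]));
    if (!p) return NULL;
    memcpy(p, old, sizeof(*old) + old->len * sizeof(old->insns[0]));
    p->len = len;
    free(old);
    return p;
}

static struct model_result model_run(void)
{
    struct model_result r = { -1, -1 };
    struct model_prog *prog = model_prog_alloc(4), *grown;
    if (!prog) return r;
    /* Owner values captured before a later rewrite grows the program. */
    uintptr_t owner_prog = (uintptr_t)prog, owner_aux = (uintptr_t)prog->aux;
    if ((grown = model_prog_grow(prog, 64)))
        prog = grown;                        /* old address is now stale */
    r.by_prog_invalid = (uintptr_t)prog != owner_prog;    /* 1: false mismatch */
    r.by_aux_invalid = (uintptr_t)prog->aux != owner_aux; /* 0: still matches */
    free(prog->aux);
    free(prog);
    return r;
}
```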