mirror of
https://github.com/hardkernel/linux.git
synced 2026-04-05 20:53:04 +09:00
ebd2ef4e301f6e4eac8012ccae9e1ff51c98ceea
227 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Chenbo Feng
|
0521e0b3fc |
UPSTREAM: selinux: bpf: Add addtional check for bpf object file receive
Introduce a bpf object related check when sending and receiving files
through unix domain socket as well as binder. It checks if the receiving
process have privilege to read/write the bpf map or use the bpf program.
This check is necessary because the bpf maps and programs are using a
anonymous inode as their shared inode so the normal way of checking the
files and sockets when passing between processes cannot work properly on
eBPF object. This check only works when the BPF_SYSCALL is configured.
Signed-off-by: Chenbo Feng <fengc@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry-pick from net-next:
|
||
|
Chenbo Feng
|
f3ad3766a9 |
BACKPORT: security: bpf: Add LSM hooks for bpf object related syscall
Introduce several LSM hooks for the syscalls that will allow the
userspace to access to eBPF object such as eBPF programs and eBPF maps.
The security check is aimed to enforce a per object security protection
for eBPF object so only processes with the right priviliges can
read/write to a specific map or use a specific eBPF program. Besides
that, a general security hook is added before the multiplexer of bpf
syscall to check the cmd and the attribute used for the command. The
actual security module can decide which command need to be checked and
how the cmd should be checked.
Signed-off-by: Chenbo Feng <fengc@google.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Added the LIST_HEAD_INIT call for security hooks, it nolonger exist in
uptream code.
(cherry-pick from net-next:
|
||
|
Chenbo Feng
|
4672ded3ec |
BACKPORT: bpf: Add file mode configuration into bpf maps
Introduce the map read/write flags to the eBPF syscalls that returns the
map fd. The flags is used to set up the file mode when construct a new
file descriptor for bpf maps. To not break the backward capability, the
f_flags is set to O_RDWR if the flag passed by syscall is 0. Otherwise
it should be O_RDONLY or O_WRONLY. When the userspace want to modify or
read the map content, it will check the file mode to see if it is
allowed to make the change.
Signed-off-by: Chenbo Feng <fengc@google.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Deleted the file mode configuration code in unsupported map type and
removed the file mode check in non-existing helper functions.
(cherry-pick from net-next:
|
||
|
Greg Kroah-Hartman
|
cdbe07ad26 |
Merge 4.9.55 into android-4.9
Changes in 4.9.55
USB: gadgetfs: Fix crash caused by inadequate synchronization
USB: gadgetfs: fix copy_to_user while holding spinlock
usb: gadget: udc: atmel: set vbus irqflags explicitly
usb: gadget: udc: renesas_usb3: fix for no-data control transfer
usb: gadget: udc: renesas_usb3: fix Pn_RAMMAP.Pn_MPKT value
usb: gadget: udc: renesas_usb3: Fix return value of usb3_write_pipe()
usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives
usb-storage: fix bogus hardware error messages for ATA pass-thru devices
usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe
usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction
ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
usb: pci-quirks.c: Corrected timeout values used in handshake
USB: cdc-wdm: ignore -EPIPE from GetEncapsulatedResponse
USB: dummy-hcd: fix connection failures (wrong speed)
USB: dummy-hcd: fix infinite-loop resubmission bug
USB: dummy-hcd: Fix erroneous synchronization change
USB: devio: Don't corrupt user memory
usb: gadget: mass_storage: set msg_registered after msg registered
USB: g_mass_storage: Fix deadlock when driver is unbound
USB: uas: fix bug in handling of alternate settings
USB: core: harden cdc_parse_cdc_header
usb: Increase quirk delay for USB devices
USB: fix out-of-bounds in usb_set_configuration
xhci: fix finding correct bus_state structure for USB 3.1 hosts
xhci: Fix sleeping with spin_lock_irq() held in ASmedia 1042A workaround
xhci: set missing SuperSpeedPlus Link Protocol bit in roothub descriptor
Revert "xhci: Limit USB2 port wake support for AMD Promontory hosts"
iio: adc: twl4030: Fix an error handling path in 'twl4030_madc_probe()'
iio: adc: twl4030: Disable the vusb3v1 rugulator in the error handling path of 'twl4030_madc_probe()'
iio: ad_sigma_delta: Implement a dedicated reset function
staging: iio: ad7192: Fix - use the dedicated reset function avoiding dma from stack.
iio: core: Return error for failed read_reg
IIO: BME280: Updates to Humidity readings need ctrl_reg write!
iio: ad7793: Fix the serial interface reset
iio: adc: mcp320x: Fix readout of negative voltages
iio: adc: mcp320x: Fix oops on module unload
uwb: properly check kthread_run return value
uwb: ensure that endpoint is interrupt
staging: vchiq_2835_arm: Fix NULL ptr dereference in free_pagelist
mm, oom_reaper: skip mm structs with mmu notifiers
lib/ratelimit.c: use deferred printk() version
lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
ALSA: compress: Remove unused variable
Revert "ALSA: echoaudio: purge contradictions between dimension matrix members and total number of members"
ALSA: usx2y: Suppress kernel warning at page allocation failures
mlxsw: spectrum: Prevent mirred-related crash on removal
net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker
sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
tcp: update skb->skb_mstamp more carefully
bpf/verifier: reject BPF_ALU64|BPF_END
tcp: fix data delivery rate
udpv6: Fix the checksum computation when HW checksum does not apply
ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
net: phy: Fix mask value write on gmii2rgmii converter speed register
ip6_tunnel: do not allow loading ip6_tunnel if ipv6 is disabled in cmdline
net/sched: cls_matchall: fix crash when used with classful qdisc
tcp: fastopen: fix on syn-data transmit failure
net: emac: Fix napi poll list corruption
packet: hold bind lock when rebinding to fanout hook
bpf: one perf event close won't free bpf program attached by another perf event
isdn/i4l: fetch the ppp_write buffer in one shot
net_sched: always reset qdisc backlog in qdisc_reset()
net: qcom/emac: specify the correct size when mapping a DMA buffer
vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
l2tp: Avoid schedule while atomic in exit_net
l2tp: fix race condition in l2tp_tunnel_delete
tun: bail out from tun_get_user() if the skb is empty
net: dsa: Fix network device registration order
packet: in packet_do_bind, test fanout with bind_lock held
packet: only test po->has_vnet_hdr once in packet_snd
net: Set sk_prot_creator when cloning sockets to the right proto
netlink: do not proceed if dump's start() errs
ip6_gre: ip6gre_tap device should keep dst
ip6_tunnel: update mtu properly for ARPHRD_ETHER tunnel device in tx path
tipc: use only positive error codes in messages
net: rtnetlink: fix info leak in RTM_GETSTATS call
socket, bpf: fix possible use after free
powerpc/64s: Use emergency stack for kernel TM Bad Thing program checks
powerpc/tm: Fix illegal TM state in signal handler
percpu: make this_cpu_generic_read() atomic w.r.t. interrupts
driver core: platform: Don't read past the end of "driver_override" buffer
Drivers: hv: fcopy: restore correct transfer length
stm class: Fix a use-after-free
ftrace: Fix kmemleak in unregister_ftrace_graph
HID: i2c-hid: allocate hid buffers for real worst case
HID: wacom: leds: Don't try to control the EKR's read-only LEDs
HID: wacom: Always increment hdev refcount within wacom_get_hdev_data
HID: wacom: bits shifted too much for 9th and 10th buttons
rocker: fix rocker_tlv_put_* functions for KASAN
netlink: fix nla_put_{u8,u16,u32} for KASAN
iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
iwlwifi: add workaround to disable wide channels in 5GHz
scsi: sd: Do not override max_sectors_kb sysfs setting
brcmfmac: add length check in brcmf_cfg80211_escan_handler()
brcmfmac: setup passive scan if requested by user-space
drm/i915/bios: ignore HDMI on port A
nvme-pci: Use PCI bus address for data/queues in CMB
mmc: core: add driver strength selection when selecting hs400es
sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs
vfs: deny copy_file_range() for non regular files
ext4: fix data corruption for mmap writes
ext4: Don't clear SGID when inheriting ACLs
ext4: don't allow encrypted operations without keys
f2fs: don't allow encrypted operations without keys
KVM: x86: fix singlestepping over syscall
Linux 4.9.55
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Edward Cree
|
e159492b3c |
bpf/verifier: reject BPF_ALU64|BPF_END
[ Upstream commit |
||
|
Greg Kroah-Hartman
|
a3840b1234 |
Merge 4.9.46 into android-4.9
Changes in 4.9.46
sparc64: remove unnecessary log message
af_key: do not use GFP_KERNEL in atomic contexts
dccp: purge write queue in dccp_destroy_sock()
dccp: defer ccid_hc_tx_delete() at dismantle time
ipv4: fix NULL dereference in free_fib_info_rcu()
net_sched/sfq: update hierarchical backlog when drop packet
net_sched: remove warning from qdisc_hash_add
bpf: fix bpf_trace_printk on 32 bit archs
openvswitch: fix skb_panic due to the incorrect actions attrlen
ptr_ring: use kmalloc_array()
ipv4: better IP_MAX_MTU enforcement
nfp: fix infinite loop on umapping cleanup
sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
tipc: fix use-after-free
ipv6: reset fn->rr_ptr when replacing route
ipv6: repair fib6 tree in failure case
tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP
net/mlx4_core: Enable 4K UAR if SRIOV module parameter is not enabled
irda: do not leak initialized list.dev to userspace
net: sched: fix NULL pointer dereference when action calls some targets
net_sched: fix order of queue length updates in qdisc_replace()
bpf, verifier: add additional patterns to evaluate_reg_imm_alu
bpf: adjust verifier heuristics
bpf, verifier: fix alu ops against map_value{, _adj} register types
bpf: fix mixed signed/unsigned derived min/max value bounds
bpf/verifier: fix min/max handling in BPF_SUB
Input: trackpoint - add new trackpoint firmware ID
Input: elan_i2c - add ELAN0602 ACPI ID to support Lenovo Yoga310
Input: ALPS - fix two-finger scroll breakage in right side on ALPS touchpad
KVM: s390: sthyi: fix sthyi inline assembly
KVM: s390: sthyi: fix specification exception detection
KVM: x86: block guest protection keys unless the host has them enabled
ALSA: usb-audio: Add delay quirk for H650e/Jabra 550a USB headsets
ALSA: core: Fix unexpected error at replacing user TLV
ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978)
ALSA: firewire: fix NULL pointer dereference when releasing uninitialized data of iso-resource
ARCv2: PAE40: Explicitly set MSB counterpart of SLC region ops addresses
mm, shmem: fix handling /sys/kernel/mm/transparent_hugepage/shmem_enabled
i2c: designware: Fix system suspend
mm/madvise.c: fix freeing of locked page with MADV_FREE
fork: fix incorrect fput of ->exe_file causing use-after-free
mm/memblock.c: reversed logic in memblock_discard()
drm: Release driver tracking before making the object available again
drm/atomic: If the atomic check fails, return its value first
drm: rcar-du: Fix crash in encoder failure error path
drm: rcar-du: Fix display timing controller parameter
drm: rcar-du: Fix H/V sync signal polarity configuration
tracing: Call clear_boot_tracer() at lateinit_sync
tracing: Fix kmemleak in tracing_map_array_free()
tracing: Fix freeing of filter in create_filter() when set_str is false
kbuild: linker script do not match C names unless LD_DEAD_CODE_DATA_ELIMINATION is configured
cifs: Fix df output for users with quota limits
cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()
nfsd: Limit end of page list when decoding NFSv4 WRITE
ftrace: Check for null ret_stack on profile function graph entry function
perf/core: Fix group {cpu,task} validation
perf probe: Fix --funcs to show correct symbols for offline module
perf/x86/intel/rapl: Make package handling more robust
timers: Fix excessive granularity of new timers after a nohz idle
x86/mm: Fix use-after-free of ldt_struct
net: sunrpc: svcsock: fix NULL-pointer exception
Revert "leds: handle suspend/resume in heartbeat trigger"
netfilter: nat: fix src map lookup
Bluetooth: hidp: fix possible might sleep error in hidp_session_thread
Bluetooth: cmtp: fix possible might sleep error in cmtp_session
Bluetooth: bnep: fix possible might sleep error in bnep_session
Revert "android: binder: Sanity check at binder ioctl"
binder: use group leader instead of open thread
binder: Use wake up hint for synchronous transactions.
ANDROID: binder: fix proc->tsk check.
iio: imu: adis16480: Fix acceleration scale factor for adis16480
iio: hid-sensor-trigger: Fix the race with user space powering up sensors
staging: rtl8188eu: add RNX-N150NUB support
Clarify (and fix) MAX_LFS_FILESIZE macros
ntb_transport: fix qp count bug
ntb_transport: fix bug calculating num_qps_mw
NTB: ntb_test: fix bug printing ntb_perf results
ntb: no sleep in ntb_async_tx_submit
ntb: ntb_test: ensure the link is up before trying to configure the mws
ntb: transport shouldn't disable link due to bogus values in SPADs
ACPI: ioapic: Clear on-stack resource before using it
ACPI / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal
ACPI: EC: Fix regression related to wrong ECDT initialization order
powerpc/mm: Ensure cpumask update is ordered
Linux 4.9.46
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Edward Cree
|
655da3da9b |
bpf/verifier: fix min/max handling in BPF_SUB
[ Upstream commit |
||
|
Daniel Borkmann
|
bf5b91b782 |
bpf: fix mixed signed/unsigned derived min/max value bounds
[ Upstream commit |
||
|
Daniel Borkmann
|
8d674bee8f |
bpf, verifier: fix alu ops against map_value{, _adj} register types
[ Upstream commit |
||
|
Daniel Borkmann
|
577aa83b28 |
bpf: adjust verifier heuristics
[ Upstream commit
|
||
|
John Fastabend
|
e37bdeee95 |
bpf, verifier: add additional patterns to evaluate_reg_imm_alu
[ Upstream commit
|
||
|
Greg Kroah-Hartman
|
14accea70e |
Merge 4.9.39 into android-4.9
Changes in 4.9.39
xen-netfront: Rework the fix for Rx stall during OOM and network stress
net_sched: fix error recovery at qdisc creation
net: sched: Fix one possible panic when no destroy callback
net/phy: micrel: configure intterupts after autoneg workaround
ipv6: avoid unregistering inet6_dev for loopback
net: dp83640: Avoid NULL pointer dereference.
tcp: reset sk_rx_dst in tcp_disconnect()
net: prevent sign extension in dev_get_stats()
bridge: mdb: fix leak on complete_info ptr on fail path
rocker: move dereference before free
bpf: prevent leaking pointer via xadd on unpriviledged
net: handle NAPI_GRO_FREE_STOLEN_HEAD case also in napi_frags_finish()
net/mlx5: Cancel delayed recovery work when unloading the driver
liquidio: fix bug in soft reset failure detection
net/mlx5e: Fix TX carrier errors report in get stats ndo
ipv6: dad: don't remove dynamic addresses if link is down
vxlan: fix hlist corruption
net: core: Fix slab-out-of-bounds in netdev_stats_to_stats64
net: ipv6: Compare lwstate in detecting duplicate nexthops
vrf: fix bug_on triggered by rx when destroying a vrf
rds: tcp: use sock_create_lite() to create the accept socket
brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
brcmfmac: Fix a memory leak in error handling path in 'brcmf_cfg80211_attach'
brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain
sfc: don't read beyond unicast address list
cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE
cfg80211: Validate frequencies nested in NL80211_ATTR_SCAN_FREQUENCIES
cfg80211: Check if PMKID attribute is of expected size
cfg80211: Check if NAN service ID is of expected size
irqchip/gic-v3: Fix out-of-bound access in gic_set_affinity
parisc: Report SIGSEGV instead of SIGBUS when running out of stack
parisc: use compat_sys_keyctl()
parisc: DMA API: return error instead of BUG_ON for dma ops on non dma devs
parisc/mm: Ensure IRQs are off in switch_mm()
tools/lib/lockdep: Reduce MAX_LOCK_DEPTH to avoid overflowing lock_chain/: Depth
thp, mm: fix crash due race in MADV_FREE handling
kernel/extable.c: mark core_kernel_text notrace
mm/list_lru.c: fix list_lru_count_node() to be race free
fs/dcache.c: fix spin lockup issue on nlru->lock
checkpatch: silence perl 5.26.0 unescaped left brace warnings
binfmt_elf: use ELF_ET_DYN_BASE only for PIE
arm: move ELF_ET_DYN_BASE to 4MB
arm64: move ELF_ET_DYN_BASE to 4GB / 4MB
powerpc: move ELF_ET_DYN_BASE to 4GB / 4MB
s390: reduce ELF_ET_DYN_BASE
exec: Limit arg stack to at most 75% of _STK_LIM
ARM64: dts: marvell: armada37xx: Fix timer interrupt specifiers
vt: fix unchecked __put_user() in tioclinux ioctls
rcu: Add memory barriers for NOCB leader wakeup
nvmem: core: fix leaks on registration errors
mnt: In umount propagation reparent in a separate pass
mnt: In propgate_umount handle visiting mounts in any order
mnt: Make propagate_umount less slow for overlapping mount propagation trees
selftests/capabilities: Fix the test_execve test
mm: fix overflow check in expand_upwards()
crypto: talitos - Extend max key length for SHA384/512-HMAC and AEAD
crypto: atmel - only treat EBUSY as transient if backlog
crypto: sha1-ssse3 - Disable avx2
crypto: caam - properly set IV after {en,de}crypt
crypto: caam - fix signals handling
Revert "sched/core: Optimize SCHED_SMT"
sched/fair, cpumask: Export for_each_cpu_wrap()
sched/topology: Fix building of overlapping sched-groups
sched/topology: Optimize build_group_mask()
sched/topology: Fix overlapping sched_group_mask
PM / wakeirq: Convert to SRCU
PM / QoS: return -EINVAL for bogus strings
tracing: Use SOFTIRQ_OFFSET for softirq dectection for more accurate results
kvm: vmx: Do not disable intercepts for BNDCFGS
kvm: x86: Guest BNDCFGS requires guest MPX support
kvm: vmx: Check value written to IA32_BNDCFGS
kvm: vmx: allow host to access guest MSR_IA32_BNDCFGS
4.9.39
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Daniel Borkmann
|
cd5de9cb85 |
bpf: prevent leaking pointer via xadd on unpriviledged
commit |
||
|
Greg Kroah-Hartman
|
184ce810ce |
Merge 4.9.36 into android-4.9
Changes in 4.9.36 ipv6: release dst on error in ip6_dst_lookup_tail net: don't call strlen on non-terminated string in dev_set_alias() decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb net: Zero ifla_vf_info in rtnl_fill_vfinfo() net: vrf: Make add_fib_rules per network namespace flag af_unix: Add sockaddr length checks before accessing sa_family in bind and connect handlers Fix an intermittent pr_emerg warning about lo becoming free. sctp: disable BH in sctp_for_each_endpoint net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx net: tipc: Fix a sleep-in-atomic bug in tipc_msg_reverse net/mlx5e: Added BW check for DIM decision mechanism net/mlx5e: Fix wrong indications in DIM due to counter wraparound proc: snmp6: Use correct type in memset igmp: acquire pmc lock for ip_mc_clear_src() igmp: add a missing spin_lock_init() ipv6: fix calling in6_ifa_hold incorrectly for dad work sctp: return next obj by passing pos + 1 into sctp_transport_get_idx net/mlx5e: Avoid doing a cleanup call if the profile doesn't have it net/mlx5: Wait for FW readiness before initializing command interface net/mlx5e: Fix timestamping capabilities reporting decnet: always not take dst->__refcnt when inserting dst into hash table net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev sfc: provide dummy definitions of vswitch functions ipv6: Do not leak throw route references rtnetlink: add IFLA_GROUP to ifla_policy netfilter: xt_TCPMSS: add more sanity tests on tcph->doff netfilter: synproxy: fix conntrackd interaction NFSv4: fix a reference leak caused WARNING messages NFSv4.x/callback: Create the callback service through svc_create_pooled xen/blkback: don't use xen_blkif_get() in xen-blkback kthread drm/ast: Handle configuration without P2A bridge mm, swap_cgroup: reschedule when neeed in swap_cgroup_swapoff() MIPS: head: Reorder instructions missing a delay slot MIPS: Avoid accidental raw backtrace MIPS: pm-cps: Drop manual cache-line alignment of ready_count MIPS: Fix IRQ tracing & lockdep when rescheduling ALSA: hda - Fix endless loop of codec configure ALSA: hda - set input_path bitmap to zero after moving it to new place NFSv4.1: Fix a race in nfs4_proc_layoutget gpiolib: fix filtering out unwanted events drm/vmwgfx: Free hash table allocated by cmdbuf managed res mgr dm thin: do not queue freed thin mapping for next stage processing x86/mm: Fix boot crash caused by incorrect loop count calculation in sync_global_pgds() usb: gadget: f_fs: Fix possibe deadlock l2tp: fix race in l2tp_recv_common() l2tp: ensure session can't get removed during pppol2tp_session_ioctl() l2tp: fix duplicate session creation l2tp: hold session while sending creation notifications l2tp: take a reference on sessions used in genetlink handlers mm: numa: avoid waiting on freed migrated pages sparc64: Handle PIO & MEM non-resumable errors. sparc64: Zero pages on allocation for mondo and error queues. net: ethtool: add support for 2500BaseT and 5000BaseT link modes net: phy: add an option to disable EEE advertisement dt-bindings: net: add EEE capability constants net: phy: fix sign type error in genphy_config_eee_advert net: phy: use boolean dt properties for eee broken modes dt: bindings: net: use boolean dt properties for eee broken modes ARM64: dts: meson-gxbb-odroidc2: fix GbE tx link breakage xen/blkback: don't free be structure too early KVM: x86: fix fixing of hypercalls scsi: sd: Fix wrong DPOFUA disable in sd_read_cache_type stmmac: add missing of_node_put scsi: lpfc: Set elsiocb contexts to NULL after freeing it qla2xxx: Terminate exchange if corrupted qla2xxx: Fix erroneous invalid handle message drm/amdgpu: fix program vce instance logic error. drm/amdgpu: add support for new hainan variants net: phy: dp83848: add DP83620 PHY support perf/x86/intel: Handle exclusive threadid correctly on CPU hotplug net: korina: Fix NAPI versus resources freeing powerpc/eeh: Enable IO path on permanent error net: ethtool: Initialize buffer when querying device channel settings xen-netback: fix memory leaks on XenBus disconnect xen-netback: protect resource cleaning on XenBus disconnect bnxt_en: Fix "uninitialized variable" bug in TPA code path. bpf: don't trigger OOM killer under pressure with map alloc objtool: Fix IRET's opcode gianfar: Do not reuse pages from emergency reserve Btrfs: Fix deadlock between direct IO and fast fsync Btrfs: fix truncate down when no_holes feature is enabled virtio_console: fix a crash in config_work_handler swiotlb-xen: update dev_addr after swapping pages xen-netfront: Fix Rx stall during network stress and OOM scsi: virtio_scsi: Reject commands when virtqueue is broken iwlwifi: fix kernel crash when unregistering thermal zone platform/x86: ideapad-laptop: handle ACPI event 1 amd-xgbe: Check xgbe_init() return code net: dsa: Check return value of phy_connect_direct() drm/amdgpu: check ring being ready before using vfio/spapr: fail tce_iommu_attach_group() when iommu_data is null mlxsw: spectrum_router: Correctly reallocate adjacency entries virtio_net: fix PAGE_SIZE > 64k ip6_tunnel: must reload ipv6h in ip6ip6_tnl_xmit() vxlan: do not age static remote mac entries ibmveth: Add a proper check for the availability of the checksum features kernel/panic.c: add missing \n Documentation: devicetree: change the mediatek ethernet compatible string drm/etnaviv: trick drm_mm into giving out a low IOVA perf/x86/intel/uncore: Fix hardcoded socket 0 assumption in the Haswell init code pinctrl: intel: Set pin direction properly net: phy: marvell: fix Marvell 88E1512 used in SGMII mode mac80211: recalculate min channel width on VHT opmode changes perf/x86/intel: Use ULL constant to prevent undefined shift behaviour HID: i2c-hid: Add sleep between POWER ON and RESET scsi: lpfc: avoid double free of resource identifiers spi: davinci: use dma_mapping_error() arm64: assembler: make adr_l work in modules under KASLR net: thunderx: acpi: fix LMAC initialization drm/radeon/si: load special ucode for certain MC configs drm/amd/powerplay: fix vce cg logic error on CZ/St. drm/amd/powerplay: refine vce dpm update code on Cz. pmem: return EIO on read_pmem() failure mac80211: initialize SMPS field in HT capabilities x86/tsc: Add the Intel Denverton Processor to native_calibrate_tsc() x86/mpx: Use compatible types in comparison to fix sparse error perf/core: Fix sys_perf_event_open() vs. hotplug perf/x86: Reject non sampling events with precise_ip aio: fix lock dep warning coredump: Ensure proper size of sparse core files swiotlb: ensure that page-sized mappings are page-aligned s390/ctl_reg: make __ctl_load a full memory barrier usb: dwc2: gadget: Fix GUSBCFG.USBTRDTIM value be2net: fix status check in be_cmd_pmac_add() be2net: don't delete MAC on close on unprivileged BE3 VFs be2net: fix MAC addr setting on privileged BE3 VFs perf probe: Fix to show correct locations for events on modules net: phy: dp83867: allow RGMII_TXID/RGMII_RXID interface types tipc: allocate user memory with GFP_KERNEL flag perf probe: Fix to probe on gcc generated functions in modules net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV sctp: check af before verify address in sctp_addr_id2transport ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets ravb: Fix use-after-free on `ifconfig eth0 down` mm/vmalloc.c: huge-vmap: fail gracefully on unexpected huge vmap mappings xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY xfrm: NULL dereference on allocation failure xfrm: Oops on error in pfkey_msg2xfrm_state() netfilter: use skb_to_full_sk in ip_route_me_harder watchdog: bcm281xx: Fix use of uninitialized spinlock. sched/loadavg: Avoid loadavg spikes caused by delayed NO_HZ accounting spi: When no dma_chan map buffers with spi_master's parent spi: fix device-node leaks regulator: tps65086: Fix expected switch DT node names regulator: tps65086: Fix DT node referencing in of_parse_cb ARM: OMAP2+: omap_device: Sync omap_device and pm_runtime after probe defer ARM: dts: OMAP3: Fix MFG ID EEPROM ARM64/ACPI: Fix BAD_MADT_GICC_ENTRY() macro implementation ARM: 8685/1: ensure memblock-limit is pmd-aligned tools arch: Sync arch/x86/lib/memcpy_64.S with the kernel x86/boot/KASLR: Fix kexec crash due to 'virt_addr' calculation bug x86/mpx: Correctly report do_mpx_bt_fault() failures to user-space x86/mm: Fix flush_tlb_page() on Xen ocfs2: o2hb: revert hb threshold to keep compatible iommu/vt-d: Don't over-free page table directories iommu: Handle default domain attach failure iommu/dma: Don't reserve PCI I/O windows iommu/amd: Fix incorrect error handling in amd_iommu_bind_pasid() iommu/amd: Fix interrupt remapping when disable guest_mode cpufreq: s3c2416: double free on driver init error path clk: scpi: don't add cpufreq device if the scpi dvfs node is disabled objtool: Fix another GCC jump table detection issue infiniband: hns: avoid gcc-7.0.1 warning for uninitialized data brcmfmac: avoid writing channel out of allocated array i2c: brcmstb: Fix START and STOP conditions mtd: nand: brcmnand: Check flash #WP pin status before nand erase/program arm64: fix NULL dereference in have_cpu_die() KVM: x86: fix emulation of RSM and IRET instructions KVM: x86/vPMU: fix undefined shift in intel_pmu_refresh() KVM: x86: zero base3 of unusable segments KVM: nVMX: Fix exception injection Linux 4.9.36 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Daniel Borkmann
|
251d00bf13 |
bpf: don't trigger OOM killer under pressure with map alloc
[ Upstream commit
|
||
|
Daniel Borkmann
|
edb6da11b9 |
FROMLIST: bpf: cgroup skb progs cannot access ld_abs/ind
Commit |
||
|
Chenbo Feng
|
b9aad97657 |
FROMLIST: [net-next,v2,2/2] bpf: Remove the capability check for cgroup skb eBPF
program Currently loading a cgroup skb eBPF program require a CAP_SYS_ADMIN capability while attaching the program to a cgroup only requires the user have CAP_NET_ADMIN privilege. We can escape the capability check when load the program just like socket filter program to make the capability requirement consistent. Change since v1: Change the code style in order to be compliant with checkpatch.pl preference (url: http://patchwork.ozlabs.org/patch/769460/) Signed-off-by: Chenbo Feng <fengc@google.com> Bug: 30950746 Change-Id: Ibe51235127d6f9349b8f563ad31effc061b278ed |
||
|
Chenbo Feng
|
9e3c655559 |
FROMLIST: [net-next,v2,1/2] bpf: Allow CGROUP_SKB eBPF program to access
sk_buff This allows cgroup eBPF program to classify packet based on their protocol or other detail information. Currently program need CAP_NET_ADMIN privilege to attach a cgroup eBPF program, and A process with CAP_NET_ADMIN can already see all packets on the system, for example, by creating an iptables rules that causes the packet to be passed to userspace via NFLOG. (url: http://patchwork.ozlabs.org/patch/769459/) Signed-off-by: Chenbo Feng <fengc@google.com> Bug: 30950746 Change-Id: I11bef84ce26cf8b8f1b89483c32a7fcdd61ae926 |
||
|
Daniel Mack
|
a5d371cda6 |
UPSTREAM: bpf: cgroup: fix documentation of __cgroup_bpf_update()
There's a 'not' missing in one paragraph. Add it. Fixes: |
||
|
Alexei Starovoitov
|
1ee2b4b803 |
BACKPORT: bpf: introduce BPF_F_ALLOW_OVERRIDE flag
If BPF_F_ALLOW_OVERRIDE flag is used in BPF_PROG_ATTACH command to the given cgroup the descendent cgroup will be able to override effective bpf program that was inherited from this cgroup. By default it's not passed, therefore override is disallowed. Examples: 1. prog X attached to /A with default prog Y fails to attach to /A/B and /A/B/C Everything under /A runs prog X 2. prog X attached to /A with allow_override. prog Y fails to attach to /A/B with default (non-override) prog M attached to /A/B with allow_override. Everything under /A/B runs prog M only. 3. prog X attached to /A with allow_override. prog Y fails to attach to /A with default. The user has to detach first to switch the mode. In the future this behavior may be extended with a chain of non-overridable programs. Also fix the bug where detach from cgroup where nothing is attached was not throwing error. Return ENOENT in such case. Add several testcases and adjust libbpf. Fixes: |
||
|
Willem de Bruijn
|
2c1289c999 |
BACKPORT: UPSTREAM: bpf: pass sk to helper functions
Cherrypick from commit
|
||
|
Daniel Mack
|
00615dfcd2 |
UPSTREAM: bpf: add BPF_PROG_ATTACH and BPF_PROG_DETACH commands
Cherry-pick from commit
|
||
|
Daniel Mack
|
f791c42b63 |
UPSTREAM: cgroup: add support for eBPF programs
Cherry-pick from commit
|
||
|
Daniel Borkmann
|
ced0a31e66 |
bpf: don't let ldimm64 leak map addresses on unprivileged
[ Upstream commit |
||
|
Yonghong Song
|
7bca0a9702 |
bpf: enhance verifier to understand stack pointer arithmetic
[ Upstream commit
|
||
|
Alexei Starovoitov
|
0ea3c23577 |
bpf: improve verifier packet range checks
[ Upstream commit |
||
|
Daniel Borkmann
|
0e0f1d6fdb |
bpf: fix mark_reg_unknown_value for spilled regs on map value marking
[ Upstream commit |
||
|
Daniel Borkmann
|
1889d6d9b5 |
bpf: fix regression on verifier pruning wrt map lookups
[ Upstream commit |
||
|
Alexei Starovoitov
|
b7f5aa1ca0 |
bpf: fix state equivalence
[ Upstream commit |
||
|
Thomas Graf
|
1411707acb |
bpf: Detect identical PTR_TO_MAP_VALUE_OR_NULL registers
[ Upstream commit
|
||
|
Josef Bacik
|
e2d2afe15e |
bpf: fix states equal logic for varlen access
If we have a branch that looks something like this
int foo = map->value;
if (condition) {
foo += blah;
} else {
foo = bar;
}
map->array[foo] = baz;
We will incorrectly assume that the !condition branch is equal to the condition
branch as the register for foo will be UNKNOWN_VALUE in both cases. We need to
adjust this logic to only do this if we didn't do a varlen access after we
processed the !condition branch, otherwise we have different ranges and need to
check the other branch as well.
Fixes:
|
||
|
Josef Bacik
|
f23cc643f9 |
bpf: fix range arithmetic for bpf map access
I made some invalid assumptions with BPF_AND and BPF_MOD that could result in invalid accesses to bpf map entries. Fix this up by doing a few things 1) Kill BPF_MOD support. This doesn't actually get used by the compiler in real life and just adds extra complexity. 2) Fix the logic for BPF_AND, don't allow AND of negative numbers and set the minimum value to 0 for positive AND's. 3) Don't do operations on the ranges if they are set to the limits, as they are by definition undefined, and allowing arithmetic operations on those values could make them appear valid when they really aren't. This fixes the testcase provided by Jann as well as a few other theoretical problems. Reported-by: Jann Horn <jannh@google.com> Signed-off-by: Josef Bacik <jbacik@fb.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
Daniel Borkmann
|
20b2b24f91 |
bpf: fix map not being uncharged during map creation failure
In map_create(), we first find and create the map, then once that
suceeded, we charge it to the user's RLIMIT_MEMLOCK, and then fetch
a new anon fd through anon_inode_getfd(). The problem is, once the
latter fails f.e. due to RLIMIT_NOFILE limit, then we only destruct
the map via map->ops->map_free(), but without uncharging the previously
locked memory first. That means that the user_struct allocation is
leaked as well as the accounted RLIMIT_MEMLOCK memory not released.
Make the label names in the fix consistent with bpf_prog_load().
Fixes:
|
||
|
Daniel Borkmann
|
483bed2b0d |
bpf: fix htab map destruction when extra reserve is in use
Commit |
||
|
Linus Torvalds
|
101105b171 |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull more vfs updates from Al Viro: ">rename2() work from Miklos + current_time() from Deepa" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: fs: Replace current_fs_time() with current_time() fs: Replace CURRENT_TIME_SEC with current_time() for inode timestamps fs: Replace CURRENT_TIME with current_time() for inode timestamps fs: proc: Delete inode time initializations in proc_alloc_inode() vfs: Add current_time() api vfs: add note about i_op->rename changes to porting fs: rename "rename2" i_op to "rename" vfs: remove unused i_op->rename fs: make remaining filesystems use .rename2 libfs: support RENAME_NOREPLACE in simple_rename() fs: support RENAME_NOREPLACE for local filesystems ncpfs: fix unused variable warning |
||
|
Josef Bacik
|
484611357c |
bpf: allow access into map value arrays
Suppose you have a map array value that is something like this
struct foo {
unsigned iter;
int array[SOME_CONSTANT];
};
You can easily insert this into an array, but you cannot modify the contents of
foo->array[] after the fact. This is because we have no way to verify we won't
go off the end of the array at verification time. This patch provides a start
for this work. We accomplish this by keeping track of a minimum and maximum
value a register could be while we're checking the code. Then at the time we
try to do an access into a MAP_VALUE we verify that the maximum offset into that
region is a valid access into that memory region. So in practice, code such as
this
unsigned index = 0;
if (foo->iter >= SOME_CONSTANT)
foo->iter = index;
else
index = foo->iter++;
foo->array[index] = bar;
would be allowed, as we can verify that index will always be between 0 and
SOME_CONSTANT-1. If you wish to use signed values you'll have to have an extra
check to make sure the index isn't less than 0, or do something like index %=
SOME_CONSTANT.
Signed-off-by: Josef Bacik <jbacik@fb.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||
|
Shaohua Li
|
b761fe226b |
bpf: clean up put_cpu_var usage
put_cpu_var takes the percpu data, not the data returned from get_cpu_var. This doesn't change the behavior. Cc: Tejun Heo <tj@kernel.org> Cc: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Shaohua Li <shli@fb.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Tejun Heo <tj@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
Deepa Dinamani
|
078cd8279e |
fs: Replace CURRENT_TIME with current_time() for inode timestamps
CURRENT_TIME macro is not appropriate for filesystems as it doesn't use the right granularity for filesystem timestamps. Use current_time() instead. CURRENT_TIME is also not y2038 safe. This is also in preparation for the patch that transitions vfs timestamps to use 64 bit time and hence make them y2038 safe. As part of the effort current_time() will be extended to do range checks. Hence, it is necessary for all file system timestamps to use current_time(). Also, current_time() will be transitioned along with vfs to be y2038 safe. Note that whenever a single call to current_time() is used to change timestamps in different inodes, it is because they share the same time granularity. Signed-off-by: Deepa Dinamani <deepa.kernel@gmail.com> Reviewed-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Felipe Balbi <balbi@kernel.org> Acked-by: Steven Whitehouse <swhiteho@redhat.com> Acked-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp> Acked-by: David Sterba <dsterba@suse.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> |
||
|
Mickaël Salaün
|
1955351da4 |
bpf: Set register type according to is_valid_access()
This prevent future potential pointer leaks when an unprivileged eBPF program will read a pointer value from its context. Even if is_valid_access() returns a pointer type, the eBPF verifier replace it with UNKNOWN_VALUE. The register value that contains a kernel address is then allowed to leak. Moreover, this fix allows unprivileged eBPF programs to use functions with (legitimate) pointer arguments. Not an issue currently since reg_type is only set for PTR_TO_PACKET or PTR_TO_PACKET_END in XDP and TC programs that can only be loaded as privileged. For now, the only unprivileged eBPF program allowed is for socket filtering and all the types from its context are UNKNOWN_VALUE. However, this fix is important for future unprivileged eBPF programs which could use pointers in their context. Signed-off-by: Mickaël Salaün <mic@digikod.net> Cc: Alexei Starovoitov <ast@kernel.org> Cc: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
Jakub Kicinski
|
6b17387307 |
bpf: recognize 64bit immediate loads as consts
When running as parser interpret BPF_LD | BPF_IMM | BPF_DW instructions as loading CONST_IMM with the value stored in imm. The verifier will continue not recognizing those due to concerns about search space/program complexity increase. Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
Jakub Kicinski
|
13a27dfc66 |
bpf: enable non-core use of the verfier
Advanced JIT compilers and translators may want to use eBPF verifier as a base for parsers or to perform custom checks and validations. Add ability for external users to invoke the verifier and provide callbacks to be invoked for every intruction checked. For now only add most basic callback for per-instruction pre-interpretation checks is added. More advanced users may also like to have per-instruction post callback and state comparison callback. Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
Jakub Kicinski
|
58e2af8b3a |
bpf: expose internal verfier structures
Move verifier's internal structures to a header file and prefix their names with bpf_ to avoid potential namespace conflicts. Those structures will soon be used by external analyzers. Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
Jakub Kicinski
|
3df126f35f |
bpf: don't (ab)use instructions to store state
Storing state in reserved fields of instructions makes it impossible to run verifier on programs already marked as read-only. Allocate and use an array of per-instruction state instead. While touching the error path rename and move existing jump target. Suggested-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
Daniel Borkmann
|
36bbef52c7 |
bpf: direct packet write and access for helpers for clsact progs
This work implements direct packet access for helpers and direct packet write in a similar fashion as already available for XDP types via commits |
||
|
Daniel Borkmann
|
b399cf64e3 |
bpf, verifier: enforce larger zero range for pkt on overloading stack buffs
Current contract for the following two helper argument types is:
* ARG_CONST_STACK_SIZE: passed argument pair must be (ptr, >0).
* ARG_CONST_STACK_SIZE_OR_ZERO: passed argument pair can be either
(NULL, 0) or (ptr, >0).
With
|
||
|
Daniel Borkmann
|
f3694e0012 |
bpf: add BPF_CALL_x macros for declaring helpers
This work adds BPF_CALL_<n>() macros and converts all the eBPF helper functions
to use them, in a similar fashion like we do with SYSCALL_DEFINE<n>() macros
that are used today. Motivation for this is to hide all the register handling
and all necessary casts from the user, so that it is done automatically in the
background when adding a BPF_CALL_<n>() call.
This makes current helpers easier to review, eases to write future helpers,
avoids getting the casting mess wrong, and allows for extending all helpers at
once (f.e. build time checks, etc). It also helps detecting more easily in
code reviews that unused registers are not instrumented in the code by accident,
breaking compatibility with existing programs.
BPF_CALL_<n>() internals are quite similar to SYSCALL_DEFINE<n>() ones with some
fundamental differences, for example, for generating the actual helper function
that carries all u64 regs, we need to fill unused regs, so that we always end up
with 5 u64 regs as an argument.
I reviewed several 0-5 generated BPF_CALL_<n>() variants of the .i results and
they look all as expected. No sparse issue spotted. We let this also sit for a
few days with Fengguang's kbuild test robot, and there were no issues seen. On
s390, it barked on the "uses dynamic stack allocation" notice, which is an old
one from bpf_perf_event_output{,_tp}() reappearing here due to the conversion
to the call wrapper, just telling that the perf raw record/frag sits on stack
(gcc with s390's -mwarn-dynamicstack), but that's all. Did various runtime tests
and they were fine as well. All eBPF helpers are now converted to use these
macros, getting rid of a good chunk of all the raw castings.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||
|
Daniel Borkmann
|
6088b5823b |
bpf: minor cleanups in helpers
Some minor misc cleanups, f.e. use sizeof(__u32) instead of hardcoding and in __bpf_skb_max_len(), I missed that we always have skb->dev valid anyway, so we can drop the unneeded test for dev; also few more other misc bits addressed here. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
Daniel Borkmann
|
2d2be8cab2 |
bpf: fix range propagation on direct packet access
LLVM can generate code that tests for direct packet access via
skb->data/data_end in a way that currently gets rejected by the
verifier, example:
[...]
7: (61) r3 = *(u32 *)(r6 +80)
8: (61) r9 = *(u32 *)(r6 +76)
9: (bf) r2 = r9
10: (07) r2 += 54
11: (3d) if r3 >= r2 goto pc+12
R1=inv R2=pkt(id=0,off=54,r=0) R3=pkt_end R4=inv R6=ctx
R9=pkt(id=0,off=0,r=0) R10=fp
12: (18) r4 = 0xffffff7a
14: (05) goto pc+430
[...]
from 11 to 24: R1=inv R2=pkt(id=0,off=54,r=0) R3=pkt_end R4=inv
R6=ctx R9=pkt(id=0,off=0,r=0) R10=fp
24: (7b) *(u64 *)(r10 -40) = r1
25: (b7) r1 = 0
26: (63) *(u32 *)(r6 +56) = r1
27: (b7) r2 = 40
28: (71) r8 = *(u8 *)(r9 +20)
invalid access to packet, off=20 size=1, R9(id=0,off=0,r=0)
The reason why this gets rejected despite a proper test is that we
currently call find_good_pkt_pointers() only in case where we detect
tests like rX > pkt_end, where rX is of type pkt(id=Y,off=Z,r=0) and
derived, for example, from a register of type pkt(id=Y,off=0,r=0)
pointing to skb->data. find_good_pkt_pointers() then fills the range
in the current branch to pkt(id=Y,off=0,r=Z) on success.
For above case, we need to extend that to recognize pkt_end >= rX
pattern and mark the other branch that is taken on success with the
appropriate pkt(id=Y,off=0,r=Z) type via find_good_pkt_pointers().
Since eBPF operates on BPF_JGT (>) and BPF_JGE (>=), these are the
only two practical options to test for from what LLVM could have
generated, since there's no such thing as BPF_JLT (<) or BPF_JLE (<=)
that we would need to take into account as well.
After the fix:
[...]
7: (61) r3 = *(u32 *)(r6 +80)
8: (61) r9 = *(u32 *)(r6 +76)
9: (bf) r2 = r9
10: (07) r2 += 54
11: (3d) if r3 >= r2 goto pc+12
R1=inv R2=pkt(id=0,off=54,r=0) R3=pkt_end R4=inv R6=ctx
R9=pkt(id=0,off=0,r=0) R10=fp
12: (18) r4 = 0xffffff7a
14: (05) goto pc+430
[...]
from 11 to 24: R1=inv R2=pkt(id=0,off=54,r=54) R3=pkt_end R4=inv
R6=ctx R9=pkt(id=0,off=0,r=54) R10=fp
24: (7b) *(u64 *)(r10 -40) = r1
25: (b7) r1 = 0
26: (63) *(u32 *)(r6 +56) = r1
27: (b7) r2 = 40
28: (71) r8 = *(u8 *)(r9 +20)
29: (bf) r1 = r8
30: (25) if r8 > 0x3c goto pc+47
R1=inv56 R2=imm40 R3=pkt_end R4=inv R6=ctx R8=inv56
R9=pkt(id=0,off=0,r=54) R10=fp
31: (b7) r1 = 1
[...]
Verifier test cases are also added in this work, one that demonstrates
the mentioned example here and one that tries a bad packet access for
the current/fall-through branch (the one with types pkt(id=X,off=Y,r=0),
pkt(id=X,off=0,r=0)), then a case with good and bad accesses, and two
with both test variants (>, >=).
Fixes:
|
||
|
Alexei Starovoitov
|
fdc15d388d |
bpf: perf_event progs should only use preallocated maps
Make sure that BPF_PROG_TYPE_PERF_EVENT programs only use preallocated hash maps, since doing memory allocation in overflow_handler can crash depending on where nmi got triggered. Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
Alexei Starovoitov
|
ea2e7ce5d0 |
bpf: support 8-byte metafield access
The verifier supported only 4-byte metafields in struct __sk_buff and struct xdp_md. The metafields in upcoming struct bpf_perf_event are 8-byte to match register width in struct pt_regs. Teach verifier to recognize 8-byte metafield access. The patch doesn't affect safety of sockets and xdp programs. They check for 4-byte only ctx access before these conditions are hit. Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: David S. Miller <davem@davemloft.net> |