Commit a80afe89 authored by David S. Miller's avatar David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf

Daniel Borkmann says:

====================
pull-request: bpf 2018-09-02

The following pull-request contains BPF updates for your *net* tree.

The main changes are:

1) Fix one remaining buggy offset override in sockmap's bpf_msg_pull_data()
   when linearizing multiple scatterlist elements, from Tushar.

2) Fix BPF sockmap's misuse of ULP when a collision with another ULP is
   found on map update where it would release existing ULP. syzbot found and
   triggered this couple of times now, fix from John.

3) Add missing xskmap type to bpftool so it will properly show the type
   on map dump, from Prashant.
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 15a81b41 597222f7
...@@ -1462,9 +1462,15 @@ static void smap_destroy_psock(struct rcu_head *rcu) ...@@ -1462,9 +1462,15 @@ static void smap_destroy_psock(struct rcu_head *rcu)
schedule_work(&psock->gc_work); schedule_work(&psock->gc_work);
} }
static bool psock_is_smap_sk(struct sock *sk)
{
return inet_csk(sk)->icsk_ulp_ops == &bpf_tcp_ulp_ops;
}
static void smap_release_sock(struct smap_psock *psock, struct sock *sock) static void smap_release_sock(struct smap_psock *psock, struct sock *sock)
{ {
if (refcount_dec_and_test(&psock->refcnt)) { if (refcount_dec_and_test(&psock->refcnt)) {
if (psock_is_smap_sk(sock))
tcp_cleanup_ulp(sock); tcp_cleanup_ulp(sock);
write_lock_bh(&sock->sk_callback_lock); write_lock_bh(&sock->sk_callback_lock);
smap_stop_sock(psock, sock); smap_stop_sock(psock, sock);
...@@ -1892,6 +1898,10 @@ static int __sock_map_ctx_update_elem(struct bpf_map *map, ...@@ -1892,6 +1898,10 @@ static int __sock_map_ctx_update_elem(struct bpf_map *map,
* doesn't update user data. * doesn't update user data.
*/ */
if (psock) { if (psock) {
if (!psock_is_smap_sk(sock)) {
err = -EBUSY;
goto out_progs;
}
if (READ_ONCE(psock->bpf_parse) && parse) { if (READ_ONCE(psock->bpf_parse) && parse) {
err = -EBUSY; err = -EBUSY;
goto out_progs; goto out_progs;
......
...@@ -2292,7 +2292,7 @@ static const struct bpf_func_proto bpf_msg_cork_bytes_proto = { ...@@ -2292,7 +2292,7 @@ static const struct bpf_func_proto bpf_msg_cork_bytes_proto = {
BPF_CALL_4(bpf_msg_pull_data, BPF_CALL_4(bpf_msg_pull_data,
struct sk_msg_buff *, msg, u32, start, u32, end, u64, flags) struct sk_msg_buff *, msg, u32, start, u32, end, u64, flags)
{ {
unsigned int len = 0, offset = 0, copy = 0; unsigned int len = 0, offset = 0, copy = 0, poffset = 0;
int bytes = end - start, bytes_sg_total; int bytes = end - start, bytes_sg_total;
struct scatterlist *sg = msg->sg_data; struct scatterlist *sg = msg->sg_data;
int first_sg, last_sg, i, shift; int first_sg, last_sg, i, shift;
...@@ -2348,16 +2348,15 @@ BPF_CALL_4(bpf_msg_pull_data, ...@@ -2348,16 +2348,15 @@ BPF_CALL_4(bpf_msg_pull_data,
if (unlikely(!page)) if (unlikely(!page))
return -ENOMEM; return -ENOMEM;
p = page_address(page); p = page_address(page);
offset = 0;
i = first_sg; i = first_sg;
do { do {
from = sg_virt(&sg[i]); from = sg_virt(&sg[i]);
len = sg[i].length; len = sg[i].length;
to = p + offset; to = p + poffset;
memcpy(to, from, len); memcpy(to, from, len);
offset += len; poffset += len;
sg[i].length = 0; sg[i].length = 0;
put_page(sg_page(&sg[i])); put_page(sg_page(&sg[i]));
......
...@@ -68,6 +68,7 @@ static const char * const map_type_name[] = { ...@@ -68,6 +68,7 @@ static const char * const map_type_name[] = {
[BPF_MAP_TYPE_DEVMAP] = "devmap", [BPF_MAP_TYPE_DEVMAP] = "devmap",
[BPF_MAP_TYPE_SOCKMAP] = "sockmap", [BPF_MAP_TYPE_SOCKMAP] = "sockmap",
[BPF_MAP_TYPE_CPUMAP] = "cpumap", [BPF_MAP_TYPE_CPUMAP] = "cpumap",
[BPF_MAP_TYPE_XSKMAP] = "xskmap",
[BPF_MAP_TYPE_SOCKHASH] = "sockhash", [BPF_MAP_TYPE_SOCKHASH] = "sockhash",
[BPF_MAP_TYPE_CGROUP_STORAGE] = "cgroup_storage", [BPF_MAP_TYPE_CGROUP_STORAGE] = "cgroup_storage",
}; };
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment