Commit 0d47fa5c authored Nov 29, 2023 by Jakub Kicinski

Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf

Daniel Borkmann says:

====================
pull-request: bpf 2023-11-30

We've added 5 non-merge commits during the last 7 day(s) which contain
a total of 10 files changed, 66 insertions(+), 15 deletions(-).

The main changes are:

1) Fix AF_UNIX splat from use after free in BPF sockmap,
   from John Fastabend.

2) Fix a syzkaller splat in netdevsim by properly handling offloaded
   programs (and not device-bound ones), from Stanislav Fomichev.

3) Fix bpf_mem_cache_alloc_flags() to initialize the allocation hint,
   from Hou Tao.

4) Fix netkit by rejecting IFLA_NETKIT_PEER_INFO in changelink,
   from Daniel Borkmann.

* tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
  bpf, sockmap: Add af_unix test with both sockets in map
  bpf, sockmap: af_unix stream sockets need to hold ref for pair sock
  netkit: Reject IFLA_NETKIT_PEER_INFO in netkit_change_link
  bpf: Add missed allocation hint for bpf_mem_cache_alloc_flags()
  netdevsim: Don't accept device bound programs
====================

Link: https://lore.kernel.org/r/20231129234916.16128-1-daniel@iogearbox.net


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parents 83f2df9d 51354f70

drivers/net/netdevsim/bpf.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -93,7 +93,7 @@ static void nsim_prog_set_loaded(struct bpf_prog *prog, bool loaded)
		{
		struct nsim_bpf_bound_prog *state;

		if (!prog \|\| !prog->aux->offload)
		if (!prog \|\| !bpf_prog_is_offloaded(prog->aux))
		return;

		state = prog->aux->offload->dev_priv;
		@@ -311,7 +311,7 @@ nsim_setup_prog_hw_checks(struct netdevsim ns, struct netdev_bpf bpf)
		if (!bpf->prog)
		return 0;

		if (!bpf->prog->aux->offload) {
		if (!bpf_prog_is_offloaded(bpf->prog->aux)) {
		NSIM_EA(bpf->extack, "xdpoffload of non-bound program");
		return -EINVAL;
		}

drivers/net/netkit.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -851,6 +851,12 @@ static int netkit_change_link(struct net_device dev, struct nlattr tb[],
		return -EACCES;
		}

		if (data[IFLA_NETKIT_PEER_INFO]) {
		NL_SET_ERR_MSG_ATTR(extack, data[IFLA_NETKIT_PEER_INFO],
		"netkit peer info cannot be changed after device creation");
		return -EINVAL;
		}

		if (data[IFLA_NETKIT_POLICY]) {
		attr = data[IFLA_NETKIT_POLICY];
		policy = nla_get_u32(attr);

include/linux/skmsg.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -106,6 +106,7 @@ struct sk_psock {
		struct mutex work_mutex;
		struct sk_psock_work_state work_state;
		struct delayed_work work;
		struct sock *sk_pair;
		struct rcu_work rwork;
		};

include/net/af_unix.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -75,6 +75,7 @@ struct unix_sock {
		};

		#define unix_sk(ptr) container_of_const(ptr, struct unix_sock, sk)
		#define unix_peer(sk) (unix_sk(sk)->peer)

		#define peer_wait peer_wq.wait

kernel/bpf/memalloc.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -978,6 +978,8 @@ void notrace bpf_mem_cache_alloc_flags(struct bpf_mem_alloc ma, gfp_t flags)
		memcg = get_memcg(c);
		old_memcg = set_active_memcg(memcg);
		ret = __alloc(c, NUMA_NO_NODE, GFP_KERNEL \| __GFP_NOWARN \| __GFP_ACCOUNT);
		if (ret)
		(struct bpf_mem_cache *)ret = c;
		set_active_memcg(old_memcg);
		mem_cgroup_put(memcg);
		}