Commit 319fc77f authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf 

Pull BPF fixes from Daniel Borkmann:

 - Fix a soft-lockup in BPF arena_map_free on 64k page size kernels
   (Alan Maguire)

 - Fix a missing allocation failure check in BPF verifier's
   acquire_lock_state (Kumar Kartikeya Dwivedi)

 - Fix a NULL-pointer dereference in trace_kfree_skb by adding kfree_skb
   to the raw_tp_null_args set (Kuniyuki Iwashima)

 - Fix a deadlock when freeing BPF cgroup storage (Abel Wu)

 - Fix a syzbot-reported deadlock when holding BPF map's freeze_mutex
   (Andrii Nakryiko)

 - Fix a use-after-free issue in bpf_test_init when eth_skb_pkt_type is
   accessing skb data not containing an Ethernet header (Shigeru
   Yoshida)

 - Fix skipping non-existing keys in generic_map_lookup_batch (Yan Zhai)

 - Several BPF sockmap fixes to address incorrect TCP copied_seq
   calculations, which prevented correct data reads from recv(2) in user
   space (Jiayuan Chen)

 - Two fixes for BPF map lookup nullness elision (Daniel Xu)

 - Fix a NULL-pointer dereference from vmlinux BTF lookup in
   bpf_sk_storage_tracing_allowed (Jared Kangas)

* tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
  selftests: bpf: test batch lookup on array of maps with holes
  bpf: skip non exist keys in generic_map_lookup_batch
  bpf: Handle allocation failure in acquire_lock_state
  bpf: verifier: Disambiguate get_constant_map_key() errors
  bpf: selftests: Test constant key extraction on irrelevant maps
  bpf: verifier: Do not extract constant map keys for irrelevant maps
  bpf: Fix softlockup in arena_map_free on 64k page kernel
  net: Add rx_skb of kfree_skb to raw_tp_null_args[].
  bpf: Fix deadlock when freeing cgroup storage
  selftests/bpf: Add strparser test for bpf
  selftests/bpf: Fix invalid flag of recv()
  bpf: Disable non stream socket for strparser
  bpf: Fix wrong copied_seq calculation
  strparser: Add read_sock callback
  bpf: avoid holding freeze_mutex during mmap operation
  bpf: unify VM_WRITE vs VM_MAYWRITE use in BPF map mmaping logic
  selftests/bpf: Adjust data size to have ETH_HLEN
  bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()
  bpf: Remove unnecessary BTF lookups in bpf_sk_storage_tracing_allowed
parents 27eddbf3 dbf7cc56

Documentation/networking/strparser.rst

+8 −1
Original line number Diff line number Diff line
@@ -112,7 +112,7 @@ Functions 
Callbacks

=========



There are six callbacks:

There are seven callbacks:



    ::
@@ -182,6 +182,13 @@ There are six callbacks: 
    the length of the message. skb->len - offset may be greater

    then full_len since strparser does not trim the skb.



    ::



	int (*read_sock)(struct strparser *strp, read_descriptor_t *desc,

                     sk_read_actor_t recv_actor);



    The read_sock callback is used by strparser instead of

    sock->ops->read_sock, if provided.

    ::



	int (*read_sock_done)(struct strparser *strp, int err);

include/linux/skmsg.h

+2 −0
Original line number Diff line number Diff line
@@ -91,6 +91,8 @@ struct sk_psock { 
	struct sk_psock_progs		progs;

#if IS_ENABLED(CONFIG_BPF_STREAM_PARSER)

	struct strparser		strp;

	u32				copied_seq;

	u32				ingress_bytes;

#endif

	struct sk_buff_head		ingress_skb;

	struct list_head		ingress_msg;

include/net/strparser.h

+2 −0
Original line number Diff line number Diff line
@@ -43,6 +43,8 @@ struct strparser; 
struct strp_callbacks {

	int (*parse_msg)(struct strparser *strp, struct sk_buff *skb);

	void (*rcv_msg)(struct strparser *strp, struct sk_buff *skb);

	int (*read_sock)(struct strparser *strp, read_descriptor_t *desc,

			 sk_read_actor_t recv_actor);

	int (*read_sock_done)(struct strparser *strp, int err);

	void (*abort_parser)(struct strparser *strp, int err);

	void (*lock)(struct strparser *strp);

include/net/tcp.h

+8 −0
Original line number Diff line number Diff line
@@ -743,6 +743,9 @@ void tcp_get_info(struct sock *, struct tcp_info *); 
/* Read 'sendfile()'-style from a TCP socket */

int tcp_read_sock(struct sock *sk, read_descriptor_t *desc,

		  sk_read_actor_t recv_actor);

int tcp_read_sock_noack(struct sock *sk, read_descriptor_t *desc,

			sk_read_actor_t recv_actor, bool noack,

			u32 *copied_seq);

int tcp_read_skb(struct sock *sk, skb_read_actor_t recv_actor);

struct sk_buff *tcp_recv_skb(struct sock *sk, u32 seq, u32 *off);

void tcp_read_done(struct sock *sk, size_t len);
@@ -2613,6 +2616,11 @@ struct sk_psock; 
#ifdef CONFIG_BPF_SYSCALL

int tcp_bpf_update_proto(struct sock *sk, struct sk_psock *psock, bool restore);

void tcp_bpf_clone(const struct sock *sk, struct sock *newsk);

#ifdef CONFIG_BPF_STREAM_PARSER

struct strparser;

int tcp_bpf_strp_read_sock(struct strparser *strp, read_descriptor_t *desc,

			   sk_read_actor_t recv_actor);

#endif /* CONFIG_BPF_STREAM_PARSER */

#endif /* CONFIG_BPF_SYSCALL */



#ifdef CONFIG_INET

kernel/bpf/arena.c

+1 −1
Original line number Diff line number Diff line
@@ -39,7 +39,7 @@ 
 */



/* number of bytes addressable by LDX/STX insn with 16-bit 'off' field */

#define GUARD_SZ (1ull << sizeof_field(struct bpf_insn, off) * 8)

#define GUARD_SZ round_up(1ull << sizeof_field(struct bpf_insn, off) * 8, PAGE_SIZE << 1)

#define KERN_VM_SZ (SZ_4G + GUARD_SZ)



struct bpf_arena {