Commit 7e6f4b2a authored by Paolo Abeni's avatar Paolo Abeni
Browse files

Merge tag 'for-net' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf 

Alexei Starovoitov says:

====================
pull-request: bpf 2024-03-27

The following pull-request contains BPF updates for your *net* tree.

We've added 4 non-merge commits during the last 1 day(s) which contain
a total of 5 files changed, 26 insertions(+), 3 deletions(-).

The main changes are:

1) Fix bloom filter value size validation and protect the verifier
   against such mistakes, from Andrei.

2) Fix build due to CONFIG_KEXEC_CORE/CRASH_DUMP split, from Hari.

3) Update bpf_lsm maintainers entry, from Matt.

* tag 'for-net' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
  bpf: update BPF LSM designated reviewer list
  bpf: Protect against int overflow for stack access size
  bpf: Check bloom filter map value size
  bpf: fix warning for crash_kexec
====================

Link: https://lore.kernel.org/r/20240328012938.24249-1-alexei.starovoitov@gmail.com


Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
parents 56d2f48e 4dd65107

MAINTAINERS

+1 −2
Original line number Diff line number Diff line
@@ -3941,8 +3941,7 @@ F: kernel/bpf/ringbuf.c 








BPF [SECURITY & LSM] (Security Audit and Enforcement using BPF)









M:	KP Singh <kpsingh@kernel.org>









R:	Florent Revest <revest@chromium.org>









R:	Brendan Jackman <jackmanb@chromium.org>









R:	Matt Bobrowski <mattbobrowski@google.com>









L:	bpf@vger.kernel.org









S:	Maintained









F:	Documentation/bpf/prog_lsm.rst
































kernel/bpf/bloom_filter.c



+13
−0






























Original line number
Diff line number
Diff line







@@ -80,6 +80,18 @@ static int bloom_map_get_next_key(struct bpf_map *map, void *key, void *next_key







	return -EOPNOTSUPP;









}



















/* Called from syscall */









static int bloom_map_alloc_check(union bpf_attr *attr)









{









	if (attr->value_size > KMALLOC_MAX_SIZE)









		/* if value_size is bigger, the user space won't be able to









		 * access the elements.









		 */









		return -E2BIG;



















	return 0;









}



















static struct bpf_map *bloom_map_alloc(union bpf_attr *attr)









{









	u32 bitset_bytes, bitset_mask, nr_hash_funcs, nr_bits;








@@ -191,6 +203,7 @@ static u64 bloom_map_mem_usage(const struct bpf_map *map)







BTF_ID_LIST_SINGLE(bpf_bloom_map_btf_ids, struct, bpf_bloom_filter)









const struct bpf_map_ops bloom_filter_map_ops = {









	.map_meta_equal = bpf_map_meta_equal,









	.map_alloc_check = bloom_map_alloc_check,









	.map_alloc = bloom_map_alloc,









	.map_free = bloom_map_free,









	.map_get_next_key = bloom_map_get_next_key,
































kernel/bpf/helpers.c



+1
−1






























Original line number
Diff line number
Diff line







@@ -2548,7 +2548,7 @@ __bpf_kfunc void bpf_throw(u64 cookie)







__bpf_kfunc_end_defs();



















BTF_KFUNCS_START(generic_btf_ids)









#ifdef CONFIG_KEXEC_CORE









#ifdef CONFIG_CRASH_DUMP









BTF_ID_FLAGS(func, crash_kexec, KF_DESTRUCTIVE)









#endif









BTF_ID_FLAGS(func, bpf_obj_new_impl, KF_ACQUIRE | KF_RET_NULL)
































kernel/bpf/verifier.c



+5
−0






























Original line number
Diff line number
Diff line







@@ -6701,6 +6701,11 @@ static int check_stack_access_within_bounds(







	err = check_stack_slot_within_bounds(env, min_off, state, type);









	if (!err && max_off > 0)









		err = -EINVAL; /* out of stack access into non-negative offsets */









	if (!err && access_size < 0)









		/* access_size should not be negative (or overflow an int); others checks









		 * along the way should have prevented such an access.









		 */









		err = -EFAULT; /* invalid negative access size; integer overflow? */

















	if (err) {









		if (tnum_is_const(reg->var_off)) {
































tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c



+6
−0






























Original line number
Diff line number
Diff line







@@ -2,6 +2,7 @@







/* Copyright (c) 2021 Facebook */



















#include <sys/syscall.h>









#include <limits.h>









#include <test_progs.h>









#include "bloom_filter_map.skel.h"


















@@ -21,6 +22,11 @@ static void test_fail_cases(void)







	if (!ASSERT_LT(fd, 0, "bpf_map_create bloom filter invalid value size 0"))









		close(fd);



















	/* Invalid value size: too big */









	fd = bpf_map_create(BPF_MAP_TYPE_BLOOM_FILTER, NULL, 0, INT32_MAX, 100, NULL);









	if (!ASSERT_LT(fd, 0, "bpf_map_create bloom filter invalid value too large"))









		close(fd);



















	/* Invalid max entries size */









	fd = bpf_map_create(BPF_MAP_TYPE_BLOOM_FILTER, NULL, 0, sizeof(value), 0, NULL);









	if (!ASSERT_LT(fd, 0, "bpf_map_create bloom filter invalid max entries size"))