Commit ae90f6a6 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf 

Pull bpf fixes from Daniel Borkmann:

 - Fix an out-of-bounds read in bpf_link_show_fdinfo for BPF sockmap
   link file descriptors (Hou Tao)

 - Fix BPF arm64 JIT's address emission with tag-based KASAN enabled
   reserving not enough size (Peter Collingbourne)

 - Fix BPF verifier do_misc_fixups patching for inlining of the
   bpf_get_branch_snapshot BPF helper (Andrii Nakryiko)

 - Fix a BPF verifier bug and reject BPF program write attempts into
   read-only marked BPF maps (Daniel Borkmann)

 - Fix perf_event_detach_bpf_prog error handling by removing an invalid
   check which would skip BPF program release (Jiri Olsa)

 - Fix memory leak when parsing mount options for the BPF filesystem
   (Hou Tao)

* tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
  bpf: Check validity of link->type in bpf_link_show_fdinfo()
  bpf: Add the missing BPF_LINK_TYPE invocation for sockmap
  bpf: fix do_misc_fixups() for bpf_get_branch_snapshot()
  bpf,perf: Fix perf_event_detach_bpf_prog error handling
  selftests/bpf: Add test for passing in uninit mtu_len
  selftests/bpf: Add test for writes to .rodata
  bpf: Remove MEM_UNINIT from skb/xdp MTU helpers
  bpf: Fix overloading of MEM_UNINIT's meaning
  bpf: Add MEM_WRITE attribute
  bpf: Preserve param->string when parsing mount options
  bpf, arm64: Fix address emission with tag-based KASAN enabled
parents d44cd822 d5fb316e

arch/arm64/net/bpf_jit_comp.c

+10 −2
Original line number Diff line number Diff line
@@ -2220,6 +2220,10 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im, 
	emit(A64_STR64I(A64_R(20), A64_SP, regs_off + 8), ctx);



	if (flags & BPF_TRAMP_F_CALL_ORIG) {

		/* for the first pass, assume the worst case */

		if (!ctx->image)

			ctx->idx += 4;

		else

			emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);

		emit_call((const u64)__bpf_tramp_enter, ctx);

	}
@@ -2264,6 +2268,10 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im, 


	if (flags & BPF_TRAMP_F_CALL_ORIG) {

		im->ip_epilogue = ctx->ro_image + ctx->idx;

		/* for the first pass, assume the worst case */

		if (!ctx->image)

			ctx->idx += 4;

		else

			emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);

		emit_call((const u64)__bpf_tramp_exit, ctx);

	}

include/linux/bpf.h

+11 −3
Original line number Diff line number Diff line
@@ -635,6 +635,7 @@ enum bpf_type_flag { 
	 */

	PTR_UNTRUSTED		= BIT(6 + BPF_BASE_TYPE_BITS),



	/* MEM can be uninitialized. */

	MEM_UNINIT		= BIT(7 + BPF_BASE_TYPE_BITS),



	/* DYNPTR points to memory local to the bpf program. */
@@ -700,6 +701,13 @@ enum bpf_type_flag { 
	 */

	MEM_ALIGNED		= BIT(17 + BPF_BASE_TYPE_BITS),



	/* MEM is being written to, often combined with MEM_UNINIT. Non-presence

	 * of MEM_WRITE means that MEM is only being read. MEM_WRITE without the

	 * MEM_UNINIT means that memory needs to be initialized since it is also

	 * read.

	 */

	MEM_WRITE		= BIT(18 + BPF_BASE_TYPE_BITS),



	__BPF_TYPE_FLAG_MAX,

	__BPF_TYPE_LAST_FLAG	= __BPF_TYPE_FLAG_MAX - 1,

};
@@ -758,10 +766,10 @@ enum bpf_arg_type { 
	ARG_PTR_TO_SOCKET_OR_NULL	= PTR_MAYBE_NULL | ARG_PTR_TO_SOCKET,

	ARG_PTR_TO_STACK_OR_NULL	= PTR_MAYBE_NULL | ARG_PTR_TO_STACK,

	ARG_PTR_TO_BTF_ID_OR_NULL	= PTR_MAYBE_NULL | ARG_PTR_TO_BTF_ID,

	/* pointer to memory does not need to be initialized, helper function must fill

	 * all bytes or clear them in error case.

	/* Pointer to memory does not need to be initialized, since helper function

	 * fills all bytes or clears them in error case.

	 */

	ARG_PTR_TO_UNINIT_MEM		= MEM_UNINIT | ARG_PTR_TO_MEM,

	ARG_PTR_TO_UNINIT_MEM		= MEM_UNINIT | MEM_WRITE | ARG_PTR_TO_MEM,

	/* Pointer to valid memory of size known at compile time. */

	ARG_PTR_TO_FIXED_SIZE_MEM	= MEM_FIXED_SIZE | ARG_PTR_TO_MEM,

include/linux/bpf_types.h

+1 −0
Original line number Diff line number Diff line
@@ -146,6 +146,7 @@ BPF_LINK_TYPE(BPF_LINK_TYPE_XDP, xdp) 
BPF_LINK_TYPE(BPF_LINK_TYPE_NETFILTER, netfilter)

BPF_LINK_TYPE(BPF_LINK_TYPE_TCX, tcx)

BPF_LINK_TYPE(BPF_LINK_TYPE_NETKIT, netkit)

BPF_LINK_TYPE(BPF_LINK_TYPE_SOCKMAP, sockmap)

#endif

#ifdef CONFIG_PERF_EVENTS

BPF_LINK_TYPE(BPF_LINK_TYPE_PERF_EVENT, perf)

include/uapi/linux/bpf.h

+3 −0
Original line number Diff line number Diff line
@@ -1121,6 +1121,9 @@ enum bpf_attach_type { 


#define MAX_BPF_ATTACH_TYPE __MAX_BPF_ATTACH_TYPE



/* Add BPF_LINK_TYPE(type, name) in bpf_types.h to keep bpf_link_type_strs[]

 * in sync with the definitions below.

 */

enum bpf_link_type {

	BPF_LINK_TYPE_UNSPEC = 0,

	BPF_LINK_TYPE_RAW_TRACEPOINT = 1,

kernel/bpf/helpers.c

+5 −5
Original line number Diff line number Diff line
@@ -111,7 +111,7 @@ const struct bpf_func_proto bpf_map_pop_elem_proto = { 
	.gpl_only	= false,

	.ret_type	= RET_INTEGER,

	.arg1_type	= ARG_CONST_MAP_PTR,

	.arg2_type	= ARG_PTR_TO_MAP_VALUE | MEM_UNINIT,

	.arg2_type	= ARG_PTR_TO_MAP_VALUE | MEM_UNINIT | MEM_WRITE,

};



BPF_CALL_2(bpf_map_peek_elem, struct bpf_map *, map, void *, value)
@@ -124,7 +124,7 @@ const struct bpf_func_proto bpf_map_peek_elem_proto = { 
	.gpl_only	= false,

	.ret_type	= RET_INTEGER,

	.arg1_type	= ARG_CONST_MAP_PTR,

	.arg2_type	= ARG_PTR_TO_MAP_VALUE | MEM_UNINIT,

	.arg2_type	= ARG_PTR_TO_MAP_VALUE | MEM_UNINIT | MEM_WRITE,

};



BPF_CALL_3(bpf_map_lookup_percpu_elem, struct bpf_map *, map, void *, key, u32, cpu)
@@ -538,7 +538,7 @@ const struct bpf_func_proto bpf_strtol_proto = { 
	.arg1_type	= ARG_PTR_TO_MEM | MEM_RDONLY,

	.arg2_type	= ARG_CONST_SIZE,

	.arg3_type	= ARG_ANYTHING,

	.arg4_type	= ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED,

	.arg4_type	= ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_WRITE | MEM_ALIGNED,

	.arg4_size	= sizeof(s64),

};
@@ -566,7 +566,7 @@ const struct bpf_func_proto bpf_strtoul_proto = { 
	.arg1_type	= ARG_PTR_TO_MEM | MEM_RDONLY,

	.arg2_type	= ARG_CONST_SIZE,

	.arg3_type	= ARG_ANYTHING,

	.arg4_type	= ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED,

	.arg4_type	= ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_WRITE | MEM_ALIGNED,

	.arg4_size	= sizeof(u64),

};
@@ -1742,7 +1742,7 @@ static const struct bpf_func_proto bpf_dynptr_from_mem_proto = { 
	.arg1_type	= ARG_PTR_TO_UNINIT_MEM,

	.arg2_type	= ARG_CONST_SIZE_OR_ZERO,

	.arg3_type	= ARG_ANYTHING,

	.arg4_type	= ARG_PTR_TO_DYNPTR | DYNPTR_TYPE_LOCAL | MEM_UNINIT,

	.arg4_type	= ARG_PTR_TO_DYNPTR | DYNPTR_TYPE_LOCAL | MEM_UNINIT | MEM_WRITE,

};



BPF_CALL_5(bpf_dynptr_read, void *, dst, u32, len, const struct bpf_dynptr_kern *, src,