Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf

BTF_ID(func, bpf_lsm_syslog)

BTF_ID(func, bpf_lsm_task_alloc)

BTF_ID(func, bpf_lsm_current_getsecid_subj)

BTF_ID(func, bpf_lsm_task_getsecid_obj)

BTF_ID(func, bpf_lsm_task_prctl)

BTF_ID(func, bpf_lsm_task_setscheduler)

BTF_ID(func, bpf_lsm_task_to_inode)

static void dev_map_free(struct bpf_map *map)

{

	struct bpf_dtab *dtab = container_of(map, struct bpf_dtab, map);

	int i;

	u32 i;

	/* At this point bpf_prog->aux->refcnt == 0 and this map->refcnt == 0,

	 * so the programs (can be more than one that used this map) were

{

	struct bpf_dtab *dtab = container_of(map, struct bpf_dtab, map);

	struct bpf_dtab_netdev *old_dev;

	int k = *(u32 *)key;

	u32 k = *(u32 *)key;

	if (k >= map->max_entries)

		return -EINVAL;

{

	struct bpf_dtab *dtab = container_of(map, struct bpf_dtab, map);

	struct bpf_dtab_netdev *old_dev;

	int k = *(u32 *)key;

	u32 k = *(u32 *)key;

	unsigned long flags;

	int ret = -ENOENT;

#include <net/ipv6.h>

#include <uapi/linux/btf.h>

#include <linux/btf_ids.h>

#include <linux/bpf_mem_alloc.h>

/* Intermediate node */

#define LPM_TREE_NODE_FLAG_IM BIT(0)

struct lpm_trie_node;

struct lpm_trie_node {

	struct rcu_head rcu;

	struct lpm_trie_node __rcu	*child[2];

	u32				prefixlen;

	u32				flags;

struct lpm_trie {

	struct bpf_map			map;

	struct lpm_trie_node __rcu	*root;

	struct bpf_mem_alloc		ma;

	size_t				n_entries;

	size_t				max_prefixlen;

	size_t				data_size;

	spinlock_t			lock;

	raw_spinlock_t			lock;

};

/* This trie implements a longest prefix match algorithm that can be used to

	return found->data + trie->data_size;

}

static struct lpm_trie_node *lpm_trie_node_alloc(const struct lpm_trie *trie,

						 const void *value)

static struct lpm_trie_node *lpm_trie_node_alloc(struct lpm_trie *trie,

						 const void *value,

						 bool disable_migration)

{

	struct lpm_trie_node *node;

	size_t size = sizeof(struct lpm_trie_node) + trie->data_size;

	if (value)

		size += trie->map.value_size;

	if (disable_migration)

		migrate_disable();

	node = bpf_mem_cache_alloc(&trie->ma);

	if (disable_migration)

		migrate_enable();

	node = bpf_map_kmalloc_node(&trie->map, size, GFP_NOWAIT | __GFP_NOWARN,

				    trie->map.numa_node);

	if (!node)

		return NULL;

	return node;

}

static int trie_check_add_elem(struct lpm_trie *trie, u64 flags)

{

	if (flags == BPF_EXIST)

		return -ENOENT;

	if (trie->n_entries == trie->map.max_entries)

		return -ENOSPC;

	trie->n_entries++;

	return 0;

}

/* Called from syscall or from eBPF program */

static long trie_update_elem(struct bpf_map *map,

			     void *_key, void *value, u64 flags)

{

	struct lpm_trie *trie = container_of(map, struct lpm_trie, map);

	struct lpm_trie_node *node, *im_node = NULL, *new_node = NULL;

	struct lpm_trie_node *node, *im_node, *new_node;

	struct lpm_trie_node *free_node = NULL;

	struct lpm_trie_node __rcu **slot;

	struct bpf_lpm_trie_key_u8 *key = _key;

	if (key->prefixlen > trie->max_prefixlen)

		return -EINVAL;

	spin_lock_irqsave(&trie->lock, irq_flags);

	/* Allocate and fill a new node */

	if (trie->n_entries == trie->map.max_entries) {

		ret = -ENOSPC;

		goto out;

	}

	new_node = lpm_trie_node_alloc(trie, value);

	if (!new_node) {

		ret = -ENOMEM;

		goto out;

	}

	/* Allocate and fill a new node. Need to disable migration before

	 * invoking bpf_mem_cache_alloc().

	 */

	new_node = lpm_trie_node_alloc(trie, value, true);

	if (!new_node)

		return -ENOMEM;

	trie->n_entries++;

	raw_spin_lock_irqsave(&trie->lock, irq_flags);

	new_node->prefixlen = key->prefixlen;

	RCU_INIT_POINTER(new_node->child[0], NULL);

		matchlen = longest_prefix_match(trie, node, key);

		if (node->prefixlen != matchlen ||

		    node->prefixlen == key->prefixlen ||

		    node->prefixlen == trie->max_prefixlen)

		    node->prefixlen == key->prefixlen)

			break;

		next_bit = extract_bit(key->data, node->prefixlen);

	 * simply assign the @new_node to that slot and be done.

	 */

	if (!node) {

		ret = trie_check_add_elem(trie, flags);

		if (ret)

			goto out;

		rcu_assign_pointer(*slot, new_node);

		goto out;

	}

	 * which already has the correct data array set.

	 */

	if (node->prefixlen == matchlen) {

		if (!(node->flags & LPM_TREE_NODE_FLAG_IM)) {

			if (flags == BPF_NOEXIST) {

				ret = -EEXIST;

				goto out;

			}

		} else {

			ret = trie_check_add_elem(trie, flags);

			if (ret)

				goto out;

		}

		new_node->child[0] = node->child[0];

		new_node->child[1] = node->child[1];

		if (!(node->flags & LPM_TREE_NODE_FLAG_IM))

			trie->n_entries--;

		rcu_assign_pointer(*slot, new_node);

		free_node = node;

		goto out;

	}

	ret = trie_check_add_elem(trie, flags);

	if (ret)

		goto out;

	/* If the new node matches the prefix completely, it must be inserted

	 * as an ancestor. Simply insert it between @node and *@slot.

	 */

		goto out;

	}

	im_node = lpm_trie_node_alloc(trie, NULL);

	/* migration is disabled within the locked scope */

	im_node = lpm_trie_node_alloc(trie, NULL, false);

	if (!im_node) {

		trie->n_entries--;

		ret = -ENOMEM;

		goto out;

	}

	rcu_assign_pointer(*slot, im_node);

out:

	if (ret) {

		if (new_node)

			trie->n_entries--;

	raw_spin_unlock_irqrestore(&trie->lock, irq_flags);

		kfree(new_node);

		kfree(im_node);

	}

	spin_unlock_irqrestore(&trie->lock, irq_flags);

	kfree_rcu(free_node, rcu);

	migrate_disable();

	if (ret)

		bpf_mem_cache_free(&trie->ma, new_node);

	bpf_mem_cache_free_rcu(&trie->ma, free_node);

	migrate_enable();

	return ret;

}

	if (key->prefixlen > trie->max_prefixlen)

		return -EINVAL;

	spin_lock_irqsave(&trie->lock, irq_flags);

	raw_spin_lock_irqsave(&trie->lock, irq_flags);

	/* Walk the tree looking for an exact key/length match and keeping

	 * track of the path we traverse.  We will need to know the node

	free_node = node;

out:

	spin_unlock_irqrestore(&trie->lock, irq_flags);

	kfree_rcu(free_parent, rcu);

	kfree_rcu(free_node, rcu);

	raw_spin_unlock_irqrestore(&trie->lock, irq_flags);

	migrate_disable();

	bpf_mem_cache_free_rcu(&trie->ma, free_parent);

	bpf_mem_cache_free_rcu(&trie->ma, free_node);

	migrate_enable();

	return ret;

}

static struct bpf_map *trie_alloc(union bpf_attr *attr)

{

	struct lpm_trie *trie;

	size_t leaf_size;

	int err;

	/* check sanity of attributes */

	if (attr->max_entries == 0 ||

			  offsetof(struct bpf_lpm_trie_key_u8, data);

	trie->max_prefixlen = trie->data_size * 8;

	spin_lock_init(&trie->lock);

	raw_spin_lock_init(&trie->lock);

	/* Allocate intermediate and leaf nodes from the same allocator */

	leaf_size = sizeof(struct lpm_trie_node) + trie->data_size +

		    trie->map.value_size;

	err = bpf_mem_alloc_init(&trie->ma, leaf_size, false);

	if (err)

		goto free_out;

	return &trie->map;

free_out:

	bpf_map_area_free(trie);

	return ERR_PTR(err);

}

static void trie_free(struct bpf_map *map)

				continue;

			}

			kfree(node);

			/* No bpf program may access the map, so freeing the

			 * node without waiting for the extra RCU GP.

			 */

			bpf_mem_cache_raw_free(node);

			RCU_INIT_POINTER(*slot, NULL);

			break;

		}

	}

out:

	bpf_mem_alloc_destroy(&trie->ma);

	bpf_map_area_free(trie);

}

	struct lpm_trie_node **node_stack = NULL;

	int err = 0, stack_ptr = -1;

	unsigned int next_bit;

	size_t matchlen;

	size_t matchlen = 0;

	/* The get_next_key follows postorder. For the 4 node example in

	 * the top of this file, the trie_get_next_key() returns the following

		next_bit = extract_bit(key->data, node->prefixlen);

		node = rcu_dereference(node->child[next_bit]);

	}

	if (!node || node->prefixlen != key->prefixlen ||

	if (!node || node->prefixlen != matchlen ||

	    (node->flags & LPM_TREE_NODE_FLAG_IM))

		goto find_leftmost;

/* Mark stack slot as STACK_MISC, unless it is already STACK_INVALID, in which

 * case they are equivalent, or it's STACK_ZERO, in which case we preserve

 * more precise STACK_ZERO.

 * Note, in uprivileged mode leaving STACK_INVALID is wrong, so we take

 * env->allow_ptr_leaks into account and force STACK_MISC, if necessary.

 * Regardless of allow_ptr_leaks setting (i.e., privileged or unprivileged

 * mode), we won't promote STACK_INVALID to STACK_MISC. In privileged case it is

 * unnecessary as both are considered equivalent when loading data and pruning,

 * in case of unprivileged mode it will be incorrect to allow reads of invalid

 * slots.

 */

static void mark_stack_slot_misc(struct bpf_verifier_env *env, u8 *stype)

{

	if (*stype == STACK_ZERO)

		return;

	if (env->allow_ptr_leaks && *stype == STACK_INVALID)

	if (*stype == STACK_INVALID)

		return;

	*stype = STACK_MISC;

}

	 */

	if (!env->allow_ptr_leaks &&

	    is_spilled_reg(&state->stack[spi]) &&

	    !is_spilled_scalar_reg(&state->stack[spi]) &&

	    size != BPF_REG_SIZE) {

		verbose(env, "attempt to corrupt spilled pointer on stack\n");

		return -EACCES;

	if (reg->type != PTR_TO_STACK && reg->type != CONST_PTR_TO_DYNPTR) {

		verbose(env,

			"arg#%d expected pointer to stack or const struct bpf_dynptr\n",

			regno);

			regno - 1);

		return -EINVAL;

	}

		if (!is_dynptr_reg_valid_init(env, reg)) {

			verbose(env,

				"Expected an initialized dynptr as arg #%d\n",

				regno);

				regno - 1);

			return -EINVAL;

		}

		if (!is_dynptr_type_expected(env, reg, arg_type & ~MEM_RDONLY)) {

			verbose(env,

				"Expected a dynptr of type %s as arg #%d\n",

				dynptr_type_str(arg_to_dynptr_type(arg_type)), regno);

				dynptr_type_str(arg_to_dynptr_type(arg_type)), regno - 1);

			return -EINVAL;

		}

	const struct btf_type *t;

	int spi, err, i, nr_slots, btf_id;

	if (reg->type != PTR_TO_STACK) {

		verbose(env, "arg#%d expected pointer to an iterator on stack\n", regno - 1);

		return -EINVAL;

	}

	/* For iter_{new,next,destroy} functions, btf_check_iter_kfuncs()

	 * ensures struct convention, so we wouldn't need to do any BTF

	 * validation here. But given iter state can be passed as a parameter

	 */

	btf_id = btf_check_iter_arg(meta->btf, meta->func_proto, regno - 1);

	if (btf_id < 0) {

		verbose(env, "expected valid iter pointer as arg #%d\n", regno);

		verbose(env, "expected valid iter pointer as arg #%d\n", regno - 1);

		return -EINVAL;

	}

	t = btf_type_by_id(meta->btf, btf_id);

		/* bpf_iter_<type>_new() expects pointer to uninit iter state */

		if (!is_iter_reg_valid_uninit(env, reg, nr_slots)) {

			verbose(env, "expected uninitialized iter_%s as arg #%d\n",

				iter_type_str(meta->btf, btf_id), regno);

				iter_type_str(meta->btf, btf_id), regno - 1);

			return -EINVAL;

		}

			break;

		case -EINVAL:

			verbose(env, "expected an initialized iter_%s as arg #%d\n",

				iter_type_str(meta->btf, btf_id), regno);

				iter_type_str(meta->btf, btf_id), regno - 1);

			return err;

		case -EPROTO:

			verbose(env, "expected an RCU CS when using %s\n", meta->func_name);

			cork = true;

			psock->cork = NULL;

		}

		sk_msg_return(sk, msg, tosend);

		release_sock(sk);

		origsize = msg->sg.size;

			sock_put(sk_redir);

		lock_sock(sk);

		sk_mem_uncharge(sk, sent);

		if (unlikely(ret < 0)) {

			int free = sk_msg_free_nocharge(sk, msg);

			int free = sk_msg_free(sk, msg);

			if (!cork)

				*copied -= free;

		break;

	case __SK_DROP:

	default:

		sk_msg_free_partial(sk, msg, tosend);

		sk_msg_free(sk, msg);

		sk_msg_apply_bytes(psock, tosend);

		*copied -= (tosend + delta);

		return -EACCES;

		}

		if (msg &&

		    msg->sg.data[msg->sg.start].page_link &&

		    msg->sg.data[msg->sg.start].length) {

			if (eval == __SK_REDIRECT)

				sk_mem_charge(sk, tosend - sent);

		    msg->sg.data[msg->sg.start].length)

			goto more_data;

	}

	}

	return ret;

}