Commit fdcd4467 authored by Paolo Abeni's avatar Paolo Abeni
Browse files

Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf 

Daniel Borkmann says:

====================
pull-request: bpf 2024-02-22

The following pull-request contains BPF updates for your *net* tree.

We've added 11 non-merge commits during the last 24 day(s) which contain
a total of 15 files changed, 217 insertions(+), 17 deletions(-).

The main changes are:

1) Fix a syzkaller-triggered oops when attempting to read the vsyscall
   page through bpf_probe_read_kernel and friends, from Hou Tao.

2) Fix a kernel panic due to uninitialized iter position pointer in
   bpf_iter_task, from Yafang Shao.

3) Fix a race between bpf_timer_cancel_and_free and bpf_timer_cancel,
   from Martin KaFai Lau.

4) Fix a xsk warning in skb_add_rx_frag() (under CONFIG_DEBUG_NET)
   due to incorrect truesize accounting, from Sebastian Andrzej Siewior.

5) Fix a NULL pointer dereference in sk_psock_verdict_data_ready,
   from Shigeru Yoshida.

6) Fix a resolve_btfids warning when bpf_cpumask symbol cannot be
   resolved, from Hari Bathini.

bpf-for-netdev

* tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
  bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()
  selftests/bpf: Add negtive test cases for task iter
  bpf: Fix an issue due to uninitialized bpf_iter_task
  selftests/bpf: Test racing between bpf_timer_cancel_and_free and bpf_timer_cancel
  bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel
  selftest/bpf: Test the read of vsyscall page under x86-64
  x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()
  x86/mm: Move is_vsyscall_vaddr() into asm/vsyscall.h
  bpf, scripts: Correct GPL license name
  xsk: Add truesize to skb_add_rx_frag().
  bpf: Fix warning for bpf_cpumask in verifier
====================

Link: https://lore.kernel.org/r/20240221231826.1404-1-daniel@iogearbox.net


Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
parents 3489182b 4cd12c60

arch/x86/include/asm/vsyscall.h

+10 −0
Original line number Diff line number Diff line
@@ -4,6 +4,7 @@ 


#include <linux/seqlock.h>

#include <uapi/asm/vsyscall.h>

#include <asm/page_types.h>



#ifdef CONFIG_X86_VSYSCALL_EMULATION

extern void map_vsyscall(void);
@@ -24,4 +25,13 @@ static inline bool emulate_vsyscall(unsigned long error_code, 
}

#endif



/*

 * The (legacy) vsyscall page is the long page in the kernel portion

 * of the address space that has user-accessible permissions.

 */

static inline bool is_vsyscall_vaddr(unsigned long vaddr)

{

	return unlikely((vaddr & PAGE_MASK) == VSYSCALL_ADDR);

}



#endif /* _ASM_X86_VSYSCALL_H */

arch/x86/mm/fault.c

+0 −9
Original line number Diff line number Diff line
@@ -798,15 +798,6 @@ show_signal_msg(struct pt_regs *regs, unsigned long error_code, 
	show_opcodes(regs, loglvl);

}



/*

 * The (legacy) vsyscall page is the long page in the kernel portion

 * of the address space that has user-accessible permissions.

 */

static bool is_vsyscall_vaddr(unsigned long vaddr)

{

	return unlikely((vaddr & PAGE_MASK) == VSYSCALL_ADDR);

}



static void

__bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,

		       unsigned long address, u32 pkey, int si_code)

arch/x86/mm/maccess.c

+10 −0
Original line number Diff line number Diff line
@@ -3,6 +3,8 @@ 
#include <linux/uaccess.h>

#include <linux/kernel.h>



#include <asm/vsyscall.h>



#ifdef CONFIG_X86_64

bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)

{
@@ -15,6 +17,14 @@ bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size) 
	if (vaddr < TASK_SIZE_MAX + PAGE_SIZE)

		return false;



	/*

	 * Reading from the vsyscall page may cause an unhandled fault in

	 * certain cases.  Though it is at an address above TASK_SIZE_MAX, it is

	 * usually considered as a user space address.

	 */

	if (is_vsyscall_vaddr(vaddr))

		return false;



	/*

	 * Allow everything during early boot before 'x86_virt_bits'

	 * is initialized.  Needed for instruction decoding in early

kernel/bpf/helpers.c

+4 −1
Original line number Diff line number Diff line
@@ -1101,6 +1101,7 @@ struct bpf_hrtimer { 
	struct bpf_prog *prog;

	void __rcu *callback_fn;

	void *value;

	struct rcu_head rcu;

};



/* the actual struct hidden inside uapi struct bpf_timer */
@@ -1332,6 +1333,7 @@ BPF_CALL_1(bpf_timer_cancel, struct bpf_timer_kern *, timer) 


	if (in_nmi())

		return -EOPNOTSUPP;

	rcu_read_lock();

	__bpf_spin_lock_irqsave(&timer->lock);

	t = timer->timer;

	if (!t) {
@@ -1353,6 +1355,7 @@ BPF_CALL_1(bpf_timer_cancel, struct bpf_timer_kern *, timer) 
	 * if it was running.

	 */

	ret = ret ?: hrtimer_cancel(&t->timer);

	rcu_read_unlock();

	return ret;

}
@@ -1407,7 +1410,7 @@ void bpf_timer_cancel_and_free(void *val) 
	 */

	if (this_cpu_read(hrtimer_running) != t)

		hrtimer_cancel(&t->timer);

	kfree(t);

	kfree_rcu(t, rcu);

}



BPF_CALL_2(bpf_kptr_xchg, void *, map_value, void *, ptr)

kernel/bpf/task_iter.c

+2 −0
Original line number Diff line number Diff line
@@ -978,6 +978,8 @@ __bpf_kfunc int bpf_iter_task_new(struct bpf_iter_task *it, 
	BUILD_BUG_ON(__alignof__(struct bpf_iter_task_kern) !=

					__alignof__(struct bpf_iter_task));



	kit->pos = NULL;



	switch (flags) {

	case BPF_TASK_ITER_ALL_THREADS:

	case BPF_TASK_ITER_ALL_PROCS: