Commit 3d5ad2d4 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf 

Pull bpf fixes from Daniel Borkmann:

 - Fix BPF verifier to not affect subreg_def marks in its range
   propagation (Eduard Zingerman)

 - Fix a truncation bug in the BPF verifier's handling of
   coerce_reg_to_size_sx (Dimitar Kanaliev)

 - Fix the BPF verifier's delta propagation between linked registers
   under 32-bit addition (Daniel Borkmann)

 - Fix a NULL pointer dereference in BPF devmap due to missing rxq
   information (Florian Kauer)

 - Fix a memory leak in bpf_core_apply (Jiri Olsa)

 - Fix an UBSAN-reported array-index-out-of-bounds in BTF parsing for
   arrays of nested structs (Hou Tao)

 - Fix build ID fetching where memory areas backing the file were
   created with memfd_secret (Andrii Nakryiko)

 - Fix BPF task iterator tid filtering which was incorrectly using pid
   instead of tid (Jordan Rome)

 - Several fixes for BPF sockmap and BPF sockhash redirection in
   combination with vsocks (Michal Luczaj)

 - Fix riscv BPF JIT and make BPF_CMPXCHG fully ordered (Andrea Parri)

 - Fix riscv BPF JIT under CONFIG_CFI_CLANG to prevent the possibility
   of an infinite BPF tailcall (Pu Lehui)

 - Fix a build warning from resolve_btfids that bpf_lsm_key_free cannot
   be resolved (Thomas Weißschuh)

 - Fix a bug in kfunc BTF caching for modules where the wrong BTF object
   was returned (Toke Høiland-Jørgensen)

 - Fix a BPF selftest compilation error in cgroup-related tests with
   musl libc (Tony Ambardar)

 - Several fixes to BPF link info dumps to fill missing fields (Tyrone
   Wu)

 - Add BPF selftests for kfuncs from multiple modules, checking that the
   correct kfuncs are called (Simon Sundberg)

 - Ensure that internal and user-facing bpf_redirect flags don't overlap
   (Toke Høiland-Jørgensen)

 - Switch to use kvzmalloc to allocate BPF verifier environment (Rik van
   Riel)

 - Use raw_spinlock_t in BPF ringbuf to fix a sleep in atomic splat
   under RT (Wander Lairson Costa)

* tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf: (38 commits)
  lib/buildid: Handle memfd_secret() files in build_id_parse()
  selftests/bpf: Add test case for delta propagation
  bpf: Fix print_reg_state's constant scalar dump
  bpf: Fix incorrect delta propagation between linked registers
  bpf: Properly test iter/task tid filtering
  bpf: Fix iter/task tid filtering
  riscv, bpf: Make BPF_CMPXCHG fully ordered
  bpf, vsock: Drop static vsock_bpf_prot initialization
  vsock: Update msg_count on read_skb()
  vsock: Update rx_bytes on read_skb()
  bpf, sockmap: SK_DROP on attempted redirects of unsupported af_vsock
  selftests/bpf: Add asserts for netfilter link info
  bpf: Fix link info netfilter flags to populate defrag flag
  selftests/bpf: Add test for sign extension in coerce_subreg_to_size_sx()
  selftests/bpf: Add test for truncation after sign extension in coerce_reg_to_size_sx()
  bpf: Fix truncation bug in coerce_reg_to_size_sx()
  selftests/bpf: Assert link info uprobe_multi count & path_size if unset
  bpf: Fix unpopulated path_size when uprobe_multi fields unset
  selftests/bpf: Fix cross-compiling urandom_read
  selftests/bpf: Add test for kfunc module order
  ...
parents dbafeddb 5ac9b4e9

arch/riscv/net/bpf_jit_comp64.c

+5 −3
Original line number Diff line number Diff line
@@ -18,6 +18,7 @@ 
#define RV_MAX_REG_ARGS 8

#define RV_FENTRY_NINSNS 2

#define RV_FENTRY_NBYTES (RV_FENTRY_NINSNS * 4)

#define RV_KCFI_NINSNS (IS_ENABLED(CONFIG_CFI_CLANG) ? 1 : 0)

/* imm that allows emit_imm to emit max count insns */

#define RV_MAX_COUNT_IMM 0x7FFF7FF7FF7FF7FF
@@ -271,7 +272,8 @@ static void __build_epilogue(bool is_tail_call, struct rv_jit_context *ctx) 
	if (!is_tail_call)

		emit_addiw(RV_REG_A0, RV_REG_A5, 0, ctx);

	emit_jalr(RV_REG_ZERO, is_tail_call ? RV_REG_T3 : RV_REG_RA,

		  is_tail_call ? (RV_FENTRY_NINSNS + 1) * 4 : 0, /* skip reserved nops and TCC init */

		  /* kcfi, fentry and TCC init insns will be skipped on tailcall */

		  is_tail_call ? (RV_KCFI_NINSNS + RV_FENTRY_NINSNS + 1) * 4 : 0,

		  ctx);

}
@@ -548,8 +550,8 @@ static void emit_atomic(u8 rd, u8 rs, s16 off, s32 imm, bool is64, 
		     rv_lr_w(r0, 0, rd, 0, 0), ctx);

		jmp_offset = ninsns_rvoff(8);

		emit(rv_bne(RV_REG_T2, r0, jmp_offset >> 1), ctx);

		emit(is64 ? rv_sc_d(RV_REG_T3, rs, rd, 0, 0) :

		     rv_sc_w(RV_REG_T3, rs, rd, 0, 0), ctx);

		emit(is64 ? rv_sc_d(RV_REG_T3, rs, rd, 0, 1) :

		     rv_sc_w(RV_REG_T3, rs, rd, 0, 1), ctx);

		jmp_offset = ninsns_rvoff(-6);

		emit(rv_bne(RV_REG_T3, 0, jmp_offset >> 1), ctx);

		emit(rv_fence(0x3, 0x3), ctx);

include/net/sock.h

+5 −0
Original line number Diff line number Diff line
@@ -2717,6 +2717,11 @@ static inline bool sk_is_stream_unix(const struct sock *sk) 
	return sk->sk_family == AF_UNIX && sk->sk_type == SOCK_STREAM;

}



static inline bool sk_is_vsock(const struct sock *sk)

{

	return sk->sk_family == AF_VSOCK;

}



/**

 * sk_eat_skb - Release a skb if it is no longer needed

 * @sk: socket to eat this skb from

include/uapi/linux/bpf.h

+5 −8
Original line number Diff line number Diff line
@@ -6047,11 +6047,6 @@ enum { 
	BPF_F_MARK_ENFORCE		= (1ULL << 6),

};



/* BPF_FUNC_clone_redirect and BPF_FUNC_redirect flags. */

enum {

	BPF_F_INGRESS			= (1ULL << 0),

};



/* BPF_FUNC_skb_set_tunnel_key and BPF_FUNC_skb_get_tunnel_key flags. */

enum {

	BPF_F_TUNINFO_IPV6		= (1ULL << 0),
@@ -6198,10 +6193,12 @@ enum { 
	BPF_F_BPRM_SECUREEXEC	= (1ULL << 0),

};



/* Flags for bpf_redirect_map helper */

/* Flags for bpf_redirect and bpf_redirect_map helpers */

enum {

	BPF_F_BROADCAST		= (1ULL << 3),

	BPF_F_EXCLUDE_INGRESS	= (1ULL << 4),

	BPF_F_INGRESS		= (1ULL << 0), /* used for skb path */

	BPF_F_BROADCAST		= (1ULL << 3), /* used for XDP path */

	BPF_F_EXCLUDE_INGRESS	= (1ULL << 4), /* used for XDP path */

#define BPF_F_REDIRECT_FLAGS (BPF_F_INGRESS | BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS)

};



#define __bpf_md_ptr(type, name)	\

kernel/bpf/bpf_lsm.c

+0 −4
Original line number Diff line number Diff line
@@ -339,10 +339,6 @@ BTF_ID(func, bpf_lsm_path_chmod) 
BTF_ID(func, bpf_lsm_path_chown)

#endif /* CONFIG_SECURITY_PATH */



#ifdef CONFIG_KEYS

BTF_ID(func, bpf_lsm_key_free)

#endif /* CONFIG_KEYS */



BTF_ID(func, bpf_lsm_mmap_file)

BTF_ID(func, bpf_lsm_netlink_send)

BTF_ID(func, bpf_lsm_path_notify)

kernel/bpf/btf.c

+11 −4
Original line number Diff line number Diff line
@@ -3523,7 +3523,7 @@ static int btf_get_field_type(const struct btf *btf, const struct btf_type *var_ 
 *   (i + 1) * elem_size

 * where i is the repeat index and elem_size is the size of an element.

 */

static int btf_repeat_fields(struct btf_field_info *info,

static int btf_repeat_fields(struct btf_field_info *info, int info_cnt,

			     u32 field_cnt, u32 repeat_cnt, u32 elem_size)

{

	u32 i, j;
@@ -3543,6 +3543,12 @@ static int btf_repeat_fields(struct btf_field_info *info, 
		}

	}



	/* The type of struct size or variable size is u32,

	 * so the multiplication will not overflow.

	 */

	if (field_cnt * (repeat_cnt + 1) > info_cnt)

		return -E2BIG;



	cur = field_cnt;

	for (i = 0; i < repeat_cnt; i++) {

		memcpy(&info[cur], &info[0], field_cnt * sizeof(info[0]));
@@ -3587,7 +3593,7 @@ static int btf_find_nested_struct(const struct btf *btf, const struct btf_type * 
		info[i].off += off;



	if (nelems > 1) {

		err = btf_repeat_fields(info, ret, nelems - 1, t->size);

		err = btf_repeat_fields(info, info_cnt, ret, nelems - 1, t->size);

		if (err == 0)

			ret *= nelems;

		else
@@ -3681,10 +3687,10 @@ static int btf_find_field_one(const struct btf *btf, 


	if (ret == BTF_FIELD_IGNORE)

		return 0;

	if (nelems > info_cnt)

	if (!info_cnt)

		return -E2BIG;

	if (nelems > 1) {

		ret = btf_repeat_fields(info, 1, nelems - 1, sz);

		ret = btf_repeat_fields(info, info_cnt, 1, nelems - 1, sz);

		if (ret < 0)

			return ret;

	}
@@ -8961,6 +8967,7 @@ int bpf_core_apply(struct bpf_core_ctx *ctx, const struct bpf_core_relo *relo, 
	if (!type) {

		bpf_log(ctx->log, "relo #%u: bad type id %u\n",

			relo_idx, relo->type_id);

		kfree(specs);

		return -EINVAL;

	}