Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf

Daniel Borkmann says: ==================== pull-request: bpf 2018-11-25 The following pull-request contains BPF updates for your *net* tree. The main changes are: 1) Fix an off-by-one bug when adjusting subprog start offsets after patching, from Edward. 2) Fix several bugs such as overflow in size allocation in queue / stack map creation, from Alexei. 3) Fix wrong IPv6 destination port byte order in bpf_sk_lookup_udp helper, from Andrey. 4) Fix several bugs in bpftool such as preventing an infinite loop in get_fdinfo, error handling and man page references, from Quentin. 5) Fix a warning in bpf_trace_printk() that wasn't catching an invalid format string, from Martynas. 6) Fix a bug in BPF cgroup local storage where non-atomic allocation was used in atomic context, from Roman. 7) Fix a NULL pointer dereference bug in bpftool from reallocarray() error handling, from Jakub and Wen. 8) Add a copy of pkt_cls.h and tc_bpf.h uapi headers to the tools include infrastructure so that bpftool compiles on older RHEL7-like user space which does not ship these headers, from Yonghong. 9) Fix BPF kselftests for user space where to get ping test working with ping6 and ping -6, from Li. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2018-11-25 23:04:58 -0500
committer: David S. Miller <davem@davemloft.net> 2018-11-25 23:04:58 -0500
commit: 69500127424cd90ff2cf8191256b2ac3b0a4af56 (patch)
tree: 0c28501d1b0ba294b0f63803eb72b4af1594d870 /kernel
parent: aba36930a35e7f1fe1319b203f25c05d6c119936 (diff)
parent: 1efb6ee3edea57f57f9fb05dba8dcb3f7333f61f (diff)
4 files changed, 16 insertions, 13 deletions
diff --git a/kernel/bpf/local_storage.c b/kernel/bpf/local_storage.c
index c97a8f968638..bed9d48a7ae9 100644
--- a/kernel/bpf/local_storage.c
+++ b/kernel/bpf/local_storage.c
@@ -139,7 +139,8 @@ static int cgroup_storage_update_elem(struct bpf_map *map, void *_key,
                return -ENOENT;
        new = kmalloc_node(sizeof(struct bpf_storage_buffer) +
-                           map->value_size, __GFP_ZERO | GFP_USER,
+                           map->value_size,
+                           __GFP_ZERO | GFP_ATOMIC | __GFP_NOWARN,
                           map->numa_node);
        if (!new)
                return -ENOMEM;
diff --git a/kernel/bpf/queue_stack_maps.c b/kernel/bpf/queue_stack_maps.c
index 8bbd72d3a121..b384ea9f3254 100644
--- a/kernel/bpf/queue_stack_maps.c
+++ b/kernel/bpf/queue_stack_maps.c
@@ -7,6 +7,7 @@
 #include <linux/bpf.h>
 #include <linux/list.h>
 #include <linux/slab.h>
+#include <linux/capability.h>
 #include "percpu_freelist.h"
 #define QUEUE_STACK_CREATE_FLAG_MASK \
@@ -45,8 +46,12 @@ static bool queue_stack_map_is_full(struct bpf_queue_stack *qs)
 /* Called from syscall */
 static int queue_stack_map_alloc_check(union bpf_attr *attr)
 {
+        if (!capable(CAP_SYS_ADMIN))
+                return -EPERM;
        /* check sanity of attributes */
        if (attr->max_entries == 0 || attr->key_size != 0 ||
+            attr->value_size == 0 ||
            attr->map_flags & ~QUEUE_STACK_CREATE_FLAG_MASK)
                return -EINVAL;
@@ -63,15 +68,10 @@ static struct bpf_map *queue_stack_map_alloc(union bpf_attr *attr)
 {
        int ret, numa_node = bpf_map_attr_numa_node(attr);
        struct bpf_queue_stack *qs;
-        u32 size, value_size;
+        u64 size, queue_size, cost;
-        u64 queue_size, cost;
-        size = attr->max_entries + 1;
-        value_size = attr->value_size;
-        queue_size = sizeof(*qs) + (u64) value_size * size;
-        cost = queue_size;
+        size = (u64) attr->max_entries + 1;
+        cost = queue_size = sizeof(*qs) + size * attr->value_size;
        if (cost >= U32_MAX - PAGE_SIZE)
                return ERR_PTR(-E2BIG);
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 1971ca325fb4..6dd419550aba 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5650,7 +5650,7 @@ static void adjust_subprog_starts(struct bpf_verifier_env *env, u32 off, u32 len
                return;
        /* NOTE: fake 'exit' subprog should be updated as well. */
        for (i = 0; i <= env->subprog_cnt; i++) {
-                if (env->subprog_info[i].start < off)
+                if (env->subprog_info[i].start <= off)
                        continue;
                env->subprog_info[i].start += len - 1;
        }
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 08fcfe440c63..9864a35c8bb5 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -196,11 +196,13 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1,
                        i++;
                } else if (fmt[i] == 'p' || fmt[i] == 's') {
                        mod[fmt_cnt]++;
-                        i++;
+                        /* disallow any further format extensions */
-                        if (!isspace(fmt[i]) && !ispunct(fmt[i]) && fmt[i] != 0)
+                        if (fmt[i + 1] != 0 &&
+                            !isspace(fmt[i + 1]) &&
+                            !ispunct(fmt[i + 1]))
                                return -EINVAL;
                        fmt_cnt++;
-                        if (fmt[i - 1] == 's') {
+                        if (fmt[i] == 's') {
                                if (str_seen)
                                        /* allow only one '%s' per fmt string */
                                        return -EINVAL;
author	David S. Miller <davem@davemloft.net>	2018-11-25 23:04:58 -0500
committer	David S. Miller <davem@davemloft.net>	2018-11-25 23:04:58 -0500
commit	69500127424cd90ff2cf8191256b2ac3b0a4af56 (patch)
tree	0c28501d1b0ba294b0f63803eb72b4af1594d870 /kernel
parent	aba36930a35e7f1fe1319b203f25c05d6c119936 (diff)
parent	1efb6ee3edea57f57f9fb05dba8dcb3f7333f61f (diff)