aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlexei Starovoitov <ast@kernel.org>2015-11-29 19:59:35 -0500
committerDavid S. Miller <davem@davemloft.net>2015-12-02 23:36:00 -0500
commit01b3f52157ff5a47d6d8d796f396a4b34a53c61d (patch)
treec20181b1b6da1127b53b329085562a9ea2993ca4
parenta64f3f83505f4ed6662fd9dda998d4890aba58bd (diff)
bpf: fix allocation warnings in bpf maps and integer overflow
For large map->value_size the user space can trigger memory allocation warnings like: WARNING: CPU: 2 PID: 11122 at mm/page_alloc.c:2989 __alloc_pages_nodemask+0x695/0x14e0() Call Trace: [< inline >] __dump_stack lib/dump_stack.c:15 [<ffffffff82743b56>] dump_stack+0x68/0x92 lib/dump_stack.c:50 [<ffffffff81244ec9>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:460 [<ffffffff812450f9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:493 [< inline >] __alloc_pages_slowpath mm/page_alloc.c:2989 [<ffffffff81554e95>] __alloc_pages_nodemask+0x695/0x14e0 mm/page_alloc.c:3235 [<ffffffff816188fe>] alloc_pages_current+0xee/0x340 mm/mempolicy.c:2055 [< inline >] alloc_pages include/linux/gfp.h:451 [<ffffffff81550706>] alloc_kmem_pages+0x16/0xf0 mm/page_alloc.c:3414 [<ffffffff815a1c89>] kmalloc_order+0x19/0x60 mm/slab_common.c:1007 [<ffffffff815a1cef>] kmalloc_order_trace+0x1f/0xa0 mm/slab_common.c:1018 [< inline >] kmalloc_large include/linux/slab.h:390 [<ffffffff81627784>] __kmalloc+0x234/0x250 mm/slub.c:3525 [< inline >] kmalloc include/linux/slab.h:463 [< inline >] map_update_elem kernel/bpf/syscall.c:288 [< inline >] SYSC_bpf kernel/bpf/syscall.c:744 To avoid never succeeding kmalloc with order >= MAX_ORDER check that elem->value_size and computed elem_size are within limits for both hash and array type maps. Also add __GFP_NOWARN to kmalloc(value_size | elem_size) to avoid OOM warnings. Note kmalloc(key_size) is highly unlikely to trigger OOM, since key_size <= 512, so keep those kmalloc-s as-is. Large value_size can cause integer overflows in elem_size and map.pages formulas, so check for that as well. Fixes: aaac3ba95e4c ("bpf: charge user for creation of BPF maps and programs") Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat
-rw-r--r--kernel/bpf/arraymap.c8
-rw-r--r--kernel/bpf/hashtab.c34
-rw-r--r--kernel/bpf/syscall.c4
3 files changed, 34 insertions, 12 deletions
diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
index 4c67ce39732e..b0799bced518 100644
--- a/kernel/bpf/arraymap.c
+++ b/kernel/bpf/arraymap.c
@@ -28,11 +28,17 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr)
28 attr->value_size == 0) 28 attr->value_size == 0)
29 return ERR_PTR(-EINVAL); 29 return ERR_PTR(-EINVAL);
30 30
31 if (attr->value_size >= 1 << (KMALLOC_SHIFT_MAX - 1))
32 /* if value_size is bigger, the user space won't be able to
33 * access the elements.
34 */
35 return ERR_PTR(-E2BIG);
36
31 elem_size = round_up(attr->value_size, 8); 37 elem_size = round_up(attr->value_size, 8);
32 38
33 /* check round_up into zero and u32 overflow */ 39 /* check round_up into zero and u32 overflow */
34 if (elem_size == 0 || 40 if (elem_size == 0 ||
35 attr->max_entries > (U32_MAX - sizeof(*array)) / elem_size) 41 attr->max_entries > (U32_MAX - PAGE_SIZE - sizeof(*array)) / elem_size)
36 return ERR_PTR(-ENOMEM); 42 return ERR_PTR(-ENOMEM);
37 43
38 array_size = sizeof(*array) + attr->max_entries * elem_size; 44 array_size = sizeof(*array) + attr->max_entries * elem_size;
diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
index 19909b22b4f8..34777b3746fa 100644
--- a/kernel/bpf/hashtab.c
+++ b/kernel/bpf/hashtab.c
@@ -64,12 +64,35 @@ static struct bpf_map *htab_map_alloc(union bpf_attr *attr)
64 */ 64 */
65 goto free_htab; 65 goto free_htab;
66 66
67 err = -ENOMEM; 67 if (htab->map.value_size >= (1 << (KMALLOC_SHIFT_MAX - 1)) -
68 MAX_BPF_STACK - sizeof(struct htab_elem))
69 /* if value_size is bigger, the user space won't be able to
70 * access the elements via bpf syscall. This check also makes
71 * sure that the elem_size doesn't overflow and it's
72 * kmalloc-able later in htab_map_update_elem()
73 */
74 goto free_htab;
75
76 htab->elem_size = sizeof(struct htab_elem) +
77 round_up(htab->map.key_size, 8) +
78 htab->map.value_size;
79
68 /* prevent zero size kmalloc and check for u32 overflow */ 80 /* prevent zero size kmalloc and check for u32 overflow */
69 if (htab->n_buckets == 0 || 81 if (htab->n_buckets == 0 ||
70 htab->n_buckets > U32_MAX / sizeof(struct hlist_head)) 82 htab->n_buckets > U32_MAX / sizeof(struct hlist_head))
71 goto free_htab; 83 goto free_htab;
72 84
85 if ((u64) htab->n_buckets * sizeof(struct hlist_head) +
86 (u64) htab->elem_size * htab->map.max_entries >=
87 U32_MAX - PAGE_SIZE)
88 /* make sure page count doesn't overflow */
89 goto free_htab;
90
91 htab->map.pages = round_up(htab->n_buckets * sizeof(struct hlist_head) +
92 htab->elem_size * htab->map.max_entries,
93 PAGE_SIZE) >> PAGE_SHIFT;
94
95 err = -ENOMEM;
73 htab->buckets = kmalloc_array(htab->n_buckets, sizeof(struct hlist_head), 96 htab->buckets = kmalloc_array(htab->n_buckets, sizeof(struct hlist_head),
74 GFP_USER | __GFP_NOWARN); 97 GFP_USER | __GFP_NOWARN);
75 98
@@ -85,13 +108,6 @@ static struct bpf_map *htab_map_alloc(union bpf_attr *attr)
85 raw_spin_lock_init(&htab->lock); 108 raw_spin_lock_init(&htab->lock);
86 htab->count = 0; 109 htab->count = 0;
87 110
88 htab->elem_size = sizeof(struct htab_elem) +
89 round_up(htab->map.key_size, 8) +
90 htab->map.value_size;
91
92 htab->map.pages = round_up(htab->n_buckets * sizeof(struct hlist_head) +
93 htab->elem_size * htab->map.max_entries,
94 PAGE_SIZE) >> PAGE_SHIFT;
95 return &htab->map; 111 return &htab->map;
96 112
97free_htab: 113free_htab:
@@ -222,7 +238,7 @@ static int htab_map_update_elem(struct bpf_map *map, void *key, void *value,
222 WARN_ON_ONCE(!rcu_read_lock_held()); 238 WARN_ON_ONCE(!rcu_read_lock_held());
223 239
224 /* allocate new element outside of lock */ 240 /* allocate new element outside of lock */
225 l_new = kmalloc(htab->elem_size, GFP_ATOMIC); 241 l_new = kmalloc(htab->elem_size, GFP_ATOMIC | __GFP_NOWARN);
226 if (!l_new) 242 if (!l_new)
227 return -ENOMEM; 243 return -ENOMEM;
228 244
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 4a8f3c1d7da6..3b39550d8485 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -240,7 +240,7 @@ static int map_lookup_elem(union bpf_attr *attr)
240 goto free_key; 240 goto free_key;
241 241
242 err = -ENOMEM; 242 err = -ENOMEM;
243 value = kmalloc(map->value_size, GFP_USER); 243 value = kmalloc(map->value_size, GFP_USER | __GFP_NOWARN);
244 if (!value) 244 if (!value)
245 goto free_key; 245 goto free_key;
246 246
@@ -299,7 +299,7 @@ static int map_update_elem(union bpf_attr *attr)
299 goto free_key; 299 goto free_key;
300 300
301 err = -ENOMEM; 301 err = -ENOMEM;
302 value = kmalloc(map->value_size, GFP_USER); 302 value = kmalloc(map->value_size, GFP_USER | __GFP_NOWARN);
303 if (!value) 303 if (!value)
304 goto free_key; 304 goto free_key;
305 305
generated by cgit v1.2.2 (git 2.25.0) at 2025-08-23 08:14:58 -0400