diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2015-12-03 19:02:46 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2015-12-03 19:02:46 -0500 |
| commit | 071f5d105a0ae93aeb02197c4ee3557e8cc57a21 (patch) | |
| tree | 3d1cee6ce0235a2d36fffbae2b4f4ecd8121107d /kernel/bpf/syscall.c | |
| parent | 2873d32ff493ecbfb7d2c7f56812ab941dda42f4 (diff) | |
| parent | e3c9b1ef78eb111f925dd04992a3de1f383e8f49 (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:
"A lot of Thanksgiving turkey leftovers accumulated, here goes:
1) Fix bluetooth l2cap_chan object leak, from Johan Hedberg.
2) IDs for some new iwlwifi chips, from Oren Givon.
3) Fix rtlwifi lockups on boot, from Larry Finger.
4) Fix memory leak in fm10k, from Stephen Hemminger.
5) We have a route leak in the ipv6 tunnel infrastructure, fix from
Paolo Abeni.
6) Fix buffer pointer handling in arm64 bpf JIT,f rom Zi Shen Lim.
7) Wrong lockdep annotations in tcp md5 support, fix from Eric
Dumazet.
8) Work around some middle boxes which prevent proper handling of TCP
Fast Open, from Yuchung Cheng.
9) TCP repair can do huge kmalloc() requests, build paged SKBs
instead. From Eric Dumazet.
10) Fix msg_controllen overflow in scm_detach_fds, from Daniel
Borkmann.
11) Fix device leaks on ipmr table destruction in ipv4 and ipv6, from
Nikolay Aleksandrov.
12) Fix use after free in epoll with AF_UNIX sockets, from Rainer
Weikusat.
13) Fix double free in VRF code, from Nikolay Aleksandrov.
14) Fix skb leaks on socket receive queue in tipc, from Ying Xue.
15) Fix ifup/ifdown crach in xgene driver, from Iyappan Subramanian.
16) Fix clearing of persistent array maps in bpf, from Daniel
Borkmann.
17) In TCP, for the cross-SYN case, we don't initialize tp->copied_seq
early enough. From Eric Dumazet.
18) Fix out of bounds accesses in bpf array implementation when
updating elements, from Daniel Borkmann.
19) Fill gaps in RCU protection of np->opt in ipv6 stack, from Eric
Dumazet.
20) When dumping proxy neigh entries, we have to accomodate NULL
device pointers properly, from Konstantin Khlebnikov.
21) SCTP doesn't release all ipv6 socket resources properly, fix from
Eric Dumazet.
22) Prevent underflows of sch->q.qlen for multiqueue packet
schedulers, also from Eric Dumazet.
23) Fix MAC and unicast list handling in bnxt_en driver, from Jeffrey
Huang and Michael Chan.
24) Don't actively scan radar channels, from Antonio Quartulli"
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (110 commits)
net: phy: reset only targeted phy
bnxt_en: Setup uc_list mac filters after resetting the chip.
bnxt_en: enforce proper storing of MAC address
bnxt_en: Fixed incorrect implementation of ndo_set_mac_address
net: lpc_eth: remove irq > NR_IRQS check from probe()
net_sched: fix qdisc_tree_decrease_qlen() races
openvswitch: fix hangup on vxlan/gre/geneve device deletion
ipv4: igmp: Allow removing groups from a removed interface
ipv6: sctp: implement sctp_v6_destroy_sock()
arm64: bpf: add 'store immediate' instruction
ipv6: kill sk_dst_lock
ipv6: sctp: add rcu protection around np->opt
net/neighbour: fix crash at dumping device-agnostic proxy entries
sctp: use GFP_USER for user-controlled kmalloc
sctp: convert sack_needed and sack_generation to bits
ipv6: add complete rcu protection around np->opt
bpf: fix allocation warnings in bpf maps and integer overflow
mvebu: dts: enable IP checksum with jumbo frames for Armada 38x on Port0
net: mvneta: enable setting custom TX IP checksum limit
net: mvneta: fix error path for building skb
...
Diffstat (limited to 'kernel/bpf/syscall.c')
| -rw-r--r-- | kernel/bpf/syscall.c | 40 |
1 files changed, 27 insertions, 13 deletions
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 0d3313d02a7e..3b39550d8485 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c | |||
| @@ -82,6 +82,14 @@ static void bpf_map_free_deferred(struct work_struct *work) | |||
| 82 | map->ops->map_free(map); | 82 | map->ops->map_free(map); |
| 83 | } | 83 | } |
| 84 | 84 | ||
| 85 | static void bpf_map_put_uref(struct bpf_map *map) | ||
| 86 | { | ||
| 87 | if (atomic_dec_and_test(&map->usercnt)) { | ||
| 88 | if (map->map_type == BPF_MAP_TYPE_PROG_ARRAY) | ||
| 89 | bpf_fd_array_map_clear(map); | ||
| 90 | } | ||
| 91 | } | ||
| 92 | |||
| 85 | /* decrement map refcnt and schedule it for freeing via workqueue | 93 | /* decrement map refcnt and schedule it for freeing via workqueue |
| 86 | * (unrelying map implementation ops->map_free() might sleep) | 94 | * (unrelying map implementation ops->map_free() might sleep) |
| 87 | */ | 95 | */ |
| @@ -93,17 +101,15 @@ void bpf_map_put(struct bpf_map *map) | |||
| 93 | } | 101 | } |
| 94 | } | 102 | } |
| 95 | 103 | ||
| 96 | static int bpf_map_release(struct inode *inode, struct file *filp) | 104 | void bpf_map_put_with_uref(struct bpf_map *map) |
| 97 | { | 105 | { |
| 98 | struct bpf_map *map = filp->private_data; | 106 | bpf_map_put_uref(map); |
| 99 | |||
| 100 | if (map->map_type == BPF_MAP_TYPE_PROG_ARRAY) | ||
| 101 | /* prog_array stores refcnt-ed bpf_prog pointers | ||
| 102 | * release them all when user space closes prog_array_fd | ||
| 103 | */ | ||
| 104 | bpf_fd_array_map_clear(map); | ||
| 105 | |||
| 106 | bpf_map_put(map); | 107 | bpf_map_put(map); |
| 108 | } | ||
| 109 | |||
| 110 | static int bpf_map_release(struct inode *inode, struct file *filp) | ||
| 111 | { | ||
| 112 | bpf_map_put_with_uref(filp->private_data); | ||
| 107 | return 0; | 113 | return 0; |
| 108 | } | 114 | } |
| 109 | 115 | ||
| @@ -142,6 +148,7 @@ static int map_create(union bpf_attr *attr) | |||
| 142 | return PTR_ERR(map); | 148 | return PTR_ERR(map); |
| 143 | 149 | ||
| 144 | atomic_set(&map->refcnt, 1); | 150 | atomic_set(&map->refcnt, 1); |
| 151 | atomic_set(&map->usercnt, 1); | ||
| 145 | 152 | ||
| 146 | err = bpf_map_charge_memlock(map); | 153 | err = bpf_map_charge_memlock(map); |
| 147 | if (err) | 154 | if (err) |
| @@ -174,7 +181,14 @@ struct bpf_map *__bpf_map_get(struct fd f) | |||
| 174 | return f.file->private_data; | 181 | return f.file->private_data; |
| 175 | } | 182 | } |
| 176 | 183 | ||
| 177 | struct bpf_map *bpf_map_get(u32 ufd) | 184 | void bpf_map_inc(struct bpf_map *map, bool uref) |
| 185 | { | ||
| 186 | atomic_inc(&map->refcnt); | ||
| 187 | if (uref) | ||
| 188 | atomic_inc(&map->usercnt); | ||
| 189 | } | ||
| 190 | |||
| 191 | struct bpf_map *bpf_map_get_with_uref(u32 ufd) | ||
| 178 | { | 192 | { |
| 179 | struct fd f = fdget(ufd); | 193 | struct fd f = fdget(ufd); |
| 180 | struct bpf_map *map; | 194 | struct bpf_map *map; |
| @@ -183,7 +197,7 @@ struct bpf_map *bpf_map_get(u32 ufd) | |||
| 183 | if (IS_ERR(map)) | 197 | if (IS_ERR(map)) |
| 184 | return map; | 198 | return map; |
| 185 | 199 | ||
| 186 | atomic_inc(&map->refcnt); | 200 | bpf_map_inc(map, true); |
| 187 | fdput(f); | 201 | fdput(f); |
| 188 | 202 | ||
| 189 | return map; | 203 | return map; |
| @@ -226,7 +240,7 @@ static int map_lookup_elem(union bpf_attr *attr) | |||
| 226 | goto free_key; | 240 | goto free_key; |
| 227 | 241 | ||
| 228 | err = -ENOMEM; | 242 | err = -ENOMEM; |
| 229 | value = kmalloc(map->value_size, GFP_USER); | 243 | value = kmalloc(map->value_size, GFP_USER | __GFP_NOWARN); |
| 230 | if (!value) | 244 | if (!value) |
| 231 | goto free_key; | 245 | goto free_key; |
| 232 | 246 | ||
| @@ -285,7 +299,7 @@ static int map_update_elem(union bpf_attr *attr) | |||
| 285 | goto free_key; | 299 | goto free_key; |
| 286 | 300 | ||
| 287 | err = -ENOMEM; | 301 | err = -ENOMEM; |
| 288 | value = kmalloc(map->value_size, GFP_USER); | 302 | value = kmalloc(map->value_size, GFP_USER | __GFP_NOWARN); |
| 289 | if (!value) | 303 | if (!value) |
| 290 | goto free_key; | 304 | goto free_key; |
| 291 | 305 | ||