Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf

Daniel Borkmann says: ==================== pull-request: bpf 2019-10-27 The following pull-request contains BPF updates for your *net* tree. We've added 7 non-merge commits during the last 11 day(s) which contain a total of 7 files changed, 66 insertions(+), 16 deletions(-). The main changes are: 1) Fix two use-after-free bugs in relation to RCU in jited symbol exposure to kallsyms, from Daniel Borkmann. 2) Fix NULL pointer dereference in AF_XDP rx-only sockets, from Magnus Karlsson. 3) Fix hang in netdev unregister for hash based devmap as well as another overflow bug on 32 bit archs in memlock cost calculation, from Toke Høiland-Jørgensen. 4) Fix wrong memory access in LWT BPF programs on reroute due to invalid dst. Also fix BPF selftests to use more compatible nc options, from Jiri Benc. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2019-10-26 21:30:55 -0400
committer: David S. Miller <davem@davemloft.net> 2019-10-26 21:30:55 -0400
commit: 1a51a47491a5a23f0625b03ad6dc84cf39bf6a82 (patch)
tree: d2089bedb4a4ff10a9f03c197a6e78966dfbb7a4 /kernel/bpf/syscall.c
parent: 45f338069941f799ecc22e5a51b423da0b32459d (diff)
parent: 2afd23f78f39da84937006ecd24aa664a4ab052b (diff)
1 files changed, 20 insertions, 11 deletions
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 82eabd4e38ad..0937719b87e2 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -1326,24 +1326,32 @@ static void __bpf_prog_put_rcu(struct rcu_head *rcu)
 {
        struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu);
+        kvfree(aux->func_info);
        free_used_maps(aux);
        bpf_prog_uncharge_memlock(aux->prog);
        security_bpf_prog_free(aux);
        bpf_prog_free(aux->prog);
 }
+static void __bpf_prog_put_noref(struct bpf_prog *prog, bool deferred)
+{
+        bpf_prog_kallsyms_del_all(prog);
+        btf_put(prog->aux->btf);
+        bpf_prog_free_linfo(prog);
+        if (deferred)
+                call_rcu(&prog->aux->rcu, __bpf_prog_put_rcu);
+        else
+                __bpf_prog_put_rcu(&prog->aux->rcu);
+}
 static void __bpf_prog_put(struct bpf_prog *prog, bool do_idr_lock)
 {
        if (atomic_dec_and_test(&prog->aux->refcnt)) {
                perf_event_bpf_event(prog, PERF_BPF_EVENT_PROG_UNLOAD, 0);
                /* bpf_prog_free_id() must be called first */
                bpf_prog_free_id(prog, do_idr_lock);
-                bpf_prog_kallsyms_del_all(prog);
+                __bpf_prog_put_noref(prog, true);
-                btf_put(prog->aux->btf);
-                kvfree(prog->aux->func_info);
-                bpf_prog_free_linfo(prog);
-                call_rcu(&prog->aux->rcu, __bpf_prog_put_rcu);
        }
 }
@@ -1741,11 +1749,12 @@ static int bpf_prog_load(union bpf_attr *attr, union bpf_attr __user *uattr)
        return err;
 free_used_maps:
-        bpf_prog_free_linfo(prog);
+        /* In case we have subprogs, we need to wait for a grace
-        kvfree(prog->aux->func_info);
+         * period before we can tear down JIT memory since symbols
-        btf_put(prog->aux->btf);
+         * are already exposed under kallsyms.
-        bpf_prog_kallsyms_del_subprogs(prog);
+         */
-        free_used_maps(prog->aux);
+        __bpf_prog_put_noref(prog, prog->aux->func_cnt);
+        return err;
 free_prog:
        bpf_prog_uncharge_memlock(prog);
 free_prog_sec:
author	David S. Miller <davem@davemloft.net>	2019-10-26 21:30:55 -0400
committer	David S. Miller <davem@davemloft.net>	2019-10-26 21:30:55 -0400
commit	1a51a47491a5a23f0625b03ad6dc84cf39bf6a82 (patch)
tree	d2089bedb4a4ff10a9f03c197a6e78966dfbb7a4 /kernel/bpf/syscall.c
parent	45f338069941f799ecc22e5a51b423da0b32459d (diff)
parent	2afd23f78f39da84937006ecd24aa664a4ab052b (diff)