Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next

Daniel Borkmann says:

====================
pull-request: bpf-next 2018-09-25

The following pull-request contains BPF updates for your *net-next* tree.

The main changes are:

1) Allow for RX stack hardening by implementing the kernel's flow
   dissector in BPF. Idea was originally presented at netconf 2017 [0].
   Quote from merge commit:

     [...] Because of the rigorous checks of the BPF verifier, this
     provides significant security guarantees. In particular, the BPF
     flow dissector cannot get inside of an infinite loop, as with
     CVE-2013-4348, because BPF programs are guaranteed to terminate.
     It cannot read outside of packet bounds, because all memory accesses
     are checked. Also, with BPF the administrator can decide which
     protocols to support, reducing potential attack surface. Rarely
     encountered protocols can be excluded from dissection and the
     program can be updated without kernel recompile or reboot if a
     bug is discovered. [...]

   Also, a sample flow dissector has been implemented in BPF as part
   of this work, from Petar and Willem.

   [0] http://vger.kernel.org/netconf2017_files/rx_hardening_and_udp_gso.pdf

2) Add support for bpftool to list currently active attachment
   points of BPF networking programs providing a quick overview
   similar to bpftool's perf subcommand, from Yonghong.

3) Fix a verifier pruning instability bug where a union member
   from the register state was not cleared properly leading to
   branches not being pruned despite them being valid candidates,
   from Alexei.

4) Various smaller fast-path optimizations in XDP's map redirect
   code, from Jesper.

5) Enable to recognize BPF_MAP_TYPE_REUSEPORT_SOCKARRAY maps
   in bpftool, from Roman.

6) Remove a duplicate check in libbpf that probes for function
   storage, from Taeung.

7) Fix an issue in test_progs by avoid checking for errno since
   on success its value should not be checked, from Mauricio.

8) Fix unused variable warning in bpf_getsockopt() helper when
   CONFIG_INET is not configured, from Anders.

9) Fix a compilation failure in the BPF sample code's use of
   bpf_flow_keys, from Prashant.

10) Minor cleanups in BPF code, from Yue and Zhong.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 26 insertions, 0 deletions

diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index 66917a4eba27..aa5ccd2385ed 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -152,6 +152,7 @@ enum bpf_prog_type {
         BPF_PROG_TYPE_LWT_SEG6LOCAL,
         BPF_PROG_TYPE_LIRC_MODE2,
         BPF_PROG_TYPE_SK_REUSEPORT,
+        BPF_PROG_TYPE_FLOW_DISSECTOR,
 };
 
 enum bpf_attach_type {
@@ -172,6 +173,7 @@ enum bpf_attach_type {
         BPF_CGROUP_UDP4_SENDMSG,
         BPF_CGROUP_UDP6_SENDMSG,
         BPF_LIRC_MODE2,
+        BPF_FLOW_DISSECTOR,
         __MAX_BPF_ATTACH_TYPE
 };
 
@@ -2333,6 +2335,7 @@ struct __sk_buff {
         /* ... here. */
 
         __u32 data_meta;
+        struct bpf_flow_keys *flow_keys;
 };
 
 struct bpf_tunnel_key {
@@ -2778,4 +2781,27 @@ enum bpf_task_fd_type {
         BPF_FD_TYPE_URETPROBE,          /* filename + offset */
 };
 
+struct bpf_flow_keys {
+        __u16   nhoff;
+        __u16   thoff;
+        __u16   addr_proto;                     /* ETH_P_* of valid addrs */
+        __u8    is_frag;
+        __u8    is_first_frag;
+        __u8    is_encap;
+        __u8    ip_proto;
+        __be16  n_proto;
+        __be16  sport;
+        __be16  dport;
+        union {
+                struct {
+                        __be32  ipv4_src;
+                        __be32  ipv4_dst;
+                };
+                struct {
+                        __u32   ipv6_src[4];    /* in6_addr; network order */
+                        __u32   ipv6_dst[4];    /* in6_addr; network order */
+                };
+        };
+};
+
 #endif /* _UAPI__LINUX_BPF_H__ */