
Commit fdcd446

author
Paolo Abeni
committed
Daniel Borkmann says: ==================== pull-request: bpf 2024-02-22 The following pull-request contains BPF updates for your *net* tree. We've added 11 non-merge commits during the last 24 day(s) which contain a total of 15 files changed, 217 insertions(+), 17 deletions(-). The main changes are: 1) Fix a syzkaller-triggered oops when attempting to read the vsyscall page through bpf_probe_read_kernel and friends, from Hou Tao. 2) Fix a kernel panic due to uninitialized iter position pointer in bpf_iter_task, from Yafang Shao. 3) Fix a race between bpf_timer_cancel_and_free and bpf_timer_cancel, from Martin KaFai Lau. 4) Fix a xsk warning in skb_add_rx_frag() (under CONFIG_DEBUG_NET) due to incorrect truesize accounting, from Sebastian Andrzej Siewior. 5) Fix a NULL pointer dereference in sk_psock_verdict_data_ready, from Shigeru Yoshida. 6) Fix a resolve_btfids warning when bpf_cpumask symbol cannot be resolved, from Hari Bathini. bpf-for-netdev * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf: bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready() selftests/bpf: Add negtive test cases for task iter bpf: Fix an issue due to uninitialized bpf_iter_task selftests/bpf: Test racing between bpf_timer_cancel_and_free and bpf_timer_cancel bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel selftest/bpf: Test the read of vsyscall page under x86-64 x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() x86/mm: Move is_vsyscall_vaddr() into asm/vsyscall.h bpf, scripts: Correct GPL license name xsk: Add truesize to skb_add_rx_frag(). bpf: Fix warning for bpf_cpumask in verifier ==================== Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Paolo Abeni <[email protected]>
2 parents 3489182 + 4cd12c6 commit fdcd446


15 files changed

+217
-17
lines changed


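--- a/arch/x86/include/asm/vsyscall.h
+++ b/arch/x86/include/asm/vsyscall.h
@@ -4,6 +4,7 @@
 
 #include <linux/seqlock.h>
 #include <uapi/asm/vsyscall.h>
+#include <asm/page_types.h>
 
 #ifdef CONFIG_X86_VSYSCALL_EMULATION
 extern void map_vsyscall(void);
@@ -24,4 +25,13 @@ static inline bool emulate_vsyscall(unsigned long error_code,
 }
 #endif
 
+/*
+* The (legacy) vsyscall page is the long page in the kernel portion
+* of the address space that has user-accessible permissions.
+*/
+static inline bool is_vsyscall_vaddr(unsigned long vaddr)
+{
+return unlikely((vaddr & PAGE_MASK) == VSYSCALL_ADDR);
+}
+
 #endif /* _ASM_X86_VSYSCALL_H */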
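Review bot: is_vsyscall_vaddr() is placed after the `#endif` that closes the CONFIG_X86_VSYSCALL_EMULATION block (new line 26), so it stays available to callers when emulation is compiled out; that looks deliberate, but the moved comment does not say so and a later cleanup could fold it back into the guarded block. Suggest extending the comment with `* Kept outside the CONFIG_X86_VSYSCALL_EMULATION guard: callers need the address check regardless of whether the page is emulated.`. The helper also relies on PAGE_MASK and `unlikely()` being in scope in this header; the new `#include <asm/page_types.h>` at line 7 covers the former, and the latter presumably arrives through linux/seqlock.h, which is worth confirming rather than assuming.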

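--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -798,15 +798,6 @@ show_signal_msg(struct pt_regs *regs, unsigned long error_code,
 show_opcodes(regs, loglvl);
 }
 
-/*
-* The (legacy) vsyscall page is the long page in the kernel portion
-* of the address space that has user-accessible permissions.
-*/
-static bool is_vsyscall_vaddr(unsigned long vaddr)
-{
-return unlikely((vaddr & PAGE_MASK) == VSYSCALL_ADDR);
-}
-
 static void
 __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
 unsigned long address, u32 pkey, int si_code)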

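--- a/arch/x86/mm/maccess.c
+++ b/arch/x86/mm/maccess.c
@@ -3,6 +3,8 @@
 #include <linux/uaccess.h>
 #include <linux/kernel.h>
 
+#include <asm/vsyscall.h>
+
 #ifdef CONFIG_X86_64
 bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)
 {
@@ -15,6 +17,14 @@ bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)
 if (vaddr < TASK_SIZE_MAX + PAGE_SIZE)
 return false;
 
+/*
+* Reading from the vsyscall page may cause an unhandled fault in
+* certain cases. Though it is at an address above TASK_SIZE_MAX, it is
+* usually considered as a user space address.
+*/
+if (is_vsyscall_vaddr(vaddr))
+return false;
+
 /*
 * Allow everything during early boot before 'x86_virt_bits'
 * is initialized. Needed for instruction decoding in early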
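Review bot: The new guard at line 25 checks only the first byte of the access: a read that starts in the page just below VSYSCALL_ADDR and runs `size` bytes into the vsyscall page is still allowed, even though the function receives `size` and the same fault would presumably be hit partway through. Whether that matters depends on whether callers already bound `size` to stay within a page, which this hunk does not show; if they do not, `if (is_vsyscall_vaddr(vaddr) || is_vsyscall_vaddr(vaddr + size - 1)) return false;` closes the gap (with `size == 0` handled first), and the pre-existing TASK_SIZE_MAX check above has the same first-byte-only shape. The comment says "may cause an unhandled fault in certain cases" without naming the case; spelling out which configuration or fault path is meant would save the next reader a trip to the commit log. copy_from_kernel_nofault_allowed() continues outside the hunk.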

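--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -1101,6 +1101,7 @@ struct bpf_hrtimer {
 struct bpf_prog *prog;
 void __rcu *callback_fn;
 void *value;
+struct rcu_head rcu;
 };
 
 /* the actual struct hidden inside uapi struct bpf_timer */
@@ -1332,6 +1333,7 @@ BPF_CALL_1(bpf_timer_cancel, struct bpf_timer_kern *, timer)
 
 if (in_nmi())
 return -EOPNOTSUPP;
+rcu_read_lock();
 __bpf_spin_lock_irqsave(&timer->lock);
 t = timer->timer;
 if (!t) {
@@ -1353,6 +1355,7 @@ BPF_CALL_1(bpf_timer_cancel, struct bpf_timer_kern *, timer)
 * if it was running.
 */
 ret = ret ?: hrtimer_cancel(&t->timer);
+rcu_read_unlock();
 return ret;
 }
 
@@ -1407,7 +1410,7 @@ void bpf_timer_cancel_and_free(void *val)
 */
 if (this_cpu_read(hrtimer_running) != t)
 hrtimer_cancel(&t->timer);
-kfree(t);
+kfree_rcu(t, rcu);
 }
 
 BPF_CALL_2(bpf_kptr_xchg, void *, map_value, void *, ptr)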
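Review bot: bpf_timer_cancel() now enters an RCU read-side section at line 1336, before __bpf_spin_lock_irqsave(), and leaves it at line 1358; every exit in between must pass through that unlock, and the `if (!t) {` branch at line 1339 begins a path the hunk does not show, so please confirm it reaches line 1358 rather than returning directly. The reason for the RCU section is only discoverable from the bpf_timer_cancel_and_free() hunk (kfree → kfree_rcu), which is a long way from the lock; a comment at line 1336 would keep them together, e.g. `/* t may be freed via kfree_rcu() by bpf_timer_cancel_and_free() once timer->lock is released; stay in an RCU read-side section until hrtimer_cancel() below has finished with it. */`. The new `struct rcu_head rcu` member at line 1104 would likewise benefit from `/* for kfree_rcu() in bpf_timer_cancel_and_free() */`. Both bpf_timer_cancel() and bpf_timer_cancel_and_free() start outside their hunks.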

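--- a/kernel/bpf/task_iter.c
+++ b/kernel/bpf/task_iter.c
@@ -978,6 +978,8 @@ __bpf_kfunc int bpf_iter_task_new(struct bpf_iter_task *it,
 BUILD_BUG_ON(__alignof__(struct bpf_iter_task_kern) !=
 __alignof__(struct bpf_iter_task));
 
+kit->pos = NULL;
+
 switch (flags) {
 case BPF_TASK_ITER_ALL_THREADS:
 case BPF_TASK_ITER_ALL_PROCS: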
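Review bot: The fix at line 981 initializes only `kit->pos`; if `struct bpf_iter_task_kern` has other members that the destroy or next path reads when `flags` is rejected by the switch below, they have the same exposure, and a whole-struct `memset(kit, 0, sizeof(*kit));` would close all of them at once rather than one field per bug report. I cannot see the struct definition or the error path from this hunk, so treat that as something to verify rather than a defect. A one-line comment saying why the store is needed would also help, e.g. `/* pos must be valid even when flags is rejected below, since the iterator is still destroyed */`, adjusted to whichever reader actually depends on it. bpf_iter_task_new() continues outside the hunk.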

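--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5227,7 +5227,9 @@ BTF_ID(struct, prog_test_ref_kfunc)
 #ifdef CONFIG_CGROUPS
 BTF_ID(struct, cgroup)
 #endif
+#ifdef CONFIG_BPF_JIT
 BTF_ID(struct, bpf_cpumask)
+#endif
 BTF_ID(struct, task_struct)
 BTF_SET_END(rcu_protected_types)
 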
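--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -1226,8 +1226,11 @@ static void sk_psock_verdict_data_ready(struct sock *sk)
 
 rcu_read_lock();
 psock = sk_psock(sk);
-if (psock)
-psock->saved_data_ready(sk);
+if (psock) {
+read_lock_bh(&sk->sk_callback_lock);
+sk_psock_data_ready(sk, psock);
+read_unlock_bh(&sk->sk_callback_lock);
+}
 rcu_read_unlock();
 }
 }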
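Review bot: The new block at lines 1229-1233 takes sk_callback_lock for reading around sk_psock_data_ready(), replacing the direct `psock->saved_data_ready(sk)` call that could dereference NULL, but nothing in the hunk records which writer the lock is ordering against, so the next person touching this path cannot tell whether the lock is load-bearing. A comment such as `/* saved_data_ready is updated under sk_callback_lock; hold it so sk_psock_data_ready() cannot observe a half-torn-down psock */` would make that explicit — adjust it to the actual writer, which I cannot see from here. The read lock is now taken inside the existing rcu_read_lock() section, which is fine only as long as the callback reached through sk_psock_data_ready() never sleeps; worth a glance. sk_psock_verdict_data_ready() starts outside the hunk.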

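--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -722,7 +722,8 @@ static struct sk_buff *xsk_build_skb(struct xdp_sock *xs,
 memcpy(vaddr, buffer, len);
 kunmap_local(vaddr);
 
-skb_add_rx_frag(skb, nr_frags, page, 0, len, 0);
+skb_add_rx_frag(skb, nr_frags, page, 0, len, PAGE_SIZE);
+refcount_add(PAGE_SIZE, &xs->sk.sk_wmem_alloc);
 }
 
 if (first_frag && desc->options & XDP_TX_METADATA) {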
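Review bot: Line 726 charges PAGE_SIZE per fragment to `xs->sk.sk_wmem_alloc`, matching the truesize now passed to skb_add_rx_frag() on line 725, but the hunk does not show where that charge is released; unless the skb's destructor subtracts `skb->truesize` (which skb_add_rx_frag() grows by the same amount) from sk_wmem_alloc, the socket's write-memory accounting drifts upward by one page per frag. Please confirm the destructor path, and consider documenting the pairing at line 726, e.g. `/* charge the full page to the socket; released with skb->truesize by the skb destructor */`. The page allocation and the error path that would have to undo this charge on failure are outside the hunk, as is the rest of xsk_build_skb().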

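--- a/scripts/bpf_doc.py
+++ b/scripts/bpf_doc.py
@@ -513,7 +513,7 @@ def print_footer(self):
 instructions to the kernel when the programs are loaded. The format for that
 string is identical to the one in use for kernel modules (Dual licenses, such
 as "Dual BSD/GPL", may be used). Some helper functions are only accessible to
-programs that are compatible with the GNU Privacy License (GPL).
+programs that are compatible with the GNU General Public License (GNU GPL).
 
 In order to use such helpers, the eBPF program must be loaded with the correct
 license string passed (via **attr**) to the **bpf**\\ () system call, and this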

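--- a/tools/testing/selftests/bpf/prog_tests/iters.c
+++ b/tools/testing/selftests/bpf/prog_tests/iters.c
@@ -193,6 +193,7 @@ static void subtest_task_iters(void)
 ASSERT_EQ(skel->bss->procs_cnt, 1, "procs_cnt");
 ASSERT_EQ(skel->bss->threads_cnt, thread_num + 1, "threads_cnt");
 ASSERT_EQ(skel->bss->proc_threads_cnt, thread_num + 1, "proc_threads_cnt");
+ASSERT_EQ(skel->bss->invalid_cnt, 0, "invalid_cnt");
 pthread_mutex_unlock(&do_nothing_mutex);
 for (int i = 0; i < thread_num; i++)
 ASSERT_OK(pthread_join(thread_ids[i], &ret), "pthread_join");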
