forked from luck/tmp_suning_uos_patched
Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
Daniel Borkmann says: ==================== pull-request: bpf 2020-07-31 The following pull-request contains BPF updates for your *net* tree. We've added 5 non-merge commits during the last 21 day(s) which contain a total of 5 files changed, 126 insertions(+), 18 deletions(-). The main changes are: 1) Fix a map element leak in HASH_OF_MAPS map type, from Andrii Nakryiko. 2) Fix a NULL pointer dereference in __btf_resolve_helper_id() when no btf_vmlinux is available, from Peilin Ye. 3) Init pos variable in __bpfilter_process_sockopt(), from Christoph Hellwig. 4) Fix a cgroup sockopt verifier test by specifying expected attach type, from Jean-Philippe Brucker. Note that when net gets merged into net-next later on, there is a small merge conflict in kernel/bpf/btf.c between commit5b801dfb7f
("bpf: Fix NULL pointer dereference in __btf_resolve_helper_id()") from the bpf tree and commit138b9a0511
("bpf: Remove btf_id helpers resolving") from the net-next tree. Resolve as follows: remove the old hunk with the __btf_resolve_helper_id() function. Change the btf_resolve_helper_id() so it actually tests for a NULL btf_vmlinux and bails out: int btf_resolve_helper_id(struct bpf_verifier_log *log, const struct bpf_func_proto *fn, int arg) { int id; if (fn->arg_type[arg] != ARG_PTR_TO_BTF_ID || !btf_vmlinux) return -EINVAL; id = fn->btf_id[arg]; if (!id || id > btf_vmlinux->nr_types) return -EINVAL; return id; } Let me know if you run into any others issues (CC'ing Jiri Olsa so he's in the loop with regards to merge conflict resolution). ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
commit
69138b34a7
|
@ -4058,6 +4058,11 @@ static int __btf_resolve_helper_id(struct bpf_verifier_log *log, void *fn,
|
||||||
const char *tname, *sym;
|
const char *tname, *sym;
|
||||||
u32 btf_id, i;
|
u32 btf_id, i;
|
||||||
|
|
||||||
|
if (!btf_vmlinux) {
|
||||||
|
bpf_log(log, "btf_vmlinux doesn't exist\n");
|
||||||
|
return -EINVAL;
|
||||||
|
}
|
||||||
|
|
||||||
if (IS_ERR(btf_vmlinux)) {
|
if (IS_ERR(btf_vmlinux)) {
|
||||||
bpf_log(log, "btf_vmlinux is malformed\n");
|
bpf_log(log, "btf_vmlinux is malformed\n");
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
|
@ -779,15 +779,20 @@ static void htab_elem_free_rcu(struct rcu_head *head)
|
||||||
htab_elem_free(htab, l);
|
htab_elem_free(htab, l);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l)
|
static void htab_put_fd_value(struct bpf_htab *htab, struct htab_elem *l)
|
||||||
{
|
{
|
||||||
struct bpf_map *map = &htab->map;
|
struct bpf_map *map = &htab->map;
|
||||||
|
void *ptr;
|
||||||
|
|
||||||
if (map->ops->map_fd_put_ptr) {
|
if (map->ops->map_fd_put_ptr) {
|
||||||
void *ptr = fd_htab_map_get_ptr(map, l);
|
ptr = fd_htab_map_get_ptr(map, l);
|
||||||
|
|
||||||
map->ops->map_fd_put_ptr(ptr);
|
map->ops->map_fd_put_ptr(ptr);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l)
|
||||||
|
{
|
||||||
|
htab_put_fd_value(htab, l);
|
||||||
|
|
||||||
if (htab_is_prealloc(htab)) {
|
if (htab_is_prealloc(htab)) {
|
||||||
__pcpu_freelist_push(&htab->freelist, &l->fnode);
|
__pcpu_freelist_push(&htab->freelist, &l->fnode);
|
||||||
|
@ -839,6 +844,7 @@ static struct htab_elem *alloc_htab_elem(struct bpf_htab *htab, void *key,
|
||||||
*/
|
*/
|
||||||
pl_new = this_cpu_ptr(htab->extra_elems);
|
pl_new = this_cpu_ptr(htab->extra_elems);
|
||||||
l_new = *pl_new;
|
l_new = *pl_new;
|
||||||
|
htab_put_fd_value(htab, old_elem);
|
||||||
*pl_new = old_elem;
|
*pl_new = old_elem;
|
||||||
} else {
|
} else {
|
||||||
struct pcpu_freelist_node *l;
|
struct pcpu_freelist_node *l;
|
||||||
|
|
|
@ -39,7 +39,7 @@ static int __bpfilter_process_sockopt(struct sock *sk, int optname,
|
||||||
{
|
{
|
||||||
struct mbox_request req;
|
struct mbox_request req;
|
||||||
struct mbox_reply reply;
|
struct mbox_reply reply;
|
||||||
loff_t pos;
|
loff_t pos = 0;
|
||||||
ssize_t n;
|
ssize_t n;
|
||||||
int ret = -EFAULT;
|
int ret = -EFAULT;
|
||||||
|
|
||||||
|
|
|
@ -5,10 +5,60 @@
|
||||||
|
|
||||||
#include "test_btf_map_in_map.skel.h"
|
#include "test_btf_map_in_map.skel.h"
|
||||||
|
|
||||||
|
static int duration;
|
||||||
|
|
||||||
|
static __u32 bpf_map_id(struct bpf_map *map)
|
||||||
|
{
|
||||||
|
struct bpf_map_info info;
|
||||||
|
__u32 info_len = sizeof(info);
|
||||||
|
int err;
|
||||||
|
|
||||||
|
memset(&info, 0, info_len);
|
||||||
|
err = bpf_obj_get_info_by_fd(bpf_map__fd(map), &info, &info_len);
|
||||||
|
if (err)
|
||||||
|
return 0;
|
||||||
|
return info.id;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Trigger synchronize_rcu() in kernel.
|
||||||
|
*
|
||||||
|
* ARRAY_OF_MAPS/HASH_OF_MAPS lookup/update operations trigger synchronize_rcu()
|
||||||
|
* if looking up an existing non-NULL element or updating the map with a valid
|
||||||
|
* inner map FD. Use this fact to trigger synchronize_rcu(): create map-in-map,
|
||||||
|
* create a trivial ARRAY map, update map-in-map with ARRAY inner map. Then
|
||||||
|
* cleanup. At the end, at least one synchronize_rcu() would be called.
|
||||||
|
*/
|
||||||
|
static int kern_sync_rcu(void)
|
||||||
|
{
|
||||||
|
int inner_map_fd, outer_map_fd, err, zero = 0;
|
||||||
|
|
||||||
|
inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, 4, 4, 1, 0);
|
||||||
|
if (CHECK(inner_map_fd < 0, "inner_map_create", "failed %d\n", -errno))
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
|
||||||
|
sizeof(int), inner_map_fd, 1, 0);
|
||||||
|
if (CHECK(outer_map_fd < 0, "outer_map_create", "failed %d\n", -errno)) {
|
||||||
|
close(inner_map_fd);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
err = bpf_map_update_elem(outer_map_fd, &zero, &inner_map_fd, 0);
|
||||||
|
if (err)
|
||||||
|
err = -errno;
|
||||||
|
CHECK(err, "outer_map_update", "failed %d\n", err);
|
||||||
|
close(inner_map_fd);
|
||||||
|
close(outer_map_fd);
|
||||||
|
return err;
|
||||||
|
}
|
||||||
|
|
||||||
void test_btf_map_in_map(void)
|
void test_btf_map_in_map(void)
|
||||||
{
|
{
|
||||||
int duration = 0, err, key = 0, val;
|
int err, key = 0, val, i;
|
||||||
struct test_btf_map_in_map* skel;
|
struct test_btf_map_in_map *skel;
|
||||||
|
int outer_arr_fd, outer_hash_fd;
|
||||||
|
int fd, map1_fd, map2_fd, map1_id, map2_id;
|
||||||
|
|
||||||
skel = test_btf_map_in_map__open_and_load();
|
skel = test_btf_map_in_map__open_and_load();
|
||||||
if (CHECK(!skel, "skel_open", "failed to open&load skeleton\n"))
|
if (CHECK(!skel, "skel_open", "failed to open&load skeleton\n"))
|
||||||
|
@ -18,32 +68,78 @@ void test_btf_map_in_map(void)
|
||||||
if (CHECK(err, "skel_attach", "skeleton attach failed: %d\n", err))
|
if (CHECK(err, "skel_attach", "skeleton attach failed: %d\n", err))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
|
map1_fd = bpf_map__fd(skel->maps.inner_map1);
|
||||||
|
map2_fd = bpf_map__fd(skel->maps.inner_map2);
|
||||||
|
outer_arr_fd = bpf_map__fd(skel->maps.outer_arr);
|
||||||
|
outer_hash_fd = bpf_map__fd(skel->maps.outer_hash);
|
||||||
|
|
||||||
/* inner1 = input, inner2 = input + 1 */
|
/* inner1 = input, inner2 = input + 1 */
|
||||||
val = bpf_map__fd(skel->maps.inner_map1);
|
map1_fd = bpf_map__fd(skel->maps.inner_map1);
|
||||||
bpf_map_update_elem(bpf_map__fd(skel->maps.outer_arr), &key, &val, 0);
|
bpf_map_update_elem(outer_arr_fd, &key, &map1_fd, 0);
|
||||||
val = bpf_map__fd(skel->maps.inner_map2);
|
map2_fd = bpf_map__fd(skel->maps.inner_map2);
|
||||||
bpf_map_update_elem(bpf_map__fd(skel->maps.outer_hash), &key, &val, 0);
|
bpf_map_update_elem(outer_hash_fd, &key, &map2_fd, 0);
|
||||||
skel->bss->input = 1;
|
skel->bss->input = 1;
|
||||||
usleep(1);
|
usleep(1);
|
||||||
|
|
||||||
bpf_map_lookup_elem(bpf_map__fd(skel->maps.inner_map1), &key, &val);
|
bpf_map_lookup_elem(map1_fd, &key, &val);
|
||||||
CHECK(val != 1, "inner1", "got %d != exp %d\n", val, 1);
|
CHECK(val != 1, "inner1", "got %d != exp %d\n", val, 1);
|
||||||
bpf_map_lookup_elem(bpf_map__fd(skel->maps.inner_map2), &key, &val);
|
bpf_map_lookup_elem(map2_fd, &key, &val);
|
||||||
CHECK(val != 2, "inner2", "got %d != exp %d\n", val, 2);
|
CHECK(val != 2, "inner2", "got %d != exp %d\n", val, 2);
|
||||||
|
|
||||||
/* inner1 = input + 1, inner2 = input */
|
/* inner1 = input + 1, inner2 = input */
|
||||||
val = bpf_map__fd(skel->maps.inner_map2);
|
bpf_map_update_elem(outer_arr_fd, &key, &map2_fd, 0);
|
||||||
bpf_map_update_elem(bpf_map__fd(skel->maps.outer_arr), &key, &val, 0);
|
bpf_map_update_elem(outer_hash_fd, &key, &map1_fd, 0);
|
||||||
val = bpf_map__fd(skel->maps.inner_map1);
|
|
||||||
bpf_map_update_elem(bpf_map__fd(skel->maps.outer_hash), &key, &val, 0);
|
|
||||||
skel->bss->input = 3;
|
skel->bss->input = 3;
|
||||||
usleep(1);
|
usleep(1);
|
||||||
|
|
||||||
bpf_map_lookup_elem(bpf_map__fd(skel->maps.inner_map1), &key, &val);
|
bpf_map_lookup_elem(map1_fd, &key, &val);
|
||||||
CHECK(val != 4, "inner1", "got %d != exp %d\n", val, 4);
|
CHECK(val != 4, "inner1", "got %d != exp %d\n", val, 4);
|
||||||
bpf_map_lookup_elem(bpf_map__fd(skel->maps.inner_map2), &key, &val);
|
bpf_map_lookup_elem(map2_fd, &key, &val);
|
||||||
CHECK(val != 3, "inner2", "got %d != exp %d\n", val, 3);
|
CHECK(val != 3, "inner2", "got %d != exp %d\n", val, 3);
|
||||||
|
|
||||||
|
for (i = 0; i < 5; i++) {
|
||||||
|
val = i % 2 ? map1_fd : map2_fd;
|
||||||
|
err = bpf_map_update_elem(outer_hash_fd, &key, &val, 0);
|
||||||
|
if (CHECK_FAIL(err)) {
|
||||||
|
printf("failed to update hash_of_maps on iter #%d\n", i);
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
err = bpf_map_update_elem(outer_arr_fd, &key, &val, 0);
|
||||||
|
if (CHECK_FAIL(err)) {
|
||||||
|
printf("failed to update hash_of_maps on iter #%d\n", i);
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
map1_id = bpf_map_id(skel->maps.inner_map1);
|
||||||
|
map2_id = bpf_map_id(skel->maps.inner_map2);
|
||||||
|
CHECK(map1_id == 0, "map1_id", "failed to get ID 1\n");
|
||||||
|
CHECK(map2_id == 0, "map2_id", "failed to get ID 2\n");
|
||||||
|
|
||||||
|
test_btf_map_in_map__destroy(skel);
|
||||||
|
skel = NULL;
|
||||||
|
|
||||||
|
/* we need to either wait for or force synchronize_rcu(), before
|
||||||
|
* checking for "still exists" condition, otherwise map could still be
|
||||||
|
* resolvable by ID, causing false positives.
|
||||||
|
*
|
||||||
|
* Older kernels (5.8 and earlier) freed map only after two
|
||||||
|
* synchronize_rcu()s, so trigger two, to be entirely sure.
|
||||||
|
*/
|
||||||
|
CHECK(kern_sync_rcu(), "sync_rcu", "failed\n");
|
||||||
|
CHECK(kern_sync_rcu(), "sync_rcu", "failed\n");
|
||||||
|
|
||||||
|
fd = bpf_map_get_fd_by_id(map1_id);
|
||||||
|
if (CHECK(fd >= 0, "map1_leak", "inner_map1 leaked!\n")) {
|
||||||
|
close(fd);
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
fd = bpf_map_get_fd_by_id(map2_id);
|
||||||
|
if (CHECK(fd >= 0, "map2_leak", "inner_map2 leaked!\n")) {
|
||||||
|
close(fd);
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
cleanup:
|
cleanup:
|
||||||
test_btf_map_in_map__destroy(skel);
|
test_btf_map_in_map__destroy(skel);
|
||||||
}
|
}
|
||||||
|
|
|
@ -112,6 +112,7 @@
|
||||||
"perfevent for cgroup sockopt",
|
"perfevent for cgroup sockopt",
|
||||||
.insns = { __PERF_EVENT_INSNS__ },
|
.insns = { __PERF_EVENT_INSNS__ },
|
||||||
.prog_type = BPF_PROG_TYPE_CGROUP_SOCKOPT,
|
.prog_type = BPF_PROG_TYPE_CGROUP_SOCKOPT,
|
||||||
|
.expected_attach_type = BPF_CGROUP_SETSOCKOPT,
|
||||||
.fixup_map_event_output = { 4 },
|
.fixup_map_event_output = { 4 },
|
||||||
.result = ACCEPT,
|
.result = ACCEPT,
|
||||||
.retval = 1,
|
.retval = 1,
|
||||||
|
|
Loading…
Reference in New Issue
Block a user