Commit 20192d9c authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf 



Andrii Nakryiko says:

====================
pull-request: bpf 2021-07-15

The following pull-request contains BPF updates for your *net* tree.

We've added 9 non-merge commits during the last 5 day(s) which contain
a total of 9 files changed, 37 insertions(+), 15 deletions(-).

The main changes are:

1) Fix NULL pointer dereference in BPF_TEST_RUN for BPF_XDP_DEVMAP and
   BPF_XDP_CPUMAP programs, from Xuan Zhuo.

2) Fix use-after-free of net_device in XDP bpf_link, from Xuan Zhuo.

3) Follow-up fix to subprog poke descriptor use-after-free problem, from
   Daniel Borkmann and John Fastabend.

4) Fix out-of-range array access in s390 BPF JIT backend, from Colin Ian King.

5) Fix memory leak in BPF sockmap, from John Fastabend.

6) Fix for sockmap to prevent proc stats reporting bug, from John Fastabend
   and Jakub Sitnicki.

7) Fix NULL pointer dereference in bpftool, from Tobias Klauser.

8) AF_XDP documentation fixes, from Baruch Siach.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents a6ecfb39 d444b06e

Documentation/networking/af_xdp.rst

+3 −3
Original line number Diff line number Diff line
@@ -243,8 +243,8 @@ Configuration Flags and Socket Options 
These are the various configuration flags that can be used to control

and monitor the behavior of AF_XDP sockets.



XDP_COPY and XDP_ZERO_COPY bind flags

-------------------------------------

XDP_COPY and XDP_ZEROCOPY bind flags

------------------------------------



When you bind to a socket, the kernel will first try to use zero-copy

copy. If zero-copy is not supported, it will fall back on using copy
@@ -252,7 +252,7 @@ mode, i.e. copying all packets out to user space. But if you would 
like to force a certain mode, you can use the following flags. If you

pass the XDP_COPY flag to the bind call, the kernel will force the

socket into copy mode. If it cannot use copy mode, the bind call will

fail with an error. Conversely, the XDP_ZERO_COPY flag will force the

fail with an error. Conversely, the XDP_ZEROCOPY flag will force the

socket into zero-copy mode or fail.



XDP_SHARED_UMEM bind flag

arch/s390/net/bpf_jit_comp.c

+1 −1
Original line number Diff line number Diff line
@@ -112,7 +112,7 @@ static inline void reg_set_seen(struct bpf_jit *jit, u32 b1) 
{

	u32 r1 = reg2hex[b1];



	if (!jit->seen_reg[r1] && r1 >= 6 && r1 <= 15)

	if (r1 >= 6 && r1 <= 15 && !jit->seen_reg[r1])

		jit->seen_reg[r1] = 1;

}

kernel/bpf/verifier.c

+2 −0
Original line number Diff line number Diff line
@@ -3677,6 +3677,8 @@ static int check_max_stack_depth(struct bpf_verifier_env *env) 
	if (tail_call_reachable)

		for (j = 0; j < frame; j++)

			subprog[ret_prog[j]].tail_call_reachable = true;

	if (subprog[0].tail_call_reachable)

		env->prog->aux->tail_call_reachable = true;



	/* end of for() loop means the last insn of the 'subprog'

	 * was reached. Doesn't matter whether it was JA or EXIT

net/bpf/test_run.c

+3 −0
Original line number Diff line number Diff line
@@ -701,6 +701,9 @@ int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr, 
	void *data;

	int ret;



	if (prog->expected_attach_type == BPF_XDP_DEVMAP ||

	    prog->expected_attach_type == BPF_XDP_CPUMAP)

		return -EINVAL;

	if (kattr->test.ctx_in || kattr->test.ctx_out)

		return -EINVAL;

net/core/dev.c

+10 −4
Original line number Diff line number Diff line
@@ -9712,14 +9712,17 @@ int bpf_xdp_link_attach(const union bpf_attr *attr, struct bpf_prog *prog) 
	struct net_device *dev;

	int err, fd;



	rtnl_lock();

	dev = dev_get_by_index(net, attr->link_create.target_ifindex);

	if (!dev)

	if (!dev) {

		rtnl_unlock();

		return -EINVAL;

	}



	link = kzalloc(sizeof(*link), GFP_USER);

	if (!link) {

		err = -ENOMEM;

		goto out_put_dev;

		goto unlock;

	}



	bpf_link_init(&link->link, BPF_LINK_TYPE_XDP, &bpf_xdp_link_lops, prog);
@@ -9729,14 +9732,14 @@ int bpf_xdp_link_attach(const union bpf_attr *attr, struct bpf_prog *prog) 
	err = bpf_link_prime(&link->link, &link_primer);

	if (err) {

		kfree(link);

		goto out_put_dev;

		goto unlock;

	}



	rtnl_lock();

	err = dev_xdp_attach_link(dev, NULL, link);

	rtnl_unlock();



	if (err) {

		link->dev = NULL;

		bpf_link_cleanup(&link_primer);

		goto out_put_dev;

	}
@@ -9746,6 +9749,9 @@ int bpf_xdp_link_attach(const union bpf_attr *attr, struct bpf_prog *prog) 
	dev_put(dev);

	return fd;



unlock:

	rtnl_unlock();



out_put_dev:

	dev_put(dev);

	return err;