From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jakub Sitnicki <jakub@cloudflare.com>,
Menglong Dong <imagedong@tencent.com>,
Alexei Starovoitov <ast@kernel.org>,
Sasha Levin <sashal@kernel.org>,
daniel@iogearbox.net, andrii@kernel.org, davem@davemloft.net,
kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org,
bpf@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 06/37] bpf: Make dst_port field in struct bpf_sock 16-bit wide
Date: Fri, 1 Apr 2022 10:44:15 -0400
Message-ID: <20220401144446.1954694-6-sashal@kernel.org>
In-Reply-To: <20220401144446.1954694-1-sashal@kernel.org>
From: Jakub Sitnicki <jakub@cloudflare.com>
[ Upstream commit 4421a582718ab81608d8486734c18083b822390d ]
Menglong Dong reports that the documentation for the dst_port field in
struct bpf_sock is inaccurate and confusing. From the BPF program PoV, the
field is a zero-padded 16-bit integer in network byte order. The value
appears to the BPF user as if laid out in memory as so:

  offsetof(struct bpf_sock, dst_port) + 0  <port MSB>
                                      + 8  <port LSB>
                                      +16  0x00
                                      +24  0x00

32-, 16-, and 8-bit wide loads from the field are all allowed, but only if
the offset into the field is 0.
32-bit wide loads from dst_port are especially confusing. The loaded value,
after converting to host byte order with bpf_ntohl(dst_port), contains the
port number in the upper 16-bits.
Remove the confusion by splitting the field into two 16-bit fields. For
backward compatibility, allow 32-bit wide loads from offsetof(struct
bpf_sock, dst_port).
While at it, allow 8-bit loads at offset [0] and [1] from dst_port.
Reported-by: Menglong Dong <imagedong@tencent.com>
Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/r/20220130115518.213259-2-jakub@cloudflare.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/uapi/linux/bpf.h | 3 ++-
net/core/filter.c | 10 +++++++++-
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 63038eb23560..4d0d932a7017 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -3068,7 +3068,8 @@ struct bpf_sock {
__u32 src_ip4;
__u32 src_ip6[4];
__u32 src_port; /* host byte order */
- __u32 dst_port; /* network byte order */
+ __be16 dst_port; /* network byte order */
+ __u16 :16; /* zero padding */
__u32 dst_ip4;
__u32 dst_ip6[4];
__u32 state;
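Review bot: the "zero padding" comment on the new `__u16 :16` member leaves out the compatibility rule the commit message describes: a 32-bit load at offsetof(struct bpf_sock, dst_port) is still accepted and, after bpf_ntohl(), carries the port in the upper 16 bits. Because this is a UAPI header and the field type changes from `__u32` to `__be16`, consider stating that in the comment next to dst_port, so that a program rebuilt against the new header does not keep a 32-bit-style conversion on what is now a 16-bit field.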
diff --git a/net/core/filter.c b/net/core/filter.c
index d39518f691b4..54c5e3c379f6 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -6708,6 +6708,7 @@ bool bpf_sock_is_valid_access(int off, int size, enum bpf_access_type type,
struct bpf_insn_access_aux *info)
{
const int size_default = sizeof(__u32);
+ int field_size;
if (off < 0 || off >= sizeof(struct bpf_sock))
return false;
@@ -6719,7 +6720,6 @@ bool bpf_sock_is_valid_access(int off, int size, enum bpf_access_type type,
case offsetof(struct bpf_sock, family):
case offsetof(struct bpf_sock, type):
case offsetof(struct bpf_sock, protocol):
- case offsetof(struct bpf_sock, dst_port):
case offsetof(struct bpf_sock, src_port):
case bpf_ctx_range(struct bpf_sock, src_ip4):
case bpf_ctx_range_till(struct bpf_sock, src_ip6[0], src_ip6[3]):
@@ -6727,6 +6727,14 @@ bool bpf_sock_is_valid_access(int off, int size, enum bpf_access_type type,
case bpf_ctx_range_till(struct bpf_sock, dst_ip6[0], dst_ip6[3]):
bpf_ctx_record_field_size(info, size_default);
return bpf_ctx_narrow_access_ok(off, size, size_default);
+ case bpf_ctx_range(struct bpf_sock, dst_port):
+ field_size = size == size_default ?
+ size_default : sizeof_field(struct bpf_sock, dst_port);
+ bpf_ctx_record_field_size(info, field_size);
+ return bpf_ctx_narrow_access_ok(off, size, field_size);
+ case offsetofend(struct bpf_sock, dst_port) ...
+ offsetof(struct bpf_sock, dst_ip4) - 1:
+ return false;
}
return size == size_default;
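Review bot: in the new `case bpf_ctx_range(struct bpf_sock, dst_port):` the choice of field_size (size_default for a 4-byte load, otherwise sizeof_field(struct bpf_sock, dst_port)) has no comment saying that the 4-byte branch exists only for backward compatibility; a one-line comment there, and one on the `return false` padding range, would keep a later cleanup from dropping either. The diff changes only the access check and carries no selftest, so for this 5.4 queue it is worth confirming that 1-byte loads at offset 1 are handled correctly by the existing narrow-load rewriting and that `sizeof_field()` and `offsetofend()` are available in this tree.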
--
2.34.1
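
Added example (not part of the patch or the kernel tree): a userspace C model of the dst_port layout described in the commit message, showing why a 32-bit load compared directly after ntohl() does not match the port, and the two reads that do. The helper names and the sample port 8080 are constructed for illustration; ntohl()/ntohs() stand in for bpf_ntohl()/bpf_ntohs().

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the four bytes a BPF program sees at
 * offsetof(struct bpf_sock, dst_port): port MSB, port LSB, 0x00, 0x00. */
static void fill_view(uint16_t port, uint8_t out[4])
{
    out[0] = (uint8_t)(port >> 8);
    out[1] = (uint8_t)(port & 0xff);
    out[2] = 0;
    out[3] = 0;
}

/* 32-bit load at offset 0 (the backward-compatible access), then ntohl(). */
static uint32_t ntohl_of_load32(uint16_t port)
{
    uint8_t view[4];
    uint32_t raw;

    fill_view(port, view);
    memcpy(&raw, view, sizeof(raw));
    return ntohl(raw);
}

/* 16-bit load at offset 0 (the access the __be16 field invites), then ntohs(). */
static uint16_t ntohs_of_load16(uint16_t port)
{
    uint8_t view[4];
    uint16_t raw;

    fill_view(port, view);
    memcpy(&raw, view, sizeof(raw));
    return ntohs(raw);
}

/* Pitfall: comparing the converted 32-bit value straight to a port number. */
static int naive_match32(uint16_t sock_port, uint16_t want)
{
    return ntohl_of_load32(sock_port) == want;
}

/* Correct use of the 32-bit load: the port sits in the upper 16 bits. */
static int shifted_match32(uint16_t sock_port, uint16_t want)
{
    return (ntohl_of_load32(sock_port) >> 16) == want;
}

int main(void)
{
    printf("ntohl(load32)=0x%08x ntohs(load16)=%u naive=%d shifted=%d\n",
           ntohl_of_load32(8080), (unsigned)ntohs_of_load16(8080),
           naive_match32(8080, 8080), shifted_match32(8080, 8080));
    return 0;
}
```
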