[PATCH bpf-next] bpf: fix sock_map

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH bpf-next] bpf: fix sock_map_alloc() error path
@ 2018-02-13 23:33 Eric Dumazet
  2018-02-13 23:43 ` Eric Dumazet
  0 siblings, 1 reply; 5+ messages in thread
From: Eric Dumazet @ 2018-02-13 23:33 UTC (permalink / raw)
  To: John Fastabend, Alexei Starovoitov; +Cc: netdev, Daniel Borkmann

From: Eric Dumazet <edumazet@google.com>

In case user program provides silly parameters, we want
a map_alloc() handler to return an error, not a NULL pointer,
otherwise we crash later in find_and_alloc_map()

Fixes: 174a79ff9515 ("bpf: sockmap with sk redirect support")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
---
 kernel/bpf/sockmap.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/sockmap.c b/kernel/bpf/sockmap.c
index 48c33417d13c0ad40154f25aeade0c9b4cafd96a..a927e89dad6e9591066c3a87afc497a196ebd887 100644
--- a/kernel/bpf/sockmap.c
+++ b/kernel/bpf/sockmap.c
@@ -521,8 +521,8 @@ static struct smap_psock *smap_init_psock(struct sock *sock,
 static struct bpf_map *sock_map_alloc(union bpf_attr *attr)
 {
 	struct bpf_stab *stab;
-	int err = -EINVAL;
 	u64 cost;
+	int err;
 
 	if (!capable(CAP_NET_ADMIN))
 		return ERR_PTR(-EPERM);
@@ -547,6 +547,7 @@ static struct bpf_map *sock_map_alloc(union bpf_attr *attr)
 
 	/* make sure page count doesn't overflow */
 	cost = (u64) stab->map.max_entries * sizeof(struct sock *);
+	err = -EINVAL;
 	if (cost >= U32_MAX - PAGE_SIZE)
 		goto free_stab;
 

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH bpf-next] bpf: fix sock_map_alloc() error path
  2018-02-13 23:33 [PATCH bpf-next] bpf: fix sock_map_alloc() error path Eric Dumazet
@ 2018-02-13 23:43 ` Eric Dumazet
  2018-02-14  1:19   ` Daniel Borkmann
  0 siblings, 1 reply; 5+ messages in thread
From: Eric Dumazet @ 2018-02-13 23:43 UTC (permalink / raw)
  To: John Fastabend, Alexei Starovoitov; +Cc: netdev, Daniel Borkmann

On Tue, 2018-02-13 at 15:33 -0800, Eric Dumazet wrote:
> From: Eric Dumazet <edumazet@google.com>
> 
> In case user program provides silly parameters, we want
> a map_alloc() handler to return an error, not a NULL pointer,
> otherwise we crash later in find_and_alloc_map()
> 
> Fixes: 174a79ff9515 ("bpf: sockmap with sk redirect support")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: syzbot <syzkaller@googlegroups.com>
> ---

This would apply to net or bpf trees, not -next ones, sorry for the
confusion in the [PATCH bpf-next] prefix.

Bug was added in 4.14

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH bpf-next] bpf: fix sock_map_alloc() error path
  2018-02-13 23:43 ` Eric Dumazet
@ 2018-02-14  1:19   ` Daniel Borkmann
  2018-02-14  2:53     ` John Fastabend
  0 siblings, 1 reply; 5+ messages in thread
From: Daniel Borkmann @ 2018-02-14  1:19 UTC (permalink / raw)
  To: Eric Dumazet; +Cc: John Fastabend, Alexei Starovoitov, netdev

Hi Eric,

On 02/14/2018 12:43 AM, Eric Dumazet wrote:
> On Tue, 2018-02-13 at 15:33 -0800, Eric Dumazet wrote:
>> From: Eric Dumazet <edumazet@google.com>
>>
>> In case user program provides silly parameters, we want
>> a map_alloc() handler to return an error, not a NULL pointer,
>> otherwise we crash later in find_and_alloc_map()
>>
>> Fixes: 174a79ff9515 ("bpf: sockmap with sk redirect support")
>> Signed-off-by: Eric Dumazet <edumazet@google.com>
>> Reported-by: syzbot <syzkaller@googlegroups.com>
>> ---
> 
> This would apply to net or bpf trees, not -next ones, sorry for the
> confusion in the [PATCH bpf-next] prefix.

No problem, thanks for the fix!

> Bug was added in 4.14

Fixes tag is actually slightly different, it would be:

Fixes: 1aa12bdf1bfb ("bpf: sockmap, add sock close() hook to remove socks")

I can change it if you want, no need to resend.

Thanks,
Daniel

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH bpf-next] bpf: fix sock_map_alloc() error path
  2018-02-14  1:19   ` Daniel Borkmann
@ 2018-02-14  2:53     ` John Fastabend
  2018-02-14  3:22       ` Alexei Starovoitov
  0 siblings, 1 reply; 5+ messages in thread
From: John Fastabend @ 2018-02-14  2:53 UTC (permalink / raw)
  To: Daniel Borkmann, Eric Dumazet; +Cc: Alexei Starovoitov, netdev

On 02/13/2018 05:19 PM, Daniel Borkmann wrote:
> Hi Eric,
> 
> On 02/14/2018 12:43 AM, Eric Dumazet wrote:
>> On Tue, 2018-02-13 at 15:33 -0800, Eric Dumazet wrote:
>>> From: Eric Dumazet <edumazet@google.com>
>>>
>>> In case user program provides silly parameters, we want
>>> a map_alloc() handler to return an error, not a NULL pointer,
>>> otherwise we crash later in find_and_alloc_map()
>>>
>>> Fixes: 174a79ff9515 ("bpf: sockmap with sk redirect support")
>>> Signed-off-by: Eric Dumazet <edumazet@google.com>
>>> Reported-by: syzbot <syzkaller@googlegroups.com>
>>> ---

Thanks Eric, also great to see syzkaller working on the sockmap
types.

Acked-by: John Fastabend <john.fastabend@gmail.com>

>>
>> This would apply to net or bpf trees, not -next ones, sorry for the
>> confusion in the [PATCH bpf-next] prefix.
> 
> No problem, thanks for the fix!
> 
>> Bug was added in 4.14
> 
> Fixes tag is actually slightly different, it would be:
> 
> Fixes: 1aa12bdf1bfb ("bpf: sockmap, add sock close() hook to remove socks")
> 

Yep.

> I can change it if you want, no need to resend.> Thanks,
> Daniel
> 

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH bpf-next] bpf: fix sock_map_alloc() error path
  2018-02-14  2:53     ` John Fastabend
@ 2018-02-14  3:22       ` Alexei Starovoitov
  0 siblings, 0 replies; 5+ messages in thread
From: Alexei Starovoitov @ 2018-02-14  3:22 UTC (permalink / raw)
  To: John Fastabend; +Cc: Daniel Borkmann, Eric Dumazet, Alexei Starovoitov, netdev

On Tue, Feb 13, 2018 at 06:53:36PM -0800, John Fastabend wrote:
> On 02/13/2018 05:19 PM, Daniel Borkmann wrote:
> > Hi Eric,
> > 
> > On 02/14/2018 12:43 AM, Eric Dumazet wrote:
> >> On Tue, 2018-02-13 at 15:33 -0800, Eric Dumazet wrote:
> >>> From: Eric Dumazet <edumazet@google.com>
> >>>
> >>> In case user program provides silly parameters, we want
> >>> a map_alloc() handler to return an error, not a NULL pointer,
> >>> otherwise we crash later in find_and_alloc_map()
> >>>
> >>> Fixes: 174a79ff9515 ("bpf: sockmap with sk redirect support")
> >>> Signed-off-by: Eric Dumazet <edumazet@google.com>
> >>> Reported-by: syzbot <syzkaller@googlegroups.com>
> >>> ---
> 
> Thanks Eric, also great to see syzkaller working on the sockmap
> types.
> 
> Acked-by: John Fastabend <john.fastabend@gmail.com>
> 
> >>
> >> This would apply to net or bpf trees, not -next ones, sorry for the
> >> confusion in the [PATCH bpf-next] prefix.
> > 
> > No problem, thanks for the fix!
> > 
> >> Bug was added in 4.14
> > 
> > Fixes tag is actually slightly different, it would be:
> > 
> > Fixes: 1aa12bdf1bfb ("bpf: sockmap, add sock close() hook to remove socks")
> > 
> 
> Yep.

Applied to bpf tree with corrected Fixes tag, Thanks everyone.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2018-02-14  3:22 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-02-13 23:33 [PATCH bpf-next] bpf: fix sock_map_alloc() error path Eric Dumazet
2018-02-13 23:43 ` Eric Dumazet
2018-02-14  1:19   ` Daniel Borkmann
2018-02-14  2:53     ` John Fastabend
2018-02-14  3:22       ` Alexei Starovoitov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).