From mboxrd@z Thu Jan 1 00:00:00 1970 From: Daniel Borkmann Subject: [PATCH bpf 5/7] bpf: fix direct packet write into pop/peek helpers Date: Wed, 24 Oct 2018 22:05:47 +0200 Message-ID: <20181024200549.8516-6-daniel@iogearbox.net> References: <20181024200549.8516-1-daniel@iogearbox.net> Cc: netdev@vger.kernel.org, Daniel Borkmann , Mauricio Vasquez B To: ast@kernel.org Return-path: Received: from www62.your-server.de ([213.133.104.62]:51722 "EHLO www62.your-server.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725829AbeJYEf0 (ORCPT ); Thu, 25 Oct 2018 00:35:26 -0400 In-Reply-To: <20181024200549.8516-1-daniel@iogearbox.net> Sender: netdev-owner@vger.kernel.org List-ID: Commit f1a2e44a3aec ("bpf: add queue and stack maps") probably just copy-pasted .pkt_access for bpf_map_{pop,peek}_elem() helpers, but this is buggy in this context since it would allow writes into cloned skbs which is invalid. Therefore, disable .pkt_access for the two. Fixes: f1a2e44a3aec ("bpf: add queue and stack maps") Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Cc: Mauricio Vasquez B --- kernel/bpf/helpers.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c index ab0d5e3..a74972b 100644 --- a/kernel/bpf/helpers.c +++ b/kernel/bpf/helpers.c @@ -99,7 +99,6 @@ BPF_CALL_2(bpf_map_pop_elem, struct bpf_map *, map, void *, value) const struct bpf_func_proto bpf_map_pop_elem_proto = { .func = bpf_map_pop_elem, .gpl_only = false, - .pkt_access = true, .ret_type = RET_INTEGER, .arg1_type = ARG_CONST_MAP_PTR, .arg2_type = ARG_PTR_TO_UNINIT_MAP_VALUE, @@ -113,7 +112,6 @@ BPF_CALL_2(bpf_map_peek_elem, struct bpf_map *, map, void *, value) const struct bpf_func_proto bpf_map_peek_elem_proto = { .func = bpf_map_pop_elem, .gpl_only = false, - .pkt_access = true, .ret_type = RET_INTEGER, .arg1_type = ARG_CONST_MAP_PTR, .arg2_type = ARG_PTR_TO_UNINIT_MAP_VALUE, -- 2.9.5