Netdev List
* RE: [PATCH] qed: fix memory leak of a qed_spq_entry on error failure paths
From: Mintz, Yuval @ 2016-12-18  6:33 UTC (permalink / raw)
  To: Colin King, netdev@vger.kernel.org
  Cc: linux-kernel@vger.kernel.org, Elior, Ariel, Tayar, Tomer
In-Reply-To: <20161216125039.20969-1-colin.king@canonical.com>

> From: Colin Ian King <colin.king@canonical.com>
> 
> A qed_spq_entry entry is allocated by qed_sp_init_request but is not kfree'd
> if an error occurs, causing a memory leak. Fix this by kfree'ing it and also
> setting *pp_ent to NULL to be safe.
> 
> Found with static analysis by CoverityScan, CIDs 1389468-1389470
> 
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
...
> +err:
> +	kfree(*pp_ent);
> +	*pp_ent = NULL;
> +
> +	return rc;
>  }
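
Review bot: at the new `err:` label, `kfree(*pp_ent)` runs on every error path, but the quoted lines do not show `*pp_ent` being set to NULL before the first `goto err`. If any jump to the label can happen before an entry pointer has been stored, this frees an uninitialised value. Set `*pp_ent = NULL` at function entry, or confirm that every `goto err` follows a successful allocation.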

Hi Colin - thanks for this.
It would have been preferable to return the previously allocated spq entry.
I.e., do:

+err:
+	qed_spq_return_entry(p_hwfn, *pp_ent);
+	*pp_ent = NULL;
+	return rc;

Thanks,
Yuval

^ permalink raw reply

* Re: [PATCH net] ipvlan: fix crash
From: David Miller @ 2016-12-18  4:54 UTC (permalink / raw)
  To: mahesh; +Cc: netdev, edumazet, maheshb
In-Reply-To: <1482027379-30785-1-git-send-email-mahesh@bandewar.net>

From: Mahesh Bandewar <mahesh@bandewar.net>
Date: Sat, 17 Dec 2016 18:16:19 -0800

> diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
> index b4e990743e1d..4294fc1f5564 100644
> --- a/drivers/net/ipvlan/ipvlan_core.c
> +++ b/drivers/net/ipvlan/ipvlan_core.c
> @@ -660,6 +660,9 @@ rx_handler_result_t ipvlan_handle_frame(struct sk_buff **pskb)
>  	if (!port)
>  		return RX_HANDLER_PASS;
>  
> +	if (unlikely(!pskb_may_pull(skb, sizeof(struct ethhdr))))
> +		goto out;
> +
>  	switch (port->mode) {
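
Review bot: the `pskb_may_pull(skb, sizeof(struct ethhdr))` check added ahead of `switch (port->mode)` carries no comment on which receive path can hand this handler an skb whose Ethernet header is not already in the linear area. Add a short comment above the check, and the reproducer to the commit log, so the guard's purpose is recorded next to the code.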

ipvlan only allows non-loopback ethernet devices to register
this RX handler.

Such situations being tested here should therefore be completely
impossible.

Every such device must send the SKB through eth_type_trans(), which
unconditionally accesses the ethernet header, therefore it must
be pulled into the linear SKB area already, long before this RX
handler is invoked.

If this really can legitimately happen, you must explain how so.

Just showing the crash that later happens in some (completely
unrelated BTW) ipvlan multicast workqueue handling function, is
really an insufficient commit log message for a bug like this.

^ permalink raw reply

* [GIT] Networking
From: David Miller @ 2016-12-18  2:55 UTC (permalink / raw)
  To: torvalds; +Cc: akpm, netdev, linux-kernel


1) Revert bogus nla_ok() change, from Alexey Dobriyan.

2) Various bpf validator fixes from Daniel Borkmann.

3) Add some necessary SET_NETDEV_DEV() calls to hisi_femac and hip04
   drivers, from Dongpo Li.

4) Several ethtool ksettings conversions from Philippe Reynes.

5) Fix bugs in inet port management wrt. soreuseport, from Tom
   Herbert.

6) XDP support for virtio_net, from John Fastabend.

7) Fix NAT handling within a vrf, from David Ahern.

8) Endianness fixes in dpaa_eth driver, from Claudiu Manoil.

Please pull, thanks a lot!

The following changes since commit 8fa3b6f9392bf6d90cb7b908e07bd90166639f0a:

  Merge tag 'cris-for-4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/jesper/cris (2016-12-12 09:06:38 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git 

for you to fetch changes up to 3e3397e7b11ce1b9526975ddfbe8dd569fc1f316:

  net: mv643xx_eth: fix build failure (2016-12-17 21:47:26 -0500)

----------------------------------------------------------------
Alexey Dobriyan (1):
      netlink: revert broken, broken "2-clause nla_ok()"

Andrew Lunn (1):
      net: dsa: mv88e6xxx: Fix opps when adding vlan bridge

Andy Lutomirski (1):
      cgroup: Fix CGROUP_BPF config

Arnd Bergmann (1):
      qed: fix old-style function definition

Bartosz Folta (1):
      net: macb: Added PCI wrapper for Platform Driver.

Ben Greear (1):
      mac80211: fix legacy and invalid rx-rate report

Cedric Izoard (1):
      mac80211: Ensure enough headroom when forwarding mesh pkt

Claudiu Manoil (1):
      dpaa_eth: use big endian accessors

Dan Carpenter (1):
      irda: w83977af_ir: cleanup an indent issue

Daniel Borkmann (5):
      bpf: fix regression on verifier pruning wrt map lookups
      bpf, test_verifier: fix a test case error result on unprivileged
      bpf: dynamically allocate digest scratch buffer
      bpf: fix overflow in prog accounting
      bpf: fix mark_reg_unknown_value for spilled regs on map value marking

Daniel Mack (1):
      bpf: cgroup: annotate pointers in struct cgroup_bpf with __rcu

David Ahern (2):
      net: vrf: Fix NAT within a VRF
      net: vrf: Drop conntrack data after pass through VRF device on Tx

David S. Miller (8):
      Merge branch 'hisilicon-netdev-dev'
      Merge branch 'cls_flower-mask'
      Merge branch 'inet_csk_get_port-and-soreusport-fixes'
      Merge branch 'dpaa_eth-fixes'
      Merge branch 'virtio_net-XDP'
      Merge branch 'gtp-fixes'
      Merge branch 'bpf-fixes'
      Merge tag 'mac80211-for-davem-2016-12-16' of git://git.kernel.org/.../jberg/mac80211

Dongpo Li (2):
      net: ethernet: hisi_femac: Call SET_NETDEV_DEV()
      net: ethernet: hip04: Call SET_NETDEV_DEV()

Emese Revfy (1):
      isdn: Constify some function parameters

Harald Welte (1):
      gtp: Fix initialization of Flags octet in GTPv1 header

Ido Schimmel (1):
      mlxsw: spectrum: Mark split ports as such

Jason Wang (1):
      virtio-net: correctly enable multiqueue

Jeroen De Wachter (2):
      encx24j600: bugfix - always move ERXTAIL to next packet in encx24j600_rx_packets
      encx24j600: Fix some checkstyle warnings

Johannes Berg (1):
      mac80211: don't call drv_set_default_unicast_key() for VLANs

John Fastabend (5):
      net: xdp: add invalid buffer warning
      virtio_net: Add XDP support
      virtio_net: add dedicated XDP transmit queues
      virtio_net: add XDP_TX support
      virtio_net: xdp, add slowpath case for non contiguous buffers

Kees Cook (7):
      isdn/gigaset: use designated initializers
      ATM: use designated initializers
      net: use designated initializers
      WAN: use designated initializers
      bna: use designated initializers
      isdn: use designated initializers
      net/x25: use designated initializers

LABBE Corentin (5):
      irda: irproc.c: Remove unneeded linux/miscdevice.h include
      irda: irnet: Move linux/miscdevice.h include
      irnet: ppp: move IRNET_MINOR to include/linux/miscdevice.h
      irda: irnet: Remove unused IRNET_MAJOR define
      irda: irnet: add member name to the miscdevice declaration

Lionel Gauthier (1):
      gtp: gtp_check_src_ms_ipv4() always return success

Madalin Bucur (2):
      dpaa_eth: remove redundant dependency on FSL_SOC
      MAINTAINERS: net: add entry for Freescale QorIQ DPAA Ethernet driver

Mantas M (1):
      net: ipv6: check route protocol when deleting routes

Manuel Bessler (1):
      r6040: move spinlock in r6040_close as SOFTIRQ-unsafe lock order detected

Paul Blakey (2):
      net/sched: cls_flower: Use mask for addr_type
      net/sched: cls_flower: Use masked key when calling HW offloads

Philippe Reynes (5):
      net: chelsio: cxgb2: use new api ethtool_{get|set}_link_ksettings
      net: chelsio: cxgb3: use new api ethtool_{get|set}_link_ksettings
      net: cirrus: ep93xx: use new api ethtool_{get|set}_link_ksettings
      net: davicom: dm9000: use new api ethtool_{get|set}_link_ksettings
      net: sfc: use new api ethtool_{get|set}_link_ksettings

Sudip Mukherjee (1):
      net: mv643xx_eth: fix build failure

Thomas Falcon (1):
      ibmveth: calculate gso_segs for large packets

Thomas Gleixner (1):
      net/3com/3c515: Fix timer handling, prevent leaks and crashes

Timur Tabi (1):
      net: qcom/emac: don't try to claim clocks on ACPI systems

Tom Herbert (2):
      inet: Don't go into port scan when looking for specific bind port
      inet: Fix get port to handle zero port number with soreuseport set

Xin Long (2):
      sctp: sctp_epaddr_lookup_transport should be protected by rcu_read_lock
      sctp: sctp_transport_lookup_process should rcu_read_unlock when transport is null

 MAINTAINERS                                        |   6 ++
 drivers/isdn/gigaset/bas-gigaset.c                 |  32 +++---
 drivers/isdn/gigaset/ser-gigaset.c                 |  32 +++---
 drivers/isdn/gigaset/usb-gigaset.c                 |  32 +++---
 drivers/isdn/hisax/config.c                        |  16 +--
 drivers/isdn/hisax/hisax.h                         |   4 +-
 drivers/isdn/i4l/isdn_concap.c                     |   6 +-
 drivers/isdn/i4l/isdn_x25iface.c                   |  16 +--
 drivers/net/dsa/mv88e6xxx/chip.c                   |   6 ++
 drivers/net/ethernet/3com/3c515.c                  |  15 +--
 drivers/net/ethernet/brocade/bna/bna_enet.c        |   8 +-
 drivers/net/ethernet/cadence/Kconfig               |   9 ++
 drivers/net/ethernet/cadence/Makefile              |   1 +
 drivers/net/ethernet/cadence/macb.c                |  31 +++++-
 drivers/net/ethernet/cadence/macb_pci.c            | 153 ++++++++++++++++++++++++++++
 drivers/net/ethernet/chelsio/cxgb/cxgb2.c          |  64 +++++++-----
 drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c    |  65 ++++++------
 drivers/net/ethernet/cirrus/ep93xx_eth.c           |  14 +--
 drivers/net/ethernet/davicom/dm9000.c              |  14 +--
 drivers/net/ethernet/freescale/dpaa/Kconfig        |   2 +-
 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c     |  71 ++++++-------
 drivers/net/ethernet/hisilicon/hip04_eth.c         |   2 +-
 drivers/net/ethernet/hisilicon/hisi_femac.c        |   2 +-
 drivers/net/ethernet/ibm/ibmveth.c                 |  12 ++-
 drivers/net/ethernet/marvell/mv643xx_eth.c         |   2 +-
 drivers/net/ethernet/mellanox/mlxsw/spectrum.c     |   2 +-
 drivers/net/ethernet/microchip/encx24j600-regmap.c |  17 ++--
 drivers/net/ethernet/microchip/encx24j600.c        |  19 +++-
 drivers/net/ethernet/qlogic/qed/qed_iscsi.c        |   2 +-
 drivers/net/ethernet/qualcomm/emac/emac.c          |   9 ++
 drivers/net/ethernet/rdc/r6040.c                   |  10 +-
 drivers/net/ethernet/sfc/ethtool.c                 |  35 ++++---
 drivers/net/ethernet/sfc/mcdi_port.c               |  60 ++++++-----
 drivers/net/ethernet/sfc/net_driver.h              |  12 +--
 drivers/net/gtp.c                                  |   8 +-
 drivers/net/irda/w83977af_ir.c                     |   6 +-
 drivers/net/virtio_net.c                           | 369 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 drivers/net/vrf.c                                  |   6 +-
 drivers/net/wan/lmc/lmc_media.c                    |  97 +++++++++---------
 include/linux/bpf-cgroup.h                         |   2 +-
 include/linux/bpf.h                                |  13 ++-
 include/linux/filter.h                             |  15 ++-
 include/linux/miscdevice.h                         |   1 +
 include/linux/platform_data/macb.h                 |   6 ++
 include/net/inet6_connection_sock.h                |   3 +-
 include/net/inet_connection_sock.h                 |   6 +-
 include/net/netlink.h                              |   3 +-
 init/Kconfig                                       |   3 +-
 kernel/bpf/core.c                                  |  43 +++++---
 kernel/bpf/syscall.c                               |  38 +++++--
 kernel/bpf/verifier.c                              |  28 ++++--
 net/atm/lec.c                                      |   6 +-
 net/atm/mpoa_caches.c                              |  43 ++++----
 net/core/filter.c                                  |   6 ++
 net/decnet/dn_dev.c                                |   2 +-
 net/ipv4/inet_connection_sock.c                    |  16 +--
 net/ipv6/inet6_connection_sock.c                   |   7 +-
 net/ipv6/route.c                                   |   2 +
 net/irda/irnet/irnet.h                             |   1 -
 net/irda/irnet/irnet_ppp.h                         |  11 +-
 net/irda/irproc.c                                  |   1 -
 net/mac80211/key.c                                 |   3 +-
 net/mac80211/rx.c                                  |   2 +-
 net/mac80211/sta_info.c                            |  14 +--
 net/sched/cls_flower.c                             |   6 +-
 net/sctp/endpointola.c                             |   5 +-
 net/sctp/socket.c                                  |   7 +-
 net/vmw_vsock/vmci_transport_notify.c              |  30 +++---
 net/vmw_vsock/vmci_transport_notify_qstate.c       |  30 +++---
 net/x25/sysctl_net_x25.c                           |   2 +-
 tools/testing/selftests/bpf/test_verifier.c        |  30 +++++-
 71 files changed, 1206 insertions(+), 446 deletions(-)
 create mode 100644 drivers/net/ethernet/cadence/macb_pci.c

^ permalink raw reply

* Re: [PATCH] net: mv643xx_eth: fix build failure
From: David Miller @ 2016-12-18  2:47 UTC (permalink / raw)
  To: sudipm.mukherjee; +Cc: sebastian.hesselbarth, linux-kernel, netdev
In-Reply-To: <1481935505-24475-1-git-send-email-sudipm.mukherjee@gmail.com>

From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Date: Sat, 17 Dec 2016 00:45:05 +0000

> The build of sparc allmodconfig fails with the error:
> "of_irq_to_resource" [drivers/net/ethernet/marvell/mv643xx_eth.ko]
> 	undefined!
> 
> of_irq_to_resource() is defined when CONFIG_OF_IRQ is defined. And also
> CONFIG_OF_IRQ can only be defined if CONFIG_IRQ is defined. So we can
> safely use #if defined(CONFIG_OF_IRQ) in the code.
> 
> Signed-off-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>

Applied, thanks.

^ permalink raw reply

* Re: [PATCH] isdn: Constify some function parameters
From: David Miller @ 2016-12-18  2:46 UTC (permalink / raw)
  To: keescook; +Cc: isdn, linux-kernel, re.emese, netdev
In-Reply-To: <20161216214047.GA90306@beast>

From: Kees Cook <keescook@chromium.org>
Date: Fri, 16 Dec 2016 13:40:47 -0800

> From: Emese Revfy <re.emese@gmail.com>
> 
> The coming initify gcc plugin expects const pointer types, and caught
> some __printf arguments that weren't const yet. This fixes those.
> 
> Signed-off-by: Emese Revfy <re.emese@gmail.com>
> [kees: expanded commit message]
> Signed-off-by: Kees Cook <keescook@chromium.org>

Applied.

^ permalink raw reply

* Re: [patch net] mlxsw: spectrum: Mark split ports as such
From: David Miller @ 2016-12-18  2:45 UTC (permalink / raw)
  To: jiri; +Cc: netdev, idosch, eladr, yotamg, nogahf, arkadis, tamirw
In-Reply-To: <1481912943-2864-1-git-send-email-jiri@resnulli.us>

From: Jiri Pirko <jiri@resnulli.us>
Date: Fri, 16 Dec 2016 19:29:03 +0100

> From: Ido Schimmel <idosch@mellanox.com>
> 
> When a port is split we should mark it as such, as otherwise the split
> ports aren't renamed correctly (e.g. sw1p3 -> sw1p3s1) and the unsplit
> operation fails:
> 
> $ devlink port split sw1p3 count 4
> $ devlink port unsplit eth0
> devlink answers: Invalid argument
> [  598.565307] mlxsw_spectrum 0000:03:00.0 eth0: Port wasn't split
> 
> Fixes: 67963a33b4fd ("mlxsw: Make devlink port instances independent of spectrum/switchx2 port instances")
> Signed-off-by: Ido Schimmel <idosch@mellanox.com>
> Reported-by: Tamir Winetroub <tamirw@mellanox.com>
> Reviewed-by: Elad Raz <eladr@mellanox.com>
> Tested-by: Tamir Winetroub <tamirw@mellanox.com>
> Signed-off-by: Jiri Pirko <jiri@mellanox.com>

Applied, thanks Jiri.

^ permalink raw reply

* Re: [PATCH] cgroup: Fix CGROUP_BPF config
From: David Miller @ 2016-12-18  2:43 UTC (permalink / raw)
  To: luto; +Cc: alexei.starovoitov, daniel, netdev
In-Reply-To: <8d48c3940f8d0275da6398ea5bcef14e20233db5.1481905995.git.luto@kernel.org>

From: Andy Lutomirski <luto@kernel.org>
Date: Fri, 16 Dec 2016 08:33:45 -0800

> CGROUP_BPF depended on SOCK_CGROUP_DATA which can't be manually
> enabled, making it rather challenging to turn CGROUP_BPF on.
> 
> Signed-off-by: Andy Lutomirski <luto@kernel.org>

Applied, thanks.

^ permalink raw reply

* Re: pull-request: mac80211 2016-12-16
From: David Miller @ 2016-12-18  2:42 UTC (permalink / raw)
  To: johannes; +Cc: netdev, linux-wireless
In-Reply-To: <20161216123957.16744-1-johannes@sipsolutions.net>

From: Johannes Berg <johannes@sipsolutions.net>
Date: Fri, 16 Dec 2016 13:39:56 +0100

> Since you seem to be updating net, I thought I'd send you a few fixes.
> These aren't really all that important though, so if you want to let
> them wait for a bit I can live with that.
> 
> Please pull and let me know if there's any problem.

Pulled, thanks.

^ permalink raw reply

* Re: [PATCH net] qed: fix old-style function definition
From: David Miller @ 2016-12-18  2:39 UTC (permalink / raw)
  To: arnd
  Cc: Yuval.Mintz, Ariel.Elior, everest-linux-l2, arun.easi, hare,
	jthumshirn, netdev, linux-kernel
In-Reply-To: <20161216084808.1815139-1-arnd@arndb.de>

From: Arnd Bergmann <arnd@arndb.de>
Date: Fri, 16 Dec 2016 09:47:41 +0100

> The newly added file causes a harmless warning, with "make W=1":
> 
> drivers/net/ethernet/qlogic/qed/qed_iscsi.c: In function 'qed_get_iscsi_ops':
> drivers/net/ethernet/qlogic/qed/qed_iscsi.c:1268:29: warning: old-style function definition [-Wold-style-definition]
> 
> This makes it a proper prototype.
> 
> Fixes: fc831825f99e ("qed: Add support for hardware offloaded iSCSI.")
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>

Applied.

^ permalink raw reply

* Re: [PATCH] net: ipv6: check route protocol when deleting routes
From: David Miller @ 2016-12-18  2:37 UTC (permalink / raw)
  To: grawity; +Cc: netdev, linux-kernel
In-Reply-To: <20161216083059.251368-1-grawity@gmail.com>

From: Mantas Mikulėnas <grawity@gmail.com>
Date: Fri, 16 Dec 2016 10:30:59 +0200

> The protocol field is checked when deleting IPv4 routes, but ignored for
> IPv6, which causes problems with routing daemons accidentally deleting
> externally set routes (observed by multiple bird6 users).
> 
> This can be verified using `ip -6 route del <prefix> proto something`.
> 
> Signed-off-by: Mantas Mikulėnas <grawity@gmail.com>

Applied, thanks.

^ permalink raw reply

* Re: [PATCH v3 net] r6040: move spinlock in r6040_close as SOFTIRQ-unsafe lock order detected
From: David Miller @ 2016-12-18  2:36 UTC (permalink / raw)
  To: manuel.bessler; +Cc: netdev, f.fainelli
In-Reply-To: <1481860500-25117-1-git-send-email-manuel.bessler@sensus.com>

From: Manuel Bessler <manuel.bessler@sensus.com>
Date: Thu, 15 Dec 2016 22:55:00 -0500

> 'ifconfig eth0 down' makes r6040_close() trigger:
>  INFO: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected
> 
> Fixed by moving calls to phy_stop(), napi_disable(), netif_stop_queue()
> to outside of the module's private spin_lock_irq block.
> 
> Found on a Versalogic Tomcat SBC with a Vortex86 SoC
 ...
> Signed-off-by: Manuel Bessler <manuel.bessler@sensus.com>

Applied, thanks.

^ permalink raw reply

* Re: [patch net-next] irda: w83977af_ir: cleanup an indent issue
From: David Miller @ 2016-12-18  2:33 UTC (permalink / raw)
  To: dan.carpenter; +Cc: samuel, joe, netdev, kernel-janitors
In-Reply-To: <20161212112134.GA10035@elgon.mountain>

From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Mon, 12 Dec 2016 14:21:34 +0300

> In commit 99d8d2159d7c ("irda: w83977af_ir: Neaten logging"), we
> accidentally added an extra tab to these lines.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Applied.

^ permalink raw reply

* Re: [PATCH] net: sfc: use new api ethtool_{get|set}_link_ksettings
From: David Miller @ 2016-12-18  2:32 UTC (permalink / raw)
  To: tremyfr; +Cc: linux-net-drivers, ecree, bkenward, netdev, linux-kernel
In-Reply-To: <1481757173-16000-1-git-send-email-tremyfr@gmail.com>

From: Philippe Reynes <tremyfr@gmail.com>
Date: Thu, 15 Dec 2016 00:12:53 +0100

> The ethtool api {get|set}_settings is deprecated.
> We move this driver to new api {get|set}_link_ksettings.
> 
> Signed-off-by: Philippe Reynes <tremyfr@gmail.com>

Applied.

^ permalink raw reply

* Re: [PATCH] net: davicom: dm9000: use new api ethtool_{get|set}_link_ksettings
From: David Miller @ 2016-12-18  2:32 UTC (permalink / raw)
  To: tremyfr
  Cc: robert.jarzmik, mugunthanvnm, marcel, jarod, s.nawrocki, fw,
	harvey.hunt, netdev
In-Reply-To: <1481706118-13076-1-git-send-email-tremyfr@gmail.com>

From: Philippe Reynes <tremyfr@gmail.com>
Date: Wed, 14 Dec 2016 10:01:58 +0100

> The ethtool api {get|set}_settings is deprecated.
> We move this driver to new api {get|set}_link_ksettings.
> 
> Signed-off-by: Philippe Reynes <tremyfr@gmail.com>

Applied.

^ permalink raw reply

* Re: [PATCH] net: cirrus: ep93xx: use new api ethtool_{get|set}_link_ksettings
From: David Miller @ 2016-12-18  2:32 UTC (permalink / raw)
  To: tremyfr; +Cc: hsweeten, netdev, linux-kernel
In-Reply-To: <1481581713-6590-1-git-send-email-tremyfr@gmail.com>

From: Philippe Reynes <tremyfr@gmail.com>
Date: Mon, 12 Dec 2016 23:28:33 +0100

> The ethtool api {get|set}_settings is deprecated.
> We move this driver to new api {get|set}_link_ksettings.
> 
> Signed-off-by: Philippe Reynes <tremyfr@gmail.com>

Applied.

^ permalink raw reply

* Re: [PATCH] net: chelsio: cxgb3: use new api ethtool_{get|set}_link_ksettings
From: David Miller @ 2016-12-18  2:31 UTC (permalink / raw)
  To: tremyfr; +Cc: santosh, netdev, linux-kernel
In-Reply-To: <1481498870-16946-1-git-send-email-tremyfr@gmail.com>

From: Philippe Reynes <tremyfr@gmail.com>
Date: Mon, 12 Dec 2016 00:27:49 +0100

> The ethtool api {get|set}_settings is deprecated.
> We move this driver to new api {get|set}_link_ksettings.
> 
> Signed-off-by: Philippe Reynes <tremyfr@gmail.com>

Applied.

^ permalink raw reply

* Re: [PATCH] net: chelsio: cxgb2: use new api ethtool_{get|set}_link_ksettings
From: David Miller @ 2016-12-18  2:31 UTC (permalink / raw)
  To: tremyfr; +Cc: jarod, netdev, linux-kernel
In-Reply-To: <1481492870-12222-1-git-send-email-tremyfr@gmail.com>

From: Philippe Reynes <tremyfr@gmail.com>
Date: Sun, 11 Dec 2016 22:47:50 +0100

> The ethtool api {get|set}_settings is deprecated.
> We move this driver to new api {get|set}_link_ksettings.
> 
> Signed-off-by: Philippe Reynes <tremyfr@gmail.com>

Applied.

^ permalink raw reply

* Re: [PATCH net v2 0/3] Couple of BPF fixes
From: David Miller @ 2016-12-18  2:28 UTC (permalink / raw)
  To: daniel; +Cc: ast, kafai, netdev
In-Reply-To: <cover.1482019225.git.daniel@iogearbox.net>

From: Daniel Borkmann <daniel@iogearbox.net>
Date: Sun, 18 Dec 2016 01:52:56 +0100

> This set contains three BPF fixes for net, one that addresses the
> complaint from Geert wrt static allocations, and the other is a fix
> wrt mem accounting that I found recently during testing and there's
> still one more fix on the map value marking.
> 
> Thanks!
> 
> v1 -> v2:
>   - Patch 1 as is.
>   - Fixed kbuild bot issue by letting charging helpers stay in the
>     syscall.c, since there locked_vm is valid and only export the
>     ones needed by bpf_prog_realloc(). Add empty stubs in case the
>     bpf syscall is not enabled.
>   - Added patch 3 that addresses one more issue in map val marking.

Series applied, thanks Daniel.

^ permalink raw reply

* [PATCH net] ipvlan: fix crash
From: Mahesh Bandewar @ 2016-12-18  2:16 UTC (permalink / raw)
  To: netdev, Eric Dumazet, David Miller; +Cc: Mahesh Bandewar

From: Mahesh Bandewar <maheshb@google.com>

------------[ cut here ]------------
kernel BUG at include/linux/skbuff.h:1737!
Call Trace:
 [<ffffffff921fbbc2>] dev_forward_skb+0x92/0xd0
 [<ffffffffc031ac65>] ipvlan_process_multicast+0x395/0x4c0 [ipvlan]
 [<ffffffffc031a9a7>] ? ipvlan_process_multicast+0xd7/0x4c0 [ipvlan]
 [<ffffffff91cdfea7>] ? process_one_work+0x147/0x660
 [<ffffffff91cdff09>] process_one_work+0x1a9/0x660
 [<ffffffff91cdfea7>] ? process_one_work+0x147/0x660
 [<ffffffff91ce086d>] worker_thread+0x11d/0x360
 [<ffffffff91ce0750>] ? rescuer_thread+0x350/0x350
 [<ffffffff91ce960b>] kthread+0xdb/0xe0
 [<ffffffff91c05c70>] ? _raw_spin_unlock_irq+0x30/0x50
 [<ffffffff91ce9530>] ? flush_kthread_worker+0xc0/0xc0
 [<ffffffff92348b7a>] ret_from_fork+0x9a/0xd0
 [<ffffffff91ce9530>] ? flush_kthread_worker+0xc0/0xc0

Signed-off-by: Mahesh Bandewar <maheshb@google.com>
---
 drivers/net/ipvlan/ipvlan_core.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
index b4e990743e1d..4294fc1f5564 100644
--- a/drivers/net/ipvlan/ipvlan_core.c
+++ b/drivers/net/ipvlan/ipvlan_core.c
@@ -660,6 +660,9 @@ rx_handler_result_t ipvlan_handle_frame(struct sk_buff **pskb)
 	if (!port)
 		return RX_HANDLER_PASS;
 
+	if (unlikely(!pskb_may_pull(skb, sizeof(struct ethhdr))))
+		goto out;
+
 	switch (port->mode) {
 	case IPVLAN_MODE_L2:
 		return ipvlan_handle_mode_l2(pskb, port);
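Review bot: the `goto out` taken when `pskb_may_pull()` fails drops the frame silently, with no counter or rate-limited message at the branch. Since the commit log presents this as a crash fix, count the drop in an rx drop or error statistic so that hits on this path are visible in the field.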
@@ -672,6 +675,8 @@ rx_handler_result_t ipvlan_handle_frame(struct sk_buff **pskb)
 	/* Should not reach here */
 	WARN_ONCE(true, "ipvlan_handle_frame() called for mode = [%hx]\n",
 			  port->mode);
+
+out:
 	kfree_skb(skb);
 	return RX_HANDLER_CONSUMED;
 }
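Review bot: placing `out:` directly under the `WARN_ONCE()` leaves the `/* Should not reach here */` comment sitting above a tail that the short-frame path now reaches deliberately. Move the comment so it clearly covers only the `WARN_ONCE()`, or name the label for what it does (e.g. `drop:`), to keep the two cases distinct for the next reader.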
-- 
2.8.0.rc3.226.g39d4020

^ permalink raw reply related

* [PATCH net v2 3/3] bpf: fix mark_reg_unknown_value for spilled regs on map value marking
From: Daniel Borkmann @ 2016-12-18  0:52 UTC (permalink / raw)
  To: davem; +Cc: ast, kafai, netdev, Daniel Borkmann
In-Reply-To: <cover.1482019225.git.daniel@iogearbox.net>

Martin reported a verifier issue that hit the BUG_ON() for his
test case in the mark_reg_unknown_value() function:

  [  202.861380] kernel BUG at kernel/bpf/verifier.c:467!
  [...]
  [  203.291109] Call Trace:
  [  203.296501]  [<ffffffff811364d5>] mark_map_reg+0x45/0x50
  [  203.308225]  [<ffffffff81136558>] mark_map_regs+0x78/0x90
  [  203.320140]  [<ffffffff8113938d>] do_check+0x226d/0x2c90
  [  203.331865]  [<ffffffff8113a6ab>] bpf_check+0x48b/0x780
  [  203.343403]  [<ffffffff81134c8e>] bpf_prog_load+0x27e/0x440
  [  203.355705]  [<ffffffff8118a38f>] ? handle_mm_fault+0x11af/0x1230
  [  203.369158]  [<ffffffff812d8188>] ? security_capable+0x48/0x60
  [  203.382035]  [<ffffffff811351a4>] SyS_bpf+0x124/0x960
  [  203.393185]  [<ffffffff810515f6>] ? __do_page_fault+0x276/0x490
  [  203.406258]  [<ffffffff816db320>] entry_SYSCALL_64_fastpath+0x13/0x94

This issue got uncovered after the fix in a08dd0da5307 ("bpf: fix
regression on verifier pruning wrt map lookups"). The reason why it
wasn't noticed before was, because as mentioned in a08dd0da5307,
mark_map_regs() was doing the id matching incorrectly based on the
uncached regs[regno].id. So, in the first loop, we walked all regs
and as soon as we found regno == i, then this reg's id was cleared
when calling mark_reg_unknown_value() thus that every subsequent
register was probed against id of 0 (which, in combination with the
PTR_TO_MAP_VALUE_OR_NULL type is an invalid condition that no other
register state can hold), and therefore wasn't type transitioned such
as in the spilled register case for the second loop.

Now since that got fixed, it turned out that 57a09bf0a416 ("bpf:
Detect identical PTR_TO_MAP_VALUE_OR_NULL registers") used
mark_reg_unknown_value() incorrectly for the spilled regs, and thus
hitting the BUG_ON() in some cases due to regno >= MAX_BPF_REG.

Although spilled regs have the same type as the non-spilled regs
for the verifier state, that is, struct bpf_reg_state, they are
semantically different from the non-spilled regs. In other words,
there can be up to 64 (MAX_BPF_STACK / BPF_REG_SIZE) spilled regs
in the stack, for example, register R<x> could have been spilled by
the program to stack location X, Y, Z, and in mark_map_regs() we
need to scan these stack slots of type STACK_SPILL for potential
registers that we have to transition from PTR_TO_MAP_VALUE_OR_NULL.
Therefore, depending on the location, the spilled_regs regno can
be a lot higher than just MAX_BPF_REG's value since we operate on
stack instead. The reset in mark_reg_unknown_value() itself is
just fine, only that the BUG_ON() was inappropriate for this. Fix
it by making a __mark_reg_unknown_value() version that can be
called from mark_map_reg() generically; we know for the non-spilled
case that the regno is always < MAX_BPF_REG anyway.

Fixes: 57a09bf0a416 ("bpf: Detect identical PTR_TO_MAP_VALUE_OR_NULL registers")
Reported-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
---
 kernel/bpf/verifier.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 64b7b1a..83ed2f8 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -462,14 +462,19 @@ static void init_reg_state(struct bpf_reg_state *regs)
 	regs[BPF_REG_1].type = PTR_TO_CTX;
 }
 
-static void mark_reg_unknown_value(struct bpf_reg_state *regs, u32 regno)
+static void __mark_reg_unknown_value(struct bpf_reg_state *regs, u32 regno)
 {
-	BUG_ON(regno >= MAX_BPF_REG);
 	regs[regno].type = UNKNOWN_VALUE;
 	regs[regno].id = 0;
 	regs[regno].imm = 0;
 }
 
+static void mark_reg_unknown_value(struct bpf_reg_state *regs, u32 regno)
+{
+	BUG_ON(regno >= MAX_BPF_REG);
+	__mark_reg_unknown_value(regs, regno);
+}
+
 static void reset_reg_range_values(struct bpf_reg_state *regs, u32 regno)
 {
 	regs[regno].min_value = BPF_REGISTER_MIN_RANGE;
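Review bot: `__mark_reg_unknown_value()` now indexes `regs[regno]` with no bound at all, and nothing at its definition says what the caller must guarantee. Add a comment stating that `regs` may be either the register file or the spilled-regs array and that the caller is responsible for `regno` being inside whichever array is passed; a bound against the spilled slot count on the spilled path would keep part of the protection the removed `BUG_ON()` gave.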
@@ -1976,7 +1981,7 @@ static void mark_map_reg(struct bpf_reg_state *regs, u32 regno, u32 id,
 		 */
 		reg->id = 0;
 		if (type == UNKNOWN_VALUE)
-			mark_reg_unknown_value(regs, regno);
+			__mark_reg_unknown_value(regs, regno);
 	}
 }
 
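Review bot: the switch to `__mark_reg_unknown_value()` in `mark_map_reg()` comes without a test; the diffstat lists only kernel/bpf/verifier.c. Add a verifier selftest that spills a PTR_TO_MAP_VALUE_OR_NULL register to a stack slot whose index is >= MAX_BPF_REG and then takes the NULL branch, so the path that used to hit the BUG_ON() is exercised.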
-- 
1.9.3

^ permalink raw reply related
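
An added illustration (not part of the original message or of the kernel tree) that models, in userspace C, the three states the commit message above walks through: uncached id matching, cached id with the bounds-checked reset, and cached id with the unchecked reset. The struct layout, the helper names and the R0/R6/stack-slot-20 scenario are assumptions made for the example.

```c
/* Userspace model of the verifier bookkeeping in the commit message above.
 * Added illustration, not kernel code: layout, helper names, scenario assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BPF_REG 11           /* R0..R10 */
#define MAX_SPILLED (512 / 8)    /* MAX_BPF_STACK / BPF_REG_SIZE = 64 slots */

enum reg_type { NOT_INIT, UNKNOWN_VALUE, PTR_TO_MAP_VALUE_OR_NULL };
struct reg_state { enum reg_type type; uint32_t id; };
struct vstate {
	struct reg_state regs[MAX_BPF_REG];
	int is_spill[MAX_SPILLED];          /* 1 = slot holds a spilled reg */
	struct reg_state spilled_regs[MAX_SPILLED];
};
static int bug_hits;   /* times the modelled BUG_ON() condition was met */

/* Unchecked reset: the caller guarantees idx is inside the array passed. */
static void reset_unknown(struct reg_state *regs, uint32_t idx)
{
	regs[idx].type = UNKNOWN_VALUE;
	regs[idx].id = 0;
}

/* Checked reset: only meaningful for the real register file. */
static void reset_unknown_checked(struct reg_state *regs, uint32_t idx)
{
	if (idx >= MAX_BPF_REG)
		bug_hits++;                 /* the kernel would BUG() here */
	else
		reset_unknown(regs, idx);
}

static void mark_map_reg(struct reg_state *regs, uint32_t idx, uint32_t id,
			 enum reg_type type, int checked)
{
	struct reg_state *reg = &regs[idx];

	if (reg->type != PTR_TO_MAP_VALUE_OR_NULL || reg->id != id)
		return;
	reg->type = type;
	reg->id = 0;
	if (type != UNKNOWN_VALUE)
		return;
	if (checked)
		reset_unknown_checked(regs, idx);
	else
		reset_unknown(regs, idx);
}

/* cache_id = 0 re-reads regs[regno].id at every step (the old matching the
 * message describes); cache_id = 1 takes a snapshot before the walk. */
static void mark_map_regs(struct vstate *st, uint32_t regno,
			  enum reg_type type, int cache_id, int checked)
{
	uint32_t snap = st->regs[regno].id, i;
	const uint32_t *id = cache_id ? &snap : &st->regs[regno].id;

	for (i = 0; i < MAX_BPF_REG; i++)
		mark_map_reg(st->regs, i, *id, type, checked);
	for (i = 0; i < MAX_SPILLED; i++)
		if (st->is_spill[i])
			mark_map_reg(st->spilled_regs, i, *id, type, checked);
}

/* Constructed scenario: R0 holds a map-lookup result with id 1, was copied to
 * R6 and spilled to stack slot 20. Returns the BUG_ON() hits; *stale counts
 * entries still typed PTR_TO_MAP_VALUE_OR_NULL after marking the NULL branch. */
int run_scenario(int cache_id, int checked, int *stale)
{
	struct vstate st;
	uint32_t i;

	memset(&st, 0, sizeof(st));
	st.regs[0] = st.regs[6] = (struct reg_state){ PTR_TO_MAP_VALUE_OR_NULL, 1 };
	st.is_spill[20] = 1;
	st.spilled_regs[20] = st.regs[0];
	bug_hits = 0;
	mark_map_regs(&st, 0, UNKNOWN_VALUE, cache_id, checked);
	*stale = 0;
	for (i = 0; i < MAX_BPF_REG; i++)
		*stale += st.regs[i].type == PTR_TO_MAP_VALUE_OR_NULL;
	for (i = 0; i < MAX_SPILLED; i++)
		*stale += st.is_spill[i] && st.spilled_regs[i].type == PTR_TO_MAP_VALUE_OR_NULL;
	return bug_hits;
}

int main(void)
{
	static const int modes[3][2] = { {0, 1}, {1, 1}, {1, 0} };
	int i, stale, hits;
	for (i = 0; i < 3; i++) {
		hits = run_scenario(modes[i][0], modes[i][1], &stale);
		printf("cache_id=%d checked=%d: BUG hits=%d stale=%d\n", modes[i][0], modes[i][1], hits, stale);
	}
	return 0;
}
```

With uncached matching the copy in R6 and the spilled slot keep their pointer type and the checked reset is never reached for the stack slot, which is why the bounds check went unnoticed until the id matching was fixed.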

* [PATCH net v2 2/3] bpf: fix overflow in prog accounting
From: Daniel Borkmann @ 2016-12-18  0:52 UTC (permalink / raw)
  To: davem; +Cc: ast, kafai, netdev, Daniel Borkmann
In-Reply-To: <cover.1482019225.git.daniel@iogearbox.net>

Commit aaac3ba95e4c ("bpf: charge user for creation of BPF maps and
programs") made a wrong assumption of charging against prog->pages.
Unlike map->pages, prog->pages are still subject to change when we
need to expand the program through bpf_prog_realloc().

This can for example happen during verification stage when we need to
expand and rewrite parts of the program. Should the required space
cross a page boundary, then prog->pages is not the same anymore as
its original value that we used to bpf_prog_charge_memlock() on. Thus,
we'll hit a wrap-around during bpf_prog_uncharge_memlock() when prog
is freed eventually. I noticed that despite having unlimited
memlock, programs suddenly refused to load with EPERM error due to
insufficient memlock.

There are two ways to fix this issue. One would be to add a cached
variable to struct bpf_prog that takes a snapshot of prog->pages at the
time of charging. The other approach is to also account for resizes. I
chose to go with the latter for a couple of reasons: i) We want accounting
rather to be more accurate instead of further fooling limits, ii) adding
yet another page counter on struct bpf_prog would also be a waste just
for this purpose. We also do want to charge as early as possible to
avoid going into the verifier just to find out later on that we crossed
limits. The only place that needs to be fixed is bpf_prog_realloc(),
since only here we expand the program, so we try to account for the
needed delta and should we fail, call-sites check for outcome anyway.
On cBPF to eBPF migrations, we don't grab a reference to the user as
they are charged differently. With that in place, my test case worked
fine.

Fixes: aaac3ba95e4c ("bpf: charge user for creation of BPF maps and programs")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
---
 include/linux/bpf.h  | 11 +++++++++++
 kernel/bpf/core.c    | 16 +++++++++++++---
 kernel/bpf/syscall.c | 36 ++++++++++++++++++++++++++++--------
 3 files changed, 52 insertions(+), 11 deletions(-)

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 201eb48..f74ae68 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -238,6 +238,8 @@ u64 bpf_event_output(struct bpf_map *map, u64 flags, void *meta, u64 meta_size,
 void bpf_prog_sub(struct bpf_prog *prog, int i);
 struct bpf_prog * __must_check bpf_prog_inc(struct bpf_prog *prog);
 void bpf_prog_put(struct bpf_prog *prog);
+int __bpf_prog_charge(struct user_struct *user, u32 pages);
+void __bpf_prog_uncharge(struct user_struct *user, u32 pages);
 
 struct bpf_map *bpf_map_get_with_uref(u32 ufd);
 struct bpf_map *__bpf_map_get(struct fd f);
@@ -318,6 +320,15 @@ static inline struct bpf_prog * __must_check bpf_prog_inc(struct bpf_prog *prog)
 {
 	return ERR_PTR(-EOPNOTSUPP);
 }
+
+static inline int __bpf_prog_charge(struct user_struct *user, u32 pages)
+{
+	return 0;
+}
+
+static inline void __bpf_prog_uncharge(struct user_struct *user, u32 pages)
+{
+}
 #endif /* CONFIG_BPF_SYSCALL */
 
 /* verifier prototypes for helper functions called from eBPF programs */
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 75c08b8..1eb4f13 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -105,19 +105,29 @@ struct bpf_prog *bpf_prog_realloc(struct bpf_prog *fp_old, unsigned int size,
 	gfp_t gfp_flags = GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO |
 			  gfp_extra_flags;
 	struct bpf_prog *fp;
+	u32 pages, delta;
+	int ret;
 
 	BUG_ON(fp_old == NULL);
 
 	size = round_up(size, PAGE_SIZE);
-	if (size <= fp_old->pages * PAGE_SIZE)
+	pages = size / PAGE_SIZE;
+	if (pages <= fp_old->pages)
 		return fp_old;
 
+	delta = pages - fp_old->pages;
+	ret = __bpf_prog_charge(fp_old->aux->user, delta);
+	if (ret)
+		return NULL;
+
 	fp = __vmalloc(size, gfp_flags, PAGE_KERNEL);
-	if (fp != NULL) {
+	if (fp == NULL) {
+		__bpf_prog_uncharge(fp_old->aux->user, delta);
+	} else {
 		kmemcheck_annotate_bitfield(fp, meta);
 
 		memcpy(fp, fp_old, fp_old->pages * PAGE_SIZE);
-		fp->pages = size / PAGE_SIZE;
+		fp->pages = pages;
 		fp->aux->prog = fp;
 
 		/* We keep fp->aux from fp_old around in the new
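Review bot: In bpf_prog_realloc(), a failed __bpf_prog_charge() now returns NULL, the same value the caller sees when __vmalloc() fails, so hitting the memlock limit (-EPERM from the helper) cannot be told apart from an allocation failure at the call site. The commit message says call sites check the outcome anyway; a short comment above `if (ret) return NULL;` stating that both cases are reported as NULL would keep the next reader from assuming NULL always means out of memory. The uncharge on the `fp == NULL` branch undoes exactly `delta`, which matches what was charged.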
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 35d674c..e89acea 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -615,19 +615,39 @@ static void free_used_maps(struct bpf_prog_aux *aux)
 	kfree(aux->used_maps);
 }
 
+int __bpf_prog_charge(struct user_struct *user, u32 pages)
+{
+	unsigned long memlock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
+	unsigned long user_bufs;
+
+	if (user) {
+		user_bufs = atomic_long_add_return(pages, &user->locked_vm);
+		if (user_bufs > memlock_limit) {
+			atomic_long_sub(pages, &user->locked_vm);
+			return -EPERM;
+		}
+	}
+
+	return 0;
+}
+
+void __bpf_prog_uncharge(struct user_struct *user, u32 pages)
+{
+	if (user)
+		atomic_long_sub(pages, &user->locked_vm);
+}
+
 static int bpf_prog_charge_memlock(struct bpf_prog *prog)
 {
 	struct user_struct *user = get_current_user();
-	unsigned long memlock_limit;
-
-	memlock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
+	int ret;
 
-	atomic_long_add(prog->pages, &user->locked_vm);
-	if (atomic_long_read(&user->locked_vm) > memlock_limit) {
-		atomic_long_sub(prog->pages, &user->locked_vm);
+	ret = __bpf_prog_charge(user, prog->pages);
+	if (ret) {
 		free_uid(user);
-		return -EPERM;
+		return ret;
 	}
+
 	prog->aux->user = user;
 	return 0;
 }
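Review bot: __bpf_prog_charge() takes the counter from its `user` argument but the limit from `rlimit(RLIMIT_MEMLOCK)`, which is the calling task's limit. Now that the helper is exported and called from bpf_prog_realloc() with `fp_old->aux->user`, that pairing deserves a comment above the function, together with a note that `user` may be NULL (the cBPF to eBPF migration case from the commit message) and that nothing is charged then. The switch to atomic_long_add_return(), so that the check uses the value produced by this add instead of a separate atomic_long_read(), is a behavioural change worth mentioning in the commit message.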
@@ -636,7 +656,7 @@ static void bpf_prog_uncharge_memlock(struct bpf_prog *prog)
 {
 	struct user_struct *user = prog->aux->user;
 
-	atomic_long_sub(prog->pages, &user->locked_vm);
+	__bpf_prog_uncharge(user, prog->pages);
 	free_uid(user);
 }
 
-- 
1.9.3

^ permalink raw reply related

* [PATCH net v2 1/3] bpf: dynamically allocate digest scratch buffer
From: Daniel Borkmann @ 2016-12-18  0:52 UTC (permalink / raw)
  To: davem; +Cc: ast, kafai, netdev, Daniel Borkmann
In-Reply-To: <cover.1482019225.git.daniel@iogearbox.net>

Geert rightfully complained that 7bd509e311f4 ("bpf: add prog_digest
and expose it via fdinfo/netlink") added a too large allocation of
variable 'raw' from bss section, and should instead be done dynamically:

  # ./scripts/bloat-o-meter kernel/bpf/core.o.1 kernel/bpf/core.o.2
  add/remove: 3/0 grow/shrink: 0/0 up/down: 33291/0 (33291)
  function                                     old     new   delta
  raw                                            -   32832  +32832
  [...]

Since this is only relevant during program creation path, which can be
considered slow-path anyway, let's allocate that dynamically and not be
implicitly dependent on verifier mutex. Move bpf_prog_calc_digest() to
the beginning of replace_map_fd_with_map_ptr() and also error handling
stays straightforward.

Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
---
 include/linux/bpf.h    |  2 +-
 include/linux/filter.h | 14 +++++++++++---
 kernel/bpf/core.c      | 27 ++++++++++++++++-----------
 kernel/bpf/syscall.c   |  2 +-
 kernel/bpf/verifier.c  |  6 ++++--
 5 files changed, 33 insertions(+), 18 deletions(-)

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 8796ff0..201eb48 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -216,7 +216,7 @@ struct bpf_event_entry {
 u64 bpf_get_stackid(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5);
 
 bool bpf_prog_array_compatible(struct bpf_array *array, const struct bpf_prog *fp);
-void bpf_prog_calc_digest(struct bpf_prog *fp);
+int bpf_prog_calc_digest(struct bpf_prog *fp);
 
 const struct bpf_func_proto *bpf_get_trace_printk_proto(void);
 
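Review bot: bpf_prog_calc_digest() now returns an error code, so the prototype could be declared as `int __must_check bpf_prog_calc_digest(struct bpf_prog *fp);`, the same annotation bpf_prog_inc() carries in this header, so that a caller ignoring the -ENOMEM result is flagged at build time.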
diff --git a/include/linux/filter.h b/include/linux/filter.h
index af8a180..7023142 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -57,9 +57,6 @@
 /* BPF program can access up to 512 bytes of stack space. */
 #define MAX_BPF_STACK	512
 
-/* Maximum BPF program size in bytes. */
-#define MAX_BPF_SIZE	(BPF_MAXINSNS * sizeof(struct bpf_insn))
-
 /* Helper macros for filter block array initializers. */
 
 /* ALU ops on registers, bpf_add|sub|...: dst_reg += src_reg */
@@ -517,6 +514,17 @@ static __always_inline u32 bpf_prog_run_xdp(const struct bpf_prog *prog,
 	return BPF_PROG_RUN(prog, xdp);
 }
 
+static inline u32 bpf_prog_insn_size(const struct bpf_prog *prog)
+{
+	return prog->len * sizeof(struct bpf_insn);
+}
+
+static inline u32 bpf_prog_digest_scratch_size(const struct bpf_prog *prog)
+{
+	return round_up(bpf_prog_insn_size(prog) +
+			sizeof(__be64) + 1, SHA_MESSAGE_BYTES);
+}
+
 static inline unsigned int bpf_prog_size(unsigned int proglen)
 {
 	return max(sizeof(struct bpf_prog),
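Review bot: bpf_prog_digest_scratch_size() carries an unexplained `sizeof(__be64) + 1`; a one-line comment saying that it reserves the 0x80 padding byte and the 64-bit length field that bpf_prog_calc_digest() appends, before rounding up to SHA_MESSAGE_BYTES, would document why the buffer is sized this way. Both helpers also return u32 from `prog->len * sizeof(struct bpf_insn)`, and that value now sizes a vmalloc() and a memset(), so it is worth stating in a comment which bound on prog->len keeps the product within u32.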
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 83e0d15..75c08b8 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -136,28 +136,29 @@ void __bpf_prog_free(struct bpf_prog *fp)
 	vfree(fp);
 }
 
-#define SHA_BPF_RAW_SIZE						\
-	round_up(MAX_BPF_SIZE + sizeof(__be64) + 1, SHA_MESSAGE_BYTES)
-
-/* Called under verifier mutex. */
-void bpf_prog_calc_digest(struct bpf_prog *fp)
+int bpf_prog_calc_digest(struct bpf_prog *fp)
 {
 	const u32 bits_offset = SHA_MESSAGE_BYTES - sizeof(__be64);
-	static u32 ws[SHA_WORKSPACE_WORDS];
-	static u8 raw[SHA_BPF_RAW_SIZE];
-	struct bpf_insn *dst = (void *)raw;
+	u32 raw_size = bpf_prog_digest_scratch_size(fp);
+	u32 ws[SHA_WORKSPACE_WORDS];
 	u32 i, bsize, psize, blocks;
+	struct bpf_insn *dst;
 	bool was_ld_map;
-	u8 *todo = raw;
+	u8 *raw, *todo;
 	__be32 *result;
 	__be64 *bits;
 
+	raw = vmalloc(raw_size);
+	if (!raw)
+		return -ENOMEM;
+
 	sha_init(fp->digest);
 	memset(ws, 0, sizeof(ws));
 
 	/* We need to take out the map fd for the digest calculation
 	 * since they are unstable from user space side.
 	 */
+	dst = (void *)raw;
 	for (i = 0, was_ld_map = false; i < fp->len; i++) {
 		dst[i] = fp->insnsi[i];
 		if (!was_ld_map &&
@@ -177,12 +178,13 @@ void bpf_prog_calc_digest(struct bpf_prog *fp)
 		}
 	}
 
-	psize = fp->len * sizeof(struct bpf_insn);
-	memset(&raw[psize], 0, sizeof(raw) - psize);
+	psize = bpf_prog_insn_size(fp);
+	memset(&raw[psize], 0, raw_size - psize);
 	raw[psize++] = 0x80;
 
 	bsize  = round_up(psize, SHA_MESSAGE_BYTES);
 	blocks = bsize / SHA_MESSAGE_BYTES;
+	todo   = raw;
 	if (bsize - psize >= sizeof(__be64)) {
 		bits = (__be64 *)(todo + bsize - sizeof(__be64));
 	} else {
@@ -199,6 +201,9 @@ void bpf_prog_calc_digest(struct bpf_prog *fp)
 	result = (__force __be32 *)fp->digest;
 	for (i = 0; i < SHA_DIGEST_WORDS; i++)
 		result[i] = cpu_to_be32(fp->digest[i]);
+
+	vfree(raw);
+	return 0;
 }
 
 static bool bpf_is_jmp_and_has_target(const struct bpf_insn *insn)
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 4819ec9..35d674c 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -811,7 +811,7 @@ static int bpf_prog_load(union bpf_attr *attr)
 
 	err = -EFAULT;
 	if (copy_from_user(prog->insns, u64_to_user_ptr(attr->insns),
-			   prog->len * sizeof(struct bpf_insn)) != 0)
+			   bpf_prog_insn_size(prog)) != 0)
 		goto free_prog;
 
 	prog->orig_prog = NULL;
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 81e267b..64b7b1a 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2931,6 +2931,10 @@ static int replace_map_fd_with_map_ptr(struct bpf_verifier_env *env)
 	int insn_cnt = env->prog->len;
 	int i, j, err;
 
+	err = bpf_prog_calc_digest(env->prog);
+	if (err)
+		return err;
+
 	for (i = 0; i < insn_cnt; i++, insn++) {
 		if (BPF_CLASS(insn->code) == BPF_LDX &&
 		    (BPF_MODE(insn->code) != BPF_MEM || insn->imm != 0)) {
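Review bot: The digest is now computed as the first step of replace_map_fd_with_map_ptr(), which the function name does not suggest. A comment above `err = bpf_prog_calc_digest(env->prog);` saying that this preserves the previous ordering (digest first, then the loop over the instructions) would protect it from a later refactor; alternatively, keep the call in bpf_check() and handle its return value there.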
@@ -3178,8 +3182,6 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr)
 		log_level = 0;
 	}
 
-	bpf_prog_calc_digest(env->prog);
-
 	ret = replace_map_fd_with_map_ptr(env);
 	if (ret < 0)
 		goto skip_full_check;
-- 
1.9.3

^ permalink raw reply related

* [PATCH net v2 0/3] Couple of BPF fixes
From: Daniel Borkmann @ 2016-12-18  0:52 UTC (permalink / raw)
  To: davem; +Cc: ast, kafai, netdev, Daniel Borkmann

This set contains three BPF fixes for net, one that addresses the
complaint from Geert wrt static allocations, and the other is a fix
wrt mem accounting that I found recently during testing and there's
still one more fix on the map value marking.

Thanks!

v1 -> v2:
  - Patch 1 as is.
  - Fixed kbuild bot issue by letting charging helpers stay in the
    syscall.c, since there locked_vm is valid and only export the
    ones needed by bpf_prog_realloc(). Add empty stubs in case the
    bpf syscall is not enabled.
  - Added patch 3 that addresses one more issue in map val marking.

Daniel Borkmann (3):
  bpf: dynamically allocate digest scratch buffer
  bpf: fix overflow in prog accounting
  bpf: fix mark_reg_unknown_value for spilled regs on map value marking

 include/linux/bpf.h    | 13 ++++++++++++-
 include/linux/filter.h | 14 +++++++++++---
 kernel/bpf/core.c      | 43 +++++++++++++++++++++++++++++--------------
 kernel/bpf/syscall.c   | 38 +++++++++++++++++++++++++++++---------
 kernel/bpf/verifier.c  | 17 ++++++++++++-----
 5 files changed, 93 insertions(+), 32 deletions(-)

-- 
1.9.3

^ permalink raw reply

