From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"stable@vger.kernel.org" <stable@vger.kernel.org>
Cc: Yonghong Song <yhs@fb.com>,
Daniel Borkmann <daniel@iogearbox.net>,
Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL for 4.15 45/78] bpf/cgroup: fix a verification error for a CGROUP_DEVICE type prog
Date: Thu, 8 Mar 2018 04:56:21 +0000 [thread overview]
Message-ID: <20180308045525.7662-45-alexander.levin@microsoft.com> (raw)
In-Reply-To: <20180308045525.7662-1-alexander.levin@microsoft.com>
From: Yonghong Song <yhs@fb.com>
[ Upstream commit 06ef0ccb5a36e1feba9b413ff59a04ecc4407c1c ]
The tools/testing/selftests/bpf test program
test_dev_cgroup fails with the following error
when compiled with llvm 6.0. (I did not try
with earlier versions.)
libbpf: load bpf program failed: Permission denied
libbpf: -- BEGIN DUMP LOG ---
libbpf:
0: (61) r2 = *(u32 *)(r1 +4)
1: (b7) r0 = 0
2: (55) if r2 != 0x1 goto pc+8
R0=inv0 R1=ctx(id=0,off=0,imm=0) R2=inv1 R10=fp0
3: (69) r2 = *(u16 *)(r1 +0)
invalid bpf_context access off=0 size=2
...
The culprit is the following statement in dev_cgroup.c:
short type = ctx->access_type & 0xFFFF;
This code is typical as the ctx->access_type is assigned
as below in kernel/bpf/cgroup.c:
struct bpf_cgroup_dev_ctx ctx = {
.access_type = (access << 16) | dev_type,
.major = major,
.minor = minor,
};
The compiler converts it to u16 access while
the verifier cgroup_dev_is_valid_access rejects
any non u32 access.
This patch permits the field access_type to be accessible
with type u16 and u8 as well.
Signed-off-by: Yonghong Song <yhs@fb.com>
Tested-by: Roman Gushchin <guro@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
include/uapi/linux/bpf.h | 3 ++-
kernel/bpf/cgroup.c | 15 +++++++++++++--
2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 4c223ab30293..04b2f613dd06 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -995,7 +995,8 @@ struct bpf_perf_event_value {
#define BPF_DEVCG_DEV_CHAR (1ULL << 1)
struct bpf_cgroup_dev_ctx {
- __u32 access_type; /* (access << 16) | type */
+ /* access_type encoded as (BPF_DEVCG_ACC_* << 16) | BPF_DEVCG_DEV_* */
+ __u32 access_type;
__u32 major;
__u32 minor;
};
diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index b789ab78d28f..c1c0b60d3f2f 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -568,6 +568,8 @@ static bool cgroup_dev_is_valid_access(int off, int size,
enum bpf_access_type type,
struct bpf_insn_access_aux *info)
{
+ const int size_default = sizeof(__u32);
+
if (type == BPF_WRITE)
return false;
@@ -576,8 +578,17 @@ static bool cgroup_dev_is_valid_access(int off, int size,
/* The verifier guarantees that size > 0. */
if (off % size != 0)
return false;
- if (size != sizeof(__u32))
- return false;
+
+ switch (off) {
+ case bpf_ctx_range(struct bpf_cgroup_dev_ctx, access_type):
+ bpf_ctx_record_field_size(info, size_default);
+ if (!bpf_ctx_narrow_access_ok(off, size, size_default))
+ return false;
+ break;
+ default:
+ if (size != size_default)
+ return false;
+ }
return true;
}
--
2.14.1
next prev parent reply other threads:[~2018-03-08 4:57 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-08 4:56 [PATCH AUTOSEL for 4.15 01/78] ipmi_si: Fix error handling of platform device Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 02/78] drm/amdgpu: use polling mem to set SDMA3 wptr for VF Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 03/78] Bluetooth: hci_qca: Avoid setup failure on missing rampatch Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 04/78] Bluetooth: btqcomsmd: Fix skb double free corruption Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 05/78] cpufreq: longhaul: Revert transition_delay_us to 200 ms Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 07/78] media: c8sectpfe: fix potential NULL pointer dereference in c8sectpfe_timer_interrupt Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 06/78] dt-bindings: net: add TI CC2560 Bluetooth chip Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 09/78] net: fec: add phy_reset_after_clk_enable() support Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 08/78] drm/msm: fix leak in failed get_pages Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 10/78] dm: ensure bio submission follows a depth-first tree walk Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 11/78] IB/ipoib: Warn when one port fails to initialize Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 12/78] RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo() Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 13/78] hv_netvsc: Fix the receive buffer size limit Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 15/78] tcp: allow TLP in ECN CWR Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 14/78] hv_netvsc: Fix the TX/RX buffer default sizes Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 18/78] libbpf: prefer global symbols as bpf program name source Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 17/78] spi: sh-msiof: Avoid writing to registers from spi_master.setup() Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 16/78] KVM: x86: add support for emulating UMIP Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 19/78] rtlwifi: rtl_pci: Fix the bug when inactiveps is enabled Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 20/78] rtlwifi: always initialize variables given to RT_TRACE() Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 22/78] ath10k: handling qos at STA side based on AP WMM enable/disable Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 21/78] media: bt8xx: Fix err 'bt878_probe()' Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 23/78] media: [RESEND] media: dvb-frontends: Add delay to Si2168 restart Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 24/78] qmi_wwan: set FLAG_SEND_ZLP to avoid network initiated disconnect Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 26/78] serial: 8250_dw: Disable clock on error Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 25/78] tty: goldfish: Enable 'earlycon' only if built-in Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 27/78] cros_ec: fix nul-termination for firmware build info Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 28/78] watchdog: Fix potential kref imbalance when opening watchdog Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 29/78] watchdog: Fix kref imbalance seen if handle_boot_enabled=0 Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 30/78] platform/chrome: Use proper protocol transfer function Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 32/78] drm/tilcdc: ensure nonatomic iowrite64 is not used Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 31/78] dmaengine: zynqmp_dma: Fix race condition in the probe Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 35/78] /dev/mem: Add bounce buffer for copy-out Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 34/78] mmc: block: fix logical error to avoid memory leak Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 33/78] mmc: avoid removing non-removable hosts during suspend Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 37/78] sfp: fix EEPROM reading in the case of non-SFF8472 SFPs Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 36/78] net: phy: meson-gxl: check phy_write return value Sasha Levin
2018-03-08 10:18 ` Jerome Brunet
2018-03-08 12:34 ` Greg KH
2018-03-19 15:28 ` Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 38/78] sfp: fix non-detection of PHY Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 39/78] media: s5p-mfc: Fix lock contention - request_firmware() once Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 40/78] rtc: ac100: Fix multiple race conditions Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 41/78] IB/ipoib: Avoid memory leak if the SA returns a different DGID Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 42/78] RDMA/cma: Use correct size when writing netlink stats Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 43/78] IB/umem: Fix use of npages/nmap fields Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 44/78] iser-target: avoid reinitializing rdma contexts for isert commands Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 46/78] PCI/ASPM: Calculate LTR_L1.2_THRESHOLD from device characteristics Sasha Levin
2018-03-08 4:56 ` Sasha Levin [this message]
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 48/78] omapdrm: panel: fix compatible vendor string for td028ttec1 Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 47/78] vgacon: Set VGA struct resource types Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 51/78] pty: cancel pty slave port buf's work in tty_release Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 49/78] mmc: sdhci-xenon: wait 5ms after set 1.8V signal enable Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 50/78] drm/omap: DMM: Check for DMM readiness after successful transaction commit Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 52/78] coresight: Fix disabling of CoreSight TPIU Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 53/78] PCI: designware-ep: Fix ->get_msi() to check MSI_EN bit Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 54/78] PCI: endpoint: Fix find_first_zero_bit() usage Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 55/78] PCI: rcar: Handle rcar_pcie_parse_request_of_pci_ranges() failures Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 56/78] media: davinci: fix a debug printk Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 58/78] dt-bindings: display: panel: Fix compatible string for Toshiba LT089AC29000 Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 57/78] clk: check ops pointer on clock register Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 59/78] clk: use round rate to bail out early in set_rate Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 60/78] pinctrl: Really force states during suspend/resume Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 62/78] iommu/vt-d: clean up pr_irq if request_threaded_irq fails Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 61/78] pinctrl: rockchip: enable clock when reading pin direction register Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 63/78] ip6_vti: adjust vti mtu according to mtu of lower device Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 64/78] ip_gre: fix error path when erspan_rcv failed Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 66/78] soc: qcom: smsm: fix child-node lookup Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 65/78] ip_gre: fix potential memory leak in erspan_rcv Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 68/78] scsi: lpfc: Fix issues connecting with nvme initiator Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 67/78] scsi: lpfc: Fix SCSI LUN discovery when SCSI and NVME enabled Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 71/78] nfsd4: permit layoutget of executable-only files Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 70/78] ARM: dts: aspeed-evb: Add unit name to memory node Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 69/78] RDMA/ocrdma: Fix permissions for OCRDMA_RESET_STATS Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 73/78] clk: Don't touch hardware when reparenting during registration Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 72/78] clk: at91: pmc: Wait for clocks when resuming Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 74/78] clk: axi-clkgen: Correctly handle nocount bit in recalc_rate() Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 75/78] clk: si5351: Rename internal plls to avoid name collisions Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 77/78] hwrng: core - Clean up RNG list when last hwrng is unregistered Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 76/78] crypto: artpec6 - set correct iv size for gcm(aes) Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 78/78] dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63 Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180308045525.7662-45-alexander.levin@microsoft.com \
--to=alexander.levin@microsoft.com \
--cc=daniel@iogearbox.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox