tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf

Daniel Borkmann says:

====================
pull-request: bpf 2019-03-29

The following pull-request contains BPF updates for your *net* tree.

The main changes are:

1) Bug fix in BTF deduplication that was mishandling an equivalence
comparison, from Andrii.

2) libbpf Makefile fixes to properly link against libelf for the shared
object and to actually export AF_XDP's xsk.h header, from Björn.

3) Fix use after free in bpf inode eviction, from Daniel.

4) Fix a bug in skb creation out of cpumap redirect, from Jesper.

5) Remove an unnecessary and triggerable WARN_ONCE() in max number
of call stack frames checking in verifier, from Paul.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

David S. Miller 22bdf7d4 19c84744

+127 -26
+4 -4
Documentation/bpf/btf.rst
··· 148 148 for the type. The maximum value of ``BTF_INT_BITS()`` is 128. 149 149 150 150 The ``BTF_INT_OFFSET()`` specifies the starting bit offset to calculate values 151 - for this int. For example, a bitfield struct member has: * btf member bit 152 - offset 100 from the start of the structure, * btf member pointing to an int 153 - type, * the int type has ``BTF_INT_OFFSET() = 2`` and ``BTF_INT_BITS() = 4`` 151 + for this int. For example, a bitfield struct member has: 152 + * btf member bit offset 100 from the start of the structure, 153 + * btf member pointing to an int type, 154 + * the int type has ``BTF_INT_OFFSET() = 2`` and ``BTF_INT_BITS() = 4`` 154 155 155 156 Then in the struct memory layout, this member will occupy ``4`` bits starting 156 157 from bits ``100 + 2 = 102``. 157 158 158 159 Alternatively, the bitfield struct member can be the following to access the 159 160 same bits as the above: 160 - 161 161 * btf member bit offset 102, 162 162 * btf member pointing to an int type, 163 163 * the int type has ``BTF_INT_OFFSET() = 0`` and ``BTF_INT_BITS() = 4``
+10 -3
kernel/bpf/cpumap.c
··· 162 162 static struct sk_buff *cpu_map_build_skb(struct bpf_cpu_map_entry *rcpu, 163 163 struct xdp_frame *xdpf) 164 164 { 165 + unsigned int hard_start_headroom; 165 166 unsigned int frame_size; 166 167 void *pkt_data_start; 167 168 struct sk_buff *skb; 169 + 170 + /* Part of headroom was reserved to xdpf */ 171 + hard_start_headroom = sizeof(struct xdp_frame) + xdpf->headroom; 168 172 169 173 /* build_skb need to place skb_shared_info after SKB end, and 170 174 * also want to know the memory "truesize". Thus, need to ··· 187 183 * is not at a fixed memory location, with mixed length 188 184 * packets, which is bad for cache-line hotness. 189 185 */ 190 - frame_size = SKB_DATA_ALIGN(xdpf->len + xdpf->headroom) + 186 + frame_size = SKB_DATA_ALIGN(xdpf->len + hard_start_headroom) + 191 187 SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); 192 188 193 - pkt_data_start = xdpf->data - xdpf->headroom; 189 + pkt_data_start = xdpf->data - hard_start_headroom; 194 190 skb = build_skb(pkt_data_start, frame_size); 195 191 if (!skb) 196 192 return NULL; 197 193 198 - skb_reserve(skb, xdpf->headroom); 194 + skb_reserve(skb, hard_start_headroom); 199 195 __skb_put(skb, xdpf->len); 200 196 if (xdpf->metasize) 201 197 skb_metadata_set(skb, xdpf->metasize); ··· 208 204 * - HW RX hash (skb_set_hash) 209 205 * - RX ring dev queue index (skb_record_rx_queue) 210 206 */ 207 + 208 + /* Allow SKB to reuse area used by xdp_frame */ 209 + xdp_scrub_frame(xdpf); 211 210 212 211 return skb; 213 212 }
+18 -14
kernel/bpf/inode.c
··· 554 554 } 555 555 EXPORT_SYMBOL(bpf_prog_get_type_path); 556 556 557 - static void bpf_evict_inode(struct inode *inode) 558 - { 559 - enum bpf_type type; 560 - 561 - truncate_inode_pages_final(&inode->i_data); 562 - clear_inode(inode); 563 - 564 - if (S_ISLNK(inode->i_mode)) 565 - kfree(inode->i_link); 566 - if (!bpf_inode_type(inode, &type)) 567 - bpf_any_put(inode->i_private, type); 568 - } 569 - 570 557 /* 571 558 * Display the mount options in /proc/mounts. 572 559 */ ··· 566 579 return 0; 567 580 } 568 581 582 + static void bpf_destroy_inode_deferred(struct rcu_head *head) 583 + { 584 + struct inode *inode = container_of(head, struct inode, i_rcu); 585 + enum bpf_type type; 586 + 587 + if (S_ISLNK(inode->i_mode)) 588 + kfree(inode->i_link); 589 + if (!bpf_inode_type(inode, &type)) 590 + bpf_any_put(inode->i_private, type); 591 + free_inode_nonrcu(inode); 592 + } 593 + 594 + static void bpf_destroy_inode(struct inode *inode) 595 + { 596 + call_rcu(&inode->i_rcu, bpf_destroy_inode_deferred); 597 + } 598 + 569 599 static const struct super_operations bpf_super_ops = { 570 600 .statfs = simple_statfs, 571 601 .drop_inode = generic_delete_inode, 572 602 .show_options = bpf_show_options, 573 - .evict_inode = bpf_evict_inode, 603 + .destroy_inode = bpf_destroy_inode, 574 604 }; 575 605 576 606 enum {
+3 -2
kernel/bpf/verifier.c
··· 1897 1897 } 1898 1898 frame++; 1899 1899 if (frame >= MAX_CALL_FRAMES) { 1900 - WARN_ONCE(1, "verifier bug. Call stack is too deep\n"); 1901 - return -EFAULT; 1900 + verbose(env, "the call stack of %d frames is too deep !\n", 1901 + frame); 1902 + return -E2BIG; 1902 1903 } 1903 1904 goto process_func; 1904 1905 }
+4 -3
tools/lib/bpf/Makefile
··· 177 177 178 178 $(OUTPUT)libbpf.so.$(LIBBPF_VERSION): $(BPF_IN) 179 179 $(QUIET_LINK)$(CC) --shared -Wl,-soname,libbpf.so.$(VERSION) \ 180 - -Wl,--version-script=$(VERSION_SCRIPT) $^ -o $@ 180 + -Wl,--version-script=$(VERSION_SCRIPT) $^ -lelf -o $@ 181 181 @ln -sf $(@F) $(OUTPUT)libbpf.so 182 182 @ln -sf $(@F) $(OUTPUT)libbpf.so.$(VERSION) 183 183 ··· 220 220 install_headers: 221 221 $(call QUIET_INSTALL, headers) \ 222 222 $(call do_install,bpf.h,$(prefix)/include/bpf,644); \ 223 - $(call do_install,libbpf.h,$(prefix)/include/bpf,644); 224 - $(call do_install,btf.h,$(prefix)/include/bpf,644); 223 + $(call do_install,libbpf.h,$(prefix)/include/bpf,644); \ 224 + $(call do_install,btf.h,$(prefix)/include/bpf,644); \ 225 + $(call do_install,xsk.h,$(prefix)/include/bpf,644); 225 226 226 227 install: install_lib 227 228
+3
tools/lib/bpf/btf.c
··· 2107 2107 return fwd_kind == real_kind; 2108 2108 } 2109 2109 2110 + if (cand_kind != canon_kind) 2111 + return 0; 2112 + 2110 2113 switch (cand_kind) { 2111 2114 case BTF_KIND_INT: 2112 2115 return btf_equal_int(cand_type, canon_type);
+47
tools/testing/selftests/bpf/test_btf.c
··· 5777 5777 }, 5778 5778 }, 5779 5779 { 5780 + .descr = "dedup: void equiv check", 5781 + /* 5782 + * // CU 1: 5783 + * struct s { 5784 + * struct {} *x; 5785 + * }; 5786 + * // CU 2: 5787 + * struct s { 5788 + * int *x; 5789 + * }; 5790 + */ 5791 + .input = { 5792 + .raw_types = { 5793 + /* CU 1 */ 5794 + BTF_STRUCT_ENC(0, 0, 1), /* [1] struct {} */ 5795 + BTF_PTR_ENC(1), /* [2] ptr -> [1] */ 5796 + BTF_STRUCT_ENC(NAME_NTH(1), 1, 8), /* [3] struct s */ 5797 + BTF_MEMBER_ENC(NAME_NTH(2), 2, 0), 5798 + /* CU 2 */ 5799 + BTF_PTR_ENC(0), /* [4] ptr -> void */ 5800 + BTF_STRUCT_ENC(NAME_NTH(1), 1, 8), /* [5] struct s */ 5801 + BTF_MEMBER_ENC(NAME_NTH(2), 4, 0), 5802 + BTF_END_RAW, 5803 + }, 5804 + BTF_STR_SEC("\0s\0x"), 5805 + }, 5806 + .expect = { 5807 + .raw_types = { 5808 + /* CU 1 */ 5809 + BTF_STRUCT_ENC(0, 0, 1), /* [1] struct {} */ 5810 + BTF_PTR_ENC(1), /* [2] ptr -> [1] */ 5811 + BTF_STRUCT_ENC(NAME_NTH(1), 1, 8), /* [3] struct s */ 5812 + BTF_MEMBER_ENC(NAME_NTH(2), 2, 0), 5813 + /* CU 2 */ 5814 + BTF_PTR_ENC(0), /* [4] ptr -> void */ 5815 + BTF_STRUCT_ENC(NAME_NTH(1), 1, 8), /* [5] struct s */ 5816 + BTF_MEMBER_ENC(NAME_NTH(2), 4, 0), 5817 + BTF_END_RAW, 5818 + }, 5819 + BTF_STR_SEC("\0s\0x"), 5820 + }, 5821 + .opts = { 5822 + .dont_resolve_fwds = false, 5823 + .dedup_table_size = 1, /* force hash collisions */ 5824 + }, 5825 + }, 5826 + { 5780 5827 .descr = "dedup: all possible kinds (no duplicates)", 5781 5828 .input = { 5782 5829 .raw_types = {
+38
tools/testing/selftests/bpf/verifier/calls.c
··· 908 908 .result = REJECT, 909 909 }, 910 910 { 911 + "calls: stack depth check in dead code", 912 + .insns = { 913 + /* main */ 914 + BPF_MOV64_IMM(BPF_REG_1, 0), 915 + BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */ 916 + BPF_EXIT_INSN(), 917 + /* A */ 918 + BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 919 + BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2), /* call B */ 920 + BPF_MOV64_IMM(BPF_REG_0, 0), 921 + BPF_EXIT_INSN(), 922 + /* B */ 923 + BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */ 924 + BPF_EXIT_INSN(), 925 + /* C */ 926 + BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */ 927 + BPF_EXIT_INSN(), 928 + /* D */ 929 + BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */ 930 + BPF_EXIT_INSN(), 931 + /* E */ 932 + BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */ 933 + BPF_EXIT_INSN(), 934 + /* F */ 935 + BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */ 936 + BPF_EXIT_INSN(), 937 + /* G */ 938 + BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */ 939 + BPF_EXIT_INSN(), 940 + /* H */ 941 + BPF_MOV64_IMM(BPF_REG_0, 0), 942 + BPF_EXIT_INSN(), 943 + }, 944 + .prog_type = BPF_PROG_TYPE_XDP, 945 + .errstr = "call stack", 946 + .result = REJECT, 947 + }, 948 + { 911 949 "calls: spill into caller stack frame", 912 950 .insns = { 913 951 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),