net: fix unsafe set_memory_rw from softirq

+1

arch/arm/net/bpf_jit_32.c

··· 930 930 { 931 931 if (fp->bpf_func != sk_run_filter) 932 932 module_free(NULL, fp->bpf_func); 933 + kfree(fp); 933 934 }

+1

arch/powerpc/net/bpf_jit_comp.c

··· 691 691 { 692 692 if (fp->bpf_func != sk_run_filter) 693 693 module_free(NULL, fp->bpf_func); 694 + kfree(fp); 694 695 }

+3 -1

arch/s390/net/bpf_jit_comp.c

··· 881 881 struct bpf_binary_header *header = (void *)addr; 882 882 883 883 if (fp->bpf_func == sk_run_filter) 884 - return; 884 + goto free_filter; 885 885 set_memory_rw(addr, header->pages); 886 886 module_free(NULL, header); 887 + free_filter: 888 + kfree(fp); 887 889 }

+1

arch/sparc/net/bpf_jit_comp.c

··· 808 808 { 809 809 if (fp->bpf_func != sk_run_filter) 810 810 module_free(NULL, fp->bpf_func); 811 + kfree(fp); 811 812 }

+13 -5

arch/x86/net/bpf_jit_comp.c

··· 772 772 return; 773 773 } 774 774 775 + static void bpf_jit_free_deferred(struct work_struct *work) 776 + { 777 + struct sk_filter *fp = container_of(work, struct sk_filter, work); 778 + unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK; 779 + struct bpf_binary_header *header = (void *)addr; 780 + 781 + set_memory_rw(addr, header->pages); 782 + module_free(NULL, header); 783 + kfree(fp); 784 + } 785 + 775 786 void bpf_jit_free(struct sk_filter *fp) 776 787 { 777 788 if (fp->bpf_func != sk_run_filter) { 778 - unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK; 779 - struct bpf_binary_header *header = (void *)addr; 780 - 781 - set_memory_rw(addr, header->pages); 782 - module_free(NULL, header); 789 + INIT_WORK(&fp->work, bpf_jit_free_deferred); 790 + schedule_work(&fp->work); 783 791 } 784 792 }

+11 -4

include/linux/filter.h

··· 6 6 7 7 #include <linux/atomic.h> 8 8 #include <linux/compat.h> 9 + #include <linux/workqueue.h> 9 10 #include <uapi/linux/filter.h> 10 11 11 12 #ifdef CONFIG_COMPAT ··· 26 25 { 27 26 atomic_t refcnt; 28 27 unsigned int len; /* Number of filter blocks */ 28 + struct rcu_head rcu; 29 29 unsigned int (*bpf_func)(const struct sk_buff *skb, 30 30 const struct sock_filter *filter); 31 - struct rcu_head rcu; 32 - struct sock_filter insns[0]; 31 + union { 32 + struct sock_filter insns[0]; 33 + struct work_struct work; 34 + }; 33 35 }; 34 36 35 - static inline unsigned int sk_filter_len(const struct sk_filter *fp) 37 + static inline unsigned int sk_filter_size(unsigned int proglen) 36 38 { 37 - return fp->len * sizeof(struct sock_filter) + sizeof(*fp); 39 + return max(sizeof(struct sk_filter), 40 + offsetof(struct sk_filter, insns[proglen])); 38 41 } 39 42 40 43 extern int sk_filter(struct sock *sk, struct sk_buff *skb); ··· 72 67 } 73 68 #define SK_RUN_FILTER(FILTER, SKB) (*FILTER->bpf_func)(SKB, FILTER->insns) 74 69 #else 70 + #include <linux/slab.h> 75 71 static inline void bpf_jit_compile(struct sk_filter *fp) 76 72 { 77 73 } 78 74 static inline void bpf_jit_free(struct sk_filter *fp) 79 75 { 76 + kfree(fp); 80 77 } 81 78 #define SK_RUN_FILTER(FILTER, SKB) sk_run_filter(SKB, FILTER->insns) 82 79 #endif

+2 -4

include/net/sock.h

··· 1630 1630 1631 1631 static inline void sk_filter_uncharge(struct sock *sk, struct sk_filter *fp) 1632 1632 { 1633 - unsigned int size = sk_filter_len(fp); 1634 - 1635 - atomic_sub(size, &sk->sk_omem_alloc); 1633 + atomic_sub(sk_filter_size(fp->len), &sk->sk_omem_alloc); 1636 1634 sk_filter_release(fp); 1637 1635 } 1638 1636 1639 1637 static inline void sk_filter_charge(struct sock *sk, struct sk_filter *fp) 1640 1638 { 1641 1639 atomic_inc(&fp->refcnt); 1642 - atomic_add(sk_filter_len(fp), &sk->sk_omem_alloc); 1640 + atomic_add(sk_filter_size(fp->len), &sk->sk_omem_alloc); 1643 1641 } 1644 1642 1645 1643 /*

+4 -4

net/core/filter.c

··· 644 644 struct sk_filter *fp = container_of(rcu, struct sk_filter, rcu); 645 645 646 646 bpf_jit_free(fp); 647 - kfree(fp); 648 647 } 649 648 EXPORT_SYMBOL(sk_filter_release_rcu); 650 649 ··· 682 683 if (fprog->filter == NULL) 683 684 return -EINVAL; 684 685 685 - fp = kmalloc(fsize + sizeof(*fp), GFP_KERNEL); 686 + fp = kmalloc(sk_filter_size(fprog->len), GFP_KERNEL); 686 687 if (!fp) 687 688 return -ENOMEM; 688 689 memcpy(fp->insns, fprog->filter, fsize); ··· 722 723 { 723 724 struct sk_filter *fp, *old_fp; 724 725 unsigned int fsize = sizeof(struct sock_filter) * fprog->len; 726 + unsigned int sk_fsize = sk_filter_size(fprog->len); 725 727 int err; 726 728 727 729 if (sock_flag(sk, SOCK_FILTER_LOCKED)) ··· 732 732 if (fprog->filter == NULL) 733 733 return -EINVAL; 734 734 735 - fp = sock_kmalloc(sk, fsize+sizeof(*fp), GFP_KERNEL); 735 + fp = sock_kmalloc(sk, sk_fsize, GFP_KERNEL); 736 736 if (!fp) 737 737 return -ENOMEM; 738 738 if (copy_from_user(fp->insns, fprog->filter, fsize)) { 739 - sock_kfree_s(sk, fp, fsize+sizeof(*fp)); 739 + sock_kfree_s(sk, fp, sk_fsize); 740 740 return -EFAULT; 741 741 } 742 742

Configure Feed

Configure Feed