Commit b8d5b7ce authored by David S. Miller's avatar David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf

Daniel Borkmann says:

====================
pull-request: bpf 2018-10-05

The following pull-request contains BPF updates for your *net* tree.

The main changes are:

1) Fix to truncate input on ALU operations in 32 bit mode, from Jann.

2) Fixes for cgroup local storage to reject reserved flags on element
   update and rejection of map allocation with zero-sized value, from Roman.
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 7e418375 b799207e
...@@ -129,7 +129,7 @@ static int cgroup_storage_update_elem(struct bpf_map *map, void *_key, ...@@ -129,7 +129,7 @@ static int cgroup_storage_update_elem(struct bpf_map *map, void *_key,
struct bpf_cgroup_storage *storage; struct bpf_cgroup_storage *storage;
struct bpf_storage_buffer *new; struct bpf_storage_buffer *new;
if (flags & BPF_NOEXIST) if (flags != BPF_ANY && flags != BPF_EXIST)
return -EINVAL; return -EINVAL;
storage = cgroup_storage_lookup((struct bpf_cgroup_storage_map *)map, storage = cgroup_storage_lookup((struct bpf_cgroup_storage_map *)map,
...@@ -195,6 +195,9 @@ static struct bpf_map *cgroup_storage_map_alloc(union bpf_attr *attr) ...@@ -195,6 +195,9 @@ static struct bpf_map *cgroup_storage_map_alloc(union bpf_attr *attr)
if (attr->key_size != sizeof(struct bpf_cgroup_storage_key)) if (attr->key_size != sizeof(struct bpf_cgroup_storage_key))
return ERR_PTR(-EINVAL); return ERR_PTR(-EINVAL);
if (attr->value_size == 0)
return ERR_PTR(-EINVAL);
if (attr->value_size > PAGE_SIZE) if (attr->value_size > PAGE_SIZE)
return ERR_PTR(-E2BIG); return ERR_PTR(-E2BIG);
......
...@@ -2896,6 +2896,15 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, ...@@ -2896,6 +2896,15 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
u64 umin_val, umax_val; u64 umin_val, umax_val;
u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32; u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32;
if (insn_bitness == 32) {
/* Relevant for 32-bit RSH: Information can propagate towards
* LSB, so it isn't sufficient to only truncate the output to
* 32 bits.
*/
coerce_reg_to_size(dst_reg, 4);
coerce_reg_to_size(&src_reg, 4);
}
smin_val = src_reg.smin_value; smin_val = src_reg.smin_value;
smax_val = src_reg.smax_value; smax_val = src_reg.smax_value;
umin_val = src_reg.umin_value; umin_val = src_reg.umin_value;
...@@ -3131,7 +3140,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, ...@@ -3131,7 +3140,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
if (BPF_CLASS(insn->code) != BPF_ALU64) { if (BPF_CLASS(insn->code) != BPF_ALU64) {
/* 32-bit ALU ops are (32,32)->32 */ /* 32-bit ALU ops are (32,32)->32 */
coerce_reg_to_size(dst_reg, 4); coerce_reg_to_size(dst_reg, 4);
coerce_reg_to_size(&src_reg, 4);
} }
__reg_deduce_bounds(dst_reg); __reg_deduce_bounds(dst_reg);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment