2
0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-27 06:34:11 +08:00
linux-next/include
Daniel Borkmann 5ccb071e97 bpf: fix overflow in prog accounting
Commit aaac3ba95e ("bpf: charge user for creation of BPF maps and
programs") made a wrong assumption of charging against prog->pages.
Unlike map->pages, prog->pages are still subject to change when we
need to expand the program through bpf_prog_realloc().

This can for example happen during verification stage when we need to
expand and rewrite parts of the program. Should the required space
cross a page boundary, then prog->pages is not the same anymore as
its original value that we used to bpf_prog_charge_memlock() on. Thus,
we'll hit a wrap-around during bpf_prog_uncharge_memlock() when prog
is freed eventually. I noticed this that despite having unlimited
memlock, programs suddenly refused to load with EPERM error due to
insufficient memlock.

There are two ways to fix this issue. One would be to add a cached
variable to struct bpf_prog that takes a snapshot of prog->pages at the
time of charging. The other approach is to also account for resizes. I
chose to go with the latter for a couple of reasons: i) We want accounting
rather to be more accurate instead of further fooling limits, ii) adding
yet another page counter on struct bpf_prog would also be a waste just
for this purpose. We also do want to charge as early as possible to
avoid going into the verifier just to find out later on that we crossed
limits. The only place that needs to be fixed is bpf_prog_realloc(),
since only here we expand the program, so we try to account for the
needed delta and should we fail, call-sites check for outcome anyway.
On cBPF to eBPF migrations, we don't grab a reference to the user as
they are charged differently. With that in place, my test case worked
fine.

Fixes: aaac3ba95e ("bpf: charge user for creation of BPF maps and programs")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-12-17 21:27:44 -05:00
..
acpi Merge branches 'acpica-fixes', 'acpi-cppc-fixes' and 'acpi-tools-fixes' 2016-11-18 21:34:42 +01:00
asm-generic Revert "default exported asm symbols to zero" 2016-12-07 08:39:00 -08:00
clocksource
crypto crypto: drbg - prevent invalid SG mappings 2016-11-30 19:46:44 +08:00
drm drm: Don't force all planes to be added to the state due to zpos 2016-10-26 18:48:05 +02:00
dt-bindings dt-bindings: net: add EEE capability constants 2016-11-29 19:38:31 -05:00
keys
kvm
linux bpf: fix overflow in prog accounting 2016-12-17 21:27:44 -05:00
math-emu
media Linux 4.8 2016-10-05 16:43:53 -03:00
memory
misc
net inet: Fix get port to handle zero port number with soreuseport set 2016-12-17 11:13:19 -05:00
pcmcia
ras
rdma Merge of primary rdma-core code for 4.9 2016-10-09 17:04:33 -07:00
rxrpc
scsi
soc powerpc updates for 4.9 #2 2016-10-14 11:07:42 -07:00
sound
target target: Make EXTENDED_COPY 0xe4 failure return COPY TARGET DEVICE NOT REACHABLE 2016-10-19 21:22:32 -07:00
trace net/phy: add trace events for mdio accesses 2016-11-24 11:55:43 -05:00
uapi net: l2tp: deprecate PPPOL2TP_MSG_* in favour of L2TP_MSG_* 2016-12-10 23:29:11 -05:00
video fbdev changes for 4.9 2016-10-12 11:01:37 -07:00
xen xen: features and fixes for 4.9-rc0 2016-10-06 11:19:10 -07:00
Kbuild