bpf: fix overflow in prog accounting (5ccb071e) · Commits · 戴 / test

include/linux/bpf.h

+11 −0

Original line number	Diff line number	Diff line
		@@ -238,6 +238,8 @@ struct bpf_prog * __must_check bpf_prog_add(struct bpf_prog *prog, int i);
		void bpf_prog_sub(struct bpf_prog *prog, int i);
		struct bpf_prog * __must_check bpf_prog_inc(struct bpf_prog *prog);
		void bpf_prog_put(struct bpf_prog *prog);
		int __bpf_prog_charge(struct user_struct *user, u32 pages);
		void __bpf_prog_uncharge(struct user_struct *user, u32 pages);

		struct bpf_map *bpf_map_get_with_uref(u32 ufd);
		struct bpf_map *__bpf_map_get(struct fd f);
		@@ -318,6 +320,15 @@ static inline struct bpf_prog * __must_check bpf_prog_inc(struct bpf_prog *prog)
		{
		return ERR_PTR(-EOPNOTSUPP);
		}

		static inline int __bpf_prog_charge(struct user_struct *user, u32 pages)
		{
		return 0;
		}

		static inline void __bpf_prog_uncharge(struct user_struct *user, u32 pages)
		{
		}
		#endif /* CONFIG_BPF_SYSCALL */

		/* verifier prototypes for helper functions called from eBPF programs */

+13 −3

Original line number	Diff line number	Diff line
		@@ -105,19 +105,29 @@ struct bpf_prog bpf_prog_realloc(struct bpf_prog fp_old, unsigned int size,
		gfp_t gfp_flags = GFP_KERNEL \| __GFP_HIGHMEM \| __GFP_ZERO \|
		gfp_extra_flags;
		struct bpf_prog *fp;
		u32 pages, delta;
		int ret;

		BUG_ON(fp_old == NULL);

		size = round_up(size, PAGE_SIZE);
		if (size <= fp_old->pages * PAGE_SIZE)
		pages = size / PAGE_SIZE;
		if (pages <= fp_old->pages)
		return fp_old;

		delta = pages - fp_old->pages;
		ret = __bpf_prog_charge(fp_old->aux->user, delta);
		if (ret)
		return NULL;

		fp = __vmalloc(size, gfp_flags, PAGE_KERNEL);
		if (fp != NULL) {
		if (fp == NULL) {
		__bpf_prog_uncharge(fp_old->aux->user, delta);
		} else {
		kmemcheck_annotate_bitfield(fp, meta);

		memcpy(fp, fp_old, fp_old->pages * PAGE_SIZE);
		fp->pages = size / PAGE_SIZE;
		fp->pages = pages;
		fp->aux->prog = fp;

		/* We keep fp->aux from fp_old around in the new

+28 −8

Original line number	Diff line number	Diff line
		@@ -615,19 +615,39 @@ static void free_used_maps(struct bpf_prog_aux *aux)
		kfree(aux->used_maps);
		}

		int __bpf_prog_charge(struct user_struct *user, u32 pages)
		{
		unsigned long memlock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
		unsigned long user_bufs;

		if (user) {
		user_bufs = atomic_long_add_return(pages, &user->locked_vm);
		if (user_bufs > memlock_limit) {
		atomic_long_sub(pages, &user->locked_vm);
		return -EPERM;
		}
		}

		return 0;
		}

		void __bpf_prog_uncharge(struct user_struct *user, u32 pages)
		{
		if (user)
		atomic_long_sub(pages, &user->locked_vm);
		}

		static int bpf_prog_charge_memlock(struct bpf_prog *prog)
		{
		struct user_struct *user = get_current_user();
		unsigned long memlock_limit;
		int ret;

		memlock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;

		atomic_long_add(prog->pages, &user->locked_vm);
		if (atomic_long_read(&user->locked_vm) > memlock_limit) {
		atomic_long_sub(prog->pages, &user->locked_vm);
		ret = __bpf_prog_charge(user, prog->pages);
		if (ret) {
		free_uid(user);
		return -EPERM;
		return ret;
		}

		prog->aux->user = user;
		return 0;
		}
		@@ -636,7 +656,7 @@ static void bpf_prog_uncharge_memlock(struct bpf_prog *prog)
		{
		struct user_struct *user = prog->aux->user;

		atomic_long_sub(prog->pages, &user->locked_vm);
		__bpf_prog_uncharge(user, prog->pages);
		free_uid(user);
		}