Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf

BPF (Safe dynamic programs and tools)

M:	Alexei Starovoitov <ast@kernel.org>

M:	Daniel Borkmann <daniel@iogearbox.net>

M:	Andrii Nakryiko <andrii@kernel.org>

R:	Martin KaFai Lau <kafai@fb.com>

R:	Song Liu <songliubraving@fb.com>

R:	Yonghong Song <yhs@fb.com>

R:	Andrii Nakryiko <andrii@kernel.org>

R:	John Fastabend <john.fastabend@gmail.com>

R:	KP Singh <kpsingh@chromium.org>

L:	netdev@vger.kernel.org

	struct tnum range = tnum_range(0, 1);

	enum bpf_prog_type prog_type = resolve_prog_type(env->prog);

	int err;

	const bool is_subprog = env->cur_state->frame[0]->subprogno;

	/* LSM and struct_ops func-ptr's return type could be "void" */

	if ((prog_type == BPF_PROG_TYPE_STRUCT_OPS ||

	if (!is_subprog &&

	    (prog_type == BPF_PROG_TYPE_STRUCT_OPS ||

	     prog_type == BPF_PROG_TYPE_LSM) &&

	    !prog->aux->attach_func_proto->type)

		return 0;

		return -EACCES;

	}

	reg = cur_regs(env) + BPF_REG_0;

	if (is_subprog) {

		if (reg->type != SCALAR_VALUE) {

			verbose(env, "At subprogram exit the register R0 is not a scalar value (%s)\n",

				reg_type_str[reg->type]);

			return -EINVAL;

		}

		return 0;

	}

	switch (prog_type) {

	case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:

		if (env->prog->expected_attach_type == BPF_CGROUP_UDP4_RECVMSG ||

		return 0;

	}

	reg = cur_regs(env) + BPF_REG_0;

	if (reg->type != SCALAR_VALUE) {

		verbose(env, "At program exit the register R0 is not a known value (%s)\n",

			reg_type_str[reg->type]);

			       struct bpf_insn *insn,

			       struct bpf_insn_aux_data *aux)

{

	u32 datasec_id, type, id = insn->imm;

	const struct btf_var_secinfo *vsi;

	const struct btf_type *datasec;

	const struct btf_type *t;

	const char *sym_name;

	bool percpu = false;

	u32 type, id = insn->imm;

	s32 datasec_id;

	u64 addr;

	int i;

	if (copy_from_user(buf, buffer, count)) {

		ret = -EFAULT;

		goto out;

		goto out_free;

	}

	buf[count] = '\0';

	sym = strstrip(buf);

		ret = count;

	}

out:

	kfree(buf);

	mutex_unlock(&fei_lock);

out_free:

	kfree(buf);

	return ret;

}

{

	int ret;

	/*

	 * NB: We rely on strncpy_from_user() not copying junk past the NUL

	 * terminator into `dst`.

	 *

	 * strncpy_from_user() does long-sized strides in the fast path. If the

	 * strncpy does not mask out the bytes after the NUL in `unsafe_ptr`,

	 * then there could be junk after the NUL in `dst`. If user takes `dst`

	 * and keys a hash map with it, then semantically identical strings can

	 * occupy multiple entries in the map.

	 */

	ret = strncpy_from_user_nofault(dst, unsafe_ptr, size);

	if (unlikely(ret < 0))

		memset(dst, 0, size);

	*btf = bpf_get_btf_vmlinux();

	if (IS_ERR_OR_NULL(*btf))

		return PTR_ERR(*btf);

		return IS_ERR(*btf) ? PTR_ERR(*btf) : -EINVAL;

	if (ptr->type_id > 0)

		*btf_id = ptr->type_id;

		goto byte_at_a_time;

	while (max >= sizeof(unsigned long)) {

		unsigned long c, data;

		unsigned long c, data, mask;

		/* Fall back to byte-at-a-time if we get a page fault */

		unsafe_get_user(c, (unsigned long __user *)(src+res), byte_at_a_time);

		*(unsigned long *)(dst+res) = c;

		/*

		 * Note that we mask out the bytes following the NUL. This is

		 * important to do because string oblivious code may read past

		 * the NUL. For those routines, we don't want to give them

		 * potentially random bytes after the NUL in `src`.

		 *

		 * One example of such code is BPF map keys. BPF treats map keys

		 * as an opaque set of bytes. Without the post-NUL mask, any BPF

		 * maps keyed by strings returned from strncpy_from_user() may

		 * have multiple entries for semantically identical strings.

		 */

		if (has_zero(c, &data, &constants)) {

			data = prep_zero_mask(c, data, &constants);

			data = create_zero_mask(data);

			mask = zero_bytemask(data);

			*(unsigned long *)(dst+res) = c & mask;

			return res + find_zero(data);

		}

		*(unsigned long *)(dst+res) = c;

		res += sizeof(unsigned long);

		max -= sizeof(unsigned long);

	}