diff mbox series

[bpf-next] bpf: fix bpf_dynptr_slice() to stop return an ERR_PTR.

Message ID 20230803231206.1060485-1-thinker.li@gmail.com (mailing list archive)
State Accepted
Commit 5426700e6841bf72e652e34b5cec68eadf442435
Delegated to: BPF
Headers show
Series [bpf-next] bpf: fix bpf_dynptr_slice() to stop return an ERR_PTR. | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for bpf-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1368 this patch: 1368
netdev/cc_maintainers fail 1 blamed authors not CCed: joannelkoong@gmail.com; 12 maintainers not CCed: kuba@kernel.org hawk@kernel.org daniel@iogearbox.net netdev@vger.kernel.org kpsingh@kernel.org joannelkoong@gmail.com john.fastabend@gmail.com sdf@google.com yonghong.song@linux.dev davem@davemloft.net jolsa@kernel.org haoluo@google.com
netdev/build_clang success Errors and warnings before: 1351 this patch: 1351
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 1391 this patch: 1391
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-next-VM_Test-14 success Logs for test_progs on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-26 fail Logs for test_verifier on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-16 success Logs for test_progs_no_alu32 on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-8 success Logs for test_maps on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-12 fail Logs for test_progs on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-3 success Logs for build for s390x with gcc
bpf/vmtest-bpf-next-VM_Test-7 success Logs for test_maps on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-9 success Logs for test_maps on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-10 success Logs for test_maps on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-11 success Logs for test_progs on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-13 success Logs for test_progs on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-15 success Logs for test_progs_no_alu32 on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-17 success Logs for test_progs_no_alu32 on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-18 success Logs for test_progs_no_alu32 on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-19 success Logs for test_progs_no_alu32_parallel on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-20 success Logs for test_progs_no_alu32_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-21 success Logs for test_progs_no_alu32_parallel on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-22 success Logs for test_progs_parallel on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-23 success Logs for test_progs_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-24 success Logs for test_progs_parallel on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-25 success Logs for test_verifier on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-27 success Logs for test_verifier on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-28 success Logs for test_verifier on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-29 success Logs for veristat
bpf/vmtest-bpf-next-PR success PR summary
bpf/vmtest-bpf-next-VM_Test-1 success Logs for ShellCheck
bpf/vmtest-bpf-next-VM_Test-6 success Logs for set-matrix
bpf/vmtest-bpf-next-VM_Test-2 success Logs for build for aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-4 success Logs for build for x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-5 success Logs for build for x86_64 with llvm-16

Commit Message

Kui-Feng Lee Aug. 3, 2023, 11:12 p.m. UTC 
From: Kui-Feng Lee <thinker.li@gmail.com>

Verify if the pointer obtained from bpf_xdp_pointer() is either an error or
NULL before returning it.

The function bpf_dynptr_slice() mistakenly returned an ERR_PTR. Instead of
solely checking for NULL, it should also verify if the pointer returned by
bpf_xdp_pointer() is an error or NULL.

Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/bpf/d1360219-85c3-4a03-9449-253ea905f9d1@moroto.mountain/
Fixes: 66e3a13e7c2c ("bpf: Add bpf_dynptr_slice and bpf_dynptr_slice_rdwr")
Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Signed-off-by: Kui-Feng Lee <thinker.li@gmail.com>
---
 kernel/bpf/helpers.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Yonghong Song Aug. 4, 2023, 1:32 a.m. UTC | #1 
On 8/3/23 4:12 PM, thinker.li@gmail.com wrote:
> From: Kui-Feng Lee <thinker.li@gmail.com>
> 
> Verify if the pointer obtained from bpf_xdp_pointer() is either an error or
> NULL before returning it.
> 
> The function bpf_dynptr_slice() mistakenly returned an ERR_PTR. Instead of
> solely checking for NULL, it should also verify if the pointer returned by
> bpf_xdp_pointer() is an error or NULL.
> 
> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> Closes: https://lore.kernel.org/bpf/d1360219-85c3-4a03-9449-253ea905f9d1@moroto.mountain/
> Fixes: 66e3a13e7c2c ("bpf: Add bpf_dynptr_slice and bpf_dynptr_slice_rdwr")
> Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
> Signed-off-by: Kui-Feng Lee <thinker.li@gmail.com>

Acked-by: Yonghong Song <yonghong.song@linux.dev>
Kui-Feng Lee Aug. 4, 2023, 5:25 p.m. UTC | #2 
On 8/3/23 18:32, Yonghong Song wrote:
> 
> 
> On 8/3/23 4:12 PM, thinker.li@gmail.com wrote:
>> From: Kui-Feng Lee <thinker.li@gmail.com>
>>
>> Verify if the pointer obtained from bpf_xdp_pointer() is either an 
>> error or
>> NULL before returning it.
>>
>> The function bpf_dynptr_slice() mistakenly returned an ERR_PTR. 
>> Instead of
>> solely checking for NULL, it should also verify if the pointer 
>> returned by
>> bpf_xdp_pointer() is an error or NULL.
>>
>> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
>> Closes: 
>> https://lore.kernel.org/bpf/d1360219-85c3-4a03-9449-253ea905f9d1@moroto.mountain/
>> Fixes: 66e3a13e7c2c ("bpf: Add bpf_dynptr_slice and 
>> bpf_dynptr_slice_rdwr")
>> Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
>> Signed-off-by: Kui-Feng Lee <thinker.li@gmail.com>
> 
> Acked-by: Yonghong Song <yonghong.song@linux.dev>
Thanks!
patchwork-bot+netdevbpf@kernel.org Aug. 4, 2023, 10 p.m. UTC | #3 
Hello:

This patch was applied to bpf/bpf-next.git (master)
by Martin KaFai Lau <martin.lau@kernel.org>:

On Thu,  3 Aug 2023 16:12:06 -0700 you wrote:
> From: Kui-Feng Lee <thinker.li@gmail.com>
> 
> Verify if the pointer obtained from bpf_xdp_pointer() is either an error or
> NULL before returning it.
> 
> The function bpf_dynptr_slice() mistakenly returned an ERR_PTR. Instead of
> solely checking for NULL, it should also verify if the pointer returned by
> bpf_xdp_pointer() is an error or NULL.
> 
> [...]

Here is the summary with links:
  - [bpf-next] bpf: fix bpf_dynptr_slice() to stop return an ERR_PTR.
    https://git.kernel.org/bpf/bpf-next/c/5426700e6841

You are awesome, thank you!
Martin KaFai Lau Aug. 4, 2023, 10:26 p.m. UTC | #4 
On 8/3/23 4:12 PM, thinker.li@gmail.com wrote:
> From: Kui-Feng Lee <thinker.li@gmail.com>
> 
> Verify if the pointer obtained from bpf_xdp_pointer() is either an error or
> NULL before returning it.
> 
> The function bpf_dynptr_slice() mistakenly returned an ERR_PTR. Instead of
> solely checking for NULL, it should also verify if the pointer returned by
> bpf_xdp_pointer() is an error or NULL.
> 
> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> Closes: https://lore.kernel.org/bpf/d1360219-85c3-4a03-9449-253ea905f9d1@moroto.mountain/
> Fixes: 66e3a13e7c2c ("bpf: Add bpf_dynptr_slice and bpf_dynptr_slice_rdwr")
> Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
> Signed-off-by: Kui-Feng Lee <thinker.li@gmail.com>
> ---
>   kernel/bpf/helpers.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index 56ce5008aedd..eb91cae0612a 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -2270,7 +2270,7 @@ __bpf_kfunc void *bpf_dynptr_slice(const struct bpf_dynptr_kern *ptr, u32 offset
>   	case BPF_DYNPTR_TYPE_XDP:
>   	{
>   		void *xdp_ptr = bpf_xdp_pointer(ptr->data, ptr->offset + offset, len);
> -		if (xdp_ptr)
> +		if (!IS_ERR_OR_NULL(xdp_ptr))

Considering the earlier bpf_dynptr_check_off_len() should have avoided the 
IS_ERR() case here, I think targeting bpf-next makes sense. Applied.
Kui-Feng Lee Aug. 7, 2023, 5:07 p.m. UTC | #5 
On 8/4/23 15:26, Martin KaFai Lau wrote:
> On 8/3/23 4:12 PM, thinker.li@gmail.com wrote:
>> From: Kui-Feng Lee <thinker.li@gmail.com>
>>
>> Verify if the pointer obtained from bpf_xdp_pointer() is either an 
>> error or
>> NULL before returning it.
>>
>> The function bpf_dynptr_slice() mistakenly returned an ERR_PTR. 
>> Instead of
>> solely checking for NULL, it should also verify if the pointer 
>> returned by
>> bpf_xdp_pointer() is an error or NULL.
>>
>> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
>> Closes: 
>> https://lore.kernel.org/bpf/d1360219-85c3-4a03-9449-253ea905f9d1@moroto.mountain/
>> Fixes: 66e3a13e7c2c ("bpf: Add bpf_dynptr_slice and 
>> bpf_dynptr_slice_rdwr")
>> Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
>> Signed-off-by: Kui-Feng Lee <thinker.li@gmail.com>
>> ---
>>   kernel/bpf/helpers.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
>> index 56ce5008aedd..eb91cae0612a 100644
>> --- a/kernel/bpf/helpers.c
>> +++ b/kernel/bpf/helpers.c
>> @@ -2270,7 +2270,7 @@ __bpf_kfunc void *bpf_dynptr_slice(const struct 
>> bpf_dynptr_kern *ptr, u32 offset
>>       case BPF_DYNPTR_TYPE_XDP:
>>       {
>>           void *xdp_ptr = bpf_xdp_pointer(ptr->data, ptr->offset + 
>> offset, len);
>> -        if (xdp_ptr)
>> +        if (!IS_ERR_OR_NULL(xdp_ptr))
> 
> Considering the earlier bpf_dynptr_check_off_len() should have avoided 
> the IS_ERR() case here, I think targeting bpf-next makes sense. Applied.

It is a good point. I think the bpf_dynptr_check_off_len() check is
wrong as well. According to the behavior of the rest of the function,
it should be

     err = bpf_dynptr_check_off_len(ptr, ptr->offset + offset, len);

How do you think?
Martin KaFai Lau Aug. 7, 2023, 7:49 p.m. UTC | #6 
On 8/7/23 10:07 AM, Kui-Feng Lee wrote:
> 
> 
> On 8/4/23 15:26, Martin KaFai Lau wrote:
>> On 8/3/23 4:12 PM, thinker.li@gmail.com wrote:
>>> From: Kui-Feng Lee <thinker.li@gmail.com>
>>>
>>> Verify if the pointer obtained from bpf_xdp_pointer() is either an error or
>>> NULL before returning it.
>>>
>>> The function bpf_dynptr_slice() mistakenly returned an ERR_PTR. Instead of
>>> solely checking for NULL, it should also verify if the pointer returned by
>>> bpf_xdp_pointer() is an error or NULL.
>>>
>>> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
>>> Closes: 
>>> https://lore.kernel.org/bpf/d1360219-85c3-4a03-9449-253ea905f9d1@moroto.mountain/
>>> Fixes: 66e3a13e7c2c ("bpf: Add bpf_dynptr_slice and bpf_dynptr_slice_rdwr")
>>> Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
>>> Signed-off-by: Kui-Feng Lee <thinker.li@gmail.com>
>>> ---
>>>   kernel/bpf/helpers.c | 2 +-
>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
>>> index 56ce5008aedd..eb91cae0612a 100644
>>> --- a/kernel/bpf/helpers.c
>>> +++ b/kernel/bpf/helpers.c
>>> @@ -2270,7 +2270,7 @@ __bpf_kfunc void *bpf_dynptr_slice(const struct 
>>> bpf_dynptr_kern *ptr, u32 offset
>>>       case BPF_DYNPTR_TYPE_XDP:
>>>       {
>>>           void *xdp_ptr = bpf_xdp_pointer(ptr->data, ptr->offset + offset, len);
>>> -        if (xdp_ptr)
>>> +        if (!IS_ERR_OR_NULL(xdp_ptr))
>>
>> Considering the earlier bpf_dynptr_check_off_len() should have avoided the 
>> IS_ERR() case here, I think targeting bpf-next makes sense. Applied.
> 
> It is a good point. I think the bpf_dynptr_check_off_len() check is
> wrong as well. According to the behavior of the rest of the function,
> it should be
> 
>      err = bpf_dynptr_check_off_len(ptr, ptr->offset + offset, len);

Not sure why it is needed either.
The bpf_dynptr_adjust() has updated the size after updating the offset.
Did I missing other offset update places?
diff mbox series

Patch

diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 56ce5008aedd..eb91cae0612a 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -2270,7 +2270,7 @@  __bpf_kfunc void *bpf_dynptr_slice(const struct bpf_dynptr_kern *ptr, u32 offset
 	case BPF_DYNPTR_TYPE_XDP:
 	{
 		void *xdp_ptr = bpf_xdp_pointer(ptr->data, ptr->offset + offset, len);
-		if (xdp_ptr)
+		if (!IS_ERR_OR_NULL(xdp_ptr))
 			return xdp_ptr;
 
 		if (!buffer__opt)