Message ID | 20230929204121.20305-1-daniel@iogearbox.net (mailing list archive) |
---|---|
State | Accepted |
Commit | f9b0e1088bbf35933e25c839b75094039059b3be |
Delegated to: | BPF |
Headers | show |
Series | [bpf,1/2] bpf, mprog: Fix maximum program check on mprog attachment | expand |
Hello: This series was applied to bpf/bpf.git (master) by Andrii Nakryiko <andrii@kernel.org>: On Fri, 29 Sep 2023 22:41:20 +0200 you wrote: > After Paul's recent improvement to syzkaller to improve coverage for > bpf_mprog and tcx, it hit a splat that the program limit was surpassed. > What happened is that the maximum number of progs got added, followed > by another prog add request which adds with BPF_F_BEFORE flag relative > to the last program in the array. The idx >= bpf_mprog_max() check in > bpf_mprog_attach() still passes because the index is below the maximum > but the maximum will be surpassed. We need to add a check upfront for > insertions to catch this situation. > > [...] Here is the summary with links: - [bpf,1/2] bpf, mprog: Fix maximum program check on mprog attachment https://git.kernel.org/bpf/bpf/c/f9b0e1088bbf - [bpf,2/2] selftest/bpf: Add various selftests for program limits https://git.kernel.org/bpf/bpf/c/4cb893e89221 You are awesome, thank you!
diff --git a/kernel/bpf/mprog.c b/kernel/bpf/mprog.c index 32d2c4829eb8..007d98c799e2 100644 --- a/kernel/bpf/mprog.c +++ b/kernel/bpf/mprog.c @@ -253,6 +253,9 @@ int bpf_mprog_attach(struct bpf_mprog_entry *entry, goto out; } idx = tidx; + } else if (bpf_mprog_total(entry) == bpf_mprog_max()) { + ret = -ERANGE; + goto out; } if (flags & BPF_F_BEFORE) { tidx = bpf_mprog_pos_before(entry, &rtuple);