Received: by 10.213.65.68 with SMTP id h4csp307349imn; Fri, 23 Mar 2018 05:13:10 -0700 (PDT) X-Google-Smtp-Source: AG47ELt/3mHo+68SiPrmqwNxIBhmiY/wvsSAYuRJlgQFsvX25DwjE7eEsAK8+FB/6A6zEM4jhSVo X-Received: by 2002:a17:902:2c83:: with SMTP id n3-v6mr18019958plb.317.1521807190795; Fri, 23 Mar 2018 05:13:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521807190; cv=none; d=google.com; s=arc-20160816; b=jmyP55QF3wpkV1uVrMKPOYYYyQ3YyLHJ76O1wrYaqux61FuS91cZKsczv9u13u6CcJ 4O06NZKNGW01IDhQz+EUphpzEGFwMBshCRKGWuvmuhzIHP5JPGXHFo+9seLd1qZll1ql djGc3loQ7zRp/5nAdjJPu9YsPBhFDgxc3E3Bebh8VhrQf/ifwLo0U0RdrNgYblAq75+k VXin8HJdO0Max3ZBdtY4hELg08eem+KrCiZzqxjf/1rdekXS2LSbU06JOXaxNUQOPriI P+8PN/wb7x+5yikmfewU4Z6YmSkkBli/7mK+M5iniluvbXLF0AzCne63EpvcStF/ffje Jtlg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=+lnFpsG09Yb+gKL7Ub970N/SVBmR3lS42oO6b7OmNZk=; b=tIC0zfRJEin4plxJvLXC+umEc/uWbyon+MRIEIuXT4c9uEZaHhkOg8F2m6l+hQz1AW ZQuVSqFpZ+pEhVedY2xbMk6EvocmIPqleOJgXyr3qtjcYBNopp9q3kyvtV/gtL+unL8R D7zYz6kxel27TVGCvZxhOt5CL35gZ5J4wv3qGlI1KIDcyUywMLJTWNk65fV8sJcwKpfX TGuU6Aj20q1dRwiXq3K506FSIFukUQxrAZvuBoaaO7fhzfY7SBTUZmYViMwcY8S9TJY0 1Va6aK4HJ/Up3pt3JPbvA15HGTTR9l+pD9yBfwFYgQPiOfGC4xswYr0QFXx8V7olbnu2 PxJQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 207si2042685pfz.108.2018.03.23.05.12.55; Fri, 23 Mar 2018 05:13:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753196AbeCWMLw (ORCPT + 99 others); Fri, 23 Mar 2018 08:11:52 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:35228 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752877AbeCWJ5j (ORCPT ); Fri, 23 Mar 2018 05:57:39 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id E6DF41016; Fri, 23 Mar 2018 09:57:37 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Yonghong Song , Roman Gushchin , Daniel Borkmann , Sasha Levin Subject: [PATCH 4.15 43/84] bpf/cgroup: fix a verification error for a CGROUP_DEVICE type prog Date: Fri, 23 Mar 2018 10:53:57 +0100 Message-Id: <20180323095418.440265398@linuxfoundation.org> X-Mailer: git-send-email 2.16.2 In-Reply-To: <20180323095411.913234798@linuxfoundation.org> References: <20180323095411.913234798@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.15-stable review patch. If anyone has any objections, please let me know. ------------------ From: Yonghong Song [ Upstream commit 06ef0ccb5a36e1feba9b413ff59a04ecc4407c1c ] The tools/testing/selftests/bpf test program test_dev_cgroup fails with the following error when compiled with llvm 6.0. (I did not try with earlier versions.) libbpf: load bpf program failed: Permission denied libbpf: -- BEGIN DUMP LOG --- libbpf: 0: (61) r2 = *(u32 *)(r1 +4) 1: (b7) r0 = 0 2: (55) if r2 != 0x1 goto pc+8 R0=inv0 R1=ctx(id=0,off=0,imm=0) R2=inv1 R10=fp0 3: (69) r2 = *(u16 *)(r1 +0) invalid bpf_context access off=0 size=2 ... The culprit is the following statement in dev_cgroup.c: short type = ctx->access_type & 0xFFFF; This code is typical as the ctx->access_type is assigned as below in kernel/bpf/cgroup.c: struct bpf_cgroup_dev_ctx ctx = { .access_type = (access << 16) | dev_type, .major = major, .minor = minor, }; The compiler converts it to u16 access while the verifier cgroup_dev_is_valid_access rejects any non u32 access. This patch permits the field access_type to be accessible with type u16 and u8 as well. Signed-off-by: Yonghong Song Tested-by: Roman Gushchin Signed-off-by: Daniel Borkmann Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- include/uapi/linux/bpf.h | 3 ++- kernel/bpf/cgroup.c | 15 +++++++++++++-- 2 files changed, 15 insertions(+), 3 deletions(-) --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -995,7 +995,8 @@ struct bpf_perf_event_value { #define BPF_DEVCG_DEV_CHAR (1ULL << 1) struct bpf_cgroup_dev_ctx { - __u32 access_type; /* (access << 16) | type */ + /* access_type encoded as (BPF_DEVCG_ACC_* << 16) | BPF_DEVCG_DEV_* */ + __u32 access_type; __u32 major; __u32 minor; }; --- a/kernel/bpf/cgroup.c +++ b/kernel/bpf/cgroup.c @@ -568,6 +568,8 @@ static bool cgroup_dev_is_valid_access(i enum bpf_access_type type, struct bpf_insn_access_aux *info) { + const int size_default = sizeof(__u32); + if (type == BPF_WRITE) return false; @@ -576,8 +578,17 @@ static bool cgroup_dev_is_valid_access(i /* The verifier guarantees that size > 0. */ if (off % size != 0) return false; - if (size != sizeof(__u32)) - return false; + + switch (off) { + case bpf_ctx_range(struct bpf_cgroup_dev_ctx, access_type): + bpf_ctx_record_field_size(info, size_default); + if (!bpf_ctx_narrow_access_ok(off, size, size_default)) + return false; + break; + default: + if (size != size_default) + return false; + } return true; }