author | Alexei Starovoitov <ast@kernel.org> | 2017-12-15 09:19:36 -0800 |
---|---|---|
committer | Alexei Starovoitov <ast@kernel.org> | 2017-12-15 09:19:37 -0800 |
commit | c1b08ebe5003ae291470cb6e26923628ab19606f (patch) | |
tree | d6536ec187e003bb6a7c87cc8acdef20e16bf6c2 /kernel | |
parent | 2d17d8d79e77ff3f1b35b87522fc72fa562260ff (diff) | |
parent | 87ab8194303e73af2898e9e1c8b3b9bcfe91e7a9 (diff) |
Merge branch 'bpf-jit-fixes'
Daniel Borkmann says:
====================
Two fixes that deal with buggy usage of bpf_helper_changes_pkt_data()
in the sense that they also reload cached skb data when there's no
skb context but xdp one, for example. A fix where skb meta data is
reloaded out of the wrong register on helper call, rest is test cases
and making sure on verifier side that there's always the guarantee
that ctx sits in r1. Thanks!
====================
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/bpf/verifier.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index d4593571c404..e39b01317b6f 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -1674,7 +1674,13 @@ static int check_call(struct bpf_verifier_env *env, int func_id, int insn_idx) return -EINVAL; } + /* With LD_ABS/IND some JITs save/restore skb from r1. */ changes_data = bpf_helper_changes_pkt_data(fn->func); + if (changes_data && fn->arg1_type != ARG_PTR_TO_CTX) { + verbose(env, "kernel subsystem misconfigured func %s#%d: r1 != ctx\n", + func_id_name(func_id), func_id); + return -EINVAL; + } memset(&meta, 0, sizeof(meta)); meta.pkt_access = fn->pkt_access; |
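Review bot: The one-line comment added in check_call() sits above the changes_data assignment rather than above the new if block it motivates, and it does not say why r1 must hold ctx. Consider moving it directly onto the check and spelling out the link: JITs that save/restore skb from r1 for LD_ABS/IND rely on arg1 being the context whenever bpf_helper_changes_pkt_data() is true, so a helper with fn->arg1_type != ARG_PTR_TO_CTX would make them reload from the wrong value. Note also that the condition depends only on the helper prototype (fn), not on the program being verified, so a misconfigured helper is only reported through verbose() in the log of whoever loads a program that calls it; since the message itself says "kernel subsystem misconfigured", it may be worth considering a kernel-side warning as well, so the bug is visible to the subsystem maintainer and not only to the program loader.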