b2c4618162
The current conversion of skb->data_end reads like this:

  ; data_end = (void*)(long)skb->data_end;
   559: (79) r1 = *(u64 *)(r2 +200)   ; r1  = skb->data
   560: (61) r11 = *(u32 *)(r2 +112)  ; r11 = skb->len
   561: (0f) r1 += r11
   562: (61) r11 = *(u32 *)(r2 +116)
   563: (1f) r1 -= r11

But similar to the case in 84f44df664e9 ("bpf: sock_ops sk access may stomp registers when dst_reg = src_reg"), the code will read an incorrect skb->len when src == dst. In this case we end up generating this xlated code:

  ; data_end = (void*)(long)skb->data_end;
   559: (79) r1 = *(u64 *)(r1 +200)   ; r1  = skb->data
   560: (61) r11 = *(u32 *)(r1 +112)  ; r11 = (skb->data)->len
   561: (0f) r1 += r11
   562: (61) r11 = *(u32 *)(r1 +116)
   563: (1f) r1 -= r11

... where line 560 is reading 4B of (skb->data + 112) instead of the intended skb->len. Here the skb pointer in r1 gets set to skb->data and the later deref for skb->len ends up following skb->data instead of skb.

This fixes the issue similarly to the patch mentioned above by creating an additional temporary variable and using it to store the register when dst_reg = src_reg. We name the variable bpf_temp_reg and place it in the cb context for sk_skb. Then we restore from the temp to ensure nothing is lost.

Fixes: 16137b09a66f2 ("bpf: Compute data_end dynamically with JIT code")
Signed-off-by: Jussi Maki <joamaki@gmail.com>
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/bpf/20211103204736.248403-6-john.fastabend@gmail.com
/* SPDX-License-Identifier: GPL-2.0-only */
/*
* Stream Parser
*
* Copyright (c) 2016 Tom Herbert <tom@herbertland.com>
*/
#ifndef __NET_STRPARSER_H_
#define __NET_STRPARSER_H_
#include <linux/skbuff.h>
#include <net/sock.h>
/*
 * Statistics helpers: add @count to, or increment, the counter lvalue @stat.
 * Both expand to a plain (non-atomic) read-modify-write expression; the
 * arguments are parenthesised and @stat appears exactly once in each.
 */
#define STRP_STATS_ADD(stat, count)	((stat) += (count))
#define STRP_STATS_INCR(stat)		((stat)++)
/*
 * Counters kept for one stream parser (embedded as strparser.stats and
 * folded into struct strp_aggr_stats by save_strp_stats()).
 *
 * NOTE(review): the per-field descriptions below are inferred from the
 * field names only; the code that updates them is not in this header --
 * confirm against the parser implementation.  The error-side counters
 * (mem_fail, msg_too_big, msg_timeouts, bad_hdr_len) look like the ones
 * worth exporting when monitoring for malformed or stalled streams.
 */
struct strp_stats {
	unsigned long long msgs;	/* presumably messages parsed */
	unsigned long long bytes;	/* presumably bytes in those messages */
	unsigned int mem_fail;		/* presumably allocation failures */
	unsigned int need_more_hdr;	/* presumably "header incomplete" events */
	unsigned int msg_too_big;	/* presumably over-size messages */
	unsigned int msg_timeouts;	/* presumably message timer expiries */
	unsigned int bad_hdr_len;	/* presumably invalid header lengths */
};
/*
 * Aggregated parser statistics.  The first seven members mirror
 * struct strp_stats; save_strp_stats() adds a parser's counters to them
 * and bumps the last three from the parser's aborted / interrupted /
 * unrecov_intr flags.
 */
struct strp_aggr_stats {
	/* Summed from struct strp_stats. */
	unsigned long long msgs;
	unsigned long long bytes;
	unsigned int mem_fail;
	unsigned int need_more_hdr;
	unsigned int msg_too_big;
	unsigned int msg_timeouts;
	unsigned int bad_hdr_len;

	/* Each counts parsers that had the matching flag set when saved. */
	unsigned int aborts;
	unsigned int interrupted;
	unsigned int unrecov_intr;
};
struct strparser;
/*
 * Hooks supplied by the user of a stream parser; a pointer to this table is
 * passed to strp_init() and a copy lives in strparser.cb.
 *
 * Callbacks are called with lock held for the attached socket.
 *
 * NOTE(review): the return-value conventions of parse_msg and
 * read_sock_done are not visible in this header.  parse_msg presumably
 * inspects bytes received from the peer, so any length it derives from
 * them should be treated as untrusted by the implementation -- confirm the
 * contract against the strparser documentation.
 */
struct strp_callbacks {
	/* Examine @skb for a message. */
	int (*parse_msg)(struct strparser *strp, struct sk_buff *skb);
	/* Hand @skb to the upper layer. */
	void (*rcv_msg)(struct strparser *strp, struct sk_buff *skb);
	/* Reports @err once reading the socket has finished. */
	int (*read_sock_done)(struct strparser *strp, int err);
	/* Stop the parser because of @err. */
	void (*abort_parser)(struct strparser *strp, int err);
	/* Lock / unlock hooks for the parser. */
	void (*lock)(struct strparser *strp);
	void (*unlock)(struct strparser *strp);
};
/*
 * Message descriptor exposed to the upper layer; strp_msg() returns a
 * pointer to the instance stored in skb->cb.
 *
 * NOTE(review): field meanings are inferred from their names -- confirm.
 * Both members are signed int, so consumers should range-check them before
 * using them as sizes or offsets.
 */
struct strp_msg {
	int full_len;	/* presumably total length of the message */
	int offset;	/* presumably where the message starts in the skb */
};
/*
 * Internal cb structure.  struct strp_msg must remain the first member:
 * strp_msg() returns the address of this structure (at its offset inside
 * struct sk_skb_cb) typed as a struct strp_msg pointer for the upper layer.
 */
struct _strp_msg {
	struct strp_msg strp;
	int accum_len;	/* presumably bytes accumulated so far -- confirm */
};
/*
 * Layout applied to skb->cb on the sk_skb path.
 *
 * NOTE(review): this layout is position-sensitive.  strp_msg() locates
 * @strp with offsetof(struct sk_skb_cb, strp), and temp_reg is used by
 * bpf_convert_data_end_access, so member offsets are presumably baked into
 * generated BPF instructions.  Nothing in this header checks that the
 * structure fits inside skb->cb; confirm that a build-time size assertion
 * exists elsewhere before adding or reordering members.
 */
struct sk_skb_cb {
#define SK_SKB_CB_PRIV_LEN 20
	/* Private bytes at the start of the cb area; owner not visible here. */
	unsigned char data[SK_SKB_CB_PRIV_LEN];
	/* Stream parser message state; see strp_msg(). */
	struct _strp_msg strp;
	/*
	 * Scratch slot for bpf_convert_data_end_access: holds a register
	 * value temporarily when dst_reg == src_reg.
	 */
	u64 temp_reg;
};
/*
 * Return the stream parser message descriptor kept in @skb's control
 * buffer.  The descriptor sits at offsetof(struct sk_skb_cb, strp) bytes
 * into skb->cb; struct _strp_msg starts with a struct strp_msg, which is
 * why the address can be returned as that type.
 *
 * NOTE(review): no bounds or type check happens here -- the caller must
 * know that skb->cb currently holds a struct sk_skb_cb and that the
 * structure fits in skb->cb (size assertion not visible in this header).
 */
static inline struct strp_msg *strp_msg(struct sk_buff *skb)
{
	void *cb_base = skb->cb;

	return (struct strp_msg *)(cb_base + offsetof(struct sk_skb_cb, strp));
}
/*
 * Structure for an attached lower socket: the state of one stream parser.
 */
struct strparser {
	struct sock *sk;	/* the attached lower socket */

	/*
	 * One-bit state flags.  strp_pause() sets @paused and must be
	 * called with the attached socket's lock held; save_strp_stats()
	 * reads @aborted, @interrupted and @unrecov_intr.
	 *
	 * NOTE(review): adjacent bit-fields normally share one storage
	 * unit, so writing one flag is a read-modify-write of its
	 * neighbours.  Writers presumably all need to be serialised by the
	 * same lock -- confirm for each flag.
	 */
	u32 stopped : 1;
	u32 paused : 1;
	u32 aborted : 1;
	u32 interrupted : 1;
	u32 unrecov_intr : 1;

	/* NOTE(review): the three descriptions below are inferred from names. */
	struct sk_buff **skb_nextp;	/* presumably link slot for the next skb */
	struct sk_buff *skb_head;	/* presumably head of the message being built */
	unsigned int need_bytes;	/* presumably bytes still required */
	struct delayed_work msg_timer_work;
	struct work_struct work;
	struct strp_stats stats;	/* counters, harvested by save_strp_stats() */
	struct strp_callbacks cb;	/* user-supplied hooks */
};
/*
 * Mark @strp as paused by setting its @paused flag.
 *
 * Must be called with lock held for attached socket.  The flag is a
 * bit-field that sits next to the parser's other state bits, so the store
 * is not safe against concurrent unlocked writers of those bits.
 */
static inline void strp_pause(struct strparser *strp)
{
	strp->paused = 1;
}
/* May be called without holding lock for attached socket */
void strp_unpause(struct strparser *strp);
/* Must be called with process lock held (lock_sock) */
void __strp_unpause(struct strparser *strp);
/*
 * Save psock statistics in the mux when psock is being unattached.
 *
 * Adds every counter in @strp->stats to the matching member of @agg_stats,
 * then counts the parser once in aborts / interrupted / unrecov_intr for
 * each of those state flags that is set.  @strp itself is only read.  All
 * counters are unsigned, so the sums wrap rather than trap on overflow.
 */
static inline void save_strp_stats(struct strparser *strp,
				   struct strp_aggr_stats *agg_stats)
{
	const struct strp_stats *src = &strp->stats;

	agg_stats->msgs += src->msgs;
	agg_stats->bytes += src->bytes;
	agg_stats->mem_fail += src->mem_fail;
	agg_stats->need_more_hdr += src->need_more_hdr;
	agg_stats->msg_too_big += src->msg_too_big;
	agg_stats->msg_timeouts += src->msg_timeouts;
	agg_stats->bad_hdr_len += src->bad_hdr_len;

	/* Each flag is a one-bit field, so it contributes 0 or 1. */
	agg_stats->aborts += strp->aborted;
	agg_stats->interrupted += strp->interrupted;
	agg_stats->unrecov_intr += strp->unrecov_intr;
}
/*
 * Add every counter in @stats to the matching counter in @agg_stats.
 *
 * @stats is only read.  All members are unsigned, so the sums wrap rather
 * than trap on overflow.
 */
static inline void aggregate_strp_stats(struct strp_aggr_stats *stats,
					struct strp_aggr_stats *agg_stats)
{
	/* Counters that originate in struct strp_stats. */
	agg_stats->msgs += stats->msgs;
	agg_stats->bytes += stats->bytes;
	agg_stats->mem_fail += stats->mem_fail;
	agg_stats->need_more_hdr += stats->need_more_hdr;
	agg_stats->msg_too_big += stats->msg_too_big;
	agg_stats->msg_timeouts += stats->msg_timeouts;
	agg_stats->bad_hdr_len += stats->bad_hdr_len;

	/* Counters that exist only in the aggregate. */
	agg_stats->aborts += stats->aborts;
	agg_stats->interrupted += stats->interrupted;
	agg_stats->unrecov_intr += stats->unrecov_intr;
}
void strp_done(struct strparser *strp);
void strp_stop(struct strparser *strp);
void strp_check_rcv(struct strparser *strp);
int strp_init(struct strparser *strp, struct sock *sk,
const struct strp_callbacks *cb);
void strp_data_ready(struct strparser *strp);
int strp_process(struct strparser *strp, struct sk_buff *orig_skb,
unsigned int orig_offset, size_t orig_len,
size_t max_msg_size, long timeo);
#endif /* __NET_STRPARSER_H_ */