1. 14 Jun, 2022 4 commits
  2. 11 Jun, 2022 3 commits
  3. 09 Jun, 2022 3 commits
  4. 07 Jun, 2022 18 commits
  5. 03 Jun, 2022 5 commits
  6. 02 Jun, 2022 7 commits
    • Wang Yufen's avatar
      bpf, sockmap: Fix sk->sk_forward_alloc warn_on in sk_stream_kill_queues · d8616ee2
      Wang Yufen authored
      During TCP sockmap redirect pressure test, the following warning is triggered:
      
      WARNING: CPU: 3 PID: 2145 at net/core/stream.c:205 sk_stream_kill_queues+0xbc/0xd0
      CPU: 3 PID: 2145 Comm: iperf Kdump: loaded Tainted: G        W         5.10.0+ #9
      Call Trace:
       inet_csk_destroy_sock+0x55/0x110
       inet_csk_listen_stop+0xbb/0x380
       tcp_close+0x41b/0x480
       inet_release+0x42/0x80
       __sock_release+0x3d/0xa0
       sock_close+0x11/0x20
       __fput+0x9d/0x240
       task_work_run+0x62/0x90
       exit_to_user_mode_prepare+0x110/0x120
       syscall_exit_to_user_mode+0x27/0x190
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      The reason we observed is that:
      
      When the listener is closing, a connection may have completed the three-way
      handshake but not accepted, and the client has sent some packets. The child
      sks in accept queue release by inet_child_forget()->inet_csk_destroy_sock(),
      but psocks of child sks have not released.
      
      To fix, add sock_map_destroy to release psocks.
      Signed-off-by: default avatarWang Yufen <wangyufen@huawei.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
      Acked-by: default avatarJakub Sitnicki <jakub@cloudflare.com>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Link: https://lore.kernel.org/bpf/20220524075311.649153-1-wangyufen@huawei.com
      d8616ee2
    • Lorenzo Bianconi's avatar
      sample: bpf: xdp_router_ipv4: Allow the kernel to send arp requests · 200a89e3
      Lorenzo Bianconi authored
      Forward the packet to the kernel if the gw router mac address is missing
      in to trigger ARP discovery.
      
      Fixes: 85bf1f51 ("samples: bpf: Convert xdp_router_ipv4 to XDP samples helper")
      Signed-off-by: default avatarLorenzo Bianconi <lorenzo@kernel.org>
      Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
      Link: https://lore.kernel.org/bpf/60bde5496d108089080504f58199bcf1143ea938.1653471558.git.lorenzo@kernel.org
      200a89e3
    • Douglas Raillard's avatar
      libbpf: Fix determine_ptr_size() guessing · 610cd93b
      Douglas Raillard authored
      One strategy employed by libbpf to guess the pointer size is by finding
      the size of "unsigned long" type. This is achieved by looking for a type
      of with the expected name and checking its size.
      
      Unfortunately, the C syntax is friendlier to humans than to computers
      as there is some variety in how such a type can be named. Specifically,
      gcc and clang do not use the same names for integer types in debug info:
      
          - clang uses "unsigned long"
          - gcc uses "long unsigned int"
      
      Lookup all the names for such a type so that libbpf can hope to find the
      information it wants.
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
      Acked-by: default avatarYonghong Song <yhs@fb.com>
      Link: https://lore.kernel.org/bpf/20220524094447.332186-1-douglas.raillard@arm.com
      610cd93b
    • Tadeusz Struk's avatar
      bpf: Fix KASAN use-after-free Read in compute_effective_progs · 4c46091e
      Tadeusz Struk authored
      Syzbot found a Use After Free bug in compute_effective_progs().
      The reproducer creates a number of BPF links, and causes a fault
      injected alloc to fail, while calling bpf_link_detach on them.
      Link detach triggers the link to be freed by bpf_link_free(),
      which calls __cgroup_bpf_detach() and update_effective_progs().
      If the memory allocation in this function fails, the function restores
      the pointer to the bpf_cgroup_link on the cgroup list, but the memory
      gets freed just after it returns. After this, every subsequent call to
      update_effective_progs() causes this already deallocated pointer to be
      dereferenced in prog_list_length(), and triggers KASAN UAF error.
      
      To fix this issue don't preserve the pointer to the prog or link in the
      list, but remove it and replace it with a dummy prog without shrinking
      the table. The subsequent call to __cgroup_bpf_detach() or
      __cgroup_bpf_detach() will correct it.
      
      Fixes: af6eea57 ("bpf: Implement bpf_link-based cgroup BPF program attachment")
      Reported-by: <syzbot+f264bffdfbd5614f3bb2@syzkaller.appspotmail.com>
      Signed-off-by: default avatarTadeusz Struk <tadeusz.struk@linaro.org>
      Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
      Cc: <stable@vger.kernel.org>
      Link: https://syzkaller.appspot.com/bug?id=8ebf179a95c2a2670f7cf1ba62429ec044369db4
      Link: https://lore.kernel.org/bpf/20220517180420.87954-1-tadeusz.struk@linaro.org
      4c46091e
    • Michael Mullin's avatar
      bpftool: Check for NULL ptr of btf in codegen_asserts · de4b4b94
      Michael Mullin authored
      bpf_object__btf() can return a NULL value.  If bpf_object__btf returns
      null, do not progress through codegen_asserts(). This avoids a null ptr
      dereference at the call btf__type_cnt() in the function find_type_for_map()
      Signed-off-by: default avatarMichael Mullin <masmullin@gmail.com>
      Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
      Link: https://lore.kernel.org/bpf/20220523194917.igkgorco42537arb@jup
      de4b4b94
    • Yuntao Wang's avatar
      selftests/bpf: Fix test_run logic in fexit_stress.c · eb7b36ce
      Yuntao Wang authored
      In the commit da00d2f1 ("bpf: Add test ops for BPF_PROG_TYPE_TRACING"),
      the bpf_fentry_test1 function was moved into bpf_prog_test_run_tracing(),
      which is the test_run function of the tracing BPF programs.
      
      Thus calling 'bpf_prog_test_run_opts(filter_fd, &topts)' will not trigger
      bpf_fentry_test1 function as filter_fd is a sk_filter BPF program.
      
      Fix it by replacing filter_fd with fexit_fd in the bpf_prog_test_run_opts()
      function.
      
      Fixes: da00d2f1 ("bpf: Add test ops for BPF_PROG_TYPE_TRACING")
      Signed-off-by: default avatarYuntao Wang <ytcoode@gmail.com>
      Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
      Link: https://lore.kernel.org/bpf/20220521151329.648013-1-ytcoode@gmail.com
      eb7b36ce
    • Andrii Nakryiko's avatar
      Merge branch 'libbpf: Textual representation of enums' · f7abbecd
      Andrii Nakryiko authored
      Daniel Müller says:
      
      ====================
      
      This patch set introduces the means for querying a textual representation of
      the following BPF related enum types:
      - enum bpf_map_type
      - enum bpf_prog_type
      - enum bpf_attach_type
      - enum bpf_link_type
      
      To make that possible, we introduce a new public function for each of the types:
      libbpf_bpf_<type>_type_str.
      
      Having a way to query a textual representation has been asked for in the past
      (by systemd, among others). Such representations can generally be useful in
      tracing and logging contexts, among others. At this point, at least one client,
      bpftool, maintains such a mapping manually, which is prone to get out of date as
      new enum variants are introduced. libbpf is arguably best situated to keep this
      list complete and up-to-date. This patch series adds BTF based tests to ensure
      that exhaustiveness is upheld moving forward.
      
      The libbpf provided textual representation can be inferred from the
      corresponding enum variant name by removing the prefix and lowercasing the
      remainder. E.g., BPF_PROG_TYPE_SOCKET_FILTER -> socket_filter. Unfortunately,
      bpftool does not use such a programmatic approach for some of the
      bpf_attach_type variants. We decided in favor of changing its behavior to work
      with libbpf representations. However, for user inputs, specifically, we do
      maintain support for the traditionally used names around (please see patch
      "bpftool: Use libbpf_bpf_attach_type_str").
      
      The patch series is structured as follows:
      - for each enumeration type in {bpf_prog_type, bpf_map_type, bpf_attach_type,
        bpf_link_type}:
        - we first introduce the corresponding public libbpf API function
        - we then add BTF based self-tests
        - we lastly adjust bpftool to use the libbpf provided functionality
      Signed-off-by: default avatarDaniel Müller <deso@posteo.net>
      Cc: Quentin Monnet <quentin@isovalent.com>
      ---
      Changelog:
      v3 -> v4:
      - use full string comparison for newly added attach types
      - switched away from erroneously used kdoc-style comments
      - removed unused prog_types variable and containing section from
        test_bpftool_synctypes.py
      - adjusted wording in documentation of get_types_from_array function
      - split various test_bpftool_synctypes.py changes into commits where they are
        required to eliminate temporary failures of this test
      
      v2 -> v3:
      - use LIBBPF_1.0.0 section in libbpf.map for newly added exports
      
      v1 -> v2:
      - adjusted bpftool to work with algorithmically determined attach types as
        libbpf now uses (just removed prefix from enum name and lowercased the rest)
        - adjusted tests, man page, and completion script to work with the new names
        - renamed bpf_attach_type_str -> bpf_attach_type_input_str
        - for input: added special cases that accept the traditionally used strings as
          well
      - changed 'char const *' -> 'const char *'
      ====================
      Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
      f7abbecd