Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 105bc130 authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 

Daniel Borkmann says:

====================
pull-request: bpf-next 2018-09-25

The following pull-request contains BPF updates for your *net-next* tree.

The main changes are:

1) Allow for RX stack hardening by implementing the kernel's flow
   dissector in BPF. Idea was originally presented at netconf 2017 [0].
   Quote from merge commit:

     [...] Because of the rigorous checks of the BPF verifier, this
     provides significant security guarantees. In particular, the BPF
     flow dissector cannot get inside of an infinite loop, as with
     CVE-2013-4348, because BPF programs are guaranteed to terminate.
     It cannot read outside of packet bounds, because all memory accesses
     are checked. Also, with BPF the administrator can decide which
     protocols to support, reducing potential attack surface. Rarely
     encountered protocols can be excluded from dissection and the
     program can be updated without kernel recompile or reboot if a
     bug is discovered. [...]

   Also, a sample flow dissector has been implemented in BPF as part
   of this work, from Petar and Willem.

   [0] http://vger.kernel.org/netconf2017_files/rx_hardening_and_udp_gso.pdf



2) Add support for bpftool to list currently active attachment
   points of BPF networking programs providing a quick overview
   similar to bpftool's perf subcommand, from Yonghong.

3) Fix a verifier pruning instability bug where a union member
   from the register state was not cleared properly leading to
   branches not being pruned despite them being valid candidates,
   from Alexei.

4) Various smaller fast-path optimizations in XDP's map redirect
   code, from Jesper.

5) Enable to recognize BPF_MAP_TYPE_REUSEPORT_SOCKARRAY maps
   in bpftool, from Roman.

6) Remove a duplicate check in libbpf that probes for function
   storage, from Taeung.

7) Fix an issue in test_progs by avoid checking for errno since
   on success its value should not be checked, from Mauricio.

8) Fix unused variable warning in bpf_getsockopt() helper when
   CONFIG_INET is not configured, from Anders.

9) Fix a compilation failure in the BPF sample code's use of
   bpf_flow_keys, from Prashant.

10) Minor cleanups in BPF code, from Yue and Zhong.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 3475372f d0e13a14

include/linux/bpf.h

+1 −0
Original line number Diff line number Diff line
@@ -212,6 +212,7 @@ enum bpf_reg_type { 
	PTR_TO_PACKET_META,	 /* skb->data - meta_len */

	PTR_TO_PACKET,		 /* reg points to skb->data */

	PTR_TO_PACKET_END,	 /* skb->data + headlen */

	PTR_TO_FLOW_KEYS,	 /* reg points to bpf_flow_keys */

};



/* The information passed from prog-specific *_is_valid_access

include/linux/bpf_types.h

+1 −0
Original line number Diff line number Diff line
@@ -16,6 +16,7 @@ BPF_PROG_TYPE(BPF_PROG_TYPE_LWT_SEG6LOCAL, lwt_seg6local) 
BPF_PROG_TYPE(BPF_PROG_TYPE_SOCK_OPS, sock_ops)

BPF_PROG_TYPE(BPF_PROG_TYPE_SK_SKB, sk_skb)

BPF_PROG_TYPE(BPF_PROG_TYPE_SK_MSG, sk_msg)

BPF_PROG_TYPE(BPF_PROG_TYPE_FLOW_DISSECTOR, flow_dissector)

#endif

#ifdef CONFIG_BPF_EVENTS

BPF_PROG_TYPE(BPF_PROG_TYPE_KPROBE, kprobe)

include/linux/skbuff.h

+20 −0
Original line number Diff line number Diff line
@@ -243,6 +243,8 @@ struct scatterlist; 
struct pipe_inode_info;

struct iov_iter;

struct napi_struct;

struct bpf_prog;

union bpf_attr;



#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)

struct nf_conntrack {
@@ -1192,6 +1194,24 @@ void skb_flow_dissector_init(struct flow_dissector *flow_dissector, 
			     const struct flow_dissector_key *key,

			     unsigned int key_count);



#ifdef CONFIG_NET

int skb_flow_dissector_bpf_prog_attach(const union bpf_attr *attr,

				       struct bpf_prog *prog);



int skb_flow_dissector_bpf_prog_detach(const union bpf_attr *attr);

#else

static inline int skb_flow_dissector_bpf_prog_attach(const union bpf_attr *attr,

						     struct bpf_prog *prog)

{

	return -EOPNOTSUPP;

}



static inline int skb_flow_dissector_bpf_prog_detach(const union bpf_attr *attr)

{

	return -EOPNOTSUPP;

}

#endif



bool __skb_flow_dissect(const struct sk_buff *skb,

			struct flow_dissector *flow_dissector,

			void *target_container,

include/net/net_namespace.h

+3 −0
Original line number Diff line number Diff line
@@ -43,6 +43,7 @@ struct ctl_table_header; 
struct net_generic;

struct uevent_sock;

struct netns_ipvs;

struct bpf_prog;





#define NETDEV_HASHBITS    8
@@ -145,6 +146,8 @@ struct net { 
#endif

	struct net_generic __rcu	*gen;



	struct bpf_prog __rcu	*flow_dissector_prog;



	/* Note : following structs are cache line aligned */

#ifdef CONFIG_XFRM

	struct netns_xfrm	xfrm;

include/net/sch_generic.h

+9 −3
Original line number Diff line number Diff line
@@ -19,6 +19,7 @@ struct Qdisc_ops; 
struct qdisc_walker;

struct tcf_walker;

struct module;

struct bpf_flow_keys;



typedef int tc_setup_cb_t(enum tc_setup_type type,

			  void *type_data, void *cb_priv);
@@ -321,9 +322,14 @@ struct tcf_proto { 
};



struct qdisc_skb_cb {

	union {

		struct {

			unsigned int		pkt_len;

			u16			slave_dev_queue_mapping;

			u16			tc_classid;

		};

		struct bpf_flow_keys *flow_keys;

	};

#define QDISC_CB_PRIV_LEN 20

	unsigned char		data[QDISC_CB_PRIV_LEN];

};