Message ID | 20170825202714.64ivixeindjph3z6@mwanda |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
On 08/25/2017 10:27 PM, Dan Carpenter wrote:
> "err" is set to zero if bpf_map_area_alloc() fails so it means we return
> ERR_PTR(0) which is NULL. The caller, find_and_alloc_map(), is not
> expecting NULL returns and will oops.
>
> Fixes: 174a79ff9515 ("bpf: sockmap with sk redirect support")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Acked-by: Daniel Borkmann <daniel@iogearbox.net>

On Fri, Aug 25, 2017 at 11:27:14PM +0300, Dan Carpenter wrote:
> "err" is set to zero if bpf_map_area_alloc() fails so it means we return
> ERR_PTR(0) which is NULL. The caller, find_and_alloc_map(), is not
> expecting NULL returns and will oops.
>
> Fixes: 174a79ff9515 ("bpf: sockmap with sk redirect support")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

good catch. Thanks!
Acked-by: Alexei Starovoitov <ast@kernel.org>

On 08/25/2017 01:47 PM, Daniel Borkmann wrote:
> On 08/25/2017 10:27 PM, Dan Carpenter wrote:
>> "err" is set to zero if bpf_map_area_alloc() fails so it means we return
>> ERR_PTR(0) which is NULL. The caller, find_and_alloc_map(), is not
>> expecting NULL returns and will oops.
>>
>> Fixes: 174a79ff9515 ("bpf: sockmap with sk redirect support")
>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> Acked-by: Daniel Borkmann <daniel@iogearbox.net>

Thanks.

Acked-by: John Fastabend <john.fastabend@gmail.com>

From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri, 25 Aug 2017 23:27:14 +0300

> "err" is set to zero if bpf_map_area_alloc() fails so it means we return
> ERR_PTR(0) which is NULL. The caller, find_and_alloc_map(), is not
> expecting NULL returns and will oops.
>
> Fixes: 174a79ff9515 ("bpf: sockmap with sk redirect support")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Applied.

diff --git a/kernel/bpf/sockmap.c b/kernel/bpf/sockmap.c index 78b2bb9370ac..a11b9f52ea4a 100644 --- a/kernel/bpf/sockmap.c +++ b/kernel/bpf/sockmap.c @@ -497,6 +497,7 @@ static struct bpf_map *sock_map_alloc(union bpf_attr *attr) if (err) goto free_stab; + err = -ENOMEM; stab->sock_map = bpf_map_area_alloc(stab->map.max_entries * sizeof(struct sock *), stab->map.numa_node);
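Review bot: In sock_map_alloc(), the added `err = -ENOMEM;` is placed before the bpf_map_area_alloc() call rather than in its failure branch, so err still holds -ENOMEM after the allocation succeeds. The hunk does not show the code that follows; if any later path reaches free_stab without assigning err again, it would report -ENOMEM for an unrelated failure. Consider assigning err where the NULL result is detected, or confirm that every later error path sets err itself. Separately, the size argument `stab->map.max_entries * sizeof(struct sock *)` is computed inline and the visible lines show no bound on max_entries, so it is worth confirming the multiplication cannot wrap before it reaches the allocator.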
"err" is set to zero if bpf_map_area_alloc() fails so it means we return
ERR_PTR(0) which is NULL. The caller, find_and_alloc_map(), is not
expecting NULL returns and will oops.

Fixes: 174a79ff9515 ("bpf: sockmap with sk redirect support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
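The failure mode the commit message describes, modeled in userspace as an added example (not code from the patch or the kernel tree): ERR_PTR(0) is NULL, and a caller that only tests IS_ERR() lets it through. The `demo_*` names and `null_reaches_caller()` are hypothetical stand-ins, and the ERR_PTR()/IS_ERR() helpers are simplified re-implementations of the kernel's.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model of the kernel's ERR_PTR()/IS_ERR() helpers (linux/err.h). */
#define MAX_ERRNO 4095
static void *ERR_PTR(long error) { return (void *)error; }
static long PTR_ERR(const void *ptr) { return (long)ptr; }
static int IS_ERR(const void *ptr) { return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO; }

struct demo_map { void **slots; };	/* hypothetical stand-in for the sockmap state */

/* Hypothetical stand-in for bpf_map_area_alloc() that can be forced to fail. */
static void *demo_area_alloc(size_t size, int fail)
{
	return fail ? NULL : calloc(1, size);
}

/* patched = 0 models the code before the patch, 1 the code after it. */
static struct demo_map *demo_map_alloc(int fail_area, int patched)
{
	struct demo_map *m = calloc(1, sizeof(*m));
	int err = 0;			/* earlier setup steps succeeded, so err is 0 here */

	if (!m)
		return ERR_PTR(-ENOMEM);
	if (patched)
		err = -ENOMEM;		/* the assignment the patch adds */
	m->slots = demo_area_alloc(16 * sizeof(void *), fail_area);
	if (!m->slots)
		goto free_map;
	return m;
free_map:
	free(m);
	return ERR_PTR(err);		/* ERR_PTR(0) is NULL */
}

/* Caller that only tests IS_ERR(): returns 1 if NULL would slip through. */
static int null_reaches_caller(int patched)
{
	struct demo_map *m = demo_map_alloc(1, patched);
	return !IS_ERR(m) && m == NULL;
}

int main(void)
{
	printf("before: NULL slips through=%d; after: PTR_ERR=%ld\n",
	       null_reaches_caller(0), PTR_ERR(demo_map_alloc(1, 1)));
	return 0;
}
```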