From patchwork Fri May 4 14:27:53 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Daniel Borkmann X-Patchwork-Id: 908782 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=iogearbox.net Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 40cvWG1sNmz9s3D for ; Sat, 5 May 2018 00:28:10 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751495AbeEDO2I (ORCPT ); Fri, 4 May 2018 10:28:08 -0400 Received: from www62.your-server.de ([213.133.104.62]:43950 "EHLO www62.your-server.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751001AbeEDO2H (ORCPT ); Fri, 4 May 2018 10:28:07 -0400 Received: from [62.202.221.10] (helo=localhost) by www62.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.85_2) (envelope-from ) id 1fEbgr-0001QH-QZ; Fri, 04 May 2018 16:28:05 +0200 From: Daniel Borkmann To: alexei.starovoitov@gmail.com Cc: netdev@vger.kernel.org, Daniel Borkmann , =?utf-8?b?QmrDtnJuIFTDtnBlbA==?= Subject: [PATCH bpf-next] bpf, xskmap: fix crash in xsk_map_alloc error path handling Date: Fri, 4 May 2018 16:27:53 +0200 Message-Id: <20180504142753.10621-1-daniel@iogearbox.net> X-Mailer: git-send-email 2.9.5 MIME-Version: 1.0 X-Authenticated-Sender: daniel@iogearbox.net X-Virus-Scanned: Clear (ClamAV 0.99.3/24539/Fri May 4 14:33:05 2018) Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org If bpf_map_precharge_memlock() did not fail, then we set err to zero. However, any subsequent failure from either alloc_percpu() or the bpf_map_area_alloc() will return ERR_PTR(0) which in find_and_alloc_map() will cause NULL pointer deref. In devmap we have the convention that we return -EINVAL on page count overflow, so keep the same logic here and just set err to -ENOMEM after successful bpf_map_precharge_memlock(). Fixes: fbfc504a24f5 ("bpf: introduce new bpf AF_XDP map type BPF_MAP_TYPE_XSKMAP") Signed-off-by: Daniel Borkmann Cc: Björn Töpel Acked-by: David S. Miller --- kernel/bpf/xskmap.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/bpf/xskmap.c b/kernel/bpf/xskmap.c index 869dbb1..cb3a121 100644 --- a/kernel/bpf/xskmap.c +++ b/kernel/bpf/xskmap.c @@ -56,6 +56,8 @@ static struct bpf_map *xsk_map_alloc(union bpf_attr *attr) if (err) goto free_m; + err = -ENOMEM; + m->flush_list = alloc_percpu(struct list_head); if (!m->flush_list) goto free_m;