bpf: Use kvmalloc for map keys in syscalls

Same as previous patch but for the keys. memdup_bpfptr is renamed
to kvmemdup_bpfptr (and converted to kvmalloc).

Signed-off-by: Stanislav Fomichev <sdf@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Song Liu <songliubraving@fb.com>
Link: https://lore.kernel.org/bpf/20210818235216.1159202-2-sdf@google.com
This commit is contained in:
Stanislav Fomichev 2021-08-18 16:52:16 -07:00 committed by Daniel Borkmann
parent f0dce1d9b7
commit 44779a4b85
2 changed files with 27 additions and 19 deletions

View File

@ -62,9 +62,17 @@ static inline int copy_to_bpfptr_offset(bpfptr_t dst, size_t offset,
return copy_to_sockptr_offset((sockptr_t) dst, offset, src, size); return copy_to_sockptr_offset((sockptr_t) dst, offset, src, size);
} }
static inline void *memdup_bpfptr(bpfptr_t src, size_t len) static inline void *kvmemdup_bpfptr(bpfptr_t src, size_t len)
{ {
return memdup_sockptr((sockptr_t) src, len); void *p = kvmalloc(len, GFP_USER | __GFP_NOWARN);
if (!p)
return ERR_PTR(-ENOMEM);
if (copy_from_bpfptr(p, src, len)) {
kvfree(p);
return ERR_PTR(-EFAULT);
}
return p;
} }
static inline long strncpy_from_bpfptr(char *dst, bpfptr_t src, size_t count) static inline long strncpy_from_bpfptr(char *dst, bpfptr_t src, size_t count)

View File

@ -1013,7 +1013,7 @@ int __weak bpf_stackmap_copy(struct bpf_map *map, void *key, void *value)
static void *__bpf_copy_key(void __user *ukey, u64 key_size) static void *__bpf_copy_key(void __user *ukey, u64 key_size)
{ {
if (key_size) if (key_size)
return memdup_user(ukey, key_size); return vmemdup_user(ukey, key_size);
if (ukey) if (ukey)
return ERR_PTR(-EINVAL); return ERR_PTR(-EINVAL);
@ -1024,7 +1024,7 @@ static void *__bpf_copy_key(void __user *ukey, u64 key_size)
static void *___bpf_copy_key(bpfptr_t ukey, u64 key_size) static void *___bpf_copy_key(bpfptr_t ukey, u64 key_size)
{ {
if (key_size) if (key_size)
return memdup_bpfptr(ukey, key_size); return kvmemdup_bpfptr(ukey, key_size);
if (!bpfptr_is_null(ukey)) if (!bpfptr_is_null(ukey))
return ERR_PTR(-EINVAL); return ERR_PTR(-EINVAL);
@ -1093,7 +1093,7 @@ static int map_lookup_elem(union bpf_attr *attr)
free_value: free_value:
kvfree(value); kvfree(value);
free_key: free_key:
kfree(key); kvfree(key);
err_put: err_put:
fdput(f); fdput(f);
return err; return err;
@ -1153,7 +1153,7 @@ static int map_update_elem(union bpf_attr *attr, bpfptr_t uattr)
free_value: free_value:
kvfree(value); kvfree(value);
free_key: free_key:
kfree(key); kvfree(key);
err_put: err_put:
fdput(f); fdput(f);
return err; return err;
@ -1205,7 +1205,7 @@ static int map_delete_elem(union bpf_attr *attr)
bpf_enable_instrumentation(); bpf_enable_instrumentation();
maybe_wait_bpf_programs(map); maybe_wait_bpf_programs(map);
out: out:
kfree(key); kvfree(key);
err_put: err_put:
fdput(f); fdput(f);
return err; return err;
@ -1247,7 +1247,7 @@ static int map_get_next_key(union bpf_attr *attr)
} }
err = -ENOMEM; err = -ENOMEM;
next_key = kmalloc(map->key_size, GFP_USER); next_key = kvmalloc(map->key_size, GFP_USER);
if (!next_key) if (!next_key)
goto free_key; goto free_key;
@ -1270,9 +1270,9 @@ out:
err = 0; err = 0;
free_next_key: free_next_key:
kfree(next_key); kvfree(next_key);
free_key: free_key:
kfree(key); kvfree(key);
err_put: err_put:
fdput(f); fdput(f);
return err; return err;
@ -1299,7 +1299,7 @@ int generic_map_delete_batch(struct bpf_map *map,
if (!max_count) if (!max_count)
return 0; return 0;
key = kmalloc(map->key_size, GFP_USER | __GFP_NOWARN); key = kvmalloc(map->key_size, GFP_USER | __GFP_NOWARN);
if (!key) if (!key)
return -ENOMEM; return -ENOMEM;
@ -1326,7 +1326,7 @@ int generic_map_delete_batch(struct bpf_map *map,
if (copy_to_user(&uattr->batch.count, &cp, sizeof(cp))) if (copy_to_user(&uattr->batch.count, &cp, sizeof(cp)))
err = -EFAULT; err = -EFAULT;
kfree(key); kvfree(key);
return err; return err;
} }
@ -1357,13 +1357,13 @@ int generic_map_update_batch(struct bpf_map *map,
if (!max_count) if (!max_count)
return 0; return 0;
key = kmalloc(map->key_size, GFP_USER | __GFP_NOWARN); key = kvmalloc(map->key_size, GFP_USER | __GFP_NOWARN);
if (!key) if (!key)
return -ENOMEM; return -ENOMEM;
value = kvmalloc(value_size, GFP_USER | __GFP_NOWARN); value = kvmalloc(value_size, GFP_USER | __GFP_NOWARN);
if (!value) { if (!value) {
kfree(key); kvfree(key);
return -ENOMEM; return -ENOMEM;
} }
@ -1385,7 +1385,7 @@ int generic_map_update_batch(struct bpf_map *map,
err = -EFAULT; err = -EFAULT;
kvfree(value); kvfree(value);
kfree(key); kvfree(key);
return err; return err;
} }
@ -1419,13 +1419,13 @@ int generic_map_lookup_batch(struct bpf_map *map,
if (put_user(0, &uattr->batch.count)) if (put_user(0, &uattr->batch.count))
return -EFAULT; return -EFAULT;
buf_prevkey = kmalloc(map->key_size, GFP_USER | __GFP_NOWARN); buf_prevkey = kvmalloc(map->key_size, GFP_USER | __GFP_NOWARN);
if (!buf_prevkey) if (!buf_prevkey)
return -ENOMEM; return -ENOMEM;
buf = kvmalloc(map->key_size + value_size, GFP_USER | __GFP_NOWARN); buf = kvmalloc(map->key_size + value_size, GFP_USER | __GFP_NOWARN);
if (!buf) { if (!buf) {
kfree(buf_prevkey); kvfree(buf_prevkey);
return -ENOMEM; return -ENOMEM;
} }
@ -1485,7 +1485,7 @@ int generic_map_lookup_batch(struct bpf_map *map,
err = -EFAULT; err = -EFAULT;
free_buf: free_buf:
kfree(buf_prevkey); kvfree(buf_prevkey);
kvfree(buf); kvfree(buf);
return err; return err;
} }
@ -1575,7 +1575,7 @@ static int map_lookup_and_delete_elem(union bpf_attr *attr)
free_value: free_value:
kvfree(value); kvfree(value);
free_key: free_key:
kfree(key); kvfree(key);
err_put: err_put:
fdput(f); fdput(f);
return err; return err;