author | Alexei Starovoitov | 2019-03-13 12:04:35 -0700 |
---|---|---|
committer | Alexei Starovoitov | 2019-03-13 12:04:36 -0700 |
commit | f48a920504e516bded420255946f8e1cb8a0944a (patch) | |
tree | 31578584bffd05a9c77b22211ec37e648f113a40 /tools/lib | |
parent | 6bf21b54a596d60905cfc7e8af8e2fe16d9fe7e9 (diff) | |
parent | 7681e7b2fbe2a78806423810c0d84dd230b96f94 (diff) |
Merge branch 'fix-fullsock-access-after-bpf_sk_release'

Martin KaFai Lau says:

====================
This set addresses issue about accessing invalid
ptr returned from bpf_tcp_sock() and bpf_sk_fullsock()
after bpf_sk_release().

v4:
- Tried the one "id" approach. It does not work well and the reason is in
  the Patch 1 commit message.
- Rename refcount_id to ref_obj_id.
- With ref_obj_id, resetting reg->id to 0 is fine in mark_ptr_or_null_reg()
  because ref_obj_id is passed to release_reference() instead of reg->id.
- Also reset reg->ref_obj_id in mark_ptr_or_null_reg() when is_null == true
- sk_to_full_sk() is removed from bpf_sk_fullsock() and bpf_tcp_sock().
- bpf_get_listener_sock() is added to do sk_to_full_sk() in Patch 2.
- If tp is from bpf_tcp_sock(sk) and sk is a refcounted ptr,
  bpf_sk_release(tp) is also allowed.

v3:
- reset reg->refcount_id for the is_null case in mark_ptr_or_null_reg()

v2:
- Remove refcount_id arg from release_reference() because
  id == refcount_id
- Add a WARN_ON_ONCE to mark_ptr_or_null_regs() to catch
  an internal verifier bug.
====================

Signed-off-by: Alexei Starovoitov <ast@kernel.org>

Diffstat (limited to 'tools/lib')
0 files changed, 0 insertions, 0 deletions