Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next

Martin KaFai Lau says:

====================
pull-request: bpf-next 2025-07-24

We've added 3 non-merge commits during the last 3 day(s) which contain
a total of 4 files changed, 40 insertions(+), 15 deletions(-).

The main changes are:

1) Improved verifier error message for incorrect narrower load from
pointer field in ctx, from Paul Chaignon.

2) Disabled migration in nf_hook_run_bpf to address a syzbot report,
from Kuniyuki Iwashima.

* tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next:
selftests/bpf: Test invalid narrower ctx load
bpf: Reject narrower access to pointer ctx fields
bpf: Disable migration in nf_hook_run_bpf().
====================

Link: https://patch.msgid.link/20250724173306.3578483-1-martin.lau@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+40 -15
+4 -4
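--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -2440,22 +2440,22 @@
 }
 
 switch (off) {
-case offsetof(struct bpf_sockopt, sk):
+case bpf_ctx_range_ptr(struct bpf_sockopt, sk):
 if (size != sizeof(__u64))
 return false;
 info->reg_type = PTR_TO_SOCKET;
 break;
-case offsetof(struct bpf_sockopt, optval):
+case bpf_ctx_range_ptr(struct bpf_sockopt, optval):
 if (size != sizeof(__u64))
 return false;
 info->reg_type = PTR_TO_PACKET;
 break;
-case offsetof(struct bpf_sockopt, optval_end):
+case bpf_ctx_range_ptr(struct bpf_sockopt, optval_end):
 if (size != sizeof(__u64))
 return false;
 info->reg_type = PTR_TO_PACKET_END;
 break;
-case offsetof(struct bpf_sockopt, retval):
+case bpf_ctx_range(struct bpf_sockopt, retval):
 if (size != size_default)
 return false;
 return prog->expected_attach_type == BPF_CGROUP_GETSOCKOPT;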
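Review bot: Nothing in this switch says why the pointer fields use `bpf_ctx_range_ptr()` while `retval` uses `bpf_ctx_range()`, so a later edit could turn a label back into `offsetof()` without noticing the difference. An `offsetof()` label matches only the field's first byte, which would let an access at an interior offset fall through to the default branch (not visible in this hunk) instead of failing the size check. A comment above `switch (off)` would record that, for example `/* Range labels: any offset inside a pointer field must hit its case and fail the size check. */`. The enclosing function starts and ends outside the hunk.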
+10 -10
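--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -8699,7 +8699,7 @@
 if (size != sizeof(__u64))
 return false;
 break;
-case offsetof(struct __sk_buff, sk):
+case bpf_ctx_range_ptr(struct __sk_buff, sk):
 if (type == BPF_WRITE || size != sizeof(__u64))
 return false;
 info->reg_type = PTR_TO_SOCK_COMMON_OR_NULL;
@@ -9277,7 +9277,7 @@
 return false;
 }
 break;
-case offsetof(struct bpf_sock_addr, sk):
+case bpf_ctx_range_ptr(struct bpf_sock_addr, sk):
 if (type != BPF_READ)
 return false;
 if (size != sizeof(__u64))
@@ -9327,17 +9327,17 @@
 if (size != sizeof(__u64))
 return false;
 break;
-case offsetof(struct bpf_sock_ops, sk):
+case bpf_ctx_range_ptr(struct bpf_sock_ops, sk):
 if (size != sizeof(__u64))
 return false;
 info->reg_type = PTR_TO_SOCKET_OR_NULL;
 break;
-case offsetof(struct bpf_sock_ops, skb_data):
+case bpf_ctx_range_ptr(struct bpf_sock_ops, skb_data):
 if (size != sizeof(__u64))
 return false;
 info->reg_type = PTR_TO_PACKET;
 break;
-case offsetof(struct bpf_sock_ops, skb_data_end):
+case bpf_ctx_range_ptr(struct bpf_sock_ops, skb_data_end):
 if (size != sizeof(__u64))
 return false;
 info->reg_type = PTR_TO_PACKET_END;
@@ -9346,7 +9346,7 @@
 bpf_ctx_record_field_size(info, size_default);
 return bpf_ctx_narrow_access_ok(off, size,
 size_default);
-case offsetof(struct bpf_sock_ops, skb_hwtstamp):
+case bpf_ctx_range(struct bpf_sock_ops, skb_hwtstamp):
 if (size != sizeof(__u64))
 return false;
 break;
@@ -9416,17 +9416,17 @@
 return false;
 
 switch (off) {
-case offsetof(struct sk_msg_md, data):
+case bpf_ctx_range_ptr(struct sk_msg_md, data):
 info->reg_type = PTR_TO_PACKET;
 if (size != sizeof(__u64))
 return false;
 break;
-case offsetof(struct sk_msg_md, data_end):
+case bpf_ctx_range_ptr(struct sk_msg_md, data_end):
 info->reg_type = PTR_TO_PACKET_END;
 if (size != sizeof(__u64))
 return false;
 break;
-case offsetof(struct sk_msg_md, sk):
+case bpf_ctx_range_ptr(struct sk_msg_md, sk):
 if (size != sizeof(__u64))
 return false;
 info->reg_type = PTR_TO_SOCKET;
@@ -11632,7 +11632,7 @@
 return false;
 
 switch (off) {
-case offsetof(struct bpf_sk_lookup, sk):
+case bpf_ctx_range_ptr(struct bpf_sk_lookup, sk):
 info->reg_type = PTR_TO_SOCKET_OR_NULL;
 return size == sizeof(__u64);
 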
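Review bot: In the `sk_msg_md` `data` and `data_end` cases, `info->reg_type` is written before the size check, whereas the `sk` case directly below and the `bpf_sock_ops` cases validate the size first. With range labels these two cases now also catch offsets inside the field, so more rejected accesses pass through the assignment before `return false`. This is probably harmless if the caller discards `info` on failure, which is not visible here, but checking first keeps the pointer cases uniform: move `if (size != sizeof(__u64)) return false;` above `info->reg_type = PTR_TO_PACKET;`, and likewise for `PTR_TO_PACKET_END`. The enclosing functions start and end outside these hunks.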
+1 -1
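--- a/net/netfilter/nf_bpf_link.c
+++ b/net/netfilter/nf_bpf_link.c
@@ -17,7 +17,7 @@
 .skb = skb,
 };
 
-return bpf_prog_run(prog, &ctx);
+return bpf_prog_run_pin_on_cpu(prog, &ctx);
 }
 
 struct bpf_nf_link {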
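Review bot: The call to `bpf_prog_run_pin_on_cpu()` has no comment explaining why this caller needs pinning, and the hunk does not show what context the hook runs in. The pull-request text links the change to a syzbot report about migration, so a short comment above the return would keep the call from being simplified back to `bpf_prog_run()` later. Something like `/* The hook can presumably be entered with migration enabled; keep the program on one CPU for the run. */` would do, with the wording confirmed against the report. The function begins above the hunk.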
+25
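--- a/tools/testing/selftests/bpf/progs/verifier_ctx.c
+++ b/tools/testing/selftests/bpf/progs/verifier_ctx.c
@@ -218,4 +218,29 @@
 : __clobber_all);
 }
 
+#define narrow_load(type, ctx, field) \
+SEC(type) \
+__description("narrow load on field " #field " of " #ctx) \
+__failure __msg("invalid bpf_context access") \
+__naked void invalid_narrow_load##ctx##field(void) \
+{ \
+asm volatile (" \
+r1 = *(u32 *)(r1 + %[off]); \
+r0 = 0; \
+exit;" \
+: \
+: __imm_const(off, offsetof(struct ctx, field) + 4) \
+: __clobber_all); \
+}
+
+narrow_load("cgroup/getsockopt", bpf_sockopt, sk);
+narrow_load("cgroup/getsockopt", bpf_sockopt, optval);
+narrow_load("cgroup/getsockopt", bpf_sockopt, optval_end);
+narrow_load("tc", __sk_buff, sk);
+narrow_load("cgroup/bind4", bpf_sock_addr, sk);
+narrow_load("sockops", bpf_sock_ops, sk);
+narrow_load("sockops", bpf_sock_ops, skb_data);
+narrow_load("sockops", bpf_sock_ops, skb_data_end);
+narrow_load("sockops", bpf_sock_ops, skb_hwtstamp);
+
 char _license[] SEC("license") = "GPL";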
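Review bot: The `narrow_load()` list stops at `bpf_sock_ops`, but the net/core/filter.c section of this commit also converts `sk_msg_md` (`data`, `data_end`, `sk`) and `bpf_sk_lookup` (`sk`) to range labels, so those rejections are untested here. Assuming they fail with the same verifier message, lines such as `narrow_load("sk_msg", sk_msg_md, data);` and `narrow_load("sk_lookup", bpf_sk_lookup, sk);` would close the gap. The macro also probes only a 4-byte load at `offsetof(struct ctx, field) + 4`. A 1- or 2-byte load at another offset inside the field would exercise the remaining interior offsets that the range labels now cover.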