mirror of
https://github.com/Dasharo/linux.git
synced 2026-03-06 15:25:10 -08:00
Merge tag 'net-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Pull networking fixes from Jakub Kicinski:
"Networking fixes, including fixes from mac80211, wifi, bpf.
Relatively large batches of fixes from BPF and the WiFi stack, calm in
general networking.
Current release - regressions:
- dpaa2-eth: fix buffer overrun when reporting ethtool statistics
Current release - new code bugs:
- bpf: fix incorrect state pruning for <8B spill/fill
- iavf:
- add missing unlocks in iavf_watchdog_task()
- do not override the adapter state in the watchdog task (again)
- mlxsw: spectrum_router: consolidate MAC profiles when possible
Previous releases - regressions:
- mac80211 fixes:
- rate control, avoid driver crash for retransmitted frames
- regression in SSN handling of addba tx
- a memory leak where sta_info is not freed
- marking TX-during-stop for TX in in_reconfig, prevent stall
- cfg80211: acquire wiphy mutex on regulatory work
- wifi drivers: fix build regressions and LED config dependency
- virtio_net: fix rx_drops stat for small pkts
- dsa: mv88e6xxx: unforce speed & duplex in mac_link_down()
Previous releases - always broken:
- bpf fixes:
- kernel address leakage in atomic fetch
- kernel address leakage in atomic cmpxchg's r0 aux reg
- signed bounds propagation after mov32
- extable fixup offset
- extable address check
- mac80211:
- fix the size used for building probe request
- send ADDBA requests using the tid/queue of the aggregation
session
- agg-tx: don't schedule_and_wake_txq() under sta->lock, avoid
deadlocks
- validate extended element ID is present
- mptcp:
- never allow the PM to close a listener subflow (null-defer)
- clear 'kern' flag from fallback sockets, prevent crash
- fix deadlock in __mptcp_push_pending()
- inet_diag: fix kernel-infoleak for UDP sockets
- xsk: do not sleep in poll() when need_wakeup set
- smc: avoid very long waits in smc_release()
- sch_ets: don't remove idle classes from the round-robin list
- netdevsim:
- zero-initialize memory for bpf map's value, prevent info leak
- don't let user space overwrite read only (max) ethtool parms
- ixgbe: set X550 MDIO speed before talking to PHY
- stmmac:
- fix null-deref in flower deletion w/ VLAN prio Rx steering
- dwmac-rk: fix oob read in rk_gmac_setup
- ice: time stamping fixes
- systemport: add global locking for descriptor life cycle"
* tag 'net-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (89 commits)
bpf, selftests: Fix racing issue in btf_skc_cls_ingress test
selftest/bpf: Add a test that reads various addresses.
bpf: Fix extable address check.
bpf: Fix extable fixup offset.
bpf, selftests: Add test case trying to taint map value pointer
bpf: Make 32->64 bounds propagation slightly more robust
bpf: Fix signed bounds propagation after mov32
sit: do not call ipip6_dev_free() from sit_init_net()
net: systemport: Add global locking for descriptor lifecycle
net/smc: Prevent smc_release() from long blocking
net: Fix double 0x prefix print in SKB dump
virtio_net: fix rx_drops stat for small pkts
dsa: mv88e6xxx: fix debug print for SPEED_UNFORCED
sfc_ef100: potential dereference of null pointer
net: stmmac: dwmac-rk: fix oob read in rk_gmac_setup
net: usb: lan78xx: add Allied Telesis AT29M2-AF
net/packet: rx_owner_map depends on pg_vec
netdevsim: Zero-initialize memory for new map's value in function nsim_bpf_map_alloc
dpaa2-eth: fix ethtool statistics
ixgbe: set X550 MDIO speed before talking to PHY
...
This commit is contained in:
Linus Torvalds
@@ -33,6 +33,22 @@ noinline int bpf_testmod_loop_test(int n)
|
||||
return sum;
|
||||
}
|
||||
|
||||
__weak noinline struct file *bpf_testmod_return_ptr(int arg)
|
||||
{
|
||||
static struct file f = {};
|
||||
|
||||
switch (arg) {
|
||||
case 1: return (void *)EINVAL; /* user addr */
|
||||
case 2: return (void *)0xcafe4a11; /* user addr */
|
||||
case 3: return (void *)-EINVAL; /* canonical, but invalid */
|
||||
case 4: return (void *)(1ull << 60); /* non-canonical and invalid */
|
||||
case 5: return (void *)~(1ull << 30); /* trigger extable */
|
||||
case 6: return &f; /* valid addr */
|
||||
case 7: return (void *)((long)&f | 1); /* kernel tricks */
|
||||
default: return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
noinline ssize_t
|
||||
bpf_testmod_test_read(struct file *file, struct kobject *kobj,
|
||||
struct bin_attribute *bin_attr,
|
||||
@@ -43,6 +59,10 @@ bpf_testmod_test_read(struct file *file, struct kobject *kobj,
|
||||
.off = off,
|
||||
.len = len,
|
||||
};
|
||||
int i = 1;
|
||||
|
||||
while (bpf_testmod_return_ptr(i))
|
||||
i++;
|
||||
|
||||
/* This is always true. Use the check to make sure the compiler
|
||||
* doesn't remove bpf_testmod_loop_test.
|
||||
|
||||
@@ -90,7 +90,7 @@ static void print_err_line(void)
|
||||
|
||||
static void test_conn(void)
|
||||
{
|
||||
int listen_fd = -1, cli_fd = -1, err;
|
||||
int listen_fd = -1, cli_fd = -1, srv_fd = -1, err;
|
||||
socklen_t addrlen = sizeof(srv_sa6);
|
||||
int srv_port;
|
||||
|
||||
@@ -112,6 +112,10 @@ static void test_conn(void)
|
||||
if (CHECK_FAIL(cli_fd == -1))
|
||||
goto done;
|
||||
|
||||
srv_fd = accept(listen_fd, NULL, NULL);
|
||||
if (CHECK_FAIL(srv_fd == -1))
|
||||
goto done;
|
||||
|
||||
if (CHECK(skel->bss->listen_tp_sport != srv_port ||
|
||||
skel->bss->req_sk_sport != srv_port,
|
||||
"Unexpected sk src port",
|
||||
@@ -134,11 +138,13 @@ done:
|
||||
close(listen_fd);
|
||||
if (cli_fd != -1)
|
||||
close(cli_fd);
|
||||
if (srv_fd != -1)
|
||||
close(srv_fd);
|
||||
}
|
||||
|
||||
static void test_syncookie(void)
|
||||
{
|
||||
int listen_fd = -1, cli_fd = -1, err;
|
||||
int listen_fd = -1, cli_fd = -1, srv_fd = -1, err;
|
||||
socklen_t addrlen = sizeof(srv_sa6);
|
||||
int srv_port;
|
||||
|
||||
@@ -161,6 +167,10 @@ static void test_syncookie(void)
|
||||
if (CHECK_FAIL(cli_fd == -1))
|
||||
goto done;
|
||||
|
||||
srv_fd = accept(listen_fd, NULL, NULL);
|
||||
if (CHECK_FAIL(srv_fd == -1))
|
||||
goto done;
|
||||
|
||||
if (CHECK(skel->bss->listen_tp_sport != srv_port,
|
||||
"Unexpected tp src port",
|
||||
"listen_tp_sport:%u expected:%u\n",
|
||||
@@ -188,6 +198,8 @@ done:
|
||||
close(listen_fd);
|
||||
if (cli_fd != -1)
|
||||
close(cli_fd);
|
||||
if (srv_fd != -1)
|
||||
close(srv_fd);
|
||||
}
|
||||
|
||||
struct test {
|
||||
|
||||
@@ -87,6 +87,18 @@ int BPF_PROG(handle_fexit,
|
||||
return 0;
|
||||
}
|
||||
|
||||
SEC("fexit/bpf_testmod_return_ptr")
|
||||
int BPF_PROG(handle_fexit_ret, int arg, struct file *ret)
|
||||
{
|
||||
long buf = 0;
|
||||
|
||||
bpf_probe_read_kernel(&buf, 8, ret);
|
||||
bpf_probe_read_kernel(&buf, 8, (char *)ret + 256);
|
||||
*(volatile long long *)ret;
|
||||
*(volatile int *)&ret->f_mode;
|
||||
return 0;
|
||||
}
|
||||
|
||||
__u32 fmod_ret_read_sz = 0;
|
||||
|
||||
SEC("fmod_ret/bpf_testmod_test_read")
|
||||
|
||||
@@ -54,7 +54,7 @@
|
||||
#define MAX_INSNS BPF_MAXINSNS
|
||||
#define MAX_TEST_INSNS 1000000
|
||||
#define MAX_FIXUPS 8
|
||||
#define MAX_NR_MAPS 21
|
||||
#define MAX_NR_MAPS 22
|
||||
#define MAX_TEST_RUNS 8
|
||||
#define POINTER_VALUE 0xcafe4all
|
||||
#define TEST_DATA_LEN 64
|
||||
|
||||
@@ -138,6 +138,8 @@
|
||||
BPF_EXIT_INSN(),
|
||||
},
|
||||
.result = ACCEPT,
|
||||
.result_unpriv = REJECT,
|
||||
.errstr_unpriv = "R0 leaks addr into mem",
|
||||
},
|
||||
{
|
||||
"Dest pointer in r0 - succeed",
|
||||
@@ -156,4 +158,88 @@
|
||||
BPF_EXIT_INSN(),
|
||||
},
|
||||
.result = ACCEPT,
|
||||
.result_unpriv = REJECT,
|
||||
.errstr_unpriv = "R0 leaks addr into mem",
|
||||
},
|
||||
{
|
||||
"Dest pointer in r0 - succeed, check 2",
|
||||
.insns = {
|
||||
/* r0 = &val */
|
||||
BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
|
||||
/* val = r0; */
|
||||
BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
|
||||
/* r5 = &val */
|
||||
BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
|
||||
/* r0 = atomic_cmpxchg(&val, r0, r5); */
|
||||
BPF_ATOMIC_OP(BPF_DW, BPF_CMPXCHG, BPF_REG_10, BPF_REG_5, -8),
|
||||
/* r1 = *r0 */
|
||||
BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
|
||||
/* exit(0); */
|
||||
BPF_MOV64_IMM(BPF_REG_0, 0),
|
||||
BPF_EXIT_INSN(),
|
||||
},
|
||||
.result = ACCEPT,
|
||||
.result_unpriv = REJECT,
|
||||
.errstr_unpriv = "R0 leaks addr into mem",
|
||||
},
|
||||
{
|
||||
"Dest pointer in r0 - succeed, check 3",
|
||||
.insns = {
|
||||
/* r0 = &val */
|
||||
BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
|
||||
/* val = r0; */
|
||||
BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
|
||||
/* r5 = &val */
|
||||
BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
|
||||
/* r0 = atomic_cmpxchg(&val, r0, r5); */
|
||||
BPF_ATOMIC_OP(BPF_W, BPF_CMPXCHG, BPF_REG_10, BPF_REG_5, -8),
|
||||
/* exit(0); */
|
||||
BPF_MOV64_IMM(BPF_REG_0, 0),
|
||||
BPF_EXIT_INSN(),
|
||||
},
|
||||
.result = REJECT,
|
||||
.errstr = "invalid size of register fill",
|
||||
.errstr_unpriv = "R0 leaks addr into mem",
|
||||
},
|
||||
{
|
||||
"Dest pointer in r0 - succeed, check 4",
|
||||
.insns = {
|
||||
/* r0 = &val */
|
||||
BPF_MOV32_REG(BPF_REG_0, BPF_REG_10),
|
||||
/* val = r0; */
|
||||
BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),
|
||||
/* r5 = &val */
|
||||
BPF_MOV32_REG(BPF_REG_5, BPF_REG_10),
|
||||
/* r0 = atomic_cmpxchg(&val, r0, r5); */
|
||||
BPF_ATOMIC_OP(BPF_W, BPF_CMPXCHG, BPF_REG_10, BPF_REG_5, -8),
|
||||
/* r1 = *r10 */
|
||||
BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_10, -8),
|
||||
/* exit(0); */
|
||||
BPF_MOV64_IMM(BPF_REG_0, 0),
|
||||
BPF_EXIT_INSN(),
|
||||
},
|
||||
.result = ACCEPT,
|
||||
.result_unpriv = REJECT,
|
||||
.errstr_unpriv = "R10 partial copy of pointer",
|
||||
},
|
||||
{
|
||||
"Dest pointer in r0 - succeed, check 5",
|
||||
.insns = {
|
||||
/* r0 = &val */
|
||||
BPF_MOV32_REG(BPF_REG_0, BPF_REG_10),
|
||||
/* val = r0; */
|
||||
BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),
|
||||
/* r5 = &val */
|
||||
BPF_MOV32_REG(BPF_REG_5, BPF_REG_10),
|
||||
/* r0 = atomic_cmpxchg(&val, r0, r5); */
|
||||
BPF_ATOMIC_OP(BPF_W, BPF_CMPXCHG, BPF_REG_10, BPF_REG_5, -8),
|
||||
/* r1 = *r0 */
|
||||
BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -8),
|
||||
/* exit(0); */
|
||||
BPF_MOV64_IMM(BPF_REG_0, 0),
|
||||
BPF_EXIT_INSN(),
|
||||
},
|
||||
.result = REJECT,
|
||||
.errstr = "R0 invalid mem access",
|
||||
.errstr_unpriv = "R10 partial copy of pointer",
|
||||
},
|
||||
|
||||
@@ -1,3 +1,97 @@
|
||||
{
|
||||
"atomic dw/fetch and address leakage of (map ptr & -1) via stack slot",
|
||||
.insns = {
|
||||
BPF_LD_IMM64(BPF_REG_1, -1),
|
||||
BPF_LD_MAP_FD(BPF_REG_8, 0),
|
||||
BPF_LD_MAP_FD(BPF_REG_9, 0),
|
||||
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
||||
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
||||
BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_9, 0),
|
||||
BPF_ATOMIC_OP(BPF_DW, BPF_AND | BPF_FETCH, BPF_REG_2, BPF_REG_1, 0),
|
||||
BPF_LDX_MEM(BPF_DW, BPF_REG_9, BPF_REG_2, 0),
|
||||
BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
|
||||
BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
|
||||
BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
|
||||
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
|
||||
BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_9, 0),
|
||||
BPF_MOV64_IMM(BPF_REG_0, 0),
|
||||
BPF_EXIT_INSN(),
|
||||
},
|
||||
.fixup_map_array_48b = { 2, 4 },
|
||||
.result = ACCEPT,
|
||||
.result_unpriv = REJECT,
|
||||
.errstr_unpriv = "leaking pointer from stack off -8",
|
||||
},
|
||||
{
|
||||
"atomic dw/fetch and address leakage of (map ptr & -1) via returned value",
|
||||
.insns = {
|
||||
BPF_LD_IMM64(BPF_REG_1, -1),
|
||||
BPF_LD_MAP_FD(BPF_REG_8, 0),
|
||||
BPF_LD_MAP_FD(BPF_REG_9, 0),
|
||||
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
||||
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
||||
BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_9, 0),
|
||||
BPF_ATOMIC_OP(BPF_DW, BPF_AND | BPF_FETCH, BPF_REG_2, BPF_REG_1, 0),
|
||||
BPF_MOV64_REG(BPF_REG_9, BPF_REG_1),
|
||||
BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
|
||||
BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
|
||||
BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
|
||||
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
|
||||
BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_9, 0),
|
||||
BPF_MOV64_IMM(BPF_REG_0, 0),
|
||||
BPF_EXIT_INSN(),
|
||||
},
|
||||
.fixup_map_array_48b = { 2, 4 },
|
||||
.result = ACCEPT,
|
||||
.result_unpriv = REJECT,
|
||||
.errstr_unpriv = "leaking pointer from stack off -8",
|
||||
},
|
||||
{
|
||||
"atomic w/fetch and address leakage of (map ptr & -1) via stack slot",
|
||||
.insns = {
|
||||
BPF_LD_IMM64(BPF_REG_1, -1),
|
||||
BPF_LD_MAP_FD(BPF_REG_8, 0),
|
||||
BPF_LD_MAP_FD(BPF_REG_9, 0),
|
||||
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
||||
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
||||
BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_9, 0),
|
||||
BPF_ATOMIC_OP(BPF_W, BPF_AND | BPF_FETCH, BPF_REG_2, BPF_REG_1, 0),
|
||||
BPF_LDX_MEM(BPF_DW, BPF_REG_9, BPF_REG_2, 0),
|
||||
BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
|
||||
BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
|
||||
BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
|
||||
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
|
||||
BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_9, 0),
|
||||
BPF_MOV64_IMM(BPF_REG_0, 0),
|
||||
BPF_EXIT_INSN(),
|
||||
},
|
||||
.fixup_map_array_48b = { 2, 4 },
|
||||
.result = REJECT,
|
||||
.errstr = "invalid size of register fill",
|
||||
},
|
||||
{
|
||||
"atomic w/fetch and address leakage of (map ptr & -1) via returned value",
|
||||
.insns = {
|
||||
BPF_LD_IMM64(BPF_REG_1, -1),
|
||||
BPF_LD_MAP_FD(BPF_REG_8, 0),
|
||||
BPF_LD_MAP_FD(BPF_REG_9, 0),
|
||||
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
||||
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
||||
BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_9, 0),
|
||||
BPF_ATOMIC_OP(BPF_W, BPF_AND | BPF_FETCH, BPF_REG_2, BPF_REG_1, 0),
|
||||
BPF_MOV64_REG(BPF_REG_9, BPF_REG_1),
|
||||
BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
|
||||
BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
|
||||
BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
|
||||
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
|
||||
BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_9, 0),
|
||||
BPF_MOV64_IMM(BPF_REG_0, 0),
|
||||
BPF_EXIT_INSN(),
|
||||
},
|
||||
.fixup_map_array_48b = { 2, 4 },
|
||||
.result = REJECT,
|
||||
.errstr = "invalid size of register fill",
|
||||
},
|
||||
#define __ATOMIC_FETCH_OP_TEST(src_reg, dst_reg, operand1, op, operand2, expect) \
|
||||
{ \
|
||||
"atomic fetch " #op ", src=" #dst_reg " dst=" #dst_reg, \
|
||||
|
||||
@@ -132,6 +132,77 @@
|
||||
.result = REJECT,
|
||||
.prog_type = BPF_PROG_TYPE_TRACEPOINT,
|
||||
},
|
||||
{
|
||||
"precision tracking for u32 spill/fill",
|
||||
.insns = {
|
||||
BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
|
||||
BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32),
|
||||
BPF_MOV32_IMM(BPF_REG_6, 32),
|
||||
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
|
||||
BPF_MOV32_IMM(BPF_REG_6, 4),
|
||||
/* Additional insns to introduce a pruning point. */
|
||||
BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32),
|
||||
BPF_MOV64_IMM(BPF_REG_3, 0),
|
||||
BPF_MOV64_IMM(BPF_REG_3, 0),
|
||||
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
|
||||
BPF_MOV64_IMM(BPF_REG_3, 0),
|
||||
/* u32 spill/fill */
|
||||
BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_6, -8),
|
||||
BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_10, -8),
|
||||
/* out-of-bound map value access for r6=32 */
|
||||
BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
|
||||
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
||||
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
|
||||
BPF_LD_MAP_FD(BPF_REG_1, 0),
|
||||
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
|
||||
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
|
||||
BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
|
||||
BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
|
||||
BPF_MOV64_IMM(BPF_REG_0, 0),
|
||||
BPF_EXIT_INSN(),
|
||||
},
|
||||
.fixup_map_hash_8b = { 15 },
|
||||
.result = REJECT,
|
||||
.errstr = "R0 min value is outside of the allowed memory range",
|
||||
.prog_type = BPF_PROG_TYPE_TRACEPOINT,
|
||||
},
|
||||
{
|
||||
"precision tracking for u32 spills, u64 fill",
|
||||
.insns = {
|
||||
BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32),
|
||||
BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
|
||||
BPF_MOV32_IMM(BPF_REG_7, 0xffffffff),
|
||||
/* Additional insns to introduce a pruning point. */
|
||||
BPF_MOV64_IMM(BPF_REG_3, 1),
|
||||
BPF_MOV64_IMM(BPF_REG_3, 1),
|
||||
BPF_MOV64_IMM(BPF_REG_3, 1),
|
||||
BPF_MOV64_IMM(BPF_REG_3, 1),
|
||||
BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32),
|
||||
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
|
||||
BPF_MOV64_IMM(BPF_REG_3, 1),
|
||||
BPF_ALU32_IMM(BPF_DIV, BPF_REG_3, 0),
|
||||
/* u32 spills, u64 fill */
|
||||
BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_6, -4),
|
||||
BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_7, -8),
|
||||
BPF_LDX_MEM(BPF_DW, BPF_REG_8, BPF_REG_10, -8),
|
||||
/* if r8 != X goto pc+1 r8 known in fallthrough branch */
|
||||
BPF_JMP_IMM(BPF_JNE, BPF_REG_8, 0xffffffff, 1),
|
||||
BPF_MOV64_IMM(BPF_REG_3, 1),
|
||||
/* if r8 == X goto pc+1 condition always true on first
|
||||
* traversal, so starts backtracking to mark r8 as requiring
|
||||
* precision. r7 marked as needing precision. r6 not marked
|
||||
* since it's not tracked.
|
||||
*/
|
||||
BPF_JMP_IMM(BPF_JEQ, BPF_REG_8, 0xffffffff, 1),
|
||||
/* fails if r8 correctly marked unknown after fill. */
|
||||
BPF_ALU32_IMM(BPF_DIV, BPF_REG_3, 0),
|
||||
BPF_MOV64_IMM(BPF_REG_0, 0),
|
||||
BPF_EXIT_INSN(),
|
||||
},
|
||||
.result = REJECT,
|
||||
.errstr = "div by zero",
|
||||
.prog_type = BPF_PROG_TYPE_TRACEPOINT,
|
||||
},
|
||||
{
|
||||
"allocated_stack",
|
||||
.insns = {
|
||||
|
||||
@@ -175,6 +175,38 @@
|
||||
.errstr = "invalid access to packet",
|
||||
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
|
||||
},
|
||||
{
|
||||
"Spill u32 const scalars. Refill as u64. Offset to skb->data",
|
||||
.insns = {
|
||||
BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
|
||||
offsetof(struct __sk_buff, data)),
|
||||
BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
|
||||
offsetof(struct __sk_buff, data_end)),
|
||||
/* r6 = 0 */
|
||||
BPF_MOV32_IMM(BPF_REG_6, 0),
|
||||
/* r7 = 20 */
|
||||
BPF_MOV32_IMM(BPF_REG_7, 20),
|
||||
/* *(u32 *)(r10 -4) = r6 */
|
||||
BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_6, -4),
|
||||
/* *(u32 *)(r10 -8) = r7 */
|
||||
BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_7, -8),
|
||||
/* r4 = *(u64 *)(r10 -8) */
|
||||
BPF_LDX_MEM(BPF_H, BPF_REG_4, BPF_REG_10, -8),
|
||||
/* r0 = r2 */
|
||||
BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
|
||||
/* r0 += r4 R0=pkt R2=pkt R3=pkt_end R4=inv,umax=65535 */
|
||||
BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
|
||||
/* if (r0 > r3) R0=pkt,umax=65535 R2=pkt R3=pkt_end R4=inv,umax=65535 */
|
||||
BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
|
||||
/* r0 = *(u32 *)r2 R0=pkt,umax=65535 R2=pkt R3=pkt_end R4=inv20 */
|
||||
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
|
||||
BPF_MOV64_IMM(BPF_REG_0, 0),
|
||||
BPF_EXIT_INSN(),
|
||||
},
|
||||
.result = REJECT,
|
||||
.errstr = "invalid access to packet",
|
||||
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
|
||||
},
|
||||
{
|
||||
"Spill a u32 const scalar. Refill as u16 from fp-6. Offset to skb->data",
|
||||
.insns = {
|
||||
|
||||
@@ -1077,6 +1077,29 @@
|
||||
.errstr = "R0 invalid mem access 'inv'",
|
||||
.errstr_unpriv = "R0 pointer -= pointer prohibited",
|
||||
},
|
||||
{
|
||||
"map access: trying to leak tained dst reg",
|
||||
.insns = {
|
||||
BPF_MOV64_IMM(BPF_REG_0, 0),
|
||||
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
|
||||
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
||||
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
||||
BPF_LD_MAP_FD(BPF_REG_1, 0),
|
||||
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
|
||||
BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
|
||||
BPF_EXIT_INSN(),
|
||||
BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
|
||||
BPF_MOV32_IMM(BPF_REG_1, 0xFFFFFFFF),
|
||||
BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
|
||||
BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
|
||||
BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
|
||||
BPF_MOV64_IMM(BPF_REG_0, 0),
|
||||
BPF_EXIT_INSN(),
|
||||
},
|
||||
.fixup_map_array_48b = { 4 },
|
||||
.result = REJECT,
|
||||
.errstr = "math between map_value pointer and 4294967295 is not allowed",
|
||||
},
|
||||
{
|
||||
"32bit pkt_ptr -= scalar",
|
||||
.insns = {
|
||||
|
||||
@@ -72,6 +72,35 @@ rif_mac_profile_replacement_test()
|
||||
ip link set $h1.10 address $h1_10_mac
|
||||
}
|
||||
|
||||
rif_mac_profile_consolidation_test()
|
||||
{
|
||||
local count=$1; shift
|
||||
local h1_20_mac
|
||||
|
||||
RET=0
|
||||
|
||||
if [[ $count -eq 1 ]]; then
|
||||
return
|
||||
fi
|
||||
|
||||
h1_20_mac=$(mac_get $h1.20)
|
||||
|
||||
# Set the MAC of $h1.20 to that of $h1.10 and confirm that they are
|
||||
# using the same MAC profile.
|
||||
ip link set $h1.20 address 00:11:11:11:11:11
|
||||
check_err $?
|
||||
|
||||
occ=$(devlink -j resource show $DEVLINK_DEV \
|
||||
| jq '.[][][] | select(.name=="rif_mac_profiles") |.["occ"]')
|
||||
|
||||
[[ $occ -eq $((count - 1)) ]]
|
||||
check_err $? "MAC profile occupancy did not decrease"
|
||||
|
||||
log_test "RIF MAC profile consolidation"
|
||||
|
||||
ip link set $h1.20 address $h1_20_mac
|
||||
}
|
||||
|
||||
rif_mac_profile_shared_replacement_test()
|
||||
{
|
||||
local count=$1; shift
|
||||
@@ -104,6 +133,7 @@ rif_mac_profile_edit_test()
|
||||
create_max_rif_mac_profiles $count
|
||||
|
||||
rif_mac_profile_replacement_test
|
||||
rif_mac_profile_consolidation_test $count
|
||||
rif_mac_profile_shared_replacement_test $count
|
||||
}
|
||||
|
||||
|
||||
@@ -455,6 +455,22 @@ cleanup()
|
||||
ip netns del ${NSC} >/dev/null 2>&1
|
||||
}
|
||||
|
||||
cleanup_vrf_dup()
|
||||
{
|
||||
ip link del ${NSA_DEV2} >/dev/null 2>&1
|
||||
ip netns pids ${NSC} | xargs kill 2>/dev/null
|
||||
ip netns del ${NSC} >/dev/null 2>&1
|
||||
}
|
||||
|
||||
setup_vrf_dup()
|
||||
{
|
||||
# some VRF tests use ns-C which has the same config as
|
||||
# ns-B but for a device NOT in the VRF
|
||||
create_ns ${NSC} "-" "-"
|
||||
connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \
|
||||
${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
|
||||
}
|
||||
|
||||
setup()
|
||||
{
|
||||
local with_vrf=${1}
|
||||
@@ -484,12 +500,6 @@ setup()
|
||||
|
||||
ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
|
||||
ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
|
||||
|
||||
# some VRF tests use ns-C which has the same config as
|
||||
# ns-B but for a device NOT in the VRF
|
||||
create_ns ${NSC} "-" "-"
|
||||
connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \
|
||||
${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
|
||||
else
|
||||
ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
|
||||
ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
|
||||
@@ -1240,7 +1250,9 @@ ipv4_tcp_vrf()
|
||||
log_test_addr ${a} $? 1 "Global server, local connection"
|
||||
|
||||
# run MD5 tests
|
||||
setup_vrf_dup
|
||||
ipv4_tcp_md5
|
||||
cleanup_vrf_dup
|
||||
|
||||
#
|
||||
# enable VRF global server
|
||||
@@ -1798,8 +1810,9 @@ ipv4_addr_bind_vrf()
|
||||
for a in ${NSA_IP} ${VRF_IP}
|
||||
do
|
||||
log_start
|
||||
show_hint "Socket not bound to VRF, but address is in VRF"
|
||||
run_cmd nettest -s -R -P icmp -l ${a} -b
|
||||
log_test_addr ${a} $? 0 "Raw socket bind to local address"
|
||||
log_test_addr ${a} $? 1 "Raw socket bind to local address"
|
||||
|
||||
log_start
|
||||
run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
|
||||
@@ -2191,7 +2204,7 @@ ipv6_ping_vrf()
|
||||
log_start
|
||||
show_hint "Fails since VRF device does not support linklocal or multicast"
|
||||
run_cmd ${ping6} -c1 -w1 ${a}
|
||||
log_test_addr ${a} $? 2 "ping out, VRF bind"
|
||||
log_test_addr ${a} $? 1 "ping out, VRF bind"
|
||||
done
|
||||
|
||||
for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
|
||||
@@ -2719,7 +2732,9 @@ ipv6_tcp_vrf()
|
||||
log_test_addr ${a} $? 1 "Global server, local connection"
|
||||
|
||||
# run MD5 tests
|
||||
setup_vrf_dup
|
||||
ipv6_tcp_md5
|
||||
cleanup_vrf_dup
|
||||
|
||||
#
|
||||
# enable VRF global server
|
||||
@@ -3414,11 +3429,14 @@ ipv6_addr_bind_novrf()
|
||||
run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
|
||||
log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
|
||||
|
||||
# Sadly, the kernel allows binding a socket to a device and then
|
||||
# binding to an address not on the device. So this test passes
|
||||
# when it really should not
|
||||
a=${NSA_LO_IP6}
|
||||
log_start
|
||||
show_hint "Should fail with 'Cannot assign requested address'"
|
||||
show_hint "Tecnically should fail since address is not on device but kernel allows"
|
||||
run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
|
||||
log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
|
||||
log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
|
||||
}
|
||||
|
||||
ipv6_addr_bind_vrf()
|
||||
@@ -3459,10 +3477,15 @@ ipv6_addr_bind_vrf()
|
||||
run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
|
||||
log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"
|
||||
|
||||
# Sadly, the kernel allows binding a socket to a device and then
|
||||
# binding to an address not on the device. The only restriction
|
||||
# is that the address is valid in the L3 domain. So this test
|
||||
# passes when it really should not
|
||||
a=${VRF_IP6}
|
||||
log_start
|
||||
show_hint "Tecnically should fail since address is not on device but kernel allows"
|
||||
run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
|
||||
log_test_addr ${a} $? 1 "TCP socket bind to VRF address with device bind"
|
||||
log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"
|
||||
|
||||
a=${NSA_LO_IP6}
|
||||
log_start
|
||||
|
||||
@@ -13,6 +13,8 @@ NETIFS[p5]=veth4
|
||||
NETIFS[p6]=veth5
|
||||
NETIFS[p7]=veth6
|
||||
NETIFS[p8]=veth7
|
||||
NETIFS[p9]=veth8
|
||||
NETIFS[p10]=veth9
|
||||
|
||||
# Port that does not have a cable connected.
|
||||
NETIF_NO_CABLE=eth8
|
||||
|
||||
@@ -311,7 +311,7 @@ check_exception()
|
||||
ip -netns h1 ro get ${H1_VRF_ARG} ${H2_N2_IP} | \
|
||||
grep -E -v 'mtu|redirected' | grep -q "cache"
|
||||
fi
|
||||
log_test $? 0 "IPv4: ${desc}"
|
||||
log_test $? 0 "IPv4: ${desc}" 0
|
||||
|
||||
# No PMTU info for test "redirect" and "mtu exception plus redirect"
|
||||
if [ "$with_redirect" = "yes" ] && [ "$desc" != "redirect exception plus mtu" ]; then
|
||||
|
||||
@@ -498,7 +498,7 @@ static void parse_opts(int argc, char **argv)
|
||||
bool have_toeplitz = false;
|
||||
int index, c;
|
||||
|
||||
while ((c = getopt_long(argc, argv, "46C:d:i:k:r:stT:u:v", long_options, &index)) != -1) {
|
||||
while ((c = getopt_long(argc, argv, "46C:d:i:k:r:stT:uv", long_options, &index)) != -1) {
|
||||
switch (c) {
|
||||
case '4':
|
||||
cfg_family = AF_INET;
|
||||
|
||||
Reference in New Issue
Block a user