bpf.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Dan Carpenter <dan.carpenter@oracle.com>
To: brianvv@google.com
Cc: bpf@vger.kernel.org
Subject: [bug report] bpf: Add generic support for update and delete batch ops
Date: Fri, 17 Jan 2020 13:44:00 +0300	[thread overview]
Message-ID: <20200117104400.iwfowq7z4epdvoww@kili.mountain> (raw)

Hello Brian Vazquez,

The patch aa2e93b8e58e: "bpf: Add generic support for update and
delete batch ops" from Jan 15, 2020, leads to the following static
checker warning:

	kernel/bpf/syscall.c:1322 generic_map_update_batch()
	error: 'key' dereferencing possible ERR_PTR()

kernel/bpf/syscall.c
  1296  
  1297          value = kmalloc(value_size, GFP_USER | __GFP_NOWARN);
  1298          if (!value)
  1299                  return -ENOMEM;
  1300  
  1301          for (cp = 0; cp < max_count; cp++) {
  1302                  key = __bpf_copy_key(keys + cp * map->key_size, map->key_size);
  1303                  if (IS_ERR(key)) {
  1304                          err = PTR_ERR(key);
  1305                          break;
                                ^^^^^
This will Oops.

  1306                  }
  1307                  err = -EFAULT;
  1308                  if (copy_from_user(value, values + cp * value_size, value_size))
  1309                          break;
  1310  
  1311                  err = bpf_map_update_value(map, f, key, value,
  1312                                             attr->batch.elem_flags);
  1313  
  1314                  if (err)
  1315                          break;

But the success path seems to leak.  Anyway, either we free the last
successful key or we are leaking so this doesn't seem workable.  Does
map->key_size change?  Maybe move the allocation from __bpf_copy_key()
to before the start of the loop.

  1316          }
  1317  
  1318          if (copy_to_user(&uattr->batch.count, &cp, sizeof(cp)))
  1319                  err = -EFAULT;
  1320  
  1321          kfree(value);
  1322          kfree(key);
  1323          return err;
  1324  }

regards,
dan carpenter

             reply	other threads:[~2020-01-17 10:44 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-17 10:44 Dan Carpenter [this message]
2020-01-17 17:59 ` [bug report] bpf: Add generic support for update and delete batch ops Brian Vazquez

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200117104400.iwfowq7z4epdvoww@kili.mountain \
    --to=dan.carpenter@oracle.com \
    --cc=bpf@vger.kernel.org \
    --cc=brianvv@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).