From: Dan Carpenter <dan.carpenter@oracle.com>
To: brianvv@google.com
Cc: bpf@vger.kernel.org
Subject: [bug report] bpf: Add generic support for update and delete batch ops
Date: Fri, 17 Jan 2020 13:44:00 +0300
Message-ID: <20200117104400.iwfowq7z4epdvoww@kili.mountain>

Hello Brian Vazquez,

The patch aa2e93b8e58e: "bpf: Add generic support for update and
delete batch ops" from Jan 15, 2020, leads to the following static
checker warning:

	kernel/bpf/syscall.c:1322 generic_map_update_batch()
	error: 'key' dereferencing possible ERR_PTR()

kernel/bpf/syscall.c
  1296
  1297          value = kmalloc(value_size, GFP_USER | __GFP_NOWARN);
  1298          if (!value)
  1299                  return -ENOMEM;
  1300
  1301          for (cp = 0; cp < max_count; cp++) {
  1302                  key = __bpf_copy_key(keys + cp * map->key_size, map->key_size);
  1303                  if (IS_ERR(key)) {
  1304                          err = PTR_ERR(key);
  1305                          break;
                                ^^^^^
This will Oops.

  1306                  }
  1307                  err = -EFAULT;
  1308                  if (copy_from_user(value, values + cp * value_size, value_size))
  1309                          break;
  1310
  1311                  err = bpf_map_update_value(map, f, key, value,
  1312                                             attr->batch.elem_flags);
  1313
  1314                  if (err)
  1315                          break;

But the success path seems to leak.  Anyway, either we free the last
successful key or we are leaking so this doesn't seem workable.  Does
map->key_size change?  Maybe move the allocation from __bpf_copy_key()
to before the start of the loop.

  1316          }
  1317
  1318          if (copy_to_user(&uattr->batch.count, &cp, sizeof(cp)))
  1319                  err = -EFAULT;
  1320
  1321          kfree(value);
  1322          kfree(key);
  1323          return err;
  1324  }

regards,
dan carpenter
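
Added example, not part of the original message and not kernel code: a userspace C model of the two problems the report describes (freeing an ERR_PTR value, and leaking one key per loop pass) next to the loop shape the report suggests, with the key buffer allocated once before the loop. The names t_alloc, t_free, copy_key, batch_reported and batch_prealloc, the live and bad_free counters, and the sample keys are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Userspace stand-ins for the kernel's ERR_PTR helpers (include/linux/err.h). */
#define ERR_PTR(e) ((void *)(intptr_t)(e))
#define PTR_ERR(p) ((int)(intptr_t)(p))
#define IS_ERR(p)  ((uintptr_t)(p) >= (uintptr_t)-4095)

static int live, bad_free; /* outstanding buffers; frees of an ERR_PTR value */
static void *t_alloc(size_t n) { void *p = malloc(n); if (p) live++; return p; }
static void t_free(void *p)
{
	if (IS_ERR(p)) bad_free++; /* models the kfree() the report says will Oops */
	else if (p) { live--; free(p); }
}

/* Hypothetical stand-in for __bpf_copy_key(): allocates on every call. */
static void *copy_key(const char *src, size_t sz, int fail)
{
	void *k = fail ? NULL : t_alloc(sz);
	return k ? memcpy(k, src, sz) : ERR_PTR(fail ? -EFAULT : -ENOMEM);
}

/* Shape of the reported loop: key overwritten each pass, one free at the end. */
static int batch_reported(const char *keys, size_t sz, int n, int fail_at)
{
	void *key = NULL; int err = 0;
	for (int cp = 0; cp < n; cp++) {
		key = copy_key(keys + cp * sz, sz, cp == fail_at);
		if (IS_ERR(key)) { err = PTR_ERR(key); break; }
	}
	t_free(key);
	return err;
}

/* Suggested shape: one key buffer allocated before the loop and reused. */
static int batch_prealloc(const char *keys, size_t sz, int n, int fail_at)
{
	void *key = t_alloc(sz); int err = 0;
	if (!key) return -ENOMEM;
	for (int cp = 0; cp < n; cp++) {
		if (cp == fail_at) { err = -EFAULT; break; } /* models a failed user copy */
		memcpy(key, keys + cp * sz, sz);
	}
	t_free(key);
	return err;
}
/* Constructed input: three 4-byte keys, copy failing at index 1. */
int main(void) { return batch_prealloc("aaaabbbbcccc", 4, 3, 1) == -EFAULT ? live : 1; }
```

With three keys, batch_reported leaves two buffers outstanding on success and records one free of an ERR_PTR value when the second copy fails; batch_prealloc leaves both counters at zero in either case.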