linux-yocto/kernel
Paul Chaignon 058a0da4f6 bpf: Reject narrower access to pointer ctx fields
commit e09299225d upstream.

The following BPF program, simplified from a syzkaller repro, causes a
kernel warning:

    r0 = *(u8 *)(r1 + 169);
    exit;

With pointer field sk being at offset 168 in __sk_buff. This access is
detected as a narrower read in bpf_skb_is_valid_access because it
doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed
and later proceeds to bpf_convert_ctx_access. Note that for the
"is_narrower_load" case in the convert_ctx_accesses(), the insn->off
is aligned, so the cnt may not be 0 because it matches the
offsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However,
the target_size stays 0 and the verifier errors with a kernel warning:

    verifier bug: error during ctx access conversion(1)

This patch fixes that to return a proper "invalid bpf_context access
off=X size=Y" error on the load instruction.

The same issue affects multiple other fields in context structures that
allow narrow access. Some other non-affected fields (for sk_msg,
sk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for
consistency.

Note this syzkaller crash was reported in the "Closes" link below, which
used to be about a different bug, fixed in
commit fce7bd8e38 ("bpf/verifier: Handle BPF_LOAD_ACQ instructions
in insn_def_regno()"). Because syzbot somehow confused the two bugs,
the new crash and repro didn't get reported to the mailing list.

Fixes: f96da09473 ("bpf: simplify narrower ctx access")
Fixes: 0df1a55afa ("bpf: Warn on internal verifier errors")
Reported-by: syzbot+0ef84a7bdf5301d4cbec@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0ef84a7bdf5301d4cbec
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://patch.msgid.link/3b8dcee67ff4296903351a974ddd9c4dca768b64.1753194596.git.paul.chaignon@gmail.com
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-01-23 11:18:50 +01:00
bpf bpf: Reject narrower access to pointer ctx fields 2026-01-23 11:18:50 +01:00
cgroup cpuset: Treat cpusets in attaching as populated 2025-12-18 13:55:03 +01:00
configs tinyconfig: remove unnecessary 'is not set' for choice blocks 2024-09-01 20:34:38 +09:00
debug move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
dma dma/pool: eliminate alloc_pages warning in atomic_pool_expand 2025-12-18 13:55:20 +01:00
entry treewide: context_tracking: Rename CONTEXT_* into CT_STATE_* 2024-07-29 07:33:10 +05:30
events perf: Remove get_perf_callchain() init_nr argument 2025-12-18 13:54:49 +01:00
futex futex: Don't leak robust_list pointer on exec race 2025-11-13 15:34:06 -05:00
gcov gcov: add support for GCC 15 2025-11-24 10:35:59 +01:00
irq genirq/irq_sim: Initialize work context pointers properly 2025-07-10 16:05:07 +02:00
kcsan kcsan: test: Initialize dummy variable 2025-08-15 12:13:46 +02:00
livepatch livepatch: Match old_sympos 0 and 1 in klp_find_func() 2026-01-08 10:13:56 +01:00
locking locktorture: Fix memory leak in param_set_cpumask() 2025-12-18 13:54:54 +01:00
module module: Prevent silent truncation of module name in delete_module(2) 2025-08-20 18:30:46 +02:00
power PM: hibernate: Use atomic64_t for compressed_size variable 2025-11-24 10:36:03 +01:00
printk printk: nbcon: Allow reacquire during panic 2025-08-20 18:30:47 +02:00
rcu rcu: Fix racy re-initialization of irq_work causing hangs 2025-08-20 18:30:58 +02:00
sched sched/fair: Proportional newidle balance 2026-01-11 15:25:21 +01:00
time hrtimer: Fix softirq base check in update_needs_ipi() 2026-01-23 11:18:45 +01:00
trace fgraph: Check ftrace_pids_enabled on registration for early filtering 2026-01-08 10:14:41 +01:00
.gitignore
acct.c acct: block access to kernel internal filesystems 2025-02-27 04:30:23 -08:00
async.c
audit_fsnotify.c
audit_tree.c
audit_watch.c
audit.c audit: Make use of str_enabled_disabled() helper 2024-09-03 16:35:16 -04:00
audit.h audit,module: restore audit logging in load failure case 2025-08-15 12:13:31 +02:00
auditfilter.c audit: use task_tgid_nr() instead of task_pid_nr() 2024-08-28 16:48:28 -04:00
auditsc.c audit,module: restore audit logging in load failure case 2025-08-15 12:13:31 +02:00
backtracetest.c backtracetest: add MODULE_DESCRIPTION() 2024-06-24 22:24:55 -07:00
bounds.c
capability.c
cfi.c
compat.c
configs.c
context_tracking.c context_tracking, rcu: Rename rcu_dyntick trace event into rcu_watching 2024-08-15 21:30:43 +05:30
cpu_pm.c
cpu.c watchdog/hardlockup/perf: Fix perf_event memory leak 2025-04-10 14:39:11 +02:00
crash_core.c crash: fix crashkernel resource shrink 2025-11-24 10:36:01 +01:00
crash_reserve.c crash: fix crash memory reserve exceed system memory bug 2024-09-01 20:43:30 -07:00
cred.c
delayacct.c sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
dma.c
elfcorehdr.c
exec_domain.c
exit.c perf: Fix sample vs do_exit() 2025-06-27 11:11:45 +01:00
exit.h
extable.c
fail_function.c
fork.c copy_sighand: Handle architectures where sizeof(unsigned long) < sizeof(u64) 2025-10-19 16:33:48 +02:00
freezer.c sched,freezer: Remove unnecessary warning in __thaw_task 2025-07-24 08:56:37 +02:00
gen_kheaders.sh kheaders: Ignore silly-rename files 2025-01-23 17:22:55 +01:00
groups.c
hung_task.c sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
iomem.c
irq_work.c
jump_label.c jump_label: Fix static_key_slow_dec() yet again 2024-09-10 11:57:27 +02:00
kallsyms_internal.h kallsyms: get rid of code for absolute kallsyms 2024-07-20 16:33:21 +09:00
kallsyms_selftest.c kallsyms: Match symbols exactly with CONFIG_LTO_CLANG 2024-08-15 09:33:35 -07:00
kallsyms_selftest.h
kallsyms.c kallsyms: Fix wrong "big" kernel symbol type read from procfs 2026-01-08 10:14:14 +01:00
kcmp.c
Kconfig.freezer
Kconfig.hz
Kconfig.kexec crash, powerpc: default to CRASH_DUMP=n on PPC_BOOK3S_32 2024-11-14 22:43:48 -08:00
Kconfig.locks
Kconfig.preempt sched_ext: Build fix on !CONFIG_STACKTRACE[_SUPPORT] 2024-08-01 07:08:01 -10:00
kcov.c kcov: mark in_softirq_really() as __always_inline 2025-01-09 13:33:49 +01:00
kexec_core.c sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
kexec_elf.c kexec: initialize ELF lowest address to ULONG_MAX 2025-04-10 14:39:24 +02:00
kexec_file.c kexec_file: fix elfcorehdr digest exclusion when CONFIG_CRASH_HOTPLUG=y 2024-09-01 17:59:01 -07:00
kexec_internal.h kexec: use atomic_try_cmpxchg_acquire() in kexec_trylock() 2024-09-01 20:43:23 -07:00
kexec.c
kheaders.c
kprobes.c kprobes: Fix to check symbol prefixes correctly 2024-08-05 14:04:03 +09:00
ksyms_common.c
ksysfs.c profiling: remove prof_cpu_mask 2024-07-29 10:45:54 -07:00
kthread.c kthread: unpark only parked kthread 2024-10-09 12:47:19 -07:00
latencytop.c sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
Makefile mm: move kernel/numa.c to mm/ 2024-09-03 21:15:26 -07:00
module_signature.c
notifier.c
nsproxy.c introduce fd_file(), convert all accessors to it. 2024-08-12 22:00:43 -04:00
padata.c padata: Reset next CPU when reorder sequence wraps around 2025-10-23 16:20:42 +02:00
panic.c objtool, panic: Disable SMAP in __stack_chk_fail() 2025-05-02 07:59:19 +02:00
params.c module: ensure that kobject_put() is safe for module type kobjects 2025-05-18 08:24:54 +02:00
pid_namespace.c sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
pid_sysctl.h sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
pid.c pid: Add a judgment for ns null in pid_nr_ns 2025-10-19 16:34:05 +02:00
profile.c profiling: remove profile=sleep support 2024-08-04 13:36:28 -07:00
ptrace.c
range.c
reboot.c Flush console log from kernel_power_off() 2025-04-20 10:15:12 +02:00
regset.c
relay.c [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
resource_kunit.c resource, kunit: fix user-after-free in resource_test_region_intersects() 2024-10-09 12:47:19 -07:00
resource.c Reinstate "resource: avoid unnecessary lookups in find_next_iomem_res()" 2025-12-18 13:55:11 +01:00
rseq.c rseq: Protect event mask against membarrier IPI 2025-10-19 16:33:34 +02:00
scftorture.c
scs.c scs: fix a wrong parameter in __scs_magic 2026-01-08 10:14:21 +01:00
seccomp.c seccomp: passthrough uprobe systemcall without filtering 2025-11-02 22:15:20 +09:00
signal.c pidfs: improve multi-threaded exec and premature thread-group leader exit polling 2025-05-29 11:02:09 +02:00
smp.c smp: Fix up and expand the smp_call_function_many() kerneldoc 2025-10-15 12:00:02 +02:00
smpboot.c
smpboot.h
softirq.c lockdep: Fix wait context check on softirq for PREEMPT_RT 2025-05-29 11:02:08 +02:00
stackleak.c sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
stacktrace.c
static_call_inline.c x86/static-call: provide a way to do very early static-call updates 2024-12-19 18:13:23 +01:00
static_call.c
stop_machine.c sched/core: Fix migrate_swap() vs. hotplug 2025-07-17 18:37:03 +02:00
sys_ni.c Probes updates for v6.11: 2024-07-18 12:19:20 -07:00
sys.c kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths 2025-10-19 16:33:51 +02:00
sysctl-test.c
sysctl.c sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
task_work.c task_work: Fix NMI race condition 2025-12-18 13:54:50 +01:00
taskstats.c introduce fd_file(), convert all accessors to it. 2024-08-12 22:00:43 -04:00
torture.c
tracepoint.c tracepoint: Support iterating tracepoints in a loading module 2024-09-25 23:23:44 +09:00
tsacct.c tsacct: replace strncpy() with strscpy() 2024-07-12 16:39:53 -07:00
ucount.c ucount: fix atomic_long_inc_below() argument type 2025-08-15 12:13:59 +02:00
uid16.c
uid16.h
umh.c sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
up.c
user_namespace.c user_namespace: use kmemdup_array() instead of kmemdup() for multiple allocation 2024-09-09 16:47:42 -07:00
user-return-notifier.c
user.c uidgid: make sure we fit into one cacheline 2024-09-12 12:16:09 +02:00
usermode_driver.c
utsname_sysctl.c sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
utsname.c
vhost_task.c vhost: Take a reference on the task in struct vhost_task. 2025-10-02 13:44:10 +02:00
vmcore_info.c mm: support only one page_type per page 2024-09-03 21:15:43 -07:00
watch_queue.c watch_queue: fix pipe accounting mismatch 2025-04-10 14:39:10 +02:00
watchdog_buddy.c
watchdog_perf.c watchdog/hardlockup/perf: Fix perf_event memory leak 2025-04-10 14:39:11 +02:00
watchdog.c watchdog: fix watchdog may detect false positive of softlockup 2025-06-27 11:11:22 +01:00
workqueue_internal.h
workqueue.c workqueue: Initialize wq_isolated_cpumask in workqueue_init_early() 2025-06-27 11:11:42 +01:00