Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / ff936a04e5f28b7e0455be0e7fa91334f89e4b44^! / . / net / packet / af_packet.c
commitff936a04e5f28b7e0455be0e7fa91334f89e4b44[log] [tgz]
authorAlexei Starovoitov <ast@plumgrid.com>Wed Oct 07 10:55:41 2015 -0700
committerDavid S. Miller <davem@davemloft.net>Sun Oct 11 04:40:05 2015 -0700
treef23b1f44945600ce2631560eb1f93364606b62b6
parentd49ae37c613f7cc1f4c1fd6ef073d60c32e000dd [diff] [blame]
bpf: fix cb access in socket filter programs

eBPF socket filter programs may see junk in 'u32 cb[5]' area,
since it could have been used by protocol layers earlier.

For socket filter programs used in af_packet we need to clean
20 bytes of skb->cb area if it could be used by the program.
For programs attached to TCP/UDP sockets we need to save/restore
these 20 bytes, since it's used by protocol layers.

Remove SK_RUN_FILTER macro, since it's no longer used.

Long term we may move this bpf cb area to per-cpu scratch, but that
requires addition of new 'per-cpu load/store' instructions,
so not suitable as a short term fix.

Fixes: d691f9e8d440 ("bpf: allow programs to write to certain skb fields")
Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 81c900f..104910f 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c

@@ -1423,7 +1423,7 @@
 	rcu_read_lock();
 	prog = rcu_dereference(f->bpf_prog);
 	if (prog)
-		ret = BPF_PROG_RUN(prog, skb) % num;
+		ret = bpf_prog_run_clear_cb(prog, skb) % num;
 	rcu_read_unlock();
 
 	return ret;
@@ -1939,16 +1939,16 @@
 	return err;
 }
 
-static unsigned int run_filter(const struct sk_buff *skb,
-				      const struct sock *sk,
-				      unsigned int res)
+static unsigned int run_filter(struct sk_buff *skb,
+			       const struct sock *sk,
+			       unsigned int res)
 {
 	struct sk_filter *filter;
 
 	rcu_read_lock();
 	filter = rcu_dereference(sk->sk_filter);
 	if (filter != NULL)
-		res = SK_RUN_FILTER(filter, skb);
+		res = bpf_prog_run_clear_cb(filter->prog, skb);
 	rcu_read_unlock();
 
 	return res;