diff options
author | John Fastabend <john.fastabend@gmail.com> | 2017-10-27 18:45:34 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2017-10-29 03:18:48 +0100 |
commit | 8108a77515126f6db4374e8593956e20430307c0 (patch) | |
tree | 0c6e1ae0c05ad353f1fa675edcdaad6cf9b333b3 /include/net | |
parent | tap: reference to KVA of an unloaded module causes kernel panic (diff) | |
download | linux-8108a77515126f6db4374e8593956e20430307c0.tar.xz linux-8108a77515126f6db4374e8593956e20430307c0.zip |
bpf: bpf_compute_data uses incorrect cb structure
SK_SKB program types use bpf_compute_data to store the end of the
packet data. However, bpf_compute_data assumes the cb is stored in the
qdisc layer format. But, for SK_SKB this is the wrong layer of the
stack for this type.
It happens to work (sort of!) because in most cases nothing happens
to be overwritten today. This is very fragile and error prone.
Fortunately, we have another hole in tcp_skb_cb we can use so lets
put the data_end value there.
Note, SK_SKB program types do not use data_meta, they are failed by
sk_skb_is_valid_access().
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/net')
-rw-r--r-- | include/net/tcp.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/include/net/tcp.h b/include/net/tcp.h index b1ef98ebce53..33599d17522d 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -844,6 +844,7 @@ struct tcp_skb_cb { __u32 key; __u32 flags; struct bpf_map *map; + void *data_end; } bpf; }; }; |