diff options
author | David S. Miller <davem@davemloft.net> | 2018-09-02 15:53:38 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2018-09-02 15:53:38 -0700 |
commit | a80afe89d81af6b64bf2d9b3afef70dcf75df12b (patch) | |
tree | b2c917465cd88aeff2aefcb30406dd271f5d2f0c /net | |
parent | 15a81b418e22a9aa4a0504471fdcb0f4ebf69b96 (diff) | |
parent | 597222f72a94118f593e4f32bf58ae7e049a0df1 (diff) |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
Daniel Borkmann says:
====================
pull-request: bpf 2018-09-02
The following pull-request contains BPF updates for your *net* tree.
The main changes are:
1) Fix one remaining buggy offset override in sockmap's bpf_msg_pull_data()
when linearizing multiple scatterlist elements, from Tushar.
2) Fix BPF sockmap's misuse of ULP when a collision with another ULP is
found on map update where it would release existing ULP. syzbot found and
triggered this couple of times now, fix from John.
3) Add missing xskmap type to bpftool so it will properly show the type
on map dump, from Prashant.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/core/filter.c | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/net/core/filter.c b/net/core/filter.c index 2c7801f6737a..aecdeba052d3 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -2292,7 +2292,7 @@ static const struct bpf_func_proto bpf_msg_cork_bytes_proto = { BPF_CALL_4(bpf_msg_pull_data, struct sk_msg_buff *, msg, u32, start, u32, end, u64, flags) { - unsigned int len = 0, offset = 0, copy = 0; + unsigned int len = 0, offset = 0, copy = 0, poffset = 0; int bytes = end - start, bytes_sg_total; struct scatterlist *sg = msg->sg_data; int first_sg, last_sg, i, shift; @@ -2348,16 +2348,15 @@ BPF_CALL_4(bpf_msg_pull_data, if (unlikely(!page)) return -ENOMEM; p = page_address(page); - offset = 0; i = first_sg; do { from = sg_virt(&sg[i]); len = sg[i].length; - to = p + offset; + to = p + poffset; memcpy(to, from, len); - offset += len; + poffset += len; sg[i].length = 0; put_page(sg_page(&sg[i])); |