From: Alexei Starovoitov Date: Mon, 25 Nov 2024 22:25:49 +0000 (-0800) Subject: Merge branch 'bpf-fix-oob-accesses-in-map_delete_elem-callbacks' X-Git-Tag: nvme-6.14-2025-01-12~168^2~11 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=7ca088420084cbceb9ebdee8c5ff9bfc9eac8dae;p=nvme.git Merge branch 'bpf-fix-oob-accesses-in-map_delete_elem-callbacks' Maciej Fijalkowski says: ==================== bpf: fix OOB accesses in map_delete_elem callbacks v1->v2: - CC stable and collect tags from Toke & John Hi, Jordy reported that for big enough XSKMAPs and DEVMAPs, when deleting elements, OOB writes occur. Reproducer below: // compile with gcc -o map_poc map_poc.c -lbpf #include #include #include #include #include #include #include int main() { // Create a large enough BPF XSK map int map_fd; union bpf_attr create_attr = { .map_type = BPF_MAP_TYPE_XSKMAP, .key_size = sizeof(int), .value_size = sizeof(int), .max_entries = 0x80000000 + 2, }; map_fd = syscall(SYS_bpf, BPF_MAP_CREATE, &create_attr, sizeof(create_attr)); if (map_fd < 0) { fprintf(stderr, "Failed to create BPF map: %s\n", strerror(errno)); return 1; } // Delete an element from the map using syscall unsigned int key = 0x80000000 + 1; if (syscall(SYS_bpf, BPF_MAP_DELETE_ELEM, &(union bpf_attr){ .map_fd = map_fd, .key = &key, }, sizeof(union bpf_attr)) < 0) { fprintf(stderr, "Failed to delete element from BPF map: %s\n", strerror(errno)); return 1; } close(map_fd); return 0; } This tiny series changes data types from int to u32 of keys being used for map accesses. Thanks, Maciej ==================== Link: https://patch.msgid.link/20241122121030.716788-1-maciej.fijalkowski@intel.com Signed-off-by: Alexei Starovoitov --- 7ca088420084cbceb9ebdee8c5ff9bfc9eac8dae