Patch "bpf: Fix __bpf_{list,rbtree}_add's beginning-of-node calculation" has been added to the 6.4-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 9 Jul 2023 01:05:26 -0400

This is a note to let you know that I've just added the patch titled

    bpf: Fix __bpf_{list,rbtree}_add's beginning-of-node calculation

to the 6.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-fix-__bpf_-list-rbtree-_add-s-beginning-of-node-.patch
and it can be found in the queue-6.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit d9e3725fac6363552edd87ff66c0ed219572a341
Author: Dave Marchevsky <davemarchevsky@xxxxxx>
Date:   Thu Jun 1 19:26:41 2023 -0700

    bpf: Fix __bpf_{list,rbtree}_add's beginning-of-node calculation
    
    [ Upstream commit cc0d76cafebbd3e1ffab9c4252d48ecc9e0737f6 ]
    
    Given the pointer to struct bpf_{rb,list}_node within a local kptr and
    the byte offset of that field within the kptr struct, the calculation changed
    by this patch is meant to find the beginning of the kptr so that it can
    be passed to bpf_obj_drop.
    
    Unfortunately instead of doing
    
      ptr_to_kptr = ptr_to_node_field - offset_bytes
    
    the calculation is erroneously doing
    
      ptr_to_ktpr = ptr_to_node_field - (offset_bytes * sizeof(struct bpf_rb_node))
    
    or the bpf_list_node equivalent.
    
    This patch fixes the calculation.
    
    Fixes: d2dcc67df910 ("bpf: Migrate bpf_rbtree_add and bpf_list_push_{front,back} to possibly fail")
    Signed-off-by: Dave Marchevsky <davemarchevsky@xxxxxx>
    Link: https://lore.kernel.org/r/20230602022647.1571784-4-davemarchevsky@xxxxxx
    Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 8d368fa353f99..27b9f78195b2c 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -1943,7 +1943,7 @@ static int __bpf_list_add(struct bpf_list_node *node, struct bpf_list_head *head
 		INIT_LIST_HEAD(h);
 	if (!list_empty(n)) {
 		/* Only called from BPF prog, no need to migrate_disable */
-		__bpf_obj_drop_impl(n - off, rec);
+		__bpf_obj_drop_impl((void *)n - off, rec);
 		return -EINVAL;
 	}
 
@@ -2025,7 +2025,7 @@ static int __bpf_rbtree_add(struct bpf_rb_root *root, struct bpf_rb_node *node,
 
 	if (!RB_EMPTY_NODE(n)) {
 		/* Only called from BPF prog, no need to migrate_disable */
-		__bpf_obj_drop_impl(n - off, rec);
+		__bpf_obj_drop_impl((void *)n - off, rec);
 		return -EINVAL;
 	}
 






