Patch "bpf: Check percpu map value size first" has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Fri, 11 Oct 2024 15:39:11 -0400

This is a note to let you know that I've just added the patch titled

    bpf: Check percpu map value size first

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-check-percpu-map-value-size-first.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 50209262418c5b4e1e93a44636eaa4ab57a92e00
Author: Tao Chen <chen.dylane@xxxxxxxxx>
Date:   Tue Sep 10 22:41:10 2024 +0800

    bpf: Check percpu map value size first
    
    [ Upstream commit 1d244784be6b01162b732a5a7d637dfc024c3203 ]
    
    Percpu map is often used, but the map value size limit often ignored,
    like issue: https://github.com/iovisor/bcc/issues/2519. Actually,
    percpu map value size is bound by PCPU_MIN_UNIT_SIZE, so we
    can check the value size whether it exceeds PCPU_MIN_UNIT_SIZE first,
    like percpu map of local_storage. Maybe the error message seems clearer
    compared with "cannot allocate memory".
    
    Signed-off-by: Jinke Han <jinkehan@xxxxxxxxxxxxxx>
    Signed-off-by: Tao Chen <chen.dylane@xxxxxxxxx>
    Signed-off-by: Andrii Nakryiko <andrii@xxxxxxxxxx>
    Acked-by: Jiri Olsa <jolsa@xxxxxxxxxx>
    Acked-by: Andrii Nakryiko <andrii@xxxxxxxxxx>
    Link: https://lore.kernel.org/bpf/20240910144111.1464912-2-chen.dylane@xxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
index c9843dde69081..1811efcfbd6e3 100644
--- a/kernel/bpf/arraymap.c
+++ b/kernel/bpf/arraymap.c
@@ -73,6 +73,9 @@ int array_map_alloc_check(union bpf_attr *attr)
 	/* avoid overflow on round_up(map->value_size) */
 	if (attr->value_size > INT_MAX)
 		return -E2BIG;
+	/* percpu map value size is bound by PCPU_MIN_UNIT_SIZE */
+	if (percpu && round_up(attr->value_size, 8) > PCPU_MIN_UNIT_SIZE)
+		return -E2BIG;
 
 	return 0;
 }
diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
index 85cd17ca38290..7c64ad4f3732b 100644
--- a/kernel/bpf/hashtab.c
+++ b/kernel/bpf/hashtab.c
@@ -458,6 +458,9 @@ static int htab_map_alloc_check(union bpf_attr *attr)
 		 * kmalloc-able later in htab_map_update_elem()
 		 */
 		return -E2BIG;
+	/* percpu map value size is bound by PCPU_MIN_UNIT_SIZE */
+	if (percpu && round_up(attr->value_size, 8) > PCPU_MIN_UNIT_SIZE)
+		return -E2BIG;
 
 	return 0;
 }







