bpf: Fix swapped arguments in calls to check_buffer_access

There are a couple of arguments of the boolean flag zero_size_allowed and
the char pointer buf_info when calling to function check_buffer_access that
are swapped by mistake. Fix these by swapping them to correct the argument
ordering.

Fixes: afbf21dce668 ("bpf: Support readonly/readwrite buffers in verifier")
Addresses-Coverity: ("Array compared to 0")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/20200727175411.155179-1-colin.king@canonical.com

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index cd14e70..88bb25d 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3477,14 +3477,14 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
                                regno, reg_type_str[reg->type]);
                        return -EACCES;
                }
-               err = check_buffer_access(env, reg, regno, off, size, "rdonly",
-                                         false,
+               err = check_buffer_access(env, reg, regno, off, size, false,
+                                         "rdonly",
                                          &env->prog->aux->max_rdonly_access);
                if (!err && value_regno >= 0)
                        mark_reg_unknown(env, regs, value_regno);
        } else if (reg->type == PTR_TO_RDWR_BUF) {
-               err = check_buffer_access(env, reg, regno, off, size, "rdwr",
-                                         false,
+               err = check_buffer_access(env, reg, regno, off, size, false,
+                                         "rdwr",
                                          &env->prog->aux->max_rdwr_access);
                if (!err && t == BPF_READ && value_regno >= 0)
                        mark_reg_unknown(env, regs, value_regno);