
[RESEND,bpf-next,15/18] bpf: take into account BPF token when fetching helper protos

Message ID 20230602150011.1657856-16-andrii@kernel.org (mailing list archive)
State Superseded
Delegated to: Paul Moore

Commit Message

Andrii Nakryiko June 2, 2023, 3 p.m. UTC
Instead of performing unconditional system-wide bpf_capable() and
perfmon_capable() calls inside bpf_base_func_proto() function (and other
similar ones) to determine eligibility of a given BPF helper for a given
program, use previously recorded BPF token during BPF_PROG_LOAD command
handling to inform the decision.

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
---
 drivers/media/rc/bpf-lirc.c |  2 +-
 include/linux/bpf.h         |  5 +++--
 kernel/bpf/cgroup.c         |  6 +++---
 kernel/bpf/helpers.c        |  6 +++---
 kernel/bpf/syscall.c        |  5 +++--
 kernel/trace/bpf_trace.c    |  2 +-
 net/core/filter.c           | 32 ++++++++++++++++----------------
 net/ipv4/bpf_tcp_ca.c       |  2 +-
 net/netfilter/nf_bpf_link.c |  2 +-
 9 files changed, 32 insertions(+), 30 deletions(-)

Comments

kernel test robot June 2, 2023, 6:46 p.m. UTC | #1
Hi Andrii,

kernel test robot noticed the following build errors:

[auto build test ERROR on bpf-next/master]

url:    https://github.com/intel-lab-lkp/linux/commits/Andrii-Nakryiko/bpf-introduce-BPF-token-object/20230602-230448
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git master
patch link:    https://lore.kernel.org/r/20230602150011.1657856-16-andrii%40kernel.org
patch subject: [PATCH RESEND bpf-next 15/18] bpf: take into account BPF token when fetching helper protos
config: um-x86_64_defconfig (https://download.01.org/0day-ci/archive/20230603/202306030252.UOXkWZTK-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build):
        # https://github.com/intel-lab-lkp/linux/commit/3d830ca845b075ab4132487aaaa69b70a467863c
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Andrii-Nakryiko/bpf-introduce-BPF-token-object/20230602-230448
        git checkout 3d830ca845b075ab4132487aaaa69b70a467863c
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        make W=1 O=build_dir ARCH=um SUBARCH=x86_64 olddefconfig
        make W=1 O=build_dir ARCH=um SUBARCH=x86_64 SHELL=/bin/bash

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202306030252.UOXkWZTK-lkp@intel.com/

All errors (new ones prefixed by >>):

   In file included from include/linux/bpf_verifier.h:7,
                    from net/core/filter.c:21:
   include/linux/bpf.h: In function 'bpf_token_new_fd':
   include/linux/bpf.h:2475:16: warning: returning 'int' from a function with return type 'struct bpf_token *' makes pointer from integer without a cast [-Wint-conversion]
    2475 |         return -EOPNOTSUPP;
         |                ^
   net/core/filter.c: In function 'bpf_sk_base_func_proto':
>> net/core/filter.c:11653:14: error: implicit declaration of function 'bpf_token_capable'; did you mean 'bpf_token_put'? [-Werror=implicit-function-declaration]
   11653 |         if (!bpf_token_capable(prog->aux->token, CAP_PERFMON))
         |              ^~~~~~~~~~~~~~~~~
         |              bpf_token_put
   cc1: some warnings being treated as errors


vim +11653 net/core/filter.c

 11619	
 11620	static const struct bpf_func_proto *
 11621	bpf_sk_base_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 11622	{
 11623		const struct bpf_func_proto *func;
 11624	
 11625		switch (func_id) {
 11626		case BPF_FUNC_skc_to_tcp6_sock:
 11627			func = &bpf_skc_to_tcp6_sock_proto;
 11628			break;
 11629		case BPF_FUNC_skc_to_tcp_sock:
 11630			func = &bpf_skc_to_tcp_sock_proto;
 11631			break;
 11632		case BPF_FUNC_skc_to_tcp_timewait_sock:
 11633			func = &bpf_skc_to_tcp_timewait_sock_proto;
 11634			break;
 11635		case BPF_FUNC_skc_to_tcp_request_sock:
 11636			func = &bpf_skc_to_tcp_request_sock_proto;
 11637			break;
 11638		case BPF_FUNC_skc_to_udp6_sock:
 11639			func = &bpf_skc_to_udp6_sock_proto;
 11640			break;
 11641		case BPF_FUNC_skc_to_unix_sock:
 11642			func = &bpf_skc_to_unix_sock_proto;
 11643			break;
 11644		case BPF_FUNC_skc_to_mptcp_sock:
 11645			func = &bpf_skc_to_mptcp_sock_proto;
 11646			break;
 11647		case BPF_FUNC_ktime_get_coarse_ns:
 11648			return &bpf_ktime_get_coarse_ns_proto;
 11649		default:
 11650			return bpf_base_func_proto(func_id, prog);
 11651		}
 11652	
 11653		if (!bpf_token_capable(prog->aux->token, CAP_PERFMON))
 11654			return NULL;
 11655	
 11656		return func;
 11657	}
 11658
Andrii Nakryiko June 2, 2023, 8:07 p.m. UTC | #2
On Fri, Jun 2, 2023 at 11:48 AM kernel test robot <lkp@intel.com> wrote:
>
> Hi Andrii,
>
> kernel test robot noticed the following build errors:
>
> [auto build test ERROR on bpf-next/master]
>
> url:    https://github.com/intel-lab-lkp/linux/commits/Andrii-Nakryiko/bpf-introduce-BPF-token-object/20230602-230448
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git master
> patch link:    https://lore.kernel.org/r/20230602150011.1657856-16-andrii%40kernel.org
> patch subject: [PATCH RESEND bpf-next 15/18] bpf: take into account BPF token when fetching helper protos
> config: um-x86_64_defconfig (https://download.01.org/0day-ci/archive/20230603/202306030252.UOXkWZTK-lkp@intel.com/config)
> compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
> reproduce (this is a W=1 build):
>         # https://github.com/intel-lab-lkp/linux/commit/3d830ca845b075ab4132487aaaa69b70a467863c
>         git remote add linux-review https://github.com/intel-lab-lkp/linux
>         git fetch --no-tags linux-review Andrii-Nakryiko/bpf-introduce-BPF-token-object/20230602-230448
>         git checkout 3d830ca845b075ab4132487aaaa69b70a467863c
>         # save the config file
>         mkdir build_dir && cp config build_dir/.config
>         make W=1 O=build_dir ARCH=um SUBARCH=x86_64 olddefconfig
>         make W=1 O=build_dir ARCH=um SUBARCH=x86_64 SHELL=/bin/bash
>
> If you fix the issue, kindly add following tag where applicable
> | Reported-by: kernel test robot <lkp@intel.com>
> | Closes: https://lore.kernel.org/oe-kbuild-all/202306030252.UOXkWZTK-lkp@intel.com/
>
> All errors (new ones prefixed by >>):
>
>    In file included from include/linux/bpf_verifier.h:7,
>                     from net/core/filter.c:21:
>    include/linux/bpf.h: In function 'bpf_token_new_fd':
>    include/linux/bpf.h:2475:16: warning: returning 'int' from a function with return type 'struct bpf_token *' makes pointer from integer without a cast [-Wint-conversion]
>     2475 |         return -EOPNOTSUPP;
>          |                ^

bad copy/paste, this function should return int. I forgot to test that
everything compiles without CONFIG_BPF_SYSCALL.


>    net/core/filter.c: In function 'bpf_sk_base_func_proto':
> >> net/core/filter.c:11653:14: error: implicit declaration of function 'bpf_token_capable'; did you mean 'bpf_token_put'? [-Werror=implicit-function-declaration]
>    11653 |         if (!bpf_token_capable(prog->aux->token, CAP_PERFMON))
>          |              ^~~~~~~~~~~~~~~~~
>          |              bpf_token_put
>    cc1: some warnings being treated as errors
>
>

hm.. maybe I'll just make bpf_token_capable() a static inline function
in include/linux/bpf.h

> vim +11653 net/core/filter.c
>
>  11619
>  11620  static const struct bpf_func_proto *
>  11621  bpf_sk_base_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
>  11622  {
>  11623          const struct bpf_func_proto *func;
>  11624
>  11625          switch (func_id) {
>  11626          case BPF_FUNC_skc_to_tcp6_sock:
>  11627                  func = &bpf_skc_to_tcp6_sock_proto;
>  11628                  break;
>  11629          case BPF_FUNC_skc_to_tcp_sock:
>  11630                  func = &bpf_skc_to_tcp_sock_proto;
>  11631                  break;
>  11632          case BPF_FUNC_skc_to_tcp_timewait_sock:
>  11633                  func = &bpf_skc_to_tcp_timewait_sock_proto;
>  11634                  break;
>  11635          case BPF_FUNC_skc_to_tcp_request_sock:
>  11636                  func = &bpf_skc_to_tcp_request_sock_proto;
>  11637                  break;
>  11638          case BPF_FUNC_skc_to_udp6_sock:
>  11639                  func = &bpf_skc_to_udp6_sock_proto;
>  11640                  break;
>  11641          case BPF_FUNC_skc_to_unix_sock:
>  11642                  func = &bpf_skc_to_unix_sock_proto;
>  11643                  break;
>  11644          case BPF_FUNC_skc_to_mptcp_sock:
>  11645                  func = &bpf_skc_to_mptcp_sock_proto;
>  11646                  break;
>  11647          case BPF_FUNC_ktime_get_coarse_ns:
>  11648                  return &bpf_ktime_get_coarse_ns_proto;
>  11649          default:
>  11650                  return bpf_base_func_proto(func_id, prog);
>  11651          }
>  11652
>  11653          if (!bpf_token_capable(prog->aux->token, CAP_PERFMON))
>  11654                  return NULL;
>  11655
>  11656          return func;
>  11657  }
>  11658
>
> --
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
>

Patch

diff --git a/drivers/media/rc/bpf-lirc.c b/drivers/media/rc/bpf-lirc.c
index fe17c7f98e81..6d07693c6b9f 100644
--- a/drivers/media/rc/bpf-lirc.c
+++ b/drivers/media/rc/bpf-lirc.c
@@ -110,7 +110,7 @@  lirc_mode2_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 	case BPF_FUNC_get_prandom_u32:
 		return &bpf_get_prandom_u32_proto;
 	case BPF_FUNC_trace_printk:
-		if (perfmon_capable())
+		if (bpf_token_capable(prog->aux->token, CAP_PERFMON))
 			return bpf_get_trace_printk_proto();
 		fallthrough;
 	default:
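Review bot: Nothing at this call site says what `prog->aux->token` holds when the program was loaded without a token, yet the decision moves from the calling task's system-wide CAP_PERFMON to whatever the recorded token grants. bpf_token_capable() is defined outside this patch, so its NULL-token behaviour should be stated in a comment here or on its declaration, e.g. `/* token is NULL for programs loaded without one; confirm bpf_token_capable() then falls back to the task's own capability */`. bpf_trace_printk output goes to the shared trace buffer, so it is worth confirming that a delegated token is meant to reach it. The same undocumented dereference appears in the bpf_base_func_proto(), syscall_prog_func_proto() and bpf_sk_base_func_proto() hunks; lirc_mode2_func_proto() itself starts and ends outside this hunk.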
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 320d93c542ed..9467d093e88e 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -2345,7 +2345,8 @@  int btf_check_type_match(struct bpf_verifier_log *log, const struct bpf_prog *pr
 struct bpf_prog *bpf_prog_by_id(u32 id);
 struct bpf_link *bpf_link_by_id(u32 id);
 
-const struct bpf_func_proto *bpf_base_func_proto(enum bpf_func_id func_id);
+const struct bpf_func_proto *bpf_base_func_proto(enum bpf_func_id func_id,
+						 const struct bpf_prog *prog);
 void bpf_task_storage_free(struct task_struct *task);
 void bpf_cgrp_storage_free(struct cgroup *cgroup);
 bool bpf_prog_has_kfunc_call(const struct bpf_prog *prog);
@@ -2602,7 +2603,7 @@  static inline int btf_struct_access(struct bpf_verifier_log *log,
 }
 
 static inline const struct bpf_func_proto *
-bpf_base_func_proto(enum bpf_func_id func_id)
+bpf_base_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 {
 	return NULL;
 }
diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index 5b2741aa0d9b..39d6cfb6f304 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -1615,7 +1615,7 @@  cgroup_dev_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 	case BPF_FUNC_perf_event_output:
 		return &bpf_event_output_data_proto;
 	default:
-		return bpf_base_func_proto(func_id);
+		return bpf_base_func_proto(func_id, prog);
 	}
 }
 
@@ -2173,7 +2173,7 @@  sysctl_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 	case BPF_FUNC_perf_event_output:
 		return &bpf_event_output_data_proto;
 	default:
-		return bpf_base_func_proto(func_id);
+		return bpf_base_func_proto(func_id, prog);
 	}
 }
 
@@ -2330,7 +2330,7 @@  cg_sockopt_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 	case BPF_FUNC_perf_event_output:
 		return &bpf_event_output_data_proto;
 	default:
-		return bpf_base_func_proto(func_id);
+		return bpf_base_func_proto(func_id, prog);
 	}
 }
 
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 4ef4c4f8a355..31cd0b956c7e 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -1663,7 +1663,7 @@  const struct bpf_func_proto bpf_probe_read_kernel_str_proto __weak;
 const struct bpf_func_proto bpf_task_pt_regs_proto __weak;
 
 const struct bpf_func_proto *
-bpf_base_func_proto(enum bpf_func_id func_id)
+bpf_base_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 {
 	switch (func_id) {
 	case BPF_FUNC_map_lookup_elem:
@@ -1714,7 +1714,7 @@  bpf_base_func_proto(enum bpf_func_id func_id)
 		break;
 	}
 
-	if (!bpf_capable())
+	if (!bpf_token_capable(prog->aux->token, CAP_BPF))
 		return NULL;
 
 	switch (func_id) {
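Review bot: bpf_base_func_proto() now dereferences `prog->aux` on the capability path, while the switch that precedes this check appears to return the unprivileged helpers without touching `prog`, so a NULL `prog` would fault only for the privileged helper ids. Whether any caller can pass NULL is not visible on this page. If the contract is that `prog` is always the program being verified, say so above the definition, e.g. `/* @prog must be non-NULL: its token decides CAP_BPF/CAP_PERFMON helper eligibility */`. The CAP_PERFMON check in the next hunk depends on the same contract, and the function body starts and ends outside this hunk.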
@@ -1772,7 +1772,7 @@  bpf_base_func_proto(enum bpf_func_id func_id)
 		break;
 	}
 
-	if (!perfmon_capable())
+	if (!bpf_token_capable(prog->aux->token, CAP_PERFMON))
 		return NULL;
 
 	switch (func_id) {
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index e02688bebf8e..4ec366f20760 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -5528,7 +5528,7 @@  static const struct bpf_func_proto bpf_sys_bpf_proto = {
 const struct bpf_func_proto * __weak
 tracing_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 {
-	return bpf_base_func_proto(func_id);
+	return bpf_base_func_proto(func_id, prog);
 }
 
 BPF_CALL_1(bpf_sys_close, u32, fd)
@@ -5578,7 +5578,8 @@  syscall_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 {
 	switch (func_id) {
 	case BPF_FUNC_sys_bpf:
-		return !perfmon_capable() ? NULL : &bpf_sys_bpf_proto;
+		return !bpf_token_capable(prog->aux->token, CAP_PERFMON)
+		       ? NULL : &bpf_sys_bpf_proto;
 	case BPF_FUNC_btf_find_by_name_kind:
 		return &bpf_btf_find_by_name_kind_proto;
 	case BPF_FUNC_sys_close:
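Review bot: The negated condition wrapped across two lines is harder to read than the positive form; `return bpf_token_capable(prog->aux->token, CAP_PERFMON) ? &bpf_sys_bpf_proto : NULL;` says the same thing. Because this helper lets the program issue bpf() commands itself, a one-line comment stating which credential those nested commands are checked against would help a reader judge what a token holder gains; the hunk does not show it. syscall_prog_func_proto() continues past the end of the hunk.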
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 2bc41e6ac9fe..f5382d8bb690 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -1511,7 +1511,7 @@  bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 	case BPF_FUNC_trace_vprintk:
 		return bpf_get_trace_vprintk_proto();
 	default:
-		return bpf_base_func_proto(func_id);
+		return bpf_base_func_proto(func_id, prog);
 	}
 }
 
diff --git a/net/core/filter.c b/net/core/filter.c
index 968139f4a1ac..10d655c140c9 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -83,7 +83,7 @@ 
 #include <net/netfilter/nf_conntrack_bpf.h>
 
 static const struct bpf_func_proto *
-bpf_sk_base_func_proto(enum bpf_func_id func_id);
+bpf_sk_base_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog);
 
 int copy_bpf_fprog_from_user(struct sock_fprog *dst, sockptr_t src, int len)
 {
@@ -7726,7 +7726,7 @@  sock_filter_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 	case BPF_FUNC_ktime_get_coarse_ns:
 		return &bpf_ktime_get_coarse_ns_proto;
 	default:
-		return bpf_base_func_proto(func_id);
+		return bpf_base_func_proto(func_id, prog);
 	}
 }
 
@@ -7809,7 +7809,7 @@  sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 			return NULL;
 		}
 	default:
-		return bpf_sk_base_func_proto(func_id);
+		return bpf_sk_base_func_proto(func_id, prog);
 	}
 }
 
@@ -7828,7 +7828,7 @@  sk_filter_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 	case BPF_FUNC_perf_event_output:
 		return &bpf_skb_event_output_proto;
 	default:
-		return bpf_sk_base_func_proto(func_id);
+		return bpf_sk_base_func_proto(func_id, prog);
 	}
 }
 
@@ -8015,7 +8015,7 @@  tc_cls_act_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 #endif
 #endif
 	default:
-		return bpf_sk_base_func_proto(func_id);
+		return bpf_sk_base_func_proto(func_id, prog);
 	}
 }
 
@@ -8074,7 +8074,7 @@  xdp_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 #endif
 #endif
 	default:
-		return bpf_sk_base_func_proto(func_id);
+		return bpf_sk_base_func_proto(func_id, prog);
 	}
 
 #if IS_MODULE(CONFIG_NF_CONNTRACK) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF_MODULES)
@@ -8135,7 +8135,7 @@  sock_ops_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 		return &bpf_tcp_sock_proto;
 #endif /* CONFIG_INET */
 	default:
-		return bpf_sk_base_func_proto(func_id);
+		return bpf_sk_base_func_proto(func_id, prog);
 	}
 }
 
@@ -8177,7 +8177,7 @@  sk_msg_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 		return &bpf_get_cgroup_classid_curr_proto;
 #endif
 	default:
-		return bpf_sk_base_func_proto(func_id);
+		return bpf_sk_base_func_proto(func_id, prog);
 	}
 }
 
@@ -8221,7 +8221,7 @@  sk_skb_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 		return &bpf_skc_lookup_tcp_proto;
 #endif
 	default:
-		return bpf_sk_base_func_proto(func_id);
+		return bpf_sk_base_func_proto(func_id, prog);
 	}
 }
 
@@ -8232,7 +8232,7 @@  flow_dissector_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 	case BPF_FUNC_skb_load_bytes:
 		return &bpf_flow_dissector_load_bytes_proto;
 	default:
-		return bpf_sk_base_func_proto(func_id);
+		return bpf_sk_base_func_proto(func_id, prog);
 	}
 }
 
@@ -8259,7 +8259,7 @@  lwt_out_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 	case BPF_FUNC_skb_under_cgroup:
 		return &bpf_skb_under_cgroup_proto;
 	default:
-		return bpf_sk_base_func_proto(func_id);
+		return bpf_sk_base_func_proto(func_id, prog);
 	}
 }
 
@@ -11090,7 +11090,7 @@  sk_reuseport_func_proto(enum bpf_func_id func_id,
 	case BPF_FUNC_ktime_get_coarse_ns:
 		return &bpf_ktime_get_coarse_ns_proto;
 	default:
-		return bpf_base_func_proto(func_id);
+		return bpf_base_func_proto(func_id, prog);
 	}
 }
 
@@ -11272,7 +11272,7 @@  sk_lookup_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 	case BPF_FUNC_sk_release:
 		return &bpf_sk_release_proto;
 	default:
-		return bpf_sk_base_func_proto(func_id);
+		return bpf_sk_base_func_proto(func_id, prog);
 	}
 }
 
@@ -11606,7 +11606,7 @@  const struct bpf_func_proto bpf_sock_from_file_proto = {
 };
 
 static const struct bpf_func_proto *
-bpf_sk_base_func_proto(enum bpf_func_id func_id)
+bpf_sk_base_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 {
 	const struct bpf_func_proto *func;
 
@@ -11635,10 +11635,10 @@  bpf_sk_base_func_proto(enum bpf_func_id func_id)
 	case BPF_FUNC_ktime_get_coarse_ns:
 		return &bpf_ktime_get_coarse_ns_proto;
 	default:
-		return bpf_base_func_proto(func_id);
+		return bpf_base_func_proto(func_id, prog);
 	}
 
-	if (!perfmon_capable())
+	if (!bpf_token_capable(prog->aux->token, CAP_PERFMON))
 		return NULL;
 
 	return func;
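Review bot: The token check after the switch applies only to the skc_to_* cases that `break`; BPF_FUNC_ktime_get_coarse_ns and the default path return before reaching it, which is easy to miss when a new case is added. A comment above the check would make the grouping explicit, e.g. `/* only the skc_to_*() casts above reach this point and need CAP_PERFMON */`. The function opens in the previous hunk and its closing brace lies outside this one.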
diff --git a/net/ipv4/bpf_tcp_ca.c b/net/ipv4/bpf_tcp_ca.c
index 4406d796cc2f..0a3a60e7c282 100644
--- a/net/ipv4/bpf_tcp_ca.c
+++ b/net/ipv4/bpf_tcp_ca.c
@@ -193,7 +193,7 @@  bpf_tcp_ca_get_func_proto(enum bpf_func_id func_id,
 	case BPF_FUNC_ktime_get_coarse_ns:
 		return &bpf_ktime_get_coarse_ns_proto;
 	default:
-		return bpf_base_func_proto(func_id);
+		return bpf_base_func_proto(func_id, prog);
 	}
 }
 
diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
index c36da56d756f..d7786ea9c01a 100644
--- a/net/netfilter/nf_bpf_link.c
+++ b/net/netfilter/nf_bpf_link.c
@@ -219,7 +219,7 @@  static bool nf_is_valid_access(int off, int size, enum bpf_access_type type,
 static const struct bpf_func_proto *
 bpf_nf_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 {
-	return bpf_base_func_proto(func_id);
+	return bpf_base_func_proto(func_id, prog);
 }
 
 const struct bpf_verifier_ops netfilter_verifier_ops = {