[01/26] bpf: verifier: Allow for multiple packets

Message ID	20220926231822.994383-2-drosen@google.com (mailing list archive)
State	Changes Requested
Delegated to:	BPF
Headers	show Return-Path: <bpf-owner@kernel.org> Date: Mon, 26 Sep 2022 16:17:57 -0700 In-Reply-To: <20220926231822.994383-1-drosen@google.com> Mime-Version: 1.0 References: <20220926231822.994383-1-drosen@google.com> Message-ID: <20220926231822.994383-2-drosen@google.com> Subject: [PATCH 01/26] bpf: verifier: Allow for multiple packets From: Daniel Rosenberg <drosen@google.com> To: Miklos Szeredi <miklos@szeredi.hu>, Alexei Starovoitov <ast@kernel.org>, Daniel Borkmann <daniel@iogearbox.net>, John Fastabend <john.fastabend@gmail.com> Cc: Andrii Nakryiko <andrii@kernel.org>, Martin KaFai Lau <martin.lau@linux.dev>, Song Liu <song@kernel.org>, Yonghong Song <yhs@fb.com>, KP Singh <kpsingh@kernel.org>, Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>, Jiri Olsa <jolsa@kernel.org>, Daniel Rosenberg <drosen@google.com>, Paul Lawrence <paullawrence@google.com>, Alessio Balsini <balsini@google.com>, David Anderson <dvander@google.com>, Sandeep Patil <sspatil@google.com>, linux-fsdevel@vger.kernel.org, bpf@vger.kernel.org, kernel-team@android.com Content-Type: text/plain; charset="UTF-8" Precedence: bulk
Series	FUSE BPF: A Stacked Filesystem Extension for FUSE \| expand [00/26] FUSE BPF: A Stacked Filesystem Extension for FUSE [01/26] bpf: verifier: Allow for multiple packets [02/26] bpf: verifier: Allow single packet invalidation [03/26] fuse-bpf: Update uapi for fuse-bpf [04/26] fuse-bpf: Add BPF supporting functions [05/26] fs: Generic function to convert iocb to rw flags [06/26] bpf: Export bpf_prog_fops [07/26] fuse-bpf: Prepare for fuse-bpf patch [08/26] fuse: Add fuse-bpf, a stacked fs extension for FUSE [09/26] fuse-bpf: Don't support export_operations [10/26] fuse-bpf: Partially add mapping support [11/26] fuse-bpf: Add lseek support [12/26] fuse-bpf: Add support for fallocate [13/26] fuse-bpf: Support file/dir open/close [14/26] fuse-bpf: Support mknod/unlink/mkdir/rmdir [15/26] fuse-bpf: Add support for read/write iter [16/26] fuse-bpf: support FUSE_READDIR [17/26] fuse-bpf: Add support for sync operations [18/26] fuse-bpf: Add Rename support [19/26] fuse-bpf: Add attr support [20/26] fuse-bpf: Add support for FUSE_COPY_FILE_RANGE [21/26] fuse-bpf: Add xattr support [22/26] fuse-bpf: Add symlink/link support [23/26] fuse-bpf: allow mounting with no userspace daemon [24/26] fuse-bpf: Call bpf for pre/post filters [25/26] fuse-bpf: Add userspace pre/post filters

Context	Check	Description
bpf/vmtest-bpf-PR	fail	PR summary
bpf/vmtest-bpf-VM_Test-1	pending	Logs for ${{ matrix.test }} on ${{ matrix.arch }} with ${{ matrix.toolchain }}
bpf/vmtest-bpf-VM_Test-2	fail	Logs for build for s390x with gcc
bpf/vmtest-bpf-VM_Test-3	fail	Logs for build for x86_64 with gcc
bpf/vmtest-bpf-VM_Test-4	fail	Logs for build for x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-5	success	Logs for llvm-toolchain
bpf/vmtest-bpf-VM_Test-6	success	Logs for set-matrix

diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 20c26aed7896..07086e375487 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -633,6 +633,7 @@ struct bpf_insn_access_aux { struct btf *btf; u32 btf_id; }; + int data_id; }; struct bpf_verifier_log *log; /* for verbose logs */ }; diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h index 2e3bad8640dc..feae965e08a4 100644 --- a/include/linux/bpf_verifier.h +++ b/include/linux/bpf_verifier.h @@ -50,7 +50,10 @@ struct bpf_reg_state { s32 off; union { /* valid when type == PTR_TO_PACKET */ - int range; + struct { + int range; + u32 data_id; + }; /* valid when type == CONST_PTR_TO_MAP | PTR_TO_MAP_VALUE | * PTR_TO_MAP_VALUE_OR_NULL diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 3eadb14e090b..d28cb22d5ee5 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -3544,8 +3544,9 @@ static int __check_mem_access(struct bpf_verifier_env *env, int regno, case PTR_TO_PACKET: case PTR_TO_PACKET_META: case PTR_TO_PACKET_END: - verbose(env, "invalid access to packet, off=%d size=%d, R%d(id=%d,off=%d,r=%d)\n", - off, size, regno, reg->id, off, mem_size); + verbose(env, + "invalid access to packet %d, off=%d size=%d, R%d(id=%d,off=%d,r=%d)\n", + reg->data_id, off, size, regno, reg->id, off, mem_size); break; case PTR_TO_MEM: default: @@ -3938,7 +3939,7 @@ static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off, /* check access to 'struct bpf_context' fields. Supports fixed offsets only */ static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off, int size, enum bpf_access_type t, enum bpf_reg_type *reg_type, - struct btf **btf, u32 *btf_id) + struct btf **btf, u32 *btf_id, u32 *data_id) { struct bpf_insn_access_aux info = { .reg_type = *reg_type, @@ -3959,6 +3960,8 @@ static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off, if (base_type(*reg_type) == PTR_TO_BTF_ID) { *btf = info.btf; *btf_id = info.btf_id; + } else if (*reg_type == PTR_TO_PACKET || *reg_type == PTR_TO_PACKET_END) { + *data_id = info.data_id; } else { env->insn_aux_data[insn_idx].ctx_field_size = info.ctx_field_size; } @@ -4788,6 +4791,7 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn enum bpf_reg_type reg_type = SCALAR_VALUE; struct btf *btf = NULL; u32 btf_id = 0; + u32 data_id = 0; if (t == BPF_WRITE && value_regno >= 0 && is_pointer_value(env, value_regno)) { @@ -4800,7 +4804,7 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn return err; err = check_ctx_access(env, insn_idx, off, size, t, &reg_type, &btf, - &btf_id); + &btf_id, &data_id); if (err) verbose_linfo(env, insn_idx, "; "); if (!err && t == BPF_READ && value_regno >= 0) { @@ -4824,6 +4828,10 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn if (base_type(reg_type) == PTR_TO_BTF_ID) { regs[value_regno].btf = btf; regs[value_regno].btf_id = btf_id; + } else if (reg_type == PTR_TO_PACKET || + reg_type == PTR_TO_PACKET_END || + reg_type == PTR_TO_PACKET_META) { + regs[value_regno].data_id = data_id; } } regs[value_regno].type = reg_type; @@ -9921,18 +9929,20 @@ static bool try_match_pkt_pointers(const struct bpf_insn *insn, switch (BPF_OP(insn->code)) { case BPF_JGT: - if ((dst_reg->type == PTR_TO_PACKET && + if (dst_reg->data_id == src_reg->data_id && + ((dst_reg->type == PTR_TO_PACKET && src_reg->type == PTR_TO_PACKET_END) || (dst_reg->type == PTR_TO_PACKET_META && - reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) { + reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET)))) { /* pkt_data' > pkt_end, pkt_meta' > pkt_data */ find_good_pkt_pointers(this_branch, dst_reg, dst_reg->type, false); mark_pkt_end(other_branch, insn->dst_reg, true); - } else if ((dst_reg->type == PTR_TO_PACKET_END && + } else if (dst_reg->data_id == src_reg->data_id && + ((dst_reg->type == PTR_TO_PACKET_END && src_reg->type == PTR_TO_PACKET) || (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) && - src_reg->type == PTR_TO_PACKET_META)) { + src_reg->type == PTR_TO_PACKET_META))) { /* pkt_end > pkt_data', pkt_data > pkt_meta' */ find_good_pkt_pointers(other_branch, src_reg, src_reg->type, true); @@ -9942,18 +9952,20 @@ static bool try_match_pkt_pointers(const struct bpf_insn *insn, } break; case BPF_JLT: - if ((dst_reg->type == PTR_TO_PACKET && - src_reg->type == PTR_TO_PACKET_END) || + if (dst_reg->data_id == src_reg->data_id && + ((dst_reg->type == PTR_TO_PACKET && + src_reg->type == PTR_TO_PACKET_END && dst_reg->data_id == src_reg->data_id) || (dst_reg->type == PTR_TO_PACKET_META && - reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) { + reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET)))) { /* pkt_data' < pkt_end, pkt_meta' < pkt_data */ find_good_pkt_pointers(other_branch, dst_reg, dst_reg->type, true); mark_pkt_end(this_branch, insn->dst_reg, false); - } else if ((dst_reg->type == PTR_TO_PACKET_END && + } else if (dst_reg->data_id == src_reg->data_id && + ((dst_reg->type == PTR_TO_PACKET_END && src_reg->type == PTR_TO_PACKET) || (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) && - src_reg->type == PTR_TO_PACKET_META)) { + src_reg->type == PTR_TO_PACKET_META))) { /* pkt_end < pkt_data', pkt_data > pkt_meta' */ find_good_pkt_pointers(this_branch, src_reg, src_reg->type, false); @@ -9963,18 +9975,20 @@ static bool try_match_pkt_pointers(const struct bpf_insn *insn, } break; case BPF_JGE: - if ((dst_reg->type == PTR_TO_PACKET && + if (dst_reg->data_id == src_reg->data_id && + ((dst_reg->type == PTR_TO_PACKET && src_reg->type == PTR_TO_PACKET_END) || (dst_reg->type == PTR_TO_PACKET_META && - reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) { + reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET)))) { /* pkt_data' >= pkt_end, pkt_meta' >= pkt_data */ find_good_pkt_pointers(this_branch, dst_reg, dst_reg->type, true); mark_pkt_end(other_branch, insn->dst_reg, false); - } else if ((dst_reg->type == PTR_TO_PACKET_END && + } else if (dst_reg->data_id == src_reg->data_id && + ((dst_reg->type == PTR_TO_PACKET_END && src_reg->type == PTR_TO_PACKET) || (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) && - src_reg->type == PTR_TO_PACKET_META)) { + src_reg->type == PTR_TO_PACKET_META))) { /* pkt_end >= pkt_data', pkt_data >= pkt_meta' */ find_good_pkt_pointers(other_branch, src_reg, src_reg->type, false); @@ -9984,18 +9998,20 @@ static bool try_match_pkt_pointers(const struct bpf_insn *insn, } break; case BPF_JLE: - if ((dst_reg->type == PTR_TO_PACKET && - src_reg->type == PTR_TO_PACKET_END) || + if (dst_reg->data_id == src_reg->data_id && + ((dst_reg->type == PTR_TO_PACKET && + src_reg->type == PTR_TO_PACKET_END && dst_reg->data_id == src_reg->data_id) || (dst_reg->type == PTR_TO_PACKET_META && - reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) { + reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET)))) { /* pkt_data' <= pkt_end, pkt_meta' <= pkt_data */ find_good_pkt_pointers(other_branch, dst_reg, dst_reg->type, false); mark_pkt_end(this_branch, insn->dst_reg, true); - } else if ((dst_reg->type == PTR_TO_PACKET_END && + } else if (dst_reg->data_id == src_reg->data_id && + ((dst_reg->type == PTR_TO_PACKET_END && src_reg->type == PTR_TO_PACKET) || (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) && - src_reg->type == PTR_TO_PACKET_META)) { + src_reg->type == PTR_TO_PACKET_META))) { /* pkt_end <= pkt_data', pkt_data <= pkt_meta' */ find_good_pkt_pointers(this_branch, src_reg, src_reg->type, true);

[01/26] bpf: verifier: Allow for multiple packets

Checks

Commit Message

Patch