From patchwork Tue Apr 4 04:50:22 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexei Starovoitov X-Patchwork-Id: 13199127 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 40F94C7618D for ; Tue, 4 Apr 2023 04:50:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233070AbjDDEul (ORCPT ); Tue, 4 Apr 2023 00:50:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40064 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232736AbjDDEuj (ORCPT ); Tue, 4 Apr 2023 00:50:39 -0400 Received: from mail-pg1-x52c.google.com (mail-pg1-x52c.google.com [IPv6:2607:f8b0:4864:20::52c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 202981FFA; Mon, 3 Apr 2023 21:50:38 -0700 (PDT) Received: by mail-pg1-x52c.google.com with SMTP id x37so18880962pga.1; Mon, 03 Apr 2023 21:50:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680583837; x=1683175837; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=6UeHRiVQiuVug2QCd8JwR0rmeb9wuxhyGp0d7KYKKh4=; b=YjhtQMC5KdKYLRhNcL68YCcISrdhyw0BU09+Sa4milJHnV7L52FcXOJa19gFHP2J9D SxV9BbjtDfpyVakP/dToVgfIUEduZTX5XWIQQ2sNYJmPSBvjXm3vAEpO6eBzTAA9dyYz P6t79TkM8+x/rNcgEiytlu/dZ5CXsl0hArXvkHRDlvhDb5QBEc/6Xpr9tzyKYbwCt056 STYw07dKSTrN6B9QeLvWKyMLCRROA1GoCLs1B991F2axupGhmZ3WQxZoCK263lIHvKJY A0ShE+qBX7ez8WJmvAlMvorfGNBRLROJMCIpdR06qbtAvP7OtfDyP3p3hzcCL3Bsozs3 LS5w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680583837; x=1683175837; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=6UeHRiVQiuVug2QCd8JwR0rmeb9wuxhyGp0d7KYKKh4=; b=t3qMCSJEKjw1ipaEwIZw3D6Mhi7Bn61S/WbnDd9pRUhyE1m62ZP4kFV4oY9e1fOrqS SSOf0r1/KNy7R1u+yS0PuntAVzl9iD4iEmxI9uIBq/vjX8nkjrN0tNgDTf4IQIM5dcU5 InJISpVbYoOt/vckS0bnBDwvzBkaRur1yw0iAwmShVRtg16NF6MgHp8TKVMleIUH0BDF Y7fQfJt4exeExS1rAXsllEkG5Kfbh9PCsTfIZLEnmoqlMdcsXdZvbMwwrOdgqjY7ytuO o2qLvwWQkW5dRW8Kl2eIj7Vi2ZJlzDb1BsCyTq34mVqtuV/xeCSI/cYQaoAZPd+5n0EV y/iA== X-Gm-Message-State: AAQBX9dgduyvGOYqwBQr3+FWWwmY7GO2GJq8cJz3FIs3CaiXOTBDcLWh 6v/LQmb+VP366Ok3l2we12A= X-Google-Smtp-Source: AKy350YP5txTp/G8xZ+MFDk18m1wHMa+Df7WAXsXso5vRDs9x81U4Co1LP3OjCu2cM16QX1GGn/bbw== X-Received: by 2002:aa7:978a:0:b0:627:f9ac:8a31 with SMTP id o10-20020aa7978a000000b00627f9ac8a31mr987238pfp.2.1680583837343; Mon, 03 Apr 2023 21:50:37 -0700 (PDT) Received: from dhcp-172-26-102-232.DHCP.thefacebook.com ([2620:10d:c090:400::5:3c8]) by smtp.gmail.com with ESMTPSA id c7-20020aa78e07000000b005abc30d9445sm7749554pfr.180.2023.04.03.21.50.35 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 03 Apr 2023 21:50:36 -0700 (PDT) From: Alexei Starovoitov To: davem@davemloft.net Cc: daniel@iogearbox.net, andrii@kernel.org, martin.lau@kernel.org, void@manifault.com, davemarchevsky@meta.com, tj@kernel.org, memxor@gmail.com, netdev@vger.kernel.org, bpf@vger.kernel.org, kernel-team@fb.com Subject: [PATCH bpf-next 1/8] bpf: Invoke btf_struct_access() callback only for writes. Date: Mon, 3 Apr 2023 21:50:22 -0700 Message-Id: <20230404045029.82870-2-alexei.starovoitov@gmail.com> X-Mailer: git-send-email 2.37.1 (Apple Git-137.1) In-Reply-To: <20230404045029.82870-1-alexei.starovoitov@gmail.com> References: <20230404045029.82870-1-alexei.starovoitov@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net From: Alexei Starovoitov Remove duplicated if (atype == BPF_READ) btf_struct_access() from btf_struct_access() callback and invoke it only for writes. Signed-off-by: Alexei Starovoitov --- kernel/bpf/verifier.c | 2 +- net/bpf/bpf_dummy_struct_ops.c | 2 +- net/core/filter.c | 6 ------ net/ipv4/bpf_tcp_ca.c | 3 --- 4 files changed, 2 insertions(+), 11 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index eaf9c5291cf0..83984568ccb4 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -5504,7 +5504,7 @@ static int check_ptr_to_btf_access(struct bpf_verifier_env *env, return -EACCES; } - if (env->ops->btf_struct_access && !type_is_alloc(reg->type)) { + if (env->ops->btf_struct_access && !type_is_alloc(reg->type) && atype == BPF_WRITE) { if (!btf_is_kernel(reg->btf)) { verbose(env, "verifier internal error: reg->btf must be kernel btf\n"); return -EFAULT; diff --git a/net/bpf/bpf_dummy_struct_ops.c b/net/bpf/bpf_dummy_struct_ops.c index ff4f89a2b02a..9535c8506cda 100644 --- a/net/bpf/bpf_dummy_struct_ops.c +++ b/net/bpf/bpf_dummy_struct_ops.c @@ -198,7 +198,7 @@ static int bpf_dummy_ops_btf_struct_access(struct bpf_verifier_log *log, if (err < 0) return err; - return atype == BPF_READ ? err : NOT_INIT; + return NOT_INIT; } static const struct bpf_verifier_ops bpf_dummy_verifier_ops = { diff --git a/net/core/filter.c b/net/core/filter.c index 3370efad1dda..8b9f409a2ec3 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -8753,9 +8753,6 @@ static int tc_cls_act_btf_struct_access(struct bpf_verifier_log *log, { int ret = -EACCES; - if (atype == BPF_READ) - return btf_struct_access(log, reg, off, size, atype, next_btf_id, flag); - mutex_lock(&nf_conn_btf_access_lock); if (nfct_btf_struct_access) ret = nfct_btf_struct_access(log, reg, off, size, atype, next_btf_id, flag); @@ -8830,9 +8827,6 @@ static int xdp_btf_struct_access(struct bpf_verifier_log *log, { int ret = -EACCES; - if (atype == BPF_READ) - return btf_struct_access(log, reg, off, size, atype, next_btf_id, flag); - mutex_lock(&nf_conn_btf_access_lock); if (nfct_btf_struct_access) ret = nfct_btf_struct_access(log, reg, off, size, atype, next_btf_id, flag); diff --git a/net/ipv4/bpf_tcp_ca.c b/net/ipv4/bpf_tcp_ca.c index ea21c96c03aa..d6465876bbf6 100644 --- a/net/ipv4/bpf_tcp_ca.c +++ b/net/ipv4/bpf_tcp_ca.c @@ -78,9 +78,6 @@ static int bpf_tcp_ca_btf_struct_access(struct bpf_verifier_log *log, const struct btf_type *t; size_t end; - if (atype == BPF_READ) - return btf_struct_access(log, reg, off, size, atype, next_btf_id, flag); - t = btf_type_by_id(reg->btf, reg->btf_id); if (t != tcp_sock_type) { bpf_log(log, "only read is supported\n"); From patchwork Tue Apr 4 04:50:23 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexei Starovoitov X-Patchwork-Id: 13199128 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 10AB8C6FD1D for ; Tue, 4 Apr 2023 04:50:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233121AbjDDEup (ORCPT ); Tue, 4 Apr 2023 00:50:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40124 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232736AbjDDEun (ORCPT ); Tue, 4 Apr 2023 00:50:43 -0400 Received: from mail-pl1-x62a.google.com (mail-pl1-x62a.google.com [IPv6:2607:f8b0:4864:20::62a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0D5D219B6; Mon, 3 Apr 2023 21:50:42 -0700 (PDT) Received: by mail-pl1-x62a.google.com with SMTP id n14so14321595plc.8; Mon, 03 Apr 2023 21:50:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680583841; x=1683175841; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=XRV8NBbXdQHSBPKySVW/N3uls5gmhkscUAC+YSKpnxc=; b=CEtZ5kx0ey+K84A5EPxxTiDF3C8LXM+Nqaae32P42l/EVhmz9OzFlkAuJXGNxM5els EOBCq4FqvuGUU3OFgM34q7hQeDRD4VpY2jsW6zi3TBe0EShxqMLigicNwCMO2jb2t6R+ aOsW6WoX9iJu1SUEIgL/sA6/ihvnnNjba+tFA7Bul2bxcWVcQOOm8lOPd4D3sr88cx41 T/DPLXv+HgPFj7dL2VLyi/ywVY9OmGfGBU7Bx+luX/pKh1UY784aoAbE5OsGV/Xb5PmH MUcNZN33pXD1uGlxJkJuMUVokRBU9r07RVtffntIGCkeg6wgGjfZsRpMzfb89MauA0r0 AwvA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680583841; x=1683175841; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=XRV8NBbXdQHSBPKySVW/N3uls5gmhkscUAC+YSKpnxc=; b=fxGMg5ADCOiU2Ib9s5h7xX+0OkHNNXQd3ZbwGZMRfbtqmyRAmvRDWNhQ46DD1StMzq xSkuyTR6L44d80VwfZIzfXCtdvO9QJ4dffSZATVwmwXUaJ9lyScGakDNdx0Qp9tCCwgu EOf8pQA5mmC4M/4Yw2xaIYN6Nevy1Pbb1f8WPffgvMuAmAeqcaP0BM4AnwibqCRJPRHZ dj6wvEDC/OiflQiPsgcIpMsUEj6rqqQUZGB3kvz6V2Evw7Sn/G5eZGmiMAeyoaUeJmbw lHzF67lOVeoIWfHMVbHNDZPExRj1rfonWn7JG3qXQhRQ45fmr4D/MMf5CQlgFJz5Ya6j Xing== X-Gm-Message-State: AAQBX9c/NNY7FAhXuxSPXOn+Q/kEes1CroyXl5otQHS+vdZwbT6m2Pni tTnQKiKXy45zh2rOVm4JXODACVzHWCk= X-Google-Smtp-Source: AKy350ZHeaL1bAGu0v2d8QAr0GViXxV6tRTHth6Lwr/pkWAe3BUc9e0tvqOCGIIipSQIZHcw9er0TA== X-Received: by 2002:a17:90b:1d8e:b0:23f:29a:5554 with SMTP id pf14-20020a17090b1d8e00b0023f029a5554mr1159426pjb.48.1680583841398; Mon, 03 Apr 2023 21:50:41 -0700 (PDT) Received: from dhcp-172-26-102-232.DHCP.thefacebook.com ([2620:10d:c090:400::5:3c8]) by smtp.gmail.com with ESMTPSA id q3-20020a17090a938300b0023b15e61f07sm7085896pjo.12.2023.04.03.21.50.39 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 03 Apr 2023 21:50:41 -0700 (PDT) From: Alexei Starovoitov To: davem@davemloft.net Cc: daniel@iogearbox.net, andrii@kernel.org, martin.lau@kernel.org, void@manifault.com, davemarchevsky@meta.com, tj@kernel.org, memxor@gmail.com, netdev@vger.kernel.org, bpf@vger.kernel.org, kernel-team@fb.com Subject: [PATCH bpf-next 2/8] bpf: Remove unused arguments from btf_struct_access(). Date: Mon, 3 Apr 2023 21:50:23 -0700 Message-Id: <20230404045029.82870-3-alexei.starovoitov@gmail.com> X-Mailer: git-send-email 2.37.1 (Apple Git-137.1) In-Reply-To: <20230404045029.82870-1-alexei.starovoitov@gmail.com> References: <20230404045029.82870-1-alexei.starovoitov@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net From: Alexei Starovoitov Remove unused arguments from btf_struct_access() callback. Signed-off-by: Alexei Starovoitov --- include/linux/bpf.h | 3 +-- include/linux/filter.h | 3 +-- kernel/bpf/verifier.c | 4 ++-- net/bpf/bpf_dummy_struct_ops.c | 12 +++++------- net/core/filter.c | 13 +++++-------- net/ipv4/bpf_tcp_ca.c | 3 +-- net/netfilter/nf_conntrack_bpf.c | 3 +-- 7 files changed, 16 insertions(+), 25 deletions(-) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 2d8f3f639e68..4f689dda748f 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -893,8 +893,7 @@ struct bpf_verifier_ops { struct bpf_prog *prog, u32 *target_size); int (*btf_struct_access)(struct bpf_verifier_log *log, const struct bpf_reg_state *reg, - int off, int size, enum bpf_access_type atype, - u32 *next_btf_id, enum bpf_type_flag *flag); + int off, int size); }; struct bpf_prog_offload_ops { diff --git a/include/linux/filter.h b/include/linux/filter.h index 23c08c31bea9..5364b0c52c1d 100644 --- a/include/linux/filter.h +++ b/include/linux/filter.h @@ -571,8 +571,7 @@ DECLARE_STATIC_KEY_FALSE(bpf_stats_enabled_key); extern struct mutex nf_conn_btf_access_lock; extern int (*nfct_btf_struct_access)(struct bpf_verifier_log *log, const struct bpf_reg_state *reg, - int off, int size, enum bpf_access_type atype, - u32 *next_btf_id, enum bpf_type_flag *flag); + int off, int size); typedef unsigned int (*bpf_dispatcher_fn)(const void *ctx, const struct bpf_insn *insnsi, diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 83984568ccb4..5ca520e5eddf 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -5459,7 +5459,7 @@ static int check_ptr_to_btf_access(struct bpf_verifier_env *env, const struct btf_type *t = btf_type_by_id(reg->btf, reg->btf_id); const char *tname = btf_name_by_offset(reg->btf, t->name_off); enum bpf_type_flag flag = 0; - u32 btf_id; + u32 btf_id = 0; int ret; if (!env->allow_ptr_leaks) { @@ -5509,7 +5509,7 @@ static int check_ptr_to_btf_access(struct bpf_verifier_env *env, verbose(env, "verifier internal error: reg->btf must be kernel btf\n"); return -EFAULT; } - ret = env->ops->btf_struct_access(&env->log, reg, off, size, atype, &btf_id, &flag); + ret = env->ops->btf_struct_access(&env->log, reg, off, size); } else { /* Writes are permitted with default btf_struct_access for * program allocated objects (which always have ref_obj_id > 0), diff --git a/net/bpf/bpf_dummy_struct_ops.c b/net/bpf/bpf_dummy_struct_ops.c index 9535c8506cda..5918d1b32e19 100644 --- a/net/bpf/bpf_dummy_struct_ops.c +++ b/net/bpf/bpf_dummy_struct_ops.c @@ -173,14 +173,11 @@ static int bpf_dummy_ops_check_member(const struct btf_type *t, static int bpf_dummy_ops_btf_struct_access(struct bpf_verifier_log *log, const struct bpf_reg_state *reg, - int off, int size, enum bpf_access_type atype, - u32 *next_btf_id, - enum bpf_type_flag *flag) + int off, int size) { const struct btf_type *state; const struct btf_type *t; s32 type_id; - int err; type_id = btf_find_by_name_kind(reg->btf, "bpf_dummy_ops_state", BTF_KIND_STRUCT); @@ -194,9 +191,10 @@ static int bpf_dummy_ops_btf_struct_access(struct bpf_verifier_log *log, return -EACCES; } - err = btf_struct_access(log, reg, off, size, atype, next_btf_id, flag); - if (err < 0) - return err; + if (off + size > sizeof(struct bpf_dummy_ops_state)) { + bpf_log(log, "write access at off %d with size %d\n", off, size); + return -EACCES; + } return NOT_INIT; } diff --git a/net/core/filter.c b/net/core/filter.c index 8b9f409a2ec3..1f2abf0f60e6 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -8742,20 +8742,18 @@ EXPORT_SYMBOL_GPL(nf_conn_btf_access_lock); int (*nfct_btf_struct_access)(struct bpf_verifier_log *log, const struct bpf_reg_state *reg, - int off, int size, enum bpf_access_type atype, - u32 *next_btf_id, enum bpf_type_flag *flag); + int off, int size); EXPORT_SYMBOL_GPL(nfct_btf_struct_access); static int tc_cls_act_btf_struct_access(struct bpf_verifier_log *log, const struct bpf_reg_state *reg, - int off, int size, enum bpf_access_type atype, - u32 *next_btf_id, enum bpf_type_flag *flag) + int off, int size) { int ret = -EACCES; mutex_lock(&nf_conn_btf_access_lock); if (nfct_btf_struct_access) - ret = nfct_btf_struct_access(log, reg, off, size, atype, next_btf_id, flag); + ret = nfct_btf_struct_access(log, reg, off, size); mutex_unlock(&nf_conn_btf_access_lock); return ret; @@ -8822,14 +8820,13 @@ EXPORT_SYMBOL_GPL(bpf_warn_invalid_xdp_action); static int xdp_btf_struct_access(struct bpf_verifier_log *log, const struct bpf_reg_state *reg, - int off, int size, enum bpf_access_type atype, - u32 *next_btf_id, enum bpf_type_flag *flag) + int off, int size) { int ret = -EACCES; mutex_lock(&nf_conn_btf_access_lock); if (nfct_btf_struct_access) - ret = nfct_btf_struct_access(log, reg, off, size, atype, next_btf_id, flag); + ret = nfct_btf_struct_access(log, reg, off, size); mutex_unlock(&nf_conn_btf_access_lock); return ret; diff --git a/net/ipv4/bpf_tcp_ca.c b/net/ipv4/bpf_tcp_ca.c index d6465876bbf6..4406d796cc2f 100644 --- a/net/ipv4/bpf_tcp_ca.c +++ b/net/ipv4/bpf_tcp_ca.c @@ -72,8 +72,7 @@ static bool bpf_tcp_ca_is_valid_access(int off, int size, static int bpf_tcp_ca_btf_struct_access(struct bpf_verifier_log *log, const struct bpf_reg_state *reg, - int off, int size, enum bpf_access_type atype, - u32 *next_btf_id, enum bpf_type_flag *flag) + int off, int size) { const struct btf_type *t; size_t end; diff --git a/net/netfilter/nf_conntrack_bpf.c b/net/netfilter/nf_conntrack_bpf.c index 002e9d24a1e9..3f821b7ba646 100644 --- a/net/netfilter/nf_conntrack_bpf.c +++ b/net/netfilter/nf_conntrack_bpf.c @@ -192,8 +192,7 @@ BTF_ID(struct, nf_conn___init) /* Check writes into `struct nf_conn` */ static int _nf_conntrack_btf_struct_access(struct bpf_verifier_log *log, const struct bpf_reg_state *reg, - int off, int size, enum bpf_access_type atype, - u32 *next_btf_id, enum bpf_type_flag *flag) + int off, int size) { const struct btf_type *ncit, *nct, *t; size_t end; From patchwork Tue Apr 4 04:50:24 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexei Starovoitov X-Patchwork-Id: 13199129 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id AC237C7618D for ; Tue, 4 Apr 2023 04:50:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231750AbjDDEux (ORCPT ); Tue, 4 Apr 2023 00:50:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40120 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232888AbjDDEus (ORCPT ); Tue, 4 Apr 2023 00:50:48 -0400 Received: from mail-pl1-x62b.google.com (mail-pl1-x62b.google.com [IPv6:2607:f8b0:4864:20::62b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 286E9199C; Mon, 3 Apr 2023 21:50:46 -0700 (PDT) Received: by mail-pl1-x62b.google.com with SMTP id u10so30175816plz.7; Mon, 03 Apr 2023 21:50:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680583845; x=1683175845; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=yiJcdfDoc3/0e6NQqry8oM48cRo4ZhqE+pBAZOE85NE=; b=EnNRTiX+EpEWm41uLXAMo+kYPeAk9FBGJ9C0Pch9fGfo047VguH2xhxNon8mEYoOV2 b+g0H6hUj4m1/Ccez6Kw35dIVDurqIx5V6B+k5fK+uH8gkUCveF5Bqz025M03ql0R0vY ABhaqNCaYvRNc+sa1W/TK5ReWlFYamz5ozqcDQlWIBVvzLf40OT39o0b5KLDdP8S3/3q 4iqnC7BlJms0oYn5Na2gcR84s5ADCPYGpTjTWxyDJqvxTcqtGXCQ5Y9zpIe8IQKIrKKb vNceiBH1KXTn74bzcaWo8HuTaUtkDcwVkU97TtEfTbpyHZ8GQwOVvTiP9OX0lL0gR0ht zuNA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680583845; x=1683175845; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=yiJcdfDoc3/0e6NQqry8oM48cRo4ZhqE+pBAZOE85NE=; b=MX+AO6nQWZQVXPyfKCBMOTED9poWPttQmUcD6gMzZYQ1jKGT+xGqrLn9hB8mIFuBR5 TSugccUu3m3+faMjLI1mGAgvpU4hPpTLx1rlBxVdLUi3tOP63eQsNY4PllEZ0Zav2ZKM Ps409zCupoUX93iX2QvB1RFTTVAV0ATO8MmfJtkTEKPTuiVk/+4qojWimxKPVJ3rqEWW bfy8TdOTPR4MloUMAYa5lwORCjLmM1eBBKp1KT9mldVVKgeMQ3uDVCIFlt/hPUpqrU5J 4MAJVaRnJNISnVZWQpxrmgCCxhalpXjWv0uNxIE2oFYpiQ3NuXGGoylj7mQVgqgjWnl1 uwHw== X-Gm-Message-State: AAQBX9eUrhGh3midMUx1E8+02hJZTL1KLkXkOxKVaDWSAK7e9HnCGJEz FNjdYBHJSmqRBXDjW4AZxlI= X-Google-Smtp-Source: AKy350Y1kR3ncMinPJvmwLwawEcOTBcY6f14bEp1+HBc1FchVB+n0oAwRiL46+D1+LjVuyRnc4eFCA== X-Received: by 2002:a17:902:d2ca:b0:1a1:be45:9857 with SMTP id n10-20020a170902d2ca00b001a1be459857mr1462162plc.1.1680583845482; Mon, 03 Apr 2023 21:50:45 -0700 (PDT) Received: from dhcp-172-26-102-232.DHCP.thefacebook.com ([2620:10d:c090:400::5:3c8]) by smtp.gmail.com with ESMTPSA id f19-20020a170902e99300b0019acd3151d0sm7416637plb.114.2023.04.03.21.50.43 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 03 Apr 2023 21:50:45 -0700 (PDT) From: Alexei Starovoitov To: davem@davemloft.net Cc: daniel@iogearbox.net, andrii@kernel.org, martin.lau@kernel.org, void@manifault.com, davemarchevsky@meta.com, tj@kernel.org, memxor@gmail.com, netdev@vger.kernel.org, bpf@vger.kernel.org, kernel-team@fb.com Subject: [PATCH bpf-next 3/8] bpf: Refactor btf_nested_type_is_trusted(). Date: Mon, 3 Apr 2023 21:50:24 -0700 Message-Id: <20230404045029.82870-4-alexei.starovoitov@gmail.com> X-Mailer: git-send-email 2.37.1 (Apple Git-137.1) In-Reply-To: <20230404045029.82870-1-alexei.starovoitov@gmail.com> References: <20230404045029.82870-1-alexei.starovoitov@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net From: Alexei Starovoitov btf_nested_type_is_trusted() tries to find a struct member at corresponding offset. It works for flat structures and falls apart in more complex structs with nested structs. The offset->member search is already performed by btf_struct_walk() including nested structs. Reuse this work and pass {field name, field btf id} into btf_nested_type_is_trusted() instead of offset to make BTF_TYPE_SAFE*() logic more robust. Signed-off-by: Alexei Starovoitov --- include/linux/bpf.h | 7 ++++--- kernel/bpf/btf.c | 44 +++++++++++++++++-------------------------- kernel/bpf/verifier.c | 23 +++++++++++----------- 3 files changed, 33 insertions(+), 41 deletions(-) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 4f689dda748f..002a811b6b90 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -2263,7 +2263,7 @@ static inline bool bpf_tracing_btf_ctx_access(int off, int size, int btf_struct_access(struct bpf_verifier_log *log, const struct bpf_reg_state *reg, int off, int size, enum bpf_access_type atype, - u32 *next_btf_id, enum bpf_type_flag *flag); + u32 *next_btf_id, enum bpf_type_flag *flag, const char **field_name); bool btf_struct_ids_match(struct bpf_verifier_log *log, const struct btf *btf, u32 id, int off, const struct btf *need_btf, u32 need_type_id, @@ -2302,7 +2302,7 @@ struct bpf_core_ctx { bool btf_nested_type_is_trusted(struct bpf_verifier_log *log, const struct bpf_reg_state *reg, - int off, const char *suffix); + const char *field_name, u32 btf_id, const char *suffix); bool btf_type_ids_nocast_alias(struct bpf_verifier_log *log, const struct btf *reg_btf, u32 reg_id, @@ -2517,7 +2517,8 @@ static inline struct bpf_prog *bpf_prog_by_id(u32 id) static inline int btf_struct_access(struct bpf_verifier_log *log, const struct bpf_reg_state *reg, int off, int size, enum bpf_access_type atype, - u32 *next_btf_id, enum bpf_type_flag *flag) + u32 *next_btf_id, enum bpf_type_flag *flag, + const char **field_name) { return -EACCES; } diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c index b7e5a5510b91..593c45a294d0 100644 --- a/kernel/bpf/btf.c +++ b/kernel/bpf/btf.c @@ -6166,7 +6166,8 @@ enum bpf_struct_walk_result { static int btf_struct_walk(struct bpf_verifier_log *log, const struct btf *btf, const struct btf_type *t, int off, int size, - u32 *next_btf_id, enum bpf_type_flag *flag) + u32 *next_btf_id, enum bpf_type_flag *flag, + const char **field_name) { u32 i, moff, mtrue_end, msize = 0, total_nelems = 0; const struct btf_type *mtype, *elem_type = NULL; @@ -6395,6 +6396,8 @@ static int btf_struct_walk(struct bpf_verifier_log *log, const struct btf *btf, if (btf_type_is_struct(stype)) { *next_btf_id = id; *flag |= tmp_flag; + if (field_name) + *field_name = mname; return WALK_PTR; } } @@ -6421,7 +6424,8 @@ static int btf_struct_walk(struct bpf_verifier_log *log, const struct btf *btf, int btf_struct_access(struct bpf_verifier_log *log, const struct bpf_reg_state *reg, int off, int size, enum bpf_access_type atype __maybe_unused, - u32 *next_btf_id, enum bpf_type_flag *flag) + u32 *next_btf_id, enum bpf_type_flag *flag, + const char **field_name) { const struct btf *btf = reg->btf; enum bpf_type_flag tmp_flag = 0; @@ -6453,7 +6457,7 @@ int btf_struct_access(struct bpf_verifier_log *log, t = btf_type_by_id(btf, id); do { - err = btf_struct_walk(log, btf, t, off, size, &id, &tmp_flag); + err = btf_struct_walk(log, btf, t, off, size, &id, &tmp_flag, field_name); switch (err) { case WALK_PTR: @@ -6528,7 +6532,7 @@ bool btf_struct_ids_match(struct bpf_verifier_log *log, type = btf_type_by_id(btf, id); if (!type) return false; - err = btf_struct_walk(log, btf, type, off, 1, &id, &flag); + err = btf_struct_walk(log, btf, type, off, 1, &id, &flag, NULL); if (err != WALK_STRUCT) return false; @@ -8488,16 +8492,15 @@ int bpf_core_apply(struct bpf_core_ctx *ctx, const struct bpf_core_relo *relo, bool btf_nested_type_is_trusted(struct bpf_verifier_log *log, const struct bpf_reg_state *reg, - int off, const char *suffix) + const char *field_name, u32 btf_id, const char *suffix) { struct btf *btf = reg->btf; const struct btf_type *walk_type, *safe_type; const char *tname; char safe_tname[64]; long ret, safe_id; - const struct btf_member *member, *m_walk = NULL; + const struct btf_member *member; u32 i; - const char *walk_name; walk_type = btf_type_by_id(btf, reg->btf_id); if (!walk_type) @@ -8517,30 +8520,17 @@ bool btf_nested_type_is_trusted(struct bpf_verifier_log *log, if (!safe_type) return false; - for_each_member(i, walk_type, member) { - u32 moff; - - /* We're looking for the PTR_TO_BTF_ID member in the struct - * type we're walking which matches the specified offset. - * Below, we'll iterate over the fields in the safe variant of - * the struct and see if any of them has a matching type / - * name. - */ - moff = __btf_member_bit_offset(walk_type, member) / 8; - if (off == moff) { - m_walk = member; - break; - } - } - if (m_walk == NULL) - return false; - - walk_name = __btf_name_by_offset(btf, m_walk->name_off); for_each_member(i, safe_type, member) { const char *m_name = __btf_name_by_offset(btf, member->name_off); + const struct btf_type *mtype = btf_type_by_id(btf, member->type); + u32 id; + + if (!btf_type_is_ptr(mtype)) + continue; + btf_type_skip_modifiers(btf, mtype->type, &id); /* If we match on both type and name, the field is considered trusted. */ - if (m_walk->type == member->type && !strcmp(walk_name, m_name)) + if (btf_id == id && !strcmp(field_name, m_name)) return true; } diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 5ca520e5eddf..2cd2e0b725cd 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -5400,12 +5400,12 @@ BTF_TYPE_SAFE_RCU(struct css_set) { /* full trusted: these fields are trusted even outside of RCU CS and never NULL */ BTF_TYPE_SAFE_TRUSTED(struct bpf_iter_meta) { - __bpf_md_ptr(struct seq_file *, seq); + struct seq_file *seq; }; BTF_TYPE_SAFE_TRUSTED(struct bpf_iter__task) { - __bpf_md_ptr(struct bpf_iter_meta *, meta); - __bpf_md_ptr(struct task_struct *, task); + struct bpf_iter_meta *meta; + struct task_struct *task; }; BTF_TYPE_SAFE_TRUSTED(struct linux_binprm) { @@ -5427,17 +5427,17 @@ BTF_TYPE_SAFE_TRUSTED(struct socket) { static bool type_is_rcu(struct bpf_verifier_env *env, struct bpf_reg_state *reg, - int off) + const char *field_name, u32 btf_id) { BTF_TYPE_EMIT(BTF_TYPE_SAFE_RCU(struct task_struct)); BTF_TYPE_EMIT(BTF_TYPE_SAFE_RCU(struct css_set)); - return btf_nested_type_is_trusted(&env->log, reg, off, "__safe_rcu"); + return btf_nested_type_is_trusted(&env->log, reg, field_name, btf_id, "__safe_rcu"); } static bool type_is_trusted(struct bpf_verifier_env *env, struct bpf_reg_state *reg, - int off) + const char *field_name, u32 btf_id) { BTF_TYPE_EMIT(BTF_TYPE_SAFE_TRUSTED(struct bpf_iter_meta)); BTF_TYPE_EMIT(BTF_TYPE_SAFE_TRUSTED(struct bpf_iter__task)); @@ -5446,7 +5446,7 @@ static bool type_is_trusted(struct bpf_verifier_env *env, BTF_TYPE_EMIT(BTF_TYPE_SAFE_TRUSTED(struct dentry)); BTF_TYPE_EMIT(BTF_TYPE_SAFE_TRUSTED(struct socket)); - return btf_nested_type_is_trusted(&env->log, reg, off, "__safe_trusted"); + return btf_nested_type_is_trusted(&env->log, reg, field_name, btf_id, "__safe_trusted"); } static int check_ptr_to_btf_access(struct bpf_verifier_env *env, @@ -5458,6 +5458,7 @@ static int check_ptr_to_btf_access(struct bpf_verifier_env *env, struct bpf_reg_state *reg = regs + regno; const struct btf_type *t = btf_type_by_id(reg->btf, reg->btf_id); const char *tname = btf_name_by_offset(reg->btf, t->name_off); + const char *field_name = NULL; enum bpf_type_flag flag = 0; u32 btf_id = 0; int ret; @@ -5526,7 +5527,7 @@ static int check_ptr_to_btf_access(struct bpf_verifier_env *env, return -EFAULT; } - ret = btf_struct_access(&env->log, reg, off, size, atype, &btf_id, &flag); + ret = btf_struct_access(&env->log, reg, off, size, atype, &btf_id, &flag, &field_name); } if (ret < 0) @@ -5554,10 +5555,10 @@ static int check_ptr_to_btf_access(struct bpf_verifier_env *env, * A regular RCU-protected pointer with __rcu tag can also be deemed * trusted if we are in an RCU CS. Such pointer can be NULL. */ - if (type_is_trusted(env, reg, off)) { + if (type_is_trusted(env, reg, field_name, btf_id)) { flag |= PTR_TRUSTED; } else if (in_rcu_cs(env) && !type_may_be_null(reg->type)) { - if (type_is_rcu(env, reg, off)) { + if (type_is_rcu(env, reg, field_name, btf_id)) { /* ignore __rcu tag and mark it MEM_RCU */ flag |= MEM_RCU; } else if (flag & MEM_RCU) { @@ -5640,7 +5641,7 @@ static int check_ptr_to_map_access(struct bpf_verifier_env *env, /* Simulate access to a PTR_TO_BTF_ID */ memset(&map_reg, 0, sizeof(map_reg)); mark_btf_ld_reg(env, &map_reg, 0, PTR_TO_BTF_ID, btf_vmlinux, *map->ops->map_btf_id, 0); - ret = btf_struct_access(&env->log, &map_reg, off, size, atype, &btf_id, &flag); + ret = btf_struct_access(&env->log, &map_reg, off, size, atype, &btf_id, &flag, NULL); if (ret < 0) return ret; From patchwork Tue Apr 4 04:50:25 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexei Starovoitov X-Patchwork-Id: 13199130 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 55CF8C761A6 for ; Tue, 4 Apr 2023 04:51:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233143AbjDDEvA (ORCPT ); Tue, 4 Apr 2023 00:51:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40120 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233150AbjDDEux (ORCPT ); Tue, 4 Apr 2023 00:50:53 -0400 Received: from mail-pj1-x1031.google.com (mail-pj1-x1031.google.com [IPv6:2607:f8b0:4864:20::1031]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4D49E2110; Mon, 3 Apr 2023 21:50:50 -0700 (PDT) Received: by mail-pj1-x1031.google.com with SMTP id f6-20020a17090ac28600b0023b9bf9eb63so32748185pjt.5; Mon, 03 Apr 2023 21:50:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680583850; x=1683175850; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=BGlR3BgQY7WI43Q4Q1n5v+gOkH/+j7VZUA+m+7jK1f8=; b=Heg8+BF/m/R9UnwyTMaSDVJtMfDV5t+cwFmyHuMNWtyjwbVZkma6AxHjZ7s4XXDXw3 O+Br/wBixIQafmcm5M/3FKPPcPTanxKZaw7a6WC2UzfaOPn4sg54/9qfwMTIpRClNhfA 5x29qwaT7woNmLFehU9qeBb46nWNN8APcAjs9rfxXQYpP1dKYlw3MJlBWRLO+smHcW1G Q3uuaPmdGYyhcUM3J4P+IUqDcFLOr6xCuDaXSNmL7U9+oq8FtfwloLyRLe0IaW9AgYcf uB+W19Hweh/DhKn2oT4oXZPdaEMjFxYqKqywKvRcgjQmMDRo7hmN88y33QAveySbyKV7 oeew== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680583850; x=1683175850; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=BGlR3BgQY7WI43Q4Q1n5v+gOkH/+j7VZUA+m+7jK1f8=; b=jMF9A9zXKfypt9Y0divAblCvSm9PyM8td84wJsi+VyPPILVSFdfGV8qBEnXg/D0pUq qhHaJQXLnvuiemDL9FJes6YJjh4KQrTU7gIZhJ2IgW+L3yJILLflVF8vj2WGGfR406n9 6wiBs7w1J1+ywhd1ZXRFesnTjNwhLbIbilI02NPTsYJzmRynT6KdIIae5G/9E9EricqK EfuV6Jj8RoqIrTcYuPIsid/qFTy9n/KUucAYZekKDkwea4krCmV69oJgQ+dq5dA8y4CP KIX4rgr//Cn5WheFUQA2b2d7NZvKjWXx0P7OxabhM+9fztUjc/2AK9OI/Bohcf/Eeqax 46Ew== X-Gm-Message-State: AAQBX9cOSzC2m5MHfeEF39yaDyeZ8KQBbFURXaZu7MJMznij7Dp5HkS3 pU1asvLH66s116g6DEhn/w4= X-Google-Smtp-Source: AKy350ZtZT0/tzFlkaRPB9xEExHjg+8DhH+pFNY9Ko3a7ttKFADQR2j7FFsCtbSBmevgKhRrcBoSzQ== X-Received: by 2002:a17:902:c98a:b0:1a1:b3c0:4228 with SMTP id g10-20020a170902c98a00b001a1b3c04228mr1204410plc.19.1680583849609; Mon, 03 Apr 2023 21:50:49 -0700 (PDT) Received: from dhcp-172-26-102-232.DHCP.thefacebook.com ([2620:10d:c090:400::5:3c8]) by smtp.gmail.com with ESMTPSA id e8-20020a170902b78800b001a20791250esm7415104pls.22.2023.04.03.21.50.47 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 03 Apr 2023 21:50:49 -0700 (PDT) From: Alexei Starovoitov To: davem@davemloft.net Cc: daniel@iogearbox.net, andrii@kernel.org, martin.lau@kernel.org, void@manifault.com, davemarchevsky@meta.com, tj@kernel.org, memxor@gmail.com, netdev@vger.kernel.org, bpf@vger.kernel.org, kernel-team@fb.com Subject: [PATCH bpf-next 4/8] bpf: Teach verifier that certain helpers accept NULL pointer. Date: Mon, 3 Apr 2023 21:50:25 -0700 Message-Id: <20230404045029.82870-5-alexei.starovoitov@gmail.com> X-Mailer: git-send-email 2.37.1 (Apple Git-137.1) In-Reply-To: <20230404045029.82870-1-alexei.starovoitov@gmail.com> References: <20230404045029.82870-1-alexei.starovoitov@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net From: Alexei Starovoitov bpf_[sk|inode|task|cgrp]_storage_[get|delete]() and bpf_get_socket_cookie() helpers perform run-time check that sk|inode|task|cgrp pointer != NULL. Teach verifier about this fact and allow bpf programs to pass PTR_TO_BTF_ID | PTR_MAYBE_NULL into such helpers. It will be used in the subsequent patch that will do bpf_sk_storage_get(.., skb->sk, ...); Even when 'skb' pointer is trusted the 'sk' pointer may be NULL. Signed-off-by: Alexei Starovoitov --- kernel/bpf/bpf_cgrp_storage.c | 4 ++-- kernel/bpf/bpf_inode_storage.c | 4 ++-- kernel/bpf/bpf_task_storage.c | 8 ++++---- net/core/bpf_sk_storage.c | 4 ++-- net/core/filter.c | 2 +- 5 files changed, 11 insertions(+), 11 deletions(-) diff --git a/kernel/bpf/bpf_cgrp_storage.c b/kernel/bpf/bpf_cgrp_storage.c index d17d5b694668..d44fe8dd9732 100644 --- a/kernel/bpf/bpf_cgrp_storage.c +++ b/kernel/bpf/bpf_cgrp_storage.c @@ -224,7 +224,7 @@ const struct bpf_func_proto bpf_cgrp_storage_get_proto = { .gpl_only = false, .ret_type = RET_PTR_TO_MAP_VALUE_OR_NULL, .arg1_type = ARG_CONST_MAP_PTR, - .arg2_type = ARG_PTR_TO_BTF_ID, + .arg2_type = ARG_PTR_TO_BTF_ID_OR_NULL, .arg2_btf_id = &bpf_cgroup_btf_id[0], .arg3_type = ARG_PTR_TO_MAP_VALUE_OR_NULL, .arg4_type = ARG_ANYTHING, @@ -235,6 +235,6 @@ const struct bpf_func_proto bpf_cgrp_storage_delete_proto = { .gpl_only = false, .ret_type = RET_INTEGER, .arg1_type = ARG_CONST_MAP_PTR, - .arg2_type = ARG_PTR_TO_BTF_ID, + .arg2_type = ARG_PTR_TO_BTF_ID_OR_NULL, .arg2_btf_id = &bpf_cgroup_btf_id[0], }; diff --git a/kernel/bpf/bpf_inode_storage.c b/kernel/bpf/bpf_inode_storage.c index e17ad581b9be..a4d93df78c75 100644 --- a/kernel/bpf/bpf_inode_storage.c +++ b/kernel/bpf/bpf_inode_storage.c @@ -229,7 +229,7 @@ const struct bpf_func_proto bpf_inode_storage_get_proto = { .gpl_only = false, .ret_type = RET_PTR_TO_MAP_VALUE_OR_NULL, .arg1_type = ARG_CONST_MAP_PTR, - .arg2_type = ARG_PTR_TO_BTF_ID, + .arg2_type = ARG_PTR_TO_BTF_ID_OR_NULL, .arg2_btf_id = &bpf_inode_storage_btf_ids[0], .arg3_type = ARG_PTR_TO_MAP_VALUE_OR_NULL, .arg4_type = ARG_ANYTHING, @@ -240,6 +240,6 @@ const struct bpf_func_proto bpf_inode_storage_delete_proto = { .gpl_only = false, .ret_type = RET_INTEGER, .arg1_type = ARG_CONST_MAP_PTR, - .arg2_type = ARG_PTR_TO_BTF_ID, + .arg2_type = ARG_PTR_TO_BTF_ID_OR_NULL, .arg2_btf_id = &bpf_inode_storage_btf_ids[0], }; diff --git a/kernel/bpf/bpf_task_storage.c b/kernel/bpf/bpf_task_storage.c index d1af0c8f9ce4..adf6dfe0ba68 100644 --- a/kernel/bpf/bpf_task_storage.c +++ b/kernel/bpf/bpf_task_storage.c @@ -338,7 +338,7 @@ const struct bpf_func_proto bpf_task_storage_get_recur_proto = { .gpl_only = false, .ret_type = RET_PTR_TO_MAP_VALUE_OR_NULL, .arg1_type = ARG_CONST_MAP_PTR, - .arg2_type = ARG_PTR_TO_BTF_ID, + .arg2_type = ARG_PTR_TO_BTF_ID_OR_NULL, .arg2_btf_id = &btf_tracing_ids[BTF_TRACING_TYPE_TASK], .arg3_type = ARG_PTR_TO_MAP_VALUE_OR_NULL, .arg4_type = ARG_ANYTHING, @@ -349,7 +349,7 @@ const struct bpf_func_proto bpf_task_storage_get_proto = { .gpl_only = false, .ret_type = RET_PTR_TO_MAP_VALUE_OR_NULL, .arg1_type = ARG_CONST_MAP_PTR, - .arg2_type = ARG_PTR_TO_BTF_ID, + .arg2_type = ARG_PTR_TO_BTF_ID_OR_NULL, .arg2_btf_id = &btf_tracing_ids[BTF_TRACING_TYPE_TASK], .arg3_type = ARG_PTR_TO_MAP_VALUE_OR_NULL, .arg4_type = ARG_ANYTHING, @@ -360,7 +360,7 @@ const struct bpf_func_proto bpf_task_storage_delete_recur_proto = { .gpl_only = false, .ret_type = RET_INTEGER, .arg1_type = ARG_CONST_MAP_PTR, - .arg2_type = ARG_PTR_TO_BTF_ID, + .arg2_type = ARG_PTR_TO_BTF_ID_OR_NULL, .arg2_btf_id = &btf_tracing_ids[BTF_TRACING_TYPE_TASK], }; @@ -369,6 +369,6 @@ const struct bpf_func_proto bpf_task_storage_delete_proto = { .gpl_only = false, .ret_type = RET_INTEGER, .arg1_type = ARG_CONST_MAP_PTR, - .arg2_type = ARG_PTR_TO_BTF_ID, + .arg2_type = ARG_PTR_TO_BTF_ID_OR_NULL, .arg2_btf_id = &btf_tracing_ids[BTF_TRACING_TYPE_TASK], }; diff --git a/net/core/bpf_sk_storage.c b/net/core/bpf_sk_storage.c index 085025c7130a..d4172534dfa8 100644 --- a/net/core/bpf_sk_storage.c +++ b/net/core/bpf_sk_storage.c @@ -412,7 +412,7 @@ const struct bpf_func_proto bpf_sk_storage_get_tracing_proto = { .gpl_only = false, .ret_type = RET_PTR_TO_MAP_VALUE_OR_NULL, .arg1_type = ARG_CONST_MAP_PTR, - .arg2_type = ARG_PTR_TO_BTF_ID, + .arg2_type = ARG_PTR_TO_BTF_ID_OR_NULL, .arg2_btf_id = &btf_sock_ids[BTF_SOCK_TYPE_SOCK_COMMON], .arg3_type = ARG_PTR_TO_MAP_VALUE_OR_NULL, .arg4_type = ARG_ANYTHING, @@ -424,7 +424,7 @@ const struct bpf_func_proto bpf_sk_storage_delete_tracing_proto = { .gpl_only = false, .ret_type = RET_INTEGER, .arg1_type = ARG_CONST_MAP_PTR, - .arg2_type = ARG_PTR_TO_BTF_ID, + .arg2_type = ARG_PTR_TO_BTF_ID_OR_NULL, .arg2_btf_id = &btf_sock_ids[BTF_SOCK_TYPE_SOCK_COMMON], .allowed = bpf_sk_storage_tracing_allowed, }; diff --git a/net/core/filter.c b/net/core/filter.c index 1f2abf0f60e6..727c5269867d 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -4998,7 +4998,7 @@ const struct bpf_func_proto bpf_get_socket_ptr_cookie_proto = { .func = bpf_get_socket_ptr_cookie, .gpl_only = false, .ret_type = RET_INTEGER, - .arg1_type = ARG_PTR_TO_BTF_ID_SOCK_COMMON, + .arg1_type = ARG_PTR_TO_BTF_ID_SOCK_COMMON | PTR_MAYBE_NULL, }; BPF_CALL_1(bpf_get_socket_cookie_sock_ops, struct bpf_sock_ops_kern *, ctx) From patchwork Tue Apr 4 04:50:26 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexei Starovoitov X-Patchwork-Id: 13199131 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1B66BC6FD1D for ; Tue, 4 Apr 2023 04:51:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233116AbjDDEvH (ORCPT ); Tue, 4 Apr 2023 00:51:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40244 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233184AbjDDEu6 (ORCPT ); Tue, 4 Apr 2023 00:50:58 -0400 Received: from mail-pj1-x102a.google.com (mail-pj1-x102a.google.com [IPv6:2607:f8b0:4864:20::102a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 946111FEE; Mon, 3 Apr 2023 21:50:54 -0700 (PDT) Received: by mail-pj1-x102a.google.com with SMTP id lr16-20020a17090b4b9000b0023f187954acso32752998pjb.2; Mon, 03 Apr 2023 21:50:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680583854; x=1683175854; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=M9EIIrkyDfeXGi2D7arXqdGRO5YUqjTAwchDB5thL54=; b=Q+SuKfHJD06lA1i2DyA6LOFYBH3LO9Ur4zxvd/KEeNvFozkM+ooH1liPmclIownv9L X4ty2EXczPKNPwKXqgGJmTMj4E7qsC15QG8Ph+mBWXHuT2DddOrVmElohSeTi9WYNjzL Ets3rOIjT0slvX+kmWVpcLmFSHuyHpsbyEBq25FQ/nZH7ydObgitX6j1VzRK3j5oSVlK Y/ksTKNtN8Pl6QgbAjvH4QznrqHJZUMb5RjYrOfthFGyy5WHGhqb8ZiMDZiJLH5TWPgQ ZQ/+DwGYjBaoyMMw9LAI/iP588+mHLsTZEeTsZrmq63MvKokACdR002mEQ4VAEqQhfAN Z4pw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680583854; x=1683175854; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=M9EIIrkyDfeXGi2D7arXqdGRO5YUqjTAwchDB5thL54=; b=vrhpsab3J65c+8Pwx2Qhl21u6a0xYarirPaWd3xJcnnEZ3AlaJHGCWc3pKQOw4jXkc zbULeNcI0VZvZ10B1Fa8kCbasROT/LaAhOHpgXwzz8p9nm/saAv2bLkFZvKmF9KChNV9 GlEdnb5R16cG+0By8pHZDJcwazGDbrB8K5XCSJXKOQwzmNyNvKs2zS/PmBKdbo3kKBUl YlkD7jMym5qBP0N4Anmrm0pzbIkx1KEDnZxeTDRsC8hCkLGEprgoBkzwFaFGhbnyR/a2 sPlWOcHLtp01KCoN0r57qKahhPaKZIJ7SC8dp6j4FMpFLSQZdn1FShL8GaP8h61uYfRD SnNw== X-Gm-Message-State: AAQBX9e6vz93htemq7/zjjqsxCMd3fAjKrYDIpquoGZJ3hRQIrEKJFcQ /BQiY7Jd03LJSbdT2mGPdqs= X-Google-Smtp-Source: AKy350YqcMfCuCiUSZQ9hn0YxhVy+vZGG+StVfntyIbpropFQXU366RiQTvNDlq2AzBjcmOOWLA1dA== X-Received: by 2002:a17:90b:38cd:b0:240:ce2f:5fc1 with SMTP id nn13-20020a17090b38cd00b00240ce2f5fc1mr1301909pjb.46.1680583853825; Mon, 03 Apr 2023 21:50:53 -0700 (PDT) Received: from dhcp-172-26-102-232.DHCP.thefacebook.com ([2620:10d:c090:400::5:3c8]) by smtp.gmail.com with ESMTPSA id u3-20020a17090abb0300b0023371cb020csm10493731pjr.34.2023.04.03.21.50.52 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 03 Apr 2023 21:50:53 -0700 (PDT) From: Alexei Starovoitov To: davem@davemloft.net Cc: daniel@iogearbox.net, andrii@kernel.org, martin.lau@kernel.org, void@manifault.com, davemarchevsky@meta.com, tj@kernel.org, memxor@gmail.com, netdev@vger.kernel.org, bpf@vger.kernel.org, kernel-team@fb.com Subject: [PATCH bpf-next 5/8] bpf: Refactor NULL-ness check in check_reg_type(). Date: Mon, 3 Apr 2023 21:50:26 -0700 Message-Id: <20230404045029.82870-6-alexei.starovoitov@gmail.com> X-Mailer: git-send-email 2.37.1 (Apple Git-137.1) In-Reply-To: <20230404045029.82870-1-alexei.starovoitov@gmail.com> References: <20230404045029.82870-1-alexei.starovoitov@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net From: Alexei Starovoitov check_reg_type() unconditionally disallows PTR_TO_BTF_ID | PTR_MAYBE_NULL. It's problematic for helpers that allow ARG_PTR_TO_BTF_ID_OR_NULL like bpf_sk_storage_get(). Allow passing PTR_TO_BTF_ID | PTR_MAYBE_NULL into such helpers. That technically includes bpf_kptr_xchg() helper, but in practice: bpf_kptr_xchg(..., bpf_cpumask_create()); is still disallowed because bpf_cpumask_create() returns ref counted pointer with ref_obj_id > 0. Signed-off-by: Alexei Starovoitov --- kernel/bpf/verifier.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 2cd2e0b725cd..4e7d671497f4 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -7168,6 +7168,8 @@ static int check_reg_type(struct bpf_verifier_env *env, u32 regno, case PTR_TO_BTF_ID: case PTR_TO_BTF_ID | PTR_TRUSTED: case PTR_TO_BTF_ID | MEM_RCU: + case PTR_TO_BTF_ID | PTR_MAYBE_NULL: + case PTR_TO_BTF_ID | PTR_MAYBE_NULL | MEM_RCU: { /* For bpf_sk_release, it needs to match against first member * 'struct sock_common', hence make an exception for it. This @@ -7176,6 +7178,12 @@ static int check_reg_type(struct bpf_verifier_env *env, u32 regno, bool strict_type_match = arg_type_is_release(arg_type) && meta->func_id != BPF_FUNC_sk_release; + if (type_may_be_null(reg->type) && + (!type_may_be_null(arg_type) || arg_type_is_release(arg_type))) { + verbose(env, "Possibly NULL pointer passed to helper arg%d\n", regno); + return -EACCES; + } + if (!arg_btf_id) { if (!compatible->btf_id) { verbose(env, "verifier internal error: missing arg compatible BTF ID\n"); @@ -7206,10 +7214,6 @@ static int check_reg_type(struct bpf_verifier_env *env, u32 regno, } break; } - case PTR_TO_BTF_ID | PTR_MAYBE_NULL: - case PTR_TO_BTF_ID | PTR_MAYBE_NULL | MEM_RCU: - verbose(env, "Possibly NULL pointer passed to helper arg%d\n", regno); - return -EACCES; case PTR_TO_BTF_ID | MEM_ALLOC: if (meta->func_id != BPF_FUNC_spin_lock && meta->func_id != BPF_FUNC_spin_unlock && meta->func_id != BPF_FUNC_kptr_xchg) { From patchwork Tue Apr 4 04:50:27 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexei Starovoitov X-Patchwork-Id: 13199132 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3DFDEC7618D for ; Tue, 4 Apr 2023 04:51:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233171AbjDDEvR (ORCPT ); Tue, 4 Apr 2023 00:51:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40234 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233226AbjDDEvG (ORCPT ); Tue, 4 Apr 2023 00:51:06 -0400 Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9806219BE; Mon, 3 Apr 2023 21:50:58 -0700 (PDT) Received: by mail-pj1-x1029.google.com with SMTP id ml21so7395766pjb.4; Mon, 03 Apr 2023 21:50:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680583858; x=1683175858; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=76CWmxuX1SyXCWRsf9iQqc6Xq2EOWu8B/zkczM90/Qo=; b=EshsSV9y5lgItYXm5ZEDwdHkapKXW4Ljl1zr6kzMgNznhOfXEg9aVrcr6ssq4ZGMfy +bOm5XhFY78edTfksSTvcOfspFUzk8i7MgIlh8u7JjsRVGHXx1ou6qM0Ezkl+Oo5fva2 NwYoZ0sw2HkA4xtZt5+ajWbzmvQq6NEhh9W6F2ifq9VYZe8wl8kUWEC59YwCbEHTD5fj Sj76eTJS8Q47EMaeUiHVSJvtJCZxzhw3uLNh+5kohLdpfgF/PZihtO28KIxegqrqkvBl bb30/QuoCAZvauABseASMVT+GPG/kHB6FhuF0S7Prf43HrP5pUZkcq0nr8nJM7oRQZVt RYsA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680583858; x=1683175858; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=76CWmxuX1SyXCWRsf9iQqc6Xq2EOWu8B/zkczM90/Qo=; b=sCncQ8LH304B4lKlVQr4U6luDNYXcrB7wCEyPgJMioE41kX25l5xMqINEeO9JBCFlO Wqxr8mxOT8Kv67kOhFet6APf/v2tahyL6SHYjhiAsLavrLmLjvkeSWVNK6C5BkoEO34Z qxkYPa4Y5I6w/1uxs8aKM6P4RHOnXr0UjZMyl1tKvrSpNbE56wyjFFIjV50tVF1Fni9C jchzKH10xO/A9NzZjUZ3hdmQDR1/PgfpRkQ2g7ZpD8ZqGlfqmmHgwIE52qKldvzfssvW W1vvDp+6Li2XGNQKiLMQmk7TokDQ+ySS9jARvsIPKPGrfF0pt2NLBi6L5UAuRE+2jUz0 N2fA== X-Gm-Message-State: AAQBX9e7hrs9YjkqoOhaV5B3oA/th4k/7dbS642FpC18REPXXYGb6iU2 vl8T5rrRfzwwZqDa9Deh2tM= X-Google-Smtp-Source: AKy350ZVeyrL0ATa66Fy7PIYpfKvdh3+4gXiDdnXNECj4s8Y/xtzu90fsBVksc2vp/wGHs5ZPwgb/Q== X-Received: by 2002:a17:90a:190f:b0:23f:990d:b5b1 with SMTP id 15-20020a17090a190f00b0023f990db5b1mr1371387pjg.46.1680583857934; Mon, 03 Apr 2023 21:50:57 -0700 (PDT) Received: from dhcp-172-26-102-232.DHCP.thefacebook.com ([2620:10d:c090:400::5:3c8]) by smtp.gmail.com with ESMTPSA id s3-20020a17090a13c300b0023d16f05dd8sm6956945pjf.36.2023.04.03.21.50.56 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 03 Apr 2023 21:50:57 -0700 (PDT) From: Alexei Starovoitov To: davem@davemloft.net Cc: daniel@iogearbox.net, andrii@kernel.org, martin.lau@kernel.org, void@manifault.com, davemarchevsky@meta.com, tj@kernel.org, memxor@gmail.com, netdev@vger.kernel.org, bpf@vger.kernel.org, kernel-team@fb.com Subject: [PATCH bpf-next 6/8] bpf: Allowlist few fields similar to __rcu tag. Date: Mon, 3 Apr 2023 21:50:27 -0700 Message-Id: <20230404045029.82870-7-alexei.starovoitov@gmail.com> X-Mailer: git-send-email 2.37.1 (Apple Git-137.1) In-Reply-To: <20230404045029.82870-1-alexei.starovoitov@gmail.com> References: <20230404045029.82870-1-alexei.starovoitov@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net From: Alexei Starovoitov Allow bpf program access cgrp->kn, mm->exe_file, skb->sk, req->sk. Signed-off-by: Alexei Starovoitov --- kernel/bpf/verifier.c | 39 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 4e7d671497f4..fd90ba498ccc 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -5378,6 +5378,7 @@ static int bpf_map_direct_read(struct bpf_map *map, int off, int size, u64 *val) } #define BTF_TYPE_SAFE_RCU(__type) __PASTE(__type, __safe_rcu) +#define BTF_TYPE_SAFE_RCU_OR_NULL(__type) __PASTE(__type, __safe_rcu_or_null) #define BTF_TYPE_SAFE_TRUSTED(__type) __PASTE(__type, __safe_trusted) /* @@ -5394,10 +5395,31 @@ BTF_TYPE_SAFE_RCU(struct task_struct) { struct task_struct *group_leader; }; +BTF_TYPE_SAFE_RCU(struct cgroup) { + /* cgrp->kn is always accessible as documented in kernel/cgroup/cgroup.c */ + struct kernfs_node *kn; +}; + BTF_TYPE_SAFE_RCU(struct css_set) { struct cgroup *dfl_cgrp; }; +/* RCU trusted: these fields are trusted in RCU CS and can be NULL */ +BTF_TYPE_SAFE_RCU_OR_NULL(struct mm_struct) { + struct file __rcu *exe_file; +}; + +/* skb->sk, req->sk are not RCU protected, but we mark them as such + * because bpf prog accessible sockets are SOCK_RCU_FREE. + */ +BTF_TYPE_SAFE_RCU_OR_NULL(struct sk_buff) { + struct sock *sk; +}; + +BTF_TYPE_SAFE_RCU_OR_NULL(struct request_sock) { + struct sock *sk; +}; + /* full trusted: these fields are trusted even outside of RCU CS and never NULL */ BTF_TYPE_SAFE_TRUSTED(struct bpf_iter_meta) { struct seq_file *seq; @@ -5430,11 +5452,23 @@ static bool type_is_rcu(struct bpf_verifier_env *env, const char *field_name, u32 btf_id) { BTF_TYPE_EMIT(BTF_TYPE_SAFE_RCU(struct task_struct)); + BTF_TYPE_EMIT(BTF_TYPE_SAFE_RCU(struct cgroup)); BTF_TYPE_EMIT(BTF_TYPE_SAFE_RCU(struct css_set)); return btf_nested_type_is_trusted(&env->log, reg, field_name, btf_id, "__safe_rcu"); } +static bool type_is_rcu_or_null(struct bpf_verifier_env *env, + struct bpf_reg_state *reg, + const char *field_name, u32 btf_id) +{ + BTF_TYPE_EMIT(BTF_TYPE_SAFE_RCU_OR_NULL(struct mm_struct)); + BTF_TYPE_EMIT(BTF_TYPE_SAFE_RCU_OR_NULL(struct sk_buff)); + BTF_TYPE_EMIT(BTF_TYPE_SAFE_RCU_OR_NULL(struct request_sock)); + + return btf_nested_type_is_trusted(&env->log, reg, field_name, btf_id, "__safe_rcu_or_null"); +} + static bool type_is_trusted(struct bpf_verifier_env *env, struct bpf_reg_state *reg, const char *field_name, u32 btf_id) @@ -5561,9 +5595,10 @@ static int check_ptr_to_btf_access(struct bpf_verifier_env *env, if (type_is_rcu(env, reg, field_name, btf_id)) { /* ignore __rcu tag and mark it MEM_RCU */ flag |= MEM_RCU; - } else if (flag & MEM_RCU) { + } else if (flag & MEM_RCU || + type_is_rcu_or_null(env, reg, field_name, btf_id)) { /* __rcu tagged pointers can be NULL */ - flag |= PTR_MAYBE_NULL; + flag |= MEM_RCU | PTR_MAYBE_NULL; } else if (flag & (MEM_PERCPU | MEM_USER)) { /* keep as-is */ } else { From patchwork Tue Apr 4 04:50:28 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexei Starovoitov X-Patchwork-Id: 13199133 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4058DC761A6 for ; Tue, 4 Apr 2023 04:51:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232888AbjDDEvS (ORCPT ); Tue, 4 Apr 2023 00:51:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40260 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233182AbjDDEvJ (ORCPT ); Tue, 4 Apr 2023 00:51:09 -0400 Received: from mail-pf1-x430.google.com (mail-pf1-x430.google.com [IPv6:2607:f8b0:4864:20::430]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B05152697; Mon, 3 Apr 2023 21:51:02 -0700 (PDT) Received: by mail-pf1-x430.google.com with SMTP id z11so20629375pfh.4; Mon, 03 Apr 2023 21:51:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680583862; x=1683175862; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=gYCczLlj+qI2Rf3310jhdvz1Q1q9UTepuX5/jYcvRP0=; b=OxQmHX3NxS4UedNoIietUQB5stCXClbPVKSPw3uCxvDmIr3uoe4/T3OvI0ybR8y36I 50gW5JWWCmxTIeyZvecvahqpdFVid+b/1D5f8vAHFHLMJU3sv4NQ9brjhQWsIOVPYd6J 9tdsRNsuzTMBBeSul/vgrxTLA50SKi2hx1sUgGp96Ehcdu9tYhZtr1Rk+h6miRCqaqRM IeYunshZt9VHjWFBFoRwFIVyMRyXPociKDkvwy1Ab8C7FqKKr7Ek9ai3fVn89slLR1sd jvfI8Oja2mNa/D8xClYqOMCVjkPc//muQqE4cf91z6EyDz9foxsJ5oQoqOhGC++kDHZ5 FZrA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680583862; x=1683175862; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=gYCczLlj+qI2Rf3310jhdvz1Q1q9UTepuX5/jYcvRP0=; b=ppObmOG76NucHVr2m1taL1W9v4pBy/ZWriadAiPHJU88rAIJckoUzsDlAk+rEw9GPr gbJ0K6KLbyM/OvEFf0nV3d0EBPE0KCrHME01vqgMLxsAmtd60RDKRhDG8q3QaJuGpFn/ LMLAESOln0fQLl7opuinZkMMGvICeKP3XtX70KOjnjtU+2pWEglL/TwKxhTcPkZNAwdU EtoruhzZLVQNkREbgbXrjc89EJz/gpU2QuAZcOCH1ib0k1IWFQ8JhiQRzv0iPN+7oNyq P7mwSuRDul5dseWM3C4BVxPUoDSNiCvr8wX8uvZt9rFzsxNBsmuaRZrEDdgqx3AnVKgI kdJw== X-Gm-Message-State: AAQBX9eHLcasOiB1foApGntb8nqbCgDUB/9l9/JdxQM2+msQ5+yrByVK IkWL/ItzI5cbjCodxJaEkcY= X-Google-Smtp-Source: AKy350YW0ZSfjmnOUuyeFMixtydXRrsvXkUTRBxYNrcanrZkF4FJhTMCV3b1uhgRkvEqaxPRAjlsvA== X-Received: by 2002:a05:6a00:11:b0:625:fe60:9b5c with SMTP id h17-20020a056a00001100b00625fe609b5cmr1059525pfk.23.1680583862088; Mon, 03 Apr 2023 21:51:02 -0700 (PDT) Received: from dhcp-172-26-102-232.DHCP.thefacebook.com ([2620:10d:c090:400::5:3c8]) by smtp.gmail.com with ESMTPSA id u4-20020a62ed04000000b005a84ef49c63sm7652120pfh.214.2023.04.03.21.51.00 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 03 Apr 2023 21:51:01 -0700 (PDT) From: Alexei Starovoitov To: davem@davemloft.net Cc: daniel@iogearbox.net, andrii@kernel.org, martin.lau@kernel.org, void@manifault.com, davemarchevsky@meta.com, tj@kernel.org, memxor@gmail.com, netdev@vger.kernel.org, bpf@vger.kernel.org, kernel-team@fb.com Subject: [PATCH bpf-next 7/8] bpf: Undo strict enforcement for walking untagged fields. Date: Mon, 3 Apr 2023 21:50:28 -0700 Message-Id: <20230404045029.82870-8-alexei.starovoitov@gmail.com> X-Mailer: git-send-email 2.37.1 (Apple Git-137.1) In-Reply-To: <20230404045029.82870-1-alexei.starovoitov@gmail.com> References: <20230404045029.82870-1-alexei.starovoitov@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net From: Alexei Starovoitov The commit 6fcd486b3a0a ("bpf: Refactor RCU enforcement in the verifier.") broke several tracing bpf programs. Even in clang compiled kernels there are many fields that are not marked with __rcu that are safe to read and pass into helpers, but the verifier doesn't know that they're safe. Aggressively marking them as PTR_UNTRUSTED was premature. Fixes: 6fcd486b3a0a ("bpf: Refactor RCU enforcement in the verifier.") Signed-off-by: Alexei Starovoitov --- kernel/bpf/verifier.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index fd90ba498ccc..56f569811f70 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -4974,6 +4974,11 @@ static bool is_rcu_reg(const struct bpf_reg_state *reg) return reg->type & MEM_RCU; } +static void clear_trusted_flags(enum bpf_type_flag *flag) +{ + *flag &= ~(BPF_REG_TRUSTED_MODIFIERS | MEM_RCU); +} + static int check_pkt_ptr_alignment(struct bpf_verifier_env *env, const struct bpf_reg_state *reg, int off, int size, bool strict) @@ -5602,8 +5607,8 @@ static int check_ptr_to_btf_access(struct bpf_verifier_env *env, } else if (flag & (MEM_PERCPU | MEM_USER)) { /* keep as-is */ } else { - /* walking unknown pointers yields untrusted pointer */ - flag = PTR_UNTRUSTED; + /* walking unknown pointers yields old deprecated PTR_TO_BTF_ID */ + clear_trusted_flags(&flag); } } else { /* @@ -5617,7 +5622,7 @@ static int check_ptr_to_btf_access(struct bpf_verifier_env *env, } } else { /* Old compat. Deprecated */ - flag &= ~PTR_TRUSTED; + clear_trusted_flags(&flag); } if (atype == BPF_READ && value_regno >= 0) From patchwork Tue Apr 4 04:50:29 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexei Starovoitov X-Patchwork-Id: 13199134 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 19FCDC7618D for ; Tue, 4 Apr 2023 04:51:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233244AbjDDEva (ORCPT ); Tue, 4 Apr 2023 00:51:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40654 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233268AbjDDEvP (ORCPT ); Tue, 4 Apr 2023 00:51:15 -0400 Received: from mail-pj1-x1031.google.com (mail-pj1-x1031.google.com [IPv6:2607:f8b0:4864:20::1031]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C35F8211D; Mon, 3 Apr 2023 21:51:06 -0700 (PDT) Received: by mail-pj1-x1031.google.com with SMTP id j13so29356380pjd.1; Mon, 03 Apr 2023 21:51:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680583866; x=1683175866; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=KEByK7ayQymGUwHV+hLag/ZuQOh0jiZxz8ClMc7Oq0s=; b=h13w4QJTAs/h80A3maG01T4HzM0Oayq3vx6kP/y7mq2laVMhDs1zovqc9ixeey2rBb M1AZV20HQ2EnwpY55NYgUSMYwmLEpIPH1EQCxkruh6Qz0Gsb/33lz7grTunmewXTveui 1zxvWqJ/15oWU0SzIlo8Q/MEKFQVeKWkdB2h4wCooepUxiScO9dWoqCeSOb0TFknL7Y3 5yR9cQ+pRvaQM7w2ErIF9HL1x04MbEOuF9xM5ecDChivCy8rqKYwqBYtmymSRSbYJqhP 2Hyd2BUpsWrhD+AiaSf8BrS9QgT5X889W65iTEVxDkIQZTj1f0PKOJIxxymCOFrbEwJO wjmw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680583866; x=1683175866; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=KEByK7ayQymGUwHV+hLag/ZuQOh0jiZxz8ClMc7Oq0s=; b=wm/1iErxwIz6FVQO2F/jBIkt/BW1ZtQHtmBKhL2RycMTl+8qiq1Sz/Tl1MsVCLuwvZ cMSembTLYcwWE36UzHFkR1CV+socL3SV62OAh5xxRaMm8t+iX990OEEvtBa/uGAOc1+v zX7O0vEmCrWYK9rGIDC/9Fz92YRZSK4QI7wAcu4/MGCuSq/rs5YUFpBxD4c4UrcoQzUB YVb9XvfpSsen4xpMI9zSELNAXnpKTVfiwSf1Q4Wyx0Eb2lKJfHpuvQnkjYUneg7zVAEH wmbVuNodCW65CgOk/yEUfaZ4anrLiJgD4utGjE+CvW5etZLI6BfUx5ycyuwgSpVYprUE 4yrg== X-Gm-Message-State: AAQBX9f+elnSzJR4qcLoCQtCOpq63eHMqdne3KccDbPbUlqoa0jvkhVf Wy2eJzDOhofr/IIdj6r04hc= X-Google-Smtp-Source: AKy350ZbKhIUGP0wn/uUtuKFfD20cUFAmYRLGUb0OTVGidgCmS5Jv1lMvw3ob2YZrWvc0+BpE1vjyA== X-Received: by 2002:a17:90b:3a91:b0:237:461c:b31a with SMTP id om17-20020a17090b3a9100b00237461cb31amr1380141pjb.32.1680583866150; Mon, 03 Apr 2023 21:51:06 -0700 (PDT) Received: from dhcp-172-26-102-232.DHCP.thefacebook.com ([2620:10d:c090:400::5:3c8]) by smtp.gmail.com with ESMTPSA id d4-20020a17090ac24400b002407750c3c3sm6902998pjx.37.2023.04.03.21.51.04 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 03 Apr 2023 21:51:05 -0700 (PDT) From: Alexei Starovoitov To: davem@davemloft.net Cc: daniel@iogearbox.net, andrii@kernel.org, martin.lau@kernel.org, void@manifault.com, davemarchevsky@meta.com, tj@kernel.org, memxor@gmail.com, netdev@vger.kernel.org, bpf@vger.kernel.org, kernel-team@fb.com Subject: [PATCH bpf-next 8/8] selftests/bpf: Add tracing tests for walking skb and req. Date: Mon, 3 Apr 2023 21:50:29 -0700 Message-Id: <20230404045029.82870-9-alexei.starovoitov@gmail.com> X-Mailer: git-send-email 2.37.1 (Apple Git-137.1) In-Reply-To: <20230404045029.82870-1-alexei.starovoitov@gmail.com> References: <20230404045029.82870-1-alexei.starovoitov@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net From: Alexei Starovoitov Add tracing tests for walking skb->sk and req->sk. Signed-off-by: Alexei Starovoitov --- .../bpf/progs/test_sk_storage_tracing.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tools/testing/selftests/bpf/progs/test_sk_storage_tracing.c b/tools/testing/selftests/bpf/progs/test_sk_storage_tracing.c index 6dc1f28fc4b6..02e718f06e0f 100644 --- a/tools/testing/selftests/bpf/progs/test_sk_storage_tracing.c +++ b/tools/testing/selftests/bpf/progs/test_sk_storage_tracing.c @@ -92,4 +92,20 @@ int BPF_PROG(inet_csk_accept, struct sock *sk, int flags, int *err, bool kern, return 0; } +SEC("tp_btf/tcp_retransmit_synack") +int BPF_PROG(tcp_retransmit_synack, struct sock* sk, struct request_sock* req) +{ + /* load only test */ + bpf_sk_storage_get(&sk_stg_map, sk, 0, 0); + bpf_sk_storage_get(&sk_stg_map, req->sk, 0, 0); + return 0; +} + +SEC("tp_btf/tcp_bad_csum") +int BPF_PROG(tcp_bad_csum, struct sk_buff* skb) +{ + bpf_sk_storage_get(&sk_stg_map, skb->sk, 0, 0); + return 0; +} + char _license[] SEC("license") = "GPL";