From patchwork Fri Feb 9 23:09:07 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrii Nakryiko X-Patchwork-Id: 13551974 X-Patchwork-Delegate: bpf@iogearbox.net Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1657D1E4AD for ; Fri, 9 Feb 2024 23:09:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707520156; cv=none; b=IgyTc+b9t0aGDHTaAravFWSVjOhpdJjUJGPZJ4W5BzdqJu84m7xpZUtMmt2Rf6uO4jHwkDDMaKBIkxu7+t4fboKWXB6DjmDvq3ZSt6deSiFvSPJfu7m5pyBAJx6t1+/55u5oix8Kp3+LG0HdUsdF2Aj3C61atiVHyNYU8iMUIj4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707520156; c=relaxed/simple; bh=pQ43CjuavD2cJf3e3059LzfMFrFofhdI3oUP5Lw5Fjk=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=UfGwVc1BJdd8BXBnwvWv0X1ydfHZl7VLzshjb+azEZzyw6YcW3DYDadGZksqs/URcc+U6hsTFZuh4oJz+rYBGjROxD9YTPac5xEJRgU+wsni3bEBs+e6oYvz/I03eHX1/vgITaQO/qVAWxqCLSoIIWiy2D9mPpISGE3A23wGRCU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Go+54p0M; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Go+54p0M" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 54866C433F1; Fri, 9 Feb 2024 23:09:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1707520155; bh=pQ43CjuavD2cJf3e3059LzfMFrFofhdI3oUP5Lw5Fjk=; h=From:To:Cc:Subject:Date:From; b=Go+54p0Mhnp93tbYSdGPSIa6Zy/uy619cP2XOsLKgDvhgrfqZqGcxL6L/7UMqf+lh zMVKX0OLIgFZ8NCFD2C0Znqn8HyD4Xqi2XLYJjjV0V37OM9SrMJtSVpyyFpL9JYEXi 2dk0rXIp+qXRCEKJN/TWJbX+5y/0DttoPK9s8rgcxWBehrfcEkmrTmNulKPu1Sp9v8 QpNfe/+C/abW2V/kyyDRhHSGecip4cEB7bWnLI71B36V7/5qE7iGQ66asBSVpvxtoP Hla901US9AHgPqvmiNUt1g+YkCAxFN8ljqFmMxrOSb2BOLgftTG+058WyGKd/EWexb vjpzxTWIAPSAw== From: Andrii Nakryiko To: bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, martin.lau@kernel.org Cc: andrii@kernel.org, kernel-team@meta.com Subject: [PATCH bpf-next 1/2] bpf: don't infer PTR_TO_CTX for programs with unnamed context type Date: Fri, 9 Feb 2024 15:09:07 -0800 Message-Id: <20240209230908.2380782-1-andrii@kernel.org> X-Mailer: git-send-email 2.39.3 Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: bpf@iogearbox.net For program types that don't have named context type name (e.g., BPF iterator programs or tracepoint programs), ctx_tname will be a non-NULL empty string. For such programs it shouldn't be possible to have PTR_TO_CTX argument for global subprogs based on type name alone. arg:ctx tag is the only way to have PTR_TO_CTX passed into global subprog for such program types. Fix this loop hole, which currently would assume PTR_TO_CTX whenever user uses a pointer to anonymous struct as an argument to their global subprogs. This happens in practice with the following (quite common, in practice) approach: typedef struct { /* anonymous */ int x; } my_type_t; int my_subprog(my_type_t *arg) { ... } User's intent is to have PTR_TO_MEM argument for `arg`, but verifier will complain about expecting PTR_TO_CTX. Fixes: 91cc1a99740e ("bpf: Annotate context types") Signed-off-by: Andrii Nakryiko --- kernel/bpf/btf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c index 8e06d29961f1..d6021290caba 100644 --- a/kernel/bpf/btf.c +++ b/kernel/bpf/btf.c @@ -5725,6 +5725,9 @@ btf_get_prog_ctx_type(struct bpf_verifier_log *log, const struct btf *btf, bpf_log(log, "Please fix kernel include/linux/bpf_types.h\n"); return NULL; } + /* program types without named context types work only with arg:ctx tag */ + if (ctx_tname[0] == '\0') + return NULL; /* only compare that prog's ctx type name is the same as * kernel expects. No need to compare field by field. * It's ok for bpf prog to do: From patchwork Fri Feb 9 23:09:08 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrii Nakryiko X-Patchwork-Id: 13551975 X-Patchwork-Delegate: bpf@iogearbox.net Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 176031E4AD for ; Fri, 9 Feb 2024 23:09:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707520159; cv=none; b=XBCt3sK1+VoK9ZcVvV0C9hnTvke0S574yhOcoWYaJB/ADea1fQgZKR36jPD+YAY41Zd3t+Wv+jEv8KiwxA9pEouD9q1iVIKpv2NzK3aVrFjSjPIqOcTQNs6lU0Qq721lc9hwv6X6CgVNX2OafVUY95+iCOn2vJ6/5bAsVhYj9Yw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707520159; c=relaxed/simple; bh=peNHuCp0hVvKAmLOF5CeQ2pDRxZpVOFKhKvpMynj7DE=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=ChMbinH1Ww6JmuyrAdRA17IqxA88ODxQkx9ZpzoWir9EcDZzWvMIaJ6MrB03GK8w5/j+N2m1j6dDS9Dbfw4JUXrWrgUn3HgkNMpEvYbRaylAoQvxoZl5EN5qK+8IwBX2Q7OhO9jdEeUAhlzRAxTJgqsrAxFUrBwrMWKp2oCwV4s= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=CVvk5ckK; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="CVvk5ckK" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 821E3C433C7; Fri, 9 Feb 2024 23:09:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1707520158; bh=peNHuCp0hVvKAmLOF5CeQ2pDRxZpVOFKhKvpMynj7DE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=CVvk5ckKvHdPY83PO2Wr4la9t9IaAugHI3Ve9O5/JcF+qcDxH55DZaxXiydHmbBZf n8lBXf6WkUUwfIvqBNrp+wvyKLl0BRPn8j5IyJHSEK2oCLHVA3g4kdo9uw0Jjkegwd 5rM/HL0q28LwpPUtpUvCcFhyuspSi8EwIwns2RqZpcS/+5hrNpYViAbxKLSb7x+d/H vrLpCYo60fa9XFrzjEoVGO5uM0UsqlK+0SvppgE20HLbhvVgau+FkMxstkur5tV7i+ MXzm36LVcRrYlDHJRmzGimuVQHDDrrQRXxrpygixyYir869DWg5oo9/ANVLWmHPfy/ QLzut/IV8iBZg== From: Andrii Nakryiko To: bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, martin.lau@kernel.org Cc: andrii@kernel.org, kernel-team@meta.com Subject: [PATCH bpf-next 2/2] selftests/bpf: add anonymous user struct as global subprog arg test Date: Fri, 9 Feb 2024 15:09:08 -0800 Message-Id: <20240209230908.2380782-2-andrii@kernel.org> X-Mailer: git-send-email 2.39.3 In-Reply-To: <20240209230908.2380782-1-andrii@kernel.org> References: <20240209230908.2380782-1-andrii@kernel.org> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: bpf@iogearbox.net Add tests validating that kernel handles pointer to anonymous struct argument as PTR_TO_MEM case, not as PTR_TO_CTX case. Signed-off-by: Andrii Nakryiko --- .../bpf/progs/verifier_global_subprogs.c | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/tools/testing/selftests/bpf/progs/verifier_global_subprogs.c b/tools/testing/selftests/bpf/progs/verifier_global_subprogs.c index 67dddd941891..fed847bc1911 100644 --- a/tools/testing/selftests/bpf/progs/verifier_global_subprogs.c +++ b/tools/testing/selftests/bpf/progs/verifier_global_subprogs.c @@ -115,6 +115,35 @@ int arg_tag_nullable_ptr_fail(void *ctx) return subprog_nullable_ptr_bad(&x); } +typedef struct { + int x; +} user_struct_t; + +__noinline __weak int subprog_user_anon_mem(user_struct_t *t) +{ + return t ? t->x : 0; +} + +SEC("?tracepoint") +__failure __log_level(2) +__msg("invalid bpf_context access") +__msg("Caller passes invalid args into func#1 ('subprog_user_anon_mem')") +int anon_user_mem_invalid(void *ctx) +{ + /* can't pass PTR_TO_CTX as user memory */ + return subprog_user_anon_mem(ctx) & 1; +} + +SEC("?tracepoint") +__success __log_level(2) +__msg("Func#1 ('subprog_user_anon_mem') is safe for any args that match its prototype") +int anon_user_mem_valid(void *ctx) +{ + user_struct_t t = { .x = 42 }; + + return subprog_user_anon_mem(&t); +} + __noinline __weak int subprog_nonnull_ptr_good(int *p1 __arg_nonnull, int *p2 __arg_nonnull) { return (*p1) * (*p2); /* good, no need for NULL checks */