From patchwork Fri Aug  9 00:51:27 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amery Hung <ameryhung@gmail.com>
X-Patchwork-Id: 13758268
X-Patchwork-Delegate: bpf@iogearbox.net
Received: from mail-qv1-f47.google.com (mail-qv1-f47.google.com
 [209.85.219.47])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 56BBB2F26
	for <bpf@vger.kernel.org>; Fri,  9 Aug 2024 00:51:46 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.219.47
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1723164707; cv=none;
 b=gXxkWmGlZzW0EAvvKLvpmsfzF6U9BuSEKZKAdS7Lq+BppNCG5KPULYqfhg8tVitw/p8MzyyBmR+hGCWz7eWlBaV98OtRj1XwcrbnLkzpUfANvjP7jtYedY8M+oOUmelQMMHPBt8u+UjSnCr0DjWy7ZSfTXiruUBUv874SBwl/uU=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1723164707; c=relaxed/simple;
	bh=ZbuGl+8slczYMrERdOlmf3zPBD3iy9Dk9eC5UxB3+NI=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version;
 b=Q9yckcpOT3lRMdX8MjAgqjvwDY1DXMWPv2wuojD59xKjywjDWgIOoaQ/A5/XzgP6uR/Z21IhRVYiptYYrHgP9qBrGWIs7iYwTyow+2jWJjRzkwD7Z2/lGy7uoIMSbxm+SyOOLSSmvTsYJ624kv2kyY40UfVe8S2VMl732kKzreE=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=LOQNjP+8; arc=none smtp.client-ip=209.85.219.47
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="LOQNjP+8"
Received: by mail-qv1-f47.google.com with SMTP id
 6a1803df08f44-6bb687c3cceso8544746d6.0
        for <bpf@vger.kernel.org>; Thu, 08 Aug 2024 17:51:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1723164705; x=1723769505;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=3f+vxYAkQBb6D65mIrVwyGHBCVZADOdI72CspIF7Izc=;
        b=LOQNjP+8HUoYUPqm/WJo+nX5WH9WXCUKVXSMG29BCASuXZdK8a4ot1mBbq9jaiISWG
         D8IXR17XJ0gXswvaIcBXr/zwJu9c1bpgwurkcGkXkRWUXrzpw/pl8sNezsoTRJxo+abL
         kei9sOiMkXZvyI7PstBrFORTXZDB1dBQYAj0TJ6x1vhpfd1C5iIWaB4aJz2KO/xq9fiC
         TWIL5nnu/foeZ7ggGm492955K+bo65feppyFyRrUld4r8AKyWelcB+GEdLhdmnc7+hWg
         S7W/y+0l2RwCxgpnIThcHPOO+UmveY9fckGRKDD9ZtI5K4cfv53suU/F/UGs8r4gAoyR
         g9LA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1723164705; x=1723769505;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=3f+vxYAkQBb6D65mIrVwyGHBCVZADOdI72CspIF7Izc=;
        b=ILBS7Gc1v3PQ5EZn5LjfBtgyPXKx5gjv8ayd3hjmxKWvD7OkFeV9MDNouei3Uj5fgD
         H7wV9OF7xqJAJ990I6bCMAkjvlh1ZTeV5hNy2Ik0PZEN6kzifZau9rMgOp764bXfjJot
         zRkEqvtVLPIcyS2PZWjtsgsKpQEyeboFWrIHMVpILnlYx87Q8szYwCC7R7jtXPyQA2H2
         oCy4+pR7eWTcJ+W9RxyTsPqfC62UpERKQLsAvT4+s3tCcB6Jnj7VvGdIHM7s+AgsDuWA
         juMty6tVVYriQNFqqbdEhz67tlf6jLo1mx6I9UNo/S3t8YFrbj2NYNBXcTub8SdAmyVe
         ULhA==
X-Gm-Message-State: AOJu0YytRhn66YLTQLxKrsIgQF8B+6tUvFrBgAa86/hROAwlR5g1/PKW
	ZAZJyF/XhGF2YBXvE6TzXObJnr2kUtJD8GWaXoo387V1CU4qYrvleBDRUA==
X-Google-Smtp-Source: 
 AGHT+IF9LkF7HdDe3MsNucAfL3JjD3tFBC8wU6cruFO/+VNkFkMbwbaOtS7qgrB6JLCc7qNVBhE3XQ==
X-Received: by 2002:a05:6214:568f:b0:6b5:e3ee:f804 with SMTP id
 6a1803df08f44-6bd78d18773mr132996d6.16.1723164705117;
        Thu, 08 Aug 2024 17:51:45 -0700 (PDT)
Received: from n36-183-057.byted.org ([130.44.212.99])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bb9c797dbdsm71485826d6.52.2024.08.08.17.51.44
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 08 Aug 2024 17:51:44 -0700 (PDT)
From: Amery Hung <ameryhung@gmail.com>
X-Google-Original-From: Amery Hung <amery.hung@bytedance.com>
To: bpf@vger.kernel.org
Cc: daniel@iogearbox.net,
	andrii@kernel.org,
	alexei.starovoitov@gmail.com,
	martin.lau@kernel.org,
	houtao@huaweicloud.com,
	sinquersw@gmail.com,
	davemarchevsky@fb.com,
	ameryhung@gmail.com,
	Amery Hung <amery.hung@bytedance.com>
Subject: [PATCH v3 bpf-next 1/5] bpf: Let callers of btf_parse_kptr() track
 life cycle of prog btf
Date: Fri,  9 Aug 2024 00:51:27 +0000
Message-Id: <20240809005131.3916464-2-amery.hung@bytedance.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20240809005131.3916464-1-amery.hung@bytedance.com>
References: <20240809005131.3916464-1-amery.hung@bytedance.com>
Precedence: bulk
X-Mailing-List: bpf@vger.kernel.org
List-Id: <bpf.vger.kernel.org>
List-Subscribe: <mailto:bpf+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:bpf+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Patchwork-Delegate: bpf@iogearbox.net

btf_parse_kptr() and btf_record_free() do btf_get() and btf_put()
respectively when working on btf_record in program and map if there are
kptr fields. If the kptr is from program BTF, since both callers has
already tracked the life cycle of program BTF, it is safe to remove the
btf_get() and btf_put().

This change prevents memory leak of program BTF later when we start
searching for kptr fields when building btf_record for program. It can
happen when the btf fd is closed. The btf_put() corresponding to the
btf_get() in btf_parse_kptr() was supposed to be called by
btf_record_free() in btf_free_struct_meta_tab() in btf_free(). However,
it will never happen since the invocation of btf_free() depends on the
refcount of the btf to become 0 in the first place.

Signed-off-by: Amery Hung <amery.hung@bytedance.com>
Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
Acked-by: Hou Tao <houtao1@huawei.com>
---
 kernel/bpf/btf.c     | 2 +-
 kernel/bpf/syscall.c | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 95426d5b634e..deacf9d7b276 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -3759,6 +3759,7 @@ static int btf_find_field(const struct btf *btf, const struct btf_type *t,
 	return -EINVAL;
 }
 
+/* Callers have to ensure the life cycle of btf if it is program BTF */
 static int btf_parse_kptr(const struct btf *btf, struct btf_field *field,
 			  struct btf_field_info *info)
 {
@@ -3787,7 +3788,6 @@ static int btf_parse_kptr(const struct btf *btf, struct btf_field *field,
 		field->kptr.dtor = NULL;
 		id = info->kptr.type_id;
 		kptr_btf = (struct btf *)btf;
-		btf_get(kptr_btf);
 		goto found_dtor;
 	}
 	if (id < 0)
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 869265852d51..4003e1025264 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -550,7 +550,8 @@ void btf_record_free(struct btf_record *rec)
 		case BPF_KPTR_PERCPU:
 			if (rec->fields[i].kptr.module)
 				module_put(rec->fields[i].kptr.module);
-			btf_put(rec->fields[i].kptr.btf);
+			if (btf_is_kernel(rec->fields[i].kptr.btf))
+				btf_put(rec->fields[i].kptr.btf);
 			break;
 		case BPF_LIST_HEAD:
 		case BPF_LIST_NODE:
@@ -596,7 +597,8 @@ struct btf_record *btf_record_dup(const struct btf_record *rec)
 		case BPF_KPTR_UNREF:
 		case BPF_KPTR_REF:
 		case BPF_KPTR_PERCPU:
-			btf_get(fields[i].kptr.btf);
+			if (btf_is_kernel(fields[i].kptr.btf))
+				btf_get(fields[i].kptr.btf);
 			if (fields[i].kptr.module && !try_module_get(fields[i].kptr.module)) {
 				ret = -ENXIO;
 				goto free;

From patchwork Fri Aug  9 00:51:28 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amery Hung <ameryhung@gmail.com>
X-Patchwork-Id: 13758269
X-Patchwork-Delegate: bpf@iogearbox.net
Received: from mail-qv1-f53.google.com (mail-qv1-f53.google.com
 [209.85.219.53])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 22AC73D6D
	for <bpf@vger.kernel.org>; Fri,  9 Aug 2024 00:51:46 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.219.53
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1723164708; cv=none;
 b=gFfhP7sSL0id4zzq0gFawzPr9C7sumAIPS04+14+OXLcySbKH3CZMvrQvipNxdjip6GiBKea/xFTw7s0U1VPNc1mEWx9Up1dswwJfNEt4Rp4q/n/lU0nDR+LDOmcqHpRKXqXnsOaX7QsTAWV4vyn3UTTBu2tZIluU2hdm/B2Wls=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1723164708; c=relaxed/simple;
	bh=IpLSk3jSK5NyCFqJjnJH9W9P1Ev0KOpgLVSsUyuG/TE=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version;
 b=WZTEzlMNeM5s0yvFN/HpFsba4ltla3n5HurX1NWcvHbdKNudHobhLsTVy02pIr/b6OTYBb98Z+n69piscLbEUnFWBqQL0bnBAs7Kyvf/SxrLCntVsRQBWySMzAkllc/v0SK3Wslz8nsrmwfIBL6XY7MrJHgCeQFa6Nnuz+5Moa4=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=JfR4emZT; arc=none smtp.client-ip=209.85.219.53
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="JfR4emZT"
Received: by mail-qv1-f53.google.com with SMTP id
 6a1803df08f44-6bb96ef0e8eso8415046d6.2
        for <bpf@vger.kernel.org>; Thu, 08 Aug 2024 17:51:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1723164706; x=1723769506;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=XVANk0qcPcnFzzYVCHvRt+g00d4r6j9NIGZqOCp9Tu8=;
        b=JfR4emZTQ8R3DQrdgEfSB+2HuQhKQw1V9JD/pPvNjvfL3lA1dQSiYPg9MK7uEI0P1V
         FGAGKKBc5+nyRU7qYnMsn2rawnEOj0dP9vlo66YC7N3MhYzbx0xUbKj4JbsSccmrkimE
         6PsnrQy/Ja7jkh4wl3xJozWf2pvHNNyH58Jd9I7zyIYQwPlu9RQVZs8gt5z4CYQPsaHR
         2BA+c8SLOTc8mw5G87075pYFdgoiX1Ghwwan+YnlAia+SJHa4pGxwpdq4JAAGy+tAR+C
         jD7JcIIo98QrXaI1sj5mHY36mJ/nb90n/igYpd42TY4Fv0NpK/A5smrQGZqXaK1HN6as
         ZYnw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1723164706; x=1723769506;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=XVANk0qcPcnFzzYVCHvRt+g00d4r6j9NIGZqOCp9Tu8=;
        b=nRCH6/npe10LPIVwp73/msmwCJs0GTHWKCSGZ4A05TVnK36ThvdDvfV+4dnTippk2l
         hGLiECtXCh81h2dRjhc0iy1yEeZRPZB8ZvH0q+qRLT0NRqEUwbgAvXmph6JI/yl/3WEv
         lrRVztXTZkXdCA1pimwJydl+Gqt9tzF8KeMgUxizXKFtbkmT+Llny9xWqcxCIZawgTTk
         qrPWPA29atkBoYF6Zz3BUdkaRdKy9o7xHZs7D7+KiuQZpQ47I99K0aGFPAfNyddbqfT3
         DJSlbHk8dlzcZ45xWIc2geh22I1FvRBht/Sjl+LPQvYmZyMhmZbeZto5uk9E0KD4rYt5
         fiGw==
X-Gm-Message-State: AOJu0YwD9gfBPVRwLJdddGqQ8/Ssf26VVBSrOVD/B02PXth1giC4Y6r1
	Z2iL/4E4+zgPDkqU/A+cfXgvByWLD0HDkKCqBcpgCg3vXk4MVzUY+iRQtw==
X-Google-Smtp-Source: 
 AGHT+IHeIRkem4EAypQ6pWaN/BUemwYKvKCXtphX/iw5loceXIKjOjFDkEj39RKKHSyZ6W4A2Mh6PQ==
X-Received: by 2002:a05:6214:5543:b0:6b5:8dd2:468b with SMTP id
 6a1803df08f44-6bd6bd97f37mr51967516d6.44.1723164705745;
        Thu, 08 Aug 2024 17:51:45 -0700 (PDT)
Received: from n36-183-057.byted.org ([130.44.212.99])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bb9c797dbdsm71485826d6.52.2024.08.08.17.51.45
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 08 Aug 2024 17:51:45 -0700 (PDT)
From: Amery Hung <ameryhung@gmail.com>
X-Google-Original-From: Amery Hung <amery.hung@bytedance.com>
To: bpf@vger.kernel.org
Cc: daniel@iogearbox.net,
	andrii@kernel.org,
	alexei.starovoitov@gmail.com,
	martin.lau@kernel.org,
	houtao@huaweicloud.com,
	sinquersw@gmail.com,
	davemarchevsky@fb.com,
	ameryhung@gmail.com,
	Amery Hung <amery.hung@bytedance.com>
Subject: [PATCH v3 bpf-next 2/5] bpf: Search for kptrs in prog BTF structs
Date: Fri,  9 Aug 2024 00:51:28 +0000
Message-Id: <20240809005131.3916464-3-amery.hung@bytedance.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20240809005131.3916464-1-amery.hung@bytedance.com>
References: <20240809005131.3916464-1-amery.hung@bytedance.com>
Precedence: bulk
X-Mailing-List: bpf@vger.kernel.org
List-Id: <bpf.vger.kernel.org>
List-Subscribe: <mailto:bpf+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:bpf+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Patchwork-Delegate: bpf@iogearbox.net

From: Dave Marchevsky <davemarchevsky@fb.com>

Currently btf_parse_fields is used in two places to create struct
btf_record's for structs: when looking at mapval type, and when looking
at any struct in program BTF. The former looks for kptr fields while the
latter does not. This patch modifies the btf_parse_fields call made when
looking at prog BTF struct types to search for kptrs as well.

Before this series there was no reason to search for kptrs in non-mapval
types: a referenced kptr needs some owner to guarantee resource cleanup,
and map values were the only owner that supported this. If a struct with
a kptr field were to have some non-kptr-aware owner, the kptr field
might not be properly cleaned up and result in resources leaking. Only
searching for kptr fields in mapval was a simple way to avoid this
problem.

In practice, though, searching for BPF_KPTR when populating
struct_meta_tab does not expose us to this risk, as struct_meta_tab is
only accessed through btf_find_struct_meta helper, and that helper is
only called in contexts where recognizing the kptr field is safe:

  * PTR_TO_BTF_ID reg w/ MEM_ALLOC flag
    * Such a reg is a local kptr and must be free'd via bpf_obj_drop,
      which will correctly handle kptr field

  * When handling specific kfuncs which either expect MEM_ALLOC input or
    return MEM_ALLOC output (obj_{new,drop}, percpu_obj_{new,drop},
    list+rbtree funcs, refcount_acquire)
     * Will correctly handle kptr field for same reasons as above

  * When looking at kptr pointee type
     * Called by functions which implement "correct kptr resource
       handling"

  * In btf_check_and_fixup_fields
     * Helper that ensures no ownership loops for lists and rbtrees,
       doesn't care about kptr field existence

So we should be able to find BPF_KPTR fields in all prog BTF structs
without leaking resources.

Further patches in the series will build on this change to support
kptr_xchg into non-mapval local kptr. Without this change there would be
no kptr field found in such a type.

Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com>
Signed-off-by: Amery Hung <amery.hung@bytedance.com>
Acked-by: Hou Tao <houtao1@huawei.com>
---
 kernel/bpf/btf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index deacf9d7b276..afc53ad396ab 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -5585,7 +5585,8 @@ btf_parse_struct_metas(struct bpf_verifier_log *log, struct btf *btf)
 		type = &tab->types[tab->cnt];
 		type->btf_id = i;
 		record = btf_parse_fields(btf, t, BPF_SPIN_LOCK | BPF_LIST_HEAD | BPF_LIST_NODE |
-						  BPF_RB_ROOT | BPF_RB_NODE | BPF_REFCOUNT, t->size);
+						  BPF_RB_ROOT | BPF_RB_NODE | BPF_REFCOUNT |
+						  BPF_KPTR, t->size);
 		/* The record cannot be unset, treat it as an error if so */
 		if (IS_ERR_OR_NULL(record)) {
 			ret = PTR_ERR_OR_ZERO(record) ?: -EFAULT;

From patchwork Fri Aug  9 00:51:29 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amery Hung <ameryhung@gmail.com>
X-Patchwork-Id: 13758270
X-Patchwork-Delegate: bpf@iogearbox.net
Received: from mail-qv1-f54.google.com (mail-qv1-f54.google.com
 [209.85.219.54])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9E6941FDA
	for <bpf@vger.kernel.org>; Fri,  9 Aug 2024 00:51:47 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.219.54
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1723164709; cv=none;
 b=OlW6oApSnzbP3/61wtZKkW3CL/FxWj/wrQmRHmSe8rc9QsQUleUMS6y0sTFzeXYEe+lf+UsonrYjvd5cNj1gFqNaDHUagXlNXhxGwXjMxOg10fDWYh8j5TckKtkwFgxf6pogwr+V+toziPCZjilKZ2l9oqQ4G74lPQ80lTR3bng=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1723164709; c=relaxed/simple;
	bh=CBTN153jJzwjME+dO9P/o9STqxs6koh4Yk5fYysLgEo=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version;
 b=qeea4Q4P688acbf+gXrSATPJSIAlWUKaujVjWPYbvj0lXLgIPRHWjsU70OsXt0+IQSh0+jGEmsVlYZUc1YEcVReZMZ5YH+t37HlIjEJJbFwgoSZUYrEAIT77tf8LX5nRc0VhX/dKczxadeG4kAqaKeyGP6K44s36N8s6JqTGfNs=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=ONOU0Jdc; arc=none smtp.client-ip=209.85.219.54
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="ONOU0Jdc"
Received: by mail-qv1-f54.google.com with SMTP id
 6a1803df08f44-6b795574f9dso8728776d6.0
        for <bpf@vger.kernel.org>; Thu, 08 Aug 2024 17:51:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1723164706; x=1723769506;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=q6p8c1OUEhv+/PTai01JOAF17KOu2jscbjKAA2ruSl0=;
        b=ONOU0JdccLgBi/ml9hbHe4od557pZPZC4622zy6AE+fXwaEECcshPPjA3qzD+erjwG
         TeYSHGrXpMv6v1AVXqEBrJmTUVuY5p6g8e9lTYrBjLmLUOnUQjLrIUcn5mRwFvFFJC6K
         rBS7al8CPI8X7mm1BMab0vVtW54dozqTywvZ3sDzWSibdRnBKRvqCx1AOfBl6JUQozVV
         pMq7BzCuvLG3twEGdWYfDnHWsqlshXyKF51dU2FgIqC4fseGt5QuDsxfpjIwcjcFA5/H
         z6u1te100E3u8CEGnYN8UbJe1FGdmIrMEqlaPhiZnjSSZRSGP4612RGMv8+fuSSsc5eM
         rddw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1723164706; x=1723769506;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=q6p8c1OUEhv+/PTai01JOAF17KOu2jscbjKAA2ruSl0=;
        b=daHLJj7x1RmJpNe8GLkYmIBbQcOx/IHCPMs3TTkcY/KMHnoYDi6slnoYIZG6HnK8uC
         K//eVoSQCUWHDmZvBbJy9g1KCUIihJ0Z6+0euTCV/V1Rz8YuPBvPC18iOf5hjELWf7Ar
         VACNonwkK3FXNswdNq57fhQ9sHLcW4uzgYlgG7MlBseVSMuEoISphf8jzNyx1871FUts
         qHtePO272f+SyZdMyq/rQfC5xb02F4AEyujuBtox2TDq5jmesYVKz+YMKHyd7uoK/AVd
         N2uebG5v3+whbHISevhu34vGF8CV+fCohAJ2DN5yqBHr6d6/6kSADQ1f3cmF8nDWnJrJ
         HzVg==
X-Gm-Message-State: AOJu0YwvbE1Pk3trK5WMiEa3xm8E2Be2s5jVEqUtoOXP+tDhhkN9tLCH
	Dsx+8k+dYmXoQVRH1++5u8mXtZoZGT/3MOe5V2ivukKFVIzAatOQ+7gzrw==
X-Google-Smtp-Source: 
 AGHT+IEvWUGxiRWD+69fcSCQeJQMEbpj5Ln2HcF9UDldAdYi8DH7e51mJJPU+PhZ/70woiVKFfdvkA==
X-Received: by 2002:a05:6214:3385:b0:6b7:431c:1b19 with SMTP id
 6a1803df08f44-6bd78da62efmr12246d6.6.1723164706321;
        Thu, 08 Aug 2024 17:51:46 -0700 (PDT)
Received: from n36-183-057.byted.org ([130.44.212.99])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bb9c797dbdsm71485826d6.52.2024.08.08.17.51.45
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 08 Aug 2024 17:51:46 -0700 (PDT)
From: Amery Hung <ameryhung@gmail.com>
X-Google-Original-From: Amery Hung <amery.hung@bytedance.com>
To: bpf@vger.kernel.org
Cc: daniel@iogearbox.net,
	andrii@kernel.org,
	alexei.starovoitov@gmail.com,
	martin.lau@kernel.org,
	houtao@huaweicloud.com,
	sinquersw@gmail.com,
	davemarchevsky@fb.com,
	ameryhung@gmail.com,
	Amery Hung <amery.hung@bytedance.com>
Subject: [PATCH v3 bpf-next 3/5] bpf: Rename ARG_PTR_TO_KPTR ->
 ARG_KPTR_XCHG_DEST
Date: Fri,  9 Aug 2024 00:51:29 +0000
Message-Id: <20240809005131.3916464-4-amery.hung@bytedance.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20240809005131.3916464-1-amery.hung@bytedance.com>
References: <20240809005131.3916464-1-amery.hung@bytedance.com>
Precedence: bulk
X-Mailing-List: bpf@vger.kernel.org
List-Id: <bpf.vger.kernel.org>
List-Subscribe: <mailto:bpf+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:bpf+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Patchwork-Delegate: bpf@iogearbox.net

From: Dave Marchevsky <davemarchevsky@fb.com>

ARG_PTR_TO_KPTR is currently only used by the bpf_kptr_xchg helper.
Although it limits reg types for that helper's first arg to
PTR_TO_MAP_VALUE, any arbitrary mapval won't do: further custom
verification logic ensures that the mapval reg being xchgd-into is
pointing to a kptr field. If this is not the case, it's not safe to xchg
into that reg's pointee.

Let's rename the bpf_arg_type to more accurately describe the fairly
specific expectations that this arg type encodes.

This is a nonfunctional change.

Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com>
Signed-off-by: Amery Hung <amery.hung@bytedance.com>
---
 include/linux/bpf.h   | 2 +-
 kernel/bpf/helpers.c  | 2 +-
 kernel/bpf/verifier.c | 6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 7ad37cbdc815..f853e350c057 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -744,7 +744,7 @@ enum bpf_arg_type {
 	ARG_PTR_TO_STACK,	/* pointer to stack */
 	ARG_PTR_TO_CONST_STR,	/* pointer to a null terminated read-only string */
 	ARG_PTR_TO_TIMER,	/* pointer to bpf_timer */
-	ARG_PTR_TO_KPTR,	/* pointer to referenced kptr */
+	ARG_KPTR_XCHG_DEST,	/* pointer to destination that kptrs are bpf_kptr_xchg'd into */
 	ARG_PTR_TO_DYNPTR,      /* pointer to bpf_dynptr. See bpf_type_flag for dynptr type */
 	__BPF_ARG_TYPE_MAX,
 
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index d02ae323996b..8ecd8dc95f16 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -1636,7 +1636,7 @@ static const struct bpf_func_proto bpf_kptr_xchg_proto = {
 	.gpl_only     = false,
 	.ret_type     = RET_PTR_TO_BTF_ID_OR_NULL,
 	.ret_btf_id   = BPF_PTR_POISON,
-	.arg1_type    = ARG_PTR_TO_KPTR,
+	.arg1_type    = ARG_KPTR_XCHG_DEST,
 	.arg2_type    = ARG_PTR_TO_BTF_ID_OR_NULL | OBJ_RELEASE,
 	.arg2_btf_id  = BPF_PTR_POISON,
 };
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 1f5302fb0957..9f2964b13b46 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -8399,7 +8399,7 @@ static const struct bpf_reg_types func_ptr_types = { .types = { PTR_TO_FUNC } };
 static const struct bpf_reg_types stack_ptr_types = { .types = { PTR_TO_STACK } };
 static const struct bpf_reg_types const_str_ptr_types = { .types = { PTR_TO_MAP_VALUE } };
 static const struct bpf_reg_types timer_types = { .types = { PTR_TO_MAP_VALUE } };
-static const struct bpf_reg_types kptr_types = { .types = { PTR_TO_MAP_VALUE } };
+static const struct bpf_reg_types kptr_xchg_dest_types = { .types = { PTR_TO_MAP_VALUE } };
 static const struct bpf_reg_types dynptr_types = {
 	.types = {
 		PTR_TO_STACK,
@@ -8431,7 +8431,7 @@ static const struct bpf_reg_types *compatible_reg_types[__BPF_ARG_TYPE_MAX] = {
 	[ARG_PTR_TO_STACK]		= &stack_ptr_types,
 	[ARG_PTR_TO_CONST_STR]		= &const_str_ptr_types,
 	[ARG_PTR_TO_TIMER]		= &timer_types,
-	[ARG_PTR_TO_KPTR]		= &kptr_types,
+	[ARG_KPTR_XCHG_DEST]		= &kptr_xchg_dest_types,
 	[ARG_PTR_TO_DYNPTR]		= &dynptr_types,
 };
 
@@ -9031,7 +9031,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
 			return err;
 		break;
 	}
-	case ARG_PTR_TO_KPTR:
+	case ARG_KPTR_XCHG_DEST:
 		err = process_kptr_func(env, regno, meta);
 		if (err)
 			return err;

From patchwork Fri Aug  9 00:51:30 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amery Hung <ameryhung@gmail.com>
X-Patchwork-Id: 13758271
X-Patchwork-Delegate: bpf@iogearbox.net
Received: from mail-vs1-f44.google.com (mail-vs1-f44.google.com
 [209.85.217.44])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 564E979D0
	for <bpf@vger.kernel.org>; Fri,  9 Aug 2024 00:51:48 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.217.44
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1723164710; cv=none;
 b=E2GQ4ifc8wX9cOB+HDxCFKwSxIjpxCIGnYBdeoa3/Wu43/cYsGEr+5r4lN3ZDEpvTA1xoh9ElSCrQwP+B60NZkI0FQyLvrVutXDmzn/KGvhw376TdeQNd9NI20Yw2AsDjUVBi+Kb74PxeBJbHWS+22kpQG1lbFHlqL8ojxxb58c=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1723164710; c=relaxed/simple;
	bh=9bVt2RqQHMBiLL+bNtCoVf9m2FTiqTamJTbmrLYY5Ks=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version;
 b=MpSYRUV03Zk2+svyxYNv6zZn2x/hRRGYjYVpW/ZpNVu/k84dSVxQONeSWf0NVn4WeP2HJ21S1DSWjI59cB23XYeP6NQe4SxebCPG2XQn+eOslSZv1iKnQPgk0kg/JOv8ouuz63jLRx4B+aPq5JvcPcWWSZRb5fzYke62getcLvI=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=icd5gUmH; arc=none smtp.client-ip=209.85.217.44
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="icd5gUmH"
Received: by mail-vs1-f44.google.com with SMTP id
 ada2fe7eead31-493d748ba72so535683137.3
        for <bpf@vger.kernel.org>; Thu, 08 Aug 2024 17:51:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1723164707; x=1723769507;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=kSdXUIc8I8ipGRJ21IkX+BG97y/uudEncK49JhUrZvI=;
        b=icd5gUmHfRrRYfORlzm4rahd6hUeQQ2GQcuUt/PRpPwEcn3l73v9n22tJHswv1h+eM
         NiUkq4skyrsjCSa1xTy4GNaCx0pqvR4PNDDAiPRqfCaekBIBkmu0LUQda15YPXoGAVOj
         C3LNDGJCqXLAf1Ky44QTLOkoeIfb3OaqqGomP88lJfOhQOi4dp/v9yqnjDG0H4QrGRzR
         B72zUtwk+u0D1eMB0In6oprrB1YvNFhdMTmaoS/Pi54iTo0/loNiBr3QJfcj5heo5XI4
         l2b5/ZG+ccF1y8/VL3aNQRYu9gpmzrfOQ5rMgne/EVvgxr+Yu4IUZnfdCTkJeR2jndjD
         i/bg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1723164707; x=1723769507;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=kSdXUIc8I8ipGRJ21IkX+BG97y/uudEncK49JhUrZvI=;
        b=Ull9YK05HabtfEiSywQMetiA1w1ntxWS4y/CxkpvmskKLh4gB18BB13HbLPwhyypsD
         6n2z928XNhzoTKbfD0nlYgHQ81RMsMSn4OHdlaZbdEM4Wt+c3lplMRck175+AKmtGQ6U
         MEbBcn1+np9zO4k0r0bXrf0Vnn7VbvprZajoomaqUKdZKXX87vLLDqewUbvjhO4eYKp4
         MbTvcHF1Q5HhPogseJfK4/tWP0PTC5r63IdrT1oOVzm8nEKKQLiyy+inyMeU5jovzpxx
         onkLNW7cKqGLWzzr09JXnlZFx+HZqPTBE0KxF8GNfheZ4N8OtbgE6vx47ZTXLPBBq8Ae
         9YWg==
X-Gm-Message-State: AOJu0YxuoiCXklnsQhM2p7HRBD2m1fagMbXRDpiNbEK0qCCYw/8daPzO
	Pj6f6DaIaj+u19WC+tFsNiCO6LiS15PpnIzTR+WmS6IsgxRb1ddFj/RyzA==
X-Google-Smtp-Source: 
 AGHT+IF3L+Uf15x4N682FOROoQCjZtCHI9KDfNd/T/dtGD3Y8YdpmMRufLiFEDQFzJHwfVebmx5nkw==
X-Received: by 2002:a05:6102:3052:b0:493:b719:efaf with SMTP id
 ada2fe7eead31-495c5c33af9mr4201563137.20.1723164706918;
        Thu, 08 Aug 2024 17:51:46 -0700 (PDT)
Received: from n36-183-057.byted.org ([130.44.212.99])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bb9c797dbdsm71485826d6.52.2024.08.08.17.51.46
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 08 Aug 2024 17:51:46 -0700 (PDT)
From: Amery Hung <ameryhung@gmail.com>
X-Google-Original-From: Amery Hung <amery.hung@bytedance.com>
To: bpf@vger.kernel.org
Cc: daniel@iogearbox.net,
	andrii@kernel.org,
	alexei.starovoitov@gmail.com,
	martin.lau@kernel.org,
	houtao@huaweicloud.com,
	sinquersw@gmail.com,
	davemarchevsky@fb.com,
	ameryhung@gmail.com,
	Amery Hung <amery.hung@bytedance.com>
Subject: [PATCH v3 bpf-next 4/5] bpf: Support bpf_kptr_xchg into local kptr
Date: Fri,  9 Aug 2024 00:51:30 +0000
Message-Id: <20240809005131.3916464-5-amery.hung@bytedance.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20240809005131.3916464-1-amery.hung@bytedance.com>
References: <20240809005131.3916464-1-amery.hung@bytedance.com>
Precedence: bulk
X-Mailing-List: bpf@vger.kernel.org
List-Id: <bpf.vger.kernel.org>
List-Subscribe: <mailto:bpf+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:bpf+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Patchwork-Delegate: bpf@iogearbox.net

From: Dave Marchevsky <davemarchevsky@fb.com>

Currently, users can only stash kptr into map values with bpf_kptr_xchg().
This patch further supports stashing kptr into local kptr by adding local
kptr as a valid destination type.

When stashing into local kptr, btf_record in program BTF is used instead
of btf_record in map to search for the btf_field of the local kptr.

The local kptr specific checks in check_reg_type() only apply when the
source argument of bpf_kptr_xchg() is local kptr. Therefore, we make the
scope of the check explicit as the destination now can also be local kptr.

Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com>
Signed-off-by: Amery Hung <amery.hung@bytedance.com>
---
 include/uapi/linux/bpf.h |  9 ++++----
 kernel/bpf/helpers.c     |  4 ++--
 kernel/bpf/verifier.c    | 44 +++++++++++++++++++++++++++-------------
 3 files changed, 37 insertions(+), 20 deletions(-)

diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 35bcf52dbc65..e2629457d72d 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -5519,11 +5519,12 @@ union bpf_attr {
  *		**-EOPNOTSUPP** if the hash calculation failed or **-EINVAL** if
  *		invalid arguments are passed.
  *
- * void *bpf_kptr_xchg(void *map_value, void *ptr)
+ * void *bpf_kptr_xchg(void *dst, void *ptr)
  *	Description
- *		Exchange kptr at pointer *map_value* with *ptr*, and return the
- *		old value. *ptr* can be NULL, otherwise it must be a referenced
- *		pointer which will be released when this helper is called.
+ *		Exchange kptr at pointer *dst* with *ptr*, and return the old value.
+ *		*dst* can be map value or local kptr. *ptr* can be NULL, otherwise
+ *		it must be a referenced pointer which will be released when this helper
+ *		is called.
  *	Return
  *		The old value of kptr (which can be NULL). The returned pointer
  *		if not NULL, is a reference which must be released using its
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 8ecd8dc95f16..d1a39734894c 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -1619,9 +1619,9 @@ void bpf_wq_cancel_and_free(void *val)
 	schedule_work(&work->delete_work);
 }
 
-BPF_CALL_2(bpf_kptr_xchg, void *, map_value, void *, ptr)
+BPF_CALL_2(bpf_kptr_xchg, void *, dst, void *, ptr)
 {
-	unsigned long *kptr = map_value;
+	unsigned long *kptr = dst;
 
 	/* This helper may be inlined by verifier. */
 	return xchg(kptr, (unsigned long)ptr);
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 9f2964b13b46..5a4ca7e29272 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7803,29 +7803,38 @@ static int process_kptr_func(struct bpf_verifier_env *env, int regno,
 			     struct bpf_call_arg_meta *meta)
 {
 	struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno];
-	struct bpf_map *map_ptr = reg->map_ptr;
 	struct btf_field *kptr_field;
+	struct bpf_map *map_ptr;
+	struct btf_record *rec;
 	u32 kptr_off;
 
+	if (type_is_ptr_alloc_obj(reg->type)) {
+		rec = reg_btf_record(reg);
+	} else { /* PTR_TO_MAP_VALUE */
+		map_ptr = reg->map_ptr;
+		if (!map_ptr->btf) {
+			verbose(env, "map '%s' has to have BTF in order to use bpf_kptr_xchg\n",
+				map_ptr->name);
+			return -EINVAL;
+		}
+		rec = map_ptr->record;
+		meta->map_ptr = map_ptr;
+	}
+
 	if (!tnum_is_const(reg->var_off)) {
 		verbose(env,
 			"R%d doesn't have constant offset. kptr has to be at the constant offset\n",
 			regno);
 		return -EINVAL;
 	}
-	if (!map_ptr->btf) {
-		verbose(env, "map '%s' has to have BTF in order to use bpf_kptr_xchg\n",
-			map_ptr->name);
-		return -EINVAL;
-	}
-	if (!btf_record_has_field(map_ptr->record, BPF_KPTR)) {
-		verbose(env, "map '%s' has no valid kptr\n", map_ptr->name);
+
+	if (!btf_record_has_field(rec, BPF_KPTR)) {
+		verbose(env, "R%d has no valid kptr\n", regno);
 		return -EINVAL;
 	}
 
-	meta->map_ptr = map_ptr;
 	kptr_off = reg->off + reg->var_off.value;
-	kptr_field = btf_record_find(map_ptr->record, kptr_off, BPF_KPTR);
+	kptr_field = btf_record_find(rec, kptr_off, BPF_KPTR);
 	if (!kptr_field) {
 		verbose(env, "off=%d doesn't point to kptr\n", kptr_off);
 		return -EACCES;
@@ -8399,7 +8408,12 @@ static const struct bpf_reg_types func_ptr_types = { .types = { PTR_TO_FUNC } };
 static const struct bpf_reg_types stack_ptr_types = { .types = { PTR_TO_STACK } };
 static const struct bpf_reg_types const_str_ptr_types = { .types = { PTR_TO_MAP_VALUE } };
 static const struct bpf_reg_types timer_types = { .types = { PTR_TO_MAP_VALUE } };
-static const struct bpf_reg_types kptr_xchg_dest_types = { .types = { PTR_TO_MAP_VALUE } };
+static const struct bpf_reg_types kptr_xchg_dest_types = {
+	.types = {
+		PTR_TO_MAP_VALUE,
+		PTR_TO_BTF_ID | MEM_ALLOC
+	}
+};
 static const struct bpf_reg_types dynptr_types = {
 	.types = {
 		PTR_TO_STACK,
@@ -8470,7 +8484,8 @@ static int check_reg_type(struct bpf_verifier_env *env, u32 regno,
 	if (base_type(arg_type) == ARG_PTR_TO_MEM)
 		type &= ~DYNPTR_TYPE_FLAG_MASK;
 
-	if (meta->func_id == BPF_FUNC_kptr_xchg && type_is_alloc(type)) {
+	/* Local kptr types are allowed as the source argument of bpf_kptr_xchg */
+	if (meta->func_id == BPF_FUNC_kptr_xchg && type_is_alloc(type) && regno == BPF_REG_2) {
 		type &= ~MEM_ALLOC;
 		type &= ~MEM_PERCPU;
 	}
@@ -8563,7 +8578,8 @@ static int check_reg_type(struct bpf_verifier_env *env, u32 regno,
 			verbose(env, "verifier internal error: unimplemented handling of MEM_ALLOC\n");
 			return -EFAULT;
 		}
-		if (meta->func_id == BPF_FUNC_kptr_xchg) {
+		/* Check if local kptr in src arg matches kptr in dst arg */
+		if (meta->func_id == BPF_FUNC_kptr_xchg && regno == BPF_REG_2) {
 			if (map_kptr_match_type(env, meta->kptr_field, reg, regno))
 				return -EACCES;
 		}
@@ -8874,7 +8890,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
 		meta->release_regno = regno;
 	}
 
-	if (reg->ref_obj_id) {
+	if (reg->ref_obj_id && base_type(arg_type) != ARG_KPTR_XCHG_DEST) {
 		if (meta->ref_obj_id) {
 			verbose(env, "verifier internal error: more than one arg with ref_obj_id R%d %u %u\n",
 				regno, reg->ref_obj_id,

From patchwork Fri Aug  9 00:51:31 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amery Hung <ameryhung@gmail.com>
X-Patchwork-Id: 13758272
X-Patchwork-Delegate: bpf@iogearbox.net
Received: from mail-qv1-f52.google.com (mail-qv1-f52.google.com
 [209.85.219.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id B3EDC79F5
	for <bpf@vger.kernel.org>; Fri,  9 Aug 2024 00:51:48 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.219.52
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1723164710; cv=none;
 b=SR6vznRxjbTLJ8/Sj4L98GH50aHtzHK0mbetYGEU6iI/kW7VLrBeImKRyed8rAuXlrDU/G4x5+Hh3p23xJSLIL3RNJAI4A0dozYvIiFGkIpYmTR/5KVmgcO9EGn1YnuUA73N3ZlV5VQ7BEmsafSpMxR5ZMBkGpXIwZpjCyhUINM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1723164710; c=relaxed/simple;
	bh=M5Eo2vDfQ+2Pl4OGJh+k5AzK/n7vl/1e/IUpR4QMsXM=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version;
 b=QUZ5H8/s1141odt2ih9DNiAw7Vrj1+HBp5hM/JQ2Et9XukiAtSK/85+Gw6r6agHjgIW0vQOGsCEVIyfhcYiDtsNnWd/WJ+YOlNy4AkKB4c+4LYaUBw86KNAjPX5eX6GEub8XMJSyAGp9L9UGnyikfWB3Jm/iSY/2ZdCQVBrKtvw=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=QMJs5U76; arc=none smtp.client-ip=209.85.219.52
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="QMJs5U76"
Received: by mail-qv1-f52.google.com with SMTP id
 6a1803df08f44-6b796667348so13181716d6.0
        for <bpf@vger.kernel.org>; Thu, 08 Aug 2024 17:51:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1723164707; x=1723769507;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=VWExKpUbRtRNFkWQNseA9PZIgXxrgTns6/2vb+pRNB4=;
        b=QMJs5U76plPg71uVFbf30oj8Wko/QnS6ljBOHS67EtrI07dlJLG59bFVK7YUqYrp4/
         gWGAT7oSmu/DkynFNDb4VWV4d7NaCZge9KiyWMIhXPfbF/JO8WcUl+Id95qB9GmUUnCk
         FIZo9Co0HP5RxoHXtX9YhR5UlB5x2sfzVNzXJSoV4tb7UmPBtHpzQpCBvwm3jTnSmcY5
         KOIXABKsVSI9ziczwkWhWtsV/A0lQzCRRrrsNGSfih1ofEuI+V/wiiacdPJaJ/msE/Sv
         S/8HgbSKGcq+X0K9vTkLJSjgGpl/HtrxBsI8FsGDLRCkOZt2DWeYCTeQfZOeyhkq7mrp
         X/TA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1723164707; x=1723769507;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=VWExKpUbRtRNFkWQNseA9PZIgXxrgTns6/2vb+pRNB4=;
        b=S0giMEZiAWhpedMEqcA4ay7dPrBjktcEeV++K+RAEUSfjZJR65WC28vRJPlvOdB7bs
         c4sUMgN/fmndbBNYs709LhEDsNsf7+gp2sfUCb+AOhN2dIYcvvb/IYgNiW+BZ2vRZGNC
         wdp8Eae14CeCEyyKPNLmuIEoEsf8wD8fhVkKP1bpkLPJZagodg1IIXYUPatY2gpGGacJ
         UiVwgJVUGOTx+7H8fDLR/06xprpyvkbsmuWFuLLcP63jjPvcdNKEtIJnzNSY2Z9G8cmm
         YCkYKKFKqNoe5/ihZoU3aswNor1rYBWubT+wJkbA6fxSce8IMzZjpAHrUUnSHT7PyMmp
         WgFg==
X-Gm-Message-State: AOJu0Yx23DoNPl5p+LDsdnRVADALzuLaq4WUIpkLZGYm4umbDh+L49A7
	g4OvGeBt6m8Q2cHQgEY7rgeD2uM0GgTro2CKIeLbgC5Zo+d75MncWjObpw==
X-Google-Smtp-Source: 
 AGHT+IHiKiq04CdO4vdcNqMmxIpA1b0qWEUTrqgQsRNmYhMidFxy05lC56wnQqIAMpHtr1kIW9PTzA==
X-Received: by 2002:a05:6214:c2e:b0:6b5:2aa3:3a7f with SMTP id
 6a1803df08f44-6bd6cb46a5amr64229166d6.20.1723164707397;
        Thu, 08 Aug 2024 17:51:47 -0700 (PDT)
Received: from n36-183-057.byted.org ([130.44.212.99])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bb9c797dbdsm71485826d6.52.2024.08.08.17.51.47
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 08 Aug 2024 17:51:47 -0700 (PDT)
From: Amery Hung <ameryhung@gmail.com>
X-Google-Original-From: Amery Hung <amery.hung@bytedance.com>
To: bpf@vger.kernel.org
Cc: daniel@iogearbox.net,
	andrii@kernel.org,
	alexei.starovoitov@gmail.com,
	martin.lau@kernel.org,
	houtao@huaweicloud.com,
	sinquersw@gmail.com,
	davemarchevsky@fb.com,
	ameryhung@gmail.com,
	Amery Hung <amery.hung@bytedance.com>
Subject: [PATCH v3 bpf-next 5/5] selftests/bpf: Test bpf_kptr_xchg stashing
 into local kptr
Date: Fri,  9 Aug 2024 00:51:31 +0000
Message-Id: <20240809005131.3916464-6-amery.hung@bytedance.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20240809005131.3916464-1-amery.hung@bytedance.com>
References: <20240809005131.3916464-1-amery.hung@bytedance.com>
Precedence: bulk
X-Mailing-List: bpf@vger.kernel.org
List-Id: <bpf.vger.kernel.org>
List-Subscribe: <mailto:bpf+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:bpf+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Patchwork-Delegate: bpf@iogearbox.net

From: Dave Marchevsky <davemarchevsky@fb.com>

Test stashing both referenced kptr and local kptr into local kptrs. Then,
test unstashing them.

Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com>
Signed-off-by: Amery Hung <amery.hung@bytedance.com>
Acked-by: Hou Tao <houtao1@huawei.com>
---
 .../selftests/bpf/progs/local_kptr_stash.c    | 58 ++++++++++++++++++-
 1 file changed, 56 insertions(+), 2 deletions(-)

diff --git a/tools/testing/selftests/bpf/progs/local_kptr_stash.c b/tools/testing/selftests/bpf/progs/local_kptr_stash.c
index 75043ffc5dad..ce7bf7790917 100644
--- a/tools/testing/selftests/bpf/progs/local_kptr_stash.c
+++ b/tools/testing/selftests/bpf/progs/local_kptr_stash.c
@@ -8,9 +8,13 @@
 #include "../bpf_experimental.h"
 #include "../bpf_testmod/bpf_testmod_kfunc.h"
 
+struct plain_local;
+
 struct node_data {
 	long key;
 	long data;
+	struct prog_test_ref_kfunc __kptr *stashed_in_kptr;
+	struct plain_local __kptr *stashed_in_local_kptr;
 	struct bpf_rb_node node;
 };
 
@@ -85,18 +89,52 @@ static bool less(struct bpf_rb_node *a, const struct bpf_rb_node *b)
 
 static int create_and_stash(int idx, int val)
 {
+	struct prog_test_ref_kfunc *inner_kptr;
+	struct plain_local *inner_local_kptr;
 	struct map_value *mapval;
 	struct node_data *res;
+	unsigned long dummy;
 
 	mapval = bpf_map_lookup_elem(&some_nodes, &idx);
 	if (!mapval)
 		return 1;
 
+	dummy = 0;
+	inner_kptr = bpf_kfunc_call_test_acquire(&dummy);
+	if (!inner_kptr)
+		return 2;
+
+	inner_local_kptr = bpf_obj_new(typeof(*inner_local_kptr));
+	if (!inner_local_kptr) {
+		bpf_kfunc_call_test_release(inner_kptr);
+		return 3;
+	}
+
 	res = bpf_obj_new(typeof(*res));
-	if (!res)
-		return 1;
+	if (!res) {
+		bpf_kfunc_call_test_release(inner_kptr);
+		bpf_obj_drop(inner_local_kptr);
+		return 4;
+	}
 	res->key = val;
 
+	inner_kptr = bpf_kptr_xchg(&res->stashed_in_kptr, inner_kptr);
+	if (inner_kptr) {
+		/* Should never happen, we just obj_new'd res */
+		bpf_kfunc_call_test_release(inner_kptr);
+		bpf_obj_drop(inner_local_kptr);
+		bpf_obj_drop(res);
+		return 5;
+	}
+
+	inner_local_kptr = bpf_kptr_xchg(&res->stashed_in_local_kptr, inner_local_kptr);
+	if (inner_local_kptr) {
+		/* Should never happen, we just obj_new'd res */
+		bpf_obj_drop(inner_local_kptr);
+		bpf_obj_drop(res);
+		return 6;
+	}
+
 	res = bpf_kptr_xchg(&mapval->node, res);
 	if (res)
 		bpf_obj_drop(res);
@@ -169,6 +207,8 @@ long stash_local_with_root(void *ctx)
 SEC("tc")
 long unstash_rb_node(void *ctx)
 {
+	struct prog_test_ref_kfunc *inner_kptr = NULL;
+	struct plain_local *inner_local_kptr = NULL;
 	struct map_value *mapval;
 	struct node_data *res;
 	long retval;
@@ -180,6 +220,20 @@ long unstash_rb_node(void *ctx)
 
 	res = bpf_kptr_xchg(&mapval->node, NULL);
 	if (res) {
+		inner_kptr = bpf_kptr_xchg(&res->stashed_in_kptr, inner_kptr);
+		if (!inner_kptr) {
+			bpf_obj_drop(res);
+			return 1;
+		}
+		bpf_kfunc_call_test_release(inner_kptr);
+
+		inner_local_kptr = bpf_kptr_xchg(&res->stashed_in_local_kptr, inner_local_kptr);
+		if (!inner_local_kptr) {
+			bpf_obj_drop(res);
+			return 1;
+		}
+		bpf_obj_drop(inner_local_kptr);
+
 		retval = res->key;
 		bpf_obj_drop(res);
 		return retval;