From: Dave Marchevsky <davemarchevsky@fb.com>
To: <bpf@vger.kernel.org>
Cc: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Kernel Team <kernel-team@fb.com>,
Kumar Kartikeya Dwivedi <memxor@gmail.com>,
Tejun Heo <tj@kernel.org>,
Dave Marchevsky <davemarchevsky@fb.com>
Subject: [PATCH v2 bpf-next 01/13] bpf: Support multiple arg regs w/ ref_obj_id for kfuncs
Date: Sat, 17 Dec 2022 00:24:54 -0800 [thread overview]
Message-ID: <20221217082506.1570898-2-davemarchevsky@fb.com> (raw)
In-Reply-To: <20221217082506.1570898-1-davemarchevsky@fb.com>
Currently, kfuncs marked KF_RELEASE indicate that they release some
previously-acquired arg. The verifier assumes that such a function will
only have one arg reg w/ ref_obj_id set, and that that arg is the one to
be released. Multiple kfunc arg regs have ref_obj_id set is considered
an invalid state.
For helpers, RELEASE is used to tag a particular arg in the function
proto, not the function itself. The arg with OBJ_RELEASE type tag is the
arg that the helper will release. There can only be one such tagged arg.
When verifying arg regs, multiple helper arg regs w/ ref_obj_id set is
also considered an invalid state.
Later patches in this series will result in some linked_list helpers
marked KF_RELEASE having a valid reason to take two ref_obj_id args.
Specifically, bpf_list_push_{front,back} can push a node to a list head
which is itself part of a list node. In such a scenario both arguments
to these functions would have ref_obj_id > 0, thus would fail
verification under current logic.
This patch changes kfunc ref_obj_id searching logic to find the last arg
reg w/ ref_obj_id and consider that the reg-to-release. This should be
backwards-compatible with all current kfuncs as they only expect one
such arg reg.
Currently the ref_obj_id and OBJ_RELEASE searching is done in the code
that examines each individual arg (check_func_arg for helpers and
check_kfunc_args inner loop for kfuncs). This patch pulls out this
searching to occur before individual arg type handling, resulting in a
cleaner separation of logic.
Two new helpers are added:
* args_find_ref_obj_id_regno
* For helpers and kfuncs. Searches through arg regs to find
ref_obj_id reg and returns its regno. Helpers set allow_multi =
false, retaining "only one ref_obj_id arg" behavior, while kfuncs
set allow_multi = true and get the last ref_obj_id arg reg back.
* helper_proto_find_release_arg_regno
* For helpers only. Searches through fn proto args to find the
OBJ_RELEASE arg and returns the corresponding regno.
Aside from the intentional semantic change for kfuncs, the rest of the
refactoring strives to keep failure logic and error messages unchanged.
However, because the release arg searching is now done before any
arg-specific type checking, verifier states that are invalid due to both
invalid release arg state _and_ some type- or helper-specific checking
might see release arg-related error message first.
Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com>
---
kernel/bpf/verifier.c | 206 ++++++++++++++++++++++++++++--------------
1 file changed, 138 insertions(+), 68 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index a5255a0dcbb6..824e2242eae5 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -6412,49 +6412,6 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
return err;
skip_type_check:
- if (arg_type_is_release(arg_type)) {
- if (arg_type_is_dynptr(arg_type)) {
- struct bpf_func_state *state = func(env, reg);
- int spi;
-
- /* Only dynptr created on stack can be released, thus
- * the get_spi and stack state checks for spilled_ptr
- * should only be done before process_dynptr_func for
- * PTR_TO_STACK.
- */
- if (reg->type == PTR_TO_STACK) {
- spi = get_spi(reg->off);
- if (!is_spi_bounds_valid(state, spi, BPF_DYNPTR_NR_SLOTS) ||
- !state->stack[spi].spilled_ptr.ref_obj_id) {
- verbose(env, "arg %d is an unacquired reference\n", regno);
- return -EINVAL;
- }
- } else {
- verbose(env, "cannot release unowned const bpf_dynptr\n");
- return -EINVAL;
- }
- } else if (!reg->ref_obj_id && !register_is_null(reg)) {
- verbose(env, "R%d must be referenced when passed to release function\n",
- regno);
- return -EINVAL;
- }
- if (meta->release_regno) {
- verbose(env, "verifier internal error: more than one release argument\n");
- return -EFAULT;
- }
- meta->release_regno = regno;
- }
-
- if (reg->ref_obj_id) {
- if (meta->ref_obj_id) {
- verbose(env, "verifier internal error: more than one arg with ref_obj_id R%d %u %u\n",
- regno, reg->ref_obj_id,
- meta->ref_obj_id);
- return -EFAULT;
- }
- meta->ref_obj_id = reg->ref_obj_id;
- }
-
switch (base_type(arg_type)) {
case ARG_CONST_MAP_PTR:
/* bpf_map_xxx(map_ptr) call: remember that map_ptr */
@@ -6565,6 +6522,27 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
err = check_mem_size_reg(env, reg, regno, true, meta);
break;
case ARG_PTR_TO_DYNPTR:
+ if (meta->release_regno == regno) {
+ struct bpf_func_state *state = func(env, reg);
+ int spi;
+
+ /* Only dynptr created on stack can be released, thus
+ * the get_spi and stack state checks for spilled_ptr
+ * should only be done before process_dynptr_func for
+ * PTR_TO_STACK.
+ */
+ if (reg->type == PTR_TO_STACK) {
+ spi = get_spi(reg->off);
+ if (!is_spi_bounds_valid(state, spi, BPF_DYNPTR_NR_SLOTS) ||
+ !state->stack[spi].spilled_ptr.ref_obj_id) {
+ verbose(env, "arg %d is an unacquired reference\n", regno);
+ return -EINVAL;
+ }
+ } else {
+ verbose(env, "cannot release unowned const bpf_dynptr\n");
+ return -EINVAL;
+ }
+ }
err = process_dynptr_func(env, regno, arg_type, meta);
if (err)
return err;
@@ -7699,10 +7677,78 @@ static void update_loop_inline_state(struct bpf_verifier_env *env, u32 subprogno
state->callback_subprogno == subprogno);
}
+/* Call arg meta's ref_obj_id is used to either:
+ * - For release funcs, keep track of ref that needs to be released
+ * - For other funcs, keep track of ref that needs to be propagated to retval
+ *
+ * Find and return:
+ * - Regno that should become meta->ref_obj_id on success
+ * (regno > 0 since BPF_REG_1 is first arg)
+ * - 0 if no arg had ref_obj_id set
+ * - Negative err if some invalid arg reg state
+ *
+ * allow_multi controls whether multiple args w/ ref_obj_id set is valid
+ * - true: regno of _last_ such arg reg is returned
+ * - false: err if multiple args w/ ref_obj_id set are seen
+ */
+static int args_find_ref_obj_id_regno(struct bpf_verifier_env *env, struct bpf_reg_state *regs,
+ u32 nargs, bool allow_multi)
+{
+ struct bpf_reg_state *reg;
+ u32 i, regno, found_regno = 0;
+
+ for (i = 0; i < nargs; i++) {
+ regno = i + 1;
+ reg = ®s[regno];
+
+ if (!reg->ref_obj_id)
+ continue;
+
+ if (!allow_multi && found_regno) {
+ verbose(env, "verifier internal error: more than one arg with ref_obj_id R%d %u %u\n",
+ regno, reg->ref_obj_id, regs[found_regno].ref_obj_id);
+ return -EFAULT;
+ }
+
+ found_regno = regno;
+ }
+
+ return found_regno;
+}
+
+/* Find the OBJ_RELEASE arg in helper func proto and return:
+ * - regno of single OBJ_RELEASE arg
+ * - 0 if no arg in the proto was OBJ_RELEASE
+ * - Negative err if some invalid func proto state
+ */
+static int helper_proto_find_release_arg_regno(struct bpf_verifier_env *env,
+ const struct bpf_func_proto *fn, u32 nargs)
+{
+ enum bpf_arg_type arg_type;
+ int i, release_regno = 0;
+
+ for (i = 0; i < nargs; i++) {
+ arg_type = fn->arg_type[i];
+
+ if (!arg_type_is_release(arg_type))
+ continue;
+
+ if (release_regno) {
+ verbose(env, "verifier internal error: more than one release argument\n");
+ return -EFAULT;
+ }
+
+ release_regno = i + BPF_REG_1;
+ }
+
+ return release_regno;
+}
+
static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
int *insn_idx_p)
{
enum bpf_prog_type prog_type = resolve_prog_type(env->prog);
+ int i, err, func_id, nargs, release_regno, ref_regno;
const struct bpf_func_proto *fn = NULL;
enum bpf_return_type ret_type;
enum bpf_type_flag ret_flag;
@@ -7710,7 +7756,6 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
struct bpf_call_arg_meta meta;
int insn_idx = *insn_idx_p;
bool changes_data;
- int i, err, func_id;
/* find function prototype */
func_id = insn->imm;
@@ -7774,8 +7819,38 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
}
meta.func_id = func_id;
+ regs = cur_regs(env);
+
+ /* find actual arg count */
+ for (i = 0; i < MAX_BPF_FUNC_REG_ARGS; i++)
+ if (fn->arg_type[i] == ARG_DONTCARE)
+ break;
+ nargs = i;
+
+ release_regno = helper_proto_find_release_arg_regno(env, fn, nargs);
+ if (release_regno < 0)
+ return release_regno;
+
+ ref_regno = args_find_ref_obj_id_regno(env, regs, nargs, false);
+ if (ref_regno < 0)
+ return ref_regno;
+ else if (ref_regno > 0)
+ meta.ref_obj_id = regs[ref_regno].ref_obj_id;
+
+ if (release_regno > 0) {
+ if (!regs[release_regno].ref_obj_id &&
+ !register_is_null(®s[release_regno]) &&
+ !arg_type_is_dynptr(fn->arg_type[release_regno - BPF_REG_1])) {
+ verbose(env, "R%d must be referenced when passed to release function\n",
+ release_regno);
+ return -EINVAL;
+ }
+
+ meta.release_regno = release_regno;
+ }
+
/* check args */
- for (i = 0; i < MAX_BPF_FUNC_REG_ARGS; i++) {
+ for (i = 0; i < nargs; i++) {
err = check_func_arg(env, i, &meta, fn);
if (err)
return err;
@@ -7799,8 +7874,6 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
return err;
}
- regs = cur_regs(env);
-
/* This can only be set for PTR_TO_STACK, as CONST_PTR_TO_DYNPTR cannot
* be reinitialized by any dynptr helper. Hence, mark_stack_slots_dynptr
* is safe to do directly.
@@ -8795,10 +8868,11 @@ static int process_kf_arg_ptr_to_list_node(struct bpf_verifier_env *env,
static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_arg_meta *meta)
{
const char *func_name = meta->func_name, *ref_tname;
+ struct bpf_reg_state *regs = cur_regs(env);
const struct btf *btf = meta->btf;
const struct btf_param *args;
u32 i, nargs;
- int ret;
+ int ret, ref_regno;
args = (const struct btf_param *)(meta->func_proto + 1);
nargs = btf_type_vlen(meta->func_proto);
@@ -8808,17 +8882,31 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
return -EINVAL;
}
+ ref_regno = args_find_ref_obj_id_regno(env, cur_regs(env), nargs, true);
+ if (ref_regno < 0) {
+ return ref_regno;
+ } else if (!ref_regno && is_kfunc_release(meta)) {
+ verbose(env, "release kernel function %s expects refcounted PTR_TO_BTF_ID\n",
+ func_name);
+ return -EINVAL;
+ }
+
+ meta->ref_obj_id = regs[ref_regno].ref_obj_id;
+ if (is_kfunc_release(meta))
+ meta->release_regno = ref_regno;
+
/* Check that BTF function arguments match actual types that the
* verifier sees.
*/
for (i = 0; i < nargs; i++) {
- struct bpf_reg_state *regs = cur_regs(env), *reg = ®s[i + 1];
const struct btf_type *t, *ref_t, *resolve_ret;
enum bpf_arg_type arg_type = ARG_DONTCARE;
u32 regno = i + 1, ref_id, type_size;
bool is_ret_buf_sz = false;
+ struct bpf_reg_state *reg;
int kf_arg_type;
+ reg = ®s[regno];
t = btf_type_skip_modifiers(btf, args[i].type, NULL);
if (is_kfunc_arg_ignore(btf, &args[i]))
@@ -8875,18 +8963,6 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
return -EINVAL;
}
- if (reg->ref_obj_id) {
- if (is_kfunc_release(meta) && meta->ref_obj_id) {
- verbose(env, "verifier internal error: more than one arg with ref_obj_id R%d %u %u\n",
- regno, reg->ref_obj_id,
- meta->ref_obj_id);
- return -EFAULT;
- }
- meta->ref_obj_id = reg->ref_obj_id;
- if (is_kfunc_release(meta))
- meta->release_regno = regno;
- }
-
ref_t = btf_type_skip_modifiers(btf, t->type, &ref_id);
ref_tname = btf_name_by_offset(btf, ref_t->name_off);
@@ -8929,7 +9005,7 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
return -EFAULT;
}
- if (is_kfunc_release(meta) && reg->ref_obj_id)
+ if (is_kfunc_release(meta) && regno == meta->release_regno)
arg_type |= OBJ_RELEASE;
ret = check_func_arg_reg_off(env, reg, regno, arg_type);
if (ret < 0)
@@ -9049,12 +9125,6 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
}
}
- if (is_kfunc_release(meta) && !meta->release_regno) {
- verbose(env, "release kernel function %s expects refcounted PTR_TO_BTF_ID\n",
- func_name);
- return -EINVAL;
- }
-
return 0;
}
--
2.30.2
next prev parent reply other threads:[~2022-12-17 8:25 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-17 8:24 [PATCH v2 bpf-next 00/13] BPF rbtree next-gen datastructure Dave Marchevsky
2022-12-17 8:24 ` Dave Marchevsky [this message]
2022-12-29 3:24 ` [PATCH v2 bpf-next 01/13] bpf: Support multiple arg regs w/ ref_obj_id for kfuncs Alexei Starovoitov
2022-12-29 6:40 ` David Vernet
2022-12-29 16:50 ` Alexei Starovoitov
2022-12-29 17:00 ` David Vernet
2023-01-17 17:26 ` Dave Marchevsky
2023-01-17 17:36 ` Alexei Starovoitov
2023-01-17 23:12 ` Dave Marchevsky
2023-01-20 5:13 ` David Vernet
2022-12-17 8:24 ` [PATCH v2 bpf-next 02/13] bpf: Migrate release_on_unlock logic to non-owning ref semantics Dave Marchevsky
2022-12-17 9:21 ` Dave Marchevsky
2022-12-28 23:46 ` David Vernet
2022-12-29 15:39 ` David Vernet
2022-12-29 3:56 ` Alexei Starovoitov
2022-12-29 16:54 ` David Vernet
2023-01-17 16:54 ` Dave Marchevsky
2023-01-17 16:07 ` Dave Marchevsky
2023-01-17 16:56 ` Alexei Starovoitov
2022-12-17 8:24 ` [PATCH v2 bpf-next 03/13] selftests/bpf: Update linked_list tests for " Dave Marchevsky
2022-12-17 8:24 ` [PATCH v2 bpf-next 04/13] bpf: rename list_head -> graph_root in field info types Dave Marchevsky
2022-12-17 8:24 ` [PATCH v2 bpf-next 05/13] bpf: Add basic bpf_rb_{root,node} support Dave Marchevsky
2022-12-17 8:24 ` [PATCH v2 bpf-next 06/13] bpf: Add bpf_rbtree_{add,remove,first} kfuncs Dave Marchevsky
2022-12-17 8:25 ` [PATCH v2 bpf-next 07/13] bpf: Add support for bpf_rb_root and bpf_rb_node in kfunc args Dave Marchevsky
2022-12-29 4:00 ` Alexei Starovoitov
2022-12-17 8:25 ` [PATCH v2 bpf-next 08/13] bpf: Add callback validation to kfunc verifier logic Dave Marchevsky
2022-12-17 8:25 ` [PATCH v2 bpf-next 09/13] bpf: Special verifier handling for bpf_rbtree_{remove, first} Dave Marchevsky
2022-12-29 4:02 ` Alexei Starovoitov
2022-12-17 8:25 ` [PATCH v2 bpf-next 10/13] bpf: Add bpf_rbtree_{add,remove,first} decls to bpf_experimental.h Dave Marchevsky
2022-12-17 8:25 ` [PATCH v2 bpf-next 11/13] libbpf: Make BTF mandatory if program BTF has spin_lock or alloc_obj type Dave Marchevsky
2022-12-22 18:50 ` Andrii Nakryiko
2022-12-17 8:25 ` [PATCH v2 bpf-next 12/13] selftests/bpf: Add rbtree selftests Dave Marchevsky
2022-12-17 8:25 ` [PATCH v2 bpf-next 13/13] bpf, documentation: Add graph documentation for non-owning refs Dave Marchevsky
2022-12-28 21:26 ` David Vernet
2023-01-18 2:16 ` Dave Marchevsky
2023-01-20 4:45 ` David Vernet
2022-12-17 10:23 [PATCH v2 bpf-next 02/13] bpf: Migrate release_on_unlock logic to non-owning ref semantics kernel test robot
2022-12-23 10:51 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221217082506.1570898-2-davemarchevsky@fb.com \
--to=davemarchevsky@fb.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kernel-team@fb.com \
--cc=memxor@gmail.com \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.