From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Dave Marchevsky <davemarchevsky@fb.com>,
Yonghong Song <yonghong.song@linux.dev>,
Alexei Starovoitov <ast@kernel.org>,
Sasha Levin <sashal@kernel.org>,
daniel@iogearbox.net, andrii@kernel.org, bpf@vger.kernel.org
Subject: [PATCH AUTOSEL 6.4 40/41] bpf: Consider non-owning refs trusted
Date: Fri, 8 Sep 2023 14:15:54 -0400 [thread overview]
Message-ID: <20230908181555.3459640-40-sashal@kernel.org> (raw)
In-Reply-To: <20230908181555.3459640-1-sashal@kernel.org>
From: Dave Marchevsky <davemarchevsky@fb.com>
[ Upstream commit 2a6d50b50d6d589d43a90d6ca990b8b811e67701 ]
Recent discussions around default kptr "trustedness" led to changes such
as commit 6fcd486b3a0a ("bpf: Refactor RCU enforcement in the
verifier."). One of the conclusions of those discussions, as expressed
in code and comments in that patch, is that we'd like to move away from
'raw' PTR_TO_BTF_ID without some type flag or other register state
indicating trustedness. Although PTR_TRUSTED and PTR_UNTRUSTED flags mark
this state explicitly, the verifier currently considers trustedness
implied by other register state. For example, owning refs to graph
collection nodes must have a nonzero ref_obj_id, so they pass the
is_trusted_reg check despite having no explicit PTR_{UN}TRUSTED flag.
This patch makes trustedness of non-owning refs to graph collection
nodes explicit as well.
By definition, non-owning refs are currently trusted. Although the ref
has no control over pointee lifetime, due to non-owning ref clobbering
rules (see invalidate_non_owning_refs) dereferencing a non-owning ref is
safe in the critical section controlled by bpf_spin_lock associated with
its owning collection.
Note that the previous statement does not hold true for nodes with shared
ownership due to the use-after-free issue that this series is
addressing. True shared ownership was disabled by commit 7deca5eae833
("bpf: Disable bpf_refcount_acquire kfunc calls until race conditions are fixed"),
though, so the statement holds for now. Further patches in the series will change
the trustedness state of non-owning refs before re-enabling
bpf_refcount_acquire.
Let's add NON_OWN_REF type flag to BPF_REG_TRUSTED_MODIFIERS such that a
non-owning ref reg state would pass is_trusted_reg check. Somewhat
surprisingly, this doesn't result in any change to user-visible
functionality elsewhere in the verifier: graph collection nodes are all
marked MEM_ALLOC, which tends to be handled in separate codepaths from
"raw" PTR_TO_BTF_ID. Regardless, let's be explicit here and document the
current state of things before changing it elsewhere in the series.
Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20230821193311.3290257-3-davemarchevsky@fb.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/bpf_verifier.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
index f70f9ac884d24..b6e58dab8e275 100644
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -745,7 +745,7 @@ static inline bool bpf_prog_check_recur(const struct bpf_prog *prog)
}
}
-#define BPF_REG_TRUSTED_MODIFIERS (MEM_ALLOC | PTR_TRUSTED)
+#define BPF_REG_TRUSTED_MODIFIERS (MEM_ALLOC | PTR_TRUSTED | NON_OWN_REF)
static inline bool bpf_type_has_unsafe_modifiers(u32 type)
{
--
2.40.1
next prev parent reply other threads:[~2023-09-08 18:21 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-08 18:15 [PATCH AUTOSEL 6.4 01/41] devlink: remove reload failed checks in params get/set callbacks Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 02/41] crypto: lrw,xts - Replace strlcpy with strscpy Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 03/41] regulator: max77857: Add ADI MAX77857/59/MAX77831 Regulator Support Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 04/41] ice: Don't tx before switchdev is fully configured Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 05/41] wifi: ath9k: fix fortify warnings Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 06/41] wifi: ath9k: fix printk specifier Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 07/41] wifi: rtw88: delete timer and free skb queue when unloading Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 08/41] wifi: mwifiex: fix fortify warning Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 09/41] mt76: mt7921: don't assume adequate headroom for SDIO headers Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 10/41] wifi: wil6210: fix fortify warnings Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 11/41] can: sun4i_can: Add acceptance register quirk Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 12/41] can: sun4i_can: Add support for the Allwinner D1 Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 13/41] net: Use sockaddr_storage for getsockopt(SO_PEERNAME) Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 14/41] wifi: ath12k: Fix a NULL pointer dereference in ath12k_mac_op_hw_scan() Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 15/41] wifi: ath12k: avoid array overflow of hw mode for preferred_hw_mode Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 16/41] net/ipv4: return the real errno instead of -EINVAL Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 17/41] crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui() Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 18/41] Bluetooth: btusb: Add device 0489:e0f5 as MT7922 device Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 19/41] Bluetooth: btusb: Add a new VID/PID 0489/e0f6 for MT7922 Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 20/41] Bluetooth: btusb: Add new VID/PID 0489/e102 " Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 21/41] Bluetooth: btusb: Add new VID/PID 04ca/3804 " Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 22/41] Bluetooth: Fix hci_suspend_sync crash Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 23/41] Bluetooth: btusb: Add support for another MediaTek 7922 VID/PID Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 24/41] netlink: convert nlk->flags to atomic flags Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 25/41] tpm_tis: Resend command to recover from data transfer errors Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 26/41] mmc: sdhci-esdhc-imx: improve ESDHC_FLAG_ERR010450 Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 27/41] alx: fix OOB-read compiler warning Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 28/41] wifi: iwlwifi: pcie: avoid a warning in case prepare card failed Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 29/41] wifi: mac80211: check S1G action frame size Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 30/41] netfilter: ebtables: fix fortify warnings in size_entry_mwt() Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 31/41] wifi: cfg80211: reject auth/assoc to AP with our address Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 32/41] wifi: cfg80211: ocb: don't leave if not joined Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 33/41] wifi: mac80211: check for station first in client probe Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 34/41] wifi: mac80211_hwsim: drop short frames Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 35/41] libbpf: Free btf_vmlinux when closing bpf_object Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 36/41] wifi: ath12k: Fix memory leak in rx_desc and tx_desc Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 37/41] Bluetooth: btusb: Fix quirks table naming Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 38/41] wifi: ath12k: add check max message length while scanning with extraie Sasha Levin
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 39/41] Fix nomenclature for USB and PCI wireless devices Sasha Levin
2023-09-08 18:15 ` Sasha Levin [this message]
2023-09-08 18:15 ` [PATCH AUTOSEL 6.4 41/41] bpf: Consider non-owning refs to refcounted nodes RCU protected Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230908181555.3459640-40-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davemarchevsky@fb.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).