<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/kernel/bpf/verifier.c, branch v5.18</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
</subtitle>
<id>https://git.shady.money/linux/atom?h=v5.18</id>
<link rel='self' href='https://git.shady.money/linux/atom?h=v5.18'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/'/>
<updated>2022-03-21T20:29:16Z</updated>
<entry>
<title>bpf: Fix warning for cast from restricted gfp_t in verifier</title>
<updated>2022-03-21T20:29:16Z</updated>
<author>
<name>Joanne Koong</name>
<email>joannelkoong@gmail.com</email>
</author>
<published>2022-03-21T18:58:02Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=d56c9fe6a06820d5ef8188d96bf4345c7bdba249'/>
<id>urn:sha1:d56c9fe6a06820d5ef8188d96bf4345c7bdba249</id>
<content type='text'>
This fixes the sparse warning reported by the kernel test robot:

kernel/bpf/verifier.c:13499:47: sparse: warning: cast from restricted gfp_t
kernel/bpf/verifier.c:13501:47: sparse: warning: cast from restricted gfp_t

This fix can be verified locally by running:
1) wget
https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross
-O make.cross

2) chmod +x ~/bin/make.cross

3) COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 ./make.cross
C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__'

Fixes: b00fa38a9c1c ("bpf: Enable non-atomic allocations in local storage")
Reported-by: kernel test robot &lt;lkp@intel.com&gt;
Signed-off-by: Joanne Koong &lt;joannelkoong@gmail.com&gt;
Signed-off-by: Alexei Starovoitov &lt;ast@kernel.org&gt;
Link: https://lore.kernel.org/bpf/20220321185802.824223-1-joannekoong@fb.com
</content>
</entry>
<entry>
<title>Revert "bpf: Add support to inline bpf_get_func_ip helper on x86"</title>
<updated>2022-03-21T13:53:42Z</updated>
<author>
<name>Jiri Olsa</name>
<email>jolsa@kernel.org</email>
</author>
<published>2022-03-21T07:01:12Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=f705ec764b34323412f14b9bd95412e9bcb8770b'/>
<id>urn:sha1:f705ec764b34323412f14b9bd95412e9bcb8770b</id>
<content type='text'>
This reverts commit 97ee4d20ee67eb462581a7af01442de6586e390b.

Following change is adding more complexity to bpf_get_func_ip
helper for kprobe_multi programs, which can't be inlined easily.

Signed-off-by: Jiri Olsa &lt;jolsa@kernel.org&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Link: https://lore.kernel.org/bpf/20220321070113.1449167-2-jolsa@kernel.org
</content>
</entry>
<entry>
<title>bpf: Enable non-atomic allocations in local storage</title>
<updated>2022-03-21T01:55:05Z</updated>
<author>
<name>Joanne Koong</name>
<email>joannelkoong@gmail.com</email>
</author>
<published>2022-03-18T04:55:52Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=b00fa38a9c1cba044a32a601b49a55a18ed719d1'/>
<id>urn:sha1:b00fa38a9c1cba044a32a601b49a55a18ed719d1</id>
<content type='text'>
Currently, local storage memory can only be allocated atomically
(GFP_ATOMIC). This restriction is too strict for sleepable bpf
programs.

In this patch, the verifier detects whether the program is sleepable,
and passes the corresponding GFP_KERNEL or GFP_ATOMIC flag as a
5th argument to bpf_task/sk/inode_storage_get. This flag will propagate
down to the local storage functions that allocate memory.

Please note that bpf_task/sk/inode_storage_update_elem functions are
invoked by userspace applications through syscalls. Preemption is
disabled before bpf_task/sk/inode_storage_update_elem is called, which
means they will always have to allocate memory atomically.

Signed-off-by: Joanne Koong &lt;joannelkoong@gmail.com&gt;
Signed-off-by: Alexei Starovoitov &lt;ast@kernel.org&gt;
Acked-by: KP Singh &lt;kpsingh@kernel.org&gt;
Acked-by: Martin KaFai Lau &lt;kafai@fb.com&gt;
Link: https://lore.kernel.org/bpf/20220318045553.3091807-2-joannekoong@fb.com
</content>
</entry>
<entry>
<title>bpf: Add support to inline bpf_get_func_ip helper on x86</title>
<updated>2022-03-18T03:17:19Z</updated>
<author>
<name>Jiri Olsa</name>
<email>jolsa@kernel.org</email>
</author>
<published>2022-03-16T12:24:11Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=97ee4d20ee67eb462581a7af01442de6586e390b'/>
<id>urn:sha1:97ee4d20ee67eb462581a7af01442de6586e390b</id>
<content type='text'>
Adding support to inline it on x86, because it's single
load instruction.

Signed-off-by: Jiri Olsa &lt;jolsa@kernel.org&gt;
Signed-off-by: Alexei Starovoitov &lt;ast@kernel.org&gt;
Link: https://lore.kernel.org/bpf/20220316122419.933957-6-jolsa@kernel.org
</content>
</entry>
<entry>
<title>bpf: Fix net.core.bpf_jit_harden race</title>
<updated>2022-03-16T22:13:36Z</updated>
<author>
<name>Hou Tao</name>
<email>houtao1@huawei.com</email>
</author>
<published>2022-03-09T12:33:20Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=d2a3b7c5becc3992f8e7d2b9bf5eacceeedb9a48'/>
<id>urn:sha1:d2a3b7c5becc3992f8e7d2b9bf5eacceeedb9a48</id>
<content type='text'>
It is the bpf_jit_harden counterpart to commit 60b58afc96c9 ("bpf: fix
net.core.bpf_jit_enable race"). bpf_jit_harden will be tested twice
for each subprog if there are subprogs in bpf program and constant
blinding may increase the length of program, so when running
"./test_progs -t subprogs" and toggling bpf_jit_harden between 0 and 2,
jit_subprogs may fail because constant blinding increases the length
of subprog instructions during extra passs.

So cache the value of bpf_jit_blinding_enabled() during program
allocation, and use the cached value during constant blinding, subprog
JITing and args tracking of tail call.

Signed-off-by: Hou Tao &lt;houtao1@huawei.com&gt;
Signed-off-by: Alexei Starovoitov &lt;ast@kernel.org&gt;
Link: https://lore.kernel.org/bpf/20220309123321.2400262-4-houtao1@huawei.com
</content>
</entry>
<entry>
<title>bpf: Use offsetofend() to simplify macro definition</title>
<updated>2022-03-10T22:04:47Z</updated>
<author>
<name>Yuntao Wang</name>
<email>ytcoode@gmail.com</email>
</author>
<published>2022-03-10T16:15:18Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=1b773d0003aa90e60953d263c2ee31e6fb4a8a69'/>
<id>urn:sha1:1b773d0003aa90e60953d263c2ee31e6fb4a8a69</id>
<content type='text'>
Use offsetofend() instead of offsetof() + sizeof() to simplify
MIN_BPF_LINEINFO_SIZE macro definition.

Signed-off-by: Yuntao Wang &lt;ytcoode@gmail.com&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Acked-by: Yonghong Song &lt;yhs@fb.com&gt;
Acked-by: Joanne Koong &lt;joannelkoong@gmail.com&gt;
Link: https://lore.kernel.org/bpf/20220310161518.534544-1-ytcoode@gmail.com
</content>
</entry>
<entry>
<title>bpf: Determine buf_info inside check_buffer_access()</title>
<updated>2022-03-08T14:36:45Z</updated>
<author>
<name>Shung-Hsi Yu</name>
<email>shung-hsi.yu@suse.com</email>
</author>
<published>2022-03-07T05:29:18Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=44e9a741cad824f45112b79c21d88c201d5aec13'/>
<id>urn:sha1:44e9a741cad824f45112b79c21d88c201d5aec13</id>
<content type='text'>
Instead of determining buf_info string in the caller of check_buffer_access(),
we can determine whether the register type is read-only through
type_is_rdonly_mem() helper inside check_buffer_access() and construct
buf_info, making the code slightly cleaner.

Signed-off-by: Shung-Hsi Yu &lt;shung-hsi.yu@suse.com&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Acked-by: Yonghong Song &lt;yhs@fb.com&gt;
Link: https://lore.kernel.org/bpf/YiWYLnAkEZXBP/gH@syu-laptop
</content>
</entry>
<entry>
<title>bpf: Reject programs that try to load __percpu memory.</title>
<updated>2022-03-06T02:38:15Z</updated>
<author>
<name>Hao Luo</name>
<email>haoluo@google.com</email>
</author>
<published>2022-03-04T19:16:56Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=5844101a1be9b8636024cb31c865ef13c7cc6db3'/>
<id>urn:sha1:5844101a1be9b8636024cb31c865ef13c7cc6db3</id>
<content type='text'>
With the introduction of the btf_type_tag "percpu", we can add a
MEM_PERCPU to identify those pointers that point to percpu memory.
The ability of differetiating percpu pointers from regular memory
pointers have two benefits:

 1. It forbids unexpected use of percpu pointers, such as direct loads.
    In kernel, there are special functions used for accessing percpu
    memory. Directly loading percpu memory is meaningless. We already
    have BPF helpers like bpf_per_cpu_ptr() and bpf_this_cpu_ptr() that
    wrap the kernel percpu functions. So we can now convert percpu
    pointers into regular pointers in a safe way.

 2. Previously, bpf_per_cpu_ptr() and bpf_this_cpu_ptr() only work on
    PTR_TO_PERCPU_BTF_ID, a special reg_type which describes static
    percpu variables in kernel (we rely on pahole to encode them into
    vmlinux BTF). Now, since we can identify __percpu tagged pointers,
    we can also identify dynamically allocated percpu memory as well.
    It means we can use bpf_xxx_cpu_ptr() on dynamic percpu memory.
    This would be very convenient when accessing fields like
    "cgroup-&gt;rstat_cpu".

Signed-off-by: Hao Luo &lt;haoluo@google.com&gt;
Signed-off-by: Alexei Starovoitov &lt;ast@kernel.org&gt;
Acked-by: Yonghong Song &lt;yhs@fb.com&gt;
Link: https://lore.kernel.org/bpf/20220304191657.981240-4-haoluo@google.com
</content>
</entry>
<entry>
<title>bpf: Fix checking PTR_TO_BTF_ID in check_mem_access</title>
<updated>2022-03-06T02:38:15Z</updated>
<author>
<name>Hao Luo</name>
<email>haoluo@google.com</email>
</author>
<published>2022-03-04T19:16:54Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=bff61f6faedb36db6b135da898840d29aa74cbbb'/>
<id>urn:sha1:bff61f6faedb36db6b135da898840d29aa74cbbb</id>
<content type='text'>
With the introduction of MEM_USER in

 commit c6f1bfe89ac9 ("bpf: reject program if a __user tagged memory accessed in kernel way")

PTR_TO_BTF_ID can be combined with a MEM_USER tag. Therefore, most
likely, when we compare reg_type against PTR_TO_BTF_ID, we want to use
the reg's base_type. Previously the check in check_mem_access() wants
to say: if the reg is BTF_ID but not NULL, the execution flow falls
into the 'then' branch. But now a reg of (BTF_ID | MEM_USER), which
should go into the 'then' branch, goes into the 'else'.

The end results before and after this patch are the same: regs tagged
with MEM_USER get rejected, but not in a way we intended. So fix the
condition, the error message now is correct.

Before (log from commit 696c39011538):

  $ ./test_progs -v -n 22/3
  ...
  libbpf: prog 'test_user1': BPF program load failed: Permission denied
  libbpf: prog 'test_user1': -- BEGIN PROG LOAD LOG --
  R1 type=ctx expected=fp
  0: R1=ctx(id=0,off=0,imm=0) R10=fp0
  ; int BPF_PROG(test_user1, struct bpf_testmod_btf_type_tag_1 *arg)
  0: (79) r1 = *(u64 *)(r1 +0)
  func 'bpf_testmod_test_btf_type_tag_user_1' arg0 has btf_id 136561 type STRUCT 'bpf_testmod_btf_type_tag_1'
  1: R1_w=user_ptr_bpf_testmod_btf_type_tag_1(id=0,off=0,imm=0)
  ; g = arg-&gt;a;
  1: (61) r1 = *(u32 *)(r1 +0)
  R1 invalid mem access 'user_ptr_'

Now:

  libbpf: prog 'test_user1': BPF program load failed: Permission denied
  libbpf: prog 'test_user1': -- BEGIN PROG LOAD LOG --
  R1 type=ctx expected=fp
  0: R1=ctx(id=0,off=0,imm=0) R10=fp0
  ; int BPF_PROG(test_user1, struct bpf_testmod_btf_type_tag_1 *arg)
  0: (79) r1 = *(u64 *)(r1 +0)
  func 'bpf_testmod_test_btf_type_tag_user_1' arg0 has btf_id 104036 type STRUCT 'bpf_testmod_btf_type_tag_1'
  1: R1_w=user_ptr_bpf_testmod_btf_type_tag_1(id=0,ref_obj_id=0,off=0,imm=0)
  ; g = arg-&gt;a;
  1: (61) r1 = *(u32 *)(r1 +0)
  R1 is ptr_bpf_testmod_btf_type_tag_1 access user memory: off=0

Note the error message for the reason of rejection.

Fixes: c6f1bfe89ac9 ("bpf: reject program if a __user tagged memory accessed in kernel way")
Signed-off-by: Hao Luo &lt;haoluo@google.com&gt;
Signed-off-by: Alexei Starovoitov &lt;ast@kernel.org&gt;
Acked-by: Yonghong Song &lt;yhs@fb.com&gt;
Link: https://lore.kernel.org/bpf/20220304191657.981240-2-haoluo@google.com
</content>
</entry>
<entry>
<title>bpf: Harden register offset checks for release helpers and kfuncs</title>
<updated>2022-03-05T23:29:35Z</updated>
<author>
<name>Kumar Kartikeya Dwivedi</name>
<email>memxor@gmail.com</email>
</author>
<published>2022-03-04T22:46:41Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=24d5bb806c7e2c0b9972564fd493069f612d90dd'/>
<id>urn:sha1:24d5bb806c7e2c0b9972564fd493069f612d90dd</id>
<content type='text'>
Let's ensure that the PTR_TO_BTF_ID reg being passed in to release BPF
helpers and kfuncs always has its offset set to 0. While not a real
problem now, there's a very real possibility this will become a problem
when more and more kfuncs are exposed, and more BPF helpers are added
which can release PTR_TO_BTF_ID.

Previous commits already protected against non-zero var_off. One of the
case we are concerned about now is when we have a type that can be
returned by e.g. an acquire kfunc:

struct foo {
	int a;
	int b;
	struct bar b;
};

... and struct bar is also a type that can be returned by another
acquire kfunc.

Then, doing the following sequence:

	struct foo *f = bpf_get_foo(); // acquire kfunc
	if (!f)
		return 0;
	bpf_put_bar(&amp;f-&gt;b); // release kfunc

... would work with the current code, since the btf_struct_ids_match
takes reg-&gt;off into account for matching pointer type with release kfunc
argument type, but would obviously be incorrect, and most likely lead to
a kernel crash. A test has been included later to prevent regressions in
this area.

Signed-off-by: Kumar Kartikeya Dwivedi &lt;memxor@gmail.com&gt;
Signed-off-by: Alexei Starovoitov &lt;ast@kernel.org&gt;
Link: https://lore.kernel.org/bpf/20220304224645.3677453-5-memxor@gmail.com
</content>
</entry>
</feed>
