From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Eduard Zingerman <eddyz87@gmail.com>,
Alexei Starovoitov <ast@kernel.org>,
Sasha Levin <sashal@kernel.org>,
daniel@iogearbox.net, andrii@kernel.org, martin.lau@linux.dev,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, shuah@kernel.org, leon.hwang@linux.dev,
yonghong.song@linux.dev, bpf@vger.kernel.org,
netdev@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: [PATCH AUTOSEL 6.12 29/29] bpf: consider that tail calls invalidate packet pointers
Date: Fri, 20 Dec 2024 12:11:30 -0500 [thread overview]
Message-ID: <20241220171130.511389-29-sashal@kernel.org> (raw)
In-Reply-To: <20241220171130.511389-1-sashal@kernel.org>
From: Eduard Zingerman <eddyz87@gmail.com>
[ Upstream commit 1a4607ffba35bf2a630aab299e34dd3f6e658d70 ]
Tail-called programs could execute any of the helpers that invalidate
packet pointers. Hence, conservatively assume that each tail call
invalidates packet pointers.
Making the change in bpf_helper_changes_pkt_data() automatically makes
use of check_cfg() logic that computes 'changes_pkt_data' effect for
global sub-programs, such that the following program could be
rejected:
int tail_call(struct __sk_buff *sk)
{
bpf_tail_call_static(sk, &jmp_table, 0);
return 0;
}
SEC("tc")
int not_safe(struct __sk_buff *sk)
{
int *p = (void *)(long)sk->data;
... make p valid ...
tail_call(sk);
*p = 42; /* this is unsafe */
...
}
The tc_bpf2bpf.c:subprog_tc() needs change: mark it as a function that
can invalidate packet pointers. Otherwise, it can't be freplaced with
tailcall_freplace.c:entry_freplace() that does a tail call.
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20241210041100.1898468-8-eddyz87@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 2 ++
tools/testing/selftests/bpf/progs/tc_bpf2bpf.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/net/core/filter.c b/net/core/filter.c
index 33125317994e..bbd0c08072cb 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -7934,6 +7934,8 @@ bool bpf_helper_changes_pkt_data(enum bpf_func_id func_id)
case BPF_FUNC_xdp_adjust_head:
case BPF_FUNC_xdp_adjust_meta:
case BPF_FUNC_xdp_adjust_tail:
+ /* tail-called program could call any of the above */
+ case BPF_FUNC_tail_call:
return true;
default:
return false;
diff --git a/tools/testing/selftests/bpf/progs/tc_bpf2bpf.c b/tools/testing/selftests/bpf/progs/tc_bpf2bpf.c
index 8a0632c37839..79f5087dade2 100644
--- a/tools/testing/selftests/bpf/progs/tc_bpf2bpf.c
+++ b/tools/testing/selftests/bpf/progs/tc_bpf2bpf.c
@@ -10,6 +10,8 @@ int subprog(struct __sk_buff *skb)
int ret = 1;
__sink(ret);
+ /* let verifier know that 'subprog_tc' can change pointers to skb->data */
+ bpf_skb_change_proto(skb, 0, 0);
return ret;
}
--
2.39.5
prev parent reply other threads:[~2024-12-20 17:12 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-20 17:11 [PATCH AUTOSEL 6.12 01/29] perf/x86/intel: Add Arrow Lake U support Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 02/29] wifi: mac80211: fix mbss changed flags corruption on 32 bit systems Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 03/29] wifi: cfg80211: clear link ID from bitmap during link delete after clean up Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 04/29] wifi: mac80211: wake the queues in case of failure in resume Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 05/29] drm/amdgpu: use sjt mec fw on gfx943 for sriov Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 06/29] drm/amdkfd: Correct the migration DMA map direction Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 07/29] ALSA: hda: cs35l56: Remove calls to cs35l56_force_sync_asp1_registers_from_cache() Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 08/29] ALSA: hda/realtek - Add support for ASUS Zen AIO 27 Z272SD_A272SD audio Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 09/29] btrfs: handle bio_split() errors Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 10/29] btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 11/29] ALSA: hda/ca0132: Use standard HD-audio quirk matching helpers Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 12/29] ALSA: hda/realtek: Add new alc2xx-fixup-headset-mic model Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 13/29] sound: usb: enable DSD output for ddHiFi TC44C Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 14/29] sound: usb: format: don't warn that raw DSD is unsupported Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 15/29] spi: spi-cadence-qspi: Disable STIG mode for Altera SoCFPGA Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 16/29] ASoC: audio-graph-card: Call of_node_put() on correct node Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 17/29] ARC: build: disallow invalid PAE40 + 4K page config Sasha Levin
2024-12-20 17:11 ` Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 18/29] ARC: build: Use __force to suppress per-CPU cmpxchg warnings Sasha Levin
2024-12-20 17:11 ` Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 19/29] ARC: bpf: Correct conditional check in 'check_jmp_32' Sasha Levin
2024-12-20 17:11 ` Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 20/29] bpf: fix potential error return Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 21/29] ksmbd: retry iterate_dir in smb2_query_dir Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 22/29] ksmbd: set ATTR_CTIME flags when setting mtime Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 23/29] smb: client: destroy cfid_put_wq on module exit Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 24/29] net: usb: qmi_wwan: add Telit FE910C04 compositions Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 25/29] Bluetooth: hci_core: Fix sleeping function called from invalid context Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 26/29] irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 27/29] ARC: build: Try to guess GCC variant of cross compiler Sasha Levin
2024-12-20 17:11 ` Sasha Levin
2024-12-20 17:11 ` [PATCH AUTOSEL 6.12 28/29] bpf: refactor bpf_helper_changes_pkt_data to use helper number Sasha Levin
2024-12-20 17:11 ` Sasha Levin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241220171130.511389-29-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=eddyz87@gmail.com \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=leon.hwang@linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=shuah@kernel.org \
--cc=stable@vger.kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.