[PATCH bpf] bpf: Resolve fext program type when checking map compatibility

[PATCH bpf] bpf: Resolve fext program type when checking map compatibility

[Toke Høiland-Jørgensen]

The bpf_prog_map_compatible() check makes sure that BPF program types are
not mixed inside BPF map types that can contain programs (tail call maps,
cpumaps and devmaps). It does this by setting the fields of the map->owner
struct to the values of the first program being checked against, and
rejecting any subsequent programs if the values don't match.

One of the values being set in the map owner struct is the program type,
and since the code did not resolve the prog type for fext programs, the map
owner type would be set to PROG_TYPE_EXT and subsequent loading of programs
of the target type into the map would fail.

This bug is seen in particular for XDP programs that are loaded as
PROG_TYPE_EXT using libxdp; these cannot insert programs into devmaps and
cpumaps because the check fails as described above.

Fix the bug by resolving the fext program type to its target program type
as elsewhere in the verifier. This requires constifying the parameter of
resolve_prog_type() to avoid a compiler warning from the new call site.

Fixes: f45d5b6ce2e8 ("bpf: generalise tail call map compatibility check")
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
---
 include/linux/bpf_verifier.h | 2 +-
 kernel/bpf/core.c            | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
index 9e1e6965f407..0eb8f035b3d9 100644
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -642,7 +642,7 @@ static inline u32 type_flag(u32 type)
 }
 
 /* only use after check_attach_btf_id() */
-static inline enum bpf_prog_type resolve_prog_type(struct bpf_prog *prog)
+static inline enum bpf_prog_type resolve_prog_type(const struct bpf_prog *prog)
 {
 	return prog->type == BPF_PROG_TYPE_EXT ?
 		prog->aux->dst_prog->type : prog->type;
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 25a54e04560e..17ab3e15ac25 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -2088,6 +2088,7 @@ static unsigned int __bpf_prog_ret0_warn(const void *ctx,
 bool bpf_prog_map_compatible(struct bpf_map *map,
 			     const struct bpf_prog *fp)
 {
+	enum bpf_prog_type prog_type = resolve_prog_type(fp);
 	bool ret;
 
 	if (fp->kprobe_override)
@@ -2098,12 +2099,12 @@ bool bpf_prog_map_compatible(struct bpf_map *map,
 		/* There's no owner yet where we could check for
 		 * compatibility.
 		 */
-		map->owner.type  = fp->type;
+		map->owner.type  = prog_type;
 		map->owner.jited = fp->jited;
 		map->owner.xdp_has_frags = fp->aux->xdp_has_frags;
 		ret = true;
 	} else {
-		ret = map->owner.type  == fp->type &&
+		ret = map->owner.type  == prog_type &&
 		      map->owner.jited == fp->jited &&
 		      map->owner.xdp_has_frags == fp->aux->xdp_has_frags;
 	}
-- 
2.38.1

Re: [PATCH bpf] bpf: Resolve fext program type when checking map compatibility

[Yonghong Song]

On 12/7/22 4:35 PM, Toke Høiland-Jørgensen wrote:
> The bpf_prog_map_compatible() check makes sure that BPF program types are
> not mixed inside BPF map types that can contain programs (tail call maps,
> cpumaps and devmaps). It does this by setting the fields of the map->owner
> struct to the values of the first program being checked against, and
> rejecting any subsequent programs if the values don't match.
> 
> One of the values being set in the map owner struct is the program type,
> and since the code did not resolve the prog type for fext programs, the map
> owner type would be set to PROG_TYPE_EXT and subsequent loading of programs
> of the target type into the map would fail.
> 
> This bug is seen in particular for XDP programs that are loaded as
> PROG_TYPE_EXT using libxdp; these cannot insert programs into devmaps and
> cpumaps because the check fails as described above.
> 
> Fix the bug by resolving the fext program type to its target program type
> as elsewhere in the verifier. This requires constifying the parameter of
> resolve_prog_type() to avoid a compiler warning from the new call site.
> 
> Fixes: f45d5b6ce2e8 ("bpf: generalise tail call map compatibility check")
> Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>

Could you construct a test case for this problem?

> ---
>   include/linux/bpf_verifier.h | 2 +-
>   kernel/bpf/core.c            | 5 +++--
>   2 files changed, 4 insertions(+), 3 deletions(-)
> 
[...]

Re: [PATCH bpf] bpf: Resolve fext program type when checking map compatibility

[Toke Høiland-Jørgensen]

Yonghong Song <yhs@meta.com> writes:

> On 12/7/22 4:35 PM, Toke Høiland-Jørgensen wrote:
>> The bpf_prog_map_compatible() check makes sure that BPF program types are
>> not mixed inside BPF map types that can contain programs (tail call maps,
>> cpumaps and devmaps). It does this by setting the fields of the map->owner
>> struct to the values of the first program being checked against, and
>> rejecting any subsequent programs if the values don't match.
>> 
>> One of the values being set in the map owner struct is the program type,
>> and since the code did not resolve the prog type for fext programs, the map
>> owner type would be set to PROG_TYPE_EXT and subsequent loading of programs
>> of the target type into the map would fail.
>> 
>> This bug is seen in particular for XDP programs that are loaded as
>> PROG_TYPE_EXT using libxdp; these cannot insert programs into devmaps and
>> cpumaps because the check fails as described above.
>> 
>> Fix the bug by resolving the fext program type to its target program type
>> as elsewhere in the verifier. This requires constifying the parameter of
>> resolve_prog_type() to avoid a compiler warning from the new call site.
>> 
>> Fixes: f45d5b6ce2e8 ("bpf: generalise tail call map compatibility check")
>> Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
>
> Could you construct a test case for this problem?

Sure, will add a selftest and send a v2.

-Toke