From: Martin KaFai Lau <martin.lau@linux.dev>
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Kui-Feng Lee <thinker.li@gmail.com>,
kernel-team@meta.com
Subject: [PATCH v6 bpf-next 02/12] bpf: Handle BPF_UPTR in verifier
Date: Wed, 23 Oct 2024 16:47:49 -0700 [thread overview]
Message-ID: <20241023234759.860539-3-martin.lau@linux.dev> (raw)
In-Reply-To: <20241023234759.860539-1-martin.lau@linux.dev>
From: Kui-Feng Lee <thinker.li@gmail.com>
This patch adds BPF_UPTR support to the verifier. Not that only the
map_value will support the "__uptr" type tag.
This patch enforces only BPF_LDX is allowed to the value of an uptr.
After BPF_LDX, it will mark the dst_reg as PTR_TO_MEM | PTR_MAYBE_NULL
with size deduced from the field.kptr.btf_id. This will make the
dst_reg pointed memory to be readable and writable as scalar.
There is a redundant "val_reg = reg_state(env, value_regno);" statement
in the check_map_kptr_access(). This patch takes this chance to remove
it also.
Signed-off-by: Kui-Feng Lee <thinker.li@gmail.com>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
---
Changes in v5:
- The "if (kptr_field->type == BPF_UPTR)" addition in v4 in
map_kptr_match_type() is removed. It will not be reached.
meta->kptr_field is for kptr only.
- Use btf_field_type_name() for the verbose() log in check_map_access().
- Directly use t->size in mark_uptr_ld_reg. "t" must be a struct.
kernel/bpf/verifier.c | 39 +++++++++++++++++++++++++++++++++------
1 file changed, 33 insertions(+), 6 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index f514247ba8ba..1bd0c3f41f2f 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5485,6 +5485,22 @@ static u32 btf_ld_kptr_type(struct bpf_verifier_env *env, struct btf_field *kptr
return ret;
}
+static int mark_uptr_ld_reg(struct bpf_verifier_env *env, u32 regno,
+ struct btf_field *field)
+{
+ struct bpf_reg_state *reg;
+ const struct btf_type *t;
+
+ t = btf_type_by_id(field->kptr.btf, field->kptr.btf_id);
+ mark_reg_known_zero(env, cur_regs(env), regno);
+ reg = reg_state(env, regno);
+ reg->type = PTR_TO_MEM | PTR_MAYBE_NULL;
+ reg->mem_size = t->size;
+ reg->id = ++env->id_gen;
+
+ return 0;
+}
+
static int check_map_kptr_access(struct bpf_verifier_env *env, u32 regno,
int value_regno, int insn_idx,
struct btf_field *kptr_field)
@@ -5513,9 +5529,15 @@ static int check_map_kptr_access(struct bpf_verifier_env *env, u32 regno,
verbose(env, "store to referenced kptr disallowed\n");
return -EACCES;
}
+ if (class != BPF_LDX && kptr_field->type == BPF_UPTR) {
+ verbose(env, "store to uptr disallowed\n");
+ return -EACCES;
+ }
if (class == BPF_LDX) {
- val_reg = reg_state(env, value_regno);
+ if (kptr_field->type == BPF_UPTR)
+ return mark_uptr_ld_reg(env, value_regno, kptr_field);
+
/* We can simply mark the value_regno receiving the pointer
* value from map as PTR_TO_BTF_ID, with the correct type.
*/
@@ -5573,21 +5595,26 @@ static int check_map_access(struct bpf_verifier_env *env, u32 regno,
case BPF_KPTR_UNREF:
case BPF_KPTR_REF:
case BPF_KPTR_PERCPU:
+ case BPF_UPTR:
if (src != ACCESS_DIRECT) {
- verbose(env, "kptr cannot be accessed indirectly by helper\n");
+ verbose(env, "%s cannot be accessed indirectly by helper\n",
+ btf_field_type_name(field->type));
return -EACCES;
}
if (!tnum_is_const(reg->var_off)) {
- verbose(env, "kptr access cannot have variable offset\n");
+ verbose(env, "%s access cannot have variable offset\n",
+ btf_field_type_name(field->type));
return -EACCES;
}
if (p != off + reg->var_off.value) {
- verbose(env, "kptr access misaligned expected=%u off=%llu\n",
+ verbose(env, "%s access misaligned expected=%u off=%llu\n",
+ btf_field_type_name(field->type),
p, off + reg->var_off.value);
return -EACCES;
}
if (size != bpf_size_to_bytes(BPF_DW)) {
- verbose(env, "kptr access size must be BPF_DW\n");
+ verbose(env, "%s access size must be BPF_DW\n",
+ btf_field_type_name(field->type));
return -EACCES;
}
break;
@@ -6953,7 +6980,7 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
return err;
if (tnum_is_const(reg->var_off))
kptr_field = btf_record_find(reg->map_ptr->record,
- off + reg->var_off.value, BPF_KPTR);
+ off + reg->var_off.value, BPF_KPTR | BPF_UPTR);
if (kptr_field) {
err = check_map_kptr_access(env, regno, value_regno, insn_idx, kptr_field);
} else if (t == BPF_READ && value_regno >= 0) {
--
2.43.5
next prev parent reply other threads:[~2024-10-23 23:48 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-23 23:47 [PATCH v6 bpf-next 00/12] Share user memory to BPF program through task storage map Martin KaFai Lau
2024-10-23 23:47 ` [PATCH v6 bpf-next 01/12] bpf: Support __uptr type tag in BTF Martin KaFai Lau
2024-10-23 23:47 ` Martin KaFai Lau [this message]
2024-10-23 23:47 ` [PATCH v6 bpf-next 03/12] bpf: Add "bool swap_uptrs" arg to bpf_local_storage_update() and bpf_selem_alloc() Martin KaFai Lau
2024-10-23 23:47 ` [PATCH v6 bpf-next 04/12] bpf: Postpone bpf_selem_free() in bpf_selem_unlink_storage_nolock() Martin KaFai Lau
2024-10-23 23:47 ` [PATCH v6 bpf-next 05/12] bpf: Postpone bpf_obj_free_fields to the rcu callback Martin KaFai Lau
2024-10-23 23:47 ` [PATCH v6 bpf-next 06/12] bpf: Add uptr support in the map_value of the task local storage Martin KaFai Lau
2024-10-24 5:23 ` Shakeel Butt
2024-10-23 23:47 ` [PATCH v6 bpf-next 07/12] libbpf: define __uptr Martin KaFai Lau
2024-10-23 23:47 ` [PATCH v6 bpf-next 08/12] selftests/bpf: Some basic __uptr tests Martin KaFai Lau
2024-10-23 23:47 ` [PATCH v6 bpf-next 09/12] selftests/bpf: Test a uptr struct spanning across pages Martin KaFai Lau
2024-10-23 23:47 ` [PATCH v6 bpf-next 10/12] selftests/bpf: Add update_elem failure test for task storage uptr Martin KaFai Lau
2024-10-23 23:47 ` [PATCH v6 bpf-next 11/12] selftests/bpf: Add uptr failure verifier tests Martin KaFai Lau
2024-10-23 23:47 ` [PATCH v6 bpf-next 12/12] selftests/bpf: Create task_local_storage map with invalid uptr's struct Martin KaFai Lau
2024-10-24 17:40 ` [PATCH v6 bpf-next 00/12] Share user memory to BPF program through task storage map patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241023234759.860539-3-martin.lau@linux.dev \
--to=martin.lau@linux.dev \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kernel-team@meta.com \
--cc=thinker.li@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox