From: Jakub Kicinski <jakub.kicinski@netronome.com>
To: netdev@vger.kernel.org
Cc: ast@kernel.org, daniel@iogearbox.net, jiri@resnulli.us,
john.fastabend@gmail.com, kubakici@wp.pl,
Jakub Kicinski <jakub.kicinski@netronome.com>
Subject: [PATCHv3 net-next 04/15] bpf: don't (ab)use instructions to store state
Date: Wed, 14 Sep 2016 20:00:12 +0100 [thread overview]
Message-ID: <1473879623-15382-5-git-send-email-jakub.kicinski@netronome.com> (raw)
In-Reply-To: <1473879623-15382-1-git-send-email-jakub.kicinski@netronome.com>
Storing state in reserved fields of instructions makes
it impossible to run validator on programs already
marked as read-only. Allocate and use an array of
per-instruction state instead.
While touching the error path rename and move existing
jump target.
Suggested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
---
v3:
- new patch.
---
kernel/bpf/verifier.c | 51 ++++++++++++++++++++++++++++++++-------------------
1 file changed, 32 insertions(+), 19 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 086b3979380c..ce9c0d1721c6 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -181,6 +181,10 @@ struct verifier_stack_elem {
struct verifier_stack_elem *next;
};
+struct bpf_insn_aux_data {
+ enum bpf_reg_type ptr_type; /* pointer type for load/store insns */
+};
+
#define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */
/* single container for all structs
@@ -196,6 +200,7 @@ struct verifier_env {
u32 used_map_cnt; /* number of used maps */
u32 id_gen; /* used to generate unique reg IDs */
bool allow_ptr_leaks;
+ struct bpf_insn_aux_data *insn_aux_data; /* array of per-insn state */
};
#define BPF_COMPLEXITY_LIMIT_INSNS 65536
@@ -2340,7 +2345,7 @@ static int do_check(struct verifier_env *env)
return err;
} else if (class == BPF_LDX) {
- enum bpf_reg_type src_reg_type;
+ enum bpf_reg_type *prev_src_type, src_reg_type;
/* check for reserved fields is already done */
@@ -2370,16 +2375,18 @@ static int do_check(struct verifier_env *env)
continue;
}
- if (insn->imm == 0) {
+ prev_src_type = &env->insn_aux_data[insn_idx].ptr_type;
+
+ if (*prev_src_type == NOT_INIT) {
/* saw a valid insn
* dst_reg = *(u32 *)(src_reg + off)
- * use reserved 'imm' field to mark this insn
+ * save type to validate intersecting paths
*/
- insn->imm = src_reg_type;
+ *prev_src_type = src_reg_type;
- } else if (src_reg_type != insn->imm &&
+ } else if (src_reg_type != *prev_src_type &&
(src_reg_type == PTR_TO_CTX ||
- insn->imm == PTR_TO_CTX)) {
+ *prev_src_type == PTR_TO_CTX)) {
/* ABuser program is trying to use the same insn
* dst_reg = *(u32*) (src_reg + off)
* with different pointer types:
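Review bot: The `*prev_src_type == NOT_INIT` test treats a freshly allocated aux entry as "not seen yet", which only holds if NOT_INIT is the zero value of enum bpf_reg_type, because bpf_check() fills the array with vzalloc(). The enum definition is not visible in this patch, so the dependency is implicit, and the BPF_STX hunk repeats it with `*prev_dst_type == NOT_INIT`. I would record it where the field is declared, e.g. `enum bpf_reg_type ptr_type; /* pointer type for load/store insns; array is zeroed, so NOT_INIT (0) means insn not yet visited */`. That way a later reordering of the enum cannot silently disable the mixed-pointer-type rejection. do_check() starts and ends outside this hunk.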
@@ -2392,7 +2399,7 @@ static int do_check(struct verifier_env *env)
}
} else if (class == BPF_STX) {
- enum bpf_reg_type dst_reg_type;
+ enum bpf_reg_type *prev_dst_type, dst_reg_type;
if (BPF_MODE(insn->code) == BPF_XADD) {
err = check_xadd(env, insn);
@@ -2420,11 +2427,13 @@ static int do_check(struct verifier_env *env)
if (err)
return err;
- if (insn->imm == 0) {
- insn->imm = dst_reg_type;
- } else if (dst_reg_type != insn->imm &&
+ prev_dst_type = &env->insn_aux_data[insn_idx].ptr_type;
+
+ if (*prev_dst_type == NOT_INIT) {
+ *prev_dst_type = dst_reg_type;
+ } else if (dst_reg_type != *prev_dst_type &&
(dst_reg_type == PTR_TO_CTX ||
- insn->imm == PTR_TO_CTX)) {
+ *prev_dst_type == PTR_TO_CTX)) {
verbose("same insn cannot be used with different pointers\n");
return -EINVAL;
}
@@ -2703,11 +2712,8 @@ static int convert_ctx_accesses(struct verifier_env *env)
else
continue;
- if (insn->imm != PTR_TO_CTX) {
- /* clear internal mark */
- insn->imm = 0;
+ if (env->insn_aux_data[i].ptr_type != PTR_TO_CTX)
continue;
- }
cnt = env->prog->aux->ops->
convert_ctx_access(type, insn->dst_reg, insn->src_reg,
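Review bot: `env->insn_aux_data[i]` is only valid while `i` is still the instruction index that do_check() recorded against, and the array is sized from the original `(*prog)->len` in bpf_check(). The rest of this loop is outside the hunk, but if it rewrites the program in place and advances `i` past the instructions it inserted, every lookup after the first conversion reads the entry of a different instruction and can eventually index beyond the allocation. The old `insn->imm` mark travelled with the instruction, so it did not have this problem. I would index the aux array with the original position and keep a separate running offset for the patched program, e.g. `insn_delta += cnt - 1;`, with the patch call and the `insn` pointer using `i + insn_delta`. A skipped or misplaced ctx conversion here is a verifier-correctness problem rather than a cosmetic one.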
@@ -2772,6 +2778,11 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr)
if (!env)
return -ENOMEM;
+ env->insn_aux_data = vzalloc(sizeof(struct bpf_insn_aux_data) *
+ (*prog)->len);
+ ret = -ENOMEM;
+ if (!env->insn_aux_data)
+ goto err_free_env;
env->prog = *prog;
/* grab the mutex to protect few globals used by verifier */
@@ -2790,12 +2801,12 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr)
/* log_* values have to be sane */
if (log_size < 128 || log_size > UINT_MAX >> 8 ||
log_level == 0 || log_ubuf == NULL)
- goto free_env;
+ goto err_unlock;
ret = -ENOMEM;
log_buf = vmalloc(log_size);
if (!log_buf)
- goto free_env;
+ goto err_unlock;
} else {
log_level = 0;
}
@@ -2864,14 +2875,16 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr)
free_log_buf:
if (log_level)
vfree(log_buf);
-free_env:
if (!env->prog->aux->used_maps)
/* if we didn't copy map pointers into bpf_prog_info, release
* them now. Otherwise free_bpf_prog_info() will release them.
*/
release_maps(env);
*prog = env->prog;
- kfree(env);
+err_unlock:
mutex_unlock(&bpf_verifier_lock);
+ vfree(env->insn_aux_data);
+err_free_env:
+ kfree(env);
return ret;
}
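Review bot: `err_unlock` now sits below `release_maps(env)` and `*prog = env->prog`, so the two log-setup failures that jump to it skip both statements, where the old `free_env` label ran them. That looks equivalent only because nothing before those gotos appears to take map references or replace the program, and the ordering requirement is not written down anywhere. A short comment on the label would keep it safe for later edits, e.g. `/* reached only before any maps are held or env->prog is replaced */`. It may also be worth giving `free_log_buf` the same `err_` prefix so the three labels read as one unwind sequence.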
--
1.9.1
2016-09-14 19:00 [PATCHv3 net-next 00/15] BPF hardware offload (cls_bpf for now) Jakub Kicinski
2016-09-14 19:00 ` [PATCHv3 net-next 01/15] net: cls_bpf: add hardware offload Jakub Kicinski
2016-09-14 19:00 ` [PATCHv3 net-next 02/15] net: cls_bpf: limit hardware offload by software-only flag Jakub Kicinski
2016-09-14 19:00 ` [PATCHv3 net-next 03/15] net: cls_bpf: add support for marking filters as hardware-only Jakub Kicinski
2016-09-14 19:00 ` Jakub Kicinski [this message]
2016-09-14 22:58 ` [PATCHv3 net-next 04/15] bpf: don't (ab)use instructions to store state Alexei Starovoitov
2016-09-14 19:00 ` [PATCHv3 net-next 05/15] bpf: enable non-core use of the verfier Jakub Kicinski
2016-09-14 23:05 ` Alexei Starovoitov
2016-09-15 7:52 ` Jakub Kicinski
2016-09-14 19:00 ` [PATCHv3 net-next 06/15] bpf: prefix structures in bpf_parser.h with bpf_ Jakub Kicinski
2016-09-14 19:00 ` [PATCHv3 net-next 07/15] bpf: recognize 64bit immediate loads as consts Jakub Kicinski
2016-09-14 19:00 ` [PATCHv3 net-next 08/15] nfp: add BPF to NFP code translator Jakub Kicinski
2016-09-14 23:15 ` Alexei Starovoitov
2016-09-15 7:53 ` Jakub Kicinski
2016-09-14 19:00 ` [PATCHv3 net-next 09/15] nfp: bpf: add hardware bpf offload Jakub Kicinski
2016-09-14 19:00 ` [PATCHv3 net-next 10/15] net: cls_bpf: allow offloaded filters to update stats Jakub Kicinski
2016-09-14 19:00 ` [PATCHv3 net-next 11/15] net: bpf: " Jakub Kicinski
2016-09-14 19:00 ` [PATCHv3 net-next 12/15] nfp: bpf: add packet marking support Jakub Kicinski
2016-09-14 19:00 ` [PATCHv3 net-next 13/15] net: act_mirred: allow statistic updates from offloaded actions Jakub Kicinski
2016-09-14 19:00 ` [PATCHv3 net-next 14/15] nfp: bpf: add support for legacy redirect action Jakub Kicinski
2016-09-14 19:00 ` [PATCHv3 net-next 15/15] nfp: bpf: add offload of TC direct action mode Jakub Kicinski