From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Yonghong Song <yhs@fb.com>, Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andriin@fb.com>, Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org, bpf@vger.kernel.org,
clang-built-linux@googlegroups.com
Subject: [PATCH AUTOSEL 5.9 060/147] bpf: Permit map_ptr arithmetic with opcode add and offset 0
Date: Mon, 26 Oct 2020 19:47:38 -0400 [thread overview]
Message-ID: <20201026234905.1022767-60-sashal@kernel.org> (raw)
In-Reply-To: <20201026234905.1022767-1-sashal@kernel.org>
From: Yonghong Song <yhs@fb.com>
[ Upstream commit 7c6967326267bd5c0dded0a99541357d70dd11ac ]
Commit 41c48f3a98231 ("bpf: Support access
to bpf map fields") added support to access map fields
with CORE support. For example,
struct bpf_map {
__u32 max_entries;
} __attribute__((preserve_access_index));
struct bpf_array {
struct bpf_map map;
__u32 elem_size;
} __attribute__((preserve_access_index));
struct {
__uint(type, BPF_MAP_TYPE_ARRAY);
__uint(max_entries, 4);
__type(key, __u32);
__type(value, __u32);
} m_array SEC(".maps");
SEC("cgroup_skb/egress")
int cg_skb(void *ctx)
{
struct bpf_array *array = (struct bpf_array *)&m_array;
/* .. array->map.max_entries .. */
}
In kernel, bpf_htab has similar structure,
struct bpf_htab {
struct bpf_map map;
...
}
In the above cg_skb(), to access array->map.max_entries, with CORE, the clang will
generate two builtin's.
base = &m_array;
/* access array.map */
map_addr = __builtin_preserve_struct_access_info(base, 0, 0);
/* access array.map.max_entries */
max_entries_addr = __builtin_preserve_struct_access_info(map_addr, 0, 0);
max_entries = *max_entries_addr;
In the current llvm, if two builtin's are in the same function or
in the same function after inlining, the compiler is smart enough to chain
them together and generates like below:
base = &m_array;
max_entries = *(base + reloc_offset); /* reloc_offset = 0 in this case */
and we are fine.
But if we force no inlining for one of functions in test_map_ptr() selftest, e.g.,
check_default(), the above two __builtin_preserve_* will be in two different
functions. In this case, we will have code like:
func check_hash():
reloc_offset_map = 0;
base = &m_array;
map_base = base + reloc_offset_map;
check_default(map_base, ...)
func check_default(map_base, ...):
max_entries = *(map_base + reloc_offset_max_entries);
In kernel, map_ptr (CONST_PTR_TO_MAP) does not allow any arithmetic.
The above "map_base = base + reloc_offset_map" will trigger a verifier failure.
; VERIFY(check_default(&hash->map, map));
0: (18) r7 = 0xffffb4fe8018a004
2: (b4) w1 = 110
3: (63) *(u32 *)(r7 +0) = r1
R1_w=invP110 R7_w=map_value(id=0,off=4,ks=4,vs=8,imm=0) R10=fp0
; VERIFY_TYPE(BPF_MAP_TYPE_HASH, check_hash);
4: (18) r1 = 0xffffb4fe8018a000
6: (b4) w2 = 1
7: (63) *(u32 *)(r1 +0) = r2
R1_w=map_value(id=0,off=0,ks=4,vs=8,imm=0) R2_w=invP1 R7_w=map_value(id=0,off=4,ks=4,vs=8,imm=0) R10=fp0
8: (b7) r2 = 0
9: (18) r8 = 0xffff90bcb500c000
11: (18) r1 = 0xffff90bcb500c000
13: (0f) r1 += r2
R1 pointer arithmetic on map_ptr prohibited
To fix the issue, let us permit map_ptr + 0 arithmetic which will
result in exactly the same map_ptr.
Signed-off-by: Yonghong Song <yhs@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Andrii Nakryiko <andriin@fb.com>
Link: https://lore.kernel.org/bpf/20200908175702.2463625-1-yhs@fb.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index fba52d9ec8fc4..8c0f605e5ee94 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5219,6 +5219,10 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
dst, reg_type_str[ptr_reg->type]);
return -EACCES;
case CONST_PTR_TO_MAP:
+ /* smin_val represents the known value */
+ if (known && smin_val == 0 && opcode == BPF_ADD)
+ break;
+ /* fall-through */
case PTR_TO_PACKET_END:
case PTR_TO_SOCKET:
case PTR_TO_SOCKET_OR_NULL:
--
2.25.1
next prev parent reply other threads:[~2020-10-27 0:42 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20201026234905.1022767-1-sashal@kernel.org>
2020-10-26 23:47 ` [PATCH AUTOSEL 5.9 030/147] ath10k: fix retry packets update in station dump Sasha Levin
2020-10-26 23:47 ` [PATCH AUTOSEL 5.9 035/147] ath10k: start recovery process when payload length exceeds max htc length for sdio Sasha Levin
2020-10-26 23:47 ` [PATCH AUTOSEL 5.9 036/147] ath10k: fix VHT NSS calculation when STBC is enabled Sasha Levin
2020-10-26 23:47 ` [PATCH AUTOSEL 5.9 053/147] brcmfmac: increase F2 watermark for BCM4329 Sasha Levin
2020-10-26 23:47 ` [PATCH AUTOSEL 5.9 054/147] sfc: add and use efx_tx_send_pending in tx.c Sasha Levin
2020-10-27 13:24 ` Edward Cree
2020-11-01 23:52 ` Sasha Levin
2020-10-26 23:47 ` Sasha Levin [this message]
2020-10-26 23:47 ` [PATCH AUTOSEL 5.9 066/147] nfc: s3fwrn5: Add missing CRYPTO_HASH dependency Sasha Levin
2020-10-26 23:47 ` [PATCH AUTOSEL 5.9 067/147] selftests/bpf: Define string const as global for test_sysctl_prog.c Sasha Levin
2020-10-26 23:47 ` [PATCH AUTOSEL 5.9 069/147] samples/bpf: Fix possible deadlock in xdpsock Sasha Levin
2020-10-26 23:47 ` [PATCH AUTOSEL 5.9 077/147] mac80211: add missing queue/hash initialization to 802.3 xmit Sasha Levin
2020-10-26 23:47 ` [PATCH AUTOSEL 5.9 079/147] SUNRPC: Mitigate cond_resched() in xprt_transmit() Sasha Levin
2020-10-26 23:48 ` [PATCH AUTOSEL 5.9 082/147] can: flexcan: disable clocks during stop mode Sasha Levin
2020-10-26 23:48 ` [PATCH AUTOSEL 5.9 088/147] octeontx2-af: fix LD CUSTOM LTYPE aliasing Sasha Levin
2020-10-26 23:48 ` [PATCH AUTOSEL 5.9 090/147] brcmfmac: Fix warning message after dongle setup failed Sasha Levin
2020-10-26 23:48 ` [PATCH AUTOSEL 5.9 091/147] ath11k: Use GFP_ATOMIC instead of GFP_KERNEL in ath11k_dp_htt_get_ppdu_desc Sasha Levin
2020-10-26 23:48 ` [PATCH AUTOSEL 5.9 092/147] ath11k: fix warning caused by lockdep_assert_held Sasha Levin
2020-10-26 23:48 ` [PATCH AUTOSEL 5.9 093/147] ath11k: change to disable softirqs for ath11k_regd_update to solve deadlock Sasha Levin
2020-10-26 23:48 ` [PATCH AUTOSEL 5.9 094/147] drivers/net/wan/hdlc_fr: Correctly handle special skb->protocol values Sasha Levin
2020-10-26 23:48 ` [PATCH AUTOSEL 5.9 107/147] bnxt_en: Log unknown link speed appropriately Sasha Levin
2020-10-26 23:48 ` [PATCH AUTOSEL 5.9 115/147] net: 9p: initialize sun_server.sun_path to have addr's value only when addr is valid Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201026234905.1022767-60-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=andriin@fb.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=clang-built-linux@googlegroups.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).