From: Yonghong Song <yonghong.song@linux.dev>
To: Amery Hung <amery.hung@bytedance.com>, netdev@vger.kernel.org
Cc: bpf@vger.kernel.org, daniel@iogearbox.net, andrii@kernel.org,
alexei.starovoitov@gmail.com, martin.lau@kernel.org,
sinquersw@gmail.com, toke@redhat.com, jhs@mojatatu.com,
jiri@resnulli.us, stfomichev@gmail.com,
ekarani.silvestre@ccc.ufcg.edu.br, yangpeihao@sjtu.edu.cn,
xiyou.wangcong@gmail.com, yepeilin.cs@gmail.com,
ameryhung@gmail.com
Subject: Re: [PATCH bpf-next v1 02/13] selftests/bpf: Test referenced kptr arguments of struct_ops programs
Date: Wed, 18 Dec 2024 19:40:59 -0800 [thread overview]
Message-ID: <dd5e82d1-d00a-4bda-be4b-802204167352@linux.dev> (raw)
In-Reply-To: <20241213232958.2388301-3-amery.hung@bytedance.com>
On 12/13/24 3:29 PM, Amery Hung wrote:
> Test referenced kptr acquired through struct_ops argument tagged with
> "__ref". The success case checks whether 1) a reference to the correct
> type is acquired, and 2) the referenced kptr argument can be accessed in
> multiple paths as long as it hasn't been released. In the fail cases,
> we first confirm that a referenced kptr acquried through a struct_ops
> argument is not allowed to be leaked. Then, we make sure this new
> referenced kptr acquiring mechanism does not accidentally allow referenced
> kptrs to flow into global subprograms through their arguments.
>
> Signed-off-by: Amery Hung <amery.hung@bytedance.com>
> ---
> .../selftests/bpf/bpf_testmod/bpf_testmod.c | 7 ++
> .../selftests/bpf/bpf_testmod/bpf_testmod.h | 2 +
> .../prog_tests/test_struct_ops_refcounted.c | 58 ++++++++++++++++
> .../bpf/progs/struct_ops_refcounted.c | 67 +++++++++++++++++++
> ...ruct_ops_refcounted_fail__global_subprog.c | 32 +++++++++
> .../struct_ops_refcounted_fail__ref_leak.c | 17 +++++
> 6 files changed, 183 insertions(+)
> create mode 100644 tools/testing/selftests/bpf/prog_tests/test_struct_ops_refcounted.c
> create mode 100644 tools/testing/selftests/bpf/progs/struct_ops_refcounted.c
> create mode 100644 tools/testing/selftests/bpf/progs/struct_ops_refcounted_fail__global_subprog.c
> create mode 100644 tools/testing/selftests/bpf/progs/struct_ops_refcounted_fail__ref_leak.c
>
> diff --git a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c
> index 987d41af71d2..244234546ae2 100644
> --- a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c
> +++ b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c
> @@ -1135,10 +1135,17 @@ static int bpf_testmod_ops__test_maybe_null(int dummy,
> return 0;
> }
>
> +static int bpf_testmod_ops__test_refcounted(int dummy,
> + struct task_struct *task__ref)
> +{
> + return 0;
> +}
> +
> static struct bpf_testmod_ops __bpf_testmod_ops = {
> .test_1 = bpf_testmod_test_1,
> .test_2 = bpf_testmod_test_2,
> .test_maybe_null = bpf_testmod_ops__test_maybe_null,
> + .test_refcounted = bpf_testmod_ops__test_refcounted,
> };
>
> struct bpf_struct_ops bpf_bpf_testmod_ops = {
> diff --git a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.h b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.h
> index fb7dff47597a..0e31586c1353 100644
> --- a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.h
> +++ b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.h
> @@ -36,6 +36,8 @@ struct bpf_testmod_ops {
> /* Used to test nullable arguments. */
> int (*test_maybe_null)(int dummy, struct task_struct *task);
> int (*unsupported_ops)(void);
> + /* Used to test ref_acquired arguments. */
> + int (*test_refcounted)(int dummy, struct task_struct *task);
>
> /* The following fields are used to test shadow copies. */
> char onebyte;
> diff --git a/tools/testing/selftests/bpf/prog_tests/test_struct_ops_refcounted.c b/tools/testing/selftests/bpf/prog_tests/test_struct_ops_refcounted.c
> new file mode 100644
> index 000000000000..976df951b700
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/test_struct_ops_refcounted.c
> @@ -0,0 +1,58 @@
> +#include <test_progs.h>
> +
> +#include "struct_ops_refcounted.skel.h"
> +#include "struct_ops_refcounted_fail__ref_leak.skel.h"
> +#include "struct_ops_refcounted_fail__global_subprog.skel.h"
> +
> +/* Test that the verifier accepts a program that first acquires a referenced
> + * kptr through context and then releases the reference
> + */
> +static void refcounted(void)
> +{
> + struct struct_ops_refcounted *skel;
> +
> + skel = struct_ops_refcounted__open_and_load();
> + if (!ASSERT_OK_PTR(skel, "struct_ops_module_open_and_load"))
> + return;
> +
> + struct_ops_refcounted__destroy(skel);
> +}
> +
> +/* Test that the verifier rejects a program that acquires a referenced
> + * kptr through context without releasing the reference
> + */
> +static void refcounted_fail__ref_leak(void)
> +{
> + struct struct_ops_refcounted_fail__ref_leak *skel;
> +
> + skel = struct_ops_refcounted_fail__ref_leak__open_and_load();
> + if (ASSERT_ERR_PTR(skel, "struct_ops_module_fail__open_and_load"))
> + return;
> +
> + struct_ops_refcounted_fail__ref_leak__destroy(skel);
> +}
> +
> +/* Test that the verifier rejects a program that contains a global
> + * subprogram with referenced kptr arguments
> + */
> +static void refcounted_fail__global_subprog(void)
> +{
> + struct struct_ops_refcounted_fail__global_subprog *skel;
> +
> + skel = struct_ops_refcounted_fail__global_subprog__open_and_load();
> + if (ASSERT_ERR_PTR(skel, "struct_ops_module_fail__open_and_load"))
> + return;
> +
> + struct_ops_refcounted_fail__global_subprog__destroy(skel);
> +}
> +
> +void test_struct_ops_refcounted(void)
> +{
> + if (test__start_subtest("refcounted"))
> + refcounted();
> + if (test__start_subtest("refcounted_fail__ref_leak"))
> + refcounted_fail__ref_leak();
> + if (test__start_subtest("refcounted_fail__global_subprog"))
> + refcounted_fail__global_subprog();
> +}
> +
> diff --git a/tools/testing/selftests/bpf/progs/struct_ops_refcounted.c b/tools/testing/selftests/bpf/progs/struct_ops_refcounted.c
> new file mode 100644
> index 000000000000..2c1326668b92
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/progs/struct_ops_refcounted.c
> @@ -0,0 +1,67 @@
> +#include <vmlinux.h>
> +#include <bpf/bpf_tracing.h>
> +#include "../bpf_testmod/bpf_testmod.h"
> +#include "bpf_misc.h"
> +
> +char _license[] SEC("license") = "GPL";
> +
> +extern void bpf_task_release(struct task_struct *p) __ksym;
> +
> +/* This is a test BPF program that uses struct_ops to access a referenced
> + * kptr argument. This is a test for the verifier to ensure that it
> + * 1) recongnizes the task as a referenced object (i.e., ref_obj_id > 0), and
> + * 2) the same reference can be acquired from multiple paths as long as it
> + * has not been released.
> + *
> + * test_refcounted() is equivalent to the C code below. It is written in assembly
> + * to avoid reads from task (i.e., getting referenced kptrs to task) being merged
> + * into single path by the compiler.
> + *
> + * int test_refcounted(int dummy, struct task_struct *task)
> + * {
> + * if (dummy % 2)
> + * bpf_task_release(task);
> + * else
> + * bpf_task_release(task);
> + * return 0;
> + * }
> + */
> +SEC("struct_ops/test_refcounted")
> +int test_refcounted(unsigned long long *ctx)
> +{
> + asm volatile (" \
> + /* r6 = dummy */ \
> + r6 = *(u64 *)(r1 + 0x0); \
> + /* if (r6 & 0x1 != 0) */ \
> + r6 &= 0x1; \
> + if r6 == 0 goto l0_%=; \
> + /* r1 = task */ \
> + r1 = *(u64 *)(r1 + 0x8); \
> + call %[bpf_task_release]; \
> + goto l1_%=; \
> +l0_%=: /* r1 = task */ \
> + r1 = *(u64 *)(r1 + 0x8); \
> + call %[bpf_task_release]; \
> +l1_%=: /* return 0 */ \
> +" :
> + : __imm(bpf_task_release)
> + : __clobber_all);
> + return 0;
> +}
You can use clang nomerge attribute to prevent bpf_task_release(task) merging. For example,
$ cat t.c
struct task_struct {
int a;
int b;
int d[20];
};
__attribute__((nomerge)) extern void bpf_task_release(struct task_struct *task);
int test_refcounted(int dummy, struct task_struct *task)
{
if (dummy % 2)
bpf_task_release(task);
else
bpf_task_release(task);
return 0;
}
$ clang --version
clang version 19.1.5 (https://github.com/llvm/llvm-project.git ab4b5a2db582958af1ee308a790cfdb42bd24720)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /home/yhs/work/llvm-project/llvm/build.19/Release/bin
$ clang --target=bpf -O2 -mcpu=v3 -S t.c
$ cat t.s
.text
.file "t.c"
.globl test_refcounted # -- Begin function test_refcounted
.p2align 3
.type test_refcounted,@function
test_refcounted: # @test_refcounted
# %bb.0:
w1 &= 1
if w1 == 0 goto LBB0_2
# %bb.1:
r1 = r2
call bpf_task_release
goto LBB0_3
LBB0_2:
r1 = r2
call bpf_task_release
LBB0_3:
w0 = 0
exit
.Lfunc_end0:
.size test_refcounted, .Lfunc_end0-test_refcounted
# -- End function
.addrsig
> +
> +/* BTF FUNC records are not generated for kfuncs referenced
> + * from inline assembly. These records are necessary for
> + * libbpf to link the program. The function below is a hack
> + * to ensure that BTF FUNC records are generated.
> + */
> +void __btf_root(void)
> +{
> + bpf_task_release(NULL);
> +}
> +
> +SEC(".struct_ops.link")
> +struct bpf_testmod_ops testmod_refcounted = {
> + .test_refcounted = (void *)test_refcounted,
> +};
> +
> +
> diff --git a/tools/testing/selftests/bpf/progs/struct_ops_refcounted_fail__global_subprog.c b/tools/testing/selftests/bpf/progs/struct_ops_refcounted_fail__global_subprog.c
> new file mode 100644
> index 000000000000..c7e84e63b053
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/progs/struct_ops_refcounted_fail__global_subprog.c
> @@ -0,0 +1,32 @@
> +#include <vmlinux.h>
> +#include <bpf/bpf_tracing.h>
> +#include "../bpf_testmod/bpf_testmod.h"
> +
> +char _license[] SEC("license") = "GPL";
> +
> +extern void bpf_task_release(struct task_struct *p) __ksym;
> +
> +__noinline int subprog_release(__u64 *ctx __arg_ctx)
> +{
> + struct task_struct *task = (struct task_struct *)ctx[1];
> + int dummy = (int)ctx[0];
> +
> + bpf_task_release(task);
> +
> + return dummy + 1;
> +}
> +
> +SEC("struct_ops/test_refcounted")
> +int test_refcounted(unsigned long long *ctx)
> +{
> + struct task_struct *task = (struct task_struct *)ctx[1];
> +
> + bpf_task_release(task);
> +
> + return subprog_release(ctx);
> +}
> +
> +SEC(".struct_ops.link")
> +struct bpf_testmod_ops testmod_ref_acquire = {
> + .test_refcounted = (void *)test_refcounted,
> +};
> diff --git a/tools/testing/selftests/bpf/progs/struct_ops_refcounted_fail__ref_leak.c b/tools/testing/selftests/bpf/progs/struct_ops_refcounted_fail__ref_leak.c
> new file mode 100644
> index 000000000000..6e82859eb187
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/progs/struct_ops_refcounted_fail__ref_leak.c
> @@ -0,0 +1,17 @@
> +#include <vmlinux.h>
> +#include <bpf/bpf_tracing.h>
> +#include "../bpf_testmod/bpf_testmod.h"
> +
> +char _license[] SEC("license") = "GPL";
> +
> +SEC("struct_ops/test_refcounted")
> +int BPF_PROG(test_refcounted, int dummy,
> + struct task_struct *task)
> +{
> + return 0;
> +}
> +
> +SEC(".struct_ops.link")
> +struct bpf_testmod_ops testmod_ref_acquire = {
> + .test_refcounted = (void *)test_refcounted,
> +};
next prev parent reply other threads:[~2024-12-19 3:41 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-13 23:29 [PATCH bpf-next v1 00/13] bpf qdisc Amery Hung
2024-12-13 23:29 ` [PATCH bpf-next v1 01/13] bpf: Support getting referenced kptr from struct_ops argument Amery Hung
2024-12-18 0:58 ` Martin KaFai Lau
2024-12-18 1:24 ` Alexei Starovoitov
2024-12-18 16:09 ` Amery Hung
2024-12-18 17:20 ` Alexei Starovoitov
2024-12-18 1:44 ` Jakub Kicinski
2024-12-18 16:57 ` Amery Hung
2024-12-19 23:06 ` Martin KaFai Lau
2024-12-13 23:29 ` [PATCH bpf-next v1 02/13] selftests/bpf: Test referenced kptr arguments of struct_ops programs Amery Hung
2024-12-18 1:17 ` Martin KaFai Lau
2024-12-18 16:10 ` Amery Hung
2024-12-19 3:40 ` Yonghong Song [this message]
2024-12-19 20:49 ` Amery Hung
2024-12-13 23:29 ` [PATCH bpf-next v1 03/13] bpf: Allow struct_ops prog to return referenced kptr Amery Hung
2024-12-18 22:29 ` Martin KaFai Lau
2024-12-13 23:29 ` [PATCH bpf-next v1 04/13] selftests/bpf: Test returning referenced kptr from struct_ops programs Amery Hung
2024-12-13 23:29 ` [PATCH bpf-next v1 05/13] bpf: net_sched: Support implementation of Qdisc_ops in bpf Amery Hung
2024-12-14 4:51 ` Cong Wang
2024-12-18 23:37 ` Martin KaFai Lau
2024-12-13 23:29 ` [PATCH bpf-next v1 06/13] bpf: net_sched: Add basic bpf qdisc kfuncs Amery Hung
2024-12-18 17:11 ` Amery Hung
2024-12-19 7:37 ` Martin KaFai Lau
2024-12-20 0:32 ` Amery Hung
2024-12-13 23:29 ` [PATCH bpf-next v1 07/13] bpf: net_sched: Add a qdisc watchdog timer Amery Hung
2024-12-19 1:16 ` Martin KaFai Lau
2024-12-20 19:24 ` Amery Hung
2024-12-13 23:29 ` [PATCH bpf-next v1 08/13] bpf: net_sched: Support updating bstats Amery Hung
2024-12-13 23:29 ` [PATCH bpf-next v1 09/13] bpf: net_sched: Support updating qstats Amery Hung
2024-12-13 23:29 ` [PATCH bpf-next v1 10/13] bpf: net_sched: Allow writing to more Qdisc members Amery Hung
2024-12-13 23:29 ` [PATCH bpf-next v1 11/13] libbpf: Support creating and destroying qdisc Amery Hung
2024-12-17 18:32 ` Andrii Nakryiko
2024-12-17 19:08 ` Amery Hung
2024-12-13 23:29 ` [PATCH bpf-next v1 12/13] selftests: Add a basic fifo qdisc test Amery Hung
2024-12-13 23:29 ` [PATCH bpf-next v1 13/13] selftests: Add a bpf fq qdisc to selftest Amery Hung
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=dd5e82d1-d00a-4bda-be4b-802204167352@linux.dev \
--to=yonghong.song@linux.dev \
--cc=alexei.starovoitov@gmail.com \
--cc=amery.hung@bytedance.com \
--cc=ameryhung@gmail.com \
--cc=andrii@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=ekarani.silvestre@ccc.ufcg.edu.br \
--cc=jhs@mojatatu.com \
--cc=jiri@resnulli.us \
--cc=martin.lau@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=sinquersw@gmail.com \
--cc=stfomichev@gmail.com \
--cc=toke@redhat.com \
--cc=xiyou.wangcong@gmail.com \
--cc=yangpeihao@sjtu.edu.cn \
--cc=yepeilin.cs@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).