Commit 99845220 authored by Jakub Kicinski's avatar Jakub Kicinski
Browse files

Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf 

Daniel Borkmann says:

====================
pull-request: bpf 2022-01-19

We've added 12 non-merge commits during the last 8 day(s) which contain
a total of 12 files changed, 262 insertions(+), 64 deletions(-).

The main changes are:

1) Various verifier fixes mainly around register offset handling when
   passed to helper functions, from Daniel Borkmann.

2) Fix XDP BPF link handling to assert program type,
   from Toke Høiland-Jørgensen.

3) Fix regression in mount parameter handling for BPF fs,
   from Yafang Shao.

4) Fix incorrect integer literal when marking scratched stack slots
   in verifier, from Christy Lee.

* https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
  bpf, selftests: Add ringbuf memory type confusion test
  bpf, selftests: Add various ringbuf tests with invalid offset
  bpf: Fix ringbuf memory type confusion when passing to helpers
  bpf: Fix out of bounds access for ringbuf helpers
  bpf: Generally fix helper register offset check
  bpf: Mark PTR_TO_FUNC register initially with zero offset
  bpf: Generalize check_ctx_reg for reuse with other types
  bpf: Fix incorrect integer literal used for marking scratched stack.
  bpf/selftests: Add check for updating XDP bpf_link with wrong program type
  bpf/selftests: convert xdp_link test to ASSERT_* macros
  xdp: check prog type before updating BPF link
  bpf: Fix mount source show for bpffs
====================

Link: https://lore.kernel.org/r/20220119011825.9082-1-daniel@iogearbox.net


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents 2836615a 37c8d480

include/linux/bpf.h

+7 −2
Original line number Diff line number Diff line
@@ -316,7 +316,12 @@ enum bpf_type_flag { 
	 */

	MEM_RDONLY		= BIT(1 + BPF_BASE_TYPE_BITS),



	__BPF_TYPE_LAST_FLAG	= MEM_RDONLY,

	/* MEM was "allocated" from a different helper, and cannot be mixed

	 * with regular non-MEM_ALLOC'ed MEM types.

	 */

	MEM_ALLOC		= BIT(2 + BPF_BASE_TYPE_BITS),



	__BPF_TYPE_LAST_FLAG	= MEM_ALLOC,

};



/* Max number of base types. */
@@ -400,7 +405,7 @@ enum bpf_return_type { 
	RET_PTR_TO_SOCKET_OR_NULL	= PTR_MAYBE_NULL | RET_PTR_TO_SOCKET,

	RET_PTR_TO_TCP_SOCK_OR_NULL	= PTR_MAYBE_NULL | RET_PTR_TO_TCP_SOCK,

	RET_PTR_TO_SOCK_COMMON_OR_NULL	= PTR_MAYBE_NULL | RET_PTR_TO_SOCK_COMMON,

	RET_PTR_TO_ALLOC_MEM_OR_NULL	= PTR_MAYBE_NULL | RET_PTR_TO_ALLOC_MEM,

	RET_PTR_TO_ALLOC_MEM_OR_NULL	= PTR_MAYBE_NULL | MEM_ALLOC | RET_PTR_TO_ALLOC_MEM,

	RET_PTR_TO_BTF_ID_OR_NULL	= PTR_MAYBE_NULL | RET_PTR_TO_BTF_ID,



	/* This must be the last entry. Its purpose is to ensure the enum is

include/linux/bpf_verifier.h

+2 −2
Original line number Diff line number Diff line
@@ -519,7 +519,7 @@ bpf_prog_offload_replace_insn(struct bpf_verifier_env *env, u32 off, 
void

bpf_prog_offload_remove_insns(struct bpf_verifier_env *env, u32 off, u32 cnt);



int check_ctx_reg(struct bpf_verifier_env *env,

int check_ptr_off_reg(struct bpf_verifier_env *env,

		      const struct bpf_reg_state *reg, int regno);

int check_mem_reg(struct bpf_verifier_env *env, struct bpf_reg_state *reg,

		   u32 regno, u32 mem_size);

kernel/bpf/btf.c

+1 −1
Original line number Diff line number Diff line
@@ -5686,7 +5686,7 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env, 
					i, btf_type_str(t));

				return -EINVAL;

			}

			if (check_ctx_reg(env, reg, regno))

			if (check_ptr_off_reg(env, reg, regno))

				return -EINVAL;

		} else if (is_kfunc && (reg->type == PTR_TO_BTF_ID || reg2btf_ids[reg->type])) {

			const struct btf_type *reg_ref_t;

kernel/bpf/inode.c

+12 −2
Original line number Diff line number Diff line
@@ -648,12 +648,22 @@ static int bpf_parse_param(struct fs_context *fc, struct fs_parameter *param) 
	int opt;



	opt = fs_parse(fc, bpf_fs_parameters, param, &result);

	if (opt < 0)

	if (opt < 0) {

		/* We might like to report bad mount options here, but

		 * traditionally we've ignored all mount options, so we'd

		 * better continue to ignore non-existing options for bpf.

		 */

		return opt == -ENOPARAM ? 0 : opt;

		if (opt == -ENOPARAM) {

			opt = vfs_parse_fs_param_source(fc, param);

			if (opt != -ENOPARAM)

				return opt;



			return 0;

		}



		if (opt < 0)

			return opt;

	}



	switch (opt) {

	case OPT_MODE:

kernel/bpf/verifier.c

+56 −25
Original line number Diff line number Diff line
@@ -570,6 +570,8 @@ static const char *reg_type_str(struct bpf_verifier_env *env, 


	if (type & MEM_RDONLY)

		strncpy(prefix, "rdonly_", 16);

	if (type & MEM_ALLOC)

		strncpy(prefix, "alloc_", 16);



	snprintf(env->type_str_buf, TYPE_STR_BUF_LEN, "%s%s%s",

		 prefix, str[base_type(type)], postfix);
@@ -616,7 +618,7 @@ static void mark_reg_scratched(struct bpf_verifier_env *env, u32 regno) 


static void mark_stack_slot_scratched(struct bpf_verifier_env *env, u32 spi)

{

	env->scratched_stack_slots |= 1UL << spi;

	env->scratched_stack_slots |= 1ULL << spi;

}



static bool reg_scratched(const struct bpf_verifier_env *env, u32 regno)
@@ -637,14 +639,14 @@ static bool verifier_state_scratched(const struct bpf_verifier_env *env) 
static void mark_verifier_state_clean(struct bpf_verifier_env *env)

{

	env->scratched_regs = 0U;

	env->scratched_stack_slots = 0UL;

	env->scratched_stack_slots = 0ULL;

}



/* Used for printing the entire verifier state. */

static void mark_verifier_state_scratched(struct bpf_verifier_env *env)

{

	env->scratched_regs = ~0U;

	env->scratched_stack_slots = ~0UL;

	env->scratched_stack_slots = ~0ULL;

}



/* The reg state of a pointer or a bounded scalar was saved when
@@ -3969,16 +3971,17 @@ static int get_callee_stack_depth(struct bpf_verifier_env *env, 
}

#endif



int check_ctx_reg(struct bpf_verifier_env *env,

		  const struct bpf_reg_state *reg, int regno)

static int __check_ptr_off_reg(struct bpf_verifier_env *env,

			       const struct bpf_reg_state *reg, int regno,

			       bool fixed_off_ok)

{

	/* Access to ctx or passing it to a helper is only allowed in

	 * its original, unmodified form.

	/* Access to this pointer-typed register or passing it to a helper

	 * is only allowed in its original, unmodified form.

	 */



	if (reg->off) {

		verbose(env, "dereference of modified ctx ptr R%d off=%d disallowed\n",

			regno, reg->off);

	if (!fixed_off_ok && reg->off) {

		verbose(env, "dereference of modified %s ptr R%d off=%d disallowed\n",

			reg_type_str(env, reg->type), regno, reg->off);

		return -EACCES;

	}
@@ -3986,13 +3989,20 @@ int check_ctx_reg(struct bpf_verifier_env *env, 
		char tn_buf[48];



		tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);

		verbose(env, "variable ctx access var_off=%s disallowed\n", tn_buf);

		verbose(env, "variable %s access var_off=%s disallowed\n",

			reg_type_str(env, reg->type), tn_buf);

		return -EACCES;

	}



	return 0;

}



int check_ptr_off_reg(struct bpf_verifier_env *env,

		      const struct bpf_reg_state *reg, int regno)

{

	return __check_ptr_off_reg(env, reg, regno, false);

}



static int __check_buffer_access(struct bpf_verifier_env *env,

				 const char *buf_info,

				 const struct bpf_reg_state *reg,
@@ -4437,7 +4447,7 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn 
			return -EACCES;

		}



		err = check_ctx_reg(env, reg, regno);

		err = check_ptr_off_reg(env, reg, regno);

		if (err < 0)

			return err;
@@ -5127,6 +5137,7 @@ static const struct bpf_reg_types mem_types = { 
		PTR_TO_MAP_KEY,

		PTR_TO_MAP_VALUE,

		PTR_TO_MEM,

		PTR_TO_MEM | MEM_ALLOC,

		PTR_TO_BUF,

	},

};
@@ -5144,7 +5155,7 @@ static const struct bpf_reg_types int_ptr_types = { 
static const struct bpf_reg_types fullsock_types = { .types = { PTR_TO_SOCKET } };

static const struct bpf_reg_types scalar_types = { .types = { SCALAR_VALUE } };

static const struct bpf_reg_types context_types = { .types = { PTR_TO_CTX } };

static const struct bpf_reg_types alloc_mem_types = { .types = { PTR_TO_MEM } };

static const struct bpf_reg_types alloc_mem_types = { .types = { PTR_TO_MEM | MEM_ALLOC } };

static const struct bpf_reg_types const_map_ptr_types = { .types = { CONST_PTR_TO_MAP } };

static const struct bpf_reg_types btf_ptr_types = { .types = { PTR_TO_BTF_ID } };

static const struct bpf_reg_types spin_lock_types = { .types = { PTR_TO_MAP_VALUE } };
@@ -5244,12 +5255,6 @@ static int check_reg_type(struct bpf_verifier_env *env, u32 regno, 
				kernel_type_name(btf_vmlinux, *arg_btf_id));

			return -EACCES;

		}



		if (!tnum_is_const(reg->var_off) || reg->var_off.value) {

			verbose(env, "R%d is a pointer to in-kernel struct with non-zero offset\n",

				regno);

			return -EACCES;

		}

	}



	return 0;
@@ -5304,10 +5309,33 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, 
	if (err)

		return err;



	if (type == PTR_TO_CTX) {

		err = check_ctx_reg(env, reg, regno);

	switch ((u32)type) {

	case SCALAR_VALUE:

	/* Pointer types where reg offset is explicitly allowed: */

	case PTR_TO_PACKET:

	case PTR_TO_PACKET_META:

	case PTR_TO_MAP_KEY:

	case PTR_TO_MAP_VALUE:

	case PTR_TO_MEM:

	case PTR_TO_MEM | MEM_RDONLY:

	case PTR_TO_MEM | MEM_ALLOC:

	case PTR_TO_BUF:

	case PTR_TO_BUF | MEM_RDONLY:

	case PTR_TO_STACK:

		/* Some of the argument types nevertheless require a

		 * zero register offset.

		 */

		if (arg_type == ARG_PTR_TO_ALLOC_MEM)

			goto force_off_check;

		break;

	/* All the rest must be rejected: */

	default:

force_off_check:

		err = __check_ptr_off_reg(env, reg, regno,

					  type == PTR_TO_BTF_ID);

		if (err < 0)

			return err;

		break;

	}



skip_type_check:
@@ -9507,9 +9535,13 @@ static int check_ld_imm(struct bpf_verifier_env *env, struct bpf_insn *insn) 
		return 0;

	}



	if (insn->src_reg == BPF_PSEUDO_BTF_ID) {

	/* All special src_reg cases are listed below. From this point onwards

	 * we either succeed and assign a corresponding dst_reg->type after

	 * zeroing the offset, or fail and reject the program.

	 */

	mark_reg_known_zero(env, regs, insn->dst_reg);



	if (insn->src_reg == BPF_PSEUDO_BTF_ID) {

		dst_reg->type = aux->btf_var.reg_type;

		switch (base_type(dst_reg->type)) {

		case PTR_TO_MEM:
@@ -9547,7 +9579,6 @@ static int check_ld_imm(struct bpf_verifier_env *env, struct bpf_insn *insn) 
	}



	map = env->used_maps[aux->map_index];

	mark_reg_known_zero(env, regs, insn->dst_reg);

	dst_reg->map_ptr = map;



	if (insn->src_reg == BPF_PSEUDO_MAP_VALUE ||
@@ -9651,7 +9682,7 @@ static int check_ld_abs(struct bpf_verifier_env *env, struct bpf_insn *insn) 
			return err;

	}



	err = check_ctx_reg(env, &regs[ctx_reg], ctx_reg);

	err = check_ptr_off_reg(env, &regs[ctx_reg], ctx_reg);

	if (err < 0)

		return err;