Commit c69431aa authored by Lorenz Bauer's avatar Lorenz Bauer Committed by Alexei Starovoitov

bpf: verifier: Improve function state reallocation

Resizing and copying stack and reference tracking state currently
does a lot of kfree / kmalloc when the size of the tracked set changes.
The logic in copy_*_state and realloc_*_state is also hard to follow.

Refactor this into two core functions. copy_array copies from a source
into a destination. It avoids reallocation by taking the allocated
size of the destination into account via ksize(). The function is
essentially krealloc_array, with the difference that the contents of
dst are not preserved. realloc_array changes the size of an array and
zeroes newly allocated items. Contrary to krealloc both functions don't
free the destination if the size is zero. Instead we rely on free_func_state
to clean up.

realloc_stack_state is renamed to grow_stack_state to better convey
that it never shrinks the stack state.
Signed-off-by: default avatarLorenz Bauer <lmb@cloudflare.com>
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20210429134656.122225-2-lmb@cloudflare.com
parent b7415964
...@@ -737,81 +737,104 @@ static void print_verifier_state(struct bpf_verifier_env *env, ...@@ -737,81 +737,104 @@ static void print_verifier_state(struct bpf_verifier_env *env,
verbose(env, "\n"); verbose(env, "\n");
} }
#define COPY_STATE_FN(NAME, COUNT, FIELD, SIZE) \ /* copy array src of length n * size bytes to dst. dst is reallocated if it's too
static int copy_##NAME##_state(struct bpf_func_state *dst, \ * small to hold src. This is different from krealloc since we don't want to preserve
const struct bpf_func_state *src) \ * the contents of dst.
{ \ *
if (!src->FIELD) \ * Leaves dst untouched if src is NULL or length is zero. Returns NULL if memory could
return 0; \ * not be allocated.
if (WARN_ON_ONCE(dst->COUNT < src->COUNT)) { \ */
/* internal bug, make state invalid to reject the program */ \ static void *copy_array(void *dst, const void *src, size_t n, size_t size, gfp_t flags)
memset(dst, 0, sizeof(*dst)); \ {
return -EFAULT; \ size_t bytes;
} \
memcpy(dst->FIELD, src->FIELD, \ if (ZERO_OR_NULL_PTR(src))
sizeof(*src->FIELD) * (src->COUNT / SIZE)); \ goto out;
return 0; \
} if (unlikely(check_mul_overflow(n, size, &bytes)))
/* copy_reference_state() */ return NULL;
COPY_STATE_FN(reference, acquired_refs, refs, 1)
/* copy_stack_state() */ if (ksize(dst) < bytes) {
COPY_STATE_FN(stack, allocated_stack, stack, BPF_REG_SIZE) kfree(dst);
#undef COPY_STATE_FN dst = kmalloc_track_caller(bytes, flags);
if (!dst)
#define REALLOC_STATE_FN(NAME, COUNT, FIELD, SIZE) \ return NULL;
static int realloc_##NAME##_state(struct bpf_func_state *state, int size, \ }
bool copy_old) \
{ \ memcpy(dst, src, bytes);
u32 old_size = state->COUNT; \ out:
struct bpf_##NAME##_state *new_##FIELD; \ return dst ? dst : ZERO_SIZE_PTR;
int slot = size / SIZE; \ }
\
if (size <= old_size || !size) { \ /* resize an array from old_n items to new_n items. the array is reallocated if it's too
if (copy_old) \ * small to hold new_n items. new items are zeroed out if the array grows.
return 0; \ *
state->COUNT = slot * SIZE; \ * Contrary to krealloc_array, does not free arr if new_n is zero.
if (!size && old_size) { \ */
kfree(state->FIELD); \ static void *realloc_array(void *arr, size_t old_n, size_t new_n, size_t size)
state->FIELD = NULL; \ {
} \ if (!new_n || old_n == new_n)
return 0; \ goto out;
} \
new_##FIELD = kmalloc_array(slot, sizeof(struct bpf_##NAME##_state), \ arr = krealloc_array(arr, new_n, size, GFP_KERNEL);
GFP_KERNEL); \ if (!arr)
if (!new_##FIELD) \ return NULL;
return -ENOMEM; \
if (copy_old) { \ if (new_n > old_n)
if (state->FIELD) \ memset(arr + old_n * size, 0, (new_n - old_n) * size);
memcpy(new_##FIELD, state->FIELD, \
sizeof(*new_##FIELD) * (old_size / SIZE)); \ out:
memset(new_##FIELD + old_size / SIZE, 0, \ return arr ? arr : ZERO_SIZE_PTR;
sizeof(*new_##FIELD) * (size - old_size) / SIZE); \ }
} \
state->COUNT = slot * SIZE; \ static int copy_reference_state(struct bpf_func_state *dst, const struct bpf_func_state *src)
kfree(state->FIELD); \ {
state->FIELD = new_##FIELD; \ dst->refs = copy_array(dst->refs, src->refs, src->acquired_refs,
return 0; \ sizeof(struct bpf_reference_state), GFP_KERNEL);
} if (!dst->refs)
/* realloc_reference_state() */ return -ENOMEM;
REALLOC_STATE_FN(reference, acquired_refs, refs, 1)
/* realloc_stack_state() */ dst->acquired_refs = src->acquired_refs;
REALLOC_STATE_FN(stack, allocated_stack, stack, BPF_REG_SIZE) return 0;
#undef REALLOC_STATE_FN }
/* do_check() starts with zero-sized stack in struct bpf_verifier_state to static int copy_stack_state(struct bpf_func_state *dst, const struct bpf_func_state *src)
* make it consume minimal amount of memory. check_stack_write() access from {
* the program calls into realloc_func_state() to grow the stack size. size_t n = src->allocated_stack / BPF_REG_SIZE;
* Note there is a non-zero 'parent' pointer inside bpf_verifier_state
* which realloc_stack_state() copies over. It points to previous dst->stack = copy_array(dst->stack, src->stack, n, sizeof(struct bpf_stack_state),
* bpf_verifier_state which is never reallocated. GFP_KERNEL);
*/ if (!dst->stack)
static int realloc_func_state(struct bpf_func_state *state, int stack_size, return -ENOMEM;
int refs_size, bool copy_old)
{ dst->allocated_stack = src->allocated_stack;
int err = realloc_reference_state(state, refs_size, copy_old); return 0;
if (err) }
return err;
return realloc_stack_state(state, stack_size, copy_old); static int resize_reference_state(struct bpf_func_state *state, size_t n)
{
state->refs = realloc_array(state->refs, state->acquired_refs, n,
sizeof(struct bpf_reference_state));
if (!state->refs)
return -ENOMEM;
state->acquired_refs = n;
return 0;
}
static int grow_stack_state(struct bpf_func_state *state, int size)
{
size_t old_n = state->allocated_stack / BPF_REG_SIZE, n = size / BPF_REG_SIZE;
if (old_n >= n)
return 0;
state->stack = realloc_array(state->stack, old_n, n, sizeof(struct bpf_stack_state));
if (!state->stack)
return -ENOMEM;
state->allocated_stack = size;
return 0;
} }
/* Acquire a pointer id from the env and update the state->refs to include /* Acquire a pointer id from the env and update the state->refs to include
...@@ -825,7 +848,7 @@ static int acquire_reference_state(struct bpf_verifier_env *env, int insn_idx) ...@@ -825,7 +848,7 @@ static int acquire_reference_state(struct bpf_verifier_env *env, int insn_idx)
int new_ofs = state->acquired_refs; int new_ofs = state->acquired_refs;
int id, err; int id, err;
err = realloc_reference_state(state, state->acquired_refs + 1, true); err = resize_reference_state(state, state->acquired_refs + 1);
if (err) if (err)
return err; return err;
id = ++env->id_gen; id = ++env->id_gen;
...@@ -854,18 +877,6 @@ static int release_reference_state(struct bpf_func_state *state, int ptr_id) ...@@ -854,18 +877,6 @@ static int release_reference_state(struct bpf_func_state *state, int ptr_id)
return -EINVAL; return -EINVAL;
} }
static int transfer_reference_state(struct bpf_func_state *dst,
struct bpf_func_state *src)
{
int err = realloc_reference_state(dst, src->acquired_refs, false);
if (err)
return err;
err = copy_reference_state(dst, src);
if (err)
return err;
return 0;
}
static void free_func_state(struct bpf_func_state *state) static void free_func_state(struct bpf_func_state *state)
{ {
if (!state) if (!state)
...@@ -904,10 +915,6 @@ static int copy_func_state(struct bpf_func_state *dst, ...@@ -904,10 +915,6 @@ static int copy_func_state(struct bpf_func_state *dst,
{ {
int err; int err;
err = realloc_func_state(dst, src->allocated_stack, src->acquired_refs,
false);
if (err)
return err;
memcpy(dst, src, offsetof(struct bpf_func_state, acquired_refs)); memcpy(dst, src, offsetof(struct bpf_func_state, acquired_refs));
err = copy_reference_state(dst, src); err = copy_reference_state(dst, src);
if (err) if (err)
...@@ -2590,8 +2597,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, ...@@ -2590,8 +2597,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
u32 dst_reg = env->prog->insnsi[insn_idx].dst_reg; u32 dst_reg = env->prog->insnsi[insn_idx].dst_reg;
struct bpf_reg_state *reg = NULL; struct bpf_reg_state *reg = NULL;
err = realloc_func_state(state, round_up(slot + 1, BPF_REG_SIZE), err = grow_stack_state(state, round_up(slot + 1, BPF_REG_SIZE));
state->acquired_refs, true);
if (err) if (err)
return err; return err;
/* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0, /* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0,
...@@ -2753,8 +2759,7 @@ static int check_stack_write_var_off(struct bpf_verifier_env *env, ...@@ -2753,8 +2759,7 @@ static int check_stack_write_var_off(struct bpf_verifier_env *env,
if (value_reg && register_is_null(value_reg)) if (value_reg && register_is_null(value_reg))
writing_zero = true; writing_zero = true;
err = realloc_func_state(state, round_up(-min_off, BPF_REG_SIZE), err = grow_stack_state(state, round_up(-min_off, BPF_REG_SIZE));
state->acquired_refs, true);
if (err) if (err)
return err; return err;
...@@ -5629,7 +5634,7 @@ static int __check_func_call(struct bpf_verifier_env *env, struct bpf_insn *insn ...@@ -5629,7 +5634,7 @@ static int __check_func_call(struct bpf_verifier_env *env, struct bpf_insn *insn
subprog /* subprog number within this prog */); subprog /* subprog number within this prog */);
/* Transfer references to the callee */ /* Transfer references to the callee */
err = transfer_reference_state(callee, caller); err = copy_reference_state(callee, caller);
if (err) if (err)
return err; return err;
...@@ -5780,7 +5785,7 @@ static int prepare_func_exit(struct bpf_verifier_env *env, int *insn_idx) ...@@ -5780,7 +5785,7 @@ static int prepare_func_exit(struct bpf_verifier_env *env, int *insn_idx)
} }
/* Transfer references to the caller */ /* Transfer references to the caller */
err = transfer_reference_state(caller, callee); err = copy_reference_state(caller, callee);
if (err) if (err)
return err; return err;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment