1. 22 Nov, 2022 3 commits
  2. 21 Nov, 2022 12 commits
  3. 20 Nov, 2022 11 commits
    • Alexei Starovoitov's avatar
      Merge branch 'bpf: Implement two type cast kfuncs' · 99429b22
      Alexei Starovoitov authored
      Yonghong Song says:
      
      ====================
      
      Currenty, a non-tracing bpf program typically has a single 'context' argument
      with predefined uapi struct type. Following these uapi struct, user is able
      to access other fields defined in uapi header. Inside the kernel, the
      user-seen 'context' argument is replaced with 'kernel context' (or 'kctx'
      in short) which can access more information than what uapi header provides.
      To access other info not in uapi header, people typically do two things:
        (1). extend uapi to access more fields rooted from 'context'.
        (2). use bpf_probe_read_kernl() helper to read particular field based on
          kctx.
      Using (1) needs uapi change and using (2) makes code more complex since
      direct memory access is not allowed.
      
      There are already a few instances trying to access more information from
      kctx:
        . trying to access some fields from perf_event kctx ([1]).
        . trying to access some fields from xdp kctx ([2]).
      
      This patch set tried to allow direct memory access for kctx fields
      by introducing bpf_cast_to_kern_ctx() kfunc.
      
      Martin mentioned a use case like type casting below:
        #define skb_shinfo(SKB) ((struct skb_shared_info *)(skb_end_pointer(SKB)))
      basically a 'unsigned char *" casted to 'struct skb_shared_info *'. This patch
      set tries to support such a use case as well with bpf_rdonly_cast().
      
      For the patch series, Patch 1 added support for a kfunc available to all
      prog types. Patch 2 added bpf_cast_to_kern_ctx() kfunc. Patch 3 added
      bpf_rdonly_cast() kfunc. Patch 4 added a few positive and negative tests.
      
        [1] https://lore.kernel.org/bpf/ad15b398-9069-4a0e-48cb-4bb651ec3088@meta.com/
        [2] https://lore.kernel.org/bpf/20221109215242.1279993-1-john.fastabend@gmail.com/
      
      Changelog:
        v3 -> v4:
          - remove unnecessary bpf_ctx_convert.t error checking
          - add and use meta.ret_btf_id instead of meta.arg_constant.value for
            bpf_cast_to_kern_ctx().
          - add PTR_TRUSTED to the return PTR_TO_BTF_ID type for bpf_cast_to_kern_ctx().
        v2 -> v3:
          - rebase on top of bpf-next (for merging conflicts)
          - add the selftest to s390x deny list
        rfcv1 -> v2:
          - break original one kfunc into two.
          - add missing error checks and error logs.
          - adapt to the new conventions in
            https://lore.kernel.org/all/20221118015614.2013203-1-memxor@gmail.com/
            for example, with __ign and __k suffix.
          - added support in fixup_kfunc_call() to replace kfunc calls with a single mov.
      ====================
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      99429b22
    • Yonghong Song's avatar
      bpf: Add type cast unit tests · 58d84bee
      Yonghong Song authored
      Three tests are added. One is from John Fastabend ({1]) which tests
      tracing style access for xdp program from the kernel ctx.
      Another is a tc test to test both kernel ctx tracing style access
      and explicit non-ctx type cast. The third one is for negative tests
      including two tests, a tp_bpf test where the bpf_rdonly_cast()
      returns a untrusted ptr which cannot be used as helper argument,
      and a tracepoint test where the kernel ctx is a u64.
      
      Also added the test to DENYLIST.s390x since s390 does not currently
      support calling kernel functions in JIT mode.
      
        [1] https://lore.kernel.org/bpf/20221109215242.1279993-1-john.fastabend@gmail.com/Signed-off-by: default avatarYonghong Song <yhs@fb.com>
      Link: https://lore.kernel.org/r/20221120195442.3114844-1-yhs@fb.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      58d84bee
    • Yonghong Song's avatar
      bpf: Add a kfunc for generic type cast · a35b9af4
      Yonghong Song authored
      Implement bpf_rdonly_cast() which tries to cast the object
      to a specified type. This tries to support use case like below:
        #define skb_shinfo(SKB) ((struct skb_shared_info *)(skb_end_pointer(SKB)))
      where skb_end_pointer(SKB) is a 'unsigned char *' and needs to
      be casted to 'struct skb_shared_info *'.
      
      The signature of bpf_rdonly_cast() looks like
         void *bpf_rdonly_cast(void *obj, __u32 btf_id)
      The function returns the same 'obj' but with PTR_TO_BTF_ID with
      btf_id. The verifier will ensure btf_id being a struct type.
      
      Since the supported type cast may not reflect what the 'obj'
      represents, the returned btf_id is marked as PTR_UNTRUSTED, so
      the return value and subsequent pointer chasing cannot be
      used as helper/kfunc arguments.
      Signed-off-by: default avatarYonghong Song <yhs@fb.com>
      Link: https://lore.kernel.org/r/20221120195437.3114585-1-yhs@fb.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      a35b9af4
    • Yonghong Song's avatar
      bpf: Add a kfunc to type cast from bpf uapi ctx to kernel ctx · fd264ca0
      Yonghong Song authored
      Implement bpf_cast_to_kern_ctx() kfunc which does a type cast
      of a uapi ctx object to the corresponding kernel ctx. Previously
      if users want to access some data available in kctx but not
      in uapi ctx, bpf_probe_read_kernel() helper is needed.
      The introduction of bpf_cast_to_kern_ctx() allows direct
      memory access which makes code simpler and easier to understand.
      Signed-off-by: default avatarYonghong Song <yhs@fb.com>
      Link: https://lore.kernel.org/r/20221120195432.3113982-1-yhs@fb.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      fd264ca0
    • Yonghong Song's avatar
      bpf: Add support for kfunc set with common btf_ids · cfe14564
      Yonghong Song authored
      Later on, we will introduce kfuncs bpf_cast_to_kern_ctx() and
      bpf_rdonly_cast() which apply to all program types. Currently kfunc set
      only supports individual prog types. This patch added support for kfunc
      applying to all program types.
      Signed-off-by: default avatarYonghong Song <yhs@fb.com>
      Link: https://lore.kernel.org/r/20221120195426.3113828-1-yhs@fb.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      cfe14564
    • Kumar Kartikeya Dwivedi's avatar
      bpf: Disallow bpf_obj_new_impl call when bpf_mem_alloc_init fails · e181d3f1
      Kumar Kartikeya Dwivedi authored
      In the unlikely event that bpf_global_ma is not correctly initialized,
      instead of checking the boolean everytime bpf_obj_new_impl is called,
      simply check it while loading the program and return an error if
      bpf_global_ma_set is false.
      Suggested-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarKumar Kartikeya Dwivedi <memxor@gmail.com>
      Link: https://lore.kernel.org/r/20221120212610.2361700-1-memxor@gmail.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      e181d3f1
    • Alexei Starovoitov's avatar
      Merge branch 'Support storing struct task_struct objects as kptrs' · efc1970d
      Alexei Starovoitov authored
      David Vernet says:
      
      ====================
      
      Now that BPF supports adding new kernel functions with kfuncs, and
      storing kernel objects in maps with kptrs, we can add a set of kfuncs
      which allow struct task_struct objects to be stored in maps as
      referenced kptrs.
      
      The possible use cases for doing this are plentiful.  During tracing,
      for example, it would be useful to be able to collect some tasks that
      performed a certain operation, and then periodically summarize who they
      are, which cgroup they're in, how much CPU time they've utilized, etc.
      Doing this now would require storing the tasks' pids along with some
      relevant data to be exported to user space, and later associating the
      pids to tasks in other event handlers where the data is recorded.
      Another useful by-product of this is that it allows a program to pin a
      task in a BPF program, and by proxy therefore also e.g. pin its task
      local storage.
      
      In order to support this, we'll need to expand KF_TRUSTED_ARGS to
      support receiving trusted, non-refcounted pointers. It currently only
      supports either PTR_TO_CTX pointers, or refcounted pointers. What this
      means in terms of the implementation is that check_kfunc_args() would
      have to also check for the PTR_TRUSTED or MEM_ALLOC type modifiers when
      determining if a trusted KF_ARG_PTR_TO_ALLOC_BTF_ID or
      KF_ARG_PTR_TO_BTF_ID pointer requires a refcount.
      
      Note that PTR_UNTRUSTED is insufficient for this purpose, as it does not
      cover all of the possible types of potentially unsafe pointers. For
      example, a pointer obtained from walking a struct is not PTR_UNTRUSTED.
      To account for this and enable us to expand KF_TRUSTED_ARGS to include
      allow-listed arguments such as those passed by the kernel to tracepoints
      and struct_ops callbacks, this patch set also introduces a new
      PTR_TRUSTED type flag modifier which records if a pointer was obtained
      passed from the kernel in a trusted context.
      
      Currently, both PTR_TRUSTED and MEM_ALLOC are used to imply that a
      pointer is trusted. Longer term, PTR_TRUSTED should be the sole source
      of truth for whether a pointer is trusted. This requires us to set
      PTR_TRUSTED when appropriate (e.g. when setting MEM_ALLOC), and unset it
      when appropriate (e.g. when setting PTR_UNTRUSTED). We don't do that in
      this patch, as we need to do more clean up before this can be done in a
      clear and well-defined manner.
      
      In closing, this patch set:
      
      1. Adds the new PTR_TRUSTED register type modifier flag, and updates the
         verifier and existing selftests accordingly. Also expands
         KF_TRUSTED_ARGS to also include trusted pointers that were not obtained
         from walking structs.
      2. Adds a new set of kfuncs that allows struct task_struct* objects to be
         used as kptrs.
      3. Adds a new selftest suite to validate these new task kfuncs.
      ---
      Changelog:
      v8 -> v9:
      - Moved check for release register back to where we check for
        !PTR_TO_BTF_ID || socket. Change the verifier log message to
        reflect really what's being tested (the presence of unsafe
        modifiers) (Alexei)
      - Fix verifier_test error tests to reflect above changes
      - Remove unneeded parens around bitwise operator checks (Alexei)
      - Move updates to reg_type_str() which allow multiple type modifiers
        to be present in the prefix string, to a separate patch (Alexei)
      - Increase TYPE_STR_BUF_LEN size to 128 to reflect larger prefix size
        in reg_type_str().
      
      v7 -> v8:
      - Rebased onto Kumar's latest patch set which, adds a new MEM_ALLOC reg
        type modifier for bpf_obj_new() calls.
      - Added comments to bpf_task_kptr_get() describing some of the subtle
        races we're protecting against (Alexei and John)
      - Slightly rework process_kf_arg_ptr_to_btf_id(), and add a new
        reg_has_unsafe_modifiers() function which validates that a register
        containing a kfunc release arg doesn't have unsafe modifiers. Note
        that this is slightly different than the check for KF_TRUSTED_ARGS.
        An alternative here would be to treat KF_RELEASE as implicitly
        requiring KF_TRUSTED_ARGS.
      - Export inline bpf_type_has_unsafe_modifiers() function from
        bpf_verifier.h so that it can be used from bpf_tcp_ca.c. Eventually this
        function should likely be changed to bpf_type_is_trusted(), once
        PTR_TRUSTED is the real source of truth.
      
      v6 -> v7:
      - Removed the PTR_WALKED type modifier, and instead define a new
        PTR_TRUSTED type modifier which is set on registers containing
        pointers passed from trusted contexts (i.e. as tracepoint or
        struct_ops callback args) (Alexei)
      - Remove the new KF_OWNED_ARGS kfunc flag. This can be accomplished
        by defining a new type that wraps an existing type, such as with
        struct nf_conn___init (Alexei)
      - Add a test_task_current_acquire_release testcase which verifies we can
        acquire a task struct returned from bpf_get_current_task_btf().
      - Make bpf_task_acquire() no longer return NULL, as it can no longer be
        called with a NULL task.
      - Removed unnecessary is_test_kfunc_task() checks from failure
        testcases.
      
      v5 -> v6:
      - Add a new KF_OWNED_ARGS kfunc flag which may be used by kfuncs to
        express that they require trusted, refcounted args (Kumar)
      - Rename PTR_NESTED -> PTR_WALKED in the verifier (Kumar)
      - Convert reg_type_str() prefixes to use snprintf() instead of strncpy()
        (Kumar)
      - Add PTR_TO_BTF_ID | PTR_WALKED to missing struct btf_reg_type
        instances -- specifically btf_id_sock_common_types, and
        percpu_btf_ptr_types.
      - Add a missing PTR_TO_BTF_ID | PTR_WALKED switch case entry in
        check_func_arg_reg_off(), which is required when validating helper
        calls (Kumar)
      - Update reg_type_mismatch_ok() to check base types for the registers
        (i.e. to accommodate type modifiers). Additionally, add a lengthy
        comment that explains why this is being done (Kumar)
      - Update convert_ctx_accesses() to also issue probe reads for
        PTR_TO_BTF_ID | PTR_WALKED (Kumar)
      - Update selftests to expect new prefix reg type strings.
      - Rename task_kfunc_acquire_trusted_nested testcase to
        task_kfunc_acquire_trusted_walked, and fix a comment (Kumar)
      - Remove KF_TRUSTED_ARGS from bpf_task_release(), which already includes
        KF_RELEASE (Kumar)
      - Add bpf-next in patch subject lines (Kumar)
      
      v4 -> v5:
      - Fix an improperly formatted patch title.
      
      v3 -> v4:
      - Remove an unnecessary check from my repository that I forgot to remove
        after debugging something.
      
      v2 -> v3:
      - Make bpf_task_acquire() check for NULL, and include KF_RET_NULL
        (Martin)
      - Include new PTR_NESTED register modifier type flag which specifies
        whether a pointer was obtained from walking a struct. Use this to
        expand the meaning of KF_TRUSTED_ARGS to include trusted pointers that
        were passed from the kernel (Kumar)
      - Add more selftests to the task_kfunc selftest suite which verify that
        you cannot pass a walked pointer to bpf_task_acquire().
      - Update bpf_task_acquire() to also specify KF_TRUSTED_ARGS.
      
      v1 -> v2:
      - Rename tracing_btf_ids to generic_kfunc_btf_ids, and add the new
        kfuncs to that list instead of making a separate btf id list (Alexei).
      - Don't run the new selftest suite on s390x, which doesn't appear to
        support invoking kfuncs.
      - Add a missing __diag_ignore block for -Wmissing-prototypes
        (lkp@intel.com).
      - Fix formatting on some of the SPDX-License-Identifier tags.
      - Clarified the function header comment a bit on bpf_task_kptr_get().
      ====================
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      efc1970d
    • David Vernet's avatar
      bpf/selftests: Add selftests for new task kfuncs · fe147956
      David Vernet authored
      A previous change added a series of kfuncs for storing struct
      task_struct objects as referenced kptrs. This patch adds a new
      task_kfunc test suite for validating their expected behavior.
      Signed-off-by: default avatarDavid Vernet <void@manifault.com>
      Link: https://lore.kernel.org/r/20221120051004.3605026-5-void@manifault.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      fe147956
    • David Vernet's avatar
      bpf: Add kfuncs for storing struct task_struct * as a kptr · 90660309
      David Vernet authored
      Now that BPF supports adding new kernel functions with kfuncs, and
      storing kernel objects in maps with kptrs, we can add a set of kfuncs
      which allow struct task_struct objects to be stored in maps as
      referenced kptrs. The possible use cases for doing this are plentiful.
      During tracing, for example, it would be useful to be able to collect
      some tasks that performed a certain operation, and then periodically
      summarize who they are, which cgroup they're in, how much CPU time
      they've utilized, etc.
      
      In order to enable this, this patch adds three new kfuncs:
      
      struct task_struct *bpf_task_acquire(struct task_struct *p);
      struct task_struct *bpf_task_kptr_get(struct task_struct **pp);
      void bpf_task_release(struct task_struct *p);
      
      A follow-on patch will add selftests validating these kfuncs.
      Signed-off-by: default avatarDavid Vernet <void@manifault.com>
      Link: https://lore.kernel.org/r/20221120051004.3605026-4-void@manifault.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      90660309
    • David Vernet's avatar
      bpf: Allow trusted pointers to be passed to KF_TRUSTED_ARGS kfuncs · 3f00c523
      David Vernet authored
      Kfuncs currently support specifying the KF_TRUSTED_ARGS flag to signal
      to the verifier that it should enforce that a BPF program passes it a
      "safe", trusted pointer. Currently, "safe" means that the pointer is
      either PTR_TO_CTX, or is refcounted. There may be cases, however, where
      the kernel passes a BPF program a safe / trusted pointer to an object
      that the BPF program wishes to use as a kptr, but because the object
      does not yet have a ref_obj_id from the perspective of the verifier, the
      program would be unable to pass it to a KF_ACQUIRE | KF_TRUSTED_ARGS
      kfunc.
      
      The solution is to expand the set of pointers that are considered
      trusted according to KF_TRUSTED_ARGS, so that programs can invoke kfuncs
      with these pointers without getting rejected by the verifier.
      
      There is already a PTR_UNTRUSTED flag that is set in some scenarios,
      such as when a BPF program reads a kptr directly from a map
      without performing a bpf_kptr_xchg() call. These pointers of course can
      and should be rejected by the verifier. Unfortunately, however,
      PTR_UNTRUSTED does not cover all the cases for safety that need to
      be addressed to adequately protect kfuncs. Specifically, pointers
      obtained by a BPF program "walking" a struct are _not_ considered
      PTR_UNTRUSTED according to BPF. For example, say that we were to add a
      kfunc called bpf_task_acquire(), with KF_ACQUIRE | KF_TRUSTED_ARGS, to
      acquire a struct task_struct *. If we only used PTR_UNTRUSTED to signal
      that a task was unsafe to pass to a kfunc, the verifier would mistakenly
      allow the following unsafe BPF program to be loaded:
      
      SEC("tp_btf/task_newtask")
      int BPF_PROG(unsafe_acquire_task,
                   struct task_struct *task,
                   u64 clone_flags)
      {
              struct task_struct *acquired, *nested;
      
              nested = task->last_wakee;
      
              /* Would not be rejected by the verifier. */
              acquired = bpf_task_acquire(nested);
              if (!acquired)
                      return 0;
      
              bpf_task_release(acquired);
              return 0;
      }
      
      To address this, this patch defines a new type flag called PTR_TRUSTED
      which tracks whether a PTR_TO_BTF_ID pointer is safe to pass to a
      KF_TRUSTED_ARGS kfunc or a BPF helper function. PTR_TRUSTED pointers are
      passed directly from the kernel as a tracepoint or struct_ops callback
      argument. Any nested pointer that is obtained from walking a PTR_TRUSTED
      pointer is no longer PTR_TRUSTED. From the example above, the struct
      task_struct *task argument is PTR_TRUSTED, but the 'nested' pointer
      obtained from 'task->last_wakee' is not PTR_TRUSTED.
      
      A subsequent patch will add kfuncs for storing a task kfunc as a kptr,
      and then another patch will add selftests to validate.
      Signed-off-by: default avatarDavid Vernet <void@manifault.com>
      Link: https://lore.kernel.org/r/20221120051004.3605026-3-void@manifault.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      3f00c523
    • David Vernet's avatar
      bpf: Allow multiple modifiers in reg_type_str() prefix · ef66c547
      David Vernet authored
      reg_type_str() in the verifier currently only allows a single register
      type modifier to be present in the 'prefix' string which is eventually
      stored in the env type_str_buf. This currently works fine because there
      are no overlapping type modifiers, but once PTR_TRUSTED is added, that
      will no longer be the case. This patch updates reg_type_str() to support
      having multiple modifiers in the prefix string, and updates the size of
      type_str_buf to be 128 bytes.
      Signed-off-by: default avatarDavid Vernet <void@manifault.com>
      Link: https://lore.kernel.org/r/20221120051004.3605026-2-void@manifault.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      ef66c547
  4. 18 Nov, 2022 14 commits