1. 25 Jan, 2023 5 commits
    • David Vernet's avatar
      selftests/bpf: Add nested trust selftests suite · a6541f4d
      David Vernet authored
      Now that defining trusted fields in a struct is supported, we should add
      selftests to verify the behavior. This patch adds a few such testcases.
      Signed-off-by: default avatarDavid Vernet <void@manifault.com>
      Link: https://lore.kernel.org/r/20230125143816.721952-4-void@manifault.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      a6541f4d
    • David Vernet's avatar
      bpf: Enable cpumasks to be queried and used as kptrs · 516f4d33
      David Vernet authored
      Certain programs may wish to be able to query cpumasks. For example, if
      a program that is tracing percpu operations wishes to track which tasks
      end up running on which CPUs, it could be useful to associate that with
      the tasks' cpumasks. Similarly, programs tracking NUMA allocations, CPU
      scheduling domains, etc, could potentially benefit from being able to
      see which CPUs a task could be migrated to.
      
      This patch enables these types of use cases by introducing a series of
      bpf_cpumask_* kfuncs. Amongst these kfuncs, there are two separate
      "classes" of operations:
      
      1. kfuncs which allow the caller to allocate and mutate their own
         cpumask kptrs in the form of a struct bpf_cpumask * object. Such
         kfuncs include e.g. bpf_cpumask_create() to allocate the cpumask, and
         bpf_cpumask_or() to mutate it. "Regular" cpumasks such as p->cpus_ptr
         may not be passed to these kfuncs, and the verifier will ensure this
         is the case by comparing BTF IDs.
      
      2. Read-only operations which operate on const struct cpumask *
         arguments. For example, bpf_cpumask_test_cpu(), which tests whether a
         CPU is set in the cpumask. Any trusted struct cpumask * or struct
         bpf_cpumask * may be passed to these kfuncs. The verifier allows
         struct bpf_cpumask * even though the kfunc is defined with struct
         cpumask * because the first element of a struct bpf_cpumask is a
         cpumask_t, so it is safe to cast.
      
      A follow-on patch will add selftests which validate these kfuncs, and
      another will document them.
      Signed-off-by: default avatarDavid Vernet <void@manifault.com>
      Link: https://lore.kernel.org/r/20230125143816.721952-3-void@manifault.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      516f4d33
    • David Vernet's avatar
      bpf: Disallow NULLable pointers for trusted kfuncs · caf713c3
      David Vernet authored
      KF_TRUSTED_ARGS kfuncs currently have a subtle and insidious bug in
      validating pointers to scalars. Say that you have a kfunc like the
      following, which takes an array as the first argument:
      
      bool bpf_cpumask_empty(const struct cpumask *cpumask)
      {
      	return cpumask_empty(cpumask);
      }
      
      ...
      BTF_ID_FLAGS(func, bpf_cpumask_empty, KF_TRUSTED_ARGS)
      ...
      
      If a BPF program were to invoke the kfunc with a NULL argument, it would
      crash the kernel. The reason is that struct cpumask is defined as a
      bitmap, which is itself defined as an array, and is accessed as a memory
      address by bitmap operations. So when the verifier analyzes the
      register, it interprets it as a pointer to a scalar struct, which is an
      array of size 8. check_mem_reg() then sees that the register is NULL and
      returns 0, and the kfunc crashes when it passes it down to the cpumask
      wrappers.
      
      To fix this, this patch adds a check for KF_ARG_PTR_TO_MEM which
      verifies that the register doesn't contain a possibly-NULL pointer if
      the kfunc is KF_TRUSTED_ARGS.
      Signed-off-by: default avatarDavid Vernet <void@manifault.com>
      Link: https://lore.kernel.org/r/20230125143816.721952-2-void@manifault.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      caf713c3
    • David Vernet's avatar
      bpf: Allow trusted args to walk struct when checking BTF IDs · b613d335
      David Vernet authored
      When validating BTF types for KF_TRUSTED_ARGS kfuncs, the verifier
      currently enforces that the top-level type must match when calling
      the kfunc. In other words, the verifier does not allow the BPF program
      to pass a bitwise equivalent struct, despite it being allowed according
      to the C standard.
      
      For example, if you have the following type:
      
      struct  nf_conn___init {
      	struct nf_conn ct;
      };
      
      The C standard stipulates that it would be safe to pass a struct
      nf_conn___init to a kfunc expecting a struct nf_conn. The verifier
      currently disallows this, however, as semantically kfuncs may want to
      enforce that structs that have equivalent types according to the C
      standard, but have different BTF IDs, are not able to be passed to
      kfuncs expecting one or the other. For example, struct nf_conn___init
      may not be queried / looked up, as it is allocated but may not yet be
      fully initialized.
      
      On the other hand, being able to pass types that are equivalent
      according to the C standard will be useful for other types of kfunc /
      kptrs enabled by BPF.  For example, in a follow-on patch, a series of
      kfuncs will be added which allow programs to do bitwise queries on
      cpumasks that are either allocated by the program (in which case they'll
      be a 'struct bpf_cpumask' type that wraps a cpumask_t as its first
      element), or a cpumask that was allocated by the main kernel (in which
      case it will just be a straight cpumask_t, as in task->cpus_ptr).
      
      Having the two types of cpumasks allows us to distinguish between the
      two for when a cpumask is read-only vs. mutatable. A struct bpf_cpumask
      can be mutated by e.g. bpf_cpumask_clear(), whereas a regular cpumask_t
      cannot be. On the other hand, a struct bpf_cpumask can of course be
      queried in the exact same manner as a cpumask_t, with e.g.
      bpf_cpumask_test_cpu().
      
      If we were to enforce that top level types match, then a user that's
      passing a struct bpf_cpumask to a read-only cpumask_t argument would
      have to cast with something like bpf_cast_to_kern_ctx() (which itself
      would need to be updated to expect the alias, and currently it only
      accommodates a single alias per prog type). Additionally, not specifying
      KF_TRUSTED_ARGS is not an option, as some kfuncs take one argument as a
      struct bpf_cpumask *, and another as a struct cpumask *
      (i.e. cpumask_t).
      
      In order to enable this, this patch relaxes the constraint that a
      KF_TRUSTED_ARGS kfunc must have strict type matching, and instead only
      enforces strict type matching if a type is observed to be a "no-cast
      alias" (i.e., that the type names are equivalent, but one is suffixed
      with ___init).
      
      Additionally, in order to try and be conservative and match existing
      behavior / expectations, this patch also enforces strict type checking
      for acquire kfuncs. We were already enforcing it for release kfuncs, so
      this should also improve the consistency of the semantics for kfuncs.
      Signed-off-by: default avatarDavid Vernet <void@manifault.com>
      Link: https://lore.kernel.org/r/20230120192523.3650503-3-void@manifault.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      b613d335
    • David Vernet's avatar
      bpf: Enable annotating trusted nested pointers · 57539b1c
      David Vernet authored
      In kfuncs, a "trusted" pointer is a pointer that the kfunc can assume is
      safe, and which the verifier will allow to be passed to a
      KF_TRUSTED_ARGS kfunc. Currently, a KF_TRUSTED_ARGS kfunc disallows any
      pointer to be passed at a nonzero offset, but sometimes this is in fact
      safe if the "nested" pointer's lifetime is inherited from its parent.
      For example, the const cpumask_t *cpus_ptr field in a struct task_struct
      will remain valid until the task itself is destroyed, and thus would
      also be safe to pass to a KF_TRUSTED_ARGS kfunc.
      
      While it would be conceptually simple to enable this by using BTF tags,
      gcc unfortunately does not yet support this. In the interim, this patch
      enables support for this by using a type-naming convention. A new
      BTF_TYPE_SAFE_NESTED macro is defined in verifier.c which allows a
      developer to specify the nested fields of a type which are considered
      trusted if its parent is also trusted. The verifier is also updated to
      account for this. A patch with selftests will be added in a follow-on
      change, along with documentation for this feature.
      Signed-off-by: default avatarDavid Vernet <void@manifault.com>
      Link: https://lore.kernel.org/r/20230120192523.3650503-2-void@manifault.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      57539b1c
  2. 24 Jan, 2023 1 commit
  3. 23 Jan, 2023 34 commits