Hao Luo says:
====================
This patch set consists of two changes:
- a cleanup of arg_type, ret_type and reg_type which try to make those
types composable. (patch 1/9 - patch 6/9)
- a bug fix that prevents bpf programs from writing kernel memory.
(patch 7/9 - patch 9/9)
The purpose of the cleanup is to find a scalable way to express type
nullness and read-onliness. This patchset introduces two flags that
can be applied on all three types: PTR_MAYBE_NULL and MEM_RDONLY.
Previous types such as ARG_XXX_OR_NULL can now be written as
ARG_XXX | PTR_MAYBE_NULL
Similarly, PTR_TO_RDONLY_BUF is now "PTR_TO_BUF | MEM_RDONLY".
Flags can be composed, as ARGs can be both MEM_RDONLY and MAYBE_NULL.
ARG_PTR_TO_MEM | PTR_MAYBE_NULL | MEM_RDONLY
Based on this new composable types, patch 7/9 applies MEM_RDONLY on
PTR_TO_MEM, in order to tag the returned memory from per_cpu_ptr as
read-only. Therefore fixing a previous bug that one can leverage
per_cpu_ptr to modify kernel memory within BPF programs.
Patch 8/9 generalizes the use of MEM_RDONLY further by tagging a set of
helper arguments ARG_PTR_TO_MEM with MEM_RDONLY. Some helper functions
may override their arguments, such as bpf_d_path, bpf_snprintf. In this
patch, we narrow the ARG_PTR_TO_MEM to be compatible with only a subset
of memory types. This prevents these helpers from writing read-only
memories. For the helpers that do not write its arguments, we add tag
MEM_RDONLY to allow taking a RDONLY memory as argument.
Changes since v1:
- use %u to print base_type(type) instead of %lu. (Andrii, patch 3/9)
- improve reg_type_str() by appending '_or_null' and prepending 'rdonly_'.
use preallocated buffer in 'bpf_env'.
- unified handling of the previous XXX_OR_NULL in adjust_ptr_min_max_vals
(Andrii, patch 4/9)
- move PTR_TO_MAP_KEY up to PTR_TO_MAP_VALUE so that we don't have
to change to drivers that assume the numeric values of bpf_reg.
(patch 4/9)
- reintroduce the typo from previous commits in fixes tags (Andrii, patch 7/9)
- extensive comments on the reason behind folding flags in
check_reg_type (Andrii, patch 8/9)
Changes since RFC v2:
- renamed BPF_BASE_TYPE to a more succinct name base_type and move its
definition to bpf_verifier.h. Same for BPF_TYPE_FLAG. (Alexei)
- made checking MEM_RDONLY in check_reg_type() universal (Alexei)
- ran through majority of test_progs and fixed bugs in RFC v2:
- fixed incorrect BPF_BASE_TYPE_MASK. The high bit of GENMASK should
be BITS - 1, rather than BITS. patch 1/9.
- fixed incorrect conditions when checking ARG_PTR_TO_MAP_VALUE in
check_func_arg(). See patch 2/9.
- fixed a bug where PTR_TO_BTF_ID may be combined with MEM_RDONLY,
causing the check in check_mem_access() to fall through to the
'else' branch. See check_helper_call() in patch 7/9.
- fixed build failure on netronome driver. Entries in bpf_reg_type have
been ordered. patch 4/9.
- fixed build warnings of using '%d' to print base_type. patch 4/9
- unify arg_type_may_be_null() and reg_type_may_be_null() into a single
type_may_be_null().
Previous versions:
v1:
https://lwn.net/Articles/877938/
RFC v2:
https://lwn.net/Articles/877171/
RFC v1:
https://lore.kernel.org/bpf/
20211109003052.
3499225-1-haoluo@google.com/T/
https://lore.kernel.org/bpf/
20211109021624.
1140446-8-haoluo@google.com/T/
====================
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
projects / linux-2.6-microblaze.git / commitdiff