Commit 26f45317 authored by Jakub Kicinski's avatar Jakub Kicinski
Browse files

Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 

Daniel Borkmann says:

====================
pull-request: bpf-next 2024-07-12

We've added 23 non-merge commits during the last 3 day(s) which contain
a total of 18 files changed, 234 insertions(+), 243 deletions(-).

The main changes are:

1) Improve BPF verifier by utilizing overflow.h helpers to check
   for overflows, from Shung-Hsi Yu.

2) Fix NULL pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT
   when attr->attach_prog_fd was not specified, from Tengda Wu.

3) Fix arm64 BPF JIT when generating code for BPF trampolines with
   BPF_TRAMP_F_CALL_ORIG which corrupted upper address bits,
   from Puranjay Mohan.

4) Remove test_run callback from lwt_seg6local_prog_ops which never worked
   in the first place and caused syzbot reports,
   from Sebastian Andrzej Siewior.

5) Relax BPF verifier to accept non-zero offset on KF_TRUSTED_ARGS/
   /KF_RCU-typed BPF kfuncs, from Matt Bobrowski.

6) Fix a long standing bug in libbpf with regards to handling of BPF
   skeleton's forward and backward compatibility, from Andrii Nakryiko.

7) Annotate btf_{seq,snprintf}_show functions with __printf,
   from Alan Maguire.

8) BPF selftest improvements to reuse common network helpers in sk_lookup
   test and dropping the open-coded inetaddr_len() and make_socket() ones,
   from Geliang Tang.

* tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next: (23 commits)
  selftests/bpf: Test for null-pointer-deref bugfix in resolve_prog_type()
  bpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT
  selftests/bpf: DENYLIST.aarch64: Skip fexit_sleep again
  bpf: use check_sub_overflow() to check for subtraction overflows
  bpf: use check_add_overflow() to check for addition overflows
  bpf: fix overflow check in adjust_jmp_off()
  bpf: Eliminate remaining "make W=1" warnings in kernel/bpf/btf.o
  bpf: annotate BTF show functions with __printf
  bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG
  selftests/bpf: Close obj in error path in xdp_adjust_tail
  selftests/bpf: Null checks for links in bpf_tcp_ca
  selftests/bpf: Use connect_fd_to_fd in sk_lookup
  selftests/bpf: Use start_server_addr in sk_lookup
  selftests/bpf: Use start_server_str in sk_lookup
  selftests/bpf: Close fd in error path in drop_on_reuseport
  selftests/bpf: Add ASSERT_OK_FD macro
  selftests/bpf: Add backlog for network_helper_opts
  selftests/bpf: fix compilation failure when CONFIG_NF_FLOW_TABLE=m
  bpf: Remove tst_run from lwt_seg6local_prog_ops.
  bpf: relax zero fixed offset constraint on KF_TRUSTED_ARGS/KF_RCU
  ...
====================

Link: https://patch.msgid.link/20240712212448.5378-1-daniel@iogearbox.net


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents e5abd12f e435b043

arch/arm64/net/bpf_jit_comp.c

+2 −2
Original line number Diff line number Diff line
@@ -2147,7 +2147,7 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im, 
	emit(A64_STR64I(A64_R(20), A64_SP, regs_off + 8), ctx);



	if (flags & BPF_TRAMP_F_CALL_ORIG) {

		emit_addr_mov_i64(A64_R(0), (const u64)im, ctx);

		emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);

		emit_call((const u64)__bpf_tramp_enter, ctx);

	}
@@ -2191,7 +2191,7 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im, 


	if (flags & BPF_TRAMP_F_CALL_ORIG) {

		im->ip_epilogue = ctx->ro_image + ctx->idx;

		emit_addr_mov_i64(A64_R(0), (const u64)im, ctx);

		emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);

		emit_call((const u64)__bpf_tramp_exit, ctx);

	}

include/linux/bpf_verifier.h

+1 −1
Original line number Diff line number Diff line
@@ -856,7 +856,7 @@ static inline u32 type_flag(u32 type) 
/* only use after check_attach_btf_id() */

static inline enum bpf_prog_type resolve_prog_type(const struct bpf_prog *prog)

{

	return prog->type == BPF_PROG_TYPE_EXT ?

	return (prog->type == BPF_PROG_TYPE_EXT && prog->aux->dst_prog) ?

		prog->aux->dst_prog->type : prog->type;

}

kernel/bpf/btf.c

+5 −5
Original line number Diff line number Diff line
@@ -415,7 +415,7 @@ const char *btf_type_str(const struct btf_type *t) 
struct btf_show {

	u64 flags;

	void *target;	/* target of show operation (seq file, buffer) */

	void (*showfn)(struct btf_show *show, const char *fmt, va_list args);

	__printf(2, 0) void (*showfn)(struct btf_show *show, const char *fmt, va_list args);

	const struct btf *btf;

	/* below are used during iteration */

	struct {
@@ -7538,7 +7538,7 @@ static void btf_type_show(const struct btf *btf, u32 type_id, void *obj, 
	btf_type_ops(t)->show(btf, t, type_id, obj, 0, show);

}



static void btf_seq_show(struct btf_show *show, const char *fmt,

__printf(2, 0) static void btf_seq_show(struct btf_show *show, const char *fmt,

					va_list args)

{

	seq_vprintf((struct seq_file *)show->target, fmt, args);
@@ -7572,7 +7572,7 @@ struct btf_show_snprintf { 
	int len;		/* length we would have written */

};



static void btf_snprintf_show(struct btf_show *show, const char *fmt,

__printf(2, 0) static void btf_snprintf_show(struct btf_show *show, const char *fmt,

					     va_list args)

{

	struct btf_show_snprintf *ssnprintf = (struct btf_show_snprintf *)show;

kernel/bpf/verifier.c

+51 −129
Original line number Diff line number Diff line
@@ -11335,7 +11335,9 @@ static int process_kf_arg_ptr_to_btf_id(struct bpf_verifier_env *env, 
	    btf_type_ids_nocast_alias(&env->log, reg_btf, reg_ref_id, meta->btf, ref_id))

		strict_type_match = true;









	WARN_ON_ONCE(is_kfunc_trusted_args(meta) && reg->off);









	WARN_ON_ONCE(is_kfunc_release(meta) &&









		     (reg->off || !tnum_is_const(reg->var_off) ||









		      reg->var_off.value));

















	reg_ref_t = btf_type_skip_modifiers(reg_btf, reg_ref_id, &reg_ref_id);









	reg_ref_tname = btf_name_by_offset(reg_btf, reg_ref_t->name_off);








@@ -11917,12 +11919,8 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_







					return -EINVAL;









				}









			}

















			fallthrough;









		case KF_ARG_PTR_TO_CTX:









			/* Trusted arguments have the same offset checks as release arguments */









			arg_type |= OBJ_RELEASE;









			break;









		case KF_ARG_PTR_TO_DYNPTR:









		case KF_ARG_PTR_TO_ITER:









		case KF_ARG_PTR_TO_LIST_HEAD:








@@ -11935,7 +11933,6 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_







		case KF_ARG_PTR_TO_REFCOUNTED_KPTR:









		case KF_ARG_PTR_TO_CONST_STR:









		case KF_ARG_PTR_TO_WORKQUEUE:









			/* Trusted by default */









			break;









		default:









			WARN_ON_ONCE(1);








@@ -12729,56 +12726,6 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,







	return 0;









}

















static bool signed_add_overflows(s64 a, s64 b)









{









	/* Do the add in u64, where overflow is well-defined */









	s64 res = (s64)((u64)a + (u64)b);

















	if (b < 0)









		return res > a;









	return res < a;









}

















static bool signed_add32_overflows(s32 a, s32 b)









{









	/* Do the add in u32, where overflow is well-defined */









	s32 res = (s32)((u32)a + (u32)b);

















	if (b < 0)









		return res > a;









	return res < a;









}

















static bool signed_add16_overflows(s16 a, s16 b)









{









	/* Do the add in u16, where overflow is well-defined */









	s16 res = (s16)((u16)a + (u16)b);

















	if (b < 0)









		return res > a;









	return res < a;









}

















static bool signed_sub_overflows(s64 a, s64 b)









{









	/* Do the sub in u64, where overflow is well-defined */









	s64 res = (s64)((u64)a - (u64)b);

















	if (b < 0)









		return res < a;









	return res > a;









}

















static bool signed_sub32_overflows(s32 a, s32 b)









{









	/* Do the sub in u32, where overflow is well-defined */









	s32 res = (s32)((u32)a - (u32)b);

















	if (b < 0)









		return res < a;









	return res > a;









}

















static bool check_reg_sane_offset(struct bpf_verifier_env *env,









				  const struct bpf_reg_state *reg,









				  enum bpf_reg_type type)








@@ -13260,21 +13207,15 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,







		 * added into the variable offset, and we copy the fixed offset









		 * from ptr_reg.









		 */









		if (signed_add_overflows(smin_ptr, smin_val) ||









		    signed_add_overflows(smax_ptr, smax_val)) {









		if (check_add_overflow(smin_ptr, smin_val, &dst_reg->smin_value) ||









		    check_add_overflow(smax_ptr, smax_val, &dst_reg->smax_value)) {









			dst_reg->smin_value = S64_MIN;









			dst_reg->smax_value = S64_MAX;









		} else {









			dst_reg->smin_value = smin_ptr + smin_val;









			dst_reg->smax_value = smax_ptr + smax_val;









		}









		if (umin_ptr + umin_val < umin_ptr ||









		    umax_ptr + umax_val < umax_ptr) {









		if (check_add_overflow(umin_ptr, umin_val, &dst_reg->umin_value) ||









		    check_add_overflow(umax_ptr, umax_val, &dst_reg->umax_value)) {









			dst_reg->umin_value = 0;









			dst_reg->umax_value = U64_MAX;









		} else {









			dst_reg->umin_value = umin_ptr + umin_val;









			dst_reg->umax_value = umax_ptr + umax_val;









		}









		dst_reg->var_off = tnum_add(ptr_reg->var_off, off_reg->var_off);









		dst_reg->off = ptr_reg->off;








@@ -13317,14 +13258,11 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,







		/* A new variable offset is created.  If the subtrahend is known









		 * nonnegative, then any reg->range we had before is still good.









		 */









		if (signed_sub_overflows(smin_ptr, smax_val) ||









		    signed_sub_overflows(smax_ptr, smin_val)) {









		if (check_sub_overflow(smin_ptr, smax_val, &dst_reg->smin_value) ||









		    check_sub_overflow(smax_ptr, smin_val, &dst_reg->smax_value)) {









			/* Overflow possible, we know nothing */









			dst_reg->smin_value = S64_MIN;









			dst_reg->smax_value = S64_MAX;









		} else {









			dst_reg->smin_value = smin_ptr - smax_val;









			dst_reg->smax_value = smax_ptr - smin_val;









		}









		if (umin_ptr < umax_val) {









			/* Overflow possible, we know nothing */








@@ -13377,71 +13315,56 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,







static void scalar32_min_max_add(struct bpf_reg_state *dst_reg,









				 struct bpf_reg_state *src_reg)









{









	s32 smin_val = src_reg->s32_min_value;









	s32 smax_val = src_reg->s32_max_value;









	u32 umin_val = src_reg->u32_min_value;









	u32 umax_val = src_reg->u32_max_value;









	s32 *dst_smin = &dst_reg->s32_min_value;









	s32 *dst_smax = &dst_reg->s32_max_value;









	u32 *dst_umin = &dst_reg->u32_min_value;









	u32 *dst_umax = &dst_reg->u32_max_value;

















	if (signed_add32_overflows(dst_reg->s32_min_value, smin_val) ||









	    signed_add32_overflows(dst_reg->s32_max_value, smax_val)) {









		dst_reg->s32_min_value = S32_MIN;









		dst_reg->s32_max_value = S32_MAX;









	} else {









		dst_reg->s32_min_value += smin_val;









		dst_reg->s32_max_value += smax_val;









	if (check_add_overflow(*dst_smin, src_reg->s32_min_value, dst_smin) ||









	    check_add_overflow(*dst_smax, src_reg->s32_max_value, dst_smax)) {









		*dst_smin = S32_MIN;









		*dst_smax = S32_MAX;









	}









	if (dst_reg->u32_min_value + umin_val < umin_val ||









	    dst_reg->u32_max_value + umax_val < umax_val) {









		dst_reg->u32_min_value = 0;









		dst_reg->u32_max_value = U32_MAX;









	} else {









		dst_reg->u32_min_value += umin_val;









		dst_reg->u32_max_value += umax_val;









	if (check_add_overflow(*dst_umin, src_reg->u32_min_value, dst_umin) ||









	    check_add_overflow(*dst_umax, src_reg->u32_max_value, dst_umax)) {









		*dst_umin = 0;









		*dst_umax = U32_MAX;









	}









}

















static void scalar_min_max_add(struct bpf_reg_state *dst_reg,









			       struct bpf_reg_state *src_reg)









{









	s64 smin_val = src_reg->smin_value;









	s64 smax_val = src_reg->smax_value;









	u64 umin_val = src_reg->umin_value;









	u64 umax_val = src_reg->umax_value;









	s64 *dst_smin = &dst_reg->smin_value;









	s64 *dst_smax = &dst_reg->smax_value;









	u64 *dst_umin = &dst_reg->umin_value;









	u64 *dst_umax = &dst_reg->umax_value;

















	if (signed_add_overflows(dst_reg->smin_value, smin_val) ||









	    signed_add_overflows(dst_reg->smax_value, smax_val)) {









		dst_reg->smin_value = S64_MIN;









		dst_reg->smax_value = S64_MAX;









	} else {









		dst_reg->smin_value += smin_val;









		dst_reg->smax_value += smax_val;









	if (check_add_overflow(*dst_smin, src_reg->smin_value, dst_smin) ||









	    check_add_overflow(*dst_smax, src_reg->smax_value, dst_smax)) {









		*dst_smin = S64_MIN;









		*dst_smax = S64_MAX;









	}









	if (dst_reg->umin_value + umin_val < umin_val ||









	    dst_reg->umax_value + umax_val < umax_val) {









		dst_reg->umin_value = 0;









		dst_reg->umax_value = U64_MAX;









	} else {









		dst_reg->umin_value += umin_val;









		dst_reg->umax_value += umax_val;









	if (check_add_overflow(*dst_umin, src_reg->umin_value, dst_umin) ||









	    check_add_overflow(*dst_umax, src_reg->umax_value, dst_umax)) {









		*dst_umin = 0;









		*dst_umax = U64_MAX;









	}









}

















static void scalar32_min_max_sub(struct bpf_reg_state *dst_reg,









				 struct bpf_reg_state *src_reg)









{









	s32 smin_val = src_reg->s32_min_value;









	s32 smax_val = src_reg->s32_max_value;









	s32 *dst_smin = &dst_reg->s32_min_value;









	s32 *dst_smax = &dst_reg->s32_max_value;









	u32 umin_val = src_reg->u32_min_value;









	u32 umax_val = src_reg->u32_max_value;

















	if (signed_sub32_overflows(dst_reg->s32_min_value, smax_val) ||









	    signed_sub32_overflows(dst_reg->s32_max_value, smin_val)) {









	if (check_sub_overflow(*dst_smin, src_reg->s32_max_value, dst_smin) ||









	    check_sub_overflow(*dst_smax, src_reg->s32_min_value, dst_smax)) {









		/* Overflow possible, we know nothing */









		dst_reg->s32_min_value = S32_MIN;









		dst_reg->s32_max_value = S32_MAX;









	} else {









		dst_reg->s32_min_value -= smax_val;









		dst_reg->s32_max_value -= smin_val;









		*dst_smin = S32_MIN;









		*dst_smax = S32_MAX;









	}









	if (dst_reg->u32_min_value < umax_val) {









		/* Overflow possible, we know nothing */








@@ -13457,19 +13380,16 @@ static void scalar32_min_max_sub(struct bpf_reg_state *dst_reg,







static void scalar_min_max_sub(struct bpf_reg_state *dst_reg,









			       struct bpf_reg_state *src_reg)









{









	s64 smin_val = src_reg->smin_value;









	s64 smax_val = src_reg->smax_value;









	s64 *dst_smin = &dst_reg->smin_value;









	s64 *dst_smax = &dst_reg->smax_value;









	u64 umin_val = src_reg->umin_value;









	u64 umax_val = src_reg->umax_value;

















	if (signed_sub_overflows(dst_reg->smin_value, smax_val) ||









	    signed_sub_overflows(dst_reg->smax_value, smin_val)) {









	if (check_sub_overflow(*dst_smin, src_reg->smax_value, dst_smin) ||









	    check_sub_overflow(*dst_smax, src_reg->smin_value, dst_smax)) {









		/* Overflow possible, we know nothing */









		dst_reg->smin_value = S64_MIN;









		dst_reg->smax_value = S64_MAX;









	} else {









		dst_reg->smin_value -= smax_val;









		dst_reg->smax_value -= smin_val;









		*dst_smin = S64_MIN;









		*dst_smax = S64_MAX;









	}









	if (dst_reg->umin_value < umax_val) {









		/* Overflow possible, we know nothing */








@@ -18838,6 +18758,8 @@ static int adjust_jmp_off(struct bpf_prog *prog, u32 tgt_idx, u32 delta)







{









	struct bpf_insn *insn = prog->insnsi;









	u32 insn_cnt = prog->len, i;









	s32 imm;









	s16 off;

















	for (i = 0; i < insn_cnt; i++, insn++) {









		u8 code = insn->code;








@@ -18849,15 +18771,15 @@ static int adjust_jmp_off(struct bpf_prog *prog, u32 tgt_idx, u32 delta)







		if (insn->code == (BPF_JMP32 | BPF_JA)) {









			if (i + 1 + insn->imm != tgt_idx)









				continue;









			if (signed_add32_overflows(insn->imm, delta))









			if (check_add_overflow(insn->imm, delta, &imm))









				return -ERANGE;









			insn->imm += delta;









			insn->imm = imm;









		} else {









			if (i + 1 + insn->off != tgt_idx)









				continue;









			if (signed_add16_overflows(insn->imm, delta))









			if (check_add_overflow(insn->off, delta, &off))









				return -ERANGE;









			insn->off += delta;









			insn->off = off;









		}









	}









	return 0;

























net/core/filter.c



+0
−1






























Original line number
Diff line number
Diff line







@@ -11053,7 +11053,6 @@ const struct bpf_verifier_ops lwt_seg6local_verifier_ops = {







};



















const struct bpf_prog_ops lwt_seg6local_prog_ops = {









	.test_run		= bpf_prog_test_run_skb,









};



















const struct bpf_verifier_ops cg_sock_verifier_ops = {