From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Yonghong Song, Alexei Starovoitov, Andrii Nakryiko, Sasha Levin
Subject: [PATCH 5.9 100/391] bpf: Permit map_ptr arithmetic with opcode add and offset 0
Date: Tue, 3 Nov 2020 21:32:31 +0100
Message-Id: <20201103203353.591465660@linuxfoundation.org>
In-Reply-To: <20201103203348.153465465@linuxfoundation.org>

From: Yonghong Song

[ Upstream commit 7c6967326267bd5c0dded0a99541357d70dd11ac ]

Commit 41c48f3a98231 ("bpf: Support access to bpf map fields")
added support to access map fields with CORE support. For example,

    struct bpf_map {
            __u32 max_entries;
    } __attribute__((preserve_access_index));

    struct bpf_array {
            struct bpf_map map;
            __u32 elem_size;
    } __attribute__((preserve_access_index));

    struct {
            __uint(type, BPF_MAP_TYPE_ARRAY);
            __uint(max_entries, 4);
            __type(key, __u32);
            __type(value, __u32);
    } m_array SEC(".maps");

    SEC("cgroup_skb/egress")
    int cg_skb(void *ctx)
    {
            struct bpf_array *array = (struct bpf_array *)&m_array;

            /* .. array->map.max_entries .. */
    }

In kernel, bpf_htab has similar structure,

    struct bpf_htab {
            struct bpf_map map;
            ...
    }

In the above cg_skb(), to access array->map.max_entries, with CORE, the clang will
generate two builtins.

    base = &m_array;
    /* access array.map */
    map_addr = __builtin_preserve_struct_access_info(base, 0, 0);
    /* access array.map.max_entries */
    max_entries_addr = __builtin_preserve_struct_access_info(map_addr, 0, 0);
    max_entries = *max_entries_addr;

In the current llvm, if two builtins are in the same function or
in the same function after inlining, the compiler is smart enough to chain
them together and generates like below:

    base = &m_array;
    max_entries = *(base + reloc_offset); /* reloc_offset = 0 in this case */

and we are fine.

But if we force no inlining for one of functions in test_map_ptr() selftest, e.g.,
check_default(), the above two __builtin_preserve_* will be in two different
functions. In this case, we will have code like:

    func check_hash():
            reloc_offset_map = 0;
            base = &m_array;
            map_base = base + reloc_offset_map;
            check_default(map_base, ...)
    func check_default(map_base, ...):
            max_entries = *(map_base + reloc_offset_max_entries);

In kernel, map_ptr (CONST_PTR_TO_MAP) does not allow any arithmetic.
The above "map_base = base + reloc_offset_map" will trigger a verifier failure.

    ; VERIFY(check_default(&hash->map, map));
    0: (18) r7 = 0xffffb4fe8018a004
    2: (b4) w1 = 110
    3: (63) *(u32 *)(r7 +0) = r1
     R1_w=invP110 R7_w=map_value(id=0,off=4,ks=4,vs=8,imm=0) R10=fp0
    ; VERIFY_TYPE(BPF_MAP_TYPE_HASH, check_hash);
    4: (18) r1 = 0xffffb4fe8018a000
    6: (b4) w2 = 1
    7: (63) *(u32 *)(r1 +0) = r2
     R1_w=map_value(id=0,off=0,ks=4,vs=8,imm=0) R2_w=invP1 R7_w=map_value(id=0,off=4,ks=4,vs=8,imm=0) R10=fp0
    8: (b7) r2 = 0
    9: (18) r8 = 0xffff90bcb500c000
    11: (18) r1 = 0xffff90bcb500c000
    13: (0f) r1 += r2
    R1 pointer arithmetic on map_ptr prohibited

To fix the issue, let us permit map_ptr + 0 arithmetic which will
result in exactly the same map_ptr.

Signed-off-by: Yonghong Song
Signed-off-by: Alexei Starovoitov
Acked-by: Andrii Nakryiko
Link: https://lore.kernel.org/bpf/20200908175702.2463625-1-yhs@fb.com
Signed-off-by: Sasha Levin
--- kernel/bpf/verifier.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 43cd175c66a55..718bbdc8b3c66 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -5246,6 +5246,10 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, dst, reg_type_str[ptr_reg->type]); return -EACCES; case CONST_PTR_TO_MAP: + /* smin_val represents the known value */ + if (known && smin_val == 0 && opcode == BPF_ADD) + break; + /* fall-through */ case PTR_TO_PACKET_END: case PTR_TO_SOCKET: case PTR_TO_SOCKET_OR_NULL: -- 2.27.0
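
Review bot: the new CONST_PTR_TO_MAP branch in adjust_ptr_min_max_vals() arrives without a test; the diffstat touches only kernel/bpf/verifier.c. A verifier selftest that performs `r1 += r2` on a map pointer with r2 = 0 (accepted), and the same with a nonzero constant and with a subtract of 0 (both still rejected by `opcode == BPF_ADD`), would pin down exactly how far the rule was relaxed. The comment `/* smin_val represents the known value */` is true only because `known` is tested first in the same condition; saying so in the comment would guard against a later edit that drops `known` and ends up accepting any scalar whose minimum happens to be 0.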
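
The rule the commit message describes, as an added example that is not part of the original mail or of the kernel source: a simplified user-space model of the decision taken for arithmetic on a map pointer after this patch. `struct scalar_model`, `model_is_const()` and `check_map_ptr_alu()` are hypothetical names, the value/mask pair is an assumed stand-in for the verifier's tracked-bits state, and the operands in `main()` are constructed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BPF_ADD 0x00 /* ALU opcode encodings from the BPF uapi headers */
#define BPF_SUB 0x10

/* Hypothetical, simplified view of the scalar operand's tracked state. */
struct scalar_model {
	uint64_t value; /* bits known to be 1 */
	uint64_t mask;  /* bits whose value is unknown */
	int64_t smin;   /* smallest signed value the scalar may hold */
	int64_t smax;   /* largest signed value the scalar may hold */
};

/* A scalar is a known constant only when no bit is unknown. */
static bool model_is_const(const struct scalar_model *s)
{
	return s->mask == 0;
}

/* Models "map_ptr <op>= scalar": 0 if accepted, -EACCES if rejected. */
static int check_map_ptr_alu(const struct scalar_model *off, uint8_t opcode)
{
	bool known = model_is_const(off);

	/* With known set, smin is the exact value, so this is map_ptr + 0. */
	if (known && off->smin == 0 && opcode == BPF_ADD)
		return 0;
	return -EACCES; /* every other arithmetic on a map pointer */
}

int main(void)
{
	/* Constructed operands: constant 0, unknown in [0, 15], constant 4. */
	struct scalar_model zero = { 0, 0, 0, 0 };
	struct scalar_model range = { 0, 0xf, 0, 15 };
	struct scalar_model four = { 4, 0, 4, 4 };

	printf("+= const 0 : %d\n", check_map_ptr_alu(&zero, BPF_ADD));
	printf("+= [0,15]  : %d\n", check_map_ptr_alu(&range, BPF_ADD));
	printf("+= const 4 : %d\n", check_map_ptr_alu(&four, BPF_ADD));
	printf("-= const 0 : %d\n", check_map_ptr_alu(&zero, BPF_SUB));
	return 0;
}
```

The `range` operand has a minimum of 0 but is not a constant, which is the case the `known` test exists to reject.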