Re: [PATCH HID for-next v2 1/4] bpf: do not rely on ALLOW_ERROR_INJECTION for fmod_ret

From: Alexei Starovoitov
Date: Mon Dec 05 2022 - 16:59:51 EST

Next message: Tedd Ho-Jeong An: "Re: [PATCH] Bluetooth: btintel: Fix missing free skb in btintel_setup_combined()"
Previous message: Dmitry Baryshkov: "Re: [PATCH v4 12/23] phy: qcom-qmp-ufs: Add HS G4 mode support to SC8280XP SoC"
In reply to: Benjamin Tissoires: "[PATCH HID for-next v2 1/4] bpf: do not rely on ALLOW_ERROR_INJECTION for fmod_ret"
Next in thread: Benjamin Tissoires: "[PATCH HID for-next v2 3/4] HID: bpf: enforce HID_BPF dependencies"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Dec 05, 2022 at 05:48:53PM +0100, Benjamin Tissoires wrote:
> The current way of expressing that a non-bpf kernel component is willing
> to accept that bpf programs can be attached to it and that they can change
> the return value is to abuse ALLOW_ERROR_INJECTION.
> This is debated in the link below, and the result is that it is not a
> reasonable thing to do.
>
> Reuse the kfunc declaration structure to also tag the kernel functions
> we want to be fmodret. This way we can control from any subsystem which
> functions are being modified by bpf without touching the verifier.
>
>
> Link: https://lore.kernel.org/all/20221121104403.1545f9b5@xxxxxxxxxxxxxxxxxx/
> Suggested-by: Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx>
> Signed-off-by: Benjamin Tissoires <benjamin.tissoires@xxxxxxxxxx>
> ---
> include/linux/btf.h | 3 +++
> kernel/bpf/btf.c | 41 +++++++++++++++++++++++++++++++++++++++++
> kernel/bpf/verifier.c | 17 +++++++++++++++--
> net/bpf/test_run.c | 14 +++++++++++---
> 4 files changed, 70 insertions(+), 5 deletions(-)
>
> diff --git a/include/linux/btf.h b/include/linux/btf.h
> index f9aababc5d78..f71cfb20b9bf 100644
> --- a/include/linux/btf.h
> +++ b/include/linux/btf.h
> @@ -412,8 +412,11 @@ struct btf *bpf_prog_get_target_btf(const struct bpf_prog *prog);
> u32 *btf_kfunc_id_set_contains(const struct btf *btf,
> enum bpf_prog_type prog_type,
> u32 kfunc_btf_id);
> +u32 *btf_kern_func_is_modify_return(const struct btf *btf,
> + u32 kfunc_btf_id);
> int register_btf_kfunc_id_set(enum bpf_prog_type prog_type,
> const struct btf_kfunc_id_set *s);
> +int register_btf_fmodret_id_set(const struct btf_kfunc_id_set *kset);
> s32 btf_find_dtor_kfunc(struct btf *btf, u32 btf_id);
> int register_btf_id_dtor_kfuncs(const struct btf_id_dtor_kfunc *dtors, u32 add_cnt,
> struct module *owner);
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 35c07afac924..a22f3f45aca3 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -204,6 +204,7 @@ enum btf_kfunc_hook {
> BTF_KFUNC_HOOK_STRUCT_OPS,
> BTF_KFUNC_HOOK_TRACING,
> BTF_KFUNC_HOOK_SYSCALL,
> + BTF_KFUNC_HOOK_FMODRET,
> BTF_KFUNC_HOOK_MAX,
> };
>
> @@ -7448,6 +7449,19 @@ u32 *btf_kfunc_id_set_contains(const struct btf *btf,
> return __btf_kfunc_id_set_contains(btf, hook, kfunc_btf_id);
> }
>
> +/* Caution:
> + * Reference to the module (obtained using btf_try_get_module) corresponding to
> + * the struct btf *MUST* be held when calling this function from verifier
> + * context. This is usually true as we stash references in prog's kfunc_btf_tab;
> + * keeping the reference for the duration of the call provides the necessary
> + * protection for looking up a well-formed btf->kfunc_set_tab.
> + */

There is no need to copy paste that comment from btf_kfunc_id_set_contains().
One place is enough.

> +u32 *btf_kern_func_is_modify_return(const struct btf *btf,
> + u32 kfunc_btf_id)

How about btf_kfunc_is_modify_return ?
For consistency.

> +{
> + return __btf_kfunc_id_set_contains(btf, BTF_KFUNC_HOOK_FMODRET, kfunc_btf_id);
> +}
> +
> /* This function must be invoked only from initcalls/module init functions */
> int register_btf_kfunc_id_set(enum bpf_prog_type prog_type,
> const struct btf_kfunc_id_set *kset)
> @@ -7478,6 +7492,33 @@ int register_btf_kfunc_id_set(enum bpf_prog_type prog_type,
> }
> EXPORT_SYMBOL_GPL(register_btf_kfunc_id_set);
>
> +/* This function must be invoked only from initcalls/module init functions */
> +int register_btf_fmodret_id_set(const struct btf_kfunc_id_set *kset)
> +{
> + struct btf *btf;
> + int ret;
> +
> + btf = btf_get_module_btf(kset->owner);
> + if (!btf) {
> + if (!kset->owner && IS_ENABLED(CONFIG_DEBUG_INFO_BTF)) {
> + pr_err("missing vmlinux BTF, cannot register kfuncs\n");
> + return -ENOENT;
> + }
> + if (kset->owner && IS_ENABLED(CONFIG_DEBUG_INFO_BTF_MODULES)) {
> + pr_err("missing module BTF, cannot register kfuncs\n");
> + return -ENOENT;
> + }
> + return 0;
> + }
> + if (IS_ERR(btf))
> + return PTR_ERR(btf);
> +
> + ret = btf_populate_kfunc_set(btf, BTF_KFUNC_HOOK_FMODRET, kset->set);
> + btf_put(btf);
> + return ret;
> +}

This is a bit too much copy-paste from register_btf_kfunc_id_set().
Please share the code. Like:

int __register_btf_kfunc_id_set(enum btf_kfunc_hook hook, const struct btf_kfunc_id_set *kset)
{
...
}

int register_btf_kfunc_id_set(enum bpf_prog_type prog_type,
const struct btf_kfunc_id_set *kset)
{
hook = bpf_prog_type_to_kfunc_hook(prog_type);
return __register_btf_kfunc_id_set(hook, kset);
}

int register_btf_fmodret_id_set(const struct btf_kfunc_id_set *kset)
{
return __register_btf_kfunc_id_set(BTF_KFUNC_HOOK_FMODRET, kset);
}

Next message: Tedd Ho-Jeong An: "Re: [PATCH] Bluetooth: btintel: Fix missing free skb in btintel_setup_combined()"
Previous message: Dmitry Baryshkov: "Re: [PATCH v4 12/23] phy: qcom-qmp-ufs: Add HS G4 mode support to SC8280XP SoC"
In reply to: Benjamin Tissoires: "[PATCH HID for-next v2 1/4] bpf: do not rely on ALLOW_ERROR_INJECTION for fmod_ret"
Next in thread: Benjamin Tissoires: "[PATCH HID for-next v2 3/4] HID: bpf: enforce HID_BPF dependencies"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]