> From: Kumar Kartikeya Dwivedi [mailto:memxor@xxxxxxxxx] > Sent: Thursday, July 28, 2022 10:45 AM > On Thu, 28 Jul 2022 at 10:18, Roberto Sassu <roberto.sassu@xxxxxxxxxx> > wrote: > > > > > From: Roberto Sassu [mailto:roberto.sassu@xxxxxxxxxx] > > > Sent: Thursday, July 28, 2022 9:46 AM > > > > From: Kumar Kartikeya Dwivedi [mailto:memxor@xxxxxxxxx] > > > > Sent: Wednesday, July 27, 2022 10:16 AM > > > > Similar to how we detect mem, size pairs in kfunc, teach verifier to > > > > treat __ref suffix on argument name to imply that it must be a trusted > > > > arg when passed to kfunc, similar to the effect of KF_TRUSTED_ARGS flag > > > > but limited to the specific parameter. This is required to ensure that > > > > kfunc that operate on some object only work on acquired pointers and not > > > > normal PTR_TO_BTF_ID with same type which can be obtained by pointer > > > > walking. Release functions need not specify such suffix on release > > > > arguments as they are already expected to receive one referenced > > > > argument. > > > > > > Thanks, Kumar. I will try it. > > > > Uhm. I realized that I was already using another suffix, > > __maybe_null, to indicate that a caller can pass NULL as > > argument. > > > > Wouldn't probably work well with two suffixes. > > > > Then you can maybe extend it to parse two suffixes at most (for now atleast)? > > > Have you considered to extend BTF_ID_FLAGS to take five > > extra arguments, to set flags for each kfunc parameter? > > > > I didn't understand this. Flags parameter is an OR of the flags you > set, why would we want to extend it to take 5 args? > You can just or f1 | f2 | f3 | f4 | f5, as many as you want. Instead of using the suffix as mechanism to set per-parameter flags, I would do: BTF_ID_FLAGS(func, bpf_verify_pkcs7_signature, KF_SLEEPABLE, 0, 0, KF_REF | KF_MAYBE_NULL, 0, 0) where the first argument after the kfunc name is used for function-wide flags, the second for first parameter flags, ... Roberto > > Thanks > > > > Roberto > > > > > Roberto > > > > > > > Cc: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > > > > Signed-off-by: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx> > > > > --- > > > > Documentation/bpf/kfuncs.rst | 18 +++++++++++++++++ > > > > kernel/bpf/btf.c | 39 ++++++++++++++++++++++++------------ > > > > net/bpf/test_run.c | 9 +++++++-- > > > > 3 files changed, 51 insertions(+), 15 deletions(-) > > > > > > > > diff --git a/Documentation/bpf/kfuncs.rst b/Documentation/bpf/kfuncs.rst > > > > index c0b7dae6dbf5..41dff6337446 100644 > > > > --- a/Documentation/bpf/kfuncs.rst > > > > +++ b/Documentation/bpf/kfuncs.rst > > > > @@ -72,6 +72,24 @@ argument as its size. By default, without __sz > > > annotation, > > > > the size of the type > > > > of the pointer is used. Without __sz annotation, a kfunc cannot accept a > void > > > > pointer. > > > > > > > > +2.2.2 __ref Annotation > > > > +---------------------- > > > > + > > > > +This annotation is used to indicate that the argument is trusted, i.e. it will > > > > +be a pointer from an acquire function (defined later), and its offset will be > > > > +zero. This annotation has the same effect as the KF_TRUSTED_ARGS > kfunc > > > flag > > > > but > > > > +only on the parameter it is applied to. An example is shown below:: > > > > + > > > > + void bpf_task_send_signal(struct task_struct *task__ref, int signal) > > > > + { > > > > + ... > > > > + } > > > > + > > > > +Here, bpf_task_send_signal will only act on trusted task_struct pointers, > and > > > > +cannot be used on pointers obtained using pointer walking. This ensures > that > > > > +caller always calls this kfunc on a task whose lifetime is guaranteed for > the > > > > +duration of the call. > > > > + > > > > .. _BPF_kfunc_nodef: > > > > > > > > 2.3 Using an existing kernel function > > > > diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c > > > > index 7ac971ea98d1..3ce9b2deef9c 100644 > > > > --- a/kernel/bpf/btf.c > > > > +++ b/kernel/bpf/btf.c > > > > @@ -6141,18 +6141,13 @@ static bool __btf_type_is_scalar_struct(struct > > > > bpf_verifier_log *log, > > > > return true; > > > > } > > > > > > > > -static bool is_kfunc_arg_mem_size(const struct btf *btf, > > > > - const struct btf_param *arg, > > > > - const struct bpf_reg_state *reg) > > > > +static bool btf_param_match_suffix(const struct btf *btf, > > > > + const struct btf_param *arg, > > > > + const char *suffix) > > > > { > > > > - int len, sfx_len = sizeof("__sz") - 1; > > > > - const struct btf_type *t; > > > > + int len, sfx_len = strlen(suffix); > > > > const char *param_name; > > > > > > > > - t = btf_type_skip_modifiers(btf, arg->type, NULL); > > > > - if (!btf_type_is_scalar(t) || reg->type != SCALAR_VALUE) > > > > - return false; > > > > - > > > > /* In the future, this can be ported to use BTF tagging */ > > > > param_name = btf_name_by_offset(btf, arg->name_off); > > > > if (str_is_empty(param_name)) > > > > @@ -6161,10 +6156,26 @@ static bool is_kfunc_arg_mem_size(const > struct > > > btf > > > > *btf, > > > > if (len < sfx_len) > > > > return false; > > > > param_name += len - sfx_len; > > > > - if (strncmp(param_name, "__sz", sfx_len)) > > > > + return !strncmp(param_name, suffix, sfx_len); > > > > +} > > > > + > > > > +static bool is_kfunc_arg_ref(const struct btf *btf, > > > > + const struct btf_param *arg) > > > > +{ > > > > + return btf_param_match_suffix(btf, arg, "__ref"); > > > > +} > > > > + > > > > +static bool is_kfunc_arg_mem_size(const struct btf *btf, > > > > + const struct btf_param *arg, > > > > + const struct bpf_reg_state *reg) > > > > +{ > > > > + const struct btf_type *t; > > > > + > > > > + t = btf_type_skip_modifiers(btf, arg->type, NULL); > > > > + if (!btf_type_is_scalar(t) || reg->type != SCALAR_VALUE) > > > > return false; > > > > > > > > - return true; > > > > + return btf_param_match_suffix(btf, arg, "__sz"); > > > > } > > > > > > > > static int btf_check_func_arg_match(struct bpf_verifier_env *env, > > > > @@ -6174,7 +6185,7 @@ static int btf_check_func_arg_match(struct > > > > bpf_verifier_env *env, > > > > u32 kfunc_flags) > > > > { > > > > enum bpf_prog_type prog_type = resolve_prog_type(env->prog); > > > > - bool rel = false, kptr_get = false, trusted_arg = false; > > > > + bool rel = false, kptr_get = false, kf_trusted_args = false; > > > > struct bpf_verifier_log *log = &env->log; > > > > u32 i, nargs, ref_id, ref_obj_id = 0; > > > > bool is_kfunc = btf_is_kernel(btf); > > > > @@ -6211,7 +6222,7 @@ static int btf_check_func_arg_match(struct > > > > bpf_verifier_env *env, > > > > /* Only kfunc can be release func */ > > > > rel = kfunc_flags & KF_RELEASE; > > > > kptr_get = kfunc_flags & KF_KPTR_GET; > > > > - trusted_arg = kfunc_flags & KF_TRUSTED_ARGS; > > > > + kf_trusted_args = kfunc_flags & KF_TRUSTED_ARGS; > > > > } > > > > > > > > /* check that BTF function arguments match actual types that the > > > > @@ -6221,6 +6232,7 @@ static int btf_check_func_arg_match(struct > > > > bpf_verifier_env *env, > > > > enum bpf_arg_type arg_type = ARG_DONTCARE; > > > > u32 regno = i + 1; > > > > struct bpf_reg_state *reg = ®s[regno]; > > > > + bool trusted_arg = false; > > > > > > > > t = btf_type_skip_modifiers(btf, args[i].type, NULL); > > > > if (btf_type_is_scalar(t)) { > > > > @@ -6239,6 +6251,7 @@ static int btf_check_func_arg_match(struct > > > > bpf_verifier_env *env, > > > > /* Check if argument must be a referenced pointer, args + i has > > > > * been verified to be a pointer (after skipping modifiers). > > > > */ > > > > + trusted_arg = kf_trusted_args || is_kfunc_arg_ref(btf, args + i); > > > > if (is_kfunc && trusted_arg && !reg->ref_obj_id) { > > > > bpf_log(log, "R%d must be referenced\n", regno); > > > > return -EINVAL; > > > > diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c > > > > index cbc9cd5058cb..247bfe52e585 100644 > > > > --- a/net/bpf/test_run.c > > > > +++ b/net/bpf/test_run.c > > > > @@ -691,7 +691,11 @@ noinline void > > > bpf_kfunc_call_test_mem_len_fail2(u64 > > > > *mem, int len) > > > > { > > > > } > > > > > > > > -noinline void bpf_kfunc_call_test_ref(struct prog_test_ref_kfunc *p) > > > > +noinline void bpf_kfunc_call_test_trusted(struct prog_test_ref_kfunc *p) > > > > +{ > > > > +} > > > > + > > > > +noinline void bpf_kfunc_call_test_ref(struct prog_test_ref_kfunc *p__ref) > > > > { > > > > } > > > > > > > > @@ -718,7 +722,8 @@ BTF_ID_FLAGS(func, bpf_kfunc_call_test_fail3) > > > > BTF_ID_FLAGS(func, bpf_kfunc_call_test_mem_len_pass1) > > > > BTF_ID_FLAGS(func, bpf_kfunc_call_test_mem_len_fail1) > > > > BTF_ID_FLAGS(func, bpf_kfunc_call_test_mem_len_fail2) > > > > -BTF_ID_FLAGS(func, bpf_kfunc_call_test_ref, KF_TRUSTED_ARGS) > > > > +BTF_ID_FLAGS(func, bpf_kfunc_call_test_trusted, KF_TRUSTED_ARGS) > > > > +BTF_ID_FLAGS(func, bpf_kfunc_call_test_ref) > > > > BTF_SET8_END(test_sk_check_kfunc_ids) > > > > > > > > static void *bpf_test_init(const union bpf_attr *kattr, u32 user_size, > > > > -- > > > > 2.34.1 > >