Patch "bpf: Consider non-owning refs trusted" has been added to the 6.5-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    bpf: Consider non-owning refs trusted

to the 6.5-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-consider-non-owning-refs-trusted.patch
and it can be found in the queue-6.5 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit edf42ff1b974487da39b94b4287ffcd252589250
Author: Dave Marchevsky <davemarchevsky@xxxxxx>
Date:   Mon Aug 21 12:33:06 2023 -0700

    bpf: Consider non-owning refs trusted
    
    [ Upstream commit 2a6d50b50d6d589d43a90d6ca990b8b811e67701 ]
    
    Recent discussions around default kptr "trustedness" led to changes such
    as commit 6fcd486b3a0a ("bpf: Refactor RCU enforcement in the
    verifier."). One of the conclusions of those discussions, as expressed
    in code and comments in that patch, is that we'd like to move away from
    'raw' PTR_TO_BTF_ID without some type flag or other register state
    indicating trustedness. Although PTR_TRUSTED and PTR_UNTRUSTED flags mark
    this state explicitly, the verifier currently considers trustedness
    implied by other register state. For example, owning refs to graph
    collection nodes must have a nonzero ref_obj_id, so they pass the
    is_trusted_reg check despite having no explicit PTR_{UN}TRUSTED flag.
    This patch makes trustedness of non-owning refs to graph collection
    nodes explicit as well.
    
    By definition, non-owning refs are currently trusted. Although the ref
    has no control over pointee lifetime, due to non-owning ref clobbering
    rules (see invalidate_non_owning_refs) dereferencing a non-owning ref is
    safe in the critical section controlled by bpf_spin_lock associated with
    its owning collection.
    
    Note that the previous statement does not hold true for nodes with shared
    ownership due to the use-after-free issue that this series is
    addressing. True shared ownership was disabled by commit 7deca5eae833
    ("bpf: Disable bpf_refcount_acquire kfunc calls until race conditions are fixed"),
    though, so the statement holds for now. Further patches in the series will change
    the trustedness state of non-owning refs before re-enabling
    bpf_refcount_acquire.
    
    Let's add NON_OWN_REF type flag to BPF_REG_TRUSTED_MODIFIERS such that a
    non-owning ref reg state would pass is_trusted_reg check. Somewhat
    surprisingly, this doesn't result in any change to user-visible
    functionality elsewhere in the verifier: graph collection nodes are all
    marked MEM_ALLOC, which tends to be handled in separate codepaths from
    "raw" PTR_TO_BTF_ID. Regardless, let's be explicit here and document the
    current state of things before changing it elsewhere in the series.
    
    Signed-off-by: Dave Marchevsky <davemarchevsky@xxxxxx>
    Acked-by: Yonghong Song <yonghong.song@xxxxxxxxx>
    Link: https://lore.kernel.org/r/20230821193311.3290257-3-davemarchevsky@xxxxxx
    Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
index f70f9ac884d24..b6e58dab8e275 100644
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -745,7 +745,7 @@ static inline bool bpf_prog_check_recur(const struct bpf_prog *prog)
 	}
 }
 
-#define BPF_REG_TRUSTED_MODIFIERS (MEM_ALLOC | PTR_TRUSTED)
+#define BPF_REG_TRUSTED_MODIFIERS (MEM_ALLOC | PTR_TRUSTED | NON_OWN_REF)
 
 static inline bool bpf_type_has_unsafe_modifiers(u32 type)
 {



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux