[bpf-next,v3,2/6] bpf: Add verifier support for dynptrs and implement malloc dynptrs

Commit Message

Joanne Koong April 28, 2022, 9:10 p.m. UTC

This patch adds the bulk of the verifier work for supporting dynamic
pointers (dynptrs) in bpf. This patch implements malloc-type dynptrs
through 2 new APIs (bpf_dynptr_alloc and bpf_dynptr_put) that can be
called by a bpf program. Malloc-type dynptrs are dynptrs that dynamically
allocate memory on behalf of the program.

A bpf_dynptr is opaque to the bpf program. It is a 16-byte structure
defined internally as:

struct bpf_dynptr_kern {
    void *data;
    u32 size;
    u32 offset;
} __aligned(8);

The upper 8 bits of *size* is reserved (it contains extra metadata about
read-only status and dynptr type); consequently, a dynptr only supports
memory less than 16 MB.

The 2 new APIs for malloc-type dynptrs are:

long bpf_dynptr_alloc(u32 size, u64 flags, struct bpf_dynptr *ptr);
void bpf_dynptr_put(struct bpf_dynptr *ptr);

Please note that there *must* be a corresponding bpf_dynptr_put for
every bpf_dynptr_alloc (even if the alloc fails). This is enforced
by the verifier.

In the verifier, dynptr state information will be tracked in stack
slots. When the program passes in an uninitialized dynptr
(ARG_PTR_TO_DYNPTR | MEM_UNINIT), the stack slots corresponding
to the frame pointer where the dynptr resides at are marked STACK_DYNPTR.

For helper functions that take in initialized dynptrs (eg
bpf_dynptr_read + bpf_dynptr_write which are added later in this
patchset), the verifier enforces that the dynptr has been initialized
properly by checking that their corresponding stack slots have been marked
as STACK_DYNPTR. Dynptr release functions (eg bpf_dynptr_put) will clear the
stack slots. The verifier enforces at program exit that there are no
referenced dynptrs that haven't been released.

Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
---
 include/linux/bpf.h            |  60 ++++++++-
 include/linux/bpf_verifier.h   |  21 +++
 include/uapi/linux/bpf.h       |  30 +++++
 kernel/bpf/helpers.c           |  75 +++++++++++
 kernel/bpf/verifier.c          | 225 ++++++++++++++++++++++++++++++++-
 scripts/bpf_doc.py             |   2 +
 tools/include/uapi/linux/bpf.h |  30 +++++
 7 files changed, 440 insertions(+), 3 deletions(-)

Comments

Andrii Nakryiko May 6, 2022, 11:30 p.m. UTC | #1

On Thu, Apr 28, 2022 at 2:12 PM Joanne Koong <joannelkoong@gmail.com> wrote:
>
> This patch adds the bulk of the verifier work for supporting dynamic
> pointers (dynptrs) in bpf. This patch implements malloc-type dynptrs
> through 2 new APIs (bpf_dynptr_alloc and bpf_dynptr_put) that can be
> called by a bpf program. Malloc-type dynptrs are dynptrs that dynamically
> allocate memory on behalf of the program.
>
> A bpf_dynptr is opaque to the bpf program. It is a 16-byte structure
> defined internally as:
>
> struct bpf_dynptr_kern {
>     void *data;
>     u32 size;
>     u32 offset;
> } __aligned(8);
>
> The upper 8 bits of *size* is reserved (it contains extra metadata about
> read-only status and dynptr type); consequently, a dynptr only supports
> memory less than 16 MB.
>
> The 2 new APIs for malloc-type dynptrs are:
>
> long bpf_dynptr_alloc(u32 size, u64 flags, struct bpf_dynptr *ptr);
> void bpf_dynptr_put(struct bpf_dynptr *ptr);
>
> Please note that there *must* be a corresponding bpf_dynptr_put for
> every bpf_dynptr_alloc (even if the alloc fails). This is enforced
> by the verifier.
>
> In the verifier, dynptr state information will be tracked in stack
> slots. When the program passes in an uninitialized dynptr
> (ARG_PTR_TO_DYNPTR | MEM_UNINIT), the stack slots corresponding
> to the frame pointer where the dynptr resides at are marked STACK_DYNPTR.
>
> For helper functions that take in initialized dynptrs (eg
> bpf_dynptr_read + bpf_dynptr_write which are added later in this
> patchset), the verifier enforces that the dynptr has been initialized
> properly by checking that their corresponding stack slots have been marked
> as STACK_DYNPTR. Dynptr release functions (eg bpf_dynptr_put) will clear the
> stack slots. The verifier enforces at program exit that there are no
> referenced dynptrs that haven't been released.
>
> Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
> ---
>  include/linux/bpf.h            |  60 ++++++++-
>  include/linux/bpf_verifier.h   |  21 +++
>  include/uapi/linux/bpf.h       |  30 +++++
>  kernel/bpf/helpers.c           |  75 +++++++++++
>  kernel/bpf/verifier.c          | 225 ++++++++++++++++++++++++++++++++-
>  scripts/bpf_doc.py             |   2 +
>  tools/include/uapi/linux/bpf.h |  30 +++++
>  7 files changed, 440 insertions(+), 3 deletions(-)
>

[...]

> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 4565684839f1..16b7ea54a7e0 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -187,6 +187,11 @@ struct bpf_verifier_stack_elem {
>                                           POISON_POINTER_DELTA))
>  #define BPF_MAP_PTR(X)         ((struct bpf_map *)((X) & ~BPF_MAP_PTR_UNPRIV))
>
> +/* forward declarations */

it's kind of obvious from C syntax, this comment doesn't really add value

> +static bool arg_type_is_mem_size(enum bpf_arg_type type);
> +static int acquire_reference_state(struct bpf_verifier_env *env, int insn_idx);
> +static int release_reference(struct bpf_verifier_env *env, int ref_obj_id);
> +

[...]

>  static struct bpf_func_state *func(struct bpf_verifier_env *env,
>                                    const struct bpf_reg_state *reg)
>  {
> @@ -646,6 +672,134 @@ static void mark_verifier_state_scratched(struct bpf_verifier_env *env)
>         env->scratched_stack_slots = ~0ULL;
>  }
>
> +#define DYNPTR_TYPE_FLAG_MASK          DYNPTR_TYPE_MALLOC

can this be put near where DYNPTR_TYPE_MALLOC is defined? It's quite
easy to forget to update this if it's somewhere far away

> +
> +static int arg_to_dynptr_type(enum bpf_arg_type arg_type)
> +{
> +       switch (arg_type & DYNPTR_TYPE_FLAG_MASK) {
> +       case DYNPTR_TYPE_MALLOC:
> +               return BPF_DYNPTR_TYPE_MALLOC;
> +       default:
> +               return BPF_DYNPTR_TYPE_INVALID;
> +       }
> +}
> +

[...]

> +static int unmark_stack_slots_dynptr(struct bpf_verifier_env *env, struct bpf_reg_state *reg)
> +{
> +       struct bpf_func_state *state = func(env, reg);
> +       int spi, i;
> +
> +       spi = get_spi(reg->off);
> +
> +       if (!is_spi_bounds_valid(state, spi, BPF_DYNPTR_NR_SLOTS))
> +               return -EINVAL;
> +
> +       for (i = 0; i < BPF_REG_SIZE; i++) {
> +               state->stack[spi].slot_type[i] = STACK_INVALID;
> +               state->stack[spi - 1].slot_type[i] = STACK_INVALID;
> +       }
> +
> +       /* Invalidate any slices associated with this dynptr */
> +       if (dynptr_type_refcounted(state->stack[spi].spilled_ptr.dynptr.type)) {
> +               release_reference(env, state->stack[spi].spilled_ptr.id);
> +               state->stack[spi].spilled_ptr.id = 0;
> +               state->stack[spi - 1].spilled_ptr.id = 0;
> +       }
> +
> +       state->stack[spi].spilled_ptr.dynptr.type = 0;
> +       state->stack[spi - 1].spilled_ptr.dynptr.type = 0;
> +
> +       state->stack[spi].spilled_ptr.dynptr.first_slot = false;

nit: given you marked slots as STACK_INVALID, we shouldn't even look
into spilled_ptr.dynptr, so this zeroing out isn't necessary, right?

> +
> +       return 0;
> +}
> +
> +static bool is_dynptr_reg_valid_uninit(struct bpf_verifier_env *env, struct bpf_reg_state *reg)
> +{
> +       struct bpf_func_state *state = func(env, reg);
> +       int spi = get_spi(reg->off);
> +       int i;
> +
> +       if (!is_spi_bounds_valid(state, spi, BPF_DYNPTR_NR_SLOTS))
> +               return true;

hm... if spi bounds are invalid, shouldn't that be an error?...

> +
> +       for (i = 0; i < BPF_REG_SIZE; i++) {
> +               if (state->stack[spi].slot_type[i] == STACK_DYNPTR ||
> +                   state->stack[spi - 1].slot_type[i] == STACK_DYNPTR)
> +                       return false;
> +       }
> +
> +       return true;
> +}
> +
> +static bool is_dynptr_reg_valid_init(struct bpf_verifier_env *env, struct bpf_reg_state *reg,
> +                                    enum bpf_arg_type arg_type)
> +{
> +       struct bpf_func_state *state = func(env, reg);
> +       int spi = get_spi(reg->off);
> +       int i;
> +
> +       if (!is_spi_bounds_valid(state, spi, BPF_DYNPTR_NR_SLOTS) ||
> +           !state->stack[spi].spilled_ptr.dynptr.first_slot)
> +               return false;
> +
> +       for (i = 0; i < BPF_REG_SIZE; i++) {
> +           if (state->stack[spi].slot_type[i] != STACK_DYNPTR ||
> +               state->stack[spi - 1].slot_type[i] != STACK_DYNPTR)
> +                   return false;
> +       }

minor, but seems like it's pretty common operation to set or check all
those "microslots" to STACK_DYNPTR, would two small helpers be useful
for this (e.g., is_stack_dynptr() and set_stack_dynptr() or something
along those lines)?

> +
> +       /* ARG_PTR_TO_DYNPTR takes any type of dynptr */
> +       if (arg_type == ARG_PTR_TO_DYNPTR)
> +               return true;
> +
> +       return state->stack[spi].spilled_ptr.dynptr.type == arg_to_dynptr_type(arg_type);
> +}
> +

[...]

> @@ -5837,6 +6011,35 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
>                 bool zero_size_allowed = (arg_type == ARG_CONST_SIZE_OR_ZERO);
>
>                 err = check_mem_size_reg(env, reg, regno, zero_size_allowed, meta);
> +       } else if (arg_type_is_dynptr(arg_type)) {
> +               /* Can't pass in a dynptr at a weird offset */
> +               if (reg->off % BPF_REG_SIZE) {
> +                       verbose(env, "cannot pass in non-zero dynptr offset\n");
> +                       return -EINVAL;
> +               }
> +
> +               if (arg_type & MEM_UNINIT)  {
> +                       if (!is_dynptr_reg_valid_uninit(env, reg)) {
> +                               verbose(env, "Arg #%d dynptr has to be an uninitialized dynptr\n",
> +                                       arg + BPF_REG_1);
> +                               return -EINVAL;
> +                       }
> +
> +                       meta->uninit_dynptr_regno = arg + BPF_REG_1;

do we need a check that meta->uninit_dynptr_regno isn't already set?
I.e., prevent two uninit dynptr in a helper?

> +               } else if (!is_dynptr_reg_valid_init(env, reg, arg_type)) {
> +                       const char *err_extra = "";
> +
> +                       switch (arg_type & DYNPTR_TYPE_FLAG_MASK) {
> +                       case DYNPTR_TYPE_MALLOC:
> +                               err_extra = "malloc ";
> +                               break;
> +                       default:
> +                               break;
> +                       }
> +                       verbose(env, "Expected an initialized %sdynptr as arg #%d\n",
> +                               err_extra, arg + BPF_REG_1);
> +                       return -EINVAL;
> +               }
>         } else if (arg_type_is_alloc_size(arg_type)) {
>                 if (!tnum_is_const(reg->var_off)) {
>                         verbose(env, "R%d is not a known constant'\n",

[...]

Joanne Koong May 9, 2022, 6:58 p.m. UTC | #2

On Fri, May 6, 2022 at 4:30 PM Andrii Nakryiko
<andrii.nakryiko@gmail.com> wrote:
>
> On Thu, Apr 28, 2022 at 2:12 PM Joanne Koong <joannelkoong@gmail.com> wrote:
> >
> > This patch adds the bulk of the verifier work for supporting dynamic
> > pointers (dynptrs) in bpf. This patch implements malloc-type dynptrs
> > through 2 new APIs (bpf_dynptr_alloc and bpf_dynptr_put) that can be
> > called by a bpf program. Malloc-type dynptrs are dynptrs that dynamically
> > allocate memory on behalf of the program.
> >
> > A bpf_dynptr is opaque to the bpf program. It is a 16-byte structure
> > defined internally as:
> >
> > struct bpf_dynptr_kern {
> >     void *data;
> >     u32 size;
> >     u32 offset;
> > } __aligned(8);
> >
> > The upper 8 bits of *size* is reserved (it contains extra metadata about
> > read-only status and dynptr type); consequently, a dynptr only supports
> > memory less than 16 MB.
> >
> > The 2 new APIs for malloc-type dynptrs are:
> >
> > long bpf_dynptr_alloc(u32 size, u64 flags, struct bpf_dynptr *ptr);
> > void bpf_dynptr_put(struct bpf_dynptr *ptr);
> >
> > Please note that there *must* be a corresponding bpf_dynptr_put for
> > every bpf_dynptr_alloc (even if the alloc fails). This is enforced
> > by the verifier.
> >
> > In the verifier, dynptr state information will be tracked in stack
> > slots. When the program passes in an uninitialized dynptr
> > (ARG_PTR_TO_DYNPTR | MEM_UNINIT), the stack slots corresponding
> > to the frame pointer where the dynptr resides at are marked STACK_DYNPTR.
> >
> > For helper functions that take in initialized dynptrs (eg
> > bpf_dynptr_read + bpf_dynptr_write which are added later in this
> > patchset), the verifier enforces that the dynptr has been initialized
> > properly by checking that their corresponding stack slots have been marked
> > as STACK_DYNPTR. Dynptr release functions (eg bpf_dynptr_put) will clear the
> > stack slots. The verifier enforces at program exit that there are no
> > referenced dynptrs that haven't been released.
> >
> > Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
> > ---
> >  include/linux/bpf.h            |  60 ++++++++-
> >  include/linux/bpf_verifier.h   |  21 +++
> >  include/uapi/linux/bpf.h       |  30 +++++
> >  kernel/bpf/helpers.c           |  75 +++++++++++
> >  kernel/bpf/verifier.c          | 225 ++++++++++++++++++++++++++++++++-
> >  scripts/bpf_doc.py             |   2 +
> >  tools/include/uapi/linux/bpf.h |  30 +++++
> >  7 files changed, 440 insertions(+), 3 deletions(-)
> >
>
> [...]
>
> > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > index 4565684839f1..16b7ea54a7e0 100644
> > --- a/kernel/bpf/verifier.c
> > +++ b/kernel/bpf/verifier.c
> > @@ -187,6 +187,11 @@ struct bpf_verifier_stack_elem {
> >                                           POISON_POINTER_DELTA))
> >  #define BPF_MAP_PTR(X)         ((struct bpf_map *)((X) & ~BPF_MAP_PTR_UNPRIV))
> >
> > +/* forward declarations */
>
> it's kind of obvious from C syntax, this comment doesn't really add value
>
> > +static bool arg_type_is_mem_size(enum bpf_arg_type type);
> > +static int acquire_reference_state(struct bpf_verifier_env *env, int insn_idx);
> > +static int release_reference(struct bpf_verifier_env *env, int ref_obj_id);
> > +
>
> [...]
>
> >  static struct bpf_func_state *func(struct bpf_verifier_env *env,
> >                                    const struct bpf_reg_state *reg)
> >  {
> > @@ -646,6 +672,134 @@ static void mark_verifier_state_scratched(struct bpf_verifier_env *env)
> >         env->scratched_stack_slots = ~0ULL;
> >  }
> >
> > +#define DYNPTR_TYPE_FLAG_MASK          DYNPTR_TYPE_MALLOC
>
> can this be put near where DYNPTR_TYPE_MALLOC is defined? It's quite
> easy to forget to update this if it's somewhere far away
Sounds great!
>
> > +
> > +static int arg_to_dynptr_type(enum bpf_arg_type arg_type)
> > +{
> > +       switch (arg_type & DYNPTR_TYPE_FLAG_MASK) {
> > +       case DYNPTR_TYPE_MALLOC:
> > +               return BPF_DYNPTR_TYPE_MALLOC;
> > +       default:
> > +               return BPF_DYNPTR_TYPE_INVALID;
> > +       }
> > +}
> > +
>
> [...]
>
> > +static int unmark_stack_slots_dynptr(struct bpf_verifier_env *env, struct bpf_reg_state *reg)
> > +{
> > +       struct bpf_func_state *state = func(env, reg);
> > +       int spi, i;
> > +
> > +       spi = get_spi(reg->off);
> > +
> > +       if (!is_spi_bounds_valid(state, spi, BPF_DYNPTR_NR_SLOTS))
> > +               return -EINVAL;
> > +
> > +       for (i = 0; i < BPF_REG_SIZE; i++) {
> > +               state->stack[spi].slot_type[i] = STACK_INVALID;
> > +               state->stack[spi - 1].slot_type[i] = STACK_INVALID;
> > +       }
> > +
> > +       /* Invalidate any slices associated with this dynptr */
> > +       if (dynptr_type_refcounted(state->stack[spi].spilled_ptr.dynptr.type)) {
> > +               release_reference(env, state->stack[spi].spilled_ptr.id);
> > +               state->stack[spi].spilled_ptr.id = 0;
> > +               state->stack[spi - 1].spilled_ptr.id = 0;
> > +       }
> > +
> > +       state->stack[spi].spilled_ptr.dynptr.type = 0;
> > +       state->stack[spi - 1].spilled_ptr.dynptr.type = 0;
> > +
> > +       state->stack[spi].spilled_ptr.dynptr.first_slot = false;
>
> nit: given you marked slots as STACK_INVALID, we shouldn't even look
> into spilled_ptr.dynptr, so this zeroing out isn't necessary, right?
My concern was that if the stack slot gets reused and we don't zero
this out, then this would lead to some erroneous state. Do you think
this is a valid concern or an unnecessary concern?
>
> > +
> > +       return 0;
> > +}
> > +
> > +static bool is_dynptr_reg_valid_uninit(struct bpf_verifier_env *env, struct bpf_reg_state *reg)
> > +{
> > +       struct bpf_func_state *state = func(env, reg);
> > +       int spi = get_spi(reg->off);
> > +       int i;
> > +
> > +       if (!is_spi_bounds_valid(state, spi, BPF_DYNPTR_NR_SLOTS))
> > +               return true;
>
> hm... if spi bounds are invalid, shouldn't that be an error?...
The spi bounds can be invalid if the uninitialized dynptr variable
hasn't yet been allocated on the stack. We do the stack allocation for
it in check_helper_call() after we check all the args (we call this
is_dynptr_reg_valid_uninit function when we check the args).
>
> > +
> > +       for (i = 0; i < BPF_REG_SIZE; i++) {
> > +               if (state->stack[spi].slot_type[i] == STACK_DYNPTR ||
> > +                   state->stack[spi - 1].slot_type[i] == STACK_DYNPTR)
> > +                       return false;
> > +       }
> > +
> > +       return true;
> > +}
> > +
> > +static bool is_dynptr_reg_valid_init(struct bpf_verifier_env *env, struct bpf_reg_state *reg,
> > +                                    enum bpf_arg_type arg_type)
> > +{
> > +       struct bpf_func_state *state = func(env, reg);
> > +       int spi = get_spi(reg->off);
> > +       int i;
> > +
> > +       if (!is_spi_bounds_valid(state, spi, BPF_DYNPTR_NR_SLOTS) ||
> > +           !state->stack[spi].spilled_ptr.dynptr.first_slot)
> > +               return false;
> > +
> > +       for (i = 0; i < BPF_REG_SIZE; i++) {
> > +           if (state->stack[spi].slot_type[i] != STACK_DYNPTR ||
> > +               state->stack[spi - 1].slot_type[i] != STACK_DYNPTR)
> > +                   return false;
> > +       }
>
> minor, but seems like it's pretty common operation to set or check all
> those "microslots" to STACK_DYNPTR, would two small helpers be useful
> for this (e.g., is_stack_dynptr() and set_stack_dynptr() or something
> along those lines)?
I think having is_stack_dynptr() might be misleading because
!is_stack_dynptr() does not mean the stack slots are not dynptr.
is_stack_dynptr() is true only if both stack slots are marked as
dynptr, !is_stack_dynptr() is therefore true if one or both slots are
not marked as dynptr, but really the stack slots are truly not dynptr
only if both slots are not marked as dynptr. (for example, if spi is
STACK_DYNPTR and spi - 1 is not, !is_stack_dynptr is true, but really
it is not a stack dynptr only if both slots are not marked as dynptr).

looking through the file, I think there is currently only one place
where we set the stack dynptr (in mark_stack_slots_dynptr) and test if
it is a stack dynptr (in is_dynptr_reg_valid_init), so maybe just
leaving this as is is okay? But I'm also happy to move these to
smaller helpers if you don't think the !is_stack_dynptr() is too
misleading/confusing.
>
> > +
> > +       /* ARG_PTR_TO_DYNPTR takes any type of dynptr */
> > +       if (arg_type == ARG_PTR_TO_DYNPTR)
> > +               return true;
> > +
> > +       return state->stack[spi].spilled_ptr.dynptr.type == arg_to_dynptr_type(arg_type);
> > +}
> > +
>
> [...]
>
> > @@ -5837,6 +6011,35 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
> >                 bool zero_size_allowed = (arg_type == ARG_CONST_SIZE_OR_ZERO);
> >
> >                 err = check_mem_size_reg(env, reg, regno, zero_size_allowed, meta);
> > +       } else if (arg_type_is_dynptr(arg_type)) {
> > +               /* Can't pass in a dynptr at a weird offset */
> > +               if (reg->off % BPF_REG_SIZE) {
> > +                       verbose(env, "cannot pass in non-zero dynptr offset\n");
> > +                       return -EINVAL;
> > +               }
> > +
> > +               if (arg_type & MEM_UNINIT)  {
> > +                       if (!is_dynptr_reg_valid_uninit(env, reg)) {
> > +                               verbose(env, "Arg #%d dynptr has to be an uninitialized dynptr\n",
> > +                                       arg + BPF_REG_1);
> > +                               return -EINVAL;
> > +                       }
> > +
> > +                       meta->uninit_dynptr_regno = arg + BPF_REG_1;
>
> do we need a check that meta->uninit_dynptr_regno isn't already set?
> I.e., prevent two uninit dynptr in a helper?
I don't think we do because the helper functions only take in one
uninitialized dynptr at the moment, but adding this check would
prevent the case where in the future, there are more than 1
uninitialized dynptr args and this verifier code didn't get modified
to support that. I will add this in for v4.
>
> > +               } else if (!is_dynptr_reg_valid_init(env, reg, arg_type)) {
> > +                       const char *err_extra = "";
> > +
> > +                       switch (arg_type & DYNPTR_TYPE_FLAG_MASK) {
> > +                       case DYNPTR_TYPE_MALLOC:
> > +                               err_extra = "malloc ";
> > +                               break;
> > +                       default:
> > +                               break;
> > +                       }
> > +                       verbose(env, "Expected an initialized %sdynptr as arg #%d\n",
> > +                               err_extra, arg + BPF_REG_1);
> > +                       return -EINVAL;
> > +               }
> >         } else if (arg_type_is_alloc_size(arg_type)) {
> >                 if (!tnum_is_const(reg->var_off)) {
> >                         verbose(env, "R%d is not a known constant'\n",
>
> [...]

Andrii Nakryiko May 9, 2022, 7:26 p.m. UTC | #3

On Mon, May 9, 2022 at 11:58 AM Joanne Koong <joannelkoong@gmail.com> wrote:
>
> On Fri, May 6, 2022 at 4:30 PM Andrii Nakryiko
> <andrii.nakryiko@gmail.com> wrote:
> >
> > On Thu, Apr 28, 2022 at 2:12 PM Joanne Koong <joannelkoong@gmail.com> wrote:
> > >
> > > This patch adds the bulk of the verifier work for supporting dynamic
> > > pointers (dynptrs) in bpf. This patch implements malloc-type dynptrs
> > > through 2 new APIs (bpf_dynptr_alloc and bpf_dynptr_put) that can be
> > > called by a bpf program. Malloc-type dynptrs are dynptrs that dynamically
> > > allocate memory on behalf of the program.
> > >
> > > A bpf_dynptr is opaque to the bpf program. It is a 16-byte structure
> > > defined internally as:
> > >
> > > struct bpf_dynptr_kern {
> > >     void *data;
> > >     u32 size;
> > >     u32 offset;
> > > } __aligned(8);
> > >
> > > The upper 8 bits of *size* is reserved (it contains extra metadata about
> > > read-only status and dynptr type); consequently, a dynptr only supports
> > > memory less than 16 MB.
> > >
> > > The 2 new APIs for malloc-type dynptrs are:
> > >
> > > long bpf_dynptr_alloc(u32 size, u64 flags, struct bpf_dynptr *ptr);
> > > void bpf_dynptr_put(struct bpf_dynptr *ptr);
> > >
> > > Please note that there *must* be a corresponding bpf_dynptr_put for
> > > every bpf_dynptr_alloc (even if the alloc fails). This is enforced
> > > by the verifier.
> > >
> > > In the verifier, dynptr state information will be tracked in stack
> > > slots. When the program passes in an uninitialized dynptr
> > > (ARG_PTR_TO_DYNPTR | MEM_UNINIT), the stack slots corresponding
> > > to the frame pointer where the dynptr resides at are marked STACK_DYNPTR.
> > >
> > > For helper functions that take in initialized dynptrs (eg
> > > bpf_dynptr_read + bpf_dynptr_write which are added later in this
> > > patchset), the verifier enforces that the dynptr has been initialized
> > > properly by checking that their corresponding stack slots have been marked
> > > as STACK_DYNPTR. Dynptr release functions (eg bpf_dynptr_put) will clear the
> > > stack slots. The verifier enforces at program exit that there are no
> > > referenced dynptrs that haven't been released.
> > >
> > > Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
> > > ---
> > >  include/linux/bpf.h            |  60 ++++++++-
> > >  include/linux/bpf_verifier.h   |  21 +++
> > >  include/uapi/linux/bpf.h       |  30 +++++
> > >  kernel/bpf/helpers.c           |  75 +++++++++++
> > >  kernel/bpf/verifier.c          | 225 ++++++++++++++++++++++++++++++++-
> > >  scripts/bpf_doc.py             |   2 +
> > >  tools/include/uapi/linux/bpf.h |  30 +++++
> > >  7 files changed, 440 insertions(+), 3 deletions(-)
> > >
> >
> > [...]
> >
> > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > > index 4565684839f1..16b7ea54a7e0 100644
> > > --- a/kernel/bpf/verifier.c
> > > +++ b/kernel/bpf/verifier.c
> > > @@ -187,6 +187,11 @@ struct bpf_verifier_stack_elem {
> > >                                           POISON_POINTER_DELTA))
> > >  #define BPF_MAP_PTR(X)         ((struct bpf_map *)((X) & ~BPF_MAP_PTR_UNPRIV))
> > >
> > > +/* forward declarations */
> >
> > it's kind of obvious from C syntax, this comment doesn't really add value
> >
> > > +static bool arg_type_is_mem_size(enum bpf_arg_type type);
> > > +static int acquire_reference_state(struct bpf_verifier_env *env, int insn_idx);
> > > +static int release_reference(struct bpf_verifier_env *env, int ref_obj_id);
> > > +
> >
> > [...]
> >
> > >  static struct bpf_func_state *func(struct bpf_verifier_env *env,
> > >                                    const struct bpf_reg_state *reg)
> > >  {
> > > @@ -646,6 +672,134 @@ static void mark_verifier_state_scratched(struct bpf_verifier_env *env)
> > >         env->scratched_stack_slots = ~0ULL;
> > >  }
> > >
> > > +#define DYNPTR_TYPE_FLAG_MASK          DYNPTR_TYPE_MALLOC
> >
> > can this be put near where DYNPTR_TYPE_MALLOC is defined? It's quite
> > easy to forget to update this if it's somewhere far away
> Sounds great!
> >
> > > +
> > > +static int arg_to_dynptr_type(enum bpf_arg_type arg_type)
> > > +{
> > > +       switch (arg_type & DYNPTR_TYPE_FLAG_MASK) {
> > > +       case DYNPTR_TYPE_MALLOC:
> > > +               return BPF_DYNPTR_TYPE_MALLOC;
> > > +       default:
> > > +               return BPF_DYNPTR_TYPE_INVALID;
> > > +       }
> > > +}
> > > +
> >
> > [...]
> >
> > > +static int unmark_stack_slots_dynptr(struct bpf_verifier_env *env, struct bpf_reg_state *reg)
> > > +{
> > > +       struct bpf_func_state *state = func(env, reg);
> > > +       int spi, i;
> > > +
> > > +       spi = get_spi(reg->off);
> > > +
> > > +       if (!is_spi_bounds_valid(state, spi, BPF_DYNPTR_NR_SLOTS))
> > > +               return -EINVAL;
> > > +
> > > +       for (i = 0; i < BPF_REG_SIZE; i++) {
> > > +               state->stack[spi].slot_type[i] = STACK_INVALID;
> > > +               state->stack[spi - 1].slot_type[i] = STACK_INVALID;
> > > +       }
> > > +
> > > +       /* Invalidate any slices associated with this dynptr */
> > > +       if (dynptr_type_refcounted(state->stack[spi].spilled_ptr.dynptr.type)) {
> > > +               release_reference(env, state->stack[spi].spilled_ptr.id);
> > > +               state->stack[spi].spilled_ptr.id = 0;
> > > +               state->stack[spi - 1].spilled_ptr.id = 0;
> > > +       }
> > > +
> > > +       state->stack[spi].spilled_ptr.dynptr.type = 0;
> > > +       state->stack[spi - 1].spilled_ptr.dynptr.type = 0;
> > > +
> > > +       state->stack[spi].spilled_ptr.dynptr.first_slot = false;
> >
> > nit: given you marked slots as STACK_INVALID, we shouldn't even look
> > into spilled_ptr.dynptr, so this zeroing out isn't necessary, right?
> My concern was that if the stack slot gets reused and we don't zero
> this out, then this would lead to some erroneous state. Do you think
> this is a valid concern or an unnecessary concern?

It depends whether we have such assumptions elsewhere right now. I
hope not, but if we do, then we might better zero-out when we
initialize the slot. In any case, memset() sounds like a more robust
solution here.

> >
> > > +
> > > +       return 0;
> > > +}
> > > +
> > > +static bool is_dynptr_reg_valid_uninit(struct bpf_verifier_env *env, struct bpf_reg_state *reg)
> > > +{
> > > +       struct bpf_func_state *state = func(env, reg);
> > > +       int spi = get_spi(reg->off);
> > > +       int i;
> > > +
> > > +       if (!is_spi_bounds_valid(state, spi, BPF_DYNPTR_NR_SLOTS))
> > > +               return true;
> >
> > hm... if spi bounds are invalid, shouldn't that be an error?...
> The spi bounds can be invalid if the uninitialized dynptr variable
> hasn't yet been allocated on the stack. We do the stack allocation for
> it in check_helper_call() after we check all the args (we call this
> is_dynptr_reg_valid_uninit function when we check the args).
> >
> > > +
> > > +       for (i = 0; i < BPF_REG_SIZE; i++) {
> > > +               if (state->stack[spi].slot_type[i] == STACK_DYNPTR ||
> > > +                   state->stack[spi - 1].slot_type[i] == STACK_DYNPTR)
> > > +                       return false;
> > > +       }
> > > +
> > > +       return true;
> > > +}
> > > +
> > > +static bool is_dynptr_reg_valid_init(struct bpf_verifier_env *env, struct bpf_reg_state *reg,
> > > +                                    enum bpf_arg_type arg_type)
> > > +{
> > > +       struct bpf_func_state *state = func(env, reg);
> > > +       int spi = get_spi(reg->off);
> > > +       int i;
> > > +
> > > +       if (!is_spi_bounds_valid(state, spi, BPF_DYNPTR_NR_SLOTS) ||
> > > +           !state->stack[spi].spilled_ptr.dynptr.first_slot)
> > > +               return false;
> > > +
> > > +       for (i = 0; i < BPF_REG_SIZE; i++) {
> > > +           if (state->stack[spi].slot_type[i] != STACK_DYNPTR ||
> > > +               state->stack[spi - 1].slot_type[i] != STACK_DYNPTR)
> > > +                   return false;
> > > +       }
> >
> > minor, but seems like it's pretty common operation to set or check all
> > those "microslots" to STACK_DYNPTR, would two small helpers be useful
> > for this (e.g., is_stack_dynptr() and set_stack_dynptr() or something
> > along those lines)?
> I think having is_stack_dynptr() might be misleading because
> !is_stack_dynptr() does not mean the stack slots are not dynptr.
> is_stack_dynptr() is true only if both stack slots are marked as
> dynptr, !is_stack_dynptr() is therefore true if one or both slots are
> not marked as dynptr, but really the stack slots are truly not dynptr
> only if both slots are not marked as dynptr. (for example, if spi is
> STACK_DYNPTR and spi - 1 is not, !is_stack_dynptr is true, but really
> it is not a stack dynptr only if both slots are not marked as dynptr).
>
> looking through the file, I think there is currently only one place
> where we set the stack dynptr (in mark_stack_slots_dynptr) and test if
> it is a stack dynptr (in is_dynptr_reg_valid_init), so maybe just
> leaving this as is is okay? But I'm also happy to move these to
> smaller helpers if you don't think the !is_stack_dynptr() is too
> misleading/confusing.

it's fine as is, this was minor thing

> >
> > > +
> > > +       /* ARG_PTR_TO_DYNPTR takes any type of dynptr */
> > > +       if (arg_type == ARG_PTR_TO_DYNPTR)
> > > +               return true;
> > > +
> > > +       return state->stack[spi].spilled_ptr.dynptr.type == arg_to_dynptr_type(arg_type);
> > > +}
> > > +
> >
> > [...]
> >
> > > @@ -5837,6 +6011,35 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
> > >                 bool zero_size_allowed = (arg_type == ARG_CONST_SIZE_OR_ZERO);
> > >
> > >                 err = check_mem_size_reg(env, reg, regno, zero_size_allowed, meta);
> > > +       } else if (arg_type_is_dynptr(arg_type)) {
> > > +               /* Can't pass in a dynptr at a weird offset */
> > > +               if (reg->off % BPF_REG_SIZE) {
> > > +                       verbose(env, "cannot pass in non-zero dynptr offset\n");
> > > +                       return -EINVAL;
> > > +               }
> > > +
> > > +               if (arg_type & MEM_UNINIT)  {
> > > +                       if (!is_dynptr_reg_valid_uninit(env, reg)) {
> > > +                               verbose(env, "Arg #%d dynptr has to be an uninitialized dynptr\n",
> > > +                                       arg + BPF_REG_1);
> > > +                               return -EINVAL;
> > > +                       }
> > > +
> > > +                       meta->uninit_dynptr_regno = arg + BPF_REG_1;
> >
> > do we need a check that meta->uninit_dynptr_regno isn't already set?
> > I.e., prevent two uninit dynptr in a helper?
> I don't think we do because the helper functions only take in one
> uninitialized dynptr at the moment, but adding this check would
> prevent the case where in the future, there are more than 1
> uninitialized dynptr args and this verifier code didn't get modified
> to support that. I will add this in for v4.

That's the point of such checks: to guarantee that currently we don't
have helper definition that would break verifier with unexpected
argument combinations. If or when we extend this "only one out dynptr"
rule, we'll need to update various places in verifier to support that,
including this one. That's expected and good.

> >
> > > +               } else if (!is_dynptr_reg_valid_init(env, reg, arg_type)) {
> > > +                       const char *err_extra = "";
> > > +
> > > +                       switch (arg_type & DYNPTR_TYPE_FLAG_MASK) {
> > > +                       case DYNPTR_TYPE_MALLOC:
> > > +                               err_extra = "malloc ";
> > > +                               break;
> > > +                       default:
> > > +                               break;
> > > +                       }
> > > +                       verbose(env, "Expected an initialized %sdynptr as arg #%d\n",
> > > +                               err_extra, arg + BPF_REG_1);
> > > +                       return -EINVAL;
> > > +               }
> > >         } else if (arg_type_is_alloc_size(arg_type)) {
> > >                 if (!tnum_is_const(reg->var_off)) {
> > >                         verbose(env, "R%d is not a known constant'\n",
> >
> > [...]

Patch

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index d0c167865504..757440406962 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -391,7 +391,10 @@  enum bpf_type_flag {
 
 	MEM_UNINIT		= BIT(7 + BPF_BASE_TYPE_BITS),
 
-	__BPF_TYPE_LAST_FLAG	= MEM_UNINIT,
+	/* DYNPTR points to dynamically allocated memory. */
+	DYNPTR_TYPE_MALLOC	= BIT(8 + BPF_BASE_TYPE_BITS),
+
+	__BPF_TYPE_LAST_FLAG	= DYNPTR_TYPE_MALLOC,
 };
 
 /* Max number of base types. */
@@ -436,6 +439,7 @@  enum bpf_arg_type {
 	ARG_PTR_TO_CONST_STR,	/* pointer to a null terminated read-only string */
 	ARG_PTR_TO_TIMER,	/* pointer to bpf_timer */
 	ARG_PTR_TO_KPTR,	/* pointer to referenced kptr */
+	ARG_PTR_TO_DYNPTR,      /* pointer to bpf_dynptr. See bpf_type_flag for dynptr type */
 	__BPF_ARG_TYPE_MAX,
 
 	/* Extended arg_types. */
@@ -2347,4 +2351,58 @@  int bpf_bprintf_prepare(char *fmt, u32 fmt_size, const u64 *raw_args,
 			u32 **bin_buf, u32 num_args);
 void bpf_bprintf_cleanup(void);
 
+/* the implementation of the opaque uapi struct bpf_dynptr */
+struct bpf_dynptr_kern {
+	void *data;
+	/* Size represents the number of usable bytes in the dynptr.
+	 * If for example the offset is at 200 for a malloc dynptr with
+	 * allocation size 256, the number of usable bytes is 56.
+	 *
+	 * The upper 8 bits are reserved.
+	 * Bit 31 denotes whether the dynptr is read-only.
+	 * Bits 28-30 denote the dynptr type.
+	 */
+	u32 size;
+	u32 offset;
+} __aligned(8);
+
+enum bpf_dynptr_type {
+	BPF_DYNPTR_TYPE_INVALID,
+	/* Memory allocated dynamically by the kernel for the dynptr */
+	BPF_DYNPTR_TYPE_MALLOC,
+};
+
+/* Since the upper 8 bits of dynptr->size is reserved, the
+ * maximum supported size is 2^24 - 1.
+ */
+#define DYNPTR_MAX_SIZE	((1UL << 24) - 1)
+#define DYNPTR_SIZE_MASK	0xFFFFFF
+#define DYNPTR_TYPE_SHIFT	28
+#define DYNPTR_TYPE_MASK	0x7
+
+static inline enum bpf_dynptr_type bpf_dynptr_get_type(struct bpf_dynptr_kern *ptr)
+{
+	return (ptr->size >> DYNPTR_TYPE_SHIFT) & DYNPTR_TYPE_MASK;
+}
+
+static inline void bpf_dynptr_set_type(struct bpf_dynptr_kern *ptr, enum bpf_dynptr_type type)
+{
+	ptr->size |= type << DYNPTR_TYPE_SHIFT;
+}
+
+static inline u32 bpf_dynptr_get_size(struct bpf_dynptr_kern *ptr)
+{
+	return ptr->size & DYNPTR_SIZE_MASK;
+}
+
+static inline int bpf_dynptr_check_size(u32 size)
+{
+	return size > DYNPTR_MAX_SIZE ? -E2BIG : 0;
+}
+
+void bpf_dynptr_init(struct bpf_dynptr_kern *ptr, void *data, enum bpf_dynptr_type type,
+		     u32 offset, u32 size);
+
+void bpf_dynptr_set_null(struct bpf_dynptr_kern *ptr);
+
 #endif /* _LINUX_BPF_H */
diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
index 1f1e7f2ea967..830a0e11ae97 100644
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -72,6 +72,18 @@  struct bpf_reg_state {
 
 		u32 mem_size; /* for PTR_TO_MEM | PTR_TO_MEM_OR_NULL */
 
+		/* For dynptr stack slots */
+		struct {
+			enum bpf_dynptr_type type;
+			/* A dynptr is 16 bytes so it takes up 2 stack slots.
+			 * We need to track which slot is the first slot
+			 * to protect against cases where the user may try to
+			 * pass in an address starting at the second slot of the
+			 * dynptr.
+			 */
+			bool first_slot;
+		} dynptr;
+
 		/* Max size from any of the above. */
 		struct {
 			unsigned long raw1;
@@ -88,6 +100,8 @@  struct bpf_reg_state {
 	 * for the purpose of tracking that it's freed.
 	 * For PTR_TO_SOCKET this is used to share which pointers retain the
 	 * same reference to the socket, to determine proper reference freeing.
+	 * For stack slots that are dynptrs, this is used to track references to
+	 * the dynptr to determine proper reference freeing.
 	 */
 	u32 id;
 	/* PTR_TO_SOCKET and PTR_TO_TCP_SOCK could be a ptr returned
@@ -174,9 +188,16 @@  enum bpf_stack_slot_type {
 	STACK_SPILL,      /* register spilled into stack */
 	STACK_MISC,	  /* BPF program wrote some data into this slot */
 	STACK_ZERO,	  /* BPF program wrote constant zero */
+	/* A dynptr is stored in this stack slot. The type of dynptr
+	 * is stored in bpf_stack_state->spilled_ptr.dynptr.type
+	 */
+	STACK_DYNPTR,
 };
 
 #define BPF_REG_SIZE 8	/* size of eBPF register in bytes */
+/* size of a struct bpf_dynptr in bytes */
+#define BPF_DYNPTR_SIZE sizeof(struct bpf_dynptr_kern)
+#define BPF_DYNPTR_NR_SLOTS (BPF_DYNPTR_SIZE / BPF_REG_SIZE)
 
 struct bpf_stack_state {
 	struct bpf_reg_state spilled_ptr;
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 444fe6f1cf35..5a87ed654016 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -5154,6 +5154,29 @@  union bpf_attr {
  *		if not NULL, is a reference which must be released using its
  *		corresponding release function, or moved into a BPF map before
  *		program exit.
+ *
+ * long bpf_dynptr_alloc(u32 size, u64 flags, struct bpf_dynptr *ptr)
+ *	Description
+ *		Allocate memory of *size* bytes.
+ *
+ *		Every call to bpf_dynptr_alloc must have a corresponding
+ *		bpf_dynptr_put, regardless of whether the bpf_dynptr_alloc
+ *		succeeded.
+ *
+ *		The maximum *size* supported is DYNPTR_MAX_SIZE.
+ *		Supported *flags* are __GFP_ZERO.
+ *	Return
+ *		0 on success, -ENOMEM if there is not enough memory for the
+ *		allocation, -E2BIG if the size exceeds DYNPTR_MAX_SIZE, -EINVAL
+ *		if the flags is not supported.
+ *
+ * void bpf_dynptr_put(struct bpf_dynptr *ptr)
+ *	Description
+ *		Free memory allocated by bpf_dynptr_alloc.
+ *
+ *		After this operation, *ptr* will be an invalidated dynptr.
+ *	Return
+ *		Void.
  */
 #define __BPF_FUNC_MAPPER(FN)		\
 	FN(unspec),			\
@@ -5351,6 +5374,8 @@  union bpf_attr {
 	FN(skb_set_tstamp),		\
 	FN(ima_file_hash),		\
 	FN(kptr_xchg),			\
+	FN(dynptr_alloc),		\
+	FN(dynptr_put),			\
 	/* */
 
 /* integer value in 'imm' field of BPF_CALL instruction selects which helper
@@ -6498,6 +6523,11 @@  struct bpf_timer {
 	__u64 :64;
 } __attribute__((aligned(8)));
 
+struct bpf_dynptr {
+	__u64 :64;
+	__u64 :64;
+} __attribute__((aligned(8)));
+
 struct bpf_sysctl {
 	__u32	write;		/* Sysctl is being read (= 0) or written (= 1).
 				 * Allows 1,2,4-byte read, but no write.
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 8a2398ac14c2..a4272e9239ea 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -1396,6 +1396,77 @@  const struct bpf_func_proto bpf_kptr_xchg_proto = {
 	.arg2_btf_id  = BPF_PTR_POISON,
 };
 
+void bpf_dynptr_init(struct bpf_dynptr_kern *ptr, void *data, enum bpf_dynptr_type type,
+		     u32 offset, u32 size)
+{
+	ptr->data = data;
+	ptr->offset = offset;
+	ptr->size = size;
+	bpf_dynptr_set_type(ptr, type);
+}
+
+void bpf_dynptr_set_null(struct bpf_dynptr_kern *ptr)
+{
+	memset(ptr, 0, sizeof(*ptr));
+}
+
+BPF_CALL_3(bpf_dynptr_alloc, u32, size, u64, flags, struct bpf_dynptr_kern *, ptr)
+{
+	gfp_t gfp_flags = GFP_ATOMIC;
+	void *data;
+	int err;
+
+	err = bpf_dynptr_check_size(size);
+	if (err)
+		goto error;
+
+	if (flags) {
+		if (flags == __GFP_ZERO) {
+			gfp_flags |= flags;
+		} else {
+			err = -EINVAL;
+			goto error;
+		}
+	}
+
+	data = kmalloc(size, gfp_flags);
+	if (!data) {
+		err = -ENOMEM;
+		goto error;
+	}
+
+	bpf_dynptr_init(ptr, data, BPF_DYNPTR_TYPE_MALLOC, 0, size);
+
+	return 0;
+
+error:
+	bpf_dynptr_set_null(ptr);
+	return err;
+}
+
+const struct bpf_func_proto bpf_dynptr_alloc_proto = {
+	.func		= bpf_dynptr_alloc,
+	.gpl_only	= false,
+	.ret_type	= RET_INTEGER,
+	.arg1_type	= ARG_ANYTHING,
+	.arg2_type	= ARG_ANYTHING,
+	.arg3_type	= ARG_PTR_TO_DYNPTR | DYNPTR_TYPE_MALLOC | MEM_UNINIT,
+};
+
+BPF_CALL_1(bpf_dynptr_put, struct bpf_dynptr_kern *, dynptr)
+{
+	kfree(dynptr->data);
+	bpf_dynptr_set_null(dynptr);
+	return 0;
+}
+
+const struct bpf_func_proto bpf_dynptr_put_proto = {
+	.func		= bpf_dynptr_put,
+	.gpl_only	= false,
+	.ret_type	= RET_VOID,
+	.arg1_type	= ARG_PTR_TO_DYNPTR | DYNPTR_TYPE_MALLOC | OBJ_RELEASE,
+};
+
 const struct bpf_func_proto bpf_get_current_task_proto __weak;
 const struct bpf_func_proto bpf_get_current_task_btf_proto __weak;
 const struct bpf_func_proto bpf_probe_read_user_proto __weak;
@@ -1448,6 +1519,10 @@  bpf_base_func_proto(enum bpf_func_id func_id)
 		return &bpf_loop_proto;
 	case BPF_FUNC_strncmp:
 		return &bpf_strncmp_proto;
+	case BPF_FUNC_dynptr_alloc:
+		return &bpf_dynptr_alloc_proto;
+	case BPF_FUNC_dynptr_put:
+		return &bpf_dynptr_put_proto;
 	default:
 		break;
 	}
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 4565684839f1..16b7ea54a7e0 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -187,6 +187,11 @@  struct bpf_verifier_stack_elem {
 					  POISON_POINTER_DELTA))
 #define BPF_MAP_PTR(X)		((struct bpf_map *)((X) & ~BPF_MAP_PTR_UNPRIV))
 
+/* forward declarations */
+static bool arg_type_is_mem_size(enum bpf_arg_type type);
+static int acquire_reference_state(struct bpf_verifier_env *env, int insn_idx);
+static int release_reference(struct bpf_verifier_env *env, int ref_obj_id);
+
 static bool bpf_map_ptr_poisoned(const struct bpf_insn_aux_data *aux)
 {
 	return BPF_MAP_PTR(aux->map_ptr_state) == BPF_MAP_PTR_POISON;
@@ -259,6 +264,7 @@  struct bpf_call_arg_meta {
 	u32 ret_btf_id;
 	u32 subprogno;
 	struct bpf_map_value_off_desc *kptr_off_desc;
+	u8 uninit_dynptr_regno;
 };
 
 struct btf *btf_vmlinux;
@@ -580,6 +586,7 @@  static char slot_type_char[] = {
 	[STACK_SPILL]	= 'r',
 	[STACK_MISC]	= 'm',
 	[STACK_ZERO]	= '0',
+	[STACK_DYNPTR]	= 'd',
 };
 
 static void print_liveness(struct bpf_verifier_env *env,
@@ -595,6 +602,25 @@  static void print_liveness(struct bpf_verifier_env *env,
 		verbose(env, "D");
 }
 
+static inline int get_spi(s32 off)
+{
+	return (-off - 1) / BPF_REG_SIZE;
+}
+
+static bool is_spi_bounds_valid(struct bpf_func_state *state, int spi, int nr_slots)
+{
+	int allocated_slots = state->allocated_stack / BPF_REG_SIZE;
+
+	/* We need to check that slots between [spi - nr_slots + 1, spi] are
+	 * within [0, allocated_stack).
+	 *
+	 * Please note that the spi grows downwards. For example, a dynptr
+	 * takes the size of two stack slots; the first slot will be at
+	 * spi and the second slot will be at spi - 1.
+	 */
+	return spi - nr_slots + 1 >= 0 && spi < allocated_slots;
+}
+
 static struct bpf_func_state *func(struct bpf_verifier_env *env,
 				   const struct bpf_reg_state *reg)
 {
@@ -646,6 +672,134 @@  static void mark_verifier_state_scratched(struct bpf_verifier_env *env)
 	env->scratched_stack_slots = ~0ULL;
 }
 
+#define DYNPTR_TYPE_FLAG_MASK		DYNPTR_TYPE_MALLOC
+
+static int arg_to_dynptr_type(enum bpf_arg_type arg_type)
+{
+	switch (arg_type & DYNPTR_TYPE_FLAG_MASK) {
+	case DYNPTR_TYPE_MALLOC:
+		return BPF_DYNPTR_TYPE_MALLOC;
+	default:
+		return BPF_DYNPTR_TYPE_INVALID;
+	}
+}
+
+static inline bool dynptr_type_refcounted(enum bpf_dynptr_type type)
+{
+	return type == BPF_DYNPTR_TYPE_MALLOC;
+}
+
+static int mark_stack_slots_dynptr(struct bpf_verifier_env *env, struct bpf_reg_state *reg,
+				   enum bpf_arg_type arg_type, int insn_idx)
+{
+	struct bpf_func_state *state = cur_func(env);
+	enum bpf_dynptr_type type;
+	int spi, id, i;
+
+	spi = get_spi(reg->off);
+
+	if (!is_spi_bounds_valid(state, spi, BPF_DYNPTR_NR_SLOTS))
+		return -EINVAL;
+
+	for (i = 0; i < BPF_REG_SIZE; i++) {
+		state->stack[spi].slot_type[i] = STACK_DYNPTR;
+		state->stack[spi - 1].slot_type[i] = STACK_DYNPTR;
+	}
+
+	type = arg_to_dynptr_type(arg_type);
+	if (type == BPF_DYNPTR_TYPE_INVALID)
+		return -EINVAL;
+
+	state->stack[spi].spilled_ptr.dynptr.type = type;
+	state->stack[spi - 1].spilled_ptr.dynptr.type = type;
+
+	state->stack[spi].spilled_ptr.dynptr.first_slot = true;
+
+	if (dynptr_type_refcounted(type)) {
+		/* The id is used to track proper releasing */
+		id = acquire_reference_state(env, insn_idx);
+		if (id < 0)
+			return id;
+
+		state->stack[spi].spilled_ptr.id = id;
+		state->stack[spi - 1].spilled_ptr.id = id;
+	}
+
+	return 0;
+}
+
+static int unmark_stack_slots_dynptr(struct bpf_verifier_env *env, struct bpf_reg_state *reg)
+{
+	struct bpf_func_state *state = func(env, reg);
+	int spi, i;
+
+	spi = get_spi(reg->off);
+
+	if (!is_spi_bounds_valid(state, spi, BPF_DYNPTR_NR_SLOTS))
+		return -EINVAL;
+
+	for (i = 0; i < BPF_REG_SIZE; i++) {
+		state->stack[spi].slot_type[i] = STACK_INVALID;
+		state->stack[spi - 1].slot_type[i] = STACK_INVALID;
+	}
+
+	/* Invalidate any slices associated with this dynptr */
+	if (dynptr_type_refcounted(state->stack[spi].spilled_ptr.dynptr.type)) {
+		release_reference(env, state->stack[spi].spilled_ptr.id);
+		state->stack[spi].spilled_ptr.id = 0;
+		state->stack[spi - 1].spilled_ptr.id = 0;
+	}
+
+	state->stack[spi].spilled_ptr.dynptr.type = 0;
+	state->stack[spi - 1].spilled_ptr.dynptr.type = 0;
+
+	state->stack[spi].spilled_ptr.dynptr.first_slot = false;
+
+	return 0;
+}
+
+static bool is_dynptr_reg_valid_uninit(struct bpf_verifier_env *env, struct bpf_reg_state *reg)
+{
+	struct bpf_func_state *state = func(env, reg);
+	int spi = get_spi(reg->off);
+	int i;
+
+	if (!is_spi_bounds_valid(state, spi, BPF_DYNPTR_NR_SLOTS))
+		return true;
+
+	for (i = 0; i < BPF_REG_SIZE; i++) {
+		if (state->stack[spi].slot_type[i] == STACK_DYNPTR ||
+		    state->stack[spi - 1].slot_type[i] == STACK_DYNPTR)
+			return false;
+	}
+
+	return true;
+}
+
+static bool is_dynptr_reg_valid_init(struct bpf_verifier_env *env, struct bpf_reg_state *reg,
+				     enum bpf_arg_type arg_type)
+{
+	struct bpf_func_state *state = func(env, reg);
+	int spi = get_spi(reg->off);
+	int i;
+
+	if (!is_spi_bounds_valid(state, spi, BPF_DYNPTR_NR_SLOTS) ||
+	    !state->stack[spi].spilled_ptr.dynptr.first_slot)
+		return false;
+
+	for (i = 0; i < BPF_REG_SIZE; i++) {
+	    if (state->stack[spi].slot_type[i] != STACK_DYNPTR ||
+		state->stack[spi - 1].slot_type[i] != STACK_DYNPTR)
+		    return false;
+	}
+
+	/* ARG_PTR_TO_DYNPTR takes any type of dynptr */
+	if (arg_type == ARG_PTR_TO_DYNPTR)
+		return true;
+
+	return state->stack[spi].spilled_ptr.dynptr.type == arg_to_dynptr_type(arg_type);
+}
+
 /* The reg state of a pointer or a bounded scalar was saved when
  * it was spilled to the stack.
  */
@@ -5400,6 +5554,16 @@  static bool arg_type_is_release(enum bpf_arg_type type)
 	return type & OBJ_RELEASE;
 }
 
+static inline bool arg_type_is_dynptr(enum bpf_arg_type type)
+{
+	return base_type(type) == ARG_PTR_TO_DYNPTR;
+}
+
+static inline bool arg_type_is_dynptr_uninit(enum bpf_arg_type type)
+{
+	return arg_type_is_dynptr(type) && (type & MEM_UNINIT);
+}
+
 static int int_ptr_type_to_size(enum bpf_arg_type type)
 {
 	if (type == ARG_PTR_TO_INT)
@@ -5539,6 +5703,7 @@  static const struct bpf_reg_types *compatible_reg_types[__BPF_ARG_TYPE_MAX] = {
 	[ARG_PTR_TO_CONST_STR]		= &const_str_ptr_types,
 	[ARG_PTR_TO_TIMER]		= &timer_types,
 	[ARG_PTR_TO_KPTR]		= &kptr_types,
+	[ARG_PTR_TO_DYNPTR]		= &stack_ptr_types,
 };
 
 static int check_reg_type(struct bpf_verifier_env *env, u32 regno,
@@ -5725,7 +5890,16 @@  static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
 
 skip_type_check:
 	if (arg_type_is_release(arg_type)) {
-		if (!reg->ref_obj_id && !register_is_null(reg)) {
+		if (arg_type_is_dynptr(arg_type)) {
+			struct bpf_func_state *state = func(env, reg);
+			int spi = get_spi(reg->off);
+
+			if (!is_spi_bounds_valid(state, spi, BPF_DYNPTR_NR_SLOTS) ||
+			    !state->stack[spi].spilled_ptr.id) {
+				verbose(env, "arg %d is an unacquired reference\n", regno);
+				return -EINVAL;
+			}
+		} else if (!reg->ref_obj_id && !register_is_null(reg)) {
 			verbose(env, "R%d must be referenced when passed to release function\n",
 				regno);
 			return -EINVAL;
@@ -5837,6 +6011,35 @@  static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
 		bool zero_size_allowed = (arg_type == ARG_CONST_SIZE_OR_ZERO);
 
 		err = check_mem_size_reg(env, reg, regno, zero_size_allowed, meta);
+	} else if (arg_type_is_dynptr(arg_type)) {
+		/* Can't pass in a dynptr at a weird offset */
+		if (reg->off % BPF_REG_SIZE) {
+			verbose(env, "cannot pass in non-zero dynptr offset\n");
+			return -EINVAL;
+		}
+
+		if (arg_type & MEM_UNINIT)  {
+			if (!is_dynptr_reg_valid_uninit(env, reg)) {
+				verbose(env, "Arg #%d dynptr has to be an uninitialized dynptr\n",
+					arg + BPF_REG_1);
+				return -EINVAL;
+			}
+
+			meta->uninit_dynptr_regno = arg + BPF_REG_1;
+		} else if (!is_dynptr_reg_valid_init(env, reg, arg_type)) {
+			const char *err_extra = "";
+
+			switch (arg_type & DYNPTR_TYPE_FLAG_MASK) {
+			case DYNPTR_TYPE_MALLOC:
+				err_extra = "malloc ";
+				break;
+			default:
+				break;
+			}
+			verbose(env, "Expected an initialized %sdynptr as arg #%d\n",
+				err_extra, arg + BPF_REG_1);
+			return -EINVAL;
+		}
 	} else if (arg_type_is_alloc_size(arg_type)) {
 		if (!tnum_is_const(reg->var_off)) {
 			verbose(env, "R%d is not a known constant'\n",
@@ -6965,9 +7168,27 @@  static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
 
 	regs = cur_regs(env);
 
+	if (meta.uninit_dynptr_regno) {
+		/* we write BPF_DW bits (8 bytes) at a time */
+		for (i = 0; i < BPF_DYNPTR_SIZE; i += 8) {
+			err = check_mem_access(env, insn_idx, meta.uninit_dynptr_regno,
+					       i, BPF_DW, BPF_WRITE, -1, false);
+			if (err)
+				return err;
+		}
+
+		err = mark_stack_slots_dynptr(env, &regs[meta.uninit_dynptr_regno],
+					      fn->arg_type[meta.uninit_dynptr_regno - BPF_REG_1],
+					      insn_idx);
+		if (err)
+			return err;
+	}
+
 	if (meta.release_regno) {
 		err = -EINVAL;
-		if (meta.ref_obj_id)
+		if (arg_type_is_dynptr(fn->arg_type[meta.release_regno - BPF_REG_1]))
+			err = unmark_stack_slots_dynptr(env, &regs[meta.release_regno]);
+		else if (meta.ref_obj_id)
 			err = release_reference(env, meta.ref_obj_id);
 		/* meta.ref_obj_id can only be 0 if register that is meant to be
 		 * released is NULL, which must be > R0.
diff --git a/scripts/bpf_doc.py b/scripts/bpf_doc.py
index 096625242475..766dcbc73897 100755
--- a/scripts/bpf_doc.py
+++ b/scripts/bpf_doc.py
@@ -633,6 +633,7 @@  class PrinterHelpers(Printer):
             'struct socket',
             'struct file',
             'struct bpf_timer',
+            'struct bpf_dynptr',
     ]
     known_types = {
             '...',
@@ -682,6 +683,7 @@  class PrinterHelpers(Printer):
             'struct socket',
             'struct file',
             'struct bpf_timer',
+            'struct bpf_dynptr',
     }
     mapped_types = {
             'u8': '__u8',
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index 444fe6f1cf35..5a87ed654016 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -5154,6 +5154,29 @@  union bpf_attr {
  *		if not NULL, is a reference which must be released using its
  *		corresponding release function, or moved into a BPF map before
  *		program exit.
+ *
+ * long bpf_dynptr_alloc(u32 size, u64 flags, struct bpf_dynptr *ptr)
+ *	Description
+ *		Allocate memory of *size* bytes.
+ *
+ *		Every call to bpf_dynptr_alloc must have a corresponding
+ *		bpf_dynptr_put, regardless of whether the bpf_dynptr_alloc
+ *		succeeded.
+ *
+ *		The maximum *size* supported is DYNPTR_MAX_SIZE.
+ *		Supported *flags* are __GFP_ZERO.
+ *	Return
+ *		0 on success, -ENOMEM if there is not enough memory for the
+ *		allocation, -E2BIG if the size exceeds DYNPTR_MAX_SIZE, -EINVAL
+ *		if the flags is not supported.
+ *
+ * void bpf_dynptr_put(struct bpf_dynptr *ptr)
+ *	Description
+ *		Free memory allocated by bpf_dynptr_alloc.
+ *
+ *		After this operation, *ptr* will be an invalidated dynptr.
+ *	Return
+ *		Void.
  */
 #define __BPF_FUNC_MAPPER(FN)		\
 	FN(unspec),			\
@@ -5351,6 +5374,8 @@  union bpf_attr {
 	FN(skb_set_tstamp),		\
 	FN(ima_file_hash),		\
 	FN(kptr_xchg),			\
+	FN(dynptr_alloc),		\
+	FN(dynptr_put),			\
 	/* */
 
 /* integer value in 'imm' field of BPF_CALL instruction selects which helper
@@ -6498,6 +6523,11 @@  struct bpf_timer {
 	__u64 :64;
 } __attribute__((aligned(8)));
 
+struct bpf_dynptr {
+	__u64 :64;
+	__u64 :64;
+} __attribute__((aligned(8)));
+
 struct bpf_sysctl {
 	__u32	write;		/* Sysctl is being read (= 0) or written (= 1).
 				 * Allows 1,2,4-byte read, but no write.