From patchwork Fri Feb 4 00:55:18 2022
X-Patchwork-Submitter: Matteo Croce
X-Patchwork-Id: 12734742
X-Patchwork-Delegate: bpf@iogearbox.net
From: Matteo Croce
To: Alexei Starovoitov, bpf@vger.kernel.org
Cc: Daniel Borkmann, Andrii Nakryiko, linux-kernel@vger.kernel.org
Subject: [PATCH bpf-next v3 1/2] bpf: limit bpf_core_types_are_compat() recursion
Date: Fri, 4 Feb 2022 01:55:18 +0100
Message-Id: <20220204005519.60361-2-mcroce@linux.microsoft.com>
In-Reply-To: <20220204005519.60361-1-mcroce@linux.microsoft.com>
References: <20220204005519.60361-1-mcroce@linux.microsoft.com>

From: Matteo Croce

In userspace, bpf_core_types_are_compat() is a recursive function which can't be put in the kernel as is. Limit the recursion depth to 2, to avoid potential stack overflows in kernel.

Signed-off-by: Matteo Croce
---
 include/linux/btf.h |   5 +++
 kernel/bpf/btf.c    | 105 +++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 109 insertions(+), 1 deletion(-)

diff --git a/include/linux/btf.h b/include/linux/btf.h index f6c43dd513fa..36bc09b8e890 100644 --- a/include/linux/btf.h +++ b/include/linux/btf.h @@ -327,6 +327,11 @@ static inline const struct btf_var_secinfo *btf_type_var_secinfo( return (const struct btf_var_secinfo *)(t + 1); } +static inline struct btf_param *btf_params(const struct btf_type *t) +{ + return (struct btf_param *)(t + 1); +} + #ifdef CONFIG_BPF_SYSCALL struct bpf_prog; diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c index b983cee8d196..fcc3d9e45320 100644 --- a/kernel/bpf/btf.c +++ b/kernel/bpf/btf.c
@@ -6785,10 +6785,113 @@ int register_btf_kfunc_id_set(enum bpf_prog_type prog_type, } EXPORT_SYMBOL_GPL(register_btf_kfunc_id_set); +#define MAX_TYPES_ARE_COMPAT_DEPTH 2 + +static +int __bpf_core_types_are_compat(const struct btf *local_btf, __u32 local_id, + const struct btf *targ_btf, __u32 targ_id, + int level) +{ + const struct btf_type *local_type, *targ_type; + int depth = 32; /* max recursion depth */ + + /* caller made sure that names match (ignoring flavor suffix) */ + local_type = btf_type_by_id(local_btf, local_id); + targ_type = btf_type_by_id(targ_btf, targ_id); + if (btf_kind(local_type) != btf_kind(targ_type)) + return 0; + +recur: + depth--; + if (depth < 0) + return -EINVAL; + + local_type = btf_type_skip_modifiers(local_btf, local_id, &local_id); + targ_type = btf_type_skip_modifiers(targ_btf, targ_id, &targ_id); + if (!local_type || !targ_type) + return -EINVAL; + + if (btf_kind(local_type) != btf_kind(targ_type)) + return 0; + + switch (btf_kind(local_type)) { + case BTF_KIND_UNKN: + case BTF_KIND_STRUCT: + case BTF_KIND_UNION: + case BTF_KIND_ENUM: + case BTF_KIND_FWD: + return 1; + case BTF_KIND_INT: + /* just reject deprecated bitfield-like integers; all other + * integers are by default compatible between each other + */ + return btf_int_offset(local_type) == 0 && btf_int_offset(targ_type) == 0; + case BTF_KIND_PTR: + local_id = local_type->type; + targ_id = targ_type->type; + goto recur; + case BTF_KIND_ARRAY: + local_id = btf_array(local_type)->type; + targ_id = btf_array(targ_type)->type; + goto recur; + case BTF_KIND_FUNC_PROTO: { + struct btf_param *local_p = btf_params(local_type); + struct btf_param *targ_p = btf_params(targ_type); + __u16 local_vlen = btf_vlen(local_type); + __u16 targ_vlen = btf_vlen(targ_type); + int i, err; + + if (local_vlen != targ_vlen) + return 0; + + for (i = 0; i < local_vlen; i++, local_p++, targ_p++) { + if (level <= 1) + return -EINVAL; + + btf_type_skip_modifiers(local_btf, local_p->type, &local_id); + 
btf_type_skip_modifiers(targ_btf, targ_p->type, &targ_id); + err = __bpf_core_types_are_compat(local_btf, local_id, + targ_btf, targ_id, + level - 1); + if (err <= 0) + return err; + } + + /* tail recurse for return type check */ + btf_type_skip_modifiers(local_btf, local_type->type, &local_id); + btf_type_skip_modifiers(targ_btf, targ_type->type, &targ_id); + goto recur; + } + default: + return 0; + } +} + +/* Check local and target types for compatibility. This check is used for + * type-based CO-RE relocations and follow slightly different rules than + * field-based relocations. This function assumes that root types were already + * checked for name match. Beyond that initial root-level name check, names + * are completely ignored. Compatibility rules are as follows: + * - any two STRUCTs/UNIONs/FWDs/ENUMs/INTs are considered compatible, but + * kind should match for local and target types (i.e., STRUCT is not + * compatible with UNION); + * - for ENUMs, the size is ignored; + * - for INT, size and signedness are ignored; + * - for ARRAY, dimensionality is ignored, element types are checked for + * compatibility recursively; + * - CONST/VOLATILE/RESTRICT modifiers are ignored; + * - TYPEDEFs/PTRs are compatible if types they pointing to are compatible; + * - FUNC_PROTOs are compatible if they have compatible signature: same + * number of input args and compatible return and argument types. + * These rules are not set in stone and probably will be adjusted as we get + * more experience with using BPF CO-RE relocations. 
+ */ int bpf_core_types_are_compat(const struct btf *local_btf, __u32 local_id, const struct btf *targ_btf, __u32 targ_id) { - return -EOPNOTSUPP; + return __bpf_core_types_are_compat(local_btf, local_id, + targ_btf, targ_id, + MAX_TYPES_ARE_COMPAT_DEPTH); } static bool bpf_core_is_flavor_sep(const char *s)

From patchwork Fri Feb 4 00:55:19 2022
X-Patchwork-Submitter: Matteo Croce
X-Patchwork-Id: 12734743
X-Patchwork-Delegate: bpf@iogearbox.net
From: Matteo Croce
To: Alexei Starovoitov, bpf@vger.kernel.org
Cc: Daniel Borkmann, Andrii Nakryiko, linux-kernel@vger.kernel.org
Subject: [PATCH bpf-next v3 2/2] selftests/bpf: test maximum recursion depth for bpf_core_types_are_compat()
Date: Fri, 4 Feb 2022 01:55:19 +0100
Message-Id: <20220204005519.60361-3-mcroce@linux.microsoft.com>
In-Reply-To: <20220204005519.60361-1-mcroce@linux.microsoft.com>
References: <20220204005519.60361-1-mcroce@linux.microsoft.com>

From: Matteo Croce

bpf_core_types_are_compat() was limited to 2 recursion levels, which are enough to parse a function prototype. Add a test which checks the existence of a function prototype, so as to test the bpf_core_types_are_compat() code path.

The test for the recursion limit being hit is done in a separate object, because the kernel failure makes the whole load fail.

Sample run log with extra prints:

[ 5689.913751] bpf_core_apply_relo_insn:1200 cands->len: 2
[ 5689.913902] bpf_core_types_are_compat:6896: ret: 1
[ 5689.913994] bpf_core_types_are_compat:6896: ret: 0
[ 5689.914025] bpf_core_apply_relo_insn:1200 cands->len: 2
[ 5689.914141] bpf_core_types_are_compat:6896: ret: 0
[ 5689.914246] bpf_core_types_are_compat:6896: ret: 0
test_core_kern_lskel:PASS:open_and_load 0 nsec
test_core_kern_lskel:PASS:attach(core_relo_proto) 0 nsec
test_core_kern_lskel:PASS:bpf_core_type_exists 0 nsec
test_core_kern_lskel:PASS:!bpf_core_type_exists 0 nsec
#41 core_kern_lskel:OK
[ 5689.915267] bpf_core_apply_relo_insn:1200 cands->len: 2
[ 5689.915399] bpf_core_types_are_compat:6896: ret: 0
[ 5689.915504] bpf_core_types_are_compat:6896: ret: -22
test_core_kern_overflow_lskel:PASS:open_and_load 0 nsec
#42 core_kern_overflow_lskel:OK
Summary: 2/0 PASSED, 0 SKIPPED, 0 FAILED
Successfully unloaded bpf_testmod.ko.

Signed-off-by: Matteo Croce
---
 tools/testing/selftests/bpf/Makefile | 2 +-
 .../selftests/bpf/bpf_testmod/bpf_testmod.c | 5 +++++
 .../selftests/bpf/prog_tests/core_kern.c | 15 ++++++++++++-
 .../bpf/prog_tests/core_kern_overflow.c | 13 ++++++++++++
 tools/testing/selftests/bpf/progs/core_kern.c | 14 +++++++++++++
 .../selftests/bpf/progs/core_kern_overflow.c | 21 +++++++++++++++++++
 6 files changed, 68 insertions(+), 2 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/core_kern_overflow.c
 create mode 100644 tools/testing/selftests/bpf/progs/core_kern_overflow.c

diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile index 945f92d71db3..91ea729990da 100644 --- a/tools/testing/selftests/bpf/Makefile +++ b/tools/testing/selftests/bpf/Makefile @@ -330,7 +330,7 @@ LINKED_SKELS := test_static_linked.skel.h linked_funcs.skel.h \ LSKELS := kfunc_call_test.c fentry_test.c fexit_test.c fexit_sleep.c \ test_ringbuf.c atomics.c trace_printk.c trace_vprintk.c \ - map_ptr_kern.c core_kern.c + map_ptr_kern.c core_kern.c core_kern_overflow.c # Generate both light skeleton and libbpf skeleton for these LSKELS_EXTRA := test_ksyms_module.c test_ksyms_weak.c kfunc_call_test_subprog.c SKEL_BLACKLIST += $$(LSKELS) diff --git a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c index 595d32ab285a..e5ba8d8a17da 100644 --- a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c +++ b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c @@ -13,6 +13,11 @@ #define CREATE_TRACE_POINTS #include "bpf_testmod-events.h" +typedef int (*func_proto_typedef___match)(long); +typedef int (*func_proto_typedef___overflow)(func_proto_typedef___match); +func_proto_typedef___match funcp = NULL; +func_proto_typedef___overflow funcp_of = NULL; + DEFINE_PER_CPU(int, bpf_testmod_ksym_percpu) = 123; noinline void diff --git a/tools/testing/selftests/bpf/prog_tests/core_kern.c b/tools/testing/selftests/bpf/prog_tests/core_kern.c index 561c5185d886..91493f5836ff 100644 --- a/tools/testing/selftests/bpf/prog_tests/core_kern.c +++ b/tools/testing/selftests/bpf/prog_tests/core_kern.c 
@@ -7,8 +7,21 @@ void test_core_kern_lskel(void) { struct core_kern_lskel *skel; + int link_fd; skel = core_kern_lskel__open_and_load(); - ASSERT_OK_PTR(skel, "open_and_load"); + if (!ASSERT_OK_PTR(skel, "open_and_load")) + return; + + link_fd = core_kern_lskel__core_relo_proto__attach(skel); + if (!ASSERT_GT(link_fd, 0, "attach(core_relo_proto)")) + goto cleanup; + + /* trigger tracepoints */ + usleep(1); + ASSERT_TRUE(skel->bss->proto_out[0], "bpf_core_type_exists"); + ASSERT_FALSE(skel->bss->proto_out[1], "!bpf_core_type_exists"); + +cleanup: core_kern_lskel__destroy(skel); } diff --git a/tools/testing/selftests/bpf/prog_tests/core_kern_overflow.c b/tools/testing/selftests/bpf/prog_tests/core_kern_overflow.c new file mode 100644 index 000000000000..04cc145bc26a --- /dev/null +++ b/tools/testing/selftests/bpf/prog_tests/core_kern_overflow.c @@ -0,0 +1,13 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include "test_progs.h" +#include "core_kern_overflow.lskel.h" + +void test_core_kern_overflow_lskel(void) +{ + struct core_kern_overflow_lskel *skel; + + skel = core_kern_overflow_lskel__open_and_load(); + if (!ASSERT_NULL(skel, "open_and_load")) + core_kern_overflow_lskel__destroy(skel); +} diff --git a/tools/testing/selftests/bpf/progs/core_kern.c b/tools/testing/selftests/bpf/progs/core_kern.c index 13499cc15c7d..acabe4cb0480 100644 --- a/tools/testing/selftests/bpf/progs/core_kern.c +++ b/tools/testing/selftests/bpf/progs/core_kern.c @@ -101,4 +101,18 @@ int balancer_ingress(struct __sk_buff *ctx) return 0; } +typedef int (*func_proto_typedef___match)(long); +typedef void (*func_proto_typedef___doesnt_match)(char*); + +int proto_out[2]; + +SEC("raw_tracepoint/sys_enter") +int core_relo_proto(void *ctx) +{ + proto_out[0] = bpf_core_type_exists(func_proto_typedef___match); + proto_out[1] = bpf_core_type_exists(func_proto_typedef___doesnt_match); + + return 0; +} + char LICENSE[] SEC("license") = "GPL"; 
diff --git a/tools/testing/selftests/bpf/progs/core_kern_overflow.c b/tools/testing/selftests/bpf/progs/core_kern_overflow.c new file mode 100644 index 000000000000..70417413af55 --- /dev/null +++ b/tools/testing/selftests/bpf/progs/core_kern_overflow.c @@ -0,0 +1,21 @@ +// SPDX-License-Identifier: GPL-2.0 +#include "vmlinux.h" + +#include +#include +#include + +typedef int (*func_proto_typedef___match)(long); +typedef int (*func_proto_typedef___overflow)(func_proto_typedef___match); + +int proto_out; + +SEC("raw_tracepoint/sys_enter") +int core_relo_proto(void *ctx) +{ + proto_out = bpf_core_type_exists(func_proto_typedef___overflow); + + return 0; +} + +char LICENSE[] SEC("license") = "GPL";
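
Review bot: In the include/linux/btf.h hunk of patch 1/2, btf_params() takes a const struct btf_type * but returns a non-const struct btf_param *, dropping the const qualifier that the neighbouring btf_type_var_secinfo() keeps on its return type. The only user visible in this series, the BTF_KIND_FUNC_PROTO case in __bpf_core_types_are_compat(), just reads ->type from each parameter, so returning const struct btf_param * and declaring local_p and targ_p const would keep BTF data from being written through this helper.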
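
Review bot: In the kernel/bpf/btf.c hunk of patch 1/2, the first kind comparison at the top of __bpf_core_types_are_compat() hands the results of btf_type_by_id() straight to btf_kind(), while the "!local_type || !targ_type" check only comes after the recur label. The FUNC_PROTO case now re-enters the function with ids taken from parameter entries, so moving the NULL check ahead of the first btf_kind() call would cover every entry path. Separately, the comment on "int depth = 32" still reads "max recursion depth", but depth only bounds the goto recur loop within one call and is reset on each nested call; the actual recursion is bounded by level and MAX_TYPES_ARE_COMPAT_DEPTH. The block comment above bpf_core_types_are_compat() should also say that a FUNC_PROTO with parameters reached at level 1 returns -EINVAL instead of a compatibility verdict, since that is the same error the function returns for a missing type.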
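
Review bot: In the bpf_testmod.c hunk of patch 2/2, funcp and funcp_of are added as non-static globals with no comment and no user in the visible hunks. If they exist only so that func_proto_typedef___match and func_proto_typedef___overflow end up in the module's BTF, a one-line comment should say so, and more specific names would avoid putting a generic symbol such as funcp in the module's global namespace.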
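
Review bot: In the new prog_tests/core_kern_overflow.c of patch 2/2, ASSERT_NULL(skel, "open_and_load") passes on any load failure, so a pass does not show that the recursion limit was what rejected the object. The sample log in the commit message shows ret: -22 from bpf_core_types_are_compat() only because of extra prints; if the light skeleton exposes the load error, asserting that it is -EINVAL would tie the test to the depth-limit path rather than to an unrelated failure.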