From patchwork Fri Jul 19 17:21:16 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amery Hung <ameryhung@gmail.com>
X-Patchwork-Id: 13737458
X-Patchwork-Delegate: bpf@iogearbox.net
Received: from mail-qk1-f181.google.com (mail-qk1-f181.google.com
 [209.85.222.181])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8786E250EC;
	Fri, 19 Jul 2024 17:21:21 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.222.181
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1721409683; cv=none;
 b=G83RFzLCVH4VOEzdx0jshRhGNIzJMW/rF2lbY7lZlJg3GXVf3cvIxYbS76Gzbex39wA720CQkdMZ/Lj7k7f+A/ZFozY02euhzjXkQ75GYSBkz2tYmt2cm2nqbbstt/AGZ4XumkVldPgnqiIp2LExFAYM8Nxr8Noy57KC7MkVi8w=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1721409683; c=relaxed/simple;
	bh=MB0aCVmUQ8UX3TZWM489FzGEjJexdFys+uUChjT6zMQ=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version;
 b=bR0Hq4gVYhZedKdDRSOJl+tVVd9W8FRWec5cCEHpj/jYJ8k4VzVGtLiSSqkxJh+VgLSkD1yJBC+t9y1srIEeqCv968wpdNQ1ti6me4Z+SsdRwxnNOQpN/Ud/CcTWLToAabl0e3L2Flu2mWzKJrdep/EVU999dCqUk2ZVm5bzUWA=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=Y1C5kGof; arc=none smtp.client-ip=209.85.222.181
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="Y1C5kGof"
Received: by mail-qk1-f181.google.com with SMTP id
 af79cd13be357-79f178351d4so102234785a.0;
        Fri, 19 Jul 2024 10:21:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1721409680; x=1722014480;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=MnnoqihdiiFXM0iLp5z8P7RVvEO5j7eMHztDecgJH/k=;
        b=Y1C5kGofdbwUmGaCMaMVL2yCuemq8s126P5CjFiC1FglfP1WLrF0XSQNimlZEVPD0t
         aU1gGHJPdy8akKojUMzU0MI8JVFl/bZJZQQ5mPpypvcCO1aePqUqz1Wam+pI2Y0gHj/Y
         CwiOsimgtRF6mETwVV43Is5WVOmw+M8dYSxqAmMUcY9ghKj5j7apS00Q+pQl3GxdRRno
         I1MKBBbS+HUBs6/kEcTpbAMQqbUNX3lghbVMpfa0+zbb6EKLPe1X0Q5XBZoIQM2uFj+c
         9tCPTEEDhg6erlM7D7xcexieDl54j95OCiiAimiLN0B63ki3SsAWVUe5nyZ/zvhsY08H
         YEew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1721409680; x=1722014480;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=MnnoqihdiiFXM0iLp5z8P7RVvEO5j7eMHztDecgJH/k=;
        b=hnjJH54I2iIUgMv46KTDq4gojwXVhR38oGX7jtB61rsfhsFNXO+HP8mxgwvsW0WfNy
         AKUeyosakl0GlzsW656LJbrc1pFBw2R/EGT6yU1UqfyMfkAZJ433DINCn3eEPbtV6s0G
         wTvTSOjcIhMEUg3oK3K3+zMRyt4D/M5xVwN6PbCSn81v35nwBW8Xeg3kQRI9qnyVzXoe
         KsMhofVynl3qP+YbwQACwd7i4Iy29zJUNl1jG+LbhWsbuUfY7PqARnR7F8VJRGgLjGaI
         YHuZFSCKMTkccHk6uRvUAhtbJuG9XsaIeUWvesFMEn84+bpx94V5RVzq9Gvkr/6+DdCS
         aQjA==
X-Forwarded-Encrypted: i=1;
 AJvYcCUX39MAH6c5HglaeaMn4OJZSqmQrtaRE02zsYzREHtP6f225ZXrtvADHpO+6zqP2UiHUsEh3buTjh0f82T0y1k8gM+CeokXCbA0bPNhEPGFd3eRFK7ZSVRMsY7I
X-Gm-Message-State: AOJu0YxqUphDaZdbmzg27YwMKFJYh8SoYwsoxw9YXswSrtZB1uTAiM6b
	cnJFueiFwoSe6faBS/y8WSfN3heBzwSXTUlZVEAOJFRqy49DXNuIMffpEA==
X-Google-Smtp-Source: 
 AGHT+IFm13LtSr5S4O3rZvUNck/f1UflPgKIWkpuBfrH6AtVZb5KNAWuRGCiHP+7OlFp3SNzJilxBA==
X-Received: by 2002:a05:620a:2584:b0:79f:77b:3a20 with SMTP id
 af79cd13be357-7a1a132c7a5mr62959785a.20.1721409680370;
        Fri, 19 Jul 2024 10:21:20 -0700 (PDT)
Received: from n36-183-057.byted.org ([130.44.212.91])
        by smtp.gmail.com with ESMTPSA id
 af79cd13be357-7a19905eb1dsm109706485a.89.2024.07.19.10.21.19
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 19 Jul 2024 10:21:20 -0700 (PDT)
From: Amery Hung <ameryhung@gmail.com>
X-Google-Original-From: Amery Hung <amery.hung@bytedance.com>
To: ameryhung@gmail.com
Cc: alexei.starovoitov@gmail.com,
	andrii@kernel.org,
	bpf@vger.kernel.org,
	daniel@iogearbox.net,
	jhs@mojatatu.com,
	jiri@resnulli.us,
	martin.lau@kernel.org,
	netdev@vger.kernel.org,
	sdf@google.com,
	sinquersw@gmail.com,
	toke@redhat.com,
	xiyou.wangcong@gmail.com,
	yangpeihao@sjtu.edu.cn,
	yepeilin.cs@gmail.com,
	donald.hunter@gmail.com
Subject: [OFFLIST RFC 1/4] bpf: Search for kptrs in prog BTF structs
Date: Fri, 19 Jul 2024 17:21:16 +0000
Message-Id: <20240719172119.3199738-1-amery.hung@bytedance.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20240714175130.4051012-1-amery.hung@bytedance.com>
References: <20240714175130.4051012-1-amery.hung@bytedance.com>
Precedence: bulk
X-Mailing-List: bpf@vger.kernel.org
List-Id: <bpf.vger.kernel.org>
List-Subscribe: <mailto:bpf+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:bpf+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Patchwork-Delegate: bpf@iogearbox.net
X-Patchwork-State: RFC

From: Dave Marchevsky <davemarchevsky@fb.com>

Currently btf_parse_fields is used in two places to create struct
btf_record's for structs: when looking at mapval type, and when looking
at any struct in program BTF. The former looks for kptr fields while the
latter does not. This patch modifies the btf_parse_fields call made when
looking at prog BTF struct types to search for kptrs as well.

Before this series there was no reason to search for kptrs in non-mapval
types: a referenced kptr needs some owner to guarantee resource cleanup,
and map values were the only owner that supported this. If a struct with
a kptr field were to have some non-kptr-aware owner, the kptr field
might not be properly cleaned up and result in resources leaking. Only
searching for kptr fields in mapval was a simple way to avoid this
problem.

In practice, though, searching for BPF_KPTR when populating
struct_meta_tab does not expose us to this risk, as struct_meta_tab is
only accessed through btf_find_struct_meta helper, and that helper is
only called in contexts where recognizing the kptr field is safe:

  * PTR_TO_BTF_ID reg w/ MEM_ALLOC flag
    * Such a reg is a local kptr and must be free'd via bpf_obj_drop,
      which will correctly handle kptr field

  * When handling specific kfuncs which either expect MEM_ALLOC input or
    return MEM_ALLOC output (obj_{new,drop}, percpu_obj_{new,drop},
    list+rbtree funcs, refcount_acquire)
     * Will correctly handle kptr field for same reasons as above

  * When looking at kptr pointee type
     * Called by functions which implement "correct kptr resource
       handling"

  * In btf_check_and_fixup_fields
     * Helper that ensures no ownership loops for lists and rbtrees,
       doesn't care about kptr field existence

So we should be able to find BPF_KPTR fields in all prog BTF structs
without leaking resources.

Further patches in the series will build on this change to support
kptr_xchg into non-mapval local kptr. Without this change there would be
no kptr field found in such a type.

Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com>
---
 kernel/bpf/btf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 520f49f422fe..967246ecd3cb 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -5585,7 +5585,8 @@ btf_parse_struct_metas(struct bpf_verifier_log *log, struct btf *btf)
 		type = &tab->types[tab->cnt];
 		type->btf_id = i;
 		record = btf_parse_fields(btf, t, BPF_SPIN_LOCK | BPF_LIST_HEAD | BPF_LIST_NODE |
-						  BPF_RB_ROOT | BPF_RB_NODE | BPF_REFCOUNT, t->size);
+						  BPF_RB_ROOT | BPF_RB_NODE | BPF_REFCOUNT |
+						  BPF_KPTR, t->size);
 		/* The record cannot be unset, treat it as an error if so */
 		if (IS_ERR_OR_NULL(record)) {
 			ret = PTR_ERR_OR_ZERO(record) ?: -EFAULT;

From patchwork Fri Jul 19 17:21:17 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amery Hung <ameryhung@gmail.com>
X-Patchwork-Id: 13737459
X-Patchwork-Delegate: bpf@iogearbox.net
Received: from mail-qk1-f169.google.com (mail-qk1-f169.google.com
 [209.85.222.169])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 38FFE13D61D;
	Fri, 19 Jul 2024 17:21:22 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.222.169
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1721409683; cv=none;
 b=XaWZdWY6VKgJXdBLwNHQ0wssWOnC/ZyHzNlVuAg1caLsG85GwXz4VJUJaZ5Yvh/nH1JcmxuiaDFnE8ewy+0l7eUne/FUXXRruVuNWQ0KZkOXjgehTj1A5tkizmtgOrTntb+QKwMY22TEOgKYqskLWA8XxY65tJgrNOwKcarnI+g=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1721409683; c=relaxed/simple;
	bh=N7XN9zYJyoXoo4WBRpHa3c/xnLvk5O5Eq2nJF1C9R6Y=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version;
 b=ZOqLsSlU/U0Ye3CVqdc1KXtyH/7NS5I+NYiwnCKbBRXA/vr2JS6+BMRA1p8y3fnmgSfp2QC19IHiM3EmKaU1Du6QQCkrEHovnaHoNYKo0FH4QpIX82aaCJpEDbjJow2vNW6UheR4vBEK/idY+MtxEcIIGyL3dDQhyMqeLC9DZAY=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=S+k1q+Vy; arc=none smtp.client-ip=209.85.222.169
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="S+k1q+Vy"
Received: by mail-qk1-f169.google.com with SMTP id
 af79cd13be357-79f08b01ba6so143258485a.0;
        Fri, 19 Jul 2024 10:21:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1721409681; x=1722014481;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=jHkR3HeaTgi9Sf/bo6ZYoa8FS/YOxvNEWT4vNOjsanI=;
        b=S+k1q+Vy0We+3KOVL6AlIVVLCdbXQ1AAHlMlwOhwJzM/97OJW/GdtkfhKep1BoG/yi
         Fu8stwgNneZJEKKuV4RuHObzvMdtsZaH0iVu9VMC42JE73vU2fb3w+4B3HeUaAghFtZ+
         MXLN+6x8IohrIz2bgPwOhLpNqqU2K7OEwujJx2GKndfgNjp3fLhwOAhMiZeRHf1+6s+x
         7jYGDHF7SV8Sw05VuwMErhiN/aWzxvFpJ47BJ5J9lWqZG6oUYxzf7i/F9BEeqZP2ytua
         bnKHPxikGuvqU/24WdMju1gZrLA6U15sko/zLKvTVL9XoGItPMrR+T96hwgqsGOB8/Q2
         E0gg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1721409681; x=1722014481;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=jHkR3HeaTgi9Sf/bo6ZYoa8FS/YOxvNEWT4vNOjsanI=;
        b=w7RgIWW0LUbSO1ERRNMROsgElWlnkrtKpx7KsX7Lp+3Aem/x+lEtU5asHHFTPdX6Tn
         19AP5/10WkTWVP9XhIp3r2oEuBbHlath9caTBINcNUmNS1HTVAa01PLKlKyk6I+9Vi77
         8iczvPVGeBduKMfrod72TQB9PCrfaHZq49Ym9NEw/GWE6TFskmyYbFLw6B+maoXerZ6/
         XLMoYVe4mUQeHue8hBIi674uzq3RL2n23UydZU4yYk93seDKZkMSi+al1qPRvniM/ups
         rvSbiO1AsottLYIAL+Eru1/TK9NHAUhM2w2ZvmT3NGf9xn5R8tp+nG40I/FhFsgaIUq/
         yIAQ==
X-Forwarded-Encrypted: i=1;
 AJvYcCVMo5KdxcbqrKFXuOCckxmwSlXAktHakBA3KOLreggmcQlz05ye6410kxxFjbhYEEI5BEP972LAePW7vj02xD1aQ95tebeB87gaoFf/wIDIVPkhb2PwQlzjAv/g
X-Gm-Message-State: AOJu0YyBlTpAMitO79pZsNXGmizRj3KT3WHevnteFWxSCM36ezoOVjOE
	FDnt5g1QsAMOJsPZHJp9nfJXIdWwUC42qbORUnw133E2y2qunokH
X-Google-Smtp-Source: 
 AGHT+IFcJWc4DhxYXowk7bcxAPqGv/DdpDPFiY2uxMgEAlptAMLX/qoN2RtmyPMXSgSJsN1EQuH3SA==
X-Received: by 2002:a05:620a:4549:b0:79f:18f1:b6e6 with SMTP id
 af79cd13be357-7a1a18e9aabmr60574685a.10.1721409681157;
        Fri, 19 Jul 2024 10:21:21 -0700 (PDT)
Received: from n36-183-057.byted.org ([130.44.212.91])
        by smtp.gmail.com with ESMTPSA id
 af79cd13be357-7a19905eb1dsm109706485a.89.2024.07.19.10.21.20
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 19 Jul 2024 10:21:20 -0700 (PDT)
From: Amery Hung <ameryhung@gmail.com>
X-Google-Original-From: Amery Hung <amery.hung@bytedance.com>
To: ameryhung@gmail.com
Cc: alexei.starovoitov@gmail.com,
	andrii@kernel.org,
	bpf@vger.kernel.org,
	daniel@iogearbox.net,
	jhs@mojatatu.com,
	jiri@resnulli.us,
	martin.lau@kernel.org,
	netdev@vger.kernel.org,
	sdf@google.com,
	sinquersw@gmail.com,
	toke@redhat.com,
	xiyou.wangcong@gmail.com,
	yangpeihao@sjtu.edu.cn,
	yepeilin.cs@gmail.com,
	donald.hunter@gmail.com
Subject: [OFFLIST RFC 2/4] bpf: Rename ARG_PTR_TO_KPTR -> ARG_KPTR_XCHG_DEST
Date: Fri, 19 Jul 2024 17:21:17 +0000
Message-Id: <20240719172119.3199738-2-amery.hung@bytedance.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20240719172119.3199738-1-amery.hung@bytedance.com>
References: <20240714175130.4051012-1-amery.hung@bytedance.com>
 <20240719172119.3199738-1-amery.hung@bytedance.com>
Precedence: bulk
X-Mailing-List: bpf@vger.kernel.org
List-Id: <bpf.vger.kernel.org>
List-Subscribe: <mailto:bpf+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:bpf+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Patchwork-Delegate: bpf@iogearbox.net
X-Patchwork-State: RFC

From: Dave Marchevsky <davemarchevsky@fb.com>

ARG_PTR_TO_KPTR is currently only used by the bpf_kptr_xchg helper.
Although it limits reg types for that helper's first arg to
PTR_TO_MAP_VALUE, any arbitrary mapval won't do: further custom
verification logic ensures that the mapval reg being xchgd-into is
pointing to a kptr field. If this is not the case, it's not safe to xchg
into that reg's pointee.

Let's rename the bpf_arg_type to more accurately describe the fairly
specific expectations that this arg type encodes.

This is a nonfunctional change.

Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com>
---
 include/linux/bpf.h   | 2 +-
 kernel/bpf/helpers.c  | 2 +-
 kernel/bpf/verifier.c | 6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 4f1d4a97b9d1..cc460786da9b 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -743,7 +743,7 @@ enum bpf_arg_type {
 	ARG_PTR_TO_STACK,	/* pointer to stack */
 	ARG_PTR_TO_CONST_STR,	/* pointer to a null terminated read-only string */
 	ARG_PTR_TO_TIMER,	/* pointer to bpf_timer */
-	ARG_PTR_TO_KPTR,	/* pointer to referenced kptr */
+	ARG_KPTR_XCHG_DEST,	/* pointer to destination that kptrs are bpf_kptr_xchg'd into */
 	ARG_PTR_TO_DYNPTR,      /* pointer to bpf_dynptr. See bpf_type_flag for dynptr type */
 	__BPF_ARG_TYPE_MAX,
 
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index b5f0adae8293..c038c3e03019 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -1635,7 +1635,7 @@ static const struct bpf_func_proto bpf_kptr_xchg_proto = {
 	.gpl_only     = false,
 	.ret_type     = RET_PTR_TO_BTF_ID_OR_NULL,
 	.ret_btf_id   = BPF_PTR_POISON,
-	.arg1_type    = ARG_PTR_TO_KPTR,
+	.arg1_type    = ARG_KPTR_XCHG_DEST,
 	.arg2_type    = ARG_PTR_TO_BTF_ID_OR_NULL | OBJ_RELEASE,
 	.arg2_btf_id  = BPF_PTR_POISON,
 };
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 8da132a1ef28..06ec18ee973c 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -8260,7 +8260,7 @@ static const struct bpf_reg_types func_ptr_types = { .types = { PTR_TO_FUNC } };
 static const struct bpf_reg_types stack_ptr_types = { .types = { PTR_TO_STACK } };
 static const struct bpf_reg_types const_str_ptr_types = { .types = { PTR_TO_MAP_VALUE } };
 static const struct bpf_reg_types timer_types = { .types = { PTR_TO_MAP_VALUE } };
-static const struct bpf_reg_types kptr_types = { .types = { PTR_TO_MAP_VALUE } };
+static const struct bpf_reg_types kptr_xchg_dest_types = { .types = { PTR_TO_MAP_VALUE } };
 static const struct bpf_reg_types dynptr_types = {
 	.types = {
 		PTR_TO_STACK,
@@ -8292,7 +8292,7 @@ static const struct bpf_reg_types *compatible_reg_types[__BPF_ARG_TYPE_MAX] = {
 	[ARG_PTR_TO_STACK]		= &stack_ptr_types,
 	[ARG_PTR_TO_CONST_STR]		= &const_str_ptr_types,
 	[ARG_PTR_TO_TIMER]		= &timer_types,
-	[ARG_PTR_TO_KPTR]		= &kptr_types,
+	[ARG_KPTR_XCHG_DEST]		= &kptr_xchg_dest_types,
 	[ARG_PTR_TO_DYNPTR]		= &dynptr_types,
 };
 
@@ -8892,7 +8892,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
 			return err;
 		break;
 	}
-	case ARG_PTR_TO_KPTR:
+	case ARG_KPTR_XCHG_DEST:
 		err = process_kptr_func(env, regno, meta);
 		if (err)
 			return err;

From patchwork Fri Jul 19 17:21:18 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amery Hung <ameryhung@gmail.com>
X-Patchwork-Id: 13737461
X-Patchwork-Delegate: bpf@iogearbox.net
Received: from mail-oi1-f173.google.com (mail-oi1-f173.google.com
 [209.85.167.173])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id F0C631459FF;
	Fri, 19 Jul 2024 17:21:22 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.167.173
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1721409688; cv=none;
 b=L/JR/c5EIa1OxjWbzZP948TabMBF7QA6Zb8ugBm+i5FaHCDlNa0tGPgDVQntxJnIft4M1Kog7hnU8T2L0NcSmHosy21mDP/bL4Oi1kYZJWUILrmu/9L1UNLMdM5J4EgzjNEdrBNnKsmJe3qyiZUjrIv6bLgD/r3hsBjoLKVVrAU=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1721409688; c=relaxed/simple;
	bh=3DXvp5jOvkAPu9y5xMa3aGwUsjFfFMj1jE7amb3n3b4=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version;
 b=tuYqwNDqcEO9FFaz2i2md3extkwi/AMYas67Bd+T3rsnRgw9YzU7kPESRY6ooIAgNfgXXuRH0UArsJGkt3hLN7KIOEVUzJVIN8U61kYLV3ey1J0ugWUrngdhhyOGl2oIZKtzsClBQd2zyf3uMo8FZwaMsoWi8ypq/hk6hFdtM3U=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=aBiewfAo; arc=none smtp.client-ip=209.85.167.173
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="aBiewfAo"
Received: by mail-oi1-f173.google.com with SMTP id
 5614622812f47-3d9ddfbbc58so1232795b6e.2;
        Fri, 19 Jul 2024 10:21:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1721409682; x=1722014482;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=BuMYKJns32/RgL4AWz+EBPPTGPYCidSuSNjBgS6hFzE=;
        b=aBiewfAoNEHCnkG1gIIfY9evz2lR81tKb04KrZRVUmOBid7G6cblkJefWP/V6Mf0z8
         rUP6884uBnd1LcLx7ZVmnmX1ZAmC++3YTHwygZzjIyLc2ERsvixIkIIPtVrv10+LpB/c
         tlvrhRI0UsEiAeE7i/dDzHG+jG6dnDhufn7vRjPgGiHWLZ5lV7FHnnC6KurP/awvS+Wp
         P2b1u7xSioPPFHnfQIbe+yqKzOmB1X9okJ9P6FOLQvcwBOWVxiiuXTWnT3VJuxjrLF3i
         9IpgxqbzM4nK99xixUqtUdeF2FJGiMvzhLwdA2f0Q+rWWiKDrkvwgJI3OCJj5C5rvjX3
         NLuA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1721409682; x=1722014482;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=BuMYKJns32/RgL4AWz+EBPPTGPYCidSuSNjBgS6hFzE=;
        b=YmdtkJun+0D9F7LDgDshyOW8NzaC1hO6lsK02V3Nubhd2fFIStI2pywYO5Eu63+/2N
         tCdd5VpMPogDx8ORTk/mspdetTOyATeaCkxfumw+Hm1TIamrgtuhIW9nYyVNCStRRsWD
         wZxEoSqUR/3P+xfYTDzdFaexKfeHFTy5rshn6BJhZ6Opti/k2zIZ9e3VSFa79NKK+Spe
         PQn0mbAYb7NHlNSSiyt0Wp4kFML8oP2iGTdd9MGdp8hTP0RmPAeu0Ju2fXuSmHjCg7Pw
         9esmf3HnG8qET6iuH/ZW6VBOZQxrZfxQ6OiZxC9y6desRNCQqq3J/2AmbGmIeHFQQ1lk
         MeHQ==
X-Forwarded-Encrypted: i=1;
 AJvYcCUoZtg4agzFmfL/dEwn7bfOn6W2qktTKQ2/lqa6jCrzNQVhh5Es8c6+lABwtQLpMutj26I+LkQT+EV0UoM92O5PBliAVbORM57Rl9JtyUQkaYK0NU7GWVvrzYgM
X-Gm-Message-State: AOJu0YxMQU55U+BKEZws9XPOHbkvo27nD4h4xoM5lj1Brpvq38V3/jAr
	FBGYRatIvOY5cSwfFmmAwtyiM1+E7vC04gnHFZMMjihfEKxpuqGN
X-Google-Smtp-Source: 
 AGHT+IEu7n+++Po4apJfVbgZ2gfw8/CM/R5Nijd8lh2ztJc+Tpz4sIp/Bn4JzsLDk7OAPcKJEbUr8g==
X-Received: by 2002:a05:6808:2024:b0:3d9:dc98:c84b with SMTP id
 5614622812f47-3dae5f43226mr794380b6e.5.1721409681844;
        Fri, 19 Jul 2024 10:21:21 -0700 (PDT)
Received: from n36-183-057.byted.org ([130.44.212.91])
        by smtp.gmail.com with ESMTPSA id
 af79cd13be357-7a19905eb1dsm109706485a.89.2024.07.19.10.21.21
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 19 Jul 2024 10:21:21 -0700 (PDT)
From: Amery Hung <ameryhung@gmail.com>
X-Google-Original-From: Amery Hung <amery.hung@bytedance.com>
To: ameryhung@gmail.com
Cc: alexei.starovoitov@gmail.com,
	andrii@kernel.org,
	bpf@vger.kernel.org,
	daniel@iogearbox.net,
	jhs@mojatatu.com,
	jiri@resnulli.us,
	martin.lau@kernel.org,
	netdev@vger.kernel.org,
	sdf@google.com,
	sinquersw@gmail.com,
	toke@redhat.com,
	xiyou.wangcong@gmail.com,
	yangpeihao@sjtu.edu.cn,
	yepeilin.cs@gmail.com,
	donald.hunter@gmail.com
Subject: [OFFLIST RFC 3/4] bpf: Support bpf_kptr_xchg into local kptr
Date: Fri, 19 Jul 2024 17:21:18 +0000
Message-Id: <20240719172119.3199738-3-amery.hung@bytedance.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20240719172119.3199738-1-amery.hung@bytedance.com>
References: <20240714175130.4051012-1-amery.hung@bytedance.com>
 <20240719172119.3199738-1-amery.hung@bytedance.com>
Precedence: bulk
X-Mailing-List: bpf@vger.kernel.org
List-Id: <bpf.vger.kernel.org>
List-Subscribe: <mailto:bpf+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:bpf+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Patchwork-Delegate: bpf@iogearbox.net
X-Patchwork-State: RFC

From: Dave Marchevsky <davemarchevsky@fb.com>

Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com>
---
 kernel/bpf/verifier.c | 42 ++++++++++++++++++++++++++++--------------
 1 file changed, 28 insertions(+), 14 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 06ec18ee973c..39929569ae58 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7664,29 +7664,38 @@ static int process_kptr_func(struct bpf_verifier_env *env, int regno,
 			     struct bpf_call_arg_meta *meta)
 {
 	struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno];
-	struct bpf_map *map_ptr = reg->map_ptr;
 	struct btf_field *kptr_field;
+	struct bpf_map *map_ptr;
+	struct btf_record *rec;
 	u32 kptr_off;
 
+	if (type_is_ptr_alloc_obj(reg->type)) {
+		rec = reg_btf_record(reg);
+	} else { /* PTR_TO_MAP_VALUE */
+		map_ptr = reg->map_ptr;
+		if (!map_ptr->btf) {
+			verbose(env, "map '%s' has to have BTF in order to use bpf_kptr_xchg\n",
+				map_ptr->name);
+			return -EINVAL;
+		}
+		rec = map_ptr->record;
+		meta->map_ptr = map_ptr;
+	}
+
 	if (!tnum_is_const(reg->var_off)) {
 		verbose(env,
 			"R%d doesn't have constant offset. kptr has to be at the constant offset\n",
 			regno);
 		return -EINVAL;
 	}
-	if (!map_ptr->btf) {
-		verbose(env, "map '%s' has to have BTF in order to use bpf_kptr_xchg\n",
-			map_ptr->name);
-		return -EINVAL;
-	}
-	if (!btf_record_has_field(map_ptr->record, BPF_KPTR)) {
-		verbose(env, "map '%s' has no valid kptr\n", map_ptr->name);
+
+	if (!btf_record_has_field(rec, BPF_KPTR)) {
+		verbose(env, "R%d has no valid kptr\n", regno);
 		return -EINVAL;
 	}
 
-	meta->map_ptr = map_ptr;
 	kptr_off = reg->off + reg->var_off.value;
-	kptr_field = btf_record_find(map_ptr->record, kptr_off, BPF_KPTR);
+	kptr_field = btf_record_find(rec, kptr_off, BPF_KPTR);
 	if (!kptr_field) {
 		verbose(env, "off=%d doesn't point to kptr\n", kptr_off);
 		return -EACCES;
@@ -8260,7 +8269,12 @@ static const struct bpf_reg_types func_ptr_types = { .types = { PTR_TO_FUNC } };
 static const struct bpf_reg_types stack_ptr_types = { .types = { PTR_TO_STACK } };
 static const struct bpf_reg_types const_str_ptr_types = { .types = { PTR_TO_MAP_VALUE } };
 static const struct bpf_reg_types timer_types = { .types = { PTR_TO_MAP_VALUE } };
-static const struct bpf_reg_types kptr_xchg_dest_types = { .types = { PTR_TO_MAP_VALUE } };
+static const struct bpf_reg_types kptr_xchg_dest_types = {
+	.types = {
+		PTR_TO_MAP_VALUE,
+		PTR_TO_BTF_ID | MEM_ALLOC
+	}
+};
 static const struct bpf_reg_types dynptr_types = {
 	.types = {
 		PTR_TO_STACK,
@@ -8331,7 +8345,7 @@ static int check_reg_type(struct bpf_verifier_env *env, u32 regno,
 	if (base_type(arg_type) == ARG_PTR_TO_MEM)
 		type &= ~DYNPTR_TYPE_FLAG_MASK;
 
-	if (meta->func_id == BPF_FUNC_kptr_xchg && type_is_alloc(type)) {
+	if (meta->func_id == BPF_FUNC_kptr_xchg && type_is_alloc(type) && regno > 1) {
 		type &= ~MEM_ALLOC;
 		type &= ~MEM_PERCPU;
 	}
@@ -8424,7 +8438,7 @@ static int check_reg_type(struct bpf_verifier_env *env, u32 regno,
 			verbose(env, "verifier internal error: unimplemented handling of MEM_ALLOC\n");
 			return -EFAULT;
 		}
-		if (meta->func_id == BPF_FUNC_kptr_xchg) {
+		if (meta->func_id == BPF_FUNC_kptr_xchg && regno > 1) {
 			if (map_kptr_match_type(env, meta->kptr_field, reg, regno))
 				return -EACCES;
 		}
@@ -8735,7 +8749,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
 		meta->release_regno = regno;
 	}
 
-	if (reg->ref_obj_id) {
+	if (reg->ref_obj_id && base_type(arg_type) != ARG_KPTR_XCHG_DEST) {
 		if (meta->ref_obj_id) {
 			verbose(env, "verifier internal error: more than one arg with ref_obj_id R%d %u %u\n",
 				regno, reg->ref_obj_id,

From patchwork Fri Jul 19 17:21:19 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amery Hung <ameryhung@gmail.com>
X-Patchwork-Id: 13737460
X-Patchwork-Delegate: bpf@iogearbox.net
Received: from mail-qk1-f169.google.com (mail-qk1-f169.google.com
 [209.85.222.169])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id CFD82146A85;
	Fri, 19 Jul 2024 17:21:23 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.222.169
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1721409685; cv=none;
 b=pkaUKro7LZmDN+rysuGbZ4Dy3yQ225oqTvROxbmCiL9/MtBscw03mbOZPs0cg/vb5Z4+A/1/4Qktl3onCbxQT36Wp9tmQ/g2cEC9XtsKaDeXsJN/3FeQRnGv5AymZn0eiYzkyFRxgoiSWDLG7HuvzsJAYVr/Pst1pbWBggtq1gg=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1721409685; c=relaxed/simple;
	bh=GcPbDg8dGPpvW3qKI6MgYWhbdTG4qTHFxQ7VdGvdbZ0=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version;
 b=hUzplkVst0pOsxyGacADg8W6DOFSF9OMcD7H/Si6y++BBxu0Ztk0DGDa90QBw45CNNRk9mHlAJz5c5OLDkA+HAXtOc03vCAiOyy2fj/mSXiv6PDZE4bvZ6logLvx/QLVlg5njTIhBg8BAH3qlYXTARdBG65cu2PP6sqge3WWylg=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=JvbhNCQD; arc=none smtp.client-ip=209.85.222.169
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="JvbhNCQD"
Received: by mail-qk1-f169.google.com with SMTP id
 af79cd13be357-79ef93865afso106959485a.1;
        Fri, 19 Jul 2024 10:21:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1721409683; x=1722014483;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=/3/xMbadZR6ipB99nJ7HjWra8CWfz07I6ua6elRBn7o=;
        b=JvbhNCQD6jfV/tO1WwWsGNyrHoP/N55Bix5WdXwrBGuwMY44Oi0oflbuYH0eihqiO+
         mSu0AhdR6bmPYXurC4Hd8p0KyGrcOV2Ycj/34xn91TR5Vxq930VVpPd+V/Say74PChzk
         zqhj7YMFakRr7XkuCdDeb+ATm0FoTcwB0ZrI/uvHddK+fFKLmVA7VH8lcuuXWTJlqkwx
         PeQt1vMOL2jx9TURtBpIqoHzp3iSlyAyYYAG52k+Nas+MqbdooVBvA/+xw2sV4XiGiE+
         BUs9LWb242QzBjgYxXqeo9afGzD0CMHGCWR5uNP3kW+IEH6t6y0s1Meu4b4+9vFXobgF
         NsaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1721409683; x=1722014483;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=/3/xMbadZR6ipB99nJ7HjWra8CWfz07I6ua6elRBn7o=;
        b=WbfL4tt02rxKL2ftIwRjUKrtc6FFhspQul9lWhm1R3NDUpy2CtTUFxAGcBIsoZ8BZi
         FSq1XXz5UyP/l/UryADWOAGhpSqHnAvPk1OYFFt3qPjKzEuo/Cf/dzfsX3oY1wT5sZ+v
         F/KRc1mlvrVt+73yyS/O58sEmrVpmfzudzW/FK3465G1G/OPWhmgJ9vUFk3UASkNVo6B
         bg0mK/H+5O6U7/ynglQOraOx8DaBZ3kAlwSXJJPt+MJ78zr45GCSMk0zjaQm5EHn86KS
         UVjujTs2vQ5KyH/BFbIf8/mJdhHmU07lx9mmZJye0h+mKDUjSgSAT8Lmy0V8wvoHOzfJ
         MBoA==
X-Forwarded-Encrypted: i=1;
 AJvYcCXoojE5rCkQtx0niU9cEh9uzKYAgMzrAfb6lqWa7J5b827bJELYTZ1jBggAUqioHKdSl2xM25o3Hi4hCWn8E1BN/VEylKBy6E2cx9sLZ58VaNwf+grnLoiEAGhs
X-Gm-Message-State: AOJu0YzQAfcE2cTshCKNyr4kDX+zbseJsB9FFYWFLXl3xPf1DlpewVKZ
	ONOn6gqsjbsagocAetchsuZtPcalboVCOFgZDI6MfADF32gAzVg5
X-Google-Smtp-Source: 
 AGHT+IFeYODdlJTJQuieFvm41hhcW7y+RmebwKsxXtILe9qa55t1jiNZPIbRJRpCS2XEZxiFmrs69w==
X-Received: by 2002:a05:620a:4108:b0:79c:103b:af44 with SMTP id
 af79cd13be357-7a187501438mr1068244185a.65.1721409682694;
        Fri, 19 Jul 2024 10:21:22 -0700 (PDT)
Received: from n36-183-057.byted.org ([130.44.212.91])
        by smtp.gmail.com with ESMTPSA id
 af79cd13be357-7a19905eb1dsm109706485a.89.2024.07.19.10.21.22
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 19 Jul 2024 10:21:22 -0700 (PDT)
From: Amery Hung <ameryhung@gmail.com>
X-Google-Original-From: Amery Hung <amery.hung@bytedance.com>
To: ameryhung@gmail.com
Cc: alexei.starovoitov@gmail.com,
	andrii@kernel.org,
	bpf@vger.kernel.org,
	daniel@iogearbox.net,
	jhs@mojatatu.com,
	jiri@resnulli.us,
	martin.lau@kernel.org,
	netdev@vger.kernel.org,
	sdf@google.com,
	sinquersw@gmail.com,
	toke@redhat.com,
	xiyou.wangcong@gmail.com,
	yangpeihao@sjtu.edu.cn,
	yepeilin.cs@gmail.com,
	donald.hunter@gmail.com
Subject: [OFFLIST RFC 4/4] selftests/bpf: Test bpf_kptr_xchg stashing into
 local kptr
Date: Fri, 19 Jul 2024 17:21:19 +0000
Message-Id: <20240719172119.3199738-4-amery.hung@bytedance.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20240719172119.3199738-1-amery.hung@bytedance.com>
References: <20240714175130.4051012-1-amery.hung@bytedance.com>
 <20240719172119.3199738-1-amery.hung@bytedance.com>
Precedence: bulk
X-Mailing-List: bpf@vger.kernel.org
List-Id: <bpf.vger.kernel.org>
List-Subscribe: <mailto:bpf+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:bpf+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Patchwork-Delegate: bpf@iogearbox.net
X-Patchwork-State: RFC

From: Dave Marchevsky <davemarchevsky@fb.com>

Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com>
---
 .../selftests/bpf/progs/local_kptr_stash.c    | 21 +++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/tools/testing/selftests/bpf/progs/local_kptr_stash.c b/tools/testing/selftests/bpf/progs/local_kptr_stash.c
index 75043ffc5dad..8532abcae5c0 100644
--- a/tools/testing/selftests/bpf/progs/local_kptr_stash.c
+++ b/tools/testing/selftests/bpf/progs/local_kptr_stash.c
@@ -11,6 +11,7 @@
 struct node_data {
 	long key;
 	long data;
+	struct prog_test_ref_kfunc __kptr *stashed_in_node;
 	struct bpf_rb_node node;
 };
 
@@ -85,17 +86,33 @@ static bool less(struct bpf_rb_node *a, const struct bpf_rb_node *b)
 
 static int create_and_stash(int idx, int val)
 {
+	struct prog_test_ref_kfunc *inner;
 	struct map_value *mapval;
 	struct node_data *res;
+	unsigned long dummy;
 
 	mapval = bpf_map_lookup_elem(&some_nodes, &idx);
 	if (!mapval)
 		return 1;
 
+	dummy = 0;
+	inner = bpf_kfunc_call_test_acquire(&dummy);
+	if (!inner)
+		return 2;
+
 	res = bpf_obj_new(typeof(*res));
-	if (!res)
-		return 1;
+	if (!res) {
+		bpf_kfunc_call_test_release(inner);
+		return 3;
+	}
 	res->key = val;
+	inner = bpf_kptr_xchg(&res->stashed_in_node, inner);
+	if (inner) {
+		/* Should never happen, we just obj_new'd res */
+		bpf_kfunc_call_test_release(inner);
+		bpf_obj_drop(res);
+		return 4;
+	}
 
 	res = bpf_kptr_xchg(&mapval->node, res);
 	if (res)