From patchwork Sun Jul 28 03:01:12 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amery Hung <ameryhung@gmail.com>
X-Patchwork-Id: 13743832
X-Patchwork-Delegate: bpf@iogearbox.net
Received: from mail-qv1-f43.google.com (mail-qv1-f43.google.com
 [209.85.219.43])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4E27F184D
	for <bpf@vger.kernel.org>; Sun, 28 Jul 2024 03:01:43 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.219.43
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1722135704; cv=none;
 b=NXtZ8gcr6Anci5oMFyHKYz2vGKKKH4aa00/tN/RvGZvt/XcxPA1HamUR1ZrivqxgjXsb1S8GKc1o+mnnv+AztFAOpnxp4TQwiXeJcCAlU9ibh67WMhLjmQ8ktcBbHDhxWbwNmYT8mvj1dmzVCXia2Ua/f2BoZdKUS7+zf/Yq4tY=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1722135704; c=relaxed/simple;
	bh=RwfWHgtCdrEbA9YQ9AdXSlgPIospQ0IeS9BdX2rF2GA=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version;
 b=TZyN7tjciYQR4zNyy6TyHQ9FAdxgoLcpoBdzgWEwWp5xE6DNs+cmSE/cLwP0H5vJ5/vYAyTfcQvoPs2mZ3ViKG17oFudtYXhqb+WEZHXaPeCCVY7mjDm4hphPmKM6W5ij2qXJFGOOeVx9sviVO/EzZId+4g2RlnkHc10UgydUMY=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=U3lVZ1Rl; arc=none smtp.client-ip=209.85.219.43
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="U3lVZ1Rl"
Received: by mail-qv1-f43.google.com with SMTP id
 6a1803df08f44-6b7a4668f07so10712116d6.1
        for <bpf@vger.kernel.org>; Sat, 27 Jul 2024 20:01:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1722135702; x=1722740502;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=2Dds8dIKOzIPsqNySyOBwetSI9ZRPmVfowMAUFUWv5g=;
        b=U3lVZ1RlEFGpchFwp41aJ6EYSBGWmhGuaL2SzQY5ItLLamNdEwXq/bd0l2aeNc/s34
         NRsuSPcNR+93YN9D0wgFlJyM0/AbZ6KrCHbtdryImP7Q+Vr82LPv74RZIb935GveAKy8
         mtD2qIpPZr0Rqhhjehxpu2l+ZFM3IIt8qbz+rXCElbnEXHLJIf24LtxaYBZ/RyWLRt6v
         bPU+1M6tQQEwp/OmcTS+4sa4kTXr3f422OuKcGZDQ9nJvCRpxGCNuZFIlwY2Omz/+27S
         vBoUQCEzSMcfGxGDFqIzHrGnW0y0CnH5nW7BTRqm1xg7gpkDQJduSXSG5dxHrZldWZBu
         uvuw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1722135702; x=1722740502;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=2Dds8dIKOzIPsqNySyOBwetSI9ZRPmVfowMAUFUWv5g=;
        b=gkFBBMuhs8Z+c1KObjDeVzGykazpI+sCyLFYJRzLaUalkr/8HwASpT85/iYIkHl1yq
         Pn9lKqzPRQnTckx59t0oke9uSkg+6xExn0G81AV4SAR5G6jakXDwcPYrdOsMjEn2auks
         KCGcUxCr8AbkC+rkfhKkZfFcOgm0OOn1Ral4aKjyZ77ERutNwXBG82NA2IHL+o/GlxBx
         0wTfVO11Y/wP4Ih98QBGwEvTp1LUeGI3oz+dpsD+N5ZC60aIS1jobuhjY2ysu01Nx/Js
         oU2YOZ1jRwfCFUg6JhlhHtFJiKCUqoctPveSrDdH0ztOL3Il0he88Bu/JNcvsQXr5dVI
         P1Gg==
X-Gm-Message-State: AOJu0YyDmHjZIytIUUjblBMBrq+IpWACXiCGoWMd3GNVblUOWm3PfvrS
	nCyv6nZ0+ffn9zOsHsEgpTOOppArPij8VsWtivFYCyOZvU5eCiDVx2JsOw==
X-Google-Smtp-Source: 
 AGHT+IE1WlJ5GwfRoYu7Ldmc3Zos2PKOJwvQuuNq6QS+Jp3/ibLjv06WvmIfJNXrXsE1u28v3R7Xfw==
X-Received: by 2002:a05:6214:2261:b0:6b5:1976:98ac with SMTP id
 6a1803df08f44-6bb55a6f10bmr59669306d6.28.1722135702047;
        Sat, 27 Jul 2024 20:01:42 -0700 (PDT)
Received: from n36-183-057.byted.org ([139.177.233.179])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bb3f90e7b9sm37953306d6.52.2024.07.27.20.01.41
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sat, 27 Jul 2024 20:01:41 -0700 (PDT)
From: Amery Hung <ameryhung@gmail.com>
X-Google-Original-From: Amery Hung <amery.hung@bytedance.com>
To: bpf@vger.kernel.org
Cc: daniel@iogearbox.net,
	andrii@kernel.org,
	alexei.starovoitov@gmail.com,
	martin.lau@kernel.org,
	sinquersw@gmail.com,
	davemarchevsky@fb.com,
	ameryhung@gmail.com,
	Amery Hung <amery.hung@bytedance.com>
Subject: [PATCH v1 bpf-next 1/4] bpf: Search for kptrs in prog BTF structs
Date: Sun, 28 Jul 2024 03:01:12 +0000
Message-Id: <20240728030115.3970543-2-amery.hung@bytedance.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20240728030115.3970543-1-amery.hung@bytedance.com>
References: <20240728030115.3970543-1-amery.hung@bytedance.com>
Precedence: bulk
X-Mailing-List: bpf@vger.kernel.org
List-Id: <bpf.vger.kernel.org>
List-Subscribe: <mailto:bpf+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:bpf+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Patchwork-Delegate: bpf@iogearbox.net

From: Dave Marchevsky <davemarchevsky@fb.com>

Currently btf_parse_fields is used in two places to create struct
btf_record's for structs: when looking at mapval type, and when looking
at any struct in program BTF. The former looks for kptr fields while the
latter does not. This patch modifies the btf_parse_fields call made when
looking at prog BTF struct types to search for kptrs as well.

Before this series there was no reason to search for kptrs in non-mapval
types: a referenced kptr needs some owner to guarantee resource cleanup,
and map values were the only owner that supported this. If a struct with
a kptr field were to have some non-kptr-aware owner, the kptr field
might not be properly cleaned up and result in resources leaking. Only
searching for kptr fields in mapval was a simple way to avoid this
problem.

In practice, though, searching for BPF_KPTR when populating
struct_meta_tab does not expose us to this risk, as struct_meta_tab is
only accessed through btf_find_struct_meta helper, and that helper is
only called in contexts where recognizing the kptr field is safe:

  * PTR_TO_BTF_ID reg w/ MEM_ALLOC flag
    * Such a reg is a local kptr and must be free'd via bpf_obj_drop,
      which will correctly handle kptr field

  * When handling specific kfuncs which either expect MEM_ALLOC input or
    return MEM_ALLOC output (obj_{new,drop}, percpu_obj_{new,drop},
    list+rbtree funcs, refcount_acquire)
     * Will correctly handle kptr field for same reasons as above

  * When looking at kptr pointee type
     * Called by functions which implement "correct kptr resource
       handling"

  * In btf_check_and_fixup_fields
     * Helper that ensures no ownership loops for lists and rbtrees,
       doesn't care about kptr field existence

So we should be able to find BPF_KPTR fields in all prog BTF structs
without leaking resources.

Further patches in the series will build on this change to support
kptr_xchg into non-mapval local kptr. Without this change there would be
no kptr field found in such a type.

On a side note, when building program BTF, the refcount of program BTF
is now initialized before btf_parse_struct_metas() to prevent a
refcount_inc() on zero warning. This happens when BPF_KPTR is present
in program BTF: btf_parse_struct_metas() -> btf_parse_fields()
-> btf_parse_kptr() -> btf_get(). This should be okay as the program BTF
is not available yet outside btf_parse().

Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com>
Signed-off-by: Amery Hung <amery.hung@bytedance.com>
---
 kernel/bpf/btf.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 95426d5b634e..7b8275e3e500 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -5585,7 +5585,8 @@ btf_parse_struct_metas(struct bpf_verifier_log *log, struct btf *btf)
 		type = &tab->types[tab->cnt];
 		type->btf_id = i;
 		record = btf_parse_fields(btf, t, BPF_SPIN_LOCK | BPF_LIST_HEAD | BPF_LIST_NODE |
-						  BPF_RB_ROOT | BPF_RB_NODE | BPF_REFCOUNT, t->size);
+						  BPF_RB_ROOT | BPF_RB_NODE | BPF_REFCOUNT |
+						  BPF_KPTR, t->size);
 		/* The record cannot be unset, treat it as an error if so */
 		if (IS_ERR_OR_NULL(record)) {
 			ret = PTR_ERR_OR_ZERO(record) ?: -EFAULT;
@@ -5737,6 +5738,8 @@ static struct btf *btf_parse(const union bpf_attr *attr, bpfptr_t uattr, u32 uat
 	if (err)
 		goto errout;
 
+	refcount_set(&btf->refcnt, 1);
+
 	struct_meta_tab = btf_parse_struct_metas(&env->log, btf);
 	if (IS_ERR(struct_meta_tab)) {
 		err = PTR_ERR(struct_meta_tab);
@@ -5759,7 +5762,6 @@ static struct btf *btf_parse(const union bpf_attr *attr, bpfptr_t uattr, u32 uat
 		goto errout_free;
 
 	btf_verifier_env_free(env);
-	refcount_set(&btf->refcnt, 1);
 	return btf;
 
 errout_meta:

From patchwork Sun Jul 28 03:01:13 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amery Hung <ameryhung@gmail.com>
X-Patchwork-Id: 13743833
X-Patchwork-Delegate: bpf@iogearbox.net
Received: from mail-qv1-f49.google.com (mail-qv1-f49.google.com
 [209.85.219.49])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 15BA81878
	for <bpf@vger.kernel.org>; Sun, 28 Jul 2024 03:01:43 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.219.49
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1722135705; cv=none;
 b=m9NHlrAQGB3/mmw6gWplSevQtXxy61l8WdRyjBg+hMZWMqvY7McMfxCyJxgoiamYomT+VFjxTiRdlrMxU640xBOiqsxPDW57DcGcQB1wqXA9b8sSne4SdnXfjsoa5PcMrj/HoMe3tDYRUtkMrs8FZAY8JuSwOFSeVKt/+FAEDYo=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1722135705; c=relaxed/simple;
	bh=FI+7PpmYERHcN7kZKiPxVQPdW9F9QF+EU5ns2A9gpaY=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version;
 b=HheWk2laVh+BnLWpXAHc87yjIdBktpFNgxVc537k2FXtxo4TEmMV6AXeKcZ86Lk2If/2VlRH2Q8ediVug+h4ccsVUUhyQDcCeBJfRaqX0fyONbhoGpqfjFZF0Zo2X2+GYPln1F0pgFxH8cLrqGRD3Ixe6n/HdxTgRZTMtoGndVY=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=aFn/xxOC; arc=none smtp.client-ip=209.85.219.49
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="aFn/xxOC"
Received: by mail-qv1-f49.google.com with SMTP id
 6a1803df08f44-6b5dfcfb165so12009216d6.0
        for <bpf@vger.kernel.org>; Sat, 27 Jul 2024 20:01:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1722135703; x=1722740503;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=clVPQtJRsi/+mven7CF4nTrZtDHLvSg6be5RIZKCKoY=;
        b=aFn/xxOCdhU7sB7VQxtDKPc6OgoPbOdb+R9BHvR4l7VkMDynTggnf4m4MK/FxTkuvv
         AtpWplDz35MCroq6fKMW7gK2qkZOZih/9IIW81LNpT+0wi6SnZ13djQQ2kDZ1VDfSrdR
         mA4UC380HqH4t7UtCqu1ym/nZupLbgtEwDnQdRsxS2spSXna4BJCYdXRBn/6sNCwBOlQ
         ya6Mhy77bTIkV5/YJ0B7Y5Jg+aLgG85T7nAOpPI84ONHCTqj9o+NJ194Umr6nuYbk+G9
         bjKP1vCKnEPtDaDoQ+093MUxVpBUgLVrKFjoCGCejNfQjtKUjbINeIl/7/H3StDqqAP6
         UW4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1722135703; x=1722740503;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=clVPQtJRsi/+mven7CF4nTrZtDHLvSg6be5RIZKCKoY=;
        b=T4nW95F94hfPiKygREekwMW+b3LN21eMJpUFks35/3bIzxu0uxCCibIoR6tuaXQHjo
         HJ80UPosjVsZ+URTUKhq8rvxNjpu1oJJQPKZzEvPJpB/S4I5onRzTn5ALuQshkMMw96D
         lP2g0Wi6KtyUpFJJ6Ow7c+UtW5D+vB5nBGOWoT+zBojiC+C4mhGpVxZNH6UYRN9Iq8Z0
         CmmKIAd6O0byjaLIUslehPbXvm5smtGdO0LvRiNClpPr/ZKi4Bd6dPUCwIGPrkm2ycwc
         BjKtM3VSh1A16IxONskZIV0ddoceQob6iYzDvlKzvcVXsTFqVNK0zRR4kMQfmq6a2yP6
         Jhww==
X-Gm-Message-State: AOJu0Yy6qLPX3w+eeldjyUGU6ljEuxAcVQsBzdQDN7WxzTu1X3dLJigf
	cLCtIwStSAeCm7+RQQBMKod2J2E887YBenXmonaC36DAanwEOiF2Dg5oRw==
X-Google-Smtp-Source: 
 AGHT+IEKceGUpqGLO9XBTfVEayLnulCK/LDZNFDI64XqnIhfaEtbWLAEKWNj4a6VITbpLFkp56loIg==
X-Received: by 2002:ad4:4ea8:0:b0:6b7:ac31:ad19 with SMTP id
 6a1803df08f44-6bb55a700dbmr44620366d6.24.1722135702679;
        Sat, 27 Jul 2024 20:01:42 -0700 (PDT)
Received: from n36-183-057.byted.org ([139.177.233.179])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bb3f90e7b9sm37953306d6.52.2024.07.27.20.01.42
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sat, 27 Jul 2024 20:01:42 -0700 (PDT)
From: Amery Hung <ameryhung@gmail.com>
X-Google-Original-From: Amery Hung <amery.hung@bytedance.com>
To: bpf@vger.kernel.org
Cc: daniel@iogearbox.net,
	andrii@kernel.org,
	alexei.starovoitov@gmail.com,
	martin.lau@kernel.org,
	sinquersw@gmail.com,
	davemarchevsky@fb.com,
	ameryhung@gmail.com,
	Amery Hung <amery.hung@bytedance.com>
Subject: [PATCH v1 bpf-next 2/4] bpf: Rename ARG_PTR_TO_KPTR ->
 ARG_KPTR_XCHG_DEST
Date: Sun, 28 Jul 2024 03:01:13 +0000
Message-Id: <20240728030115.3970543-3-amery.hung@bytedance.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20240728030115.3970543-1-amery.hung@bytedance.com>
References: <20240728030115.3970543-1-amery.hung@bytedance.com>
Precedence: bulk
X-Mailing-List: bpf@vger.kernel.org
List-Id: <bpf.vger.kernel.org>
List-Subscribe: <mailto:bpf+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:bpf+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Patchwork-Delegate: bpf@iogearbox.net

From: Dave Marchevsky <davemarchevsky@fb.com>

ARG_PTR_TO_KPTR is currently only used by the bpf_kptr_xchg helper.
Although it limits reg types for that helper's first arg to
PTR_TO_MAP_VALUE, any arbitrary mapval won't do: further custom
verification logic ensures that the mapval reg being xchgd-into is
pointing to a kptr field. If this is not the case, it's not safe to xchg
into that reg's pointee.

Let's rename the bpf_arg_type to more accurately describe the fairly
specific expectations that this arg type encodes.

This is a nonfunctional change.

Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com>
Signed-off-by: Amery Hung <amery.hung@bytedance.com>
---
 include/linux/bpf.h   | 2 +-
 kernel/bpf/helpers.c  | 2 +-
 kernel/bpf/verifier.c | 6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 7ad37cbdc815..f853e350c057 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -744,7 +744,7 @@ enum bpf_arg_type {
 	ARG_PTR_TO_STACK,	/* pointer to stack */
 	ARG_PTR_TO_CONST_STR,	/* pointer to a null terminated read-only string */
 	ARG_PTR_TO_TIMER,	/* pointer to bpf_timer */
-	ARG_PTR_TO_KPTR,	/* pointer to referenced kptr */
+	ARG_KPTR_XCHG_DEST,	/* pointer to destination that kptrs are bpf_kptr_xchg'd into */
 	ARG_PTR_TO_DYNPTR,      /* pointer to bpf_dynptr. See bpf_type_flag for dynptr type */
 	__BPF_ARG_TYPE_MAX,
 
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index d02ae323996b..8ecd8dc95f16 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -1636,7 +1636,7 @@ static const struct bpf_func_proto bpf_kptr_xchg_proto = {
 	.gpl_only     = false,
 	.ret_type     = RET_PTR_TO_BTF_ID_OR_NULL,
 	.ret_btf_id   = BPF_PTR_POISON,
-	.arg1_type    = ARG_PTR_TO_KPTR,
+	.arg1_type    = ARG_KPTR_XCHG_DEST,
 	.arg2_type    = ARG_PTR_TO_BTF_ID_OR_NULL | OBJ_RELEASE,
 	.arg2_btf_id  = BPF_PTR_POISON,
 };
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 1f5302fb0957..9f2964b13b46 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -8399,7 +8399,7 @@ static const struct bpf_reg_types func_ptr_types = { .types = { PTR_TO_FUNC } };
 static const struct bpf_reg_types stack_ptr_types = { .types = { PTR_TO_STACK } };
 static const struct bpf_reg_types const_str_ptr_types = { .types = { PTR_TO_MAP_VALUE } };
 static const struct bpf_reg_types timer_types = { .types = { PTR_TO_MAP_VALUE } };
-static const struct bpf_reg_types kptr_types = { .types = { PTR_TO_MAP_VALUE } };
+static const struct bpf_reg_types kptr_xchg_dest_types = { .types = { PTR_TO_MAP_VALUE } };
 static const struct bpf_reg_types dynptr_types = {
 	.types = {
 		PTR_TO_STACK,
@@ -8431,7 +8431,7 @@ static const struct bpf_reg_types *compatible_reg_types[__BPF_ARG_TYPE_MAX] = {
 	[ARG_PTR_TO_STACK]		= &stack_ptr_types,
 	[ARG_PTR_TO_CONST_STR]		= &const_str_ptr_types,
 	[ARG_PTR_TO_TIMER]		= &timer_types,
-	[ARG_PTR_TO_KPTR]		= &kptr_types,
+	[ARG_KPTR_XCHG_DEST]		= &kptr_xchg_dest_types,
 	[ARG_PTR_TO_DYNPTR]		= &dynptr_types,
 };
 
@@ -9031,7 +9031,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
 			return err;
 		break;
 	}
-	case ARG_PTR_TO_KPTR:
+	case ARG_KPTR_XCHG_DEST:
 		err = process_kptr_func(env, regno, meta);
 		if (err)
 			return err;

From patchwork Sun Jul 28 03:01:14 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amery Hung <ameryhung@gmail.com>
X-Patchwork-Id: 13743834
X-Patchwork-Delegate: bpf@iogearbox.net
Received: from mail-qv1-f43.google.com (mail-qv1-f43.google.com
 [209.85.219.43])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8701F1B86DC
	for <bpf@vger.kernel.org>; Sun, 28 Jul 2024 03:01:44 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.219.43
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1722135706; cv=none;
 b=b82PLe69QJ1M0XLnV4Ydos8CDAE0Yxl8e9HBUMRpRCt17EfEsd4GjlgU0m1htjOFG+PQe9etri6xGgttpqsHcXepqCfX6jYKDbc/zc+1ntbkXh7/XpDmX9lmg2Ko6xp2LrFJPwP2V6O+i5FjlnXyAWFpVJC8E11Dp5kW+g+ySDU=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1722135706; c=relaxed/simple;
	bh=FmYOYsNEZAG9lENfVu5cohFab+lVJzPyw9ok0H3YQB4=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version;
 b=ffQYBIhyd5UKGCvhJHSP2GQSMzy4Ah6FD6p+HtXYj1SIpsf6FKUbVEgWEnwAti9Lv+PKqQHVy1/6lsT4Wb6EONC73VjHL217iuDdhHeY8cnft+X8Ks7V8R6DRxSvSQFS1MVVF8SRXez9W2ksheZOy0QId+163acT3IkpIPhXG9I=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=BIAOyvvg; arc=none smtp.client-ip=209.85.219.43
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="BIAOyvvg"
Received: by mail-qv1-f43.google.com with SMTP id
 6a1803df08f44-6b7b28442f9so22031016d6.3
        for <bpf@vger.kernel.org>; Sat, 27 Jul 2024 20:01:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1722135703; x=1722740503;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=md7GflDFfPw9u7WBE5P4rTBb0KC5ivuwZOG/KYaPFVI=;
        b=BIAOyvvgVg75F/fXX2KCqO/O6n5j6W/nTrhcTFO2meU1UI+upCebVGEU6N+CTzHtH6
         OEGn+wBCm37qkd5mVwo7ggIFPAp/Y2b0a7pn0ze3HTvRDvKTX9z6i6E4W35kkV5Rk3bP
         0nrcNHPd5yUdBV9hJ0IXdo2NTm1G+A4ufkc7v8XDLhI6QyE9LUr76j/CCtYF3uAtaYjO
         tJv8bbX9E5CwQ8xRNrWteUQWWu2ZsybS91t0IJ3rpTNKkjri3un2cIjwFSO4RscHyi3B
         17I7BJAuC/KoVVxrX6Vm6TP9DwiIZKKTtaAO6yTtPbjG4AcFATy6VUni6Wn/8PXtNrQw
         ZrBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1722135703; x=1722740503;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=md7GflDFfPw9u7WBE5P4rTBb0KC5ivuwZOG/KYaPFVI=;
        b=Noaef/liMm04R0aiOgAesWbEDcaUZf5tNGKGsuxcIh7RfrJI5cdsGrytYt6U/Aq6eX
         PJIwFjI+f5TtYM6xK9EsOVB8s1WsKt6Pl8yBO9Jb+FE1W5hAMxbRRsbCBymzN0DJKltI
         pVSmNbtuhGaKOJCPl0FcO3BrGcrn7FTj0RMa6NKMbzbXa7lPRoRS4HO8sW+/QPkeTTtA
         cKVK86Iav6tyEPOHG13pTs5Ho7QO1Gm1z1ZIO3pAaDsT7bCr5k8o0bCGP+XnXazBTwtU
         YAA/+TshBmaKNfx2gnaM1G7YlaJYN+12mDpXF+QU5WBYqD8B35n/ZA0xzOQcR+vot1QC
         ugJw==
X-Gm-Message-State: AOJu0YxNooZIDsr4oD7mvwVWIpe7bTSjjeFMCiFeU1Fce7sjdZsloUJC
	0mHHDTSsMZPoifckhYoPgHuXhX9wpdBhFZDqEh0a32zEEU7uY/70hLR5Iw==
X-Google-Smtp-Source: 
 AGHT+IEQDyZHO6JBQYpTJGRJMScNiofljymPvQT1NEli300pU/NCoO+V9TXLiw44LfzDOHhdQ7xuRA==
X-Received: by 2002:a05:6214:b65:b0:6b5:97:1796 with SMTP id
 6a1803df08f44-6bb559b4d37mr63985946d6.12.1722135703156;
        Sat, 27 Jul 2024 20:01:43 -0700 (PDT)
Received: from n36-183-057.byted.org ([139.177.233.179])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bb3f90e7b9sm37953306d6.52.2024.07.27.20.01.42
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sat, 27 Jul 2024 20:01:42 -0700 (PDT)
From: Amery Hung <ameryhung@gmail.com>
X-Google-Original-From: Amery Hung <amery.hung@bytedance.com>
To: bpf@vger.kernel.org
Cc: daniel@iogearbox.net,
	andrii@kernel.org,
	alexei.starovoitov@gmail.com,
	martin.lau@kernel.org,
	sinquersw@gmail.com,
	davemarchevsky@fb.com,
	ameryhung@gmail.com,
	Amery Hung <amery.hung@bytedance.com>
Subject: [PATCH v1 bpf-next 3/4] bpf: Support bpf_kptr_xchg into local kptr
Date: Sun, 28 Jul 2024 03:01:14 +0000
Message-Id: <20240728030115.3970543-4-amery.hung@bytedance.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20240728030115.3970543-1-amery.hung@bytedance.com>
References: <20240728030115.3970543-1-amery.hung@bytedance.com>
Precedence: bulk
X-Mailing-List: bpf@vger.kernel.org
List-Id: <bpf.vger.kernel.org>
List-Subscribe: <mailto:bpf+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:bpf+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Patchwork-Delegate: bpf@iogearbox.net

From: Dave Marchevsky <davemarchevsky@fb.com>

Currently, users can only stash kptr into map values with bpf_kptr_xchg().
This patch further supports stashing kptr into local kptr by adding local
kptr as a valid destination type.

When stashing into local kptr, btf_record in program BTF is used instead
of btf_record in map to search for the btf_field of the local kptr.

The local kptr specific checks in check_reg_type() only apply when the
source argument of bpf_kptr_xchg() is local kptr. Therefore, we make the
scope of the check explicit as the destination now can also be local kptr.

Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com>
Signed-off-by: Amery Hung <amery.hung@bytedance.com>
---
 kernel/bpf/verifier.c | 43 +++++++++++++++++++++++++++++--------------
 1 file changed, 29 insertions(+), 14 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 9f2964b13b46..20094b35053a 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7803,29 +7803,38 @@ static int process_kptr_func(struct bpf_verifier_env *env, int regno,
 			     struct bpf_call_arg_meta *meta)
 {
 	struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno];
-	struct bpf_map *map_ptr = reg->map_ptr;
 	struct btf_field *kptr_field;
+	struct bpf_map *map_ptr;
+	struct btf_record *rec;
 	u32 kptr_off;
 
+	if (type_is_ptr_alloc_obj(reg->type)) {
+		rec = reg_btf_record(reg);
+	} else { /* PTR_TO_MAP_VALUE */
+		map_ptr = reg->map_ptr;
+		if (!map_ptr->btf) {
+			verbose(env, "map '%s' has to have BTF in order to use bpf_kptr_xchg\n",
+				map_ptr->name);
+			return -EINVAL;
+		}
+		rec = map_ptr->record;
+		meta->map_ptr = map_ptr;
+	}
+
 	if (!tnum_is_const(reg->var_off)) {
 		verbose(env,
 			"R%d doesn't have constant offset. kptr has to be at the constant offset\n",
 			regno);
 		return -EINVAL;
 	}
-	if (!map_ptr->btf) {
-		verbose(env, "map '%s' has to have BTF in order to use bpf_kptr_xchg\n",
-			map_ptr->name);
-		return -EINVAL;
-	}
-	if (!btf_record_has_field(map_ptr->record, BPF_KPTR)) {
-		verbose(env, "map '%s' has no valid kptr\n", map_ptr->name);
+
+	if (!btf_record_has_field(rec, BPF_KPTR)) {
+		verbose(env, "R%d has no valid kptr\n", regno);
 		return -EINVAL;
 	}
 
-	meta->map_ptr = map_ptr;
 	kptr_off = reg->off + reg->var_off.value;
-	kptr_field = btf_record_find(map_ptr->record, kptr_off, BPF_KPTR);
+	kptr_field = btf_record_find(rec, kptr_off, BPF_KPTR);
 	if (!kptr_field) {
 		verbose(env, "off=%d doesn't point to kptr\n", kptr_off);
 		return -EACCES;
@@ -8399,7 +8408,12 @@ static const struct bpf_reg_types func_ptr_types = { .types = { PTR_TO_FUNC } };
 static const struct bpf_reg_types stack_ptr_types = { .types = { PTR_TO_STACK } };
 static const struct bpf_reg_types const_str_ptr_types = { .types = { PTR_TO_MAP_VALUE } };
 static const struct bpf_reg_types timer_types = { .types = { PTR_TO_MAP_VALUE } };
-static const struct bpf_reg_types kptr_xchg_dest_types = { .types = { PTR_TO_MAP_VALUE } };
+static const struct bpf_reg_types kptr_xchg_dest_types = {
+	.types = {
+		PTR_TO_MAP_VALUE,
+		PTR_TO_BTF_ID | MEM_ALLOC
+	}
+};
 static const struct bpf_reg_types dynptr_types = {
 	.types = {
 		PTR_TO_STACK,
@@ -8470,7 +8484,8 @@ static int check_reg_type(struct bpf_verifier_env *env, u32 regno,
 	if (base_type(arg_type) == ARG_PTR_TO_MEM)
 		type &= ~DYNPTR_TYPE_FLAG_MASK;
 
-	if (meta->func_id == BPF_FUNC_kptr_xchg && type_is_alloc(type)) {
+	/* local kptr types are allowed as the source argument of bpf_kptr_xchg */
+	if (meta->func_id == BPF_FUNC_kptr_xchg && type_is_alloc(type) && regno == BPF_REG_2) {
 		type &= ~MEM_ALLOC;
 		type &= ~MEM_PERCPU;
 	}
@@ -8563,7 +8578,7 @@ static int check_reg_type(struct bpf_verifier_env *env, u32 regno,
 			verbose(env, "verifier internal error: unimplemented handling of MEM_ALLOC\n");
 			return -EFAULT;
 		}
-		if (meta->func_id == BPF_FUNC_kptr_xchg) {
+		if (meta->func_id == BPF_FUNC_kptr_xchg && regno == BPF_REG_2) {
 			if (map_kptr_match_type(env, meta->kptr_field, reg, regno))
 				return -EACCES;
 		}
@@ -8874,7 +8889,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
 		meta->release_regno = regno;
 	}
 
-	if (reg->ref_obj_id) {
+	if (reg->ref_obj_id && base_type(arg_type) != ARG_KPTR_XCHG_DEST) {
 		if (meta->ref_obj_id) {
 			verbose(env, "verifier internal error: more than one arg with ref_obj_id R%d %u %u\n",
 				regno, reg->ref_obj_id,

From patchwork Sun Jul 28 03:01:15 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amery Hung <ameryhung@gmail.com>
X-Patchwork-Id: 13743835
X-Patchwork-Delegate: bpf@iogearbox.net
Received: from mail-qt1-f179.google.com (mail-qt1-f179.google.com
 [209.85.160.179])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 08B8E29A1
	for <bpf@vger.kernel.org>; Sun, 28 Jul 2024 03:01:44 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.160.179
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1722135706; cv=none;
 b=H7nSHQuBiMnXjTVQU+rMhRK/XP1S2iINC8OFfwrsm697yud+83sqh4Vv0dYkOWMNDpFrxu1bOdGMOJLoQ6l/di3yOrbiDBs2dTcHKuVjpANb/Gz/EaxGEc+eqyZtcU0yHxZ5bqij2usVpGnFRT2VhSRwCQn9bS/ro4YVH8dQDbw=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1722135706; c=relaxed/simple;
	bh=l1P0twASE3WuDsB2Wzvp+isvEb4480jvH/gplhPlzvY=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version;
 b=jpv7H0Q0a8shqkwgElSNwuW7r60R8RAyhbRBwKMhnPmMb40AchzsHvw0R0dXYCEBMoCH6BlayZO7V2DLK21oHPh4u1SEPItvmAaFLbAFaMG4Bab35IWDFdSVPn8OSYCjyZXjlBwWfWt1OPICz/l+RvfTVJeCTv1Sk02SX5azNH0=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=m6oUUPR9; arc=none smtp.client-ip=209.85.160.179
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="m6oUUPR9"
Received: by mail-qt1-f179.google.com with SMTP id
 d75a77b69052e-45007373217so8611411cf.0
        for <bpf@vger.kernel.org>; Sat, 27 Jul 2024 20:01:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1722135704; x=1722740504;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=q2T5ujHD/71naqt6MOMNh2CUrH17Rdn5Y7KDIc5IAEQ=;
        b=m6oUUPR9aZoizxXezYMtTxhapWgDibQ6faM+F9umsh/8wMEy77dvQBS8xOG/DnO46p
         h4BXNgvZmZNKJFIAP1bZyDOc8jpll6x6i1IHQ0eHMRmaL+WF1gWCAGNZa67wwa7eqFFt
         XXcMDy8r4tnDT/lWGaVKnX7EbP5CmksQkSuhRc1u68B0ZCF0r3oVEjn9SxTVcL34zMaY
         siOnGXmJhfyyb5NYgX52iss7U3ZfM5xM6cUKqsU+hXKH3kZFNrRUZloOSdRU9c3Xelzw
         xUtqPdhA/ke2SAlJk2yFTGcZs/qkpuKfF3LIjMnVNNDmMTzNVtg/seD0GGEsU7KBMqNx
         BFEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1722135704; x=1722740504;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=q2T5ujHD/71naqt6MOMNh2CUrH17Rdn5Y7KDIc5IAEQ=;
        b=k8Z4PDMhwaDvfYDHURnDLH34bKy72YPGmDyJBKqru67zoxEiNflvoYCaFoKtRITy5p
         nt4kEV8auaoCAalhQcNT8x1vWyh2qAaXbO1HWvX/7N9hf/HPAWiBonj0RVN2IrNCD4ot
         MEppAwflEOnL9F6f3tOUJPiCITegkh/xemLwzVVa2JwkLkqZPE4xCNa0dQiK1ALY5nS1
         q/J6nEvakigdPQnaYjEs00MvfAue7YOB+Qm2LWsp0ag82W/9G/LfooPwFk7THw0v7m2r
         PvK/OTTOqqD/IhCioKQ+7QMBy80OyuXQxXkuXHLZ/xipyJQ/0yIwFZtU9PQL3XspGGYK
         KjlQ==
X-Gm-Message-State: AOJu0YxhweCzUqpC0YCbl4jI9zNbQkl26V8gUi1d5TY9vUHQAsOuqRfZ
	DJh98r7vmYffxW8aYd6gb5ylqGnM9xNa61mUAB48U8np4HvpNDyq2x2CBw==
X-Google-Smtp-Source: 
 AGHT+IFkgAndNHAVdHYGQqo7pkj6/N7a1+X8RnO1k5kunXA04xdO9SlXXE2FhBYxrtriw3ZQOwRIgw==
X-Received: by 2002:a05:6214:27cf:b0:6b5:2aa3:3a7f with SMTP id
 6a1803df08f44-6bb56353750mr68108316d6.20.1722135703663;
        Sat, 27 Jul 2024 20:01:43 -0700 (PDT)
Received: from n36-183-057.byted.org ([139.177.233.179])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bb3f90e7b9sm37953306d6.52.2024.07.27.20.01.43
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sat, 27 Jul 2024 20:01:43 -0700 (PDT)
From: Amery Hung <ameryhung@gmail.com>
X-Google-Original-From: Amery Hung <amery.hung@bytedance.com>
To: bpf@vger.kernel.org
Cc: daniel@iogearbox.net,
	andrii@kernel.org,
	alexei.starovoitov@gmail.com,
	martin.lau@kernel.org,
	sinquersw@gmail.com,
	davemarchevsky@fb.com,
	ameryhung@gmail.com,
	Amery Hung <amery.hung@bytedance.com>
Subject: [PATCH v1 bpf-next 4/4] selftests/bpf: Test bpf_kptr_xchg stashing
 into local kptr
Date: Sun, 28 Jul 2024 03:01:15 +0000
Message-Id: <20240728030115.3970543-5-amery.hung@bytedance.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20240728030115.3970543-1-amery.hung@bytedance.com>
References: <20240728030115.3970543-1-amery.hung@bytedance.com>
Precedence: bulk
X-Mailing-List: bpf@vger.kernel.org
List-Id: <bpf.vger.kernel.org>
List-Subscribe: <mailto:bpf+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:bpf+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Patchwork-Delegate: bpf@iogearbox.net

From: Dave Marchevsky <davemarchevsky@fb.com>

Test stashing a referenced kptr in to a local kptr.

Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com>
Signed-off-by: Amery Hung <amery.hung@bytedance.com>
---
 .../selftests/bpf/progs/local_kptr_stash.c    | 22 +++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/tools/testing/selftests/bpf/progs/local_kptr_stash.c b/tools/testing/selftests/bpf/progs/local_kptr_stash.c
index 75043ffc5dad..a0d784e8a05b 100644
--- a/tools/testing/selftests/bpf/progs/local_kptr_stash.c
+++ b/tools/testing/selftests/bpf/progs/local_kptr_stash.c
@@ -11,6 +11,7 @@
 struct node_data {
 	long key;
 	long data;
+	struct prog_test_ref_kfunc __kptr *stashed_in_node;
 	struct bpf_rb_node node;
 };
 
@@ -85,18 +86,35 @@ static bool less(struct bpf_rb_node *a, const struct bpf_rb_node *b)
 
 static int create_and_stash(int idx, int val)
 {
+	struct prog_test_ref_kfunc *inner;
 	struct map_value *mapval;
 	struct node_data *res;
+	unsigned long dummy;
 
 	mapval = bpf_map_lookup_elem(&some_nodes, &idx);
 	if (!mapval)
 		return 1;
 
+	dummy = 0;
+	inner = bpf_kfunc_call_test_acquire(&dummy);
+	if (!inner)
+		return 2;
+
 	res = bpf_obj_new(typeof(*res));
-	if (!res)
-		return 1;
+	if (!res) {
+		bpf_kfunc_call_test_release(inner);
+		return 3;
+	}
 	res->key = val;
 
+	inner = bpf_kptr_xchg(&res->stashed_in_node, inner);
+	if (inner) {
+		/* Should never happen, we just obj_new'd res */
+		bpf_kfunc_call_test_release(inner);
+		bpf_obj_drop(res);
+		return 4;
+	}
+
 	res = bpf_kptr_xchg(&mapval->node, res);
 	if (res)
 		bpf_obj_drop(res);