Following discussion in the "bpf: tail calls in sleepable programs" [1],
this series extends __bpf_prog_map_compatible() with additional per-program
compatibility checks.

The series validates these attributes:

* kprobe_write_ctx: for uprobe programs that can update pt_regs.
* call_get_func_ip: for tracing programs using bpf_get_func_ip().
* call_session_cookie: for fsession programs using bpf_session_cookie().

kprobe_write_ctx progs can be abused to modify pt_regs of kprobe progs via
tail calls. As in the test in patch #6, a kprobe prog can "regs->di = 0;"
when it runs as a tail callee. Thus, bpf_prog_test_run_opts() gets -EFAULT
instead of success.

call_get_func_ip progs could get a bogus func IP when they run as tail
callees, because the tail caller does not prepare the func IP on the
trampoline stack. As in the test in patch #6, it gets the RBX value on
stack instead of the true func IP.

call_session_cookie progs can modify the first arg value on the trampoline
stack. As in the test in patch #6, bpf_prog_test_run_opts() also gets -EFAULT
because the first arg is modified by "*cookie = 0;".

Links:
[1] https://lore.kernel.org/bpf/[email protected]/

Changes:
v2 -> v3:
* Address comment from bot+bpf-ci:
  * Guard call_get_func_ip and call_session_cookie with "has_trampoline" for
    BPF_MAP_OWNER_MATCH_FOR_INIT.
* v2: https://lore.kernel.org/bpf/[email protected]/

v1 -> v2:
* Factor out bpf_map_owner_init() and bpf_map_owner_matches() helpers.
* Drop the "call_session_is_return" case, because the "is_return" value is
  always prepared for fsession progs.
* Address comments from Alexei:
  * Use bitfields like 'u32 jited:1;'.
  * Reimplement selftests.
* v1: https://lore.kernel.org/bpf/[email protected]/

Leon Hwang (6):
  bpf: Add fsession to verbose log in check_get_func_ip()
  bpf: Factor out bpf_map_owner_[init,matches]() helpers
  bpf: Disallow !kprobe_write_ctx progs tail-calling kprobe_write_ctx
    progs
  bpf: Disallow !call_get_func_ip progs tail-calling call_get_func_ip
    progs
  bpf: Disallow !call_session_cookie progs tail-calling
    call_session_cookie progs
  selftests/bpf: Add tests to verify prog_array map compatibility

 include/linux/bpf.h                           |   9 +-
 kernel/bpf/core.c                             | 141 +++++---
 kernel/bpf/verifier.c                         |   2 +-
 .../selftests/bpf/prog_tests/tailcalls.c      | 319 ++++++++++++++++++
 .../bpf/progs/tailcall_map_compatible.c       | 103 ++++++
 5 files changed, 524 insertions(+), 50 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/progs/tailcall_map_compatible.c

-- 
2.52.0
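A user-space C model of the owner-matching rule this series describes, written for this page and not taken from the kernel: the first program a prog_array map accepts records its attribute bits, and every later program must match them, so a kprobe_write_ctx, call_get_func_ip or call_session_cookie program cannot become a tail callee of a program without that attribute. The struct and function names, the has_trampoline field and the exact form of the guard are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Per-program attributes, kept as 1-bit fields as the series does. */
struct prog_attrs {
	uint32_t jited:1;
	uint32_t has_trampoline:1;   /* assumed: prog runs via a BPF trampoline */
	uint32_t kprobe_write_ctx:1;
	uint32_t call_get_func_ip:1;
	uint32_t call_session_cookie:1;
};

/* What a prog_array map remembers about the first program it accepted. */
struct map_owner {
	bool initialised;
	struct prog_attrs attrs;
};

/* Record the first program's attributes (stands in for bpf_map_owner_init()). */
static void map_owner_init(struct map_owner *o, const struct prog_attrs *p)
{
	o->attrs = *p;
	o->initialised = true;
}

/* Compare a later program against the owner (stands in for bpf_map_owner_matches()).
 * Assumption: the two trampoline-dependent bits are only compared when a
 * trampoline-run program is involved, which is how this model reads the v3 guard. */
static bool map_owner_matches(const struct map_owner *o, const struct prog_attrs *p)
{
	const struct prog_attrs *a = &o->attrs;

	if (a->jited != p->jited || a->kprobe_write_ctx != p->kprobe_write_ctx)
		return false;
	if ((a->has_trampoline || p->has_trampoline) &&
	    (a->call_get_func_ip != p->call_get_func_ip ||
	     a->call_session_cookie != p->call_session_cookie))
		return false;
	return true;
}

/* The first program initialises the owner; every later one must match it. */
bool prog_map_compatible(struct map_owner *o, const struct prog_attrs *p)
{
	if (!o->initialised) {
		map_owner_init(o, p);
		return true;
	}
	return map_owner_matches(o, p);
}
```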
