[PATCH AUTOSEL for 4.15 45/78] bpf/cgroup: fix a verification error for a CGROUP_DEVICE type prog

2018-03-07 Thread Sasha Levin 
From: Yonghong Song 

[ Upstream commit 06ef0ccb5a36e1feba9b413ff59a04ecc4407c1c ]

The tools/testing/selftests/bpf test program
test_dev_cgroup fails with the following error
when compiled with llvm 6.0. (I did not try
with earlier versions.)

  libbpf: load bpf program failed: Permission denied
  libbpf: -- BEGIN DUMP LOG ---
  libbpf:
  0: (61) r2 = *(u32 *)(r1 +4)
  1: (b7) r0 = 0
  2: (55) if r2 != 0x1 goto pc+8
   R0=inv0 R1=ctx(id=0,off=0,imm=0) R2=inv1 R10=fp0
  3: (69) r2 = *(u16 *)(r1 +0)
  invalid bpf_context access off=0 size=2
  ...

The culprit is the following statement in dev_cgroup.c:
  short type = ctx->access_type & 0x;
This code is typical as the ctx->access_type is assigned
as below in kernel/bpf/cgroup.c:
  struct bpf_cgroup_dev_ctx ctx = {
.access_type = (access << 16) | dev_type,
.major = major,
.minor = minor,
  };

The compiler converts it to u16 access while
the verifier cgroup_dev_is_valid_access rejects
any non u32 access.

This patch permits the field access_type to be accessible
with type u16 and u8 as well.

Signed-off-by: Yonghong Song 
Tested-by: Roman Gushchin 
Signed-off-by: Daniel Borkmann 
Signed-off-by: Sasha Levin 
---
 include/uapi/linux/bpf.h |  3 ++-
 kernel/bpf/cgroup.c  | 15 +--
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 4c223ab30293..04b2f613dd06 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -995,7 +995,8 @@ struct bpf_perf_event_value {
 #define BPF_DEVCG_DEV_CHAR (1ULL << 1)
 
 struct bpf_cgroup_dev_ctx {
-   __u32 access_type; /* (access << 16) | type */
+   /* access_type encoded as (BPF_DEVCG_ACC_* << 16) | BPF_DEVCG_DEV_* */
+   __u32 access_type;
__u32 major;
__u32 minor;
 };
diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index b789ab78d28f..c1c0b60d3f2f 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -568,6 +568,8 @@ static bool cgroup_dev_is_valid_access(int off, int size,
   enum bpf_access_type type,
   struct bpf_insn_access_aux *info)
 {
+   const int size_default = sizeof(__u32);
+
if (type == BPF_WRITE)
return false;
 
@@ -576,8 +578,17 @@ static bool cgroup_dev_is_valid_access(int off, int size,
/* The verifier guarantees that size > 0. */
if (off % size != 0)
return false;
-   if (size != sizeof(__u32))
-   return false;
+
+   switch (off) {
+   case bpf_ctx_range(struct bpf_cgroup_dev_ctx, access_type):
+   bpf_ctx_record_field_size(info, size_default);
+   if (!bpf_ctx_narrow_access_ok(off, size, size_default))
+   return false;
+   break;
+   default:
+   if (size != size_default)
+   return false;
+   }
 
return true;
 }
-- 
2.14.1

[PATCH AUTOSEL for 4.15 45/78] bpf/cgroup: fix a verification error for a CGROUP_DEVICE type prog

2018-03-07 Thread Sasha Levin 
From: Yonghong Song 

[ Upstream commit 06ef0ccb5a36e1feba9b413ff59a04ecc4407c1c ]

The tools/testing/selftests/bpf test program
test_dev_cgroup fails with the following error
when compiled with llvm 6.0. (I did not try
with earlier versions.)

  libbpf: load bpf program failed: Permission denied
  libbpf: -- BEGIN DUMP LOG ---
  libbpf:
  0: (61) r2 = *(u32 *)(r1 +4)
  1: (b7) r0 = 0
  2: (55) if r2 != 0x1 goto pc+8
   R0=inv0 R1=ctx(id=0,off=0,imm=0) R2=inv1 R10=fp0
  3: (69) r2 = *(u16 *)(r1 +0)
  invalid bpf_context access off=0 size=2
  ...

The culprit is the following statement in dev_cgroup.c:
  short type = ctx->access_type & 0x;
This code is typical as the ctx->access_type is assigned
as below in kernel/bpf/cgroup.c:
  struct bpf_cgroup_dev_ctx ctx = {
.access_type = (access << 16) | dev_type,
.major = major,
.minor = minor,
  };

The compiler converts it to u16 access while
the verifier cgroup_dev_is_valid_access rejects
any non u32 access.

This patch permits the field access_type to be accessible
with type u16 and u8 as well.

Signed-off-by: Yonghong Song 
Tested-by: Roman Gushchin 
Signed-off-by: Daniel Borkmann 
Signed-off-by: Sasha Levin 
---
 include/uapi/linux/bpf.h |  3 ++-
 kernel/bpf/cgroup.c  | 15 +--
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 4c223ab30293..04b2f613dd06 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -995,7 +995,8 @@ struct bpf_perf_event_value {
 #define BPF_DEVCG_DEV_CHAR (1ULL << 1)
 
 struct bpf_cgroup_dev_ctx {
-   __u32 access_type; /* (access << 16) | type */
+   /* access_type encoded as (BPF_DEVCG_ACC_* << 16) | BPF_DEVCG_DEV_* */
+   __u32 access_type;
__u32 major;
__u32 minor;
 };
diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index b789ab78d28f..c1c0b60d3f2f 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -568,6 +568,8 @@ static bool cgroup_dev_is_valid_access(int off, int size,
   enum bpf_access_type type,
   struct bpf_insn_access_aux *info)
 {
+   const int size_default = sizeof(__u32);
+
if (type == BPF_WRITE)
return false;
 
@@ -576,8 +578,17 @@ static bool cgroup_dev_is_valid_access(int off, int size,
/* The verifier guarantees that size > 0. */
if (off % size != 0)
return false;
-   if (size != sizeof(__u32))
-   return false;
+
+   switch (off) {
+   case bpf_ctx_range(struct bpf_cgroup_dev_ctx, access_type):
+   bpf_ctx_record_field_size(info, size_default);
+   if (!bpf_ctx_narrow_access_ok(off, size, size_default))
+   return false;
+   break;
+   default:
+   if (size != size_default)
+   return false;
+   }
 
return true;
 }
-- 
2.14.1