From patchwork Tue Mar 12 17:23:01 2019
X-Patchwork-Submitter: Martin KaFai Lau
X-Patchwork-Id: 1055597
From: Martin KaFai Lau
CC: Alexei Starovoitov, Daniel Borkmann, Lorenz Bauer
Subject: [PATCH v4 bpf 0/5] Fix bpf_tcp_sock and bpf_sk_fullsock issue related to bpf_sk_release
Date: Tue, 12 Mar 2019 10:23:01 -0700
Message-ID: <20190312172301.590390-1-kafai@fb.com>
X-Mailing-List: netdev@vger.kernel.org

This set addresses an issue about accessing an invalid ptr returned from
bpf_tcp_sock() and bpf_sk_fullsock() after bpf_sk_release().

v4:
- Tried the one "id" approach. It does not work well and the reason is in
  the Patch 1 commit message.
- Rename refcount_id to ref_obj_id.
- With ref_obj_id, resetting reg->id to 0 is fine in mark_ptr_or_null_reg()
  because ref_obj_id is passed to release_reference() instead of reg->id.
- Also reset reg->ref_obj_id in mark_ptr_or_null_reg() when is_null == true
- sk_to_full_sk() is removed from bpf_sk_fullsock() and bpf_tcp_sock().
- bpf_get_listener_sock() is added to do sk_to_full_sk() in Patch 2.
- If tp is from bpf_tcp_sock(sk) and sk is a refcounted ptr,
  bpf_sk_release(tp) is also allowed.

v3:
- reset reg->refcount_id for the is_null case in mark_ptr_or_null_reg()

v2:
- Remove refcount_id arg from release_reference() because
  id == refcount_id
- Add a WARN_ON_ONCE to mark_ptr_or_null_regs() to catch
  an internal verifier bug.

Martin KaFai Lau (5):
  bpf: Fix bpf_tcp_sock and bpf_sk_fullsock issue related to
    bpf_sk_release
  bpf: Add bpf_get_listener_sock(struct bpf_sock *sk) helper
  bpf: Sync bpf.h to tools/
  bpf: Test ref release issue in bpf_tcp_sock and bpf_sk_fullsock
  bpf: Add an example for bpf_get_listener_sock

 include/linux/bpf.h                           |   1 -
 include/linux/bpf_verifier.h                  |  40 +++++
 include/uapi/linux/bpf.h                      |  11 +-
 kernel/bpf/verifier.c                         | 131 ++++++++------
 net/core/filter.c                             |  27 ++-
 tools/include/uapi/linux/bpf.h                |  11 +-
 tools/testing/selftests/bpf/bpf_helpers.h     |   2 +
 .../bpf/progs/test_sock_fields_kern.c         |  88 +++++++--
 .../testing/selftests/bpf/test_sock_fields.c  | 134 +++++++++++---
 .../selftests/bpf/verifier/ref_tracking.c     | 168 ++++++++++++++++++
 tools/testing/selftests/bpf/verifier/sock.c   |   4 +-
 11 files changed, 506 insertions(+), 111 deletions(-)
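
A simplified model of the id / ref_obj_id split described in the v4 notes, as an added example that is not part of the posted series and is not kernel code. The struct, enum and function names are hypothetical, and the model assumes that a pointer returned by bpf_tcp_sock(sk) or bpf_sk_fullsock(sk) carries the ref_obj_id of sk.

```c
/* Simplified model of verifier register state (added example, not kernel code). */
#include <stdbool.h>
#include <stddef.h>

enum rtype { SCALAR, PTR_OR_NULL, PTR };	/* only PTR may be dereferenced */
struct reg { enum rtype type; unsigned id, ref_obj_id; };
static unsigned next_id;

/* Acquiring helper such as bpf_sk_lookup_tcp(): id and ref_obj_id start equal. */
void acquire(struct reg *r) {
	r->type = PTR_OR_NULL;
	r->id = r->ref_obj_id = ++next_id;
}

/* bpf_tcp_sock(sk) or bpf_sk_fullsock(sk): own id, ref_obj_id copied from sk. */
void derive(struct reg *dst, const struct reg *src) {
	*dst = (struct reg){ PTR_OR_NULL, ++next_id, src->ref_obj_id };
}

/* NULL check on one id: id is always reset, ref_obj_id only on the NULL branch. */
void null_check(struct reg *regs, size_t n, unsigned id, bool is_null) {
	for (size_t i = 0; i < n; i++) {
		if (regs[i].type != PTR_OR_NULL || regs[i].id != id)
			continue;
		regs[i] = (struct reg){ is_null ? SCALAR : PTR, 0,
					is_null ? 0 : regs[i].ref_obj_id };
	}
}

/* bpf_sk_release(r): invalidate every register that shares r's ref_obj_id. */
bool release(struct reg *regs, size_t n, const struct reg *r) {
	unsigned ref = r->ref_obj_id;
	if (r->type != PTR || !ref)
		return false;	/* not a NULL-checked, refcounted pointer */
	for (size_t i = 0; i < n; i++)
		if (regs[i].ref_obj_id == ref)
			regs[i] = (struct reg){ SCALAR, 0, 0 };
	return true;
}

/* sk = lookup; tp = bpf_tcp_sock(sk); bpf_sk_release(sk); is tp still usable? */
bool tp_usable_after_sk_release(void) {
	struct reg r[2] = { 0 };	/* r[0] = sk, r[1] = tp */
	acquire(&r[0]);
	null_check(r, 2, r[0].id, false);
	derive(&r[1], &r[0]);
	null_check(r, 2, r[1].id, false);
	release(r, 2, &r[0]);
	return r[1].type == PTR;	/* false: tp was invalidated with sk */
}
```

After both NULL checks every id in the model is 0, so only ref_obj_id still links tp to sk at release time.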