Commit 5cf1e914 authored by brakmo's avatar brakmo Committed by Alexei Starovoitov
Browse files

bpf: cgroup inet skb programs can return 0 to 3 



Allows cgroup inet skb programs to return values in the range [0, 3].
The second bit is used to deterine if congestion occurred and higher
level protocol should decrease rate. E.g. TCP would call tcp_enter_cwr()

The bpf_prog must set expected_attach_type to BPF_CGROUP_INET_EGRESS
at load time if it uses the new return values (i.e. 2 or 3).

The expected_attach_type is currently not enforced for
BPF_PROG_TYPE_CGROUP_SKB.  e.g Meaning the current bpf_prog with
expected_attach_type setting to BPF_CGROUP_INET_EGRESS can attach to
BPF_CGROUP_INET_INGRESS.  Blindly enforcing expected_attach_type will
break backward compatibility.

This patch adds a enforce_expected_attach_type bit to only
enforce the expected_attach_type when it uses the new
return value.

Signed-off-by: default avatarLawrence Brakmo <brakmo@fb.com>
Signed-off-by: default avatarMartin KaFai Lau <kafai@fb.com>
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parent 1f52f6c0

include/linux/filter.h

+2 −1
Original line number Diff line number Diff line
@@ -526,7 +526,8 @@ struct bpf_prog { 
				blinded:1,	/* Was blinded */

				is_func:1,	/* program is a bpf function */

				kprobe_override:1, /* Do we override a kprobe? */

				has_callchain_buf:1; /* callchain buffer allocated? */

				has_callchain_buf:1, /* callchain buffer allocated? */

				enforce_expected_attach_type:1; /* Enforce expected_attach_type checking at attach time */

	enum bpf_prog_type	type;		/* Type of BPF program */

	enum bpf_attach_type	expected_attach_type; /* For some prog types */

	u32			len;		/* Number of filter blocks */

kernel/bpf/syscall.c

+12 −0
Original line number Diff line number Diff line
@@ -1585,6 +1585,14 @@ bpf_prog_load_check_attach_type(enum bpf_prog_type prog_type, 
		default:

			return -EINVAL;

		}

	case BPF_PROG_TYPE_CGROUP_SKB:

		switch (expected_attach_type) {

		case BPF_CGROUP_INET_INGRESS:

		case BPF_CGROUP_INET_EGRESS:

			return 0;

		default:

			return -EINVAL;

		}

	default:

		return 0;

	}
@@ -1836,6 +1844,10 @@ static int bpf_prog_attach_check_attach_type(const struct bpf_prog *prog, 
	case BPF_PROG_TYPE_CGROUP_SOCK:

	case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:

		return attach_type == prog->expected_attach_type ? 0 : -EINVAL;

	case BPF_PROG_TYPE_CGROUP_SKB:

		return prog->enforce_expected_attach_type &&

			prog->expected_attach_type != attach_type ?

			-EINVAL : 0;

	default:

		return 0;

	}

kernel/bpf/verifier.c

+13 −3
Original line number Diff line number Diff line
@@ -5508,11 +5508,16 @@ static int check_ld_abs(struct bpf_verifier_env *env, struct bpf_insn *insn) 


static int check_return_code(struct bpf_verifier_env *env)

{

	struct tnum enforce_attach_type_range = tnum_unknown;

	struct bpf_reg_state *reg;

	struct tnum range = tnum_range(0, 1);



	switch (env->prog->type) {

	case BPF_PROG_TYPE_CGROUP_SKB:

		if (env->prog->expected_attach_type == BPF_CGROUP_INET_EGRESS) {

			range = tnum_range(0, 3);

			enforce_attach_type_range = tnum_range(2, 3);

		}

	case BPF_PROG_TYPE_CGROUP_SOCK:

	case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:

	case BPF_PROG_TYPE_SOCK_OPS:
@@ -5531,18 +5536,23 @@ static int check_return_code(struct bpf_verifier_env *env) 
	}



	if (!tnum_in(range, reg->var_off)) {

		verbose(env, "At program exit the register R0 ");

		if (!tnum_is_unknown(reg->var_off)) {

		char tn_buf[48];



		verbose(env, "At program exit the register R0 ");

		if (!tnum_is_unknown(reg->var_off)) {

			tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);

			verbose(env, "has value %s", tn_buf);

		} else {

			verbose(env, "has unknown scalar value");

		}

		verbose(env, " should have been 0 or 1\n");

		tnum_strn(tn_buf, sizeof(tn_buf), range);

		verbose(env, " should have been %s\n", tn_buf);

		return -EINVAL;

	}



	if (!tnum_is_unknown(enforce_attach_type_range) &&

	    tnum_in(enforce_attach_type_range, reg->var_off))

		env->prog->enforce_expected_attach_type = 1;

	return 0;

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE