Merge ra.kernel.org:/pub/scm/linux/kernel/git/bpf/bpf

------------------------------

A: YES. BPF instructions, arguments to BPF programs, set of helper

functions and their arguments, recognized return codes are all part

of ABI. However when tracing programs are using bpf_probe_read() helper

to walk kernel internal datastructures and compile with kernel

internal headers these accesses can and will break with newer

kernels. The union bpf_attr -> kern_version is checked at load time

to prevent accidentally loading kprobe-based bpf programs written

for a different kernel. Networking programs don't do kern_version check.

of ABI. However there is one specific exception to tracing programs

which are using helpers like bpf_probe_read() to walk kernel internal

data structures and compile with kernel internal headers. Both of these

kernel internals are subject to change and can break with newer kernels

such that the program needs to be adapted accordingly.

Q: How much stack space a BPF program uses?

-------------------------------------------

#define BPF_ALU_SANITIZE_SRC		1U

#define BPF_ALU_SANITIZE_DST		2U

#define BPF_ALU_NEG_VALUE		(1U << 2)

#define BPF_ALU_NON_POINTER		(1U << 3)

#define BPF_ALU_SANITIZE		(BPF_ALU_SANITIZE_SRC | \

					 BPF_ALU_SANITIZE_DST)

	}

}

static bool can_skip_alu_sanitation(const struct bpf_verifier_env *env,

				    const struct bpf_insn *insn)

{

	return env->allow_ptr_leaks || BPF_SRC(insn->code) == BPF_K;

}

static int update_alu_sanitation_state(struct bpf_insn_aux_data *aux,

				       u32 alu_state, u32 alu_limit)

{

	/* If we arrived here from different branches with different

	 * state or limits to sanitize, then this won't work.

	 */

	if (aux->alu_state &&

	    (aux->alu_state != alu_state ||

	     aux->alu_limit != alu_limit))

		return -EACCES;

	/* Corresponding fixup done in fixup_bpf_calls(). */

	aux->alu_state = alu_state;

	aux->alu_limit = alu_limit;

	return 0;

}

static int sanitize_val_alu(struct bpf_verifier_env *env,

			    struct bpf_insn *insn)

{

	struct bpf_insn_aux_data *aux = cur_aux(env);

	if (can_skip_alu_sanitation(env, insn))

		return 0;

	return update_alu_sanitation_state(aux, BPF_ALU_NON_POINTER, 0);

}

static int sanitize_ptr_alu(struct bpf_verifier_env *env,

			    struct bpf_insn *insn,

			    const struct bpf_reg_state *ptr_reg,

	struct bpf_reg_state tmp;

	bool ret;

	if (env->allow_ptr_leaks || BPF_SRC(insn->code) == BPF_K)

	if (can_skip_alu_sanitation(env, insn))

		return 0;

	/* We already marked aux for masking from non-speculative

	if (retrieve_ptr_limit(ptr_reg, &alu_limit, opcode, off_is_neg))

		return 0;

	/* If we arrived here from different branches with different

	 * limits to sanitize, then this won't work.

	 */

	if (aux->alu_state &&

	    (aux->alu_state != alu_state ||

	     aux->alu_limit != alu_limit))

	if (update_alu_sanitation_state(aux, alu_state, alu_limit))

		return -EACCES;

	/* Corresponding fixup done in fixup_bpf_calls(). */

	aux->alu_state = alu_state;

	aux->alu_limit = alu_limit;

do_sim:

	/* Simulate and find potential out-of-bounds access under

	 * speculative execution from truncation as a result of

	s64 smin_val, smax_val;

	u64 umin_val, umax_val;

	u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32;

	u32 dst = insn->dst_reg;

	int ret;

	if (insn_bitness == 32) {

		/* Relevant for 32-bit RSH: Information can propagate towards

	switch (opcode) {

	case BPF_ADD:

		ret = sanitize_val_alu(env, insn);

		if (ret < 0) {

			verbose(env, "R%d tried to add from different pointers or scalars\n", dst);

			return ret;

		}

		if (signed_add_overflows(dst_reg->smin_value, smin_val) ||

		    signed_add_overflows(dst_reg->smax_value, smax_val)) {

			dst_reg->smin_value = S64_MIN;

		dst_reg->var_off = tnum_add(dst_reg->var_off, src_reg.var_off);

		break;

	case BPF_SUB:

		ret = sanitize_val_alu(env, insn);

		if (ret < 0) {

			verbose(env, "R%d tried to sub from different pointers or scalars\n", dst);

			return ret;

		}

		if (signed_sub_overflows(dst_reg->smin_value, smax_val) ||

		    signed_sub_overflows(dst_reg->smax_value, smin_val)) {

			/* Overflow possible, we know nothing */

	ipc6.opt = opt;

	fl6.flowi6_proto = sk->sk_protocol;

	if (!ipv6_addr_any(daddr))

	fl6.daddr = *daddr;

	else

		fl6.daddr.s6_addr[15] = 0x1; /* :: means loopback (BSD'ism) */

	if (ipv6_addr_any(&fl6.saddr) && !ipv6_addr_any(&np->saddr))

		fl6.saddr = np->saddr;

	fl6.fl6_sport = inet->inet_sport;

		}

	}

	if (ipv6_addr_any(&fl6.daddr))

		fl6.daddr.s6_addr[15] = 0x1; /* :: means loopback (BSD'ism) */

	final_p = fl6_update_dst(&fl6, opt, &final);

	if (final_p)

		connected = false;

	/* Create cgroup /foo, get fd, and join it */

	foo = create_and_get_cgroup(FOO);

	if (!foo)

	if (foo < 0)

		goto err;

	if (join_cgroup(FOO))

	/* Create cgroup /foo/bar, get fd, and join it */

	bar = create_and_get_cgroup(BAR);

	if (!bar)

	if (bar < 0)

		goto err;

	if (join_cgroup(BAR))

		goto err;

	cg1 = create_and_get_cgroup("/cg1");

	if (!cg1)

	if (cg1 < 0)

		goto err;

	cg2 = create_and_get_cgroup("/cg1/cg2");

	if (!cg2)

	if (cg2 < 0)

		goto err;

	cg3 = create_and_get_cgroup("/cg1/cg2/cg3");

	if (!cg3)

	if (cg3 < 0)

		goto err;

	cg4 = create_and_get_cgroup("/cg1/cg2/cg3/cg4");

	if (!cg4)

	if (cg4 < 0)

		goto err;

	cg5 = create_and_get_cgroup("/cg1/cg2/cg3/cg4/cg5");

	if (!cg5)

	if (cg5 < 0)

		goto err;

	if (join_cgroup("/cg1/cg2/cg3/cg4/cg5"))