Commit be8704ff authored by Alexei Starovoitov's avatar Alexei Starovoitov Committed by Daniel Borkmann
Browse files

bpf: Introduce dynamic program extensions 



Introduce dynamic program extensions. The users can load additional BPF
functions and replace global functions in previously loaded BPF programs while
these programs are executing.

Global functions are verified individually by the verifier based on their types only.
Hence the global function in the new program which types match older function can
safely replace that corresponding function.

This new function/program is called 'an extension' of old program. At load time
the verifier uses (attach_prog_fd, attach_btf_id) pair to identify the function
to be replaced. The BPF program type is derived from the target program into
extension program. Technically bpf_verifier_ops is copied from target program.
The BPF_PROG_TYPE_EXT program type is a placeholder. It has empty verifier_ops.
The extension program can call the same bpf helper functions as target program.
Single BPF_PROG_TYPE_EXT type is used to extend XDP, SKB and all other program
types. The verifier allows only one level of replacement. Meaning that the
extension program cannot recursively extend an extension. That also means that
the maximum stack size is increasing from 512 to 1024 bytes and maximum
function nesting level from 8 to 16. The programs don't always consume that
much. The stack usage is determined by the number of on-stack variables used by
the program. The verifier could have enforced 512 limit for combined original
plus extension program, but it makes for difficult user experience. The main
use case for extensions is to provide generic mechanism to plug external
programs into policy program or function call chaining.

BPF trampoline is used to track both fentry/fexit and program extensions
because both are using the same nop slot at the beginning of every BPF
function. Attaching fentry/fexit to a function that was replaced is not
allowed. The opposite is true as well. Replacing a function that currently
being analyzed with fentry/fexit is not allowed. The executable page allocated
by BPF trampoline is not used by program extensions. This inefficiency will be
optimized in future patches.

Function by function verification of global function supports scalars and
pointer to context only. Hence program extensions are supported for such class
of global functions only. In the future the verifier will be extended with
support to pointers to structures, arrays with sizes, etc.

Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
Acked-by: default avatarAndrii Nakryiko <andriin@fb.com>
Acked-by: default avatarToke Høiland-Jørgensen <toke@redhat.com>
Link: https://lore.kernel.org/bpf/20200121005348.2769920-2-ast@kernel.org
parent 2a67a6cc

include/linux/bpf.h

+9 −1
Original line number Diff line number Diff line
@@ -465,7 +465,8 @@ void notrace __bpf_prog_exit(struct bpf_prog *prog, u64 start); 
enum bpf_tramp_prog_type {

	BPF_TRAMP_FENTRY,

	BPF_TRAMP_FEXIT,

	BPF_TRAMP_MAX

	BPF_TRAMP_MAX,

	BPF_TRAMP_REPLACE, /* more than MAX */

};



struct bpf_trampoline {
@@ -480,6 +481,11 @@ struct bpf_trampoline { 
		void *addr;

		bool ftrace_managed;

	} func;

	/* if !NULL this is BPF_PROG_TYPE_EXT program that extends another BPF

	 * program by replacing one of its functions. func.addr is the address

	 * of the function it replaced.

	 */

	struct bpf_prog *extension_prog;

	/* list of BPF programs using this trampoline */

	struct hlist_head progs_hlist[BPF_TRAMP_MAX];

	/* Number of attached programs. A counter per kind. */
@@ -1107,6 +1113,8 @@ int btf_check_func_arg_match(struct bpf_verifier_env *env, int subprog, 
			     struct bpf_reg_state *regs);

int btf_prepare_func_args(struct bpf_verifier_env *env, int subprog,

			  struct bpf_reg_state *reg);

int btf_check_type_match(struct bpf_verifier_env *env, struct bpf_prog *prog,

			 struct btf *btf, const struct btf_type *t);



struct bpf_prog *bpf_prog_by_id(u32 id);

include/linux/bpf_types.h

+2 −0
Original line number Diff line number Diff line
@@ -68,6 +68,8 @@ BPF_PROG_TYPE(BPF_PROG_TYPE_SK_REUSEPORT, sk_reuseport, 
#if defined(CONFIG_BPF_JIT)

BPF_PROG_TYPE(BPF_PROG_TYPE_STRUCT_OPS, bpf_struct_ops,

	      void *, void *)

BPF_PROG_TYPE(BPF_PROG_TYPE_EXT, bpf_extension,

	      void *, void *)

#endif



BPF_MAP_TYPE(BPF_MAP_TYPE_ARRAY, array_map_ops)

include/linux/btf.h

+5 −0
Original line number Diff line number Diff line
@@ -107,6 +107,11 @@ static inline u16 btf_type_vlen(const struct btf_type *t) 
	return BTF_INFO_VLEN(t->info);

}



static inline u16 btf_func_linkage(const struct btf_type *t)

{

	return BTF_INFO_VLEN(t->info);

}



static inline bool btf_type_kflag(const struct btf_type *t)

{

	return BTF_INFO_KFLAG(t->info);

include/uapi/linux/bpf.h

+1 −0
Original line number Diff line number Diff line
@@ -180,6 +180,7 @@ enum bpf_prog_type { 
	BPF_PROG_TYPE_CGROUP_SOCKOPT,

	BPF_PROG_TYPE_TRACING,

	BPF_PROG_TYPE_STRUCT_OPS,

	BPF_PROG_TYPE_EXT,

};



enum bpf_attach_type {

kernel/bpf/btf.c

+151 −1
Original line number Diff line number Diff line
@@ -276,6 +276,11 @@ static const char * const btf_kind_str[NR_BTF_KINDS] = { 
	[BTF_KIND_DATASEC]	= "DATASEC",

};



static const char *btf_type_str(const struct btf_type *t)

{

	return btf_kind_str[BTF_INFO_KIND(t->info)];

}



struct btf_kind_operations {

	s32 (*check_meta)(struct btf_verifier_env *env,

			  const struct btf_type *t,
@@ -4115,6 +4120,148 @@ int btf_distill_func_proto(struct bpf_verifier_log *log, 
	return 0;

}



/* Compare BTFs of two functions assuming only scalars and pointers to context.

 * t1 points to BTF_KIND_FUNC in btf1

 * t2 points to BTF_KIND_FUNC in btf2

 * Returns:

 * EINVAL - function prototype mismatch

 * EFAULT - verifier bug

 * 0 - 99% match. The last 1% is validated by the verifier.

 */

int btf_check_func_type_match(struct bpf_verifier_log *log,

			      struct btf *btf1, const struct btf_type *t1,

			      struct btf *btf2, const struct btf_type *t2)

{

	const struct btf_param *args1, *args2;

	const char *fn1, *fn2, *s1, *s2;

	u32 nargs1, nargs2, i;



	fn1 = btf_name_by_offset(btf1, t1->name_off);

	fn2 = btf_name_by_offset(btf2, t2->name_off);



	if (btf_func_linkage(t1) != BTF_FUNC_GLOBAL) {

		bpf_log(log, "%s() is not a global function\n", fn1);

		return -EINVAL;

	}

	if (btf_func_linkage(t2) != BTF_FUNC_GLOBAL) {

		bpf_log(log, "%s() is not a global function\n", fn2);

		return -EINVAL;

	}



	t1 = btf_type_by_id(btf1, t1->type);

	if (!t1 || !btf_type_is_func_proto(t1))

		return -EFAULT;

	t2 = btf_type_by_id(btf2, t2->type);

	if (!t2 || !btf_type_is_func_proto(t2))

		return -EFAULT;



	args1 = (const struct btf_param *)(t1 + 1);

	nargs1 = btf_type_vlen(t1);

	args2 = (const struct btf_param *)(t2 + 1);

	nargs2 = btf_type_vlen(t2);



	if (nargs1 != nargs2) {

		bpf_log(log, "%s() has %d args while %s() has %d args\n",

			fn1, nargs1, fn2, nargs2);

		return -EINVAL;

	}



	t1 = btf_type_skip_modifiers(btf1, t1->type, NULL);

	t2 = btf_type_skip_modifiers(btf2, t2->type, NULL);

	if (t1->info != t2->info) {

		bpf_log(log,

			"Return type %s of %s() doesn't match type %s of %s()\n",

			btf_type_str(t1), fn1,

			btf_type_str(t2), fn2);

		return -EINVAL;

	}



	for (i = 0; i < nargs1; i++) {

		t1 = btf_type_skip_modifiers(btf1, args1[i].type, NULL);

		t2 = btf_type_skip_modifiers(btf2, args2[i].type, NULL);



		if (t1->info != t2->info) {

			bpf_log(log, "arg%d in %s() is %s while %s() has %s\n",

				i, fn1, btf_type_str(t1),

				fn2, btf_type_str(t2));

			return -EINVAL;

		}

		if (btf_type_has_size(t1) && t1->size != t2->size) {

			bpf_log(log,

				"arg%d in %s() has size %d while %s() has %d\n",

				i, fn1, t1->size,

				fn2, t2->size);

			return -EINVAL;

		}



		/* global functions are validated with scalars and pointers

		 * to context only. And only global functions can be replaced.

		 * Hence type check only those types.

		 */

		if (btf_type_is_int(t1) || btf_type_is_enum(t1))

			continue;

		if (!btf_type_is_ptr(t1)) {

			bpf_log(log,

				"arg%d in %s() has unrecognized type\n",

				i, fn1);

			return -EINVAL;

		}

		t1 = btf_type_skip_modifiers(btf1, t1->type, NULL);

		t2 = btf_type_skip_modifiers(btf2, t2->type, NULL);

		if (!btf_type_is_struct(t1)) {

			bpf_log(log,

				"arg%d in %s() is not a pointer to context\n",

				i, fn1);

			return -EINVAL;

		}

		if (!btf_type_is_struct(t2)) {

			bpf_log(log,

				"arg%d in %s() is not a pointer to context\n",

				i, fn2);

			return -EINVAL;

		}

		/* This is an optional check to make program writing easier.

		 * Compare names of structs and report an error to the user.

		 * btf_prepare_func_args() already checked that t2 struct

		 * is a context type. btf_prepare_func_args() will check

		 * later that t1 struct is a context type as well.

		 */

		s1 = btf_name_by_offset(btf1, t1->name_off);

		s2 = btf_name_by_offset(btf2, t2->name_off);

		if (strcmp(s1, s2)) {

			bpf_log(log,

				"arg%d %s(struct %s *) doesn't match %s(struct %s *)\n",

				i, fn1, s1, fn2, s2);

			return -EINVAL;

		}

	}

	return 0;

}



/* Compare BTFs of given program with BTF of target program */

int btf_check_type_match(struct bpf_verifier_env *env, struct bpf_prog *prog,

			 struct btf *btf2, const struct btf_type *t2)

{

	struct btf *btf1 = prog->aux->btf;

	const struct btf_type *t1;

	u32 btf_id = 0;



	if (!prog->aux->func_info) {

		bpf_log(&env->log, "Program extension requires BTF\n");

		return -EINVAL;

	}



	btf_id = prog->aux->func_info[0].type_id;

	if (!btf_id)

		return -EFAULT;



	t1 = btf_type_by_id(btf1, btf_id);

	if (!t1 || !btf_type_is_func(t1))

		return -EFAULT;



	return btf_check_func_type_match(&env->log, btf1, t1, btf2, t2);

}



/* Compare BTF of a function with given bpf_reg_state.

 * Returns:

 * EFAULT - there is a verifier bug. Abort verification.
@@ -4224,6 +4371,7 @@ int btf_prepare_func_args(struct bpf_verifier_env *env, int subprog, 
{

	struct bpf_verifier_log *log = &env->log;

	struct bpf_prog *prog = env->prog;

	enum bpf_prog_type prog_type = prog->type;

	struct btf *btf = prog->aux->btf;

	const struct btf_param *args;

	const struct btf_type *t;
@@ -4261,6 +4409,8 @@ int btf_prepare_func_args(struct bpf_verifier_env *env, int subprog, 
		bpf_log(log, "Verifier bug in function %s()\n", tname);

		return -EFAULT;

	}

	if (prog_type == BPF_PROG_TYPE_EXT)

		prog_type = prog->aux->linked_prog->type;



	t = btf_type_by_id(btf, t->type);

	if (!t || !btf_type_is_func_proto(t)) {
@@ -4296,7 +4446,7 @@ int btf_prepare_func_args(struct bpf_verifier_env *env, int subprog, 
			continue;

		}

		if (btf_type_is_ptr(t) &&

		    btf_get_prog_ctx_type(log, btf, t, prog->type, i)) {

		    btf_get_prog_ctx_type(log, btf, t, prog_type, i)) {

			reg[i + 1].type = PTR_TO_CTX;

			continue;

		}

CRA Git | Maintained and supported by SUSTech CRA and CCSE