bpf_refcount_acquire() increments the refcount at the caller-supplied
pointer plus the refcount field offset, then returns the caller-supplied
pointer unchanged.
The verifier records the return value as a base pointer to the refcounted
object.
bpf_list_pop_front() and bpf_rbtree_remove() can return embedded graph-node
pointers as PTR_TO_BTF_ID | MEM_ALLOC with a fixed offset equal to the node
field offset. Passing such a pointer directly to bpf_refcount_acquire()
currently passes the refcounted-kptr type check.
That makes the runtime operation start from base + node_off while the
verifier models the returned pointer as the object base.
Require refcount-acquire arguments to have zero offset. Programs can still
acquire a refcount from a graph-node-derived pointer after normalizing it
with container_of().
Fixes: 7c50b1cb76aca ("bpf: Add bpf_refcount_acquire kfunc")
Signed-off-by: Yiyang Chen <[email protected]>
---
kernel/bpf/verifier.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 2abc79dbf..4510fe0b4 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -12392,6 +12392,11 @@ static int check_kfunc_args(struct bpf_verifier_env
*env, struct bpf_kfunc_call_
reg_arg_name(env, argno));
return -EINVAL;
}
+ if (reg->var_off.value != 0) {
+ verbose(env, "%s must have zero offset when
passed to %s\n",
+ reg_arg_name(env, argno),
meta->func_name);
+ return -EINVAL;
+ }
if (!type_is_non_owning_ref(reg->type))
meta->arg_owning_ref = true;
--
2.34.1
