bpf_refcount_acquire() is modeled as returning a refcounted allocation
base, but it currently accepts PTR_TO_BTF_ID | MEM_ALLOC arguments whose
offset already points at an embedded graph node returned from a list or
rbtree operation.

At runtime the kfunc starts from the supplied pointer and adds the type's
refcount offset. With a graph-node pointer, that starts from base +
node_off, while the verifier treats the returned pointer as the allocation
base. Reject non-zero fixed-offset arguments to keep the runtime operation
and the verifier model aligned.

Programs that pop graph nodes can still acquire a reference after
normalizing the node pointer with container_of().

Patch 1 adds a PTR_ZERO_OFF argument flag and handles the zero fixed-offset
requirement through check_func_arg_reg_off() / __check_ptr_off_reg().

Patch 2 adds rejected direct list and rbtree node cases.

Changes from v1:
  - Move zero fixed-offset enforcement into check_func_arg_reg_off() /
    __check_ptr_off_reg(), as suggested by Eduard.
  - Drop the positive container_of() selftest case.
  - Remove the stale bpf_obj_drop() after bpf_list_push_front(), since the
    pushed reference is consumed even when the verifier explores the error
    branch.
  - Add a Fixes tag to the selftest patch.
  - Rebase to bpf-next master a975094bf98c.

Yiyang Chen (2):
  bpf: Reject offset refcount acquire arguments
  selftests/bpf: Cover refcount acquire node offsets

 include/linux/bpf.h                           |  3 +
 kernel/bpf/verifier.c                         | 18 +++--
 .../bpf/progs/refcounted_kptr_fail.c          | 77 +++++++++++++++++++
 3 files changed, 91 insertions(+), 7 deletions(-)


base-commit: a975094bf98ca97be9146f9d3b5681a6f9cf5ce3
-- 
2.34.1
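The offset mismatch the cover letter describes, as an added userspace C model that is not code from the patch series or the kernel: `node_data`, `list_node`, `refcount`, `refcount_at()`, `refcount_error()` and `fixed_off()` are constructed stand-ins for illustration, and the refcount is simply placed at some offset inside the object.

```c
/* Added example (not from the patch series): a userspace model of why a
 * graph-node pointer must be normalized with container_of() before a
 * refcount acquire. Struct layout and helper names are constructed. */
#include <stddef.h>
#include <stdio.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Constructed stand-ins for the embedded graph node and the refcount. */
struct list_node { struct list_node *next, *prev; };
struct refcount  { int refs; };

/* A constructed refcounted object with an embedded list node. */
struct node_data {
    long key;
    struct list_node node;   /* a list pop returns a pointer to this */
    struct refcount ref;     /* located at the type's refcount offset */
};

/* Runtime model: the kfunc only knows the type's refcount offset and adds
 * it to whatever pointer it was handed, base or not. */
static struct refcount *refcount_at(void *obj, size_t refcount_off)
{
    return (struct refcount *)((char *)obj + refcount_off);
}

/* Byte distance between where the kfunc would look when handed @p and the
 * object's real refcount; 0 means runtime and verifier model agree. */
static ptrdiff_t refcount_error(struct node_data *obj, void *p)
{
    struct refcount *seen = refcount_at(p, offsetof(struct node_data, ref));
    return (char *)seen - (char *)&obj->ref;
}

/* The argument's fixed offset from the allocation base as the verifier
 * tracks it; the series now requires this to be zero. */
static ptrdiff_t fixed_off(struct node_data *obj, void *p)
{
    return (char *)p - (char *)obj;
}

int main(void)
{
    struct node_data obj = { .key = 1, .ref = { .refs = 1 } };
    struct list_node *popped = &obj.node;                /* as popped */
    struct node_data *norm = container_of(popped, struct node_data, node);

    printf("node ptr:     fixed_off=%td refcount_error=%td\n",
           fixed_off(&obj, popped), refcount_error(&obj, popped));
    printf("container_of: fixed_off=%td refcount_error=%td\n",
           fixed_off(&obj, norm), refcount_error(&obj, norm));
    return 0;
}
```

With the node pointer the error equals node_off, which is the "base + node_off" case the verifier now rejects; after container_of() both values are zero.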