bpf: cgroup inet skb programs can return 0 to 3
authorbrakmo <brakmo@fb.com>
Tue, 28 May 2019 23:59:36 +0000 (16:59 -0700)
committerAlexei Starovoitov <ast@kernel.org>
Fri, 31 May 2019 23:41:29 +0000 (16:41 -0700)
Allows cgroup inet skb programs to return values in the range [0, 3].
The second bit is used to deterine if congestion occurred and higher
level protocol should decrease rate. E.g. TCP would call tcp_enter_cwr()

The bpf_prog must set expected_attach_type to BPF_CGROUP_INET_EGRESS
at load time if it uses the new return values (i.e. 2 or 3).

The expected_attach_type is currently not enforced for
BPF_PROG_TYPE_CGROUP_SKB.  e.g Meaning the current bpf_prog with
expected_attach_type setting to BPF_CGROUP_INET_EGRESS can attach to
BPF_CGROUP_INET_INGRESS.  Blindly enforcing expected_attach_type will
break backward compatibility.

This patch adds a enforce_expected_attach_type bit to only
enforce the expected_attach_type when it uses the new
return value.

Signed-off-by: Lawrence Brakmo <brakmo@fb.com>
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
include/linux/filter.h
kernel/bpf/syscall.c
kernel/bpf/verifier.c

index ba8b65270e0d51dfb68745e2b6aae6fe8e4bfbba..43b45d6db36d1647f8a9d2a2701dc486e8f81513 100644 (file)
@@ -526,7 +526,8 @@ struct bpf_prog {
                                blinded:1,      /* Was blinded */
                                is_func:1,      /* program is a bpf function */
                                kprobe_override:1, /* Do we override a kprobe? */
-                               has_callchain_buf:1; /* callchain buffer allocated? */
+                               has_callchain_buf:1, /* callchain buffer allocated? */
+                               enforce_expected_attach_type:1; /* Enforce expected_attach_type checking at attach time */
        enum bpf_prog_type      type;           /* Type of BPF program */
        enum bpf_attach_type    expected_attach_type; /* For some prog types */
        u32                     len;            /* Number of filter blocks */
index 3d546b6f464610ae7648cbe9bac5180ade535bb8..1539774d78c7f9857c5451e8a0c8f6f04a943e47 100644 (file)
@@ -1585,6 +1585,14 @@ bpf_prog_load_check_attach_type(enum bpf_prog_type prog_type,
                default:
                        return -EINVAL;
                }
+       case BPF_PROG_TYPE_CGROUP_SKB:
+               switch (expected_attach_type) {
+               case BPF_CGROUP_INET_INGRESS:
+               case BPF_CGROUP_INET_EGRESS:
+                       return 0;
+               default:
+                       return -EINVAL;
+               }
        default:
                return 0;
        }
@@ -1836,6 +1844,10 @@ static int bpf_prog_attach_check_attach_type(const struct bpf_prog *prog,
        case BPF_PROG_TYPE_CGROUP_SOCK:
        case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
                return attach_type == prog->expected_attach_type ? 0 : -EINVAL;
+       case BPF_PROG_TYPE_CGROUP_SKB:
+               return prog->enforce_expected_attach_type &&
+                       prog->expected_attach_type != attach_type ?
+                       -EINVAL : 0;
        default:
                return 0;
        }
index 2778417e6e0c3d66516b446b9a52e81d60b73a11..5c2cb5bd84ce551bae49e57fd111ecc102f79024 100644 (file)
@@ -5508,11 +5508,16 @@ static int check_ld_abs(struct bpf_verifier_env *env, struct bpf_insn *insn)
 
 static int check_return_code(struct bpf_verifier_env *env)
 {
+       struct tnum enforce_attach_type_range = tnum_unknown;
        struct bpf_reg_state *reg;
        struct tnum range = tnum_range(0, 1);
 
        switch (env->prog->type) {
        case BPF_PROG_TYPE_CGROUP_SKB:
+               if (env->prog->expected_attach_type == BPF_CGROUP_INET_EGRESS) {
+                       range = tnum_range(0, 3);
+                       enforce_attach_type_range = tnum_range(2, 3);
+               }
        case BPF_PROG_TYPE_CGROUP_SOCK:
        case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
        case BPF_PROG_TYPE_SOCK_OPS:
@@ -5531,18 +5536,23 @@ static int check_return_code(struct bpf_verifier_env *env)
        }
 
        if (!tnum_in(range, reg->var_off)) {
+               char tn_buf[48];
+
                verbose(env, "At program exit the register R0 ");
                if (!tnum_is_unknown(reg->var_off)) {
-                       char tn_buf[48];
-
                        tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
                        verbose(env, "has value %s", tn_buf);
                } else {
                        verbose(env, "has unknown scalar value");
                }
-               verbose(env, " should have been 0 or 1\n");
+               tnum_strn(tn_buf, sizeof(tn_buf), range);
+               verbose(env, " should have been %s\n", tn_buf);
                return -EINVAL;
        }
+
+       if (!tnum_is_unknown(enforce_attach_type_range) &&
+           tnum_in(enforce_attach_type_range, reg->var_off))
+               env->prog->enforce_expected_attach_type = 1;
        return 0;
 }