bpf_refcount_acquire() is modeled as returning a refcounted allocation
base, but it currently accepts PTR_TO_BTF_ID | MEM_ALLOC arguments whose
offset already points at an embedded graph node returned from a list or
rbtree operation.

At runtime the kfunc starts from the supplied pointer and adds the type's
refcount offset. With a graph-node pointer, that starts from base +
node_off, while the verifier treats the returned pointer as the allocation
base. Reject non-zero fixed-offset arguments to keep the runtime operation
and the verifier model aligned.

Programs that pop graph nodes can still acquire a reference after
normalizing the node pointer with container_of().
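To make the base-vs-node offset mismatch concrete, here is an added user-space
model (example code, not part of this series or of the kernel). The struct
names and layout are assumed stand-ins for a refcounted graph node that embeds
a list node and a refcount; the helper mirrors only the arithmetic the cover
letter describes (supplied pointer + the type's refcount offset) and shows how
far that lands from the real refcount when the argument is a node pointer
rather than the allocation base, and that container_of() removes the skew.

```c
/* Added example: user-space model of the refcount-offset mismatch.
 * Struct names and field order are constructed for illustration and are
 * not the kernel's bpf_list_node / bpf_refcount definitions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct fake_list_node { uint64_t opaque[2]; }; /* stand-in for bpf_list_node */
struct fake_refcount  { uint32_t cnt; };        /* stand-in for bpf_refcount */

/* A refcounted "graph node" object as a BPF program would declare it. */
struct node_data {
	long key;
	struct fake_list_node node; /* what list/rbtree ops hand back: base + node_off */
	struct fake_refcount ref;   /* what bpf_refcount_acquire() bumps */
};

#ifndef container_of
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#endif

/* Runtime behaviour being modeled: take the supplied pointer as the
 * allocation base and add the type's refcount offset. */
static struct fake_refcount *refcount_from(void *supplied)
{
	return (struct fake_refcount *)((char *)supplied +
					offsetof(struct node_data, ref));
}

/* Byte distance between where the refcount update would land when the
 * kfunc is given `supplied`, and the object's actual refcount. */
static long refcount_skew(void *supplied, struct node_data *obj)
{
	return (long)((char *)refcount_from(supplied) - (char *)&obj->ref);
}

long node_offset(void)
{
	return (long)offsetof(struct node_data, node);
}

/* Argument is the allocation base: update hits the real refcount. */
long skew_when_passed_base(void)
{
	struct node_data obj = { .key = 1 };
	return refcount_skew(&obj, &obj);
}

/* Argument is the embedded node pointer (as returned by a pop):
 * the update is displaced by node_off bytes. */
long skew_when_passed_node(void)
{
	struct node_data obj = { .key = 1 };
	return refcount_skew(&obj.node, &obj);
}

/* Normalizing with container_of() first recovers the base, so the
 * update lands on the refcount again. */
long skew_after_container_of(void)
{
	struct node_data obj = { .key = 1 };
	struct fake_list_node *n = &obj.node;
	struct node_data *base = container_of(n, struct node_data, node);
	return refcount_skew(base, &obj);
}

int main(void)
{
	printf("node_off=%ld base_skew=%ld node_skew=%ld container_of_skew=%ld\n",
	       node_offset(), skew_when_passed_base(),
	       skew_when_passed_node(), skew_after_container_of());
	return 0;
}
```

With this layout the node-pointer case displaces the refcount update by
exactly node_off bytes, which is the gap the verifier-side fixed-offset check
closes; the container_of() path is the pattern programs keep using.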
Patch 1 handles the zero fixed-offset requirement in the existing
check_func_arg_reg_off() / __check_ptr_off_reg() path without consuming a
bpf_type_flag bit.

Patch 2 adds a rejected direct list-node case.
Changes from v3:
- Add Eduard's Acked-by to patch 1.
- Drop the redundant rbtree selftest case; the list case exercises the same
  refcount-acquire fixed-offset rejection path.
- Trim the selftest commit message and remove the selftest Fixes tag.

Changes from v2:
- Avoid adding a new bpf_type_flag bit.
- Carry the refcount-acquire zero fixed-offset requirement with an
  internal check_func_arg_reg_off() parameter.

Changes from v1:
- Move zero fixed-offset enforcement into check_func_arg_reg_off() /
  __check_ptr_off_reg(), as suggested by Eduard.
- Drop the positive container_of() selftest case.
- Remove the stale bpf_obj_drop() after bpf_list_push_front(), since the
  pushed reference is consumed even when the verifier explores the error
  branch.
- Rebase to bpf-next master a975094bf98c.
v3: https://lore.kernel.org/bpf/[email protected]/
v2: https://lore.kernel.org/bpf/[email protected]/
v1: https://lore.kernel.org/bpf/[email protected]/

Yiyang Chen (2):
  bpf: Reject offset refcount acquire arguments
  selftests/bpf: Cover refcount acquire node offsets

 kernel/bpf/verifier.c                                | 32 +++++++++++------
 .../bpf/progs/refcounted_kptr_fail.c                 | 34 +++++++++++++++++++
 2 files changed, 56 insertions(+), 10 deletions(-)

base-commit: a975094bf98ca97be9146f9d3b5681a6f9cf5ce3
--
2.34.1