This set addresses an issue about accessing an invalid ptr returned from bpf_tcp_sock() and bpf_sk_fullsock() after bpf_sk_release().

v4:
- Tried the one "id" approach. It does not work well and the reason is in the Patch 1 commit message.
- Rename refcount_id to ref_obj_id.
- With ref_obj_id, resetting reg->id to 0 is fine in mark_ptr_or_null_reg() because ref_obj_id is passed to release_reference() instead of reg->id.
- Also reset reg->ref_obj_id in mark_ptr_or_null_reg() when is_null == true.
- sk_to_full_sk() is removed from bpf_sk_fullsock() and bpf_tcp_sock().
- bpf_get_listener_sock() is added to do sk_to_full_sk() in Patch 2.
- If tp is from bpf_tcp_sock(sk) and sk is a refcounted ptr, bpf_sk_release(tp) is also allowed.

v3:
- Reset reg->refcount_id for the is_null case in mark_ptr_or_null_reg().

v2:
- Remove the refcount_id arg from release_reference() because id == refcount_id.
- Add a WARN_ON_ONCE to mark_ptr_or_null_regs() to catch an internal verifier bug.

Martin KaFai Lau (5):
  bpf: Fix bpf_tcp_sock and bpf_sk_fullsock issue related to bpf_sk_release
  bpf: Add bpf_get_listener_sock(struct bpf_sock *sk) helper
  bpf: Sync bpf.h to tools/
  bpf: Test ref release issue in bpf_tcp_sock and bpf_sk_fullsock
  bpf: Add an example for bpf_get_listener_sock

 include/linux/bpf.h                           |   1 -
 include/linux/bpf_verifier.h                  |  40 +++++
 include/uapi/linux/bpf.h                      |  11 +-
 kernel/bpf/verifier.c                         | 131 ++++++++------
 net/core/filter.c                             |  27 ++-
 tools/include/uapi/linux/bpf.h                |  11 +-
 tools/testing/selftests/bpf/bpf_helpers.h     |   2 +
 .../bpf/progs/test_sock_fields_kern.c         |  88 +++++++--
 .../testing/selftests/bpf/test_sock_fields.c  | 134 +++++++++++---
 .../selftests/bpf/verifier/ref_tracking.c     | 168 ++++++++++++++++++
 tools/testing/selftests/bpf/verifier/sock.c   |   4 +-
 11 files changed, 506 insertions(+), 111 deletions(-)

-- 
2.17.1
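The following is an added toy model of the reference-tracking rule the cover letter describes; it is written for this page and is not the kernel verifier's code, and every name in it (struct vstate, acquire_sock, derive_sock, mark_ptr_or_null, release_sock, setup_sk_and_tp) is my own. It models only the points stated above: a pointer derived by bpf_tcp_sock(sk) gets its own id but inherits sk's ref_obj_id, a NULL check resets id to 0 and on the NULL branch also clears ref_obj_id, and bpf_sk_release() keys on ref_obj_id so that releasing either sk or tp invalidates both. That a NULL derived pointer leaves the original reference outstanding is my assumption, not something the cover letter states.

```c
#include <stdbool.h>
#include <string.h>

#define NREGS 11
enum reg_type { NOT_INIT = 0, SCALAR, PTR_OR_NULL, PTR };

struct reg_state {
	enum reg_type type;
	unsigned int id;	 /* identity for NULL-check propagation */
	unsigned int ref_obj_id; /* acquired reference this pointer derives from */
};

struct vstate {
	struct reg_state regs[NREGS];
	unsigned int refs;	/* bit n set: reference with ref_obj_id n is outstanding */
	unsigned int next_id;	/* ids stay below 32 in this model */
};

static void vstate_init(struct vstate *s)
{
	memset(s, 0, sizeof(*s));
	s->next_id = 1;
}

/* Acquiring helper (e.g. bpf_sk_lookup_tcp): fresh id, fresh reference. */
static void acquire_sock(struct vstate *s, int dst)
{
	unsigned int id = s->next_id++;
	s->regs[dst] = (struct reg_state){ PTR_OR_NULL, id, id };
	s->refs |= 1u << id;
}

/* Deriving helper (e.g. bpf_tcp_sock(sk)): fresh id, inherited ref_obj_id. */
static bool derive_sock(struct vstate *s, int dst, int src)
{
	if (s->regs[src].type != PTR)	/* src must already be NULL-checked */
		return false;
	s->regs[dst] = (struct reg_state){ PTR_OR_NULL, s->next_id++,
					   s->regs[src].ref_obj_id };
	return true;
}

/* mark_ptr_or_null_reg(): after "if (reg == NULL)" every register sharing
 * reg's id is resolved and its id reset to 0; that is safe because release
 * keys on ref_obj_id, not id. On the NULL branch ref_obj_id is cleared, and
 * if reg was the acquiring register itself its reference is dropped
 * (assumption: a NULL derived pointer leaves the acquired reference held). */
static void mark_ptr_or_null(struct vstate *s, int reg, bool is_null)
{
	unsigned int id = s->regs[reg].id, ref_obj_id = s->regs[reg].ref_obj_id;
	if (s->regs[reg].type != PTR_OR_NULL)
		return;
	for (int i = 0; i < NREGS; i++) {
		struct reg_state *r = &s->regs[i];
		if (r->type != PTR_OR_NULL || r->id != id)
			continue;
		r->type = is_null ? SCALAR : PTR;
		r->id = 0;
		if (is_null)
			r->ref_obj_id = 0;
	}
	if (is_null && ref_obj_id == id)
		s->refs &= ~(1u << ref_obj_id);
}

/* bpf_sk_release(reg): accepted only for a register carrying an outstanding
 * reference; every register derived from that reference is invalidated. */
static bool release_sock(struct vstate *s, int reg)
{
	unsigned int ref_obj_id = s->regs[reg].ref_obj_id;
	if (!ref_obj_id || !(s->refs & (1u << ref_obj_id)))
		return false;	/* no reference held through this pointer */
	s->refs &= ~(1u << ref_obj_id);
	for (int i = 0; i < NREGS; i++)
		if (s->regs[i].ref_obj_id == ref_obj_id)
			s->regs[i] = (struct reg_state){ NOT_INIT, 0, 0 };
	return true;
}

/* sk = lookup(); if (sk) { tp = bpf_tcp_sock(sk); if (tp) { ... } }
 * Leaves r1 = sk and r2 = tp, both known non-NULL, sharing one ref_obj_id. */
static void setup_sk_and_tp(struct vstate *s)
{
	vstate_init(s);
	acquire_sock(s, 1);
	mark_ptr_or_null(s, 1, false);
	derive_sock(s, 2, 1);
	mark_ptr_or_null(s, 2, false);
}

/* The bug this series closes: bpf_sk_release(sk) followed by a load through tp.
 * True when the model rejects the load (tp is no longer a PTR) and nothing leaks. */
static bool rejects_tp_use_after_sk_release(void)
{
	struct vstate s;
	setup_sk_and_tp(&s);
	return release_sock(&s, 1) && s.regs[2].type != PTR && s.refs == 0;
}
```

The reason a single shared id would not serve here is visible in mark_ptr_or_null: the NULL check of tp has to reset tp's id without touching the state of sk, while release_sock has to find both registers at once; keeping those two roles in separate fields (id and ref_obj_id) is what lets both operations be expressed as a plain scan over the register file.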