bpf: Relax allowlist for css_task iter

kchuyizhou · Alexei Starovoitov · commit 3091b667498b · 2023-11-01T22:49:20.000-07:00
The newly added open-coded css_task iter would try to hold the global css_set_lock in bpf_iter_css_task_new, so the bpf side has to be careful in where it allows to use this iter. The mainly concern is dead locking on css_set_lock. check_css_task_iter_allowlist() in verifier enforced css_task can only be used in bpf_lsm hooks and sleepable bpf_iter. This patch relax the allowlist for css_task iter. Any lsm and any iter (even non-sleepable) and any sleepable are safe since they would not hold the css_set_lock before entering BPF progs context. This patch also fixes the misused BPF_TRACE_ITER in check_css_task_iter_allowlist which compared bpf_prog_type with bpf_attach_type. Fixes: 9c66dc9 ("bpf: Introduce css_task open-coded iterator kfuncs") Signed-off-by: Chuyi Zhou <zhouchuyi@bytedance.com> Acked-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/20231031050438.93297-2-zhouchuyi@bytedance.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
@@ -11402,17 +11402,25 @@ static int process_kf_arg_ptr_to_rbtree_node(struct bpf_verifier_env *env,
 						  &meta->arg_rbtree_root.field);
 }
 
+/*
+ * css_task iter allowlist is needed to avoid dead locking on css_set_lock.
+ * LSM hooks and iters (both sleepable and non-sleepable) are safe.
+ * Any sleepable progs are also safe since bpf_check_attach_target() enforce
+ * them can only be attached to some specific hook points.
+ */
 static bool check_css_task_iter_allowlist(struct bpf_verifier_env *env)
 {
 	enum bpf_prog_type prog_type = resolve_prog_type(env->prog);
 
 	switch (prog_type) {
 	case BPF_PROG_TYPE_LSM:
 		return true;
-	case BPF_TRACE_ITER:
-		return env->prog->aux->sleepable;
+	case BPF_PROG_TYPE_TRACING:
+		if (env->prog->expected_attach_type == BPF_TRACE_ITER)
+			return true;
+		fallthrough;
 	default:
-		return false;
+		return env->prog->aux->sleepable;
 	}
 }
 
@@ -11671,7 +11679,7 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
 		case KF_ARG_PTR_TO_ITER:
 			if (meta->func_id == special_kfunc_list[KF_bpf_iter_css_task_new]) {
 				if (!check_css_task_iter_allowlist(env)) {
-					verbose(env, "css_task_iter is only allowed in bpf_lsm and bpf iter-s\n");
+					verbose(env, "css_task_iter is only allowed in bpf_lsm, bpf_iter and sleepable progs\n");
 					return -EINVAL;
 				}
 			}
diff --git a/tools/testing/selftests/bpf/progs/iters_task_failure.c b/tools/testing/selftests/bpf/progs/iters_task_failure.c
@@ -84,8 +84,8 @@ int BPF_PROG(iter_css_lock_and_unlock)
 	return 0;
 }
 
-SEC("?fentry.s/" SYS_PREFIX "sys_getpgid")
-__failure __msg("css_task_iter is only allowed in bpf_lsm and bpf iter-s")
+SEC("?fentry/" SYS_PREFIX "sys_getpgid")
+__failure __msg("css_task_iter is only allowed in bpf_lsm, bpf_iter and sleepable progs")
 int BPF_PROG(iter_css_task_for_each)
 {
 	u64 cg_id = bpf_get_current_cgroup_id();

Original file line number	Diff line number	Diff line change
`@@ -11402,17 +11402,25 @@ static int process_kf_arg_ptr_to_rbtree_node(struct bpf_verifier_env *env,`
`11402`	`11402`	`&meta->arg_rbtree_root.field);`
`11403`	`11403`	`}`
`11404`	`11404`
	`11405`	`+/*`
	`11406`	`+ * css_task iter allowlist is needed to avoid dead locking on css_set_lock.`
	`11407`	`+ * LSM hooks and iters (both sleepable and non-sleepable) are safe.`
	`11408`	`+ * Any sleepable progs are also safe since bpf_check_attach_target() enforce`
	`11409`	`+ * them can only be attached to some specific hook points.`
	`11410`	`+ */`
`11405`	`11411`	`static bool check_css_task_iter_allowlist(struct bpf_verifier_env *env)`
`11406`	`11412`	`{`
`11407`	`11413`	`enum bpf_prog_type prog_type = resolve_prog_type(env->prog);`
`11408`	`11414`
`11409`	`11415`	`switch (prog_type) {`
`11410`	`11416`	`case BPF_PROG_TYPE_LSM:`
`11411`	`11417`	`return true;`
`11412`		`- case BPF_TRACE_ITER:`
`11413`		`- return env->prog->aux->sleepable;`
	`11418`	`+ case BPF_PROG_TYPE_TRACING:`
	`11419`	`+ if (env->prog->expected_attach_type == BPF_TRACE_ITER)`
	`11420`	`+ return true;`
	`11421`	`+ fallthrough;`
`11414`	`11422`	`default:`
`11415`		`- return false;`
	`11423`	`+ return env->prog->aux->sleepable;`
`11416`	`11424`	`}`
`11417`	`11425`	`}`
`11418`	`11426`
`@@ -11671,7 +11679,7 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_`
`11671`	`11679`	`case KF_ARG_PTR_TO_ITER:`
`11672`	`11680`	`if (meta->func_id == special_kfunc_list[KF_bpf_iter_css_task_new]) {`
`11673`	`11681`	`if (!check_css_task_iter_allowlist(env)) {`
`11674`		`- verbose(env, "css_task_iter is only allowed in bpf_lsm and bpf iter-s\n");`
	`11682`	`+ verbose(env, "css_task_iter is only allowed in bpf_lsm, bpf_iter and sleepable progs\n");`
`11675`	`11683`	`return -EINVAL;`
`11676`	`11684`	`}`
`11677`	`11685`	`}`
Original file line number	Diff line number	Diff line change
`@@ -84,8 +84,8 @@ int BPF_PROG(iter_css_lock_and_unlock)`
`84`	`84`	`return 0;`
`85`	`85`	`}`
`86`	`86`
`87`		`-SEC("?fentry.s/" SYS_PREFIX "sys_getpgid")`
`88`		`-__failure __msg("css_task_iter is only allowed in bpf_lsm and bpf iter-s")`
	`87`	`+SEC("?fentry/" SYS_PREFIX "sys_getpgid")`
	`88`	`+__failure __msg("css_task_iter is only allowed in bpf_lsm, bpf_iter and sleepable progs")`
`89`	`89`	`int BPF_PROG(iter_css_task_for_each)`
`90`	`90`	`{`
`91`	`91`	`u64 cg_id = bpf_get_current_cgroup_id();`