Skip to content

Commit a7aba34

Browse files
kkdwivediKernel Patches Daemon
kkdwivedi
authored and
Kernel Patches Daemon
committed
bpf: Maintain FIFO property for rqspinlock unlock
Since out-of-order unlocks are unsupported for rqspinlock, and irqsave variants enforce strict FIFO ordering anyway, make the same change for normal non-irqsave variants, such that FIFO ordering is enforced. Two new verifier state fields (active_lock_id, active_lock_ptr) are used to denote the top of the stack, and prev_id and prev_ptr are ascertained whenever popping the topmost entry through an unlock. Take special care to make these fields part of the state comparison in refsafe. Signed-off-by: Kumar Kartikeya Dwivedi <[email protected]>
1 parent dc91353 commit a7aba34

File tree

2 files changed

+31
-5
lines changed

2 files changed

+31
-5
lines changed

include/linux/bpf_verifier.h

+3
Original file line numberDiff line numberDiff line change
@@ -268,6 +268,7 @@ struct bpf_reference_state {
268268
REF_TYPE_LOCK = (1 << 3),
269269
REF_TYPE_RES_LOCK = (1 << 4),
270270
REF_TYPE_RES_LOCK_IRQ = (1 << 5),
271+
REF_TYPE_LOCK_MASK = REF_TYPE_LOCK | REF_TYPE_RES_LOCK | REF_TYPE_RES_LOCK_IRQ,
271272
} type;
272273
/* Track each reference created with a unique id, even if the same
273274
* instruction creates the reference multiple times (eg, via CALL).
@@ -434,6 +435,8 @@ struct bpf_verifier_state {
434435
u32 active_locks;
435436
u32 active_preempt_locks;
436437
u32 active_irq_id;
438+
u32 active_lock_id;
439+
void *active_lock_ptr;
437440
bool active_rcu_lock;
438441

439442
bool speculative;

kernel/bpf/verifier.c

+28-5
Original file line numberDiff line numberDiff line change
@@ -1421,6 +1421,8 @@ static int copy_reference_state(struct bpf_verifier_state *dst, const struct bpf
14211421
dst->active_preempt_locks = src->active_preempt_locks;
14221422
dst->active_rcu_lock = src->active_rcu_lock;
14231423
dst->active_irq_id = src->active_irq_id;
1424+
dst->active_lock_id = src->active_lock_id;
1425+
dst->active_lock_ptr = src->active_lock_ptr;
14241426
return 0;
14251427
}
14261428

@@ -1520,6 +1522,8 @@ static int acquire_lock_state(struct bpf_verifier_env *env, int insn_idx, enum r
15201522
s->ptr = ptr;
15211523

15221524
state->active_locks++;
1525+
state->active_lock_id = id;
1526+
state->active_lock_ptr = ptr;
15231527
return 0;
15241528
}
15251529

@@ -1570,16 +1574,24 @@ static bool find_reference_state(struct bpf_verifier_state *state, int ptr_id)
15701574

15711575
static int release_lock_state(struct bpf_verifier_state *state, int type, int id, void *ptr)
15721576
{
1577+
void *prev_ptr = NULL;
1578+
u32 prev_id = 0;
15731579
int i;
15741580

15751581
for (i = 0; i < state->acquired_refs; i++) {
1576-
if (state->refs[i].type != type)
1577-
continue;
1578-
if (state->refs[i].id == id && state->refs[i].ptr == ptr) {
1582+
if (state->refs[i].type == type && state->refs[i].id == id &&
1583+
state->refs[i].ptr == ptr) {
15791584
release_reference_state(state, i);
15801585
state->active_locks--;
1586+
/* Reassign active lock (id, ptr). */
1587+
state->active_lock_id = prev_id;
1588+
state->active_lock_ptr = prev_ptr;
15811589
return 0;
15821590
}
1591+
if (state->refs[i].type & REF_TYPE_LOCK_MASK) {
1592+
prev_id = state->refs[i].id;
1593+
prev_ptr = state->refs[i].ptr;
1594+
}
15831595
}
15841596
return -EINVAL;
15851597
}
@@ -8283,6 +8295,14 @@ static int process_spin_lock(struct bpf_verifier_env *env, int regno, int flags)
82838295
type = REF_TYPE_RES_LOCK;
82848296
else
82858297
type = REF_TYPE_LOCK;
8298+
if (!find_lock_state(cur, type, reg->id, ptr)) {
8299+
verbose(env, "%s_unlock of different lock\n", lock_str);
8300+
return -EINVAL;
8301+
}
8302+
if (reg->id != cur->active_lock_id || ptr != cur->active_lock_ptr) {
8303+
verbose(env, "%s_unlock cannot be out of order\n", lock_str);
8304+
return -EINVAL;
8305+
}
82868306
if (release_lock_state(cur, type, reg->id, ptr)) {
82878307
verbose(env, "%s_unlock of different lock\n", lock_str);
82888308
return -EINVAL;
@@ -12475,8 +12495,7 @@ static int check_reg_allocation_locked(struct bpf_verifier_env *env, struct bpf_
1247512495

1247612496
if (!env->cur_state->active_locks)
1247712497
return -EINVAL;
12478-
s = find_lock_state(env->cur_state, REF_TYPE_LOCK | REF_TYPE_RES_LOCK | REF_TYPE_RES_LOCK_IRQ,
12479-
id, ptr);
12498+
s = find_lock_state(env->cur_state, REF_TYPE_LOCK_MASK, id, ptr);
1248012499
if (!s) {
1248112500
verbose(env, "held lock and object are not in the same allocation\n");
1248212501
return -EINVAL;
@@ -18531,6 +18550,10 @@ static bool refsafe(struct bpf_verifier_state *old, struct bpf_verifier_state *c
1853118550
if (!check_ids(old->active_irq_id, cur->active_irq_id, idmap))
1853218551
return false;
1853318552

18553+
if (!check_ids(old->active_lock_id, cur->active_lock_id, idmap) ||
18554+
old->active_lock_ptr != cur->active_lock_ptr)
18555+
return false;
18556+
1853418557
for (i = 0; i < old->acquired_refs; i++) {
1853518558
if (!check_ids(old->refs[i].id, cur->refs[i].id, idmap) ||
1853618559
old->refs[i].type != cur->refs[i].type)

0 commit comments

Comments
 (0)