bpf: Refactor {acquire,release}_reference_state

In preparation for introducing support for more reference types which
have to add and remove reference state, refactor the
acquire_reference_state and release_reference_state functions to share
common logic.

The acquire_reference_state function simply handles growing the acquired
refs and returning the pointer to the new uninitialized element, which
can be filled in by the caller.

The release_reference_state function simply erases a reference state
entry in the acquired_refs array and shrinks it. The callers are
responsible for finding the suitable element by matching on various
fields of the reference state and requesting deletion through this
function. It is not supposed to be called directly.

Existing callers of release_reference_state were using it to find and
remove state for a given ref_obj_id without scrubbing the associated
registers in the verifier state. Introduce release_reference_nomark to
provide this functionality and convert callers. We now use this new
release_reference_nomark function within release_reference as well.
It needs to operate on a verifier state instead of taking verifier env
as mark_ptr_or_null_regs requires operating on verifier state of the
two branches of a NULL condition check, therefore env->cur_state cannot
be used directly.

Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20241204030400.208005-3-memxor@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 019c56c782a2d20849fe28a0fd3823b124d1649c..41b3dc1ce450edaf223b21e8936b63c220d7bd29 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -196,7 +196,8 @@ struct bpf_verifier_stack_elem {
 
 #define BPF_PRIV_STACK_MIN_SIZE                64
 
-static int acquire_reference_state(struct bpf_verifier_env *env, int insn_idx);
+static int acquire_reference(struct bpf_verifier_env *env, int insn_idx);
+static int release_reference_nomark(struct bpf_verifier_state *state, int ref_obj_id);
 static int release_reference(struct bpf_verifier_env *env, int ref_obj_id);
 static void invalidate_non_owning_refs(struct bpf_verifier_env *env);
 static bool in_rbtree_lock_required_cb(struct bpf_verifier_env *env);
@@ -771,7 +772,7 @@ static int mark_stack_slots_dynptr(struct bpf_verifier_env *env, struct bpf_reg_
                if (clone_ref_obj_id)
                        id = clone_ref_obj_id;
                else
-                       id = acquire_reference_state(env, insn_idx);
+                       id = acquire_reference(env, insn_idx);
 
                if (id < 0)
                        return id;
@@ -1033,7 +1034,7 @@ static int mark_stack_slots_iter(struct bpf_verifier_env *env,
        if (spi < 0)
                return spi;
 
-       id = acquire_reference_state(env, insn_idx);
+       id = acquire_reference(env, insn_idx);
        if (id < 0)
                return id;
 
@@ -1349,77 +1350,68 @@ static int grow_stack_state(struct bpf_verifier_env *env, struct bpf_func_state
  * On success, returns a valid pointer id to associate with the register
  * On failure, returns a negative errno.
  */
-static int acquire_reference_state(struct bpf_verifier_env *env, int insn_idx)
+static struct bpf_reference_state *acquire_reference_state(struct bpf_verifier_env *env, int insn_idx)
 {
        struct bpf_verifier_state *state = env->cur_state;
        int new_ofs = state->acquired_refs;
-       int id, err;
+       int err;
 
        err = resize_reference_state(state, state->acquired_refs + 1);
        if (err)
-               return err;
-       id = ++env->id_gen;
-       state->refs[new_ofs].type = REF_TYPE_PTR;
-       state->refs[new_ofs].id = id;
+               return NULL;
        state->refs[new_ofs].insn_idx = insn_idx;
 
-       return id;
+       return &state->refs[new_ofs];
+}
+
+static int acquire_reference(struct bpf_verifier_env *env, int insn_idx)
+{
+       struct bpf_reference_state *s;
+
+       s = acquire_reference_state(env, insn_idx);
+       if (!s)
+               return -ENOMEM;
+       s->type = REF_TYPE_PTR;
+       s->id = ++env->id_gen;
+       return s->id;
 }
 
 static int acquire_lock_state(struct bpf_verifier_env *env, int insn_idx, enum ref_state_type type,
                              int id, void *ptr)
 {
        struct bpf_verifier_state *state = env->cur_state;
-       int new_ofs = state->acquired_refs;
-       int err;
+       struct bpf_reference_state *s;
 
-       err = resize_reference_state(state, state->acquired_refs + 1);
-       if (err)
-               return err;
-       state->refs[new_ofs].type = type;
-       state->refs[new_ofs].id = id;
-       state->refs[new_ofs].insn_idx = insn_idx;
-       state->refs[new_ofs].ptr = ptr;
+       s = acquire_reference_state(env, insn_idx);
+       s->type = type;
+       s->id = id;
+       s->ptr = ptr;
 
        state->active_locks++;
        return 0;
 }
 
-/* release function corresponding to acquire_reference_state(). Idempotent. */
-static int release_reference_state(struct bpf_verifier_state *state, int ptr_id)
+static void release_reference_state(struct bpf_verifier_state *state, int idx)
 {
-       int i, last_idx;
+       int last_idx;
 
        last_idx = state->acquired_refs - 1;
-       for (i = 0; i < state->acquired_refs; i++) {
-               if (state->refs[i].type != REF_TYPE_PTR)
-                       continue;
-               if (state->refs[i].id == ptr_id) {
-                       if (last_idx && i != last_idx)
-                               memcpy(&state->refs[i], &state->refs[last_idx],
-                                      sizeof(*state->refs));
-                       memset(&state->refs[last_idx], 0, sizeof(*state->refs));
-                       state->acquired_refs--;
-                       return 0;
-               }
-       }
-       return -EINVAL;
+       if (last_idx && idx != last_idx)
+               memcpy(&state->refs[idx], &state->refs[last_idx], sizeof(*state->refs));
+       memset(&state->refs[last_idx], 0, sizeof(*state->refs));
+       state->acquired_refs--;
+       return;
 }
 
 static int release_lock_state(struct bpf_verifier_state *state, int type, int id, void *ptr)
 {
-       int i, last_idx;
+       int i;
 
-       last_idx = state->acquired_refs - 1;
        for (i = 0; i < state->acquired_refs; i++) {
                if (state->refs[i].type != type)
                        continue;
                if (state->refs[i].id == id && state->refs[i].ptr == ptr) {
-                       if (last_idx && i != last_idx)
-                               memcpy(&state->refs[i], &state->refs[last_idx],
-                                      sizeof(*state->refs));
-                       memset(&state->refs[last_idx], 0, sizeof(*state->refs));
-                       state->acquired_refs--;
+                       release_reference_state(state, i);
                        state->active_locks--;
                        return 0;
                }
@@ -9666,21 +9658,38 @@ static void mark_pkt_end(struct bpf_verifier_state *vstate, int regn, bool range
                reg->range = AT_PKT_END;
 }
 
+static int release_reference_nomark(struct bpf_verifier_state *state, int ref_obj_id)
+{
+       int i;
+
+       for (i = 0; i < state->acquired_refs; i++) {
+               if (state->refs[i].type != REF_TYPE_PTR)
+                       continue;
+               if (state->refs[i].id == ref_obj_id) {
+                       release_reference_state(state, i);
+                       return 0;
+               }
+       }
+       return -EINVAL;
+}
+
 /* The pointer with the specified id has released its reference to kernel
  * resources. Identify all copies of the same pointer and clear the reference.
+ *
+ * This is the release function corresponding to acquire_reference(). Idempotent.
  */
-static int release_reference(struct bpf_verifier_env *env,
-                            int ref_obj_id)
+static int release_reference(struct bpf_verifier_env *env, int ref_obj_id)
 {
+       struct bpf_verifier_state *vstate = env->cur_state;
        struct bpf_func_state *state;
        struct bpf_reg_state *reg;
        int err;
 
-       err = release_reference_state(env->cur_state, ref_obj_id);
+       err = release_reference_nomark(vstate, ref_obj_id);
        if (err)
                return err;
 
-       bpf_for_each_reg_in_vstate(env->cur_state, state, reg, ({
+       bpf_for_each_reg_in_vstate(vstate, state, reg, ({
                if (reg->ref_obj_id == ref_obj_id)
                        mark_reg_invalid(env, reg);
        }));
@@ -10774,7 +10783,7 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
                        struct bpf_func_state *state;
                        struct bpf_reg_state *reg;
 
-                       err = release_reference_state(env->cur_state, ref_obj_id);
+                       err = release_reference_nomark(env->cur_state, ref_obj_id);
                        if (!err) {
                                bpf_for_each_reg_in_vstate(env->cur_state, state, reg, ({
                                        if (reg->ref_obj_id == ref_obj_id) {
@@ -11107,7 +11116,7 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
                /* For release_reference() */
                regs[BPF_REG_0].ref_obj_id = meta.ref_obj_id;
        } else if (is_acquire_function(func_id, meta.map_ptr)) {
-               int id = acquire_reference_state(env, insn_idx);
+               int id = acquire_reference(env, insn_idx);
 
                if (id < 0)
                        return id;
@@ -13087,7 +13096,7 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
                }
                mark_btf_func_reg_size(env, BPF_REG_0, sizeof(void *));
                if (is_kfunc_acquire(&meta)) {
-                       int id = acquire_reference_state(env, insn_idx);
+                       int id = acquire_reference(env, insn_idx);
 
                        if (id < 0)
                                return id;
@@ -15387,7 +15396,7 @@ static void mark_ptr_or_null_regs(struct bpf_verifier_state *vstate, u32 regno,
                 * No one could have freed the reference state before
                 * doing the NULL check.
                 */
-               WARN_ON_ONCE(release_reference_state(vstate, id));
+               WARN_ON_ONCE(release_reference_nomark(vstate, id));
 
        bpf_for_each_reg_in_vstate(vstate, state, reg, ({
                mark_ptr_or_null_reg(state, reg, id, is_null);