Skip to content

Commit 7f16d2a

Browse files
author
Alexei Starovoitov
committed
Merge branch 'Introduce composable bpf types'
Hao Luo says: ==================== This patch set consists of two changes: - a cleanup of arg_type, ret_type and reg_type which try to make those types composable. (patch 1/9 - patch 6/9) - a bug fix that prevents bpf programs from writing kernel memory. (patch 7/9 - patch 9/9) The purpose of the cleanup is to find a scalable way to express type nullness and read-onliness. This patchset introduces two flags that can be applied on all three types: PTR_MAYBE_NULL and MEM_RDONLY. Previous types such as ARG_XXX_OR_NULL can now be written as ARG_XXX | PTR_MAYBE_NULL Similarly, PTR_TO_RDONLY_BUF is now "PTR_TO_BUF | MEM_RDONLY". Flags can be composed, as ARGs can be both MEM_RDONLY and MAYBE_NULL. ARG_PTR_TO_MEM | PTR_MAYBE_NULL | MEM_RDONLY Based on this new composable types, patch 7/9 applies MEM_RDONLY on PTR_TO_MEM, in order to tag the returned memory from per_cpu_ptr as read-only. Therefore fixing a previous bug that one can leverage per_cpu_ptr to modify kernel memory within BPF programs. Patch 8/9 generalizes the use of MEM_RDONLY further by tagging a set of helper arguments ARG_PTR_TO_MEM with MEM_RDONLY. Some helper functions may override their arguments, such as bpf_d_path, bpf_snprintf. In this patch, we narrow the ARG_PTR_TO_MEM to be compatible with only a subset of memory types. This prevents these helpers from writing read-only memories. For the helpers that do not write its arguments, we add tag MEM_RDONLY to allow taking a RDONLY memory as argument. Changes since v1: - use %u to print base_type(type) instead of %lu. (Andrii, patch 3/9) - improve reg_type_str() by appending '_or_null' and prepending 'rdonly_'. use preallocated buffer in 'bpf_env'. - unified handling of the previous XXX_OR_NULL in adjust_ptr_min_max_vals (Andrii, patch 4/9) - move PTR_TO_MAP_KEY up to PTR_TO_MAP_VALUE so that we don't have to change to drivers that assume the numeric values of bpf_reg. (patch 4/9) - reintroduce the typo from previous commits in fixes tags (Andrii, patch 7/9) - extensive comments on the reason behind folding flags in check_reg_type (Andrii, patch 8/9) Changes since RFC v2: - renamed BPF_BASE_TYPE to a more succinct name base_type and move its definition to bpf_verifier.h. Same for BPF_TYPE_FLAG. (Alexei) - made checking MEM_RDONLY in check_reg_type() universal (Alexei) - ran through majority of test_progs and fixed bugs in RFC v2: - fixed incorrect BPF_BASE_TYPE_MASK. The high bit of GENMASK should be BITS - 1, rather than BITS. patch 1/9. - fixed incorrect conditions when checking ARG_PTR_TO_MAP_VALUE in check_func_arg(). See patch 2/9. - fixed a bug where PTR_TO_BTF_ID may be combined with MEM_RDONLY, causing the check in check_mem_access() to fall through to the 'else' branch. See check_helper_call() in patch 7/9. - fixed build failure on netronome driver. Entries in bpf_reg_type have been ordered. patch 4/9. - fixed build warnings of using '%d' to print base_type. patch 4/9 - unify arg_type_may_be_null() and reg_type_may_be_null() into a single type_may_be_null(). Previous versions: v1: https://lwn.net/Articles/877938/ RFC v2: https://lwn.net/Articles/877171/ RFC v1: https://lore.kernel.org/bpf/[email protected]/T/ https://lore.kernel.org/bpf/[email protected]/T/ ==================== Signed-off-by: Alexei Starovoitov <[email protected]>
2 parents e967a20 + 9497c45 commit 7f16d2a

File tree

15 files changed

+443
-335
lines changed

15 files changed

+443
-335
lines changed

include/linux/bpf.h

Lines changed: 77 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -297,6 +297,34 @@ bool bpf_map_meta_equal(const struct bpf_map *meta0,
297297

298298
extern const struct bpf_map_ops bpf_map_offload_ops;
299299

300+
/* bpf_type_flag contains a set of flags that are applicable to the values of
301+
* arg_type, ret_type and reg_type. For example, a pointer value may be null,
302+
* or a memory is read-only. We classify types into two categories: base types
303+
* and extended types. Extended types are base types combined with a type flag.
304+
*
305+
* Currently there are no more than 32 base types in arg_type, ret_type and
306+
* reg_types.
307+
*/
308+
#define BPF_BASE_TYPE_BITS 8
309+
310+
enum bpf_type_flag {
311+
/* PTR may be NULL. */
312+
PTR_MAYBE_NULL = BIT(0 + BPF_BASE_TYPE_BITS),
313+
314+
/* MEM is read-only. When applied on bpf_arg, it indicates the arg is
315+
* compatible with both mutable and immutable memory.
316+
*/
317+
MEM_RDONLY = BIT(1 + BPF_BASE_TYPE_BITS),
318+
319+
__BPF_TYPE_LAST_FLAG = MEM_RDONLY,
320+
};
321+
322+
/* Max number of base types. */
323+
#define BPF_BASE_TYPE_LIMIT (1UL << BPF_BASE_TYPE_BITS)
324+
325+
/* Max number of all types. */
326+
#define BPF_TYPE_LIMIT (__BPF_TYPE_LAST_FLAG | (__BPF_TYPE_LAST_FLAG - 1))
327+
300328
/* function argument constraints */
301329
enum bpf_arg_type {
302330
ARG_DONTCARE = 0, /* unused argument in helper function */
@@ -308,13 +336,11 @@ enum bpf_arg_type {
308336
ARG_PTR_TO_MAP_KEY, /* pointer to stack used as map key */
309337
ARG_PTR_TO_MAP_VALUE, /* pointer to stack used as map value */
310338
ARG_PTR_TO_UNINIT_MAP_VALUE, /* pointer to valid memory used to store a map value */
311-
ARG_PTR_TO_MAP_VALUE_OR_NULL, /* pointer to stack used as map value or NULL */
312339

313340
/* the following constraints used to prototype bpf_memcmp() and other
314341
* functions that access data on eBPF program stack
315342
*/
316343
ARG_PTR_TO_MEM, /* pointer to valid memory (stack, packet, map value) */
317-
ARG_PTR_TO_MEM_OR_NULL, /* pointer to valid memory or NULL */
318344
ARG_PTR_TO_UNINIT_MEM, /* pointer to memory does not need to be initialized,
319345
* helper function must fill all bytes or clear
320346
* them in error case.
@@ -324,42 +350,65 @@ enum bpf_arg_type {
324350
ARG_CONST_SIZE_OR_ZERO, /* number of bytes accessed from memory or 0 */
325351

326352
ARG_PTR_TO_CTX, /* pointer to context */
327-
ARG_PTR_TO_CTX_OR_NULL, /* pointer to context or NULL */
328353
ARG_ANYTHING, /* any (initialized) argument is ok */
329354
ARG_PTR_TO_SPIN_LOCK, /* pointer to bpf_spin_lock */
330355
ARG_PTR_TO_SOCK_COMMON, /* pointer to sock_common */
331356
ARG_PTR_TO_INT, /* pointer to int */
332357
ARG_PTR_TO_LONG, /* pointer to long */
333358
ARG_PTR_TO_SOCKET, /* pointer to bpf_sock (fullsock) */
334-
ARG_PTR_TO_SOCKET_OR_NULL, /* pointer to bpf_sock (fullsock) or NULL */
335359
ARG_PTR_TO_BTF_ID, /* pointer to in-kernel struct */
336360
ARG_PTR_TO_ALLOC_MEM, /* pointer to dynamically allocated memory */
337-
ARG_PTR_TO_ALLOC_MEM_OR_NULL, /* pointer to dynamically allocated memory or NULL */
338361
ARG_CONST_ALLOC_SIZE_OR_ZERO, /* number of allocated bytes requested */
339362
ARG_PTR_TO_BTF_ID_SOCK_COMMON, /* pointer to in-kernel sock_common or bpf-mirrored bpf_sock */
340363
ARG_PTR_TO_PERCPU_BTF_ID, /* pointer to in-kernel percpu type */
341364
ARG_PTR_TO_FUNC, /* pointer to a bpf program function */
342-
ARG_PTR_TO_STACK_OR_NULL, /* pointer to stack or NULL */
365+
ARG_PTR_TO_STACK, /* pointer to stack */
343366
ARG_PTR_TO_CONST_STR, /* pointer to a null terminated read-only string */
344367
ARG_PTR_TO_TIMER, /* pointer to bpf_timer */
345368
__BPF_ARG_TYPE_MAX,
369+
370+
/* Extended arg_types. */
371+
ARG_PTR_TO_MAP_VALUE_OR_NULL = PTR_MAYBE_NULL | ARG_PTR_TO_MAP_VALUE,
372+
ARG_PTR_TO_MEM_OR_NULL = PTR_MAYBE_NULL | ARG_PTR_TO_MEM,
373+
ARG_PTR_TO_CTX_OR_NULL = PTR_MAYBE_NULL | ARG_PTR_TO_CTX,
374+
ARG_PTR_TO_SOCKET_OR_NULL = PTR_MAYBE_NULL | ARG_PTR_TO_SOCKET,
375+
ARG_PTR_TO_ALLOC_MEM_OR_NULL = PTR_MAYBE_NULL | ARG_PTR_TO_ALLOC_MEM,
376+
ARG_PTR_TO_STACK_OR_NULL = PTR_MAYBE_NULL | ARG_PTR_TO_STACK,
377+
378+
/* This must be the last entry. Its purpose is to ensure the enum is
379+
* wide enough to hold the higher bits reserved for bpf_type_flag.
380+
*/
381+
__BPF_ARG_TYPE_LIMIT = BPF_TYPE_LIMIT,
346382
};
383+
static_assert(__BPF_ARG_TYPE_MAX <= BPF_BASE_TYPE_LIMIT);
347384

348385
/* type of values returned from helper functions */
349386
enum bpf_return_type {
350387
RET_INTEGER, /* function returns integer */
351388
RET_VOID, /* function doesn't return anything */
352389
RET_PTR_TO_MAP_VALUE, /* returns a pointer to map elem value */
353-
RET_PTR_TO_MAP_VALUE_OR_NULL, /* returns a pointer to map elem value or NULL */
354-
RET_PTR_TO_SOCKET_OR_NULL, /* returns a pointer to a socket or NULL */
355-
RET_PTR_TO_TCP_SOCK_OR_NULL, /* returns a pointer to a tcp_sock or NULL */
356-
RET_PTR_TO_SOCK_COMMON_OR_NULL, /* returns a pointer to a sock_common or NULL */
357-
RET_PTR_TO_ALLOC_MEM_OR_NULL, /* returns a pointer to dynamically allocated memory or NULL */
358-
RET_PTR_TO_BTF_ID_OR_NULL, /* returns a pointer to a btf_id or NULL */
359-
RET_PTR_TO_MEM_OR_BTF_ID_OR_NULL, /* returns a pointer to a valid memory or a btf_id or NULL */
390+
RET_PTR_TO_SOCKET, /* returns a pointer to a socket */
391+
RET_PTR_TO_TCP_SOCK, /* returns a pointer to a tcp_sock */
392+
RET_PTR_TO_SOCK_COMMON, /* returns a pointer to a sock_common */
393+
RET_PTR_TO_ALLOC_MEM, /* returns a pointer to dynamically allocated memory */
360394
RET_PTR_TO_MEM_OR_BTF_ID, /* returns a pointer to a valid memory or a btf_id */
361395
RET_PTR_TO_BTF_ID, /* returns a pointer to a btf_id */
396+
__BPF_RET_TYPE_MAX,
397+
398+
/* Extended ret_types. */
399+
RET_PTR_TO_MAP_VALUE_OR_NULL = PTR_MAYBE_NULL | RET_PTR_TO_MAP_VALUE,
400+
RET_PTR_TO_SOCKET_OR_NULL = PTR_MAYBE_NULL | RET_PTR_TO_SOCKET,
401+
RET_PTR_TO_TCP_SOCK_OR_NULL = PTR_MAYBE_NULL | RET_PTR_TO_TCP_SOCK,
402+
RET_PTR_TO_SOCK_COMMON_OR_NULL = PTR_MAYBE_NULL | RET_PTR_TO_SOCK_COMMON,
403+
RET_PTR_TO_ALLOC_MEM_OR_NULL = PTR_MAYBE_NULL | RET_PTR_TO_ALLOC_MEM,
404+
RET_PTR_TO_BTF_ID_OR_NULL = PTR_MAYBE_NULL | RET_PTR_TO_BTF_ID,
405+
406+
/* This must be the last entry. Its purpose is to ensure the enum is
407+
* wide enough to hold the higher bits reserved for bpf_type_flag.
408+
*/
409+
__BPF_RET_TYPE_LIMIT = BPF_TYPE_LIMIT,
362410
};
411+
static_assert(__BPF_RET_TYPE_MAX <= BPF_BASE_TYPE_LIMIT);
363412

364413
/* eBPF function prototype used by verifier to allow BPF_CALLs from eBPF programs
365414
* to in-kernel helper functions and for adjusting imm32 field in BPF_CALL
@@ -421,18 +470,15 @@ enum bpf_reg_type {
421470
PTR_TO_CTX, /* reg points to bpf_context */
422471
CONST_PTR_TO_MAP, /* reg points to struct bpf_map */
423472
PTR_TO_MAP_VALUE, /* reg points to map element value */
424-
PTR_TO_MAP_VALUE_OR_NULL,/* points to map elem value or NULL */
473+
PTR_TO_MAP_KEY, /* reg points to a map element key */
425474
PTR_TO_STACK, /* reg == frame_pointer + offset */
426475
PTR_TO_PACKET_META, /* skb->data - meta_len */
427476
PTR_TO_PACKET, /* reg points to skb->data */
428477
PTR_TO_PACKET_END, /* skb->data + headlen */
429478
PTR_TO_FLOW_KEYS, /* reg points to bpf_flow_keys */
430479
PTR_TO_SOCKET, /* reg points to struct bpf_sock */
431-
PTR_TO_SOCKET_OR_NULL, /* reg points to struct bpf_sock or NULL */
432480
PTR_TO_SOCK_COMMON, /* reg points to sock_common */
433-
PTR_TO_SOCK_COMMON_OR_NULL, /* reg points to sock_common or NULL */
434481
PTR_TO_TCP_SOCK, /* reg points to struct tcp_sock */
435-
PTR_TO_TCP_SOCK_OR_NULL, /* reg points to struct tcp_sock or NULL */
436482
PTR_TO_TP_BUFFER, /* reg points to a writable raw tp's buffer */
437483
PTR_TO_XDP_SOCK, /* reg points to struct xdp_sock */
438484
/* PTR_TO_BTF_ID points to a kernel struct that does not need
@@ -450,18 +496,25 @@ enum bpf_reg_type {
450496
* been checked for null. Used primarily to inform the verifier
451497
* an explicit null check is required for this struct.
452498
*/
453-
PTR_TO_BTF_ID_OR_NULL,
454499
PTR_TO_MEM, /* reg points to valid memory region */
455-
PTR_TO_MEM_OR_NULL, /* reg points to valid memory region or NULL */
456-
PTR_TO_RDONLY_BUF, /* reg points to a readonly buffer */
457-
PTR_TO_RDONLY_BUF_OR_NULL, /* reg points to a readonly buffer or NULL */
458-
PTR_TO_RDWR_BUF, /* reg points to a read/write buffer */
459-
PTR_TO_RDWR_BUF_OR_NULL, /* reg points to a read/write buffer or NULL */
500+
PTR_TO_BUF, /* reg points to a read/write buffer */
460501
PTR_TO_PERCPU_BTF_ID, /* reg points to a percpu kernel variable */
461502
PTR_TO_FUNC, /* reg points to a bpf program function */
462-
PTR_TO_MAP_KEY, /* reg points to a map element key */
463503
__BPF_REG_TYPE_MAX,
504+
505+
/* Extended reg_types. */
506+
PTR_TO_MAP_VALUE_OR_NULL = PTR_MAYBE_NULL | PTR_TO_MAP_VALUE,
507+
PTR_TO_SOCKET_OR_NULL = PTR_MAYBE_NULL | PTR_TO_SOCKET,
508+
PTR_TO_SOCK_COMMON_OR_NULL = PTR_MAYBE_NULL | PTR_TO_SOCK_COMMON,
509+
PTR_TO_TCP_SOCK_OR_NULL = PTR_MAYBE_NULL | PTR_TO_TCP_SOCK,
510+
PTR_TO_BTF_ID_OR_NULL = PTR_MAYBE_NULL | PTR_TO_BTF_ID,
511+
512+
/* This must be the last entry. Its purpose is to ensure the enum is
513+
* wide enough to hold the higher bits reserved for bpf_type_flag.
514+
*/
515+
__BPF_REG_TYPE_LIMIT = BPF_TYPE_LIMIT,
464516
};
517+
static_assert(__BPF_REG_TYPE_MAX <= BPF_BASE_TYPE_LIMIT);
465518

466519
/* The information passed from prog-specific *_is_valid_access
467520
* back to the verifier.

include/linux/bpf_verifier.h

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,8 @@
1818
* that converting umax_value to int cannot overflow.
1919
*/
2020
#define BPF_MAX_VAR_SIZ (1 << 29)
21+
/* size of type_str_buf in bpf_verifier. */
22+
#define TYPE_STR_BUF_LEN 64
2123

2224
/* Liveness marks, used for registers and spilled-regs (in stack slots).
2325
* Read marks propagate upwards until they find a write mark; they record that
@@ -484,6 +486,8 @@ struct bpf_verifier_env {
484486
/* Same as scratched_regs but for stack slots */
485487
u64 scratched_stack_slots;
486488
u32 prev_log_len, prev_insn_print_len;
489+
/* buffer used in reg_type_str() to generate reg_type string */
490+
char type_str_buf[TYPE_STR_BUF_LEN];
487491
};
488492

489493
__printf(2, 0) void bpf_verifier_vlog(struct bpf_verifier_log *log,
@@ -546,5 +550,18 @@ int bpf_check_attach_target(struct bpf_verifier_log *log,
546550
struct bpf_attach_target_info *tgt_info);
547551
void bpf_free_kfunc_btf_tab(struct bpf_kfunc_btf_tab *tab);
548552

553+
#define BPF_BASE_TYPE_MASK GENMASK(BPF_BASE_TYPE_BITS - 1, 0)
554+
555+
/* extract base type from bpf_{arg, return, reg}_type. */
556+
static inline u32 base_type(u32 type)
557+
{
558+
return type & BPF_BASE_TYPE_MASK;
559+
}
560+
561+
/* extract flags from an extended type. See bpf_type_flag in bpf.h. */
562+
static inline u32 type_flag(u32 type)
563+
{
564+
return type & ~BPF_BASE_TYPE_MASK;
565+
}
549566

550567
#endif /* _LINUX_BPF_VERIFIER_H */

kernel/bpf/btf.c

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -4940,10 +4940,12 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type,
49404940
/* check for PTR_TO_RDONLY_BUF_OR_NULL or PTR_TO_RDWR_BUF_OR_NULL */
49414941
for (i = 0; i < prog->aux->ctx_arg_info_size; i++) {
49424942
const struct bpf_ctx_arg_aux *ctx_arg_info = &prog->aux->ctx_arg_info[i];
4943+
u32 type, flag;
49434944

4944-
if (ctx_arg_info->offset == off &&
4945-
(ctx_arg_info->reg_type == PTR_TO_RDONLY_BUF_OR_NULL ||
4946-
ctx_arg_info->reg_type == PTR_TO_RDWR_BUF_OR_NULL)) {
4945+
type = base_type(ctx_arg_info->reg_type);
4946+
flag = type_flag(ctx_arg_info->reg_type);
4947+
if (ctx_arg_info->offset == off && type == PTR_TO_BUF &&
4948+
(flag & PTR_MAYBE_NULL)) {
49474949
info->reg_type = ctx_arg_info->reg_type;
49484950
return true;
49494951
}
@@ -5857,7 +5859,7 @@ int btf_prepare_func_args(struct bpf_verifier_env *env, int subprog,
58575859
return -EINVAL;
58585860
}
58595861

5860-
reg->type = PTR_TO_MEM_OR_NULL;
5862+
reg->type = PTR_TO_MEM | PTR_MAYBE_NULL;
58615863
reg->id = ++env->id_gen;
58625864

58635865
continue;
@@ -6351,7 +6353,7 @@ const struct bpf_func_proto bpf_btf_find_by_name_kind_proto = {
63516353
.func = bpf_btf_find_by_name_kind,
63526354
.gpl_only = false,
63536355
.ret_type = RET_INTEGER,
6354-
.arg1_type = ARG_PTR_TO_MEM,
6356+
.arg1_type = ARG_PTR_TO_MEM | MEM_RDONLY,
63556357
.arg2_type = ARG_CONST_SIZE,
63566358
.arg3_type = ARG_ANYTHING,
63576359
.arg4_type = ARG_ANYTHING,

kernel/bpf/cgroup.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1789,7 +1789,7 @@ static const struct bpf_func_proto bpf_sysctl_set_new_value_proto = {
17891789
.gpl_only = false,
17901790
.ret_type = RET_INTEGER,
17911791
.arg1_type = ARG_PTR_TO_CTX,
1792-
.arg2_type = ARG_PTR_TO_MEM,
1792+
.arg2_type = ARG_PTR_TO_MEM | MEM_RDONLY,
17931793
.arg3_type = ARG_CONST_SIZE,
17941794
};
17951795

kernel/bpf/helpers.c

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -531,7 +531,7 @@ const struct bpf_func_proto bpf_strtol_proto = {
531531
.func = bpf_strtol,
532532
.gpl_only = false,
533533
.ret_type = RET_INTEGER,
534-
.arg1_type = ARG_PTR_TO_MEM,
534+
.arg1_type = ARG_PTR_TO_MEM | MEM_RDONLY,
535535
.arg2_type = ARG_CONST_SIZE,
536536
.arg3_type = ARG_ANYTHING,
537537
.arg4_type = ARG_PTR_TO_LONG,
@@ -559,7 +559,7 @@ const struct bpf_func_proto bpf_strtoul_proto = {
559559
.func = bpf_strtoul,
560560
.gpl_only = false,
561561
.ret_type = RET_INTEGER,
562-
.arg1_type = ARG_PTR_TO_MEM,
562+
.arg1_type = ARG_PTR_TO_MEM | MEM_RDONLY,
563563
.arg2_type = ARG_CONST_SIZE,
564564
.arg3_type = ARG_ANYTHING,
565565
.arg4_type = ARG_PTR_TO_LONG,
@@ -645,7 +645,7 @@ const struct bpf_func_proto bpf_event_output_data_proto = {
645645
.arg1_type = ARG_PTR_TO_CTX,
646646
.arg2_type = ARG_CONST_MAP_PTR,
647647
.arg3_type = ARG_ANYTHING,
648-
.arg4_type = ARG_PTR_TO_MEM,
648+
.arg4_type = ARG_PTR_TO_MEM | MEM_RDONLY,
649649
.arg5_type = ARG_CONST_SIZE_OR_ZERO,
650650
};
651651

@@ -682,7 +682,7 @@ BPF_CALL_2(bpf_per_cpu_ptr, const void *, ptr, u32, cpu)
682682
const struct bpf_func_proto bpf_per_cpu_ptr_proto = {
683683
.func = bpf_per_cpu_ptr,
684684
.gpl_only = false,
685-
.ret_type = RET_PTR_TO_MEM_OR_BTF_ID_OR_NULL,
685+
.ret_type = RET_PTR_TO_MEM_OR_BTF_ID | PTR_MAYBE_NULL | MEM_RDONLY,
686686
.arg1_type = ARG_PTR_TO_PERCPU_BTF_ID,
687687
.arg2_type = ARG_ANYTHING,
688688
};
@@ -695,7 +695,7 @@ BPF_CALL_1(bpf_this_cpu_ptr, const void *, percpu_ptr)
695695
const struct bpf_func_proto bpf_this_cpu_ptr_proto = {
696696
.func = bpf_this_cpu_ptr,
697697
.gpl_only = false,
698-
.ret_type = RET_PTR_TO_MEM_OR_BTF_ID,
698+
.ret_type = RET_PTR_TO_MEM_OR_BTF_ID | MEM_RDONLY,
699699
.arg1_type = ARG_PTR_TO_PERCPU_BTF_ID,
700700
};
701701

@@ -1026,7 +1026,7 @@ const struct bpf_func_proto bpf_snprintf_proto = {
10261026
.arg1_type = ARG_PTR_TO_MEM_OR_NULL,
10271027
.arg2_type = ARG_CONST_SIZE_OR_ZERO,
10281028
.arg3_type = ARG_PTR_TO_CONST_STR,
1029-
.arg4_type = ARG_PTR_TO_MEM_OR_NULL,
1029+
.arg4_type = ARG_PTR_TO_MEM | PTR_MAYBE_NULL | MEM_RDONLY,
10301030
.arg5_type = ARG_CONST_SIZE_OR_ZERO,
10311031
};
10321032

kernel/bpf/map_iter.c

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -174,9 +174,9 @@ static const struct bpf_iter_reg bpf_map_elem_reg_info = {
174174
.ctx_arg_info_size = 2,
175175
.ctx_arg_info = {
176176
{ offsetof(struct bpf_iter__bpf_map_elem, key),
177-
PTR_TO_RDONLY_BUF_OR_NULL },
177+
PTR_TO_BUF | PTR_MAYBE_NULL | MEM_RDONLY },
178178
{ offsetof(struct bpf_iter__bpf_map_elem, value),
179-
PTR_TO_RDWR_BUF_OR_NULL },
179+
PTR_TO_BUF | PTR_MAYBE_NULL },
180180
},
181181
};
182182

kernel/bpf/ringbuf.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -444,7 +444,7 @@ const struct bpf_func_proto bpf_ringbuf_output_proto = {
444444
.func = bpf_ringbuf_output,
445445
.ret_type = RET_INTEGER,
446446
.arg1_type = ARG_CONST_MAP_PTR,
447-
.arg2_type = ARG_PTR_TO_MEM,
447+
.arg2_type = ARG_PTR_TO_MEM | MEM_RDONLY,
448448
.arg3_type = ARG_CONST_SIZE_OR_ZERO,
449449
.arg4_type = ARG_ANYTHING,
450450
};

kernel/bpf/syscall.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4773,7 +4773,7 @@ static const struct bpf_func_proto bpf_sys_bpf_proto = {
47734773
.gpl_only = false,
47744774
.ret_type = RET_INTEGER,
47754775
.arg1_type = ARG_ANYTHING,
4776-
.arg2_type = ARG_PTR_TO_MEM,
4776+
.arg2_type = ARG_PTR_TO_MEM | MEM_RDONLY,
47774777
.arg3_type = ARG_CONST_SIZE,
47784778
};
47794779

0 commit comments

Comments
 (0)