From patchwork Wed Sep 12 00:36:40 2018
X-Patchwork-Submitter: Joe Stringer
X-Patchwork-Id: 968785
X-Patchwork-Delegate: bpf@iogearbox.net
From: Joe Stringer
To: daniel@iogearbox.net
Cc: netdev@vger.kernel.org, ast@kernel.org, john.fastabend@gmail.com, tgraf@suug.ch, kafai@fb.com, nitin.hande@gmail.com, mauricio.vasquez@polito.it
Subject: [PATCH bpf-next 11/11] Documentation: Describe bpf reference tracking
Date: Tue, 11 Sep 2018 17:36:40 -0700
Message-Id: <20180912003640.28316-12-joe@wand.net.nz>
In-Reply-To: <20180912003640.28316-1-joe@wand.net.nz>
References: <20180912003640.28316-1-joe@wand.net.nz>

Signed-off-by: Joe Stringer
Acked-by: Alexei Starovoitov
---
 Documentation/networking/filter.txt | 64 +++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)
diff --git a/Documentation/networking/filter.txt b/Documentation/networking/filter.txt index e6b4ebb2b243..4443ce958862 100644 --- a/Documentation/networking/filter.txt +++ b/Documentation/networking/filter.txt @@ -1125,6 +1125,14 @@ pointer type. The types of pointers describe their base, as follows: PTR_TO_STACK Frame pointer. PTR_TO_PACKET skb->data. PTR_TO_PACKET_END skb->data + headlen; arithmetic forbidden. + PTR_TO_SOCKET Pointer to struct bpf_sock_ops, implicitly refcounted. + PTR_TO_SOCKET_OR_NULL + Either a pointer to a socket, or NULL; socket lookup + returns this type, which becomes a PTR_TO_SOCKET when + checked != NULL. PTR_TO_SOCKET is reference-counted, + so programs must release the reference through the + socket release function before the end of the program. + Arithmetic on these pointers is forbidden. However, a pointer may be offset from this base (as a result of pointer arithmetic), and this is tracked in two parts: the 'fixed offset' and 'variable offset'. The former is used when an exactly-known value (e.g. an immediate @@ -1171,6 +1179,13 @@ over the Ethernet header, then reads IHL and addes (IHL * 4), the resulting pointer will have a variable offset known to be 4n+2 for some n, so adding the 2 bytes (NET_IP_ALIGN) gives a 4-byte alignment and so word-sized accesses through that pointer are safe. +The 'id' field is also used on PTR_TO_SOCKET and PTR_TO_SOCKET_OR_NULL, common +to all copies of the pointer returned from a socket lookup. This has similar +behaviour to the handling for PTR_TO_MAP_VALUE_OR_NULL->PTR_TO_MAP_VALUE, but +it also handles reference tracking for the pointer. PTR_TO_SOCKET implicitly +represents a reference to the corresponding 'struct sock'. To ensure that the +reference is not leaked, it is imperative to NULL-check the reference and in +the non-NULL case, and pass the valid reference to the socket release function. Direct packet access -------------------- 
@@ -1444,6 +1459,55 @@ Error: 8: (7a) *(u64 *)(r0 +0) = 1 R0 invalid mem access 'imm' +Program that performs a socket lookup then sets the pointer to NULL without +checking it: +value: + BPF_MOV64_IMM(BPF_REG_2, 0), + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_MOV64_IMM(BPF_REG_3, 4), + BPF_MOV64_IMM(BPF_REG_4, 0), + BPF_MOV64_IMM(BPF_REG_5, 0), + BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), +Error: + 0: (b7) r2 = 0 + 1: (63) *(u32 *)(r10 -8) = r2 + 2: (bf) r2 = r10 + 3: (07) r2 += -8 + 4: (b7) r3 = 4 + 5: (b7) r4 = 0 + 6: (b7) r5 = 0 + 7: (85) call bpf_sk_lookup_tcp#65 + 8: (b7) r0 = 0 + 9: (95) exit + Unreleased reference id=1, alloc_insn=7 + +Program that performs a socket lookup but does not NULL-check the returned +value: + BPF_MOV64_IMM(BPF_REG_2, 0), + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_MOV64_IMM(BPF_REG_3, 4), + BPF_MOV64_IMM(BPF_REG_4, 0), + BPF_MOV64_IMM(BPF_REG_5, 0), + BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp), + BPF_EXIT_INSN(), +Error: + 0: (b7) r2 = 0 + 1: (63) *(u32 *)(r10 -8) = r2 + 2: (bf) r2 = r10 + 3: (07) r2 += -8 + 4: (b7) r3 = 4 + 5: (b7) r4 = 0 + 6: (b7) r5 = 0 + 7: (85) call bpf_sk_lookup_tcp#65 + 8: (95) exit + Unreleased reference id=1, alloc_insn=7 + Testing -------
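Review bot: In the first hunk (@@ -1125,6 +1125,14 @@), the PTR_TO_SOCKET entry describes the type as a "Pointer to struct bpf_sock_ops", while the paragraph added in the second hunk says PTR_TO_SOCKET "implicitly represents a reference to the corresponding 'struct sock'". The two descriptions should name the same object, or the entry should say how the two structs relate. The PTR_TO_SOCKET_OR_NULL entry also refers to "the socket release function" without naming it; since the examples name the lookup helper (BPF_FUNC_sk_lookup_tcp), naming the release helper here would let readers pair the two.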
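Review bot: The last added sentence of the second hunk (@@ -1171,6 +1179,13 @@) has a stray "and" and does not parse: "it is imperative to NULL-check the reference and in the non-NULL case, and pass the valid reference to the socket release function". Suggest "it is imperative to NULL-check the reference and, in the non-NULL case, pass the valid reference to the socket release function". As in the first hunk, the release function is left unnamed here, so a reader of this paragraph alone cannot tell which helper satisfies the verifier.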
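Review bot: In the third hunk (@@ -1444,6 +1459,55 @@), the caption of the first example carries a stray "+value:" line after "+checking it:", apparently copied from the second example's caption ("...does not NULL-check the returned" / "value:"); it should be dropped. Both examples end in the same "Unreleased reference id=1, alloc_insn=7" message, so a sentence explaining that alloc_insn=7 refers to the bpf_sk_lookup_tcp call at instruction 7 would help readers interpret it. Only rejected programs are shown; an accepted counterpart that NULL-checks the result and releases the socket would complete the section.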