bpf: Add function to find program from stack trace

In preparation of figuring out the closest program that led to the
current point in the kernel, implement a function that scans through the
stack trace and finds out the closest BPF program when walking down the
stack trace.

Special care needs to be taken to skip over kernel and BPF subprog
frames. We basically scan until we find a BPF main prog frame. The
assumption is that if a program calls into us transitively, we'll
hit it along the way. If not, we end up returning NULL.

Contextually the function will be used in places where we know the
program may have called into us.

Due to reliance on arch_bpf_stack_walk(), this function only works on
x86 with CONFIG_UNWINDER_ORC, arm64, and s390. Remove the warning from
arch_bpf_stack_walk as well since we call it outside bpf_throw()
context.

Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20250703204818.925464-6-memxor@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
index 15672cb926fc1817f97d2cd1c55d1575803f6958..40e1b3b9634fec27c81fb7899d87515add500314 100644 (file)
--- a/arch/x86/net/bpf_jit_comp.c
+++ b/arch/x86/net/bpf_jit_comp.c
@@ -3845,7 +3845,6 @@ void arch_bpf_stack_walk(bool (*consume_fn)(void *cookie, u64 ip, u64 sp, u64 bp
        }
        return;
 #endif
-       WARN(1, "verification of programs using bpf_throw should have failed\n");
 }
 
 void bpf_arch_poke_desc_update(struct bpf_jit_poke_descriptor *poke,

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index c3802af11bac738a9e5aa29448912c99c231676b..b267c378d884564ed9730e8385fd913d849b85eb 100644 (file)
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -3663,5 +3663,6 @@ static inline bool bpf_is_subprog(const struct bpf_prog *prog)
 
 int bpf_prog_get_file_line(struct bpf_prog *prog, unsigned long ip, const char **filep,
                           const char **linep, int *nump);
+struct bpf_prog *bpf_prog_find_from_stack(void);
 
 #endif /* _LINUX_BPF_H */

diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 833442661742e49069fbaa882d57518035549a93..037d67cf5fb1f87bdcfb9e6c3f18585c0fc1ea4b 100644 (file)
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -3262,4 +3262,37 @@ int bpf_prog_get_file_line(struct bpf_prog *prog, unsigned long ip, const char *
        return 0;
 }
 
+struct walk_stack_ctx {
+       struct bpf_prog *prog;
+};
+
+static bool find_from_stack_cb(void *cookie, u64 ip, u64 sp, u64 bp)
+{
+       struct walk_stack_ctx *ctxp = cookie;
+       struct bpf_prog *prog;
+
+       /*
+        * The RCU read lock is held to safely traverse the latch tree, but we
+        * don't need its protection when accessing the prog, since it has an
+        * active stack frame on the current stack trace, and won't disappear.
+        */
+       rcu_read_lock();
+       prog = bpf_prog_ksym_find(ip);
+       rcu_read_unlock();
+       if (!prog)
+               return true;
+       if (bpf_is_subprog(prog))
+               return true;
+       ctxp->prog = prog;
+       return false;
+}
+
+struct bpf_prog *bpf_prog_find_from_stack(void)
+{
+       struct walk_stack_ctx ctx = {};
+
+       arch_bpf_stack_walk(find_from_stack_cb, &ctx);
+       return ctx.prog;
+}
+
 #endif