bpf: return PTR_TO_BTF_ID | PTR_TRUSTED from BPF kfuncs by default

Teach the BPF verifier to treat pointers to struct types returned from
BPF kfuncs as implicitly trusted (PTR_TO_BTF_ID | PTR_TRUSTED) by
default. Returning untrusted pointers to struct types from BPF kfuncs
should be considered an exception only, and certainly not the norm.

Update existing selftests to reflect the change in register type
printing (e.g. `ptr_` becoming `trusted_ptr_` in verifier error
messages).

Link: https://lore.kernel.org/bpf/aV4nbCaMfIoM0awM@google.com/
Signed-off-by: Matt Bobrowski <mattbobrowski@google.com>
Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20260113083949.2502978-1-mattbobrowski@google.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 45733bae271d380a3c8e2f93d7b64a3868d25220..faa1ecc1fe9d753325ac6b8c255c8885a77102d4 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -14212,26 +14212,38 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
                        if (is_kfunc_rcu_protected(&meta))
                                regs[BPF_REG_0].type |= MEM_RCU;
                } else {
-                       mark_reg_known_zero(env, regs, BPF_REG_0);
-                       regs[BPF_REG_0].btf = desc_btf;
-                       regs[BPF_REG_0].type = PTR_TO_BTF_ID;
-                       regs[BPF_REG_0].btf_id = ptr_type_id;
+                       enum bpf_reg_type type = PTR_TO_BTF_ID;
 
                        if (meta.func_id == special_kfunc_list[KF_bpf_get_kmem_cache])
-                               regs[BPF_REG_0].type |= PTR_UNTRUSTED;
-                       else if (is_kfunc_rcu_protected(&meta))
-                               regs[BPF_REG_0].type |= MEM_RCU;
-
-                       if (is_iter_next_kfunc(&meta)) {
-                               struct bpf_reg_state *cur_iter;
-
-                               cur_iter = get_iter_from_state(env->cur_state, &meta);
-
-                               if (cur_iter->type & MEM_RCU) /* KF_RCU_PROTECTED */
-                                       regs[BPF_REG_0].type |= MEM_RCU;
-                               else
-                                       regs[BPF_REG_0].type |= PTR_TRUSTED;
+                               type |= PTR_UNTRUSTED;
+                       else if (is_kfunc_rcu_protected(&meta) ||
+                                (is_iter_next_kfunc(&meta) &&
+                                 (get_iter_from_state(env->cur_state, &meta)
+                                          ->type & MEM_RCU))) {
+                               /*
+                                * If the iterator's constructor (the _new
+                                * function e.g., bpf_iter_task_new) has been
+                                * annotated with BPF kfunc flag
+                                * KF_RCU_PROTECTED and was called within a RCU
+                                * read-side critical section, also propagate
+                                * the MEM_RCU flag to the pointer returned from
+                                * the iterator's next function (e.g.,
+                                * bpf_iter_task_next).
+                                */
+                               type |= MEM_RCU;
+                       } else {
+                               /*
+                                * Any PTR_TO_BTF_ID that is returned from a BPF
+                                * kfunc should by default be treated as
+                                * implicitly trusted.
+                                */
+                               type |= PTR_TRUSTED;
                        }
+
+                       mark_reg_known_zero(env, regs, BPF_REG_0);
+                       regs[BPF_REG_0].btf = desc_btf;
+                       regs[BPF_REG_0].type = type;
+                       regs[BPF_REG_0].btf_id = ptr_type_id;
                }
 
                if (is_kfunc_ret_null(&meta)) {

diff --git a/tools/testing/selftests/bpf/progs/map_kptr_fail.c b/tools/testing/selftests/bpf/progs/map_kptr_fail.c
index 4c0ff01f1a9682c21e3dd569ed6c855a92730052..6443b320c732414c19bde9a43795e9c7b6c8e773 100644 (file)
--- a/tools/testing/selftests/bpf/progs/map_kptr_fail.c
+++ b/tools/testing/selftests/bpf/progs/map_kptr_fail.c
@@ -272,7 +272,7 @@ int reject_untrusted_xchg(struct __sk_buff *ctx)
 
 SEC("?tc")
 __failure
-__msg("invalid kptr access, R2 type=ptr_prog_test_ref_kfunc expected=ptr_prog_test_member")
+__msg("invalid kptr access, R2 type=trusted_ptr_prog_test_ref_kfunc expected=ptr_prog_test_member")
 int reject_bad_type_xchg(struct __sk_buff *ctx)
 {
        struct prog_test_ref_kfunc *ref_ptr;
@@ -291,7 +291,7 @@ int reject_bad_type_xchg(struct __sk_buff *ctx)
 }
 
 SEC("?tc")
-__failure __msg("invalid kptr access, R2 type=ptr_prog_test_ref_kfunc")
+__failure __msg("invalid kptr access, R2 type=trusted_ptr_prog_test_ref_kfunc")
 int reject_member_of_ref_xchg(struct __sk_buff *ctx)
 {
        struct prog_test_ref_kfunc *ref_ptr;

diff --git a/tools/testing/selftests/bpf/progs/struct_ops_kptr_return_fail__wrong_type.c b/tools/testing/selftests/bpf/progs/struct_ops_kptr_return_fail__wrong_type.c
index 6a2dd536780232d85c917740a6291f65dc7f7546..c8d217e89eeabea78531755381ce51e7a147dac5 100644 (file)
--- a/tools/testing/selftests/bpf/progs/struct_ops_kptr_return_fail__wrong_type.c
+++ b/tools/testing/selftests/bpf/progs/struct_ops_kptr_return_fail__wrong_type.c
@@ -12,7 +12,7 @@ void bpf_task_release(struct task_struct *p) __ksym;
  * reject programs returning a referenced kptr of the wrong type.
  */
 SEC("struct_ops/test_return_ref_kptr")
-__failure __msg("At program exit the register R0 is not a known value (ptr_or_null_)")
+__failure __msg("At program exit the register R0 is not a known value (trusted_ptr_or_null_)")
 struct task_struct *BPF_PROG(kptr_return_fail__wrong_type, int dummy,
                             struct task_struct *task, struct cgroup *cgrp)
 {

diff --git a/tools/testing/selftests/bpf/progs/verifier_global_ptr_args.c b/tools/testing/selftests/bpf/progs/verifier_global_ptr_args.c
index 1204fbc58178e0fdd9944e3fbf94213f6ee4d2d4..e7dae0cf9c17ce53a5c5723fa4df4aa84441ce93 100644 (file)
--- a/tools/testing/selftests/bpf/progs/verifier_global_ptr_args.c
+++ b/tools/testing/selftests/bpf/progs/verifier_global_ptr_args.c
@@ -72,7 +72,7 @@ int trusted_task_arg_nonnull_fail1(void *ctx)
 
 SEC("?tp_btf/task_newtask")
 __failure __log_level(2)
-__msg("R1 type=ptr_or_null_ expected=ptr_, trusted_ptr_, rcu_ptr_")
+__msg("R1 type=trusted_ptr_or_null_ expected=ptr_, trusted_ptr_, rcu_ptr_")
 __msg("Caller passes invalid args into func#1 ('subprog_trusted_task_nonnull')")
 int trusted_task_arg_nonnull_fail2(void *ctx)
 {

diff --git a/tools/testing/selftests/bpf/verifier/calls.c b/tools/testing/selftests/bpf/verifier/calls.c
index c8d640802cce415da9cba2c78c13720decab64f3..9ca83dce100d4e13bbc46c9b6f7146766645d5b1 100644 (file)
--- a/tools/testing/selftests/bpf/verifier/calls.c
+++ b/tools/testing/selftests/bpf/verifier/calls.c
@@ -220,7 +220,7 @@
        },
        .result_unpriv = REJECT,
        .result = REJECT,
-       .errstr = "variable ptr_ access var_off=(0x0; 0x7) disallowed",
+       .errstr = "variable trusted_ptr_ access var_off=(0x0; 0x7) disallowed",
 },
 {
        "calls: invalid kfunc call: referenced arg needs refcounted PTR_TO_BTF_ID",