bpf: Relax tracing prog recursive attach rules

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Currently, it's not allowed to attach an fentry/fexit prog to another
one fentry/fexit. At the same time it's not uncommon to see a tracing
program with lots of logic in use, and the attachment limitation
prevents usage of fentry/fexit for performance analysis (e.g. with
"bpftool prog profile" command) in this case. An example could be
falcosecurity libs project that uses tp_btf tracing programs.

Following the corresponding discussion [1], the reason for that is to
avoid tracing progs call cycles without introducing more complex
solutions. But currently it seems impossible to load and attach tracing
programs in a way that will form such a cycle. The limitation is coming
from the fact that attach_prog_fd is specified at the prog load (thus
making it impossible to attach to a program loaded after it in this
way), as well as tracing progs not implementing link_detach.

Replace "no same type" requirement with verification that no more than
one level of attachment nesting is allowed. In this way only one
fentry/fexit program could be attached to another fentry/fexit to cover
profiling use case, and still no cycle could be formed. To implement,
add a new field into bpf_prog_aux to track nested attachment for tracing
programs.

[1]: https://lore.kernel.org/bpf/20191108064039.2041889-16-ast@kernel.org/

Acked-by: Jiri Olsa <olsajiri@gmail.com>
Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Dmitrii Dolgov <9erthalion6@gmail.com>
Link: https://lore.kernel.org/r/20240103190559.14750-2-9erthalion6@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

authored by

Dmitrii Dolgov and committed by

Alexei Starovoitov 2 years ago 19bfcdf9 00bc8988

+48 -15

3 changed files

expand all

include

linux

bpf.h

kernel

bpf

syscall.c

verifier.c

include/linux/bpf.h

··· 1449 1449 bool dev_bound; /* Program is bound to the netdev. */ 1450 1450 bool offload_requested; /* Program is bound and offloaded to the netdev. */ 1451 1451 bool attach_btf_trace; /* true if attaching to BTF-enabled raw tp */ 1452 + bool attach_tracing_prog; /* true if tracing another tracing program */ 1452 1453 bool func_proto_unreliable; 1453 1454 bool sleepable; 1454 1455 bool tail_call_reachable;

+22 -1

kernel/bpf/syscall.c

··· 2738 2738 goto free_prog_sec; 2739 2739 } 2740 2740 2741 + /* 2742 + * Bookkeeping for managing the program attachment chain. 2743 + * 2744 + * It might be tempting to set attach_tracing_prog flag at the attachment 2745 + * time, but this will not prevent from loading bunch of tracing prog 2746 + * first, then attach them one to another. 2747 + * 2748 + * The flag attach_tracing_prog is set for the whole program lifecycle, and 2749 + * doesn't have to be cleared in bpf_tracing_link_release, since tracing 2750 + * programs cannot change attachment target. 2751 + */ 2752 + if (type == BPF_PROG_TYPE_TRACING && dst_prog && 2753 + dst_prog->type == BPF_PROG_TYPE_TRACING) { 2754 + prog->aux->attach_tracing_prog = true; 2755 + } 2756 + 2741 2757 /* find program type: socket_filter vs tracing_filter */ 2742 2758 err = find_prog_type(type, prog); 2743 2759 if (err < 0) ··· 3187 3171 } 3188 3172 3189 3173 if (tgt_prog_fd) { 3190 - /* For now we only allow new targets for BPF_PROG_TYPE_EXT */ 3174 + /* 3175 + * For now we only allow new targets for BPF_PROG_TYPE_EXT. If this 3176 + * part would be changed to implement the same for 3177 + * BPF_PROG_TYPE_TRACING, do not forget to update the way how 3178 + * attach_tracing_prog flag is set. 3179 + */ 3191 3180 if (prog->type != BPF_PROG_TYPE_EXT) { 3192 3181 err = -EINVAL; 3193 3182 goto out_put_prog;

+25 -14

kernel/bpf/verifier.c

··· 20317 20317 struct bpf_attach_target_info *tgt_info) 20318 20318 { 20319 20319 bool prog_extension = prog->type == BPF_PROG_TYPE_EXT; 20320 + bool prog_tracing = prog->type == BPF_PROG_TYPE_TRACING; 20320 20321 const char prefix[] = "btf_trace_"; 20321 20322 int ret = 0, subprog = -1, i; 20322 20323 const struct btf_type *t; ··· 20388 20387 bpf_log(log, "Can attach to only JITed progs\n"); 20389 20388 return -EINVAL; 20390 20389 } 20391 - if (tgt_prog->type == prog->type) { 20392 - /* Cannot fentry/fexit another fentry/fexit program. 20393 - * Cannot attach program extension to another extension. 20394 - * It's ok to attach fentry/fexit to extension program. 20390 + if (prog_tracing) { 20391 + if (aux->attach_tracing_prog) { 20392 + /* 20393 + * Target program is an fentry/fexit which is already attached 20394 + * to another tracing program. More levels of nesting 20395 + * attachment are not allowed. 20396 + */ 20397 + bpf_log(log, "Cannot nest tracing program attach more than once\n"); 20398 + return -EINVAL; 20399 + } 20400 + } else if (tgt_prog->type == prog->type) { 20401 + /* 20402 + * To avoid potential call chain cycles, prevent attaching of a 20403 + * program extension to another extension. It's ok to attach 20404 + * fentry/fexit to extension program. 20395 20405 */ 20396 20406 bpf_log(log, "Cannot recursively attach\n"); 20397 20407 return -EINVAL; ··· 20415 20403 * except fentry/fexit. The reason is the following. 20416 20404 * The fentry/fexit programs are used for performance 20417 20405 * analysis, stats and can be attached to any program 20418 - * type except themselves. When extension program is 20419 - * replacing XDP function it is necessary to allow 20420 - * performance analysis of all functions. Both original 20421 - * XDP program and its program extension. Hence 20422 - * attaching fentry/fexit to BPF_PROG_TYPE_EXT is 20423 - * allowed. If extending of fentry/fexit was allowed it 20424 - * would be possible to create long call chain 20425 - * fentry->extension->fentry->extension beyond 20426 - * reasonable stack size. Hence extending fentry is not 20427 - * allowed. 20406 + * type. When extension program is replacing XDP function 20407 + * it is necessary to allow performance analysis of all 20408 + * functions. Both original XDP program and its program 20409 + * extension. Hence attaching fentry/fexit to 20410 + * BPF_PROG_TYPE_EXT is allowed. If extending of 20411 + * fentry/fexit was allowed it would be possible to create 20412 + * long call chain fentry->extension->fentry->extension 20413 + * beyond reasonable stack size. Hence extending fentry 20414 + * is not allowed. 20428 20415 */ 20429 20416 bpf_log(log, "Cannot extend fentry/fexit\n"); 20430 20417 return -EINVAL;