When a map value is being freed, we loop over all of the fields of the
corresponding BPF object and issue the appropriate cleanup calls
corresponding to the field's type. If the field is a referenced kptr, we
atomically xchg the value out of the map, and invoke the kptr's
destructor on whatever was there before.

Currently, we always invoke the destructor (or bpf_obj_drop() for a
local kptr) on any kptr, including if no value was xchg'd out of the
map. This means that any function serving as the kptr's KF_RELEASE
destructor must always treat the argument as possibly NULL, and we
invoke unnecessary (and seemingly unsafe) cleanup logic for the local
kptr path as well.

This is an odd requirement -- KF_RELEASE kfuncs that are invoked by BPF
programs do not have this restriction, and the verifier will fail to
load the program if the register containing the to-be-released type has
any untrusted modifiers (e.g. PTR_UNTRUSTED or PTR_MAYBE_NULL). So as to
simplify the expectations required for a KF_RELEASE kfunc, this patch
set updates the KPTR_REF destructor logic to only be invoked when a
non-NULL value is xchg'd out of the map.

Additionally, the patch removes now-unnecessary KF_RELEASE calls from
several kfuncs, and finally, updates the verifier to have KF_RELEASE
automatically imply KF_TRUSTED_ARGS. This restriction was already
implicitly happening because of the aforementioned logic in the verifier
to reject any regs with untrusted modifiers, and to enforce that
KF_RELEASE args are passed with a 0 offset. This change just updates the
behavior to match that of other trusted args. This patch is left to the
end of the series in case it happens to be controversial, as it arguably
is slightly orthogonal to the purpose of the rest of the series.

David Vernet (3):
  bpf: Only invoke kptr dtor following non-NULL xchg
  bpf: Remove now-unnecessary NULL checks for KF_RELEASE kfuncs
  bpf: Treat KF_RELEASE kfuncs as KF_TRUSTED_ARGS

 Documentation/bpf/kfuncs.rst                           | 7 ++++---
 kernel/bpf/cpumask.c                                   | 5 +----
 kernel/bpf/helpers.c                                   | 6 ------
 kernel/bpf/syscall.c                                   | 2 +-
 kernel/bpf/verifier.c                                  | 2 +-
 net/bpf/test_run.c                                     | 3 ---
 net/netfilter/nf_conntrack_bpf.c                       | 2 --
 tools/testing/selftests/bpf/progs/cgrp_kfunc_failure.c | 4 ++--
 tools/testing/selftests/bpf/progs/task_kfunc_failure.c | 6 +++---
 9 files changed, 12 insertions(+), 25 deletions(-)

-- 
2.39.0

Hello:

This series was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Sat, 25 Mar 2023 16:31:41 -0500 you wrote:
> When a map value is being freed, we loop over all of the fields of the
> corresponding BPF object and issue the appropriate cleanup calls
> corresponding to the field's type. If the field is a referenced kptr, we
> atomically xchg the value out of the map, and invoke the kptr's
> destructor on whatever was there before.
> 
> Currently, we always invoke the destructor (or bpf_obj_drop() for a
> local kptr) on any kptr, including if no value was xchg'd out of the
> map. This means that any function serving as the kptr's KF_RELEASE
> destructor must always treat the argument as possibly NULL, and we
> invoke unnecessary (and seemingly unsafe) cleanup logic for the local
> kptr path as well.
> 
> [...]

Here is the summary with links:
  - [bpf-next,1/3] bpf: Only invoke kptr dtor following non-NULL xchg
    https://git.kernel.org/bpf/bpf-next/c/1431d0b584a6
  - [bpf-next,2/3] bpf: Remove now-unnecessary NULL checks for KF_RELEASE kfuncs
    https://git.kernel.org/bpf/bpf-next/c/fb2211a57c11
  - [bpf-next,3/3] bpf: Treat KF_RELEASE kfuncs as KF_TRUSTED_ARGS
    https://git.kernel.org/bpf/bpf-next/c/6c831c468412

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html