[PATCH bpf-next v5 04/10] bpf: add the kfunc bpf_fsession_cookie
From: Menglong Dong <hidden>
Date: 2025-12-24 13:08:47
Also in:
bpf, lkml
Subsystem:
bpf [core], bpf [general] (safe dynamic programs and tools), bpf [security & lsm] (security audit and enforcement using bpf), bpf [tracing], the rest, tracing · Maintainers:
Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi, KP Singh, Matt Bobrowski, Song Liu, Linus Torvalds, Steven Rostedt, Masami Hiramatsu
Implement session cookie for fsession. In order to limit the stack usage, we make 4 as the maximum of the cookie count. The offset of the current cookie is stored in the "(ctx[-1] >> BPF_TRAMP_M_COOKIE) & 0xFF". Therefore, we can get the session cookie with ctx[-offset]. The stack will look like this: return value -> 8 bytes argN -> 8 bytes ... arg1 -> 8 bytes nr_args -> 8 bytes ip (optional) -> 8 bytes cookie2 -> 8 bytes cookie1 -> 8 bytes Inline the bpf_fsession_cookie() in the verifier too. Signed-off-by: Menglong Dong <redacted> --- v5: - remove "cookie_cnt" in struct bpf_trampoline v4: - limit the maximum of the cookie count to 4 - store the session cookies before nr_regs in stack --- include/linux/bpf.h | 15 +++++++++++++++ kernel/bpf/trampoline.c | 13 +++++++++++-- kernel/bpf/verifier.c | 20 ++++++++++++++++++-- kernel/trace/bpf_trace.c | 9 +++++++++ 4 files changed, 53 insertions(+), 4 deletions(-)
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index dc6b4109f0bf..4095f4c2f833 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -1215,6 +1215,7 @@ enum {
 #define BPF_TRAMP_M_NR_ARGS 0
 #define BPF_TRAMP_M_IS_RETURN 8
+#define BPF_TRAMP_M_COOKIE 9
 struct bpf_tramp_links {
 struct bpf_tramp_link *links[BPF_MAX_TRAMP_LINKS];
@@ -1762,6 +1763,7 @@ struct bpf_prog {
 enforce_expected_attach_type:1, /* Enforce expected_attach_type checking at attach time */
 call_get_stack:1, /* Do we call bpf_get_stack() or bpf_get_stackid() */
 call_get_func_ip:1, /* Do we call get_func_ip() */
+ call_session_cookie:1, /* Do we call bpf_fsession_cookie() */
 tstamp_type_access:1, /* Accessed __sk_buff->tstamp_type */
 sleepable:1; /* BPF program is sleepable */
 enum bpf_prog_type type; /* Type of BPF program */
@@ -2137,6 +2139,19 @@ static inline int bpf_fsession_cnt(struct bpf_tramp_links *links)
 return cnt;
 }
+static inline int bpf_fsession_cookie_cnt(struct bpf_tramp_links *links)
+{
+ struct bpf_tramp_links fentries = links[BPF_TRAMP_FENTRY];
+ int cnt = 0;
+
+ for (int i = 0; i < links[BPF_TRAMP_FENTRY].nr_links; i++) {
+ if (fentries.links[i]->link.prog->call_session_cookie)
+ cnt++;
+ }
+
+ return cnt;
+}
+
 int bpf_prog_ctx_arg_info_init(struct bpf_prog *prog,
 const struct bpf_ctx_arg_aux *info, u32 cnt);
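Review bot: `bpf_fsession_cookie_cnt()` copies the whole `struct bpf_tramp_links` for the fentry slot onto the stack only to read its link pointers, and then takes the loop bound from `links[BPF_TRAMP_FENTRY].nr_links` while indexing the copy. A pointer avoids both the copy and the mixed access: `const struct bpf_tramp_links *fentries = &links[BPF_TRAMP_FENTRY];`, then `i < fentries->nr_links` and `fentries->links[i]->link.prog->call_session_cookie`. The helper also has no comment; something like `/* Count the links in the fentry slot whose program calls bpf_fsession_cookie(). */` would state what the result is used to size.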
diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
index 77d474fc973a..347e92e7c54e 100644
--- a/kernel/bpf/trampoline.c
+++ b/kernel/bpf/trampoline.c
@@ -592,6 +592,8 @@ static int bpf_freplace_check_tgt_prog(struct bpf_prog *tgt_prog)
 return 0;
 }
+#define BPF_TRAMP_MAX_COOKIES 4
+
 static int __bpf_trampoline_link_prog(struct bpf_tramp_link *link,
 struct bpf_trampoline *tr,
 struct bpf_prog *tgt_prog)
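Review bot: `BPF_TRAMP_MAX_COOKIES` is introduced without a comment, although the commit message gives the reason (bounding trampoline stack usage) and the cookie offset is later read back through an 8-bit field (`& 0xFF`) in verifier.c and bpf_trace.c. A comment such as `/* Max session cookies per trampoline; each one takes an 8-byte slot on the trampoline stack. */` would record why the value is 4. If the code that lays out the trampoline stack (not part of this patch) has to honour the same bound, placing the define in include/linux/bpf.h next to `BPF_TRAMP_M_COOKIE` would keep the limit and the layout from drifting apart.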
@@ -600,7 +602,7 @@ static int __bpf_trampoline_link_prog(struct bpf_tramp_link *link,
 struct bpf_tramp_link *link_exiting;
 struct bpf_fsession_link *fslink;
 struct hlist_head *prog_list;
- int err = 0;
+ int err = 0, cookie_cnt = 0;
 int cnt = 0, i;
 kind = bpf_attach_type_to_tramp(link->link.prog);
@@ -637,11 +639,18 @@ static int __bpf_trampoline_link_prog(struct bpf_tramp_link *link,
 /* prog already linked */
 return -EBUSY;
 hlist_for_each_entry(link_exiting, prog_list, tramp_hlist) {
- if (link_exiting->link.prog != link->link.prog)
+ if (link_exiting->link.prog != link->link.prog) {
+ if (kind == BPF_TRAMP_FSESSION &&
+ link_exiting->link.prog->call_session_cookie)
+ cookie_cnt++;
 continue;
+ }
 /* prog already linked */
 return -EBUSY;
 }
+ if (link->link.prog->call_session_cookie &&
+ cookie_cnt >= BPF_TRAMP_MAX_COOKIES)
+ return -E2BIG;
 hlist_add_head(&link->tramp_hlist, prog_list);
 if (kind == BPF_TRAMP_FSESSION) {
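Review bot: The cookie limit applies to fsession links only by implication: `cookie_cnt` is incremented under `kind == BPF_TRAMP_FSESSION`, but the check that returns `-E2BIG` tests only `link->link.prog->call_session_cookie`. Writing the kind into the final test as well, `if (kind == BPF_TRAMP_FSESSION && link->link.prog->call_session_cookie && cookie_cnt >= BPF_TRAMP_MAX_COOKIES)`, keeps the two conditions from diverging if the counting loop is changed later, and a short comment above it, `/* each cookie-using fsession prog needs its own stack slot */`, would explain the new error path. `__bpf_trampoline_link_prog()` starts and ends outside this hunk, so how `prog_list` is chosen for the fsession kind is not visible here.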
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 8a5787e6ab0b..8928ce5bbeb1 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -12381,6 +12381,7 @@ enum special_kfunc_type {
 KF_bpf_task_work_schedule_signal_impl,
 KF_bpf_task_work_schedule_resume_impl,
 KF_bpf_fsession_is_return,
+ KF_bpf_fsession_cookie,
 };
 BTF_ID_LIST(special_kfunc_list)
@@ -12456,6 +12457,7 @@ BTF_ID(func, __bpf_trap)
 BTF_ID(func, bpf_task_work_schedule_signal_impl)
 BTF_ID(func, bpf_task_work_schedule_resume_impl)
 BTF_ID(func, bpf_fsession_is_return)
+BTF_ID(func, bpf_fsession_cookie)
 static bool is_task_work_add_kfunc(u32 func_id)
 {
@@ -12511,7 +12513,8 @@ get_kfunc_ptr_arg_type(struct bpf_verifier_env *env,
 bool arg_mem_size = false;
 if (meta->func_id == special_kfunc_list[KF_bpf_cast_to_kern_ctx] ||
- meta->func_id == special_kfunc_list[KF_bpf_fsession_is_return])
+ meta->func_id == special_kfunc_list[KF_bpf_fsession_is_return] ||
+ meta->func_id == special_kfunc_list[KF_bpf_fsession_cookie])
 return KF_ARG_PTR_TO_CTX;
 /* In this function, we verify the kfunc's BTF as per the argument type,
@@ -14009,7 +14012,8 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
 }
 }
- if (meta.func_id == special_kfunc_list[KF_bpf_session_cookie]) {
+ if (meta.func_id == special_kfunc_list[KF_bpf_session_cookie] ||
+ meta.func_id == special_kfunc_list[KF_bpf_fsession_cookie]) {
 meta.r0_size = sizeof(u64);
 meta.r0_rdonly = false;
 }
@@ -14293,6 +14297,9 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
 return err;
 }
+ if (meta.func_id == special_kfunc_list[KF_bpf_fsession_cookie])
+ env->prog->call_session_cookie = true;
+
 return 0;
 }
@@ -22565,6 +22572,15 @@ static int fixup_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
 insn_buf[1] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_0, BPF_TRAMP_M_IS_RETURN);
 insn_buf[2] = BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1);
 *cnt = 3;
+ } else if (desc->func_id == special_kfunc_list[KF_bpf_fsession_cookie]) {
+ /* Load nr_args from ctx - 8 */
+ insn_buf[0] = BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8);
+ insn_buf[1] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_0, BPF_TRAMP_M_COOKIE);
+ insn_buf[2] = BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xFF);
+ insn_buf[3] = BPF_ALU64_IMM(BPF_LSH, BPF_REG_0, 3);
+ insn_buf[4] = BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1);
+ insn_buf[5] = BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0);
+ *cnt = 6;
 }
 if (env->insn_aux_data[insn_idx].arg_prog) {
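Review bot: The comment `/* Load nr_args from ctx - 8 */` on the new branch does not describe these six instructions and looks carried over from a neighbouring case. They load the metadata word at ctx[-1], extract the 8-bit cookie offset at bit `BPF_TRAMP_M_COOKIE`, scale it by 8 and leave `ctx - off * 8` in R0. A replacement such as `/* r0 = ctx - 8 * ((ctx[-1] >> BPF_TRAMP_M_COOKIE) & 0xFF) */` would let a reader check the sequence against the C body of `bpf_fsession_cookie()` in kernel/trace/bpf_trace.c, which it must stay equivalent to. The literal `0xFF` is repeated in both places; a mask macro defined beside `BPF_TRAMP_M_COOKIE` would keep the field width in one spot. `fixup_kfunc_call()` starts and ends outside the hunk.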
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 8a94a507bd51..67f673c41d50 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -3364,10 +3364,19 @@ __bpf_kfunc bool bpf_fsession_is_return(void *ctx)
 return !!(((u64 *)ctx)[-1] & (1 << BPF_TRAMP_M_IS_RETURN));
 }
+__bpf_kfunc u64 *bpf_fsession_cookie(void *ctx)
+{
+ /* This helper call is inlined by verifier. */
+ u64 off = (((u64 *)ctx)[-1] >> BPF_TRAMP_M_COOKIE) & 0xFF;
+
+ return &((u64 *)ctx)[-off];
+}
+
 __bpf_kfunc_end_defs();
 BTF_KFUNCS_START(tracing_kfunc_set_ids)
 BTF_ID_FLAGS(func, bpf_fsession_is_return, KF_FASTCALL)
+BTF_ID_FLAGS(func, bpf_fsession_cookie, KF_FASTCALL)
 BTF_KFUNCS_END(tracing_kfunc_set_ids)
 static int bpf_tracing_filter(const struct bpf_prog *prog, u32 kfunc_id)
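Review bot: In `bpf_fsession_cookie()` the subscript `-off` negates a `u64`, so the address depends on unsigned wrap-around in the pointer arithmetic rather than on a negative index; `return (u64 *)ctx - off;` yields the same slot without that. An offset of 0 makes the function return `&ctx[0]`, the first argument slot, and the verifier hunk treats the result as writable 8-byte memory (`meta.r0_rdonly = false`). The returned pointer is therefore only safe if the trampoline always stores a non-zero offset for programs with `call_session_cookie` set and if `bpf_tracing_filter()` rejects this kfunc for other attach types. Neither is visible here (only the filter's signature is in the hunk), so both are worth confirming and stating in a comment above the function.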
--
2.52.0