bpf, verifier: reject xadd on flow key memory

We should not enable xadd operation for flow key memory if not
needed there anyway. There is no such issue as described in the
commit f37a8cb84cce ("bpf: reject stores into ctx via st and xadd")
since there's no context rewriter for flow keys today, but it
also shouldn't become part of the user facing behavior to allow
for it. After patch:

  0: (79) r7 = *(u64 *)(r1 +144)
  1: (b7) r3 = 4096
  2: (db) lock *(u64 *)(r7 +0) += r3
  BPF_XADD stores into R7 flow_keys is not allowed

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

1 files changed, 10 insertions, 1 deletions

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 64e0981a4074..0450ffcc3de4 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1553,6 +1553,14 @@ static bool is_pkt_reg(struct bpf_verifier_env *env, int regno)
         return type_is_pkt_pointer(reg->type);
 }
 
+static bool is_flow_key_reg(struct bpf_verifier_env *env, int regno)
+{
+        const struct bpf_reg_state *reg = reg_state(env, regno);
+
+        /* Separate to is_ctx_reg() since we still want to allow BPF_ST here. */
+        return reg->type == PTR_TO_FLOW_KEYS;
+}
+
 static int check_pkt_ptr_alignment(struct bpf_verifier_env *env,
                                    const struct bpf_reg_state *reg,
                                    int off, int size, bool strict)
@@ -1961,7 +1969,8 @@ static int check_xadd(struct bpf_verifier_env *env, int insn_idx, struct bpf_ins
         }
 
         if (is_ctx_reg(env, insn->dst_reg) ||
-            is_pkt_reg(env, insn->dst_reg)) {
+            is_pkt_reg(env, insn->dst_reg) ||
+            is_flow_key_reg(env, insn->dst_reg)) {
                 verbose(env, "BPF_XADD stores into R%d %s is not allowed\n",
                         insn->dst_reg,
                         reg_type_str[reg_state(env, insn->dst_reg)->type]);