current/SOURCES/bpf-add-mem_rdonly-for-helper-args-that-are-pointers-to-rdonly-mem.patch

From foo@baz Thu Feb 17 08:07:01 PM CET 2022
From: Hao Luo <haoluo@google.com>
Date: Wed, 16 Feb 2022 14:52:08 -0800
Subject: bpf: Add MEM_RDONLY for helper args that are pointers to rdonly mem.
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Alexei Starovoitov <ast@kernel.org>, Andrii Nakryiko <andrii@kernel.org>, Daniel Borkmann <daniel@iogearbox.net>, laura@labbott.name, stable@vger.kernel.org, Hao Luo <haoluo@google.com>
Message-ID: <20220216225209.2196865-9-haoluo@google.com>

From: Hao Luo <haoluo@google.com>

commit 216e3cd2f28dbbf1fe86848e0e29e6693b9f0a20 upstream.

Some helper functions may modify its arguments, for example,
bpf_d_path, bpf_get_stack etc. Previously, their argument types
were marked as ARG_PTR_TO_MEM, which is compatible with read-only
mem types, such as PTR_TO_RDONLY_BUF. Therefore it's legitimate,
but technically incorrect, to modify a read-only memory by passing
it into one of such helper functions.

This patch tags the bpf_args compatible with immutable memory with
MEM_RDONLY flag. The arguments that don't have this flag will be
only compatible with mutable memory types, preventing the helper
from modifying a read-only memory. The bpf_args that have
MEM_RDONLY are compatible with both mutable memory and immutable
memory.

Signed-off-by: Hao Luo <haoluo@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20211217003152.48334-9-haoluo@google.com
Cc: stable@vger.kernel.org # 5.16.x
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/bpf.h      |    4 ++
 kernel/bpf/btf.c         |    2 -
 kernel/bpf/cgroup.c      |    2 -
 kernel/bpf/helpers.c     |    8 ++---
 kernel/bpf/ringbuf.c     |    2 -
 kernel/bpf/syscall.c     |    2 -
 kernel/bpf/verifier.c    |   20 ++++++++++++--
 kernel/trace/bpf_trace.c |   26 +++++++++----------
 net/core/filter.c        |   64 +++++++++++++++++++++++------------------------
 9 files changed, 73 insertions(+), 57 deletions(-)

--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -311,7 +311,9 @@ enum bpf_type_flag {
        /* PTR may be NULL. */
        PTR_MAYBE_NULL          = BIT(0 + BPF_BASE_TYPE_BITS),
 
-       /* MEM is read-only. */
+       /* MEM is read-only. When applied on bpf_arg, it indicates the arg is
+        * compatible with both mutable and immutable memory.
+        */
        MEM_RDONLY              = BIT(1 + BPF_BASE_TYPE_BITS),
 
        __BPF_TYPE_LAST_FLAG    = MEM_RDONLY,
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -6337,7 +6337,7 @@ const struct bpf_func_proto bpf_btf_find
        .func           = bpf_btf_find_by_name_kind,
        .gpl_only       = false,
        .ret_type       = RET_INTEGER,
-       .arg1_type      = ARG_PTR_TO_MEM,
+       .arg1_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg2_type      = ARG_CONST_SIZE,
        .arg3_type      = ARG_ANYTHING,
        .arg4_type      = ARG_ANYTHING,
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -1789,7 +1789,7 @@ static const struct bpf_func_proto bpf_s
        .gpl_only       = false,
        .ret_type       = RET_INTEGER,
        .arg1_type      = ARG_PTR_TO_CTX,
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE,
 };
 
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -530,7 +530,7 @@ const struct bpf_func_proto bpf_strtol_p
        .func           = bpf_strtol,
        .gpl_only       = false,
        .ret_type       = RET_INTEGER,
-       .arg1_type      = ARG_PTR_TO_MEM,
+       .arg1_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg2_type      = ARG_CONST_SIZE,
        .arg3_type      = ARG_ANYTHING,
        .arg4_type      = ARG_PTR_TO_LONG,
@@ -558,7 +558,7 @@ const struct bpf_func_proto bpf_strtoul_
        .func           = bpf_strtoul,
        .gpl_only       = false,
        .ret_type       = RET_INTEGER,
-       .arg1_type      = ARG_PTR_TO_MEM,
+       .arg1_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg2_type      = ARG_CONST_SIZE,
        .arg3_type      = ARG_ANYTHING,
        .arg4_type      = ARG_PTR_TO_LONG,
@@ -630,7 +630,7 @@ const struct bpf_func_proto bpf_event_ou
        .arg1_type      = ARG_PTR_TO_CTX,
        .arg2_type      = ARG_CONST_MAP_PTR,
        .arg3_type      = ARG_ANYTHING,
-       .arg4_type      = ARG_PTR_TO_MEM,
+       .arg4_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg5_type      = ARG_CONST_SIZE_OR_ZERO,
 };
 
@@ -1011,7 +1011,7 @@ const struct bpf_func_proto bpf_snprintf
        .arg1_type      = ARG_PTR_TO_MEM_OR_NULL,
        .arg2_type      = ARG_CONST_SIZE_OR_ZERO,
        .arg3_type      = ARG_PTR_TO_CONST_STR,
-       .arg4_type      = ARG_PTR_TO_MEM_OR_NULL,
+       .arg4_type      = ARG_PTR_TO_MEM | PTR_MAYBE_NULL | MEM_RDONLY,
        .arg5_type      = ARG_CONST_SIZE_OR_ZERO,
 };
 
--- a/kernel/bpf/ringbuf.c
+++ b/kernel/bpf/ringbuf.c
@@ -444,7 +444,7 @@ const struct bpf_func_proto bpf_ringbuf_
        .func           = bpf_ringbuf_output,
        .ret_type       = RET_INTEGER,
        .arg1_type      = ARG_CONST_MAP_PTR,
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE_OR_ZERO,
        .arg4_type      = ARG_ANYTHING,
 };
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -4772,7 +4772,7 @@ static const struct bpf_func_proto bpf_s
        .gpl_only       = false,
        .ret_type       = RET_INTEGER,
        .arg1_type      = ARG_ANYTHING,
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE,
 };
 
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5060,7 +5060,6 @@ static const struct bpf_reg_types mem_ty
                PTR_TO_MAP_VALUE,
                PTR_TO_MEM,
                PTR_TO_BUF,
-               PTR_TO_BUF | MEM_RDONLY,
        },
 };
 
@@ -5130,6 +5129,21 @@ static int check_reg_type(struct bpf_ver
                return -EFAULT;
        }
 
+       /* ARG_PTR_TO_MEM + RDONLY is compatible with PTR_TO_MEM and PTR_TO_MEM + RDONLY,
+        * but ARG_PTR_TO_MEM is compatible only with PTR_TO_MEM and NOT with PTR_TO_MEM + RDONLY
+        *
+        * Same for MAYBE_NULL:
+        *
+        * ARG_PTR_TO_MEM + MAYBE_NULL is compatible with PTR_TO_MEM and PTR_TO_MEM + MAYBE_NULL,
+        * but ARG_PTR_TO_MEM is compatible only with PTR_TO_MEM but NOT with PTR_TO_MEM + MAYBE_NULL
+        *
+        * Therefore we fold these flags depending on the arg_type before comparison.
+        */
+       if (arg_type & MEM_RDONLY)
+               type &= ~MEM_RDONLY;
+       if (arg_type & PTR_MAYBE_NULL)
+               type &= ~PTR_MAYBE_NULL;
+
        for (i = 0; i < ARRAY_SIZE(compatible->types); i++) {
                expected = compatible->types[i];
                if (expected == NOT_INIT)
@@ -5139,14 +5153,14 @@ static int check_reg_type(struct bpf_ver
                        goto found;
        }
 
-       verbose(env, "R%d type=%s expected=", regno, reg_type_str(env, type));
+       verbose(env, "R%d type=%s expected=", regno, reg_type_str(env, reg->type));
        for (j = 0; j + 1 < i; j++)
                verbose(env, "%s, ", reg_type_str(env, compatible->types[j]));
        verbose(env, "%s\n", reg_type_str(env, compatible->types[j]));
        return -EACCES;
 
 found:
-       if (type == PTR_TO_BTF_ID) {
+       if (reg->type == PTR_TO_BTF_ID) {
                if (!arg_btf_id) {
                        if (!compatible->btf_id) {
                                verbose(env, "verifier internal error: missing arg compatible BTF ID\n");
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -345,7 +345,7 @@ static const struct bpf_func_proto bpf_p
        .gpl_only       = true,
        .ret_type       = RET_INTEGER,
        .arg1_type      = ARG_ANYTHING,
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE,
 };
 
@@ -394,7 +394,7 @@ static const struct bpf_func_proto bpf_t
        .func           = bpf_trace_printk,
        .gpl_only       = true,
        .ret_type       = RET_INTEGER,
-       .arg1_type      = ARG_PTR_TO_MEM,
+       .arg1_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg2_type      = ARG_CONST_SIZE,
 };
 
@@ -450,9 +450,9 @@ static const struct bpf_func_proto bpf_t
        .func           = bpf_trace_vprintk,
        .gpl_only       = true,
        .ret_type       = RET_INTEGER,
-       .arg1_type      = ARG_PTR_TO_MEM,
+       .arg1_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg2_type      = ARG_CONST_SIZE,
-       .arg3_type      = ARG_PTR_TO_MEM_OR_NULL,
+       .arg3_type      = ARG_PTR_TO_MEM | PTR_MAYBE_NULL | MEM_RDONLY,
        .arg4_type      = ARG_CONST_SIZE_OR_ZERO,
 };
 
@@ -492,9 +492,9 @@ static const struct bpf_func_proto bpf_s
        .ret_type       = RET_INTEGER,
        .arg1_type      = ARG_PTR_TO_BTF_ID,
        .arg1_btf_id    = &btf_seq_file_ids[0],
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE,
-       .arg4_type      = ARG_PTR_TO_MEM_OR_NULL,
+       .arg4_type      = ARG_PTR_TO_MEM | PTR_MAYBE_NULL | MEM_RDONLY,
        .arg5_type      = ARG_CONST_SIZE_OR_ZERO,
 };
 
@@ -509,7 +509,7 @@ static const struct bpf_func_proto bpf_s
        .ret_type       = RET_INTEGER,
        .arg1_type      = ARG_PTR_TO_BTF_ID,
        .arg1_btf_id    = &btf_seq_file_ids[0],
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE_OR_ZERO,
 };
 
@@ -533,7 +533,7 @@ static const struct bpf_func_proto bpf_s
        .ret_type       = RET_INTEGER,
        .arg1_type      = ARG_PTR_TO_BTF_ID,
        .arg1_btf_id    = &btf_seq_file_ids[0],
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE_OR_ZERO,
        .arg4_type      = ARG_ANYTHING,
 };
@@ -694,7 +694,7 @@ static const struct bpf_func_proto bpf_p
        .arg1_type      = ARG_PTR_TO_CTX,
        .arg2_type      = ARG_CONST_MAP_PTR,
        .arg3_type      = ARG_ANYTHING,
-       .arg4_type      = ARG_PTR_TO_MEM,
+       .arg4_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg5_type      = ARG_CONST_SIZE_OR_ZERO,
 };
 
@@ -1004,7 +1004,7 @@ const struct bpf_func_proto bpf_snprintf
        .ret_type       = RET_INTEGER,
        .arg1_type      = ARG_PTR_TO_MEM,
        .arg2_type      = ARG_CONST_SIZE,
-       .arg3_type      = ARG_PTR_TO_MEM,
+       .arg3_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg4_type      = ARG_CONST_SIZE,
        .arg5_type      = ARG_ANYTHING,
 };
@@ -1285,7 +1285,7 @@ static const struct bpf_func_proto bpf_p
        .arg1_type      = ARG_PTR_TO_CTX,
        .arg2_type      = ARG_CONST_MAP_PTR,
        .arg3_type      = ARG_ANYTHING,
-       .arg4_type      = ARG_PTR_TO_MEM,
+       .arg4_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg5_type      = ARG_CONST_SIZE_OR_ZERO,
 };
 
@@ -1507,7 +1507,7 @@ static const struct bpf_func_proto bpf_p
        .arg1_type      = ARG_PTR_TO_CTX,
        .arg2_type      = ARG_CONST_MAP_PTR,
        .arg3_type      = ARG_ANYTHING,
-       .arg4_type      = ARG_PTR_TO_MEM,
+       .arg4_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg5_type      = ARG_CONST_SIZE_OR_ZERO,
 };
 
@@ -1561,7 +1561,7 @@ static const struct bpf_func_proto bpf_g
        .gpl_only       = true,
        .ret_type       = RET_INTEGER,
        .arg1_type      = ARG_PTR_TO_CTX,
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE_OR_ZERO,
        .arg4_type      = ARG_ANYTHING,
 };
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1713,7 +1713,7 @@ static const struct bpf_func_proto bpf_s
        .ret_type       = RET_INTEGER,
        .arg1_type      = ARG_PTR_TO_CTX,
        .arg2_type      = ARG_ANYTHING,
-       .arg3_type      = ARG_PTR_TO_MEM,
+       .arg3_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg4_type      = ARG_CONST_SIZE,
        .arg5_type      = ARG_ANYTHING,
 };
@@ -2018,9 +2018,9 @@ static const struct bpf_func_proto bpf_c
        .gpl_only       = false,
        .pkt_access     = true,
        .ret_type       = RET_INTEGER,
-       .arg1_type      = ARG_PTR_TO_MEM_OR_NULL,
+       .arg1_type      = ARG_PTR_TO_MEM | PTR_MAYBE_NULL | MEM_RDONLY,
        .arg2_type      = ARG_CONST_SIZE_OR_ZERO,
-       .arg3_type      = ARG_PTR_TO_MEM_OR_NULL,
+       .arg3_type      = ARG_PTR_TO_MEM | PTR_MAYBE_NULL | MEM_RDONLY,
        .arg4_type      = ARG_CONST_SIZE_OR_ZERO,
        .arg5_type      = ARG_ANYTHING,
 };
@@ -2541,7 +2541,7 @@ static const struct bpf_func_proto bpf_r
        .gpl_only       = false,
        .ret_type       = RET_INTEGER,
        .arg1_type      = ARG_ANYTHING,
-       .arg2_type      = ARG_PTR_TO_MEM_OR_NULL,
+       .arg2_type      = ARG_PTR_TO_MEM | PTR_MAYBE_NULL | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE_OR_ZERO,
        .arg4_type      = ARG_ANYTHING,
 };
@@ -4174,7 +4174,7 @@ static const struct bpf_func_proto bpf_s
        .arg1_type      = ARG_PTR_TO_CTX,
        .arg2_type      = ARG_CONST_MAP_PTR,
        .arg3_type      = ARG_ANYTHING,
-       .arg4_type      = ARG_PTR_TO_MEM,
+       .arg4_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg5_type      = ARG_CONST_SIZE_OR_ZERO,
 };
 
@@ -4188,7 +4188,7 @@ const struct bpf_func_proto bpf_skb_outp
        .arg1_btf_id    = &bpf_skb_output_btf_ids[0],
        .arg2_type      = ARG_CONST_MAP_PTR,
        .arg3_type      = ARG_ANYTHING,
-       .arg4_type      = ARG_PTR_TO_MEM,
+       .arg4_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg5_type      = ARG_CONST_SIZE_OR_ZERO,
 };
 
@@ -4371,7 +4371,7 @@ static const struct bpf_func_proto bpf_s
        .gpl_only       = false,
        .ret_type       = RET_INTEGER,
        .arg1_type      = ARG_PTR_TO_CTX,
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE,
        .arg4_type      = ARG_ANYTHING,
 };
@@ -4397,7 +4397,7 @@ static const struct bpf_func_proto bpf_s
        .gpl_only       = false,
        .ret_type       = RET_INTEGER,
        .arg1_type      = ARG_PTR_TO_CTX,
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE,
 };
 
@@ -4567,7 +4567,7 @@ static const struct bpf_func_proto bpf_x
        .arg1_type      = ARG_PTR_TO_CTX,
        .arg2_type      = ARG_CONST_MAP_PTR,
        .arg3_type      = ARG_ANYTHING,
-       .arg4_type      = ARG_PTR_TO_MEM,
+       .arg4_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg5_type      = ARG_CONST_SIZE_OR_ZERO,
 };
 
@@ -4581,7 +4581,7 @@ const struct bpf_func_proto bpf_xdp_outp
        .arg1_btf_id    = &bpf_xdp_output_btf_ids[0],
        .arg2_type      = ARG_CONST_MAP_PTR,
        .arg3_type      = ARG_ANYTHING,
-       .arg4_type      = ARG_PTR_TO_MEM,
+       .arg4_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg5_type      = ARG_CONST_SIZE_OR_ZERO,
 };
 
@@ -5069,7 +5069,7 @@ const struct bpf_func_proto bpf_sk_setso
        .arg1_type      = ARG_PTR_TO_BTF_ID_SOCK_COMMON,
        .arg2_type      = ARG_ANYTHING,
        .arg3_type      = ARG_ANYTHING,
-       .arg4_type      = ARG_PTR_TO_MEM,
+       .arg4_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg5_type      = ARG_CONST_SIZE,
 };
 
@@ -5103,7 +5103,7 @@ static const struct bpf_func_proto bpf_s
        .arg1_type      = ARG_PTR_TO_CTX,
        .arg2_type      = ARG_ANYTHING,
        .arg3_type      = ARG_ANYTHING,
-       .arg4_type      = ARG_PTR_TO_MEM,
+       .arg4_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg5_type      = ARG_CONST_SIZE,
 };
 
@@ -5137,7 +5137,7 @@ static const struct bpf_func_proto bpf_s
        .arg1_type      = ARG_PTR_TO_CTX,
        .arg2_type      = ARG_ANYTHING,
        .arg3_type      = ARG_ANYTHING,
-       .arg4_type      = ARG_PTR_TO_MEM,
+       .arg4_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg5_type      = ARG_CONST_SIZE,
 };
 
@@ -5312,7 +5312,7 @@ static const struct bpf_func_proto bpf_b
        .gpl_only       = false,
        .ret_type       = RET_INTEGER,
        .arg1_type      = ARG_PTR_TO_CTX,
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE,
 };
 
@@ -5900,7 +5900,7 @@ static const struct bpf_func_proto bpf_l
        .ret_type       = RET_INTEGER,
        .arg1_type      = ARG_PTR_TO_CTX,
        .arg2_type      = ARG_ANYTHING,
-       .arg3_type      = ARG_PTR_TO_MEM,
+       .arg3_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg4_type      = ARG_CONST_SIZE
 };
 
@@ -5910,7 +5910,7 @@ static const struct bpf_func_proto bpf_l
        .ret_type       = RET_INTEGER,
        .arg1_type      = ARG_PTR_TO_CTX,
        .arg2_type      = ARG_ANYTHING,
-       .arg3_type      = ARG_PTR_TO_MEM,
+       .arg3_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg4_type      = ARG_CONST_SIZE
 };
 
@@ -5953,7 +5953,7 @@ static const struct bpf_func_proto bpf_l
        .ret_type       = RET_INTEGER,
        .arg1_type      = ARG_PTR_TO_CTX,
        .arg2_type      = ARG_ANYTHING,
-       .arg3_type      = ARG_PTR_TO_MEM,
+       .arg3_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg4_type      = ARG_CONST_SIZE
 };
 
@@ -6041,7 +6041,7 @@ static const struct bpf_func_proto bpf_l
        .ret_type       = RET_INTEGER,
        .arg1_type      = ARG_PTR_TO_CTX,
        .arg2_type      = ARG_ANYTHING,
-       .arg3_type      = ARG_PTR_TO_MEM,
+       .arg3_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg4_type      = ARG_CONST_SIZE
 };
 
@@ -6266,7 +6266,7 @@ static const struct bpf_func_proto bpf_s
        .pkt_access     = true,
        .ret_type       = RET_PTR_TO_SOCK_COMMON_OR_NULL,
        .arg1_type      = ARG_PTR_TO_CTX,
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE,
        .arg4_type      = ARG_ANYTHING,
        .arg5_type      = ARG_ANYTHING,
@@ -6285,7 +6285,7 @@ static const struct bpf_func_proto bpf_s
        .pkt_access     = true,
        .ret_type       = RET_PTR_TO_SOCKET_OR_NULL,
        .arg1_type      = ARG_PTR_TO_CTX,
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE,
        .arg4_type      = ARG_ANYTHING,
        .arg5_type      = ARG_ANYTHING,
@@ -6304,7 +6304,7 @@ static const struct bpf_func_proto bpf_s
        .pkt_access     = true,
        .ret_type       = RET_PTR_TO_SOCKET_OR_NULL,
        .arg1_type      = ARG_PTR_TO_CTX,
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE,
        .arg4_type      = ARG_ANYTHING,
        .arg5_type      = ARG_ANYTHING,
@@ -6341,7 +6341,7 @@ static const struct bpf_func_proto bpf_x
        .pkt_access     = true,
        .ret_type       = RET_PTR_TO_SOCKET_OR_NULL,
        .arg1_type      = ARG_PTR_TO_CTX,
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE,
        .arg4_type      = ARG_ANYTHING,
        .arg5_type      = ARG_ANYTHING,
@@ -6364,7 +6364,7 @@ static const struct bpf_func_proto bpf_x
        .pkt_access     = true,
        .ret_type       = RET_PTR_TO_SOCK_COMMON_OR_NULL,
        .arg1_type      = ARG_PTR_TO_CTX,
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE,
        .arg4_type      = ARG_ANYTHING,
        .arg5_type      = ARG_ANYTHING,
@@ -6387,7 +6387,7 @@ static const struct bpf_func_proto bpf_x
        .pkt_access     = true,
        .ret_type       = RET_PTR_TO_SOCKET_OR_NULL,
        .arg1_type      = ARG_PTR_TO_CTX,
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE,
        .arg4_type      = ARG_ANYTHING,
        .arg5_type      = ARG_ANYTHING,
@@ -6406,7 +6406,7 @@ static const struct bpf_func_proto bpf_s
        .gpl_only       = false,
        .ret_type       = RET_PTR_TO_SOCK_COMMON_OR_NULL,
        .arg1_type      = ARG_PTR_TO_CTX,
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE,
        .arg4_type      = ARG_ANYTHING,
        .arg5_type      = ARG_ANYTHING,
@@ -6425,7 +6425,7 @@ static const struct bpf_func_proto bpf_s
        .gpl_only       = false,
        .ret_type       = RET_PTR_TO_SOCKET_OR_NULL,
        .arg1_type      = ARG_PTR_TO_CTX,
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE,
        .arg4_type      = ARG_ANYTHING,
        .arg5_type      = ARG_ANYTHING,
@@ -6444,7 +6444,7 @@ static const struct bpf_func_proto bpf_s
        .gpl_only       = false,
        .ret_type       = RET_PTR_TO_SOCKET_OR_NULL,
        .arg1_type      = ARG_PTR_TO_CTX,
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE,
        .arg4_type      = ARG_ANYTHING,
        .arg5_type      = ARG_ANYTHING,
@@ -6757,9 +6757,9 @@ static const struct bpf_func_proto bpf_t
        .pkt_access     = true,
        .ret_type       = RET_INTEGER,
        .arg1_type      = ARG_PTR_TO_BTF_ID_SOCK_COMMON,
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE,
-       .arg4_type      = ARG_PTR_TO_MEM,
+       .arg4_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg5_type      = ARG_CONST_SIZE,
 };
 
@@ -6826,9 +6826,9 @@ static const struct bpf_func_proto bpf_t
        .pkt_access     = true,
        .ret_type       = RET_INTEGER,
        .arg1_type      = ARG_PTR_TO_BTF_ID_SOCK_COMMON,
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE,
-       .arg4_type      = ARG_PTR_TO_MEM,
+       .arg4_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg5_type      = ARG_CONST_SIZE,
 };
 
@@ -7057,7 +7057,7 @@ static const struct bpf_func_proto bpf_s
        .gpl_only       = false,
        .ret_type       = RET_INTEGER,
        .arg1_type      = ARG_PTR_TO_CTX,
-       .arg2_type      = ARG_PTR_TO_MEM,
+       .arg2_type      = ARG_PTR_TO_MEM | MEM_RDONLY,
        .arg3_type      = ARG_CONST_SIZE,
        .arg4_type      = ARG_ANYTHING,
 };
1	From foo@baz Thu Feb 17 08:07:01 PM CET 2022
2	From: Hao Luo <haoluo@google.com>
3	Date: Wed, 16 Feb 2022 14:52:08 -0800
4	Subject: bpf: Add MEM_RDONLY for helper args that are pointers to rdonly mem.
5	To: Greg KH <gregkh@linuxfoundation.org>
6	Cc: Alexei Starovoitov <ast@kernel.org>, Andrii Nakryiko <andrii@kernel.org>, Daniel Borkmann <daniel@iogearbox.net>, laura@labbott.name, stable@vger.kernel.org, Hao Luo <haoluo@google.com>
7	Message-ID: <20220216225209.2196865-9-haoluo@google.com>
8
9	From: Hao Luo <haoluo@google.com>
10
11	commit 216e3cd2f28dbbf1fe86848e0e29e6693b9f0a20 upstream.
12
13	Some helper functions may modify its arguments, for example,
14	bpf_d_path, bpf_get_stack etc. Previously, their argument types
15	were marked as ARG_PTR_TO_MEM, which is compatible with read-only
16	mem types, such as PTR_TO_RDONLY_BUF. Therefore it's legitimate,
17	but technically incorrect, to modify a read-only memory by passing
18	it into one of such helper functions.
19
20	This patch tags the bpf_args compatible with immutable memory with
21	MEM_RDONLY flag. The arguments that don't have this flag will be
22	only compatible with mutable memory types, preventing the helper
23	from modifying a read-only memory. The bpf_args that have
24	MEM_RDONLY are compatible with both mutable memory and immutable
25	memory.
26
27	Signed-off-by: Hao Luo <haoluo@google.com>
28	Signed-off-by: Alexei Starovoitov <ast@kernel.org>
29	Link: https://lore.kernel.org/bpf/20211217003152.48334-9-haoluo@google.com
30	Cc: stable@vger.kernel.org # 5.16.x
31	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
32	---
33	include/linux/bpf.h \| 4 ++
34	kernel/bpf/btf.c \| 2 -
35	kernel/bpf/cgroup.c \| 2 -
36	kernel/bpf/helpers.c \| 8 ++---
37	kernel/bpf/ringbuf.c \| 2 -
38	kernel/bpf/syscall.c \| 2 -
39	kernel/bpf/verifier.c \| 20 ++++++++++++--
40	kernel/trace/bpf_trace.c \| 26 +++++++++----------
41	net/core/filter.c \| 64 +++++++++++++++++++++++------------------------
42	9 files changed, 73 insertions(+), 57 deletions(-)
43
44	--- a/include/linux/bpf.h
45	+++ b/include/linux/bpf.h
46	@@ -311,7 +311,9 @@ enum bpf_type_flag {
47	/* PTR may be NULL. */
48	PTR_MAYBE_NULL = BIT(0 + BPF_BASE_TYPE_BITS),
49
50	- /* MEM is read-only. */
51	+ /* MEM is read-only. When applied on bpf_arg, it indicates the arg is
52	+ * compatible with both mutable and immutable memory.
53	+ */
54	MEM_RDONLY = BIT(1 + BPF_BASE_TYPE_BITS),
55
56	__BPF_TYPE_LAST_FLAG = MEM_RDONLY,
57	--- a/kernel/bpf/btf.c
58	+++ b/kernel/bpf/btf.c
59	@@ -6337,7 +6337,7 @@ const struct bpf_func_proto bpf_btf_find
60	.func = bpf_btf_find_by_name_kind,
61	.gpl_only = false,
62	.ret_type = RET_INTEGER,
63	- .arg1_type = ARG_PTR_TO_MEM,
64	+ .arg1_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
65	.arg2_type = ARG_CONST_SIZE,
66	.arg3_type = ARG_ANYTHING,
67	.arg4_type = ARG_ANYTHING,
68	--- a/kernel/bpf/cgroup.c
69	+++ b/kernel/bpf/cgroup.c
70	@@ -1789,7 +1789,7 @@ static const struct bpf_func_proto bpf_s
71	.gpl_only = false,
72	.ret_type = RET_INTEGER,
73	.arg1_type = ARG_PTR_TO_CTX,
74	- .arg2_type = ARG_PTR_TO_MEM,
75	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
76	.arg3_type = ARG_CONST_SIZE,
77	};
78
79	--- a/kernel/bpf/helpers.c
80	+++ b/kernel/bpf/helpers.c
81	@@ -530,7 +530,7 @@ const struct bpf_func_proto bpf_strtol_p
82	.func = bpf_strtol,
83	.gpl_only = false,
84	.ret_type = RET_INTEGER,
85	- .arg1_type = ARG_PTR_TO_MEM,
86	+ .arg1_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
87	.arg2_type = ARG_CONST_SIZE,
88	.arg3_type = ARG_ANYTHING,
89	.arg4_type = ARG_PTR_TO_LONG,
90	@@ -558,7 +558,7 @@ const struct bpf_func_proto bpf_strtoul_
91	.func = bpf_strtoul,
92	.gpl_only = false,
93	.ret_type = RET_INTEGER,
94	- .arg1_type = ARG_PTR_TO_MEM,
95	+ .arg1_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
96	.arg2_type = ARG_CONST_SIZE,
97	.arg3_type = ARG_ANYTHING,
98	.arg4_type = ARG_PTR_TO_LONG,
99	@@ -630,7 +630,7 @@ const struct bpf_func_proto bpf_event_ou
100	.arg1_type = ARG_PTR_TO_CTX,
101	.arg2_type = ARG_CONST_MAP_PTR,
102	.arg3_type = ARG_ANYTHING,
103	- .arg4_type = ARG_PTR_TO_MEM,
104	+ .arg4_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
105	.arg5_type = ARG_CONST_SIZE_OR_ZERO,
106	};
107
108	@@ -1011,7 +1011,7 @@ const struct bpf_func_proto bpf_snprintf
109	.arg1_type = ARG_PTR_TO_MEM_OR_NULL,
110	.arg2_type = ARG_CONST_SIZE_OR_ZERO,
111	.arg3_type = ARG_PTR_TO_CONST_STR,
112	- .arg4_type = ARG_PTR_TO_MEM_OR_NULL,
113	+ .arg4_type = ARG_PTR_TO_MEM \| PTR_MAYBE_NULL \| MEM_RDONLY,
114	.arg5_type = ARG_CONST_SIZE_OR_ZERO,
115	};
116
117	--- a/kernel/bpf/ringbuf.c
118	+++ b/kernel/bpf/ringbuf.c
119	@@ -444,7 +444,7 @@ const struct bpf_func_proto bpf_ringbuf_
120	.func = bpf_ringbuf_output,
121	.ret_type = RET_INTEGER,
122	.arg1_type = ARG_CONST_MAP_PTR,
123	- .arg2_type = ARG_PTR_TO_MEM,
124	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
125	.arg3_type = ARG_CONST_SIZE_OR_ZERO,
126	.arg4_type = ARG_ANYTHING,
127	};
128	--- a/kernel/bpf/syscall.c
129	+++ b/kernel/bpf/syscall.c
130	@@ -4772,7 +4772,7 @@ static const struct bpf_func_proto bpf_s
131	.gpl_only = false,
132	.ret_type = RET_INTEGER,
133	.arg1_type = ARG_ANYTHING,
134	- .arg2_type = ARG_PTR_TO_MEM,
135	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
136	.arg3_type = ARG_CONST_SIZE,
137	};
138
139	--- a/kernel/bpf/verifier.c
140	+++ b/kernel/bpf/verifier.c
141	@@ -5060,7 +5060,6 @@ static const struct bpf_reg_types mem_ty
142	PTR_TO_MAP_VALUE,
143	PTR_TO_MEM,
144	PTR_TO_BUF,
145	- PTR_TO_BUF \| MEM_RDONLY,
146	},
147	};
148
149	@@ -5130,6 +5129,21 @@ static int check_reg_type(struct bpf_ver
150	return -EFAULT;
151	}
152
153	+ /* ARG_PTR_TO_MEM + RDONLY is compatible with PTR_TO_MEM and PTR_TO_MEM + RDONLY,
154	+ * but ARG_PTR_TO_MEM is compatible only with PTR_TO_MEM and NOT with PTR_TO_MEM + RDONLY
155	+ *
156	+ * Same for MAYBE_NULL:
157	+ *
158	+ * ARG_PTR_TO_MEM + MAYBE_NULL is compatible with PTR_TO_MEM and PTR_TO_MEM + MAYBE_NULL,
159	+ * but ARG_PTR_TO_MEM is compatible only with PTR_TO_MEM but NOT with PTR_TO_MEM + MAYBE_NULL
160	+ *
161	+ * Therefore we fold these flags depending on the arg_type before comparison.
162	+ */
163	+ if (arg_type & MEM_RDONLY)
164	+ type &= ~MEM_RDONLY;
165	+ if (arg_type & PTR_MAYBE_NULL)
166	+ type &= ~PTR_MAYBE_NULL;
167	+
168	for (i = 0; i < ARRAY_SIZE(compatible->types); i++) {
169	expected = compatible->types[i];
170	if (expected == NOT_INIT)
171	@@ -5139,14 +5153,14 @@ static int check_reg_type(struct bpf_ver
172	goto found;
173	}
174
175	- verbose(env, "R%d type=%s expected=", regno, reg_type_str(env, type));
176	+ verbose(env, "R%d type=%s expected=", regno, reg_type_str(env, reg->type));
177	for (j = 0; j + 1 < i; j++)
178	verbose(env, "%s, ", reg_type_str(env, compatible->types[j]));
179	verbose(env, "%s\n", reg_type_str(env, compatible->types[j]));
180	return -EACCES;
181
182	found:
183	- if (type == PTR_TO_BTF_ID) {
184	+ if (reg->type == PTR_TO_BTF_ID) {
185	if (!arg_btf_id) {
186	if (!compatible->btf_id) {
187	verbose(env, "verifier internal error: missing arg compatible BTF ID\n");
188	--- a/kernel/trace/bpf_trace.c
189	+++ b/kernel/trace/bpf_trace.c
190	@@ -345,7 +345,7 @@ static const struct bpf_func_proto bpf_p
191	.gpl_only = true,
192	.ret_type = RET_INTEGER,
193	.arg1_type = ARG_ANYTHING,
194	- .arg2_type = ARG_PTR_TO_MEM,
195	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
196	.arg3_type = ARG_CONST_SIZE,
197	};
198
199	@@ -394,7 +394,7 @@ static const struct bpf_func_proto bpf_t
200	.func = bpf_trace_printk,
201	.gpl_only = true,
202	.ret_type = RET_INTEGER,
203	- .arg1_type = ARG_PTR_TO_MEM,
204	+ .arg1_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
205	.arg2_type = ARG_CONST_SIZE,
206	};
207
208	@@ -450,9 +450,9 @@ static const struct bpf_func_proto bpf_t
209	.func = bpf_trace_vprintk,
210	.gpl_only = true,
211	.ret_type = RET_INTEGER,
212	- .arg1_type = ARG_PTR_TO_MEM,
213	+ .arg1_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
214	.arg2_type = ARG_CONST_SIZE,
215	- .arg3_type = ARG_PTR_TO_MEM_OR_NULL,
216	+ .arg3_type = ARG_PTR_TO_MEM \| PTR_MAYBE_NULL \| MEM_RDONLY,
217	.arg4_type = ARG_CONST_SIZE_OR_ZERO,
218	};
219
220	@@ -492,9 +492,9 @@ static const struct bpf_func_proto bpf_s
221	.ret_type = RET_INTEGER,
222	.arg1_type = ARG_PTR_TO_BTF_ID,
223	.arg1_btf_id = &btf_seq_file_ids[0],
224	- .arg2_type = ARG_PTR_TO_MEM,
225	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
226	.arg3_type = ARG_CONST_SIZE,
227	- .arg4_type = ARG_PTR_TO_MEM_OR_NULL,
228	+ .arg4_type = ARG_PTR_TO_MEM \| PTR_MAYBE_NULL \| MEM_RDONLY,
229	.arg5_type = ARG_CONST_SIZE_OR_ZERO,
230	};
231
232	@@ -509,7 +509,7 @@ static const struct bpf_func_proto bpf_s
233	.ret_type = RET_INTEGER,
234	.arg1_type = ARG_PTR_TO_BTF_ID,
235	.arg1_btf_id = &btf_seq_file_ids[0],
236	- .arg2_type = ARG_PTR_TO_MEM,
237	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
238	.arg3_type = ARG_CONST_SIZE_OR_ZERO,
239	};
240
241	@@ -533,7 +533,7 @@ static const struct bpf_func_proto bpf_s
242	.ret_type = RET_INTEGER,
243	.arg1_type = ARG_PTR_TO_BTF_ID,
244	.arg1_btf_id = &btf_seq_file_ids[0],
245	- .arg2_type = ARG_PTR_TO_MEM,
246	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
247	.arg3_type = ARG_CONST_SIZE_OR_ZERO,
248	.arg4_type = ARG_ANYTHING,
249	};
250	@@ -694,7 +694,7 @@ static const struct bpf_func_proto bpf_p
251	.arg1_type = ARG_PTR_TO_CTX,
252	.arg2_type = ARG_CONST_MAP_PTR,
253	.arg3_type = ARG_ANYTHING,
254	- .arg4_type = ARG_PTR_TO_MEM,
255	+ .arg4_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
256	.arg5_type = ARG_CONST_SIZE_OR_ZERO,
257	};
258
259	@@ -1004,7 +1004,7 @@ const struct bpf_func_proto bpf_snprintf
260	.ret_type = RET_INTEGER,
261	.arg1_type = ARG_PTR_TO_MEM,
262	.arg2_type = ARG_CONST_SIZE,
263	- .arg3_type = ARG_PTR_TO_MEM,
264	+ .arg3_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
265	.arg4_type = ARG_CONST_SIZE,
266	.arg5_type = ARG_ANYTHING,
267	};
268	@@ -1285,7 +1285,7 @@ static const struct bpf_func_proto bpf_p
269	.arg1_type = ARG_PTR_TO_CTX,
270	.arg2_type = ARG_CONST_MAP_PTR,
271	.arg3_type = ARG_ANYTHING,
272	- .arg4_type = ARG_PTR_TO_MEM,
273	+ .arg4_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
274	.arg5_type = ARG_CONST_SIZE_OR_ZERO,
275	};
276
277	@@ -1507,7 +1507,7 @@ static const struct bpf_func_proto bpf_p
278	.arg1_type = ARG_PTR_TO_CTX,
279	.arg2_type = ARG_CONST_MAP_PTR,
280	.arg3_type = ARG_ANYTHING,
281	- .arg4_type = ARG_PTR_TO_MEM,
282	+ .arg4_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
283	.arg5_type = ARG_CONST_SIZE_OR_ZERO,
284	};
285
286	@@ -1561,7 +1561,7 @@ static const struct bpf_func_proto bpf_g
287	.gpl_only = true,
288	.ret_type = RET_INTEGER,
289	.arg1_type = ARG_PTR_TO_CTX,
290	- .arg2_type = ARG_PTR_TO_MEM,
291	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
292	.arg3_type = ARG_CONST_SIZE_OR_ZERO,
293	.arg4_type = ARG_ANYTHING,
294	};
295	--- a/net/core/filter.c
296	+++ b/net/core/filter.c
297	@@ -1713,7 +1713,7 @@ static const struct bpf_func_proto bpf_s
298	.ret_type = RET_INTEGER,
299	.arg1_type = ARG_PTR_TO_CTX,
300	.arg2_type = ARG_ANYTHING,
301	- .arg3_type = ARG_PTR_TO_MEM,
302	+ .arg3_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
303	.arg4_type = ARG_CONST_SIZE,
304	.arg5_type = ARG_ANYTHING,
305	};
306	@@ -2018,9 +2018,9 @@ static const struct bpf_func_proto bpf_c
307	.gpl_only = false,
308	.pkt_access = true,
309	.ret_type = RET_INTEGER,
310	- .arg1_type = ARG_PTR_TO_MEM_OR_NULL,
311	+ .arg1_type = ARG_PTR_TO_MEM \| PTR_MAYBE_NULL \| MEM_RDONLY,
312	.arg2_type = ARG_CONST_SIZE_OR_ZERO,
313	- .arg3_type = ARG_PTR_TO_MEM_OR_NULL,
314	+ .arg3_type = ARG_PTR_TO_MEM \| PTR_MAYBE_NULL \| MEM_RDONLY,
315	.arg4_type = ARG_CONST_SIZE_OR_ZERO,
316	.arg5_type = ARG_ANYTHING,
317	};
318	@@ -2541,7 +2541,7 @@ static const struct bpf_func_proto bpf_r
319	.gpl_only = false,
320	.ret_type = RET_INTEGER,
321	.arg1_type = ARG_ANYTHING,
322	- .arg2_type = ARG_PTR_TO_MEM_OR_NULL,
323	+ .arg2_type = ARG_PTR_TO_MEM \| PTR_MAYBE_NULL \| MEM_RDONLY,
324	.arg3_type = ARG_CONST_SIZE_OR_ZERO,
325	.arg4_type = ARG_ANYTHING,
326	};
327	@@ -4174,7 +4174,7 @@ static const struct bpf_func_proto bpf_s
328	.arg1_type = ARG_PTR_TO_CTX,
329	.arg2_type = ARG_CONST_MAP_PTR,
330	.arg3_type = ARG_ANYTHING,
331	- .arg4_type = ARG_PTR_TO_MEM,
332	+ .arg4_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
333	.arg5_type = ARG_CONST_SIZE_OR_ZERO,
334	};
335
336	@@ -4188,7 +4188,7 @@ const struct bpf_func_proto bpf_skb_outp
337	.arg1_btf_id = &bpf_skb_output_btf_ids[0],
338	.arg2_type = ARG_CONST_MAP_PTR,
339	.arg3_type = ARG_ANYTHING,
340	- .arg4_type = ARG_PTR_TO_MEM,
341	+ .arg4_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
342	.arg5_type = ARG_CONST_SIZE_OR_ZERO,
343	};
344
345	@@ -4371,7 +4371,7 @@ static const struct bpf_func_proto bpf_s
346	.gpl_only = false,
347	.ret_type = RET_INTEGER,
348	.arg1_type = ARG_PTR_TO_CTX,
349	- .arg2_type = ARG_PTR_TO_MEM,
350	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
351	.arg3_type = ARG_CONST_SIZE,
352	.arg4_type = ARG_ANYTHING,
353	};
354	@@ -4397,7 +4397,7 @@ static const struct bpf_func_proto bpf_s
355	.gpl_only = false,
356	.ret_type = RET_INTEGER,
357	.arg1_type = ARG_PTR_TO_CTX,
358	- .arg2_type = ARG_PTR_TO_MEM,
359	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
360	.arg3_type = ARG_CONST_SIZE,
361	};
362
363	@@ -4567,7 +4567,7 @@ static const struct bpf_func_proto bpf_x
364	.arg1_type = ARG_PTR_TO_CTX,
365	.arg2_type = ARG_CONST_MAP_PTR,
366	.arg3_type = ARG_ANYTHING,
367	- .arg4_type = ARG_PTR_TO_MEM,
368	+ .arg4_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
369	.arg5_type = ARG_CONST_SIZE_OR_ZERO,
370	};
371
372	@@ -4581,7 +4581,7 @@ const struct bpf_func_proto bpf_xdp_outp
373	.arg1_btf_id = &bpf_xdp_output_btf_ids[0],
374	.arg2_type = ARG_CONST_MAP_PTR,
375	.arg3_type = ARG_ANYTHING,
376	- .arg4_type = ARG_PTR_TO_MEM,
377	+ .arg4_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
378	.arg5_type = ARG_CONST_SIZE_OR_ZERO,
379	};
380
381	@@ -5069,7 +5069,7 @@ const struct bpf_func_proto bpf_sk_setso
382	.arg1_type = ARG_PTR_TO_BTF_ID_SOCK_COMMON,
383	.arg2_type = ARG_ANYTHING,
384	.arg3_type = ARG_ANYTHING,
385	- .arg4_type = ARG_PTR_TO_MEM,
386	+ .arg4_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
387	.arg5_type = ARG_CONST_SIZE,
388	};
389
390	@@ -5103,7 +5103,7 @@ static const struct bpf_func_proto bpf_s
391	.arg1_type = ARG_PTR_TO_CTX,
392	.arg2_type = ARG_ANYTHING,
393	.arg3_type = ARG_ANYTHING,
394	- .arg4_type = ARG_PTR_TO_MEM,
395	+ .arg4_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
396	.arg5_type = ARG_CONST_SIZE,
397	};
398
399	@@ -5137,7 +5137,7 @@ static const struct bpf_func_proto bpf_s
400	.arg1_type = ARG_PTR_TO_CTX,
401	.arg2_type = ARG_ANYTHING,
402	.arg3_type = ARG_ANYTHING,
403	- .arg4_type = ARG_PTR_TO_MEM,
404	+ .arg4_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
405	.arg5_type = ARG_CONST_SIZE,
406	};
407
408	@@ -5312,7 +5312,7 @@ static const struct bpf_func_proto bpf_b
409	.gpl_only = false,
410	.ret_type = RET_INTEGER,
411	.arg1_type = ARG_PTR_TO_CTX,
412	- .arg2_type = ARG_PTR_TO_MEM,
413	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
414	.arg3_type = ARG_CONST_SIZE,
415	};
416
417	@@ -5900,7 +5900,7 @@ static const struct bpf_func_proto bpf_l
418	.ret_type = RET_INTEGER,
419	.arg1_type = ARG_PTR_TO_CTX,
420	.arg2_type = ARG_ANYTHING,
421	- .arg3_type = ARG_PTR_TO_MEM,
422	+ .arg3_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
423	.arg4_type = ARG_CONST_SIZE
424	};
425
426	@@ -5910,7 +5910,7 @@ static const struct bpf_func_proto bpf_l
427	.ret_type = RET_INTEGER,
428	.arg1_type = ARG_PTR_TO_CTX,
429	.arg2_type = ARG_ANYTHING,
430	- .arg3_type = ARG_PTR_TO_MEM,
431	+ .arg3_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
432	.arg4_type = ARG_CONST_SIZE
433	};
434
435	@@ -5953,7 +5953,7 @@ static const struct bpf_func_proto bpf_l
436	.ret_type = RET_INTEGER,
437	.arg1_type = ARG_PTR_TO_CTX,
438	.arg2_type = ARG_ANYTHING,
439	- .arg3_type = ARG_PTR_TO_MEM,
440	+ .arg3_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
441	.arg4_type = ARG_CONST_SIZE
442	};
443
444	@@ -6041,7 +6041,7 @@ static const struct bpf_func_proto bpf_l
445	.ret_type = RET_INTEGER,
446	.arg1_type = ARG_PTR_TO_CTX,
447	.arg2_type = ARG_ANYTHING,
448	- .arg3_type = ARG_PTR_TO_MEM,
449	+ .arg3_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
450	.arg4_type = ARG_CONST_SIZE
451	};
452
453	@@ -6266,7 +6266,7 @@ static const struct bpf_func_proto bpf_s
454	.pkt_access = true,
455	.ret_type = RET_PTR_TO_SOCK_COMMON_OR_NULL,
456	.arg1_type = ARG_PTR_TO_CTX,
457	- .arg2_type = ARG_PTR_TO_MEM,
458	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
459	.arg3_type = ARG_CONST_SIZE,
460	.arg4_type = ARG_ANYTHING,
461	.arg5_type = ARG_ANYTHING,
462	@@ -6285,7 +6285,7 @@ static const struct bpf_func_proto bpf_s
463	.pkt_access = true,
464	.ret_type = RET_PTR_TO_SOCKET_OR_NULL,
465	.arg1_type = ARG_PTR_TO_CTX,
466	- .arg2_type = ARG_PTR_TO_MEM,
467	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
468	.arg3_type = ARG_CONST_SIZE,
469	.arg4_type = ARG_ANYTHING,
470	.arg5_type = ARG_ANYTHING,
471	@@ -6304,7 +6304,7 @@ static const struct bpf_func_proto bpf_s
472	.pkt_access = true,
473	.ret_type = RET_PTR_TO_SOCKET_OR_NULL,
474	.arg1_type = ARG_PTR_TO_CTX,
475	- .arg2_type = ARG_PTR_TO_MEM,
476	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
477	.arg3_type = ARG_CONST_SIZE,
478	.arg4_type = ARG_ANYTHING,
479	.arg5_type = ARG_ANYTHING,
480	@@ -6341,7 +6341,7 @@ static const struct bpf_func_proto bpf_x
481	.pkt_access = true,
482	.ret_type = RET_PTR_TO_SOCKET_OR_NULL,
483	.arg1_type = ARG_PTR_TO_CTX,
484	- .arg2_type = ARG_PTR_TO_MEM,
485	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
486	.arg3_type = ARG_CONST_SIZE,
487	.arg4_type = ARG_ANYTHING,
488	.arg5_type = ARG_ANYTHING,
489	@@ -6364,7 +6364,7 @@ static const struct bpf_func_proto bpf_x
490	.pkt_access = true,
491	.ret_type = RET_PTR_TO_SOCK_COMMON_OR_NULL,
492	.arg1_type = ARG_PTR_TO_CTX,
493	- .arg2_type = ARG_PTR_TO_MEM,
494	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
495	.arg3_type = ARG_CONST_SIZE,
496	.arg4_type = ARG_ANYTHING,
497	.arg5_type = ARG_ANYTHING,
498	@@ -6387,7 +6387,7 @@ static const struct bpf_func_proto bpf_x
499	.pkt_access = true,
500	.ret_type = RET_PTR_TO_SOCKET_OR_NULL,
501	.arg1_type = ARG_PTR_TO_CTX,
502	- .arg2_type = ARG_PTR_TO_MEM,
503	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
504	.arg3_type = ARG_CONST_SIZE,
505	.arg4_type = ARG_ANYTHING,
506	.arg5_type = ARG_ANYTHING,
507	@@ -6406,7 +6406,7 @@ static const struct bpf_func_proto bpf_s
508	.gpl_only = false,
509	.ret_type = RET_PTR_TO_SOCK_COMMON_OR_NULL,
510	.arg1_type = ARG_PTR_TO_CTX,
511	- .arg2_type = ARG_PTR_TO_MEM,
512	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
513	.arg3_type = ARG_CONST_SIZE,
514	.arg4_type = ARG_ANYTHING,
515	.arg5_type = ARG_ANYTHING,
516	@@ -6425,7 +6425,7 @@ static const struct bpf_func_proto bpf_s
517	.gpl_only = false,
518	.ret_type = RET_PTR_TO_SOCKET_OR_NULL,
519	.arg1_type = ARG_PTR_TO_CTX,
520	- .arg2_type = ARG_PTR_TO_MEM,
521	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
522	.arg3_type = ARG_CONST_SIZE,
523	.arg4_type = ARG_ANYTHING,
524	.arg5_type = ARG_ANYTHING,
525	@@ -6444,7 +6444,7 @@ static const struct bpf_func_proto bpf_s
526	.gpl_only = false,
527	.ret_type = RET_PTR_TO_SOCKET_OR_NULL,
528	.arg1_type = ARG_PTR_TO_CTX,
529	- .arg2_type = ARG_PTR_TO_MEM,
530	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
531	.arg3_type = ARG_CONST_SIZE,
532	.arg4_type = ARG_ANYTHING,
533	.arg5_type = ARG_ANYTHING,
534	@@ -6757,9 +6757,9 @@ static const struct bpf_func_proto bpf_t
535	.pkt_access = true,
536	.ret_type = RET_INTEGER,
537	.arg1_type = ARG_PTR_TO_BTF_ID_SOCK_COMMON,
538	- .arg2_type = ARG_PTR_TO_MEM,
539	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
540	.arg3_type = ARG_CONST_SIZE,
541	- .arg4_type = ARG_PTR_TO_MEM,
542	+ .arg4_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
543	.arg5_type = ARG_CONST_SIZE,
544	};
545
546	@@ -6826,9 +6826,9 @@ static const struct bpf_func_proto bpf_t
547	.pkt_access = true,
548	.ret_type = RET_INTEGER,
549	.arg1_type = ARG_PTR_TO_BTF_ID_SOCK_COMMON,
550	- .arg2_type = ARG_PTR_TO_MEM,
551	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
552	.arg3_type = ARG_CONST_SIZE,
553	- .arg4_type = ARG_PTR_TO_MEM,
554	+ .arg4_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
555	.arg5_type = ARG_CONST_SIZE,
556	};
557
558	@@ -7057,7 +7057,7 @@ static const struct bpf_func_proto bpf_s
559	.gpl_only = false,
560	.ret_type = RET_INTEGER,
561	.arg1_type = ARG_PTR_TO_CTX,
562	- .arg2_type = ARG_PTR_TO_MEM,
563	+ .arg2_type = ARG_PTR_TO_MEM \| MEM_RDONLY,
564	.arg3_type = ARG_CONST_SIZE,
565	.arg4_type = ARG_ANYTHING,
566	};