This patchset adds the base infrastructure for a modular BPF verifier. The motivation remains unchanged from the LSFMMBPF25 proposal [0].
However, the design has diverged. Rather than immediately going for the facade described in [0], we instead make a stop first at the continuously exported copies of the verifier in an out-of-tree repository, with a separate copy for each kernel release. Each copy will receive as many verifier backports as possible within the "boundary" of the modular portions.
For example, a patch that changes the verifier at the same time as one of the kernel symbols it depends on cannot be applied, as at runtime only the verifier portion can be updated. However, a patch that only changes verifier.c can be applied, as it's within the boundary. Rough analysis of past data shows that most verifier changes fall within the latter category. The jupyter notebook for this can be found here [1].
From here, we'll gradually enlarge the "boundary" to enable backports of more and more patches, with the north star being the facade as described in the proposal. Ideally, completion of the facade will render the out-of-tree repository useless.
[0]: https://lore.kernel.org/bpf/nahst74z46ov7ii3vmriyhk25zo6tkf2f3hsulzjzselvobb...
[1]: https://github.com/danobi/verifier-analysis/blob/master/analysis.ipynb

Daniel Xu (13):
  bpf: Move bpf_prog_ctx_arg_info_init() body into header
  bpf: Move BTF related globals out of verifier.c
  bpf: Move percpu memory allocator definition into core
  bpf: Move bpf_check_attach_target() to core
  bpf: Remove map_set_for_each_callback_args callback for maps
  bpf: Move kfunc definitions out of verifier.c
  bpf: Make bpf_free_kfunc_btf_tab() static in core
  selftests: bpf: Avoid attaching to bpf_check()
  perf: Export perf_snapshot_branch_stack static key
  bpf: verifier: Add indirection to kallsyms_lookup_name()
  treewide: bpf: Export symbols used by verifier
  bpf: verifier: Make verifier loadable
  bpf: Supporting building verifier.ko out-of-tree

 arch/x86/net/bpf_jit_comp.c | 2 +
 drivers/media/rc/bpf-lirc.c | 1 +
 fs/bpf_fs_kfuncs.c | 4 +
 include/linux/bpf.h | 82 ++-
 include/linux/bpf_verifier.h | 7 -
 include/linux/btf.h | 4 +
 kernel/bpf/Kbuild | 8 +
 kernel/bpf/Kconfig | 12 +
 kernel/bpf/Makefile | 3 +-
 kernel/bpf/arraymap.c | 2 -
 kernel/bpf/bpf_iter.c | 1 +
 kernel/bpf/bpf_lsm.c | 5 +
 kernel/bpf/bpf_struct_ops.c | 2 +
 kernel/bpf/btf.c | 61 +-
 kernel/bpf/cgroup.c | 4 +
 kernel/bpf/core.c | 463 ++++++++++++++++
 kernel/bpf/disasm.c | 4 +
 kernel/bpf/hashtab.c | 4 -
 kernel/bpf/helpers.c | 2 +
 kernel/bpf/local_storage.c | 2 +
 kernel/bpf/log.c | 12 +
 kernel/bpf/map_iter.c | 1 +
 kernel/bpf/memalloc.c | 3 +
 kernel/bpf/offload.c | 10 +
 kernel/bpf/syscall.c | 52 +-
 kernel/bpf/tnum.c | 20 +
 kernel/bpf/token.c | 1 +
 kernel/bpf/trampoline.c | 5 +
 kernel/bpf/verifier.c | 521 ++----------------
 kernel/events/callchain.c | 3 +
 kernel/events/core.c | 1 +
 kernel/trace/bpf_trace.c | 9 +
 lib/error-inject.c | 2 +
 net/core/filter.c | 26 +
 net/core/xdp.c | 2 +
 net/netfilter/nf_bpf_link.c | 1 +
 .../selftests/bpf/progs/exceptions_assert.c | 2 +-
 .../selftests/bpf/progs/exceptions_fail.c | 4 +-
 38 files changed, 834 insertions(+), 514 deletions(-)
 create mode 100644 kernel/bpf/Kbuild