diff mbox series

[bpf-next,1/2] bpf: Make the pointer returned by iter next method valid

Message ID AM6PR03MB58489794C158C438B04FD0E599802@AM6PR03MB5848.eurprd03.prod.outlook.com (mailing list archive)
State Superseded
Delegated to: BPF
Headers show
Series [bpf-next,1/2] bpf: Make the pointer returned by iter next method valid | expand

Checks

Context Check Description
bpf/vmtest-bpf-next-PR success PR summary
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for bpf-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 42 this patch: 42
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 13 of 13 maintainers
netdev/build_clang success Errors and warnings before: 43 this patch: 43
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 53 this patch: 53
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 10 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-next-VM_Test-0 success Logs for Lint
bpf/vmtest-bpf-next-VM_Test-1 success Logs for ShellCheck
bpf/vmtest-bpf-next-VM_Test-2 success Logs for Unittests
bpf/vmtest-bpf-next-VM_Test-3 success Logs for Validate matrix.py
bpf/vmtest-bpf-next-VM_Test-5 success Logs for aarch64-gcc / build-release
bpf/vmtest-bpf-next-VM_Test-4 success Logs for aarch64-gcc / build / build for aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-12 success Logs for s390x-gcc / build-release
bpf/vmtest-bpf-next-VM_Test-10 success Logs for aarch64-gcc / veristat
bpf/vmtest-bpf-next-VM_Test-11 success Logs for s390x-gcc / build / build for s390x with gcc
bpf/vmtest-bpf-next-VM_Test-19 success Logs for x86_64-gcc / build-release
bpf/vmtest-bpf-next-VM_Test-18 success Logs for x86_64-gcc / build / build for x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-17 success Logs for set-matrix
bpf/vmtest-bpf-next-VM_Test-16 success Logs for s390x-gcc / veristat
bpf/vmtest-bpf-next-VM_Test-33 success Logs for x86_64-llvm-17 / veristat
bpf/vmtest-bpf-next-VM_Test-35 success Logs for x86_64-llvm-18 / build-release / build for x86_64 with llvm-18-O2
bpf/vmtest-bpf-next-VM_Test-27 success Logs for x86_64-llvm-17 / build / build for x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-41 success Logs for x86_64-llvm-18 / veristat
bpf/vmtest-bpf-next-VM_Test-34 success Logs for x86_64-llvm-18 / build / build for x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-28 success Logs for x86_64-llvm-17 / build-release / build for x86_64 with llvm-17-O2
bpf/vmtest-bpf-next-VM_Test-9 success Logs for aarch64-gcc / test (test_verifier, false, 360) / test_verifier on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-8 success Logs for aarch64-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-7 success Logs for aarch64-gcc / test (test_progs, false, 360) / test_progs on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-6 success Logs for aarch64-gcc / test (test_maps, false, 360) / test_maps on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-14 success Logs for s390x-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-13 success Logs for s390x-gcc / test (test_progs, false, 360) / test_progs on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-20 success Logs for x86_64-gcc / test (test_maps, false, 360) / test_maps on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-26 success Logs for x86_64-gcc / veristat / veristat on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-29 success Logs for x86_64-llvm-17 / test (test_maps, false, 360) / test_maps on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-22 success Logs for x86_64-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-25 success Logs for x86_64-gcc / test (test_verifier, false, 360) / test_verifier on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-21 success Logs for x86_64-gcc / test (test_progs, false, 360) / test_progs on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-24 success Logs for x86_64-gcc / test (test_progs_parallel, true, 30) / test_progs_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-23 success Logs for x86_64-gcc / test (test_progs_no_alu32_parallel, true, 30) / test_progs_no_alu32_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-31 success Logs for x86_64-llvm-17 / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-39 success Logs for x86_64-llvm-18 / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-40 success Logs for x86_64-llvm-18 / test (test_verifier, false, 360) / test_verifier on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-32 success Logs for x86_64-llvm-17 / test (test_verifier, false, 360) / test_verifier on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-37 success Logs for x86_64-llvm-18 / test (test_progs, false, 360) / test_progs on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-30 success Logs for x86_64-llvm-17 / test (test_progs, false, 360) / test_progs on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-38 success Logs for x86_64-llvm-18 / test (test_progs_cpuv4, false, 360) / test_progs_cpuv4 on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-36 success Logs for x86_64-llvm-18 / test (test_maps, false, 360) / test_maps on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-15 fail Logs for s390x-gcc / test (test_verifier, false, 360) / test_verifier on s390x with gcc

Commit Message

Juntong Deng Aug. 15, 2024, 4:10 p.m. UTC 
Currently we cannot pass the pointer returned by iter next method as
argument to KF_TRUSTED_ARGS kfuncs, because the pointer returned by
iter next method is not "valid".

This patch sets the pointer returned by iter next method to be valid.

This is based on the fact that if the iterator is implemented correctly,
then the pointer returned from the iter next method should be valid.

This does not make NULL pointer valid. If the iter next method has
KF_RET_NULL flag, then the verifier will ask the ebpf program to
check NULL pointer.

Signed-off-by: Juntong Deng <juntong.deng@outlook.com>
---
 kernel/bpf/verifier.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Andrii Nakryiko Aug. 15, 2024, 5:15 p.m. UTC | #1 
On Thu, Aug 15, 2024 at 9:11 AM Juntong Deng <juntong.deng@outlook.com> wrote:
>
> Currently we cannot pass the pointer returned by iter next method as
> argument to KF_TRUSTED_ARGS kfuncs, because the pointer returned by
> iter next method is not "valid".
>
> This patch sets the pointer returned by iter next method to be valid.
>
> This is based on the fact that if the iterator is implemented correctly,
> then the pointer returned from the iter next method should be valid.
>
> This does not make NULL pointer valid. If the iter next method has
> KF_RET_NULL flag, then the verifier will ask the ebpf program to
> check NULL pointer.
>
> Signed-off-by: Juntong Deng <juntong.deng@outlook.com>
> ---
>  kernel/bpf/verifier.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index ebec74c28ae3..35a7b7c6679c 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -12832,6 +12832,10 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
>                         /* For mark_ptr_or_null_reg, see 93c230e3f5bd6 */
>                         regs[BPF_REG_0].id = ++env->id_gen;
>                 }
> +
> +               if (is_iter_next_kfunc(&meta))
> +                       regs[BPF_REG_0].type |= PTR_TRUSTED;
> +

It seems a bit too generic to always assign PTR_TRUSTED to anything
returned from any iterator. Let's maybe add KF_RET_TRUSTED or
KF_ITER_TRUSTED or something along those lines to mark such iter_next
kfuncs explicitly?

For the numbers iterator, for instance, this PTR_TRUSTED makes no sense.

>                 mark_btf_func_reg_size(env, BPF_REG_0, sizeof(void *));
>                 if (is_kfunc_acquire(&meta)) {
>                         int id = acquire_reference_state(env, insn_idx);
> --
> 2.39.2
>
Juntong Deng Aug. 16, 2024, 1:42 p.m. UTC | #2 
On 8/15/24 18:15, Andrii Nakryiko wrote:
> On Thu, Aug 15, 2024 at 9:11 AM Juntong Deng <juntong.deng@outlook.com> wrote:
>>
>> Currently we cannot pass the pointer returned by iter next method as
>> argument to KF_TRUSTED_ARGS kfuncs, because the pointer returned by
>> iter next method is not "valid".
>>
>> This patch sets the pointer returned by iter next method to be valid.
>>
>> This is based on the fact that if the iterator is implemented correctly,
>> then the pointer returned from the iter next method should be valid.
>>
>> This does not make NULL pointer valid. If the iter next method has
>> KF_RET_NULL flag, then the verifier will ask the ebpf program to
>> check NULL pointer.
>>
>> Signed-off-by: Juntong Deng <juntong.deng@outlook.com>
>> ---
>>   kernel/bpf/verifier.c | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index ebec74c28ae3..35a7b7c6679c 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -12832,6 +12832,10 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
>>                          /* For mark_ptr_or_null_reg, see 93c230e3f5bd6 */
>>                          regs[BPF_REG_0].id = ++env->id_gen;
>>                  }
>> +
>> +               if (is_iter_next_kfunc(&meta))
>> +                       regs[BPF_REG_0].type |= PTR_TRUSTED;
>> +
> 
> It seems a bit too generic to always assign PTR_TRUSTED to anything
> returned from any iterator. Let's maybe add KF_RET_TRUSTED or
> KF_ITER_TRUSTED or something along those lines to mark such iter_next
> kfuncs explicitly?
> 
> For the numbers iterator, for instance, this PTR_TRUSTED makes no sense.
> 

I had the same idea (KF_RET_TRUSTED) before, but Kumar thought it should
be avoided and pointers returned by iter next method should be trusted
by default [0].

The following are previous related discussions:

 >> For iter_next(), I currently have an idea to add new flags to allow
 >> iter_next() to decide whether the return value is trusted or not,
 >> such as KF_RET_TRUSTED.
 >>
 >> What do you think?
 >
 > Why shouldn't the return value always be trusted?
 > We eventually want to switch over to trusted by default everywhere.
 > It would be nice not to go further in the opposite direction (i.e.
 > having to manually annotate trusted) if we can avoid it.

[0]: 
https://lore.kernel.org/bpf/CAP01T75na=fz7EhrP4Aw0WZ33R7jTbZ4BcmY56S1xTWczxHXWw@mail.gmail.com/

Maybe we can have more discussion?

(This email has been CC Kumar)

>>                  mark_btf_func_reg_size(env, BPF_REG_0, sizeof(void *));
>>                  if (is_kfunc_acquire(&meta)) {
>>                          int id = acquire_reference_state(env, insn_idx);
>> --
>> 2.39.2
>>
Alexei Starovoitov Aug. 16, 2024, 3:39 p.m. UTC | #3 
On Fri, Aug 16, 2024 at 3:43 PM Juntong Deng <juntong.deng@outlook.com> wrote:
>
> On 8/15/24 18:15, Andrii Nakryiko wrote:
> > On Thu, Aug 15, 2024 at 9:11 AM Juntong Deng <juntong.deng@outlook.com> wrote:
> >>
> >> Currently we cannot pass the pointer returned by iter next method as
> >> argument to KF_TRUSTED_ARGS kfuncs, because the pointer returned by
> >> iter next method is not "valid".
> >>
> >> This patch sets the pointer returned by iter next method to be valid.
> >>
> >> This is based on the fact that if the iterator is implemented correctly,
> >> then the pointer returned from the iter next method should be valid.
> >>
> >> This does not make NULL pointer valid. If the iter next method has
> >> KF_RET_NULL flag, then the verifier will ask the ebpf program to
> >> check NULL pointer.
> >>
> >> Signed-off-by: Juntong Deng <juntong.deng@outlook.com>
> >> ---
> >>   kernel/bpf/verifier.c | 4 ++++
> >>   1 file changed, 4 insertions(+)
> >>
> >> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> >> index ebec74c28ae3..35a7b7c6679c 100644
> >> --- a/kernel/bpf/verifier.c
> >> +++ b/kernel/bpf/verifier.c
> >> @@ -12832,6 +12832,10 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
> >>                          /* For mark_ptr_or_null_reg, see 93c230e3f5bd6 */
> >>                          regs[BPF_REG_0].id = ++env->id_gen;
> >>                  }
> >> +
> >> +               if (is_iter_next_kfunc(&meta))
> >> +                       regs[BPF_REG_0].type |= PTR_TRUSTED;
> >> +
> >
> > It seems a bit too generic to always assign PTR_TRUSTED to anything
> > returned from any iterator. Let's maybe add KF_RET_TRUSTED or
> > KF_ITER_TRUSTED or something along those lines to mark such iter_next
> > kfuncs explicitly?
> >
> > For the numbers iterator, for instance, this PTR_TRUSTED makes no sense.
> >
>
> I had the same idea (KF_RET_TRUSTED) before, but Kumar thought it should
> be avoided and pointers returned by iter next method should be trusted
> by default [0].
>
> The following are previous related discussions:
>
>  >> For iter_next(), I currently have an idea to add new flags to allow
>  >> iter_next() to decide whether the return value is trusted or not,
>  >> such as KF_RET_TRUSTED.
>  >>
>  >> What do you think?
>  >
>  > Why shouldn't the return value always be trusted?
>  > We eventually want to switch over to trusted by default everywhere.
>  > It would be nice not to go further in the opposite direction (i.e.
>  > having to manually annotate trusted) if we can avoid it.
>
> [0]:
> https://lore.kernel.org/bpf/CAP01T75na=fz7EhrP4Aw0WZ33R7jTbZ4BcmY56S1xTWczxHXWw@mail.gmail.com/
>
> Maybe we can have more discussion?
>
> (This email has been CC Kumar)

+1
pointer from iterator should always be trusted except
the case of KF_RCU_PROTECTED iterators.
Those iters clear iter itself outside of RCU CS,
so a pointer returned from iter_next should probably be
PTR_TO_BTF_ID | MEM_RCU | PTR_MAYBE_NULL.

For all other iters it should be safe to return
PTR_TO_BTF_ID | PTR_TRUSTED | PTR_MAYBE_NULL

> For the numbers iterator, for instance, this PTR_TRUSTED makes no sense

I see no conflict. It's a trusted pointer to u32.
Andrii Nakryiko Aug. 19, 2024, 4:24 p.m. UTC | #4 
On Fri, Aug 16, 2024 at 8:39 AM Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
>
> On Fri, Aug 16, 2024 at 3:43 PM Juntong Deng <juntong.deng@outlook.com> wrote:
> >
> > On 8/15/24 18:15, Andrii Nakryiko wrote:
> > > On Thu, Aug 15, 2024 at 9:11 AM Juntong Deng <juntong.deng@outlook.com> wrote:
> > >>
> > >> Currently we cannot pass the pointer returned by iter next method as
> > >> argument to KF_TRUSTED_ARGS kfuncs, because the pointer returned by
> > >> iter next method is not "valid".
> > >>
> > >> This patch sets the pointer returned by iter next method to be valid.
> > >>
> > >> This is based on the fact that if the iterator is implemented correctly,
> > >> then the pointer returned from the iter next method should be valid.
> > >>
> > >> This does not make NULL pointer valid. If the iter next method has
> > >> KF_RET_NULL flag, then the verifier will ask the ebpf program to
> > >> check NULL pointer.
> > >>
> > >> Signed-off-by: Juntong Deng <juntong.deng@outlook.com>
> > >> ---
> > >>   kernel/bpf/verifier.c | 4 ++++
> > >>   1 file changed, 4 insertions(+)
> > >>
> > >> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > >> index ebec74c28ae3..35a7b7c6679c 100644
> > >> --- a/kernel/bpf/verifier.c
> > >> +++ b/kernel/bpf/verifier.c
> > >> @@ -12832,6 +12832,10 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
> > >>                          /* For mark_ptr_or_null_reg, see 93c230e3f5bd6 */
> > >>                          regs[BPF_REG_0].id = ++env->id_gen;
> > >>                  }
> > >> +
> > >> +               if (is_iter_next_kfunc(&meta))
> > >> +                       regs[BPF_REG_0].type |= PTR_TRUSTED;
> > >> +
> > >
> > > It seems a bit too generic to always assign PTR_TRUSTED to anything
> > > returned from any iterator. Let's maybe add KF_RET_TRUSTED or
> > > KF_ITER_TRUSTED or something along those lines to mark such iter_next
> > > kfuncs explicitly?
> > >
> > > For the numbers iterator, for instance, this PTR_TRUSTED makes no sense.
> > >
> >
> > I had the same idea (KF_RET_TRUSTED) before, but Kumar thought it should
> > be avoided and pointers returned by iter next method should be trusted
> > by default [0].
> >
> > The following are previous related discussions:
> >
> >  >> For iter_next(), I currently have an idea to add new flags to allow
> >  >> iter_next() to decide whether the return value is trusted or not,
> >  >> such as KF_RET_TRUSTED.
> >  >>
> >  >> What do you think?
> >  >
> >  > Why shouldn't the return value always be trusted?
> >  > We eventually want to switch over to trusted by default everywhere.
> >  > It would be nice not to go further in the opposite direction (i.e.
> >  > having to manually annotate trusted) if we can avoid it.
> >
> > [0]:
> > https://lore.kernel.org/bpf/CAP01T75na=fz7EhrP4Aw0WZ33R7jTbZ4BcmY56S1xTWczxHXWw@mail.gmail.com/
> >
> > Maybe we can have more discussion?
> >
> > (This email has been CC Kumar)
>
> +1
> pointer from iterator should always be trusted except
> the case of KF_RCU_PROTECTED iterators.
> Those iters clear iter itself outside of RCU CS,
> so a pointer returned from iter_next should probably be
> PTR_TO_BTF_ID | MEM_RCU | PTR_MAYBE_NULL.
>
> For all other iters it should be safe to return
> PTR_TO_BTF_ID | PTR_TRUSTED | PTR_MAYBE_NULL
>

Ok, but we at some point might need to return a non-RCU/non-trusted
pointer, so I guess we'll have to add yet another flag to opt-out of
"trustedness"?

> > For the numbers iterator, for instance, this PTR_TRUSTED makes no sense
>
> I see no conflict. It's a trusted pointer to u32.
Alexei Starovoitov Aug. 20, 2024, 6:28 a.m. UTC | #5 
On Mon, Aug 19, 2024 at 6:24 PM Andrii Nakryiko
<andrii.nakryiko@gmail.com> wrote:
>
> > >
> > > [0]:
> > > https://lore.kernel.org/bpf/CAP01T75na=fz7EhrP4Aw0WZ33R7jTbZ4BcmY56S1xTWczxHXWw@mail.gmail.com/
> > >
> > > Maybe we can have more discussion?
> > >
> > > (This email has been CC Kumar)
> >
> > +1
> > pointer from iterator should always be trusted except
> > the case of KF_RCU_PROTECTED iterators.
> > Those iters clear iter itself outside of RCU CS,
> > so a pointer returned from iter_next should probably be
> > PTR_TO_BTF_ID | MEM_RCU | PTR_MAYBE_NULL.
> >
> > For all other iters it should be safe to return
> > PTR_TO_BTF_ID | PTR_TRUSTED | PTR_MAYBE_NULL
> >
>
> Ok, but we at some point might need to return a non-RCU/non-trusted
> pointer, so I guess we'll have to add yet another flag to opt-out of
> "trustedness"?

If such case ever happens then yes, we'd need a new flag,
but I don't see it's happening
diff mbox series

Patch

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index ebec74c28ae3..35a7b7c6679c 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -12832,6 +12832,10 @@  static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
 			/* For mark_ptr_or_null_reg, see 93c230e3f5bd6 */
 			regs[BPF_REG_0].id = ++env->id_gen;
 		}
+
+		if (is_iter_next_kfunc(&meta))
+			regs[BPF_REG_0].type |= PTR_TRUSTED;
+
 		mark_btf_func_reg_size(env, BPF_REG_0, sizeof(void *));
 		if (is_kfunc_acquire(&meta)) {
 			int id = acquire_reference_state(env, insn_idx);