diff mbox series

[bpf-next,v1,3/9] bpf: Replace RET_XXX_OR_NULL with RET_XXX | PTR_MAYBE_NULL

Message ID 20211206232227.3286237-4-haoluo@google.com (mailing list archive)
State Superseded
Delegated to: BPF
Headers show
Series Introduce composable bpf types | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for bpf-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix success Link
netdev/cover_letter success Series has a cover letter
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit fail Errors and warnings before: 12426 this patch: 12428
netdev/cc_maintainers warning 2 maintainers not CCed: netdev@vger.kernel.org john.fastabend@gmail.com
netdev/build_clang fail Errors and warnings before: 2096 this patch: 2099
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn fail Errors and warnings before: 11591 this patch: 11593
netdev/checkpatch warning WARNING: line length of 82 exceeds 80 columns WARNING: line length of 95 exceeds 80 columns
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Hao Luo Dec. 6, 2021, 11:22 p.m. UTC 
We have introduced a new type to make bpf_ret composable, by
reserving high bits to represent flags.

One of the flag is PTR_MAYBE_NULL, which indicates a pointer
may be NULL. When applying this flag to ret_types, it means
the returned value could be a NULL pointer. This patch
switches the qualified arg_types to use this flag.
The ret_types changed in this patch include:

1. RET_PTR_TO_MAP_VALUE_OR_NULL
2. RET_PTR_TO_SOCKET_OR_NULL
3. RET_PTR_TO_TCP_SOCK_OR_NULL
4. RET_PTR_TO_SOCK_COMMON_OR_NULL
5. RET_PTR_TO_ALLOC_MEM_OR_NULL
6. RET_PTR_TO_MEM_OR_BTF_ID_OR_NULL
7. RET_PTR_TO_BTF_ID_OR_NULL

This patch doesn't eliminate the use of these names, instead
it makes them aliases to 'RET_PTR_TO_XXX | PTR_MAYBE_NULL'.

Signed-off-by: Hao Luo <haoluo@google.com>
---
 include/linux/bpf.h   | 19 ++++++++++------
 kernel/bpf/helpers.c  |  2 +-
 kernel/bpf/verifier.c | 52 +++++++++++++++++++++----------------------
 3 files changed, 39 insertions(+), 34 deletions(-)

Comments

Andrii Nakryiko Dec. 7, 2021, 5:51 a.m. UTC | #1 
On Mon, Dec 6, 2021 at 3:22 PM Hao Luo <haoluo@google.com> wrote:
>
> We have introduced a new type to make bpf_ret composable, by
> reserving high bits to represent flags.
>
> One of the flag is PTR_MAYBE_NULL, which indicates a pointer
> may be NULL. When applying this flag to ret_types, it means
> the returned value could be a NULL pointer. This patch
> switches the qualified arg_types to use this flag.
> The ret_types changed in this patch include:
>
> 1. RET_PTR_TO_MAP_VALUE_OR_NULL
> 2. RET_PTR_TO_SOCKET_OR_NULL
> 3. RET_PTR_TO_TCP_SOCK_OR_NULL
> 4. RET_PTR_TO_SOCK_COMMON_OR_NULL
> 5. RET_PTR_TO_ALLOC_MEM_OR_NULL
> 6. RET_PTR_TO_MEM_OR_BTF_ID_OR_NULL
> 7. RET_PTR_TO_BTF_ID_OR_NULL
>
> This patch doesn't eliminate the use of these names, instead
> it makes them aliases to 'RET_PTR_TO_XXX | PTR_MAYBE_NULL'.
>
> Signed-off-by: Hao Luo <haoluo@google.com>
> ---
>  include/linux/bpf.h   | 19 ++++++++++------
>  kernel/bpf/helpers.c  |  2 +-
>  kernel/bpf/verifier.c | 52 +++++++++++++++++++++----------------------
>  3 files changed, 39 insertions(+), 34 deletions(-)
>

[...]

> @@ -6570,28 +6570,28 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
>                                 return -EINVAL;
>                         }
>                         regs[BPF_REG_0].type =
> -                               fn->ret_type == RET_PTR_TO_MEM_OR_BTF_ID ?
> -                               PTR_TO_MEM : PTR_TO_MEM_OR_NULL;
> +                               (ret_type & PTR_MAYBE_NULL) ?
> +                               PTR_TO_MEM_OR_NULL : PTR_TO_MEM;

nit: I expected something like (let's use the fact that those flags
are the same across different enums):

regs[BPF_REG_0].type = PTR_TO_MEM | (ret_type & PTR_MAYBE_NULL);


>                         regs[BPF_REG_0].mem_size = tsize;
>                 } else {
>                         regs[BPF_REG_0].type =
> -                               fn->ret_type == RET_PTR_TO_MEM_OR_BTF_ID ?
> -                               PTR_TO_BTF_ID : PTR_TO_BTF_ID_OR_NULL;
> +                               (ret_type & PTR_MAYBE_NULL) ?
> +                               PTR_TO_BTF_ID_OR_NULL : PTR_TO_BTF_ID;

same as above

>                         regs[BPF_REG_0].btf = meta.ret_btf;
>                         regs[BPF_REG_0].btf_id = meta.ret_btf_id;
>                 }
> -       } else if (fn->ret_type == RET_PTR_TO_BTF_ID_OR_NULL ||
> -                  fn->ret_type == RET_PTR_TO_BTF_ID) {
> +       } else if (base_type(ret_type) == RET_PTR_TO_BTF_ID) {
>                 int ret_btf_id;
>
>                 mark_reg_known_zero(env, regs, BPF_REG_0);
> -               regs[BPF_REG_0].type = fn->ret_type == RET_PTR_TO_BTF_ID ?
> -                                                    PTR_TO_BTF_ID :
> -                                                    PTR_TO_BTF_ID_OR_NULL;
> +               regs[BPF_REG_0].type = (ret_type & PTR_MAYBE_NULL) ?
> +                                                    PTR_TO_BTF_ID_OR_NULL :
> +                                                    PTR_TO_BTF_ID;

and here


>                 ret_btf_id = *fn->ret_btf_id;
>                 if (ret_btf_id == 0) {
> -                       verbose(env, "invalid return type %d of func %s#%d\n",
> -                               fn->ret_type, func_id_name(func_id), func_id);
> +                       verbose(env, "invalid return type %lu of func %s#%d\n",
> +                               base_type(ret_type), func_id_name(func_id),

base type returns u32, shouldn't it be %u then?

> +                               func_id);
>                         return -EINVAL;
>                 }
>                 /* current BPF helper definitions are only coming from
> @@ -6600,8 +6600,8 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
>                 regs[BPF_REG_0].btf = btf_vmlinux;
>                 regs[BPF_REG_0].btf_id = ret_btf_id;
>         } else {
> -               verbose(env, "unknown return type %d of func %s#%d\n",
> -                       fn->ret_type, func_id_name(func_id), func_id);
> +               verbose(env, "unknown return type %lu of func %s#%d\n",
> +                       base_type(ret_type), func_id_name(func_id), func_id);

same %u

>                 return -EINVAL;
>         }
>
> --
> 2.34.1.400.ga245620fadb-goog
>
Hao Luo Dec. 7, 2021, 7:05 p.m. UTC | #2 
On Mon, Dec 6, 2021 at 9:51 PM Andrii Nakryiko
<andrii.nakryiko@gmail.com> wrote:
>
> On Mon, Dec 6, 2021 at 3:22 PM Hao Luo <haoluo@google.com> wrote:
> >
> > We have introduced a new type to make bpf_ret composable, by
> > reserving high bits to represent flags.
> >
> > One of the flag is PTR_MAYBE_NULL, which indicates a pointer
> > may be NULL. When applying this flag to ret_types, it means
> > the returned value could be a NULL pointer. This patch
> > switches the qualified arg_types to use this flag.
> > The ret_types changed in this patch include:
> >
> > 1. RET_PTR_TO_MAP_VALUE_OR_NULL
> > 2. RET_PTR_TO_SOCKET_OR_NULL
> > 3. RET_PTR_TO_TCP_SOCK_OR_NULL
> > 4. RET_PTR_TO_SOCK_COMMON_OR_NULL
> > 5. RET_PTR_TO_ALLOC_MEM_OR_NULL
> > 6. RET_PTR_TO_MEM_OR_BTF_ID_OR_NULL
> > 7. RET_PTR_TO_BTF_ID_OR_NULL
> >
> > This patch doesn't eliminate the use of these names, instead
> > it makes them aliases to 'RET_PTR_TO_XXX | PTR_MAYBE_NULL'.
> >
> > Signed-off-by: Hao Luo <haoluo@google.com>
> > ---
> >  include/linux/bpf.h   | 19 ++++++++++------
> >  kernel/bpf/helpers.c  |  2 +-
> >  kernel/bpf/verifier.c | 52 +++++++++++++++++++++----------------------
> >  3 files changed, 39 insertions(+), 34 deletions(-)
> >
>
> [...]
>
> > @@ -6570,28 +6570,28 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
> >                                 return -EINVAL;
> >                         }
> >                         regs[BPF_REG_0].type =
> > -                               fn->ret_type == RET_PTR_TO_MEM_OR_BTF_ID ?
> > -                               PTR_TO_MEM : PTR_TO_MEM_OR_NULL;
> > +                               (ret_type & PTR_MAYBE_NULL) ?
> > +                               PTR_TO_MEM_OR_NULL : PTR_TO_MEM;
>
> nit: I expected something like (let's use the fact that those flags
> are the same across different enums):
>
> regs[BPF_REG_0].type = PTR_TO_MEM | (ret_type & PTR_MAYBE_NULL);
>

We haven't taught reg_type to recognize PTR_MAYBE_NULL until the next
patch. Patch 4/9 does have the suggested conversion:

regs[BPF_REG_0].type = PTR_TO_MEM | ret_flag;

>
> >                         regs[BPF_REG_0].mem_size = tsize;
> >                 } else {
> >                         regs[BPF_REG_0].type =
> > -                               fn->ret_type == RET_PTR_TO_MEM_OR_BTF_ID ?
> > -                               PTR_TO_BTF_ID : PTR_TO_BTF_ID_OR_NULL;
> > +                               (ret_type & PTR_MAYBE_NULL) ?
> > +                               PTR_TO_BTF_ID_OR_NULL : PTR_TO_BTF_ID;
>
> same as above
>
> >                         regs[BPF_REG_0].btf = meta.ret_btf;
> >                         regs[BPF_REG_0].btf_id = meta.ret_btf_id;
> >                 }
> > -       } else if (fn->ret_type == RET_PTR_TO_BTF_ID_OR_NULL ||
> > -                  fn->ret_type == RET_PTR_TO_BTF_ID) {
> > +       } else if (base_type(ret_type) == RET_PTR_TO_BTF_ID) {
> >                 int ret_btf_id;
> >
> >                 mark_reg_known_zero(env, regs, BPF_REG_0);
> > -               regs[BPF_REG_0].type = fn->ret_type == RET_PTR_TO_BTF_ID ?
> > -                                                    PTR_TO_BTF_ID :
> > -                                                    PTR_TO_BTF_ID_OR_NULL;
> > +               regs[BPF_REG_0].type = (ret_type & PTR_MAYBE_NULL) ?
> > +                                                    PTR_TO_BTF_ID_OR_NULL :
> > +                                                    PTR_TO_BTF_ID;
>
> and here
>
>
> >                 ret_btf_id = *fn->ret_btf_id;
> >                 if (ret_btf_id == 0) {
> > -                       verbose(env, "invalid return type %d of func %s#%d\n",
> > -                               fn->ret_type, func_id_name(func_id), func_id);
> > +                       verbose(env, "invalid return type %lu of func %s#%d\n",
> > +                               base_type(ret_type), func_id_name(func_id),
>
> base type returns u32, shouldn't it be %u then?
>

Ack, you are right. When writing this, I know '%lu' will work but
didn't give it much thought. Will use '%u' in v2.

> > +                               func_id);
> >                         return -EINVAL;
> >                 }
> >                 /* current BPF helper definitions are only coming from
> > @@ -6600,8 +6600,8 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
> >                 regs[BPF_REG_0].btf = btf_vmlinux;
> >                 regs[BPF_REG_0].btf_id = ret_btf_id;
> >         } else {
> > -               verbose(env, "unknown return type %d of func %s#%d\n",
> > -                       fn->ret_type, func_id_name(func_id), func_id);
> > +               verbose(env, "unknown return type %lu of func %s#%d\n",
> > +                       base_type(ret_type), func_id_name(func_id), func_id);
>
> same %u
>
> >                 return -EINVAL;
> >         }
> >
> > --
> > 2.34.1.400.ga245620fadb-goog
> >
diff mbox series

Patch

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index b0d063972091..202eb5155edc 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -382,17 +382,22 @@  enum bpf_return_type {
 	RET_INTEGER,			/* function returns integer */
 	RET_VOID,			/* function doesn't return anything */
 	RET_PTR_TO_MAP_VALUE,		/* returns a pointer to map elem value */
-	RET_PTR_TO_MAP_VALUE_OR_NULL,	/* returns a pointer to map elem value or NULL */
-	RET_PTR_TO_SOCKET_OR_NULL,	/* returns a pointer to a socket or NULL */
-	RET_PTR_TO_TCP_SOCK_OR_NULL,	/* returns a pointer to a tcp_sock or NULL */
-	RET_PTR_TO_SOCK_COMMON_OR_NULL,	/* returns a pointer to a sock_common or NULL */
-	RET_PTR_TO_ALLOC_MEM_OR_NULL,	/* returns a pointer to dynamically allocated memory or NULL */
-	RET_PTR_TO_BTF_ID_OR_NULL,	/* returns a pointer to a btf_id or NULL */
-	RET_PTR_TO_MEM_OR_BTF_ID_OR_NULL, /* returns a pointer to a valid memory or a btf_id or NULL */
+	RET_PTR_TO_SOCKET,		/* returns a pointer to a socket */
+	RET_PTR_TO_TCP_SOCK,		/* returns a pointer to a tcp_sock */
+	RET_PTR_TO_SOCK_COMMON,		/* returns a pointer to a sock_common */
+	RET_PTR_TO_ALLOC_MEM,		/* returns a pointer to dynamically allocated memory */
 	RET_PTR_TO_MEM_OR_BTF_ID,	/* returns a pointer to a valid memory or a btf_id */
 	RET_PTR_TO_BTF_ID,		/* returns a pointer to a btf_id */
 	__BPF_RET_TYPE_MAX,
 
+	/* Extended ret_types. */
+	RET_PTR_TO_MAP_VALUE_OR_NULL	= PTR_MAYBE_NULL | RET_PTR_TO_MAP_VALUE,
+	RET_PTR_TO_SOCKET_OR_NULL	= PTR_MAYBE_NULL | RET_PTR_TO_SOCKET,
+	RET_PTR_TO_TCP_SOCK_OR_NULL	= PTR_MAYBE_NULL | RET_PTR_TO_TCP_SOCK,
+	RET_PTR_TO_SOCK_COMMON_OR_NULL	= PTR_MAYBE_NULL | RET_PTR_TO_SOCK_COMMON,
+	RET_PTR_TO_ALLOC_MEM_OR_NULL	= PTR_MAYBE_NULL | RET_PTR_TO_ALLOC_MEM,
+	RET_PTR_TO_BTF_ID_OR_NULL	= PTR_MAYBE_NULL | RET_PTR_TO_BTF_ID,
+
 	/* This must be the last entry. Its purpose is to ensure the enum is
 	 * wide enough to hold the higher bits reserved for bpf_type_flag.
 	 */
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 1ffd469c217f..293d9314ec7f 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -667,7 +667,7 @@  BPF_CALL_2(bpf_per_cpu_ptr, const void *, ptr, u32, cpu)
 const struct bpf_func_proto bpf_per_cpu_ptr_proto = {
 	.func		= bpf_per_cpu_ptr,
 	.gpl_only	= false,
-	.ret_type	= RET_PTR_TO_MEM_OR_BTF_ID_OR_NULL,
+	.ret_type	= RET_PTR_TO_MEM_OR_BTF_ID | PTR_MAYBE_NULL,
 	.arg1_type	= ARG_PTR_TO_PERCPU_BTF_ID,
 	.arg2_type	= ARG_ANYTHING,
 };
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index b8fa88266af7..253de4a99ba5 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -6370,6 +6370,7 @@  static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
 			     int *insn_idx_p)
 {
 	const struct bpf_func_proto *fn = NULL;
+	enum bpf_return_type ret_type;
 	struct bpf_reg_state *regs;
 	struct bpf_call_arg_meta meta;
 	int insn_idx = *insn_idx_p;
@@ -6510,13 +6511,13 @@  static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
 	regs[BPF_REG_0].subreg_def = DEF_NOT_SUBREG;
 
 	/* update return register (already marked as written above) */
-	if (fn->ret_type == RET_INTEGER) {
+	ret_type = fn->ret_type;
+	if (ret_type == RET_INTEGER) {
 		/* sets type to SCALAR_VALUE */
 		mark_reg_unknown(env, regs, BPF_REG_0);
-	} else if (fn->ret_type == RET_VOID) {
+	} else if (ret_type == RET_VOID) {
 		regs[BPF_REG_0].type = NOT_INIT;
-	} else if (fn->ret_type == RET_PTR_TO_MAP_VALUE_OR_NULL ||
-		   fn->ret_type == RET_PTR_TO_MAP_VALUE) {
+	} else if (base_type(ret_type) == RET_PTR_TO_MAP_VALUE) {
 		/* There is no offset yet applied, variable or fixed */
 		mark_reg_known_zero(env, regs, BPF_REG_0);
 		/* remember map_ptr, so that check_map_access()
@@ -6530,28 +6531,27 @@  static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
 		}
 		regs[BPF_REG_0].map_ptr = meta.map_ptr;
 		regs[BPF_REG_0].map_uid = meta.map_uid;
-		if (fn->ret_type == RET_PTR_TO_MAP_VALUE) {
+		if (type_may_be_null(ret_type)) {
+			regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL;
+		} else {
 			regs[BPF_REG_0].type = PTR_TO_MAP_VALUE;
 			if (map_value_has_spin_lock(meta.map_ptr))
 				regs[BPF_REG_0].id = ++env->id_gen;
-		} else {
-			regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL;
 		}
-	} else if (fn->ret_type == RET_PTR_TO_SOCKET_OR_NULL) {
+	} else if (base_type(ret_type) == RET_PTR_TO_SOCKET) {
 		mark_reg_known_zero(env, regs, BPF_REG_0);
 		regs[BPF_REG_0].type = PTR_TO_SOCKET_OR_NULL;
-	} else if (fn->ret_type == RET_PTR_TO_SOCK_COMMON_OR_NULL) {
+	} else if (base_type(ret_type) == RET_PTR_TO_SOCK_COMMON) {
 		mark_reg_known_zero(env, regs, BPF_REG_0);
 		regs[BPF_REG_0].type = PTR_TO_SOCK_COMMON_OR_NULL;
-	} else if (fn->ret_type == RET_PTR_TO_TCP_SOCK_OR_NULL) {
+	} else if (base_type(ret_type) == RET_PTR_TO_TCP_SOCK) {
 		mark_reg_known_zero(env, regs, BPF_REG_0);
 		regs[BPF_REG_0].type = PTR_TO_TCP_SOCK_OR_NULL;
-	} else if (fn->ret_type == RET_PTR_TO_ALLOC_MEM_OR_NULL) {
+	} else if (base_type(ret_type) == RET_PTR_TO_ALLOC_MEM) {
 		mark_reg_known_zero(env, regs, BPF_REG_0);
 		regs[BPF_REG_0].type = PTR_TO_MEM_OR_NULL;
 		regs[BPF_REG_0].mem_size = meta.mem_size;
-	} else if (fn->ret_type == RET_PTR_TO_MEM_OR_BTF_ID_OR_NULL ||
-		   fn->ret_type == RET_PTR_TO_MEM_OR_BTF_ID) {
+	} else if (base_type(ret_type) == RET_PTR_TO_MEM_OR_BTF_ID) {
 		const struct btf_type *t;
 
 		mark_reg_known_zero(env, regs, BPF_REG_0);
@@ -6570,28 +6570,28 @@  static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
 				return -EINVAL;
 			}
 			regs[BPF_REG_0].type =
-				fn->ret_type == RET_PTR_TO_MEM_OR_BTF_ID ?
-				PTR_TO_MEM : PTR_TO_MEM_OR_NULL;
+				(ret_type & PTR_MAYBE_NULL) ?
+				PTR_TO_MEM_OR_NULL : PTR_TO_MEM;
 			regs[BPF_REG_0].mem_size = tsize;
 		} else {
 			regs[BPF_REG_0].type =
-				fn->ret_type == RET_PTR_TO_MEM_OR_BTF_ID ?
-				PTR_TO_BTF_ID : PTR_TO_BTF_ID_OR_NULL;
+				(ret_type & PTR_MAYBE_NULL) ?
+				PTR_TO_BTF_ID_OR_NULL : PTR_TO_BTF_ID;
 			regs[BPF_REG_0].btf = meta.ret_btf;
 			regs[BPF_REG_0].btf_id = meta.ret_btf_id;
 		}
-	} else if (fn->ret_type == RET_PTR_TO_BTF_ID_OR_NULL ||
-		   fn->ret_type == RET_PTR_TO_BTF_ID) {
+	} else if (base_type(ret_type) == RET_PTR_TO_BTF_ID) {
 		int ret_btf_id;
 
 		mark_reg_known_zero(env, regs, BPF_REG_0);
-		regs[BPF_REG_0].type = fn->ret_type == RET_PTR_TO_BTF_ID ?
-						     PTR_TO_BTF_ID :
-						     PTR_TO_BTF_ID_OR_NULL;
+		regs[BPF_REG_0].type = (ret_type & PTR_MAYBE_NULL) ?
+						     PTR_TO_BTF_ID_OR_NULL :
+						     PTR_TO_BTF_ID;
 		ret_btf_id = *fn->ret_btf_id;
 		if (ret_btf_id == 0) {
-			verbose(env, "invalid return type %d of func %s#%d\n",
-				fn->ret_type, func_id_name(func_id), func_id);
+			verbose(env, "invalid return type %lu of func %s#%d\n",
+				base_type(ret_type), func_id_name(func_id),
+				func_id);
 			return -EINVAL;
 		}
 		/* current BPF helper definitions are only coming from
@@ -6600,8 +6600,8 @@  static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
 		regs[BPF_REG_0].btf = btf_vmlinux;
 		regs[BPF_REG_0].btf_id = ret_btf_id;
 	} else {
-		verbose(env, "unknown return type %d of func %s#%d\n",
-			fn->ret_type, func_id_name(func_id), func_id);
+		verbose(env, "unknown return type %lu of func %s#%d\n",
+			base_type(ret_type), func_id_name(func_id), func_id);
 		return -EINVAL;
 	}