diff mbox series

[bpf,1/2] bpf: Let verifier consider {task,cgroup} is trusted in bpf_iter_reg

Message ID 20231105133458.1315620-2-zhouchuyi@bytedance.com (mailing list archive)
State Superseded
Delegated to: BPF
Headers show
Series Let BPF verifier consider {task,cgroup} is trusted in bpf_iter_reg | expand

Checks

Context Check Description
bpf/vmtest-bpf-PR success PR summary
bpf/vmtest-bpf-VM_Test-0 success Logs for Lint
bpf/vmtest-bpf-VM_Test-1 success Logs for ShellCheck
bpf/vmtest-bpf-VM_Test-2 success Logs for Validate matrix.py
bpf/vmtest-bpf-VM_Test-4 success Logs for aarch64-gcc / test (test_maps, false, 360) / test_maps on aarch64 with gcc
bpf/vmtest-bpf-VM_Test-3 success Logs for aarch64-gcc / build / build for aarch64 with gcc
bpf/vmtest-bpf-VM_Test-7 success Logs for aarch64-gcc / test (test_verifier, false, 360) / test_verifier on aarch64 with gcc
bpf/vmtest-bpf-VM_Test-8 success Logs for aarch64-gcc / veristat
netdev/series_format success Posting correctly formatted
netdev/tree_selection success Clearly marked for bpf
netdev/fixes_present fail Series targets non-next tree, but doesn't contain any Fixes tags
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1327 this patch: 1327
netdev/cc_maintainers warning 8 maintainers not CCed: jolsa@kernel.org sdf@google.com john.fastabend@gmail.com kpsingh@kernel.org song@kernel.org yonghong.song@linux.dev haoluo@google.com martin.lau@linux.dev
netdev/build_clang success Errors and warnings before: 1342 this patch: 1342
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 1355 this patch: 1355
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 16 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-VM_Test-6 success Logs for aarch64-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on aarch64 with gcc
bpf/vmtest-bpf-VM_Test-5 success Logs for aarch64-gcc / test (test_progs, false, 360) / test_progs on aarch64 with gcc
bpf/vmtest-bpf-VM_Test-9 success Logs for s390x-gcc / build / build for s390x with gcc
bpf/vmtest-bpf-VM_Test-13 success Logs for s390x-gcc / test (test_verifier, false, 360) / test_verifier on s390x with gcc
bpf/vmtest-bpf-VM_Test-15 success Logs for set-matrix
bpf/vmtest-bpf-VM_Test-14 success Logs for s390x-gcc / veristat
bpf/vmtest-bpf-VM_Test-16 success Logs for x86_64-gcc / build / build for x86_64 with gcc
bpf/vmtest-bpf-VM_Test-17 success Logs for x86_64-gcc / test (test_maps, false, 360) / test_maps on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-19 success Logs for x86_64-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-18 success Logs for x86_64-gcc / test (test_progs, false, 360) / test_progs on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-20 success Logs for x86_64-gcc / test (test_progs_no_alu32_parallel, true, 30) / test_progs_no_alu32_parallel on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-21 success Logs for x86_64-gcc / test (test_progs_parallel, true, 30) / test_progs_parallel on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-23 success Logs for x86_64-gcc / veristat / veristat on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-25 success Logs for x86_64-llvm-16 / test (test_maps, false, 360) / test_maps on x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-22 success Logs for x86_64-gcc / test (test_verifier, false, 360) / test_verifier on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-26 success Logs for x86_64-llvm-16 / test (test_progs, false, 360) / test_progs on x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-24 success Logs for x86_64-llvm-16 / build / build for x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-27 success Logs for x86_64-llvm-16 / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-28 success Logs for x86_64-llvm-16 / test (test_verifier, false, 360) / test_verifier on x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-29 success Logs for x86_64-llvm-16 / veristat
bpf/vmtest-bpf-VM_Test-12 success Logs for s390x-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on s390x with gcc
bpf/vmtest-bpf-VM_Test-10 success Logs for s390x-gcc / test (test_maps, false, 360) / test_maps on s390x with gcc
bpf/vmtest-bpf-VM_Test-11 success Logs for s390x-gcc / test (test_progs, false, 360) / test_progs on s390x with gcc

Commit Message

Chuyi Zhou Nov. 5, 2023, 1:34 p.m. UTC 
BTF_TYPE_SAFE_TRUSTED(struct bpf_iter__task) in verifier.c wanted to
teach BPF verifier that bpf_iter__task -> task is a trusted ptr. But it
doesn't work well.

The reason is, bpf_iter__task -> task would go through btf_ctx_access()
which enforces the reg_type of 'task' is ctx_arg_info->reg_type, and in
task_iter.c, we actually explicitly declare that the
ctx_arg_info->reg_type is PTR_TO_BTF_ID_OR_NULL.

This patch sets ctx_arg_info->reg_type is PTR_TO_BTF_ID_OR_NULL |
PTR_TRUSTED in task_reg_info.

Similarly, bpf_cgroup_reg_info -> cgroup is also PTR_TRUSTED since we are
under the protection of cgroup_mutex and we would check cgroup_is_dead()
in __cgroup_iter_seq_show().

Signed-off-by: Chuyi Zhou <zhouchuyi@bytedance.com>
---
 kernel/bpf/cgroup_iter.c | 2 +-
 kernel/bpf/task_iter.c   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Yonghong Song Nov. 6, 2023, 6:26 p.m. UTC | #1 
On 11/5/23 5:34 AM, Chuyi Zhou wrote:
> BTF_TYPE_SAFE_TRUSTED(struct bpf_iter__task) in verifier.c wanted to
> teach BPF verifier that bpf_iter__task -> task is a trusted ptr. But it
> doesn't work well.
>
> The reason is, bpf_iter__task -> task would go through btf_ctx_access()
> which enforces the reg_type of 'task' is ctx_arg_info->reg_type, and in
> task_iter.c, we actually explicitly declare that the
> ctx_arg_info->reg_type is PTR_TO_BTF_ID_OR_NULL.
>
> This patch sets ctx_arg_info->reg_type is PTR_TO_BTF_ID_OR_NULL |
> PTR_TRUSTED in task_reg_info.

Actually we have a previous case like this. See

  https://lore.kernel.org/all/20230706133932.45883-3-aspsk@isovalent.com/

where PTR_TRUSTED is added to the arg flag for map_iter.

You could mention this case in your commit message.

>
> Similarly, bpf_cgroup_reg_info -> cgroup is also PTR_TRUSTED since we are
> under the protection of cgroup_mutex and we would check cgroup_is_dead()
> in __cgroup_iter_seq_show().
>
> Signed-off-by: Chuyi Zhou <zhouchuyi@bytedance.com>

Acked-by: Yonghong Song <yonghong.song@linux.dev>

> ---
>   kernel/bpf/cgroup_iter.c | 2 +-
>   kernel/bpf/task_iter.c   | 2 +-
>   2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/bpf/cgroup_iter.c b/kernel/bpf/cgroup_iter.c
> index d1b5c5618..f04a468cf 100644
> --- a/kernel/bpf/cgroup_iter.c
> +++ b/kernel/bpf/cgroup_iter.c
> @@ -282,7 +282,7 @@ static struct bpf_iter_reg bpf_cgroup_reg_info = {
>   	.ctx_arg_info_size	= 1,
>   	.ctx_arg_info		= {
>   		{ offsetof(struct bpf_iter__cgroup, cgroup),
> -		  PTR_TO_BTF_ID_OR_NULL },
> +		  PTR_TO_BTF_ID_OR_NULL | PTR_TRUSTED },
>   	},
>   	.seq_info		= &cgroup_iter_seq_info,
>   };
> diff --git a/kernel/bpf/task_iter.c b/kernel/bpf/task_iter.c
> index 4e156dca4..26082b978 100644
> --- a/kernel/bpf/task_iter.c
> +++ b/kernel/bpf/task_iter.c
> @@ -704,7 +704,7 @@ static struct bpf_iter_reg task_reg_info = {
>   	.ctx_arg_info_size	= 1,
>   	.ctx_arg_info		= {
>   		{ offsetof(struct bpf_iter__task, task),
> -		  PTR_TO_BTF_ID_OR_NULL },
> +		  PTR_TO_BTF_ID_OR_NULL | PTR_TRUSTED },
>   	},
>   	.seq_info		= &task_seq_info,
>   	.fill_link_info		= bpf_iter_fill_link_info,
Martin KaFai Lau Nov. 6, 2023, 6:29 p.m. UTC | #2 
On 11/5/23 5:34 AM, Chuyi Zhou wrote:
> BTF_TYPE_SAFE_TRUSTED(struct bpf_iter__task) in verifier.c wanted to
> teach BPF verifier that bpf_iter__task -> task is a trusted ptr. But it
> doesn't work well.
> 
> The reason is, bpf_iter__task -> task would go through btf_ctx_access()
> which enforces the reg_type of 'task' is ctx_arg_info->reg_type, and in
> task_iter.c, we actually explicitly declare that the
> ctx_arg_info->reg_type is PTR_TO_BTF_ID_OR_NULL.
> 
> This patch sets ctx_arg_info->reg_type is PTR_TO_BTF_ID_OR_NULL |
> PTR_TRUSTED in task_reg_info.
> 
> Similarly, bpf_cgroup_reg_info -> cgroup is also PTR_TRUSTED since we are
> under the protection of cgroup_mutex and we would check cgroup_is_dead()
> in __cgroup_iter_seq_show().
> 

Make sense. I think the bpf_tcp_iter made similar change in tcp_seq_info also. 
What may be the Fixes tag? Is it fixing the recent kfunc of the css_task iter?
Chuyi Zhou Nov. 7, 2023, 2:23 a.m. UTC | #3 
Hello,

在 2023/11/7 02:26, Yonghong Song 写道:
> 
> On 11/5/23 5:34 AM, Chuyi Zhou wrote:
>> BTF_TYPE_SAFE_TRUSTED(struct bpf_iter__task) in verifier.c wanted to
>> teach BPF verifier that bpf_iter__task -> task is a trusted ptr. But it
>> doesn't work well.
>>
>> The reason is, bpf_iter__task -> task would go through btf_ctx_access()
>> which enforces the reg_type of 'task' is ctx_arg_info->reg_type, and in
>> task_iter.c, we actually explicitly declare that the
>> ctx_arg_info->reg_type is PTR_TO_BTF_ID_OR_NULL.
>>
>> This patch sets ctx_arg_info->reg_type is PTR_TO_BTF_ID_OR_NULL |
>> PTR_TRUSTED in task_reg_info.
> 
> Actually we have a previous case like this. See
> 
>   https://lore.kernel.org/all/20230706133932.45883-3-aspsk@isovalent.com/
> 
> where PTR_TRUSTED is added to the arg flag for map_iter.
> 
> You could mention this case in your commit message.
> 

Thanks, will do it in next version.
Chuyi Zhou Nov. 7, 2023, 2:44 a.m. UTC | #4 
Hello,

在 2023/11/7 02:29, Martin KaFai Lau 写道:
> On 11/5/23 5:34 AM, Chuyi Zhou wrote:
>> BTF_TYPE_SAFE_TRUSTED(struct bpf_iter__task) in verifier.c wanted to
>> teach BPF verifier that bpf_iter__task -> task is a trusted ptr. But it
>> doesn't work well.
>>
>> The reason is, bpf_iter__task -> task would go through btf_ctx_access()
>> which enforces the reg_type of 'task' is ctx_arg_info->reg_type, and in
>> task_iter.c, we actually explicitly declare that the
>> ctx_arg_info->reg_type is PTR_TO_BTF_ID_OR_NULL.
>>
>> This patch sets ctx_arg_info->reg_type is PTR_TO_BTF_ID_OR_NULL |
>> PTR_TRUSTED in task_reg_info.
>>
>> Similarly, bpf_cgroup_reg_info -> cgroup is also PTR_TRUSTED since we are
>> under the protection of cgroup_mutex and we would check cgroup_is_dead()
>> in __cgroup_iter_seq_show().
>>
> 
> Make sense. I think the bpf_tcp_iter made similar change in tcp_seq_info 
> also. What may be the Fixes tag? Is it fixing the recent kfunc of the 
> css_task iter?
> 

Thanks for the review.

I think it's not a fix for recent kfunc of css_task iter. We are working 
at SEC("iter/task") and SEC("iter/cgroup").

I'm not sure whether it's a 'fix' for cgroup_iter/task_iter. If we need 
fix tags, do we need to split this patch into two separate patches? Or 
add two fix tags on commit log:

Fixes: d4ccaf58a84721 ("bpf: Introduce cgroup iter")
Fixes: 3c32cc1bceba8a17 ("bpf: Enable bpf_iter targets registering ctx 
argument types")

Thanks.
Yonghong Song Nov. 7, 2023, 6:52 a.m. UTC | #5 
On 11/6/23 6:44 PM, Chuyi Zhou wrote:
> Hello,
>
> 在 2023/11/7 02:29, Martin KaFai Lau 写道:
>> On 11/5/23 5:34 AM, Chuyi Zhou wrote:
>>> BTF_TYPE_SAFE_TRUSTED(struct bpf_iter__task) in verifier.c wanted to
>>> teach BPF verifier that bpf_iter__task -> task is a trusted ptr. But it
>>> doesn't work well.
>>>
>>> The reason is, bpf_iter__task -> task would go through btf_ctx_access()
>>> which enforces the reg_type of 'task' is ctx_arg_info->reg_type, and in
>>> task_iter.c, we actually explicitly declare that the
>>> ctx_arg_info->reg_type is PTR_TO_BTF_ID_OR_NULL.
>>>
>>> This patch sets ctx_arg_info->reg_type is PTR_TO_BTF_ID_OR_NULL |
>>> PTR_TRUSTED in task_reg_info.
>>>
>>> Similarly, bpf_cgroup_reg_info -> cgroup is also PTR_TRUSTED since 
>>> we are
>>> under the protection of cgroup_mutex and we would check 
>>> cgroup_is_dead()
>>> in __cgroup_iter_seq_show().
>>>
>>
>> Make sense. I think the bpf_tcp_iter made similar change in 
>> tcp_seq_info also. What may be the Fixes tag? Is it fixing the recent 
>> kfunc of the css_task iter?
>>
>
> Thanks for the review.
>
> I think it's not a fix for recent kfunc of css_task iter. We are 
> working at SEC("iter/task") and SEC("iter/cgroup").
>
> I'm not sure whether it's a 'fix' for cgroup_iter/task_iter. If we 
> need fix tags, do we need to split this patch into two separate 
> patches? Or add two fix tags on commit log:

I think the patch itself is not a fix, rather an improvement. The bpf_iter predates kfunc/PTR_TRUSTED stuff. The argument 'task'
or 'cgroup' are already trusted so the bpf_iter program can print out useful data.
But recent kfunc things requires some parameters to be marked as PTR_TRUSTED so that they can be passed to kfunc,
so this patch enables this usage for kfunc in bpf_iter programs.


>
> Fixes: d4ccaf58a84721 ("bpf: Introduce cgroup iter")
> Fixes: 3c32cc1bceba8a17 ("bpf: Enable bpf_iter targets registering ctx 
> argument types")
>
> Thanks.
>
>
>
Chuyi Zhou Nov. 7, 2023, 6:54 a.m. UTC | #6 
在 2023/11/7 14:52, Yonghong Song 写道:
> 
> On 11/6/23 6:44 PM, Chuyi Zhou wrote:
>> Hello,
>>
>> 在 2023/11/7 02:29, Martin KaFai Lau 写道:
>>> On 11/5/23 5:34 AM, Chuyi Zhou wrote:
>>>> BTF_TYPE_SAFE_TRUSTED(struct bpf_iter__task) in verifier.c wanted to
>>>> teach BPF verifier that bpf_iter__task -> task is a trusted ptr. But it
>>>> doesn't work well.
>>>>
>>>> The reason is, bpf_iter__task -> task would go through btf_ctx_access()
>>>> which enforces the reg_type of 'task' is ctx_arg_info->reg_type, and in
>>>> task_iter.c, we actually explicitly declare that the
>>>> ctx_arg_info->reg_type is PTR_TO_BTF_ID_OR_NULL.
>>>>
>>>> This patch sets ctx_arg_info->reg_type is PTR_TO_BTF_ID_OR_NULL |
>>>> PTR_TRUSTED in task_reg_info.
>>>>
>>>> Similarly, bpf_cgroup_reg_info -> cgroup is also PTR_TRUSTED since 
>>>> we are
>>>> under the protection of cgroup_mutex and we would check 
>>>> cgroup_is_dead()
>>>> in __cgroup_iter_seq_show().
>>>>
>>>
>>> Make sense. I think the bpf_tcp_iter made similar change in 
>>> tcp_seq_info also. What may be the Fixes tag? Is it fixing the recent 
>>> kfunc of the css_task iter?
>>>
>>
>> Thanks for the review.
>>
>> I think it's not a fix for recent kfunc of css_task iter. We are 
>> working at SEC("iter/task") and SEC("iter/cgroup").
>>
>> I'm not sure whether it's a 'fix' for cgroup_iter/task_iter. If we 
>> need fix tags, do we need to split this patch into two separate 
>> patches? Or add two fix tags on commit log:
> 
> I think the patch itself is not a fix, rather an improvement. The 
> bpf_iter predates kfunc/PTR_TRUSTED stuff. The argument 'task'
> or 'cgroup' are already trusted so the bpf_iter program can print out 
> useful data.
> But recent kfunc things requires some parameters to be marked as 
> PTR_TRUSTED so that they can be passed to kfunc,
> so this patch enables this usage for kfunc in bpf_iter programs.
> 
> 

Thanks. I will send v2.
diff mbox series

Patch

diff --git a/kernel/bpf/cgroup_iter.c b/kernel/bpf/cgroup_iter.c
index d1b5c5618..f04a468cf 100644
--- a/kernel/bpf/cgroup_iter.c
+++ b/kernel/bpf/cgroup_iter.c
@@ -282,7 +282,7 @@  static struct bpf_iter_reg bpf_cgroup_reg_info = {
 	.ctx_arg_info_size	= 1,
 	.ctx_arg_info		= {
 		{ offsetof(struct bpf_iter__cgroup, cgroup),
-		  PTR_TO_BTF_ID_OR_NULL },
+		  PTR_TO_BTF_ID_OR_NULL | PTR_TRUSTED },
 	},
 	.seq_info		= &cgroup_iter_seq_info,
 };
diff --git a/kernel/bpf/task_iter.c b/kernel/bpf/task_iter.c
index 4e156dca4..26082b978 100644
--- a/kernel/bpf/task_iter.c
+++ b/kernel/bpf/task_iter.c
@@ -704,7 +704,7 @@  static struct bpf_iter_reg task_reg_info = {
 	.ctx_arg_info_size	= 1,
 	.ctx_arg_info		= {
 		{ offsetof(struct bpf_iter__task, task),
-		  PTR_TO_BTF_ID_OR_NULL },
+		  PTR_TO_BTF_ID_OR_NULL | PTR_TRUSTED },
 	},
 	.seq_info		= &task_seq_info,
 	.fill_link_info		= bpf_iter_fill_link_info,