Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp881641iob; Wed, 18 May 2022 15:30:36 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxOavzTijjlF6L+kI1+q+Ixu7llBhogiP+FkDx60XWkHQvgBpW3AX+m/n8MeC20hstWEN+L X-Received: by 2002:a17:902:988e:b0:161:8750:480b with SMTP id s14-20020a170902988e00b001618750480bmr1609434plp.154.1652913035828; Wed, 18 May 2022 15:30:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652913035; cv=none; d=google.com; s=arc-20160816; b=inWEHZ0g1//CNS4abyvJLa01S47Ch8pFing26SL3hU5FonKW+HsrfJNKKQWz2VOu3b DinjA5llfSofV6Fux2+PODwsZPW33V7SDD5A+Ir5pdkxyzACO2/l7/Fd0nZWIS97+WQC bGv6xPS4HLDocbHv6mxSp9yvRsXbRt3la0ps8cxjdsmxzR3yMPj0jLubkDlkEoH2ouSh C3LW5YSJb43nafDGjnd7BlAWffHMZFf7WEulfyPozAbnHLFthdcbHnlZDCCQQ5G3djJu OKGXY5rkcDQX9ZC0A3rjjlKZjXqhzV3/MEYIPBDO+u4u18NuR8HN6KYuCviZFsk1Ovfr qPrg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=RIqb0l2FHNo5ET2D8M6DThcvNo/nvpxkXAV0BcylEdU=; b=uHPvMoWphqprKJvroQzFAThVaHhUN42uy+hBXo2ycrL9wcJzHtGgcUjpwPST1eelwX w2Qu9xltPfyncLeq0sA3brkMElklfQUGtnrfEnzOeJoOzTae2sOzpfHkgzzFg9h2Lgom +1joGOMFkUpCuVfe5fdUY5DLUy0QuoB7Y3KT/2fIEtU2EXJ4dqYc/R718zDssRPNDo8F Xd7bMUaqIECFENr5FyDyCHoVqGTWjmY9zILpPey90J8OuQz3rJbw+0EdLzgY4PaX6jA7 YkJkjOgreVvzQVJ+dKDZoy8BTdlFTa0wnyqO7j3Kykd/ITYLFJPZH66WD7xmsNZJMKgI pk3A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=L6+o37N6; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id t4-20020a17090a024400b001df21a58479si984888pje.163.2022.05.18.15.30.23; Wed, 18 May 2022 15:30:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=L6+o37N6; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229450AbiERWEb (ORCPT + 99 others); Wed, 18 May 2022 18:04:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43850 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229553AbiERWEU (ORCPT ); Wed, 18 May 2022 18:04:20 -0400 Received: from mail-pg1-x542.google.com (mail-pg1-x542.google.com [IPv6:2607:f8b0:4864:20::542]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EAEF3185C96; Wed, 18 May 2022 14:59:03 -0700 (PDT) Received: by mail-pg1-x542.google.com with SMTP id j21so3140430pga.13; Wed, 18 May 2022 14:59:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=RIqb0l2FHNo5ET2D8M6DThcvNo/nvpxkXAV0BcylEdU=; b=L6+o37N6k83FBDk1PDS1tBgcmU+od+pO7wsJRtpz5/lQoXWan0ykBlhM1q4c3e+iSD iyYh4gBF4DtXGSxtv3cbDaX9bxjEJk7hoM4EJ0w1AlpcyX86mGF8tD+1XlWyznefUDD2 6fLzsKKcTr5YzT6OIkc8FrCbZal6jMulaB3IoCjM+cAjWT2dJABax+ORvx5vO3NQeXKk TSVxWmrR+8lUAmDW9pTARCbLEZ/VUp1j+/YeIYIRxNVC93RoJh0vgJjcnGiwlZEVLxBU glS/w/6wf8FdXbUAlo6gEYhKNiHJ/Cz0z8JUCXdb2ZKLwjlNllcn8GepaOlMXndzCBTp BJNQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=RIqb0l2FHNo5ET2D8M6DThcvNo/nvpxkXAV0BcylEdU=; b=4xxhSnulGje5TiQaJA48+pSfvbu4RKbAfGfIG4g7X2oCtnUHZUln0YLtvw3y5q+MAG 18g7lXZVDAHQEEHTzgAWBD4pnrvC7nRQL0nSz3VgE9URoswXSLlvCo2QxlK38sdR7Esq YsZcdH/SXSf9D6KCDLJrrfAXki7EdHjYQgnjiVVnbzst+Udk/JE+ShzkXvEU7tmH/edg dQBbIVhGEgonRUdWgxIHAkEMu65NYUb2+4TJgPzQVtbF6tIw6C/4rcGPd4hulbxouTja L/zuBdCkXnnzr1EG38J7aD5237K8wy5FDdL1FokpMXkGRPWovjPmtI0IJWKj451q5GPt A2wA== X-Gm-Message-State: AOAM532wxurtyyIZRFkb+GZx0ZY5EbGvs+Z/SZ+YCS06BewXKawMOix2 iXrFqHunmg+W4jKgF6GIqEw= X-Received: by 2002:a05:6a00:2186:b0:4f7:5544:1cc9 with SMTP id h6-20020a056a00218600b004f755441cc9mr1685762pfi.62.1652911143203; Wed, 18 May 2022 14:59:03 -0700 (PDT) Received: from localhost ([157.51.69.231]) by smtp.gmail.com with ESMTPSA id h130-20020a628388000000b0050d4d156362sm2431227pfe.1.2022.05.18.14.59.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 18 May 2022 14:59:02 -0700 (PDT) Date: Thu, 19 May 2022 03:29:51 +0530 From: Kumar Kartikeya Dwivedi To: Benjamin Tissoires Cc: Greg KH , Jiri Kosina , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , John Fastabend , KP Singh , Shuah Khan , Dave Marchevsky , Joe Stringer , Jonathan Corbet , Tero Kristo , linux-kernel@vger.kernel.org, linux-input@vger.kernel.org, netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-doc@vger.kernel.org Subject: Re: [PATCH bpf-next v5 02/17] bpf/verifier: allow kfunc to return an allocated mem Message-ID: <20220518215951.bhurzqzytb4kxqtm@apollo.legion> References: <20220518205924.399291-1-benjamin.tissoires@redhat.com> <20220518205924.399291-3-benjamin.tissoires@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220518205924.399291-3-benjamin.tissoires@redhat.com> X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 19, 2022 at 02:29:09AM IST, Benjamin Tissoires wrote: > When a kfunc is not returning a pointer to a struct but to a plain type, > we can consider it is a valid allocated memory assuming that: > - one of the arguments is called rdonly_buf_size > - or one of the arguments is called rdwr_buf_size > - and this argument is a const from the caller point of view > > We can then use this parameter as the size of the allocated memory. > > The memory is either read-only or read-write based on the name > of the size parameter. > > Signed-off-by: Benjamin Tissoires > > --- > > changes in v5: > - updated PTR_TO_MEM comment in btf.c to match upstream > - make it read-only or read-write based on the name of size > > new in v4 > --- > include/linux/btf.h | 7 +++++ > kernel/bpf/btf.c | 41 +++++++++++++++++++++++- > kernel/bpf/verifier.c | 72 +++++++++++++++++++++++++++++++++---------- > 3 files changed, 102 insertions(+), 18 deletions(-) > > diff --git a/include/linux/btf.h b/include/linux/btf.h > index 2611cea2c2b6..2a4feafc083e 100644 > --- a/include/linux/btf.h > +++ b/include/linux/btf.h > @@ -343,6 +343,13 @@ static inline struct btf_param *btf_params(const struct btf_type *t) > return (struct btf_param *)(t + 1); > } > > +struct bpf_reg_state; > + > +bool btf_is_kfunc_arg_mem_size(const struct btf *btf, > + const struct btf_param *arg, > + const struct bpf_reg_state *reg, > + const char *name); > + > #ifdef CONFIG_BPF_SYSCALL > struct bpf_prog; > > diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c > index 7bccaa4646e5..2d11d178807c 100644 > --- a/kernel/bpf/btf.c > +++ b/kernel/bpf/btf.c > @@ -6049,6 +6049,31 @@ static bool is_kfunc_arg_mem_size(const struct btf *btf, > return true; > } > > +bool btf_is_kfunc_arg_mem_size(const struct btf *btf, > + const struct btf_param *arg, > + const struct bpf_reg_state *reg, > + const char *name) > +{ > + int len, target_len = strlen(name); > + const struct btf_type *t; > + const char *param_name; > + > + t = btf_type_skip_modifiers(btf, arg->type, NULL); > + if (!btf_type_is_scalar(t) || reg->type != SCALAR_VALUE) > + return false; > + > + param_name = btf_name_by_offset(btf, arg->name_off); > + if (str_is_empty(param_name)) > + return false; > + len = strlen(param_name); > + if (len != target_len) > + return false; > + if (strncmp(param_name, name, target_len)) > + return false; > + > + return true; > +} I think you don't need these checks. btf_check_kfunc_arg_match would have already made sure scalar arguments receive scalar. The rest is just matching on the argument name, which you can directly strcmp when setting up R0's type. > + > static int btf_check_func_arg_match(struct bpf_verifier_env *env, > const struct btf *btf, u32 func_id, > struct bpf_reg_state *regs, > @@ -6198,7 +6223,7 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env, > if (reg->type == PTR_TO_BTF_ID) { > reg_btf = reg->btf; > reg_ref_id = reg->btf_id; > - /* Ensure only one argument is referenced PTR_TO_BTF_ID */ > + /* Ensure only one argument is reference PTR_TO_BTF_ID or PTR_TO_MEM */ But this part of the code would never be reached for PTR_TO_MEM, so the comment would be false? > if (reg->ref_obj_id) { > if (ref_obj_id) { > bpf_log(log, "verifier internal error: more than one arg with ref_obj_id R%d %u %u\n", > @@ -6258,6 +6283,20 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env, > i++; > continue; > } > + > + if (rel && reg->ref_obj_id) { > + /* Ensure only one argument is referenced PTR_TO_BTF_ID or PTR_TO_MEM */ > + if (ref_obj_id) { > + bpf_log(log, > + "verifier internal error: more than one arg with ref_obj_id R%d %u %u\n", > + regno, > + reg->ref_obj_id, > + ref_obj_id); > + return -EFAULT; > + } > + ref_regno = regno; > + ref_obj_id = reg->ref_obj_id; > + } Why do we need this part? I don't see any code passing that __u8 * back into a release function. The only release function I see that you are adding is releasing a struct, which should be PTR_TO_BTF_ID and already supported. Also acquire function should not return non-struct pointer. Can you also update the if (acq && !btf_type_is_ptr(t)) check in check_kfunc_call to instead check for btf_type_is_struct? The verbose log would be misleading now, but it was based on the assumption only PTR_TO_BTF_ID as return pointer is supported. > } > > resolve_ret = btf_resolve_size(btf, ref_t, &type_size); > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index 9b59581026f8..084319073064 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -7219,13 +7219,14 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn, > int *insn_idx_p) > { > const struct btf_type *t, *func, *func_proto, *ptr_type; > - struct bpf_reg_state *regs = cur_regs(env); > + struct bpf_reg_state *reg, *regs = cur_regs(env); > const char *func_name, *ptr_type_name; > - u32 i, nargs, func_id, ptr_type_id; > + u32 i, nargs, func_id, ptr_type_id, regno; > int err, insn_idx = *insn_idx_p; > const struct btf_param *args; > struct btf *desc_btf; > bool acq; > + size_t reg_rw_size = 0, reg_ro_size = 0; Not reverse X-mas tree. > > /* skip for now, but return error when we find this in fixup_kfunc_call */ > if (!insn->imm) > @@ -7266,8 +7267,8 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn, > } > } > > - for (i = 0; i < CALLER_SAVED_REGS; i++) > - mark_reg_not_init(env, regs, caller_saved[i]); > + /* reset REG_0 */ > + mark_reg_not_init(env, regs, BPF_REG_0); > > /* Check return type */ > t = btf_type_skip_modifiers(desc_btf, func_proto->type, NULL); > @@ -7277,6 +7278,9 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn, > return -EINVAL; > } > > + nargs = btf_type_vlen(func_proto); > + args = btf_params(func_proto); > + > if (btf_type_is_scalar(t)) { > mark_reg_unknown(env, regs, BPF_REG_0); > mark_btf_func_reg_size(env, BPF_REG_0, t->size); > @@ -7284,24 +7288,57 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn, > ptr_type = btf_type_skip_modifiers(desc_btf, t->type, > &ptr_type_id); > if (!btf_type_is_struct(ptr_type)) { > - ptr_type_name = btf_name_by_offset(desc_btf, > - ptr_type->name_off); > - verbose(env, "kernel function %s returns pointer type %s %s is not supported\n", > - func_name, btf_type_str(ptr_type), > - ptr_type_name); > - return -EINVAL; > + /* if we have an array, look for the arguments */ > + for (i = 0; i < nargs; i++) { > + regno = i + BPF_REG_1; > + reg = ®s[regno]; > + > + /* look for any const scalar parameter of name "rdonly_buf_size" > + * or "rdwr_buf_size" > + */ > + if (!check_reg_arg(env, regno, SRC_OP) && > + tnum_is_const(regs[regno].var_off)) { Instead of this, we should probably just check the argument that has its name as rdonly/rdwr_buf_size inside btf_check_kfunc_arg_match and ensure there is only one of those. No need for check_reg_arg, and just this tnum_is_const can also be enforced inside btf_check_kfunc_arg_match. You can pass a struct like so: struct bpf_kfunc_arg_meta { u64 r0_size; bool r0_rdonly; }; and set its value to reg->var_off.value from inside the function in the argument checking loop. Then you don't have to change the mark_reg_not_init order here. All your code can be inside the if (btf_type_is_scalar(t)) branch. Also, it would be nice to use this struct to signal the register that is being released. Right now it's done using a > 0 return value (the if (err)) which is a bit ugly. But up to you if you want to do that tiny cleanup. > + if (btf_is_kfunc_arg_mem_size(desc_btf, &args[i], reg, > + "rdonly_buf_size")) > + reg_ro_size = regs[regno].var_off.value; > + else if (btf_is_kfunc_arg_mem_size(desc_btf, &args[i], reg, > + "rdwr_buf_size")) > + reg_rw_size = regs[regno].var_off.value; > + } > + } > + > + if (!reg_rw_size && !reg_ro_size) { > + ptr_type_name = btf_name_by_offset(desc_btf, > + ptr_type->name_off); > + verbose(env, > + "kernel function %s returns pointer type %s %s is not supported\n", > + func_name, > + btf_type_str(ptr_type), > + ptr_type_name); > + return -EINVAL; > + } > + > + mark_reg_known_zero(env, regs, BPF_REG_0); > + regs[BPF_REG_0].type = PTR_TO_MEM; > + regs[BPF_REG_0].mem_size = reg_ro_size + reg_rw_size; > + > + if (reg_ro_size) > + regs[BPF_REG_0].type |= MEM_RDONLY; > + } else { > + mark_reg_known_zero(env, regs, BPF_REG_0); > + regs[BPF_REG_0].type = PTR_TO_BTF_ID; > + regs[BPF_REG_0].btf = desc_btf; > + regs[BPF_REG_0].btf_id = ptr_type_id; > + mark_btf_func_reg_size(env, BPF_REG_0, sizeof(void *)); > } > - mark_reg_known_zero(env, regs, BPF_REG_0); > - regs[BPF_REG_0].btf = desc_btf; > - regs[BPF_REG_0].type = PTR_TO_BTF_ID; > - regs[BPF_REG_0].btf_id = ptr_type_id; > + > if (btf_kfunc_id_set_contains(desc_btf, resolve_prog_type(env->prog), > BTF_KFUNC_TYPE_RET_NULL, func_id)) { > regs[BPF_REG_0].type |= PTR_MAYBE_NULL; > /* For mark_ptr_or_null_reg, see 93c230e3f5bd6 */ > regs[BPF_REG_0].id = ++env->id_gen; > } > - mark_btf_func_reg_size(env, BPF_REG_0, sizeof(void *)); > + Any reason to do this call only for PTR_TO_BTF_ID and not for PTR_TO_MEM? > if (acq) { > int id = acquire_reference_state(env, insn_idx); > > @@ -7312,8 +7349,9 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn, > } > } /* else { add_kfunc_call() ensures it is btf_type_is_void(t) } */ > > - nargs = btf_type_vlen(func_proto); > - args = (const struct btf_param *)(func_proto + 1); > + for (i = 1 ; i < CALLER_SAVED_REGS; i++) > + mark_reg_not_init(env, regs, caller_saved[i]); > + > for (i = 0; i < nargs; i++) { > u32 regno = i + 1; > > -- > 2.36.1 > -- Kartikeya