Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp3446925rwb; Mon, 3 Oct 2022 15:25:32 -0700 (PDT) X-Google-Smtp-Source: AMsMyM66RboeYZD1gdx4jn0ZAoBq+Z9wntWqUXXTMplbWRgqSSTvsZzhRairOnUOlO/e+6W/anRO X-Received: by 2002:a17:907:9686:b0:783:4a37:65d0 with SMTP id hd6-20020a170907968600b007834a3765d0mr16725428ejc.384.1664835932393; Mon, 03 Oct 2022 15:25:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1664835932; cv=none; d=google.com; s=arc-20160816; b=dgFYwoVidFMOY0oS0Sjkkd0scvcWqEGKOWReiH3u+KCbP1jQBLAg7sJP2gfy/xzV8H gwhY6KB3oC+Mb9vOuLzC2J3cAdTuf05MvokusWsTaozBGfEWpbkGalPAwjOHT5MjrG6W XHhR2GLEC2r4BY2bfL9+j8HROgT6X5+elm59CuwS6B90Re7RmcP8ULbSHnHDtyHdZChk p0aWS7+zwgCbp0Ja2sTdhpYf3zmV9+wHQyHnaSePiLAtVNecDvCGAuA68ckp4rwRbvL7 ig7g7k+lIbjMy22jptCz5dRD/TIpEPWHh1vfnAjm9834r8FfEEeNW4zODahuJNinvocj ZuTw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=3Y5/lhymnvOkyWysTmVlNOmPaMVza0kxCZ5BthUg2sA=; b=eHovJWCwtrxTbdEIfdAf/iCPcMVFTavtw8k1BeHHgItQuyn8HQ2a0EF3SA3JoOZFH3 ooL/fM87hhopQFw8ZfPrMoIp/LyK8q5aGeKStD4S0GkU3RTLwME5vsAGJocuIT2pOtzZ HNbj1BIwAIhvU0DWmQ03Rq5ToHBO5AyLewWiXKCFRtnWtZuVa8WzYSXMpuUxw3hpOlO+ Wd2kNoL34uFuVy0qZoe+ZlXnWswTUDA3zuKuHXIkyU1dj4ibVzYH1cpnBGeb8nhlktF6 GiY2MTq2hJIsDHg++fraltAkHE2fvfzyfKuZHM2yZGoo7wQn660YqO0+7L1sSu4ybriI KCUw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id qb34-20020a1709077ea200b0073d8ccd37c2si9228607ejc.107.2022.10.03.15.25.07; Mon, 03 Oct 2022 15:25:32 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229817AbiJCV7U (ORCPT + 99 others); Mon, 3 Oct 2022 17:59:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52494 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229514AbiJCV7R (ORCPT ); Mon, 3 Oct 2022 17:59:17 -0400 Received: from mail-qv1-f45.google.com (mail-qv1-f45.google.com [209.85.219.45]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D94FC2C642; Mon, 3 Oct 2022 14:59:16 -0700 (PDT) Received: by mail-qv1-f45.google.com with SMTP id mg6so2441345qvb.10; Mon, 03 Oct 2022 14:59:16 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=user-agent:in-reply-to:content-disposition:mime-version:references :message-id:subject:cc:to:from:date:x-gm-message-state:from:to:cc :subject:date; bh=3Y5/lhymnvOkyWysTmVlNOmPaMVza0kxCZ5BthUg2sA=; b=UzeYowYNHszpq1Zk+Q+WMVnc7VBhGIacvGuGFavYQujGD+Xc1wNxKNrwu61lzqRcCV gFfigM0NSANpfIvDPcBDT2qLSEqM9BByqYYxCLlGkQgAtJ4MC2gFdZhNT1o+FjoOCWxs Chltni4N5eZF0MzJFlw7qQKmDbn4Zr5pBvquJ+yn0FiLsjUH2uLlbhWID2NPPvacffuP iLMYOuZDBXPmiT0/wtMKvo3HgEO6tBoG1Y/QfFKM3JDKxpNPvBvHoLemuQXeg6Ysv3Na 6Ght5txiMdt7+2px/DwnZ2cHloRPsOVU+BXCAPeQRKKyqSBgAaF84s5N9e7DhZ/vw/JW kXDA== X-Gm-Message-State: ACrzQf0c1oIuTGiVwLgYIASdYNvBdbxHQejmbdE4o4S3TatHwLZ9zWyt qhlp1ovhpvPmSXM16Q40A8g= X-Received: by 2002:a05:6214:2307:b0:46e:5fbc:3c30 with SMTP id gc7-20020a056214230700b0046e5fbc3c30mr17499988qvb.21.1664834355803; Mon, 03 Oct 2022 14:59:15 -0700 (PDT) Received: from maniforge.dhcp.thefacebook.com ([2620:10d:c091:480::59bd]) by smtp.gmail.com with ESMTPSA id x22-20020a05620a0b5600b006ce7cd81359sm11665044qkg.110.2022.10.03.14.59.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 03 Oct 2022 14:59:15 -0700 (PDT) Date: Mon, 3 Oct 2022 16:59:22 -0500 From: David Vernet To: Kumar Kartikeya Dwivedi Cc: Martin KaFai Lau , ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kernel-team@fb.com, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, yhs@fb.com, song@kernel.org, john.fastabend@gmail.com, kpsingh@kernel.org, sdf@google.com, haoluo@google.com, jolsa@kernel.org, tj@kernel.org Subject: Re: [PATCH v2 2/2] bpf/selftests: Add selftests for new task kfuncs Message-ID: References: <20221001144716.3403120-1-void@manifault.com> <20221001144716.3403120-3-void@manifault.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/2.2.7 (2022-08-07) X-Spam-Status: No, score=-1.4 required=5.0 tests=BAYES_00, FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Oct 03, 2022 at 11:03:01PM +0200, Kumar Kartikeya Dwivedi wrote: > On Mon, 3 Oct 2022 at 21:53, Martin KaFai Lau wrote: > > > > On 10/3/22 8:56 AM, Kumar Kartikeya Dwivedi wrote: > > >>> Also, could you include a test to make sure sleepable programs cannot > > >>> call bpf_task_acquire? It seems to assume RCU read lock is held while > > >>> that may not be true. If already not possible, maybe a WARN_ON_ONCE > > >>> inside the helper to ensure future cases don't creep in. > > >> > > >> I don't _think_ it's unsafe for a sleepable program to call > > >> bpf_task_acquire(). My understanding is that the struct task_struct * > > >> parameter to bpf_task_acquire() is not PTR_UNTRUSTED, so it's safe to > > >> dereference directly in the kfunc. The implicit assumption here is that > > >> the task was either passed to the BPF program (which is calling > > >> bpf_task_acquire()) from the main kernel in something like a trace or > > >> struct_ops callback, or it was a referenced kptr that was removed from a > > >> map with bpf_kptr_xchg(), and is now owned by the BPF program. Given > > >> that the ptr type is not PTR_UNTRUSTED, it seemed correct to assume that > > >> the task was valid in bpf_task_acquire() regardless of whether we were > > >> in an RCU read region or not, but please let me know if I'm wrong about > > > > > > I don't think it's correct. You can just walk arbitrary structures and > > > obtain a normal PTR_TO_BTF_ID that looks seemingly ok to the verifier > > > but has no lifetime guarantees. It's a separate pre-existing problem > > > unrelated to your series [0]. PTR_UNTRUSTED is not set for those cases > > > currently. > > > > > > So the argument to your bpf_task_acquire may already be freed by then. > > > This issue would be exacerbated in sleepable BPF programs, where RCU > > > read lock is not held, so some cases of pointer walking where it may > > > be safe no longer holds. > > > > > > I am planning to clean this up, but I'd still prefer if we don't allow > > > this helper in sleepable programs, yet. kptr_get is ok to allow. > > > Once you have explicit BPF RCU read sections, sleepable programs can > > > take it, do loads, and operate on the RCU pointer safely until they > > > invalidate it with the outermost bpf_rcu_read_unlock. It's needed for > > > local kptrs as well, not just this. I plan to post this very soon, so > > > we should be able to fix it up in the current cycle after landing your > > > series. > > > > > > __rcu tags in the kernel will automatically be understood by the > > > verifier and for the majority of the correctly annotated cases this > > > will work fine and not break tracing programs. > > > > > > [0]: https://lore.kernel.org/bpf/CAADnVQJxe1QT5bvcsrZQCLeZ6kei6WEESP5bDXf_5qcB2Bb6_Q@mail.gmail.com > > > > > >> that. Other kfuncs I saw such as bpf_xdp_ct_lookup() assumed that the > > >> parameter passed by the BPF program (which itself was passing on a > > >> pointer given to it by the main kernel) is valid as well. > > > > > > Yeah, but the CT API doesn't assume validity of random PTR_TO_BTF_ID, > > > it requires KF_TRUSTED_ARGS which forces them to have ref_obj_id != 0. > > > > Other than ref_obj_id != 0, could the PTR_TO_BTF_ID obtained through > > btf_ctx_access be marked as trusted (e.g. the ctx[0] in the selftest here) > > and bpf_task_acquire() will require KF_TRUSTED_ARGS? would it be safe in general? > > > > Recently eed807f62610 ("bpf: Tweak definition of KF_TRUSTED_ARGS") > relaxed things a bit, now that constraint is only for PTR_TO_BTF_ID > and it allows other types without ref_obj_id > 0. > > But you're right, ctx loads should usually be trusted, this is the > current plan (also elaborated a bit in that link [0]), usually that is > true, an exception is free path as you noted in your reply for patch 1 > (and especially fexit path where object may not even be alive > anymore). There are some details to work out, but eventually I'd want > to force KF_TRUSTED_ARGS by default for all kfuncs, and we only make > exceptions in some special cases by having some KF_UNSAFE flag or > __unsafe tag for arguments. It's becoming harder to think about all > permutations if we're too permissive by default in terms of acceptable > arguments. Thanks for providing additional context, Kumar. So what do we want to do for this patch set? IMO it doesn't seem useful to restrict bpf_kfunc_acquire() to only be callable by non-sleepable programs if our goal is to avoid crashes for nested task structs. We could easily accidentally crash if e.g. those pointers are NULL, or someone is doing something weird like stashing some extra flag bits in unused portions of the pointer which are masked out when it's actually dereferenced regardless of whether we're in RCU. Trusting ctx loads sounds like the right approach, barring some of the challenges you pointed out such as dealing with fexit paths after free where the object may not be valid anymore. In general, it seems like we should maybe decide on what our policy should be for kfuncs until we can wire up whatever we need to properly trust ctx.