Received: by 2002:a05:6358:a55:b0:ec:fcf4:3ecf with SMTP id 21csp2886531rwb; Fri, 20 Jan 2023 08:30:39 -0800 (PST) X-Google-Smtp-Source: AMrXdXvyoTcJ70sbb+nSaKqt8LCDg/0IY3rWq4xHoLCmqWR2rQaJPDsTWmJJONnFZcLb88C8/rTm X-Received: by 2002:a05:6402:219:b0:499:70a8:f915 with SMTP id t25-20020a056402021900b0049970a8f915mr15360858edv.21.1674232239353; Fri, 20 Jan 2023 08:30:39 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1674232239; cv=none; d=google.com; s=arc-20160816; b=IPlzuz48byWiqeACRTfQxcCa5mZv/jrprM2BOuOEL6HgnG/1v7zPTmID9qaoCdp5lP P7XxVnJ2L9r7zeaUegU38jfiWRtObJ5dMao9L4Dj7Vhg5PV0mDjIdIvrVq3HAWIY8ZCp PXJv3y+s5Sgi3sKGdHfToZBnxZMFH91y01wD+Gvbp1CncugqVPmECNYODkXgebo/D1Kq LyFs41fLLVe2JahCAVc9FeKoaOsc4zj3vXGvwt5rV/UlkMaCWGOoP0GuLkg7dVFXiibh RWt45YySK6GfUWkYpT1Od0pJZQ8r2LkdtUJ2m3dmfHp2xz4Nh9pXrLDtruMfdY4Kp7ni 6cNA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=oaoP2q5jxU9ldhcqzrgZ3L4zkQjm2DT6Rdi7UTtBpUw=; b=m2txVO23jwIG8MWKphmwjZab1CLuQiCwtXIoZmUpUovWAhjULlqDGAzZW7Ff7JquQ7 kFCFki2lzNrcUb7CLaR7sMxJvpJwPj/KEOAHS8o1DDViX+GC9OOsq76/7cqVcfo+31qY mDCzFypASu0O8p245wjuf5sTH89sIwjvbgRQvD4GxQCiuAanm6J9CCNzVyqNfZDrp9CE 6AZ3jP6ORKbf3MKC1tuqos8ZTD/Hife309OPHtDyCob0zhqG0+smUVTqsZDsvUPhj07I EiHmMKR/az24J2USrPpLcfm3uRFwjaDb3PKl8QT/XHsDjSXKltj5jpDjWj2jRNE2Oz80 /zRg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=mB9YMobT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id b14-20020a056402084e00b004842aaeea0bsi24469464edz.603.2023.01.20.08.30.26; Fri, 20 Jan 2023 08:30:39 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=mB9YMobT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229885AbjATQRu (ORCPT + 50 others); Fri, 20 Jan 2023 11:17:50 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52052 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229668AbjATQRs (ORCPT ); Fri, 20 Jan 2023 11:17:48 -0500 Received: from mail-ej1-x634.google.com (mail-ej1-x634.google.com [IPv6:2a00:1450:4864:20::634]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6F8CCDB7BB; Fri, 20 Jan 2023 08:17:31 -0800 (PST) Received: by mail-ej1-x634.google.com with SMTP id mp20so15178265ejc.7; Fri, 20 Jan 2023 08:17:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=oaoP2q5jxU9ldhcqzrgZ3L4zkQjm2DT6Rdi7UTtBpUw=; b=mB9YMobTYsLoR7B7uzDVlkcj+h/F3QR4cZKj1nZZ+q+LiDNmKgo0PqvMi/iSmZnHyM b7cLUPy7ygYHEEC7Wjqyd52ZpU1z2uy5Oh74FntvPiuQNxjiPjNgeHAQuo2yvLYV2pof X0xEAVIkJT8bih7d9p3YV8IXVo6+Jt+JYK5oaQImXzHE4+e9U8JvmbOwRbsKNmGixfVX /xmu00ddxvucT82zARCxesRfhbgMPTsEcunznkjAzcmsAS4a2dZmOq/sLID1EzNvJqj0 klphywc0H34nV3fuMjTLl8hLNuvUDQ2mA9NrPgHeUGXt/u1WFY3+ig0QW4ug4z86z1dj pL8g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=oaoP2q5jxU9ldhcqzrgZ3L4zkQjm2DT6Rdi7UTtBpUw=; b=hZxtsG4eSqbX0fuh7Qo82J6Hvt+bwEt1scIpRK8Wy80Jtcolyi3Rw2DrqvFqPitVf0 FaauY5J8wepVyp41OfPUvRHI58hp3Cx50B5MYG++IMHRp2MLqPairdr4KS9DWD/AumzS Jz0PdVAF7Xk/1//VddMQReakv+/9OfhIx+oDXHCbHCs+Ju1mtkz1PhkAPupkZCRaWagX lhVep4eOsHfeMdkBCUqX4vOO7bc3J1KyMPETRvZsZWpF6TzNE4egv4oPRWzT5TLKN/7p Hc1+jhSo61p6ts8XoOz67gbSz4aDcAhTXE9kl3og2NXfyMQYaHn4niiNfoe+bPIWr5xK exbA== X-Gm-Message-State: AFqh2kq7WeHDYKsrTfPwyL4I/4qW7vNsAzNEm0CVK/kPfcUbvaZyx7gh WNU767n9mKUiKZqB+Sv6Hiut0L2EbAdGzETSWt0= X-Received: by 2002:a17:906:cf9b:b0:872:a7ee:f4c7 with SMTP id um27-20020a170906cf9b00b00872a7eef4c7mr1493481ejb.378.1674231449760; Fri, 20 Jan 2023 08:17:29 -0800 (PST) MIME-Version: 1.0 References: <20230119235833.2948341-1-void@manifault.com> <20230119235833.2948341-3-void@manifault.com> <20230120045815.4b7dc6obdt4uzy6a@apollo> <20230120054027.wcj3jxqkx2s2zsxo@MacBook-Pro-6.local.dhcp.thefacebook.com> <20230120061441.3gifklagiugmkrtd@MacBook-Pro-6.local.dhcp.thefacebook.com> In-Reply-To: From: Alexei Starovoitov Date: Fri, 20 Jan 2023 08:17:18 -0800 Message-ID: Subject: Re: [PATCH bpf-next 2/8] bpf: Allow trusted args to walk struct when checking BTF IDs To: David Vernet Cc: Kumar Kartikeya Dwivedi , bpf , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , John Fastabend , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , LKML , Kernel Team , Tejun Heo Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jan 20, 2023 at 7:26 AM David Vernet wrote: > > > > > > Yes. Agree. I used unfortunate example in the previous reply with nf_conn___init. > > > I meant to say: > > > > > > For definition: > > > struct nf_conn_init { > > > struct nf_conn ct; > > > }; > > > if a kfunc accepts a pointer to nf_conn it should always accept a pointer to nf_conn_init > > > for both read and write, because in C that's valid and safe type cast. > > > > > > Meainng that C rules apply. > > > Our triple underscore is special, because it's the "same type". > > > In the 2nd part of my reply I'm proposing to use the whole suffix "___init" to indicate that. > > > I think you're arguing that just "___" part is enough to enforce strict match. > > > Matching foo___flavor with foo should not be allowed. > > > While passing struct foo_flavor {struct foo;} into a kfunc that accepts 'struct foo' > > > is safe. > > > If so, I'm fine with such approach. > > > > Alright, I'll spin v2 to treat any type with name___.* as a disallowed > > alias, and update the documentation to mention it. I was originally > > going to push back and say that we should just use a single alias like > > __nocast to keep things simple, but it doesn't feel generalizable > > enough. > > On second thought, unless you guys feel strongly, I'll just check > ___init. The resulting code is going to be a lot of tricky string > manipulation / math otherwise. Not _terrible_, but I'd prefer to avoid > adding it until we have a concrete use-case. And I expect this could be > implemented much simpler using something like tags, once gcc has support > for it. There is bpf_core_is_flavor_sep() that makes it easy to check, but thinking more about it we probably should stick to strict "___init" suffix for now, since flavors can appear in progs too and they are equivalent to corresponding types in the kernel. The nf_conn___init is kernel only type. The verifier sees that bpf_xdp_ct_alloc kfunc returns it, but when we export this kfunc to bpf prog it returns nf_conn. We probably should pick some other suffix without "___" to distinguish from flavors. bpf prog should not use nf_conn___init.