Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp102779rwl; Thu, 6 Apr 2023 15:36:00 -0700 (PDT) X-Google-Smtp-Source: AKy350a+QEZkmMInZkfO+urW3CYyRLtJ+ga/7ytfYBiBbf/N9USK1qSW7Isd+XBJk1WzMgqLVWoI X-Received: by 2002:a17:906:228d:b0:931:7350:a4f3 with SMTP id p13-20020a170906228d00b009317350a4f3mr551196eja.10.1680820560205; Thu, 06 Apr 2023 15:36:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1680820560; cv=none; d=google.com; s=arc-20160816; b=BCiCfI4kVNu0gvoOGPZmb3m5es+ak1G7zWQ7wYUouu6v07ckyMQIoBaS4RzMxNFtzP wFbVpR7dQ9KP6sWd1OsIIM4NhbVwzgSeZ/0PCty35XbuKh3AcevmpoADbOhDOeNY64S5 1gobYIBxsBHQEzq6bXp9IjMS1G3Y3aXPCHmao7oxAtjPL9C20Ef5ucOkNGYxaubCE8il fMen5XvguxKTCtoJiEtVWtxF96C7sjtG4B5JWzaMaFz9NvAg+kHosbz92lvh9HdcB6UL Lj8UZ5Pv5AB+bonkN52vrB4h8QjDI7oXyTeCBuudbeWughb0iTOPWK7IdMHNw4cusP/Z CiZQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=g1AjHf2kCvIdLeYFh5xT+QDV5+o6aZpVh3ZQromHqS0=; b=L9Ii9AkCAVEJMqiThXUrldYQgscptLTQUkLdHllSsRxINYnyI6fBK4+hU5nQZR26wP sX6q3S3MmPRc8SqDb+NoJpiH5XKp969afZuSotIa6GrSZhUU/7DM3ovmJU27/nIrelqI XqX9q6nt2Fu4qhnuIF5A+qFiy3lEJ3aXzLbNiKaLM9CrW0j5naHIJmUup9qZro7cHT+I 6F9HSI6SLAD7uLqO5KIr3503k7p8AYi4QRPrNvLuGCck02tlkBDpdJk0de69URShfY6b /mvsG7aQoa3QQP9lT279dEHlyOLMrA7lpNJytlKXFFMLzPy06tX2WcmI7ddorRnCcNq8 Ct7Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=s3vxtsDP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id gs19-20020a1709072d1300b0093e739fb090si2203367ejc.945.2023.04.06.15.35.33; Thu, 06 Apr 2023 15:36:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=s3vxtsDP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233135AbjDFWZR (ORCPT + 99 others); Thu, 6 Apr 2023 18:25:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44294 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230311AbjDFWZP (ORCPT ); Thu, 6 Apr 2023 18:25:15 -0400 Received: from mail-pl1-x62c.google.com (mail-pl1-x62c.google.com [IPv6:2607:f8b0:4864:20::62c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DAA9D76BF for ; Thu, 6 Apr 2023 15:25:14 -0700 (PDT) Received: by mail-pl1-x62c.google.com with SMTP id z19so38737612plo.2 for ; Thu, 06 Apr 2023 15:25:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; t=1680819914; x=1683411914; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=g1AjHf2kCvIdLeYFh5xT+QDV5+o6aZpVh3ZQromHqS0=; b=s3vxtsDPoSXlMifI4rs+/vS/5nH+8PhwE9xs9s2dgUzHr8Wd3iRtFg3A8X9ZOMc66B DDWHb/HSBO6gvjMvYXddd2ncUcHdon4UINWwRxDu/DSlHq7aLz0YDSpzGjy8NubKQ2s1 GedeUwwhCURiLXGy9Pxq6czCKovsxRc09laMA9ZvWQwov+ZavxiPAU5CL4CISipg3LEr fMH1kDRJSjjZmUubc2XGwOX0HMdwZylp3slecMV9+YfDhnsA3/2ABFqjoUTfrfpy8mZb pE8p3K/8k07JlB5CbT8c9Ofk3I0XP0L0P12C9kC4arPcCY0hJCOrLiE8Q8S2hOKn/zmD y8PA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680819914; x=1683411914; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=g1AjHf2kCvIdLeYFh5xT+QDV5+o6aZpVh3ZQromHqS0=; b=mRD93DXELg09behCdKDVEvPVYqgSJ2rnRDGd1Rc0kQolJZC0rAL04cLmUvYmHCSxQ/ ZJRHvLRdBP8rcXNLD9GfT1KvrNrjZGR+1jDiY7XXityiORP4LFqQiyE7Aqj9javkp4Pf mmaC/X1OayzDhRf38/6qVYqQxPr0dNgoiRXM0NMge+gJ2Olt3dSUGLONT9CayYUTPq90 ptKd69t1K7h3GPmQZWRs5jtDMuHmvIfOX8YK4+/pdj1okZYXyF1juSW3ddV2qOE/hfch nzAqyjW3F9JYoi60OTj7VSXtyMipoxmZ98kh89c19a1eM0W+34GdYw9FDpYvVvF/9u07 Nr1w== X-Gm-Message-State: AAQBX9doRTprgg5hKX6u7JL76PP1VoLuC9oVRs27UjoiB1DVixRcO7i1 VR34dhH36tEtyOy5kTI5orm48Bg+TlCJFyuq3SNMrg== X-Received: by 2002:a17:90a:a004:b0:23d:3b06:ee13 with SMTP id q4-20020a17090aa00400b0023d3b06ee13mr64109pjp.1.1680819914155; Thu, 06 Apr 2023 15:25:14 -0700 (PDT) MIME-Version: 1.0 References: <20230406004018.1439952-1-drosen@google.com> <20230406004018.1439952-3-drosen@google.com> In-Reply-To: From: Daniel Rosenberg Date: Thu, 6 Apr 2023 15:25:02 -0700 Message-ID: Subject: Re: [PATCH 2/3] bpf: Allow NULL buffers in bpf_dynptr_slice(_rw) To: Andrii Nakryiko Cc: bpf@vger.kernel.org, Alexei Starovoitov , Daniel Borkmann , John Fastabend , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , Shuah Khan , Jonathan Corbet , Joanne Koong , Mykola Lysenko , linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, kernel-team@android.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-15.7 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,ENV_AND_HDR_SPF_MATCH, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL, USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Apr 6, 2023 at 2:09=E2=80=AFPM Andrii Nakryiko wrote: > > should we always reject NULL even for SKB/XDP or only when the buffer > *would be* required? If the latter, we could use bpf_dynptr_slice() > with NULL buf to say "only return pointer if no byte copying is > required". As opposed to bpf_dynptr_data(), where I think we always > fail for SKB/XDP, because we are not sure whether users are aware of > this need to copy bytes. Here, users are aware, but chose to prevent > copying. > > WDYT? > I think Passing NULL here should signal that you're quite okay with it failing instead of copying. We could limit this to just local/ringbuf types, but that seems like an unneeded restriction, particularly if you're operating on some section of an skb/xdp buffer that you know will always be contiguous. I adjusted xdp for that. The adjustment would be similar for skb, I just didn't do that since it was another layer of indirection deep and hadn't looked through all of those use cases. Though it should be fine to just reject when the buffer would have been needed, since all users currently provide one. I agree that allowing that same behavior for dnyptr_data would be more likely to cause confusion. Blocking the copy on dynprt_slice is much more explicit. > > would this work correctly if someone passes a non-null buffer with too > small size? Can you please add a test for this use case. > Yes, that's one of the tests that's missing there. Once I get my build situation sorted I'll add more tests. The behavior for a non-null buffer should be unchanged by this patch. > Also, I feel like for cases where we allow a NULL buffer, we need to > explicitly check that the register is a *known* NULL (SCALAR=3D0 > basically). And also in that case the size of the buffer probably > should be enforced to zero, not just be allowed to be any value. > We absolutely should check that the pointer in question is NULL before ignoring the size check. I think I'm accomplishing that by ignoring __opt when reg->umax_value > 0 in is_kfunc_arg_optional. Is that the wrong check? Perhaps I should check var_off =3D=3D tnum_const(0) instead. We can't enforce the size being zero in this case because the size is doing double duty. It's both the length of the requested area of access into the dnyptr, and the size of the buffer that it might copy that data into. If we don't provide a buffer, then it doesn't make sense to check that buffer's size. The size does still apply to the returned pointer though. Within the kfunc, it just needs to check for null before copying dynptr data, as well as the regular enforcement of length against the dynprt/offset. > it's scary to just ignore some error, tbh, the number of error > conditions can grow overtime and we'll be masking them with this > is_kfunc_arg_optional() override. Let's be strict and explicit here. > It would probably make more sense to check is_kfunc_arg_optional and skip the size check altogether. Either way we're just relying on runtime checks against the dynptr at that point. If the buffer is known null and optional, we don't care what the relationship between the buffer and the size is, just that size and the dynptr. __szk already takes care of it being a constant. This doesn't affect the return buffer size.