Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp172297rwl; Thu, 6 Apr 2023 16:57:48 -0700 (PDT) X-Google-Smtp-Source: AKy350bkQaYOof0cKMm8wPpQMjEZZWmf4z9ZlfUGKvtCOUchI2meXxOn1+BUNIfsshk4PeGORRdc X-Received: by 2002:a17:90b:1e11:b0:23e:f8e2:9ed3 with SMTP id pg17-20020a17090b1e1100b0023ef8e29ed3mr333846pjb.43.1680825468661; Thu, 06 Apr 2023 16:57:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1680825468; cv=none; d=google.com; s=arc-20160816; b=MrPAGMet4YxKi2T/rshqzvFdGLyNUjI1IPRRh6j+DAyuz79BG4upMfJejSMBvVJ3Bq PtCJ3mDPWiy4ipe5wlLo21urhZc+jYmPbs87xftxdf3DjLRpdfBRoztTmI8fGrTQuMYi M6yEgXA0+aaTs+euUKbznA6xOzDq7rABX0NMcnkmGOsdkQqLcoA/ufk+PIlLcUzAoAEp dEOFYwZsypwewIShADx8VDk30XxIDa99YipZfZcoGb4xUrZMgwSVzfp/BbYdbaidqID+ u4eBceNga4PDWg8P+jYcaU0ANI9rKEvXPLuL0Vy7UhaI+Twx4guhiwFzEo1FRcI4prX/ QVnA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=CikBPbUxVUuJ7IrbUQ9wU1KffUTIqbzP3eb0rXcRUkg=; b=tVbtf4Z3OXkI4dok5bduEGKp1br756UhNQkmUaPHvDQyZ7X1FDjdZeLVb5kVoNC5ni V2cujllFhjiGLfwsJzc4wdnt/Lec9iCikUckp92+uBzdhLTX/xRdqdoyeWvoo90hfWLT r0X8vRkCWSEn7xmr5oswnzZiHUD720OIWR8S7ndng26rqG/Gh5yowGvBuH1La8JichCr hjmNq3RWgYVSQnADpomVj7hvwgegqYTL8O45Q6B5Q8vSPcJznocXm8WpS+JoLbCvrs9J noVhg09kIFpBFo77N41MVqugjYv4Ac7PfTObKYC7lysdVH7TP5otk0cJSv90NBYbjXx+ b0IQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=HzkmRvtx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s6-20020a63dc06000000b00513f9dbbdb9si2225925pgg.275.2023.04.06.16.57.37; Thu, 06 Apr 2023 16:57:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=HzkmRvtx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232575AbjDFXyp (ORCPT + 99 others); Thu, 6 Apr 2023 19:54:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52082 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237261AbjDFXyh (ORCPT ); Thu, 6 Apr 2023 19:54:37 -0400 Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9F4667ED3; Thu, 6 Apr 2023 16:54:36 -0700 (PDT) Received: by mail-ej1-x62f.google.com with SMTP id g18so5062492ejx.7; Thu, 06 Apr 2023 16:54:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680825275; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=CikBPbUxVUuJ7IrbUQ9wU1KffUTIqbzP3eb0rXcRUkg=; b=HzkmRvtxMm4P83iWhZXWYnREh/Aw63gNTIRiYPPczkXDk+XvTAZffm2WgzmunJabVv I+fCneguVvtcsSVm6MNOSxeX25kPF26kuP4fapvf9l6yFUQgMKeGp5yjVgMo/WnDwNWd zxE2Q5sGiF5H8cBmAowJH/PZoUs79TBYs2HPLoT8Arthat0AFIvIE9YDXrw3y2j84HnX DulZMUwCs09JwEtM23hpbXjQ/5LIAXKkgx6ij/6CLvGpLEjNCAboFL2IHqpngEnrX1OW z0ApFH7PqH5lqeY80VFtow6u1DCKjaIjAuTIcfCRmwVRWx+ZJxTmxOHZEmeArCUL5T34 mqpA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680825275; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=CikBPbUxVUuJ7IrbUQ9wU1KffUTIqbzP3eb0rXcRUkg=; b=HayTHKlNKIOQCdtpQTy594ER9rU3EueV4Q2wMSpdbfSqF8gNtzWj5+y5TB6jPAGB3g 4BhSh35nOgKIeL0kOeossWMZhk/vqT6wui3m+5gGiPWsuaJp/V8Ww4ymP2qctKHviBZz 1VmjfRX1niaU3/h5HC/9m4EFSnxO6H1QxISYXrigjRSRthplI30Qmas7eoa38BXGH2zU LdxeR2H4kDABM10iOsbCl+ioEBBJfTX79OEHgkps8CNuKff9n6tLxa/X7GqRaA+KNY9j b7t96i5SWEJLvnUURewMmz6lLs2q9HStsTR9xbc5g2NkijLLcTDnwDQg2yQepr+xVKZL 1gxw== X-Gm-Message-State: AAQBX9faTDD6I2LL4id+3fRDs5cRdgQBUp89GYSRNEhJ5dPTm9GaKn/S SSfrWBto0A1m1m1/buuxqQ66k8kjfsVBGmgwLKU= X-Received: by 2002:a17:906:82cd:b0:932:38d5:ff86 with SMTP id a13-20020a17090682cd00b0093238d5ff86mr299666ejy.5.1680825275137; Thu, 06 Apr 2023 16:54:35 -0700 (PDT) MIME-Version: 1.0 References: <20230406004018.1439952-1-drosen@google.com> <20230406004018.1439952-3-drosen@google.com> In-Reply-To: From: Andrii Nakryiko Date: Thu, 6 Apr 2023 16:54:22 -0700 Message-ID: Subject: Re: [PATCH 2/3] bpf: Allow NULL buffers in bpf_dynptr_slice(_rw) To: Daniel Rosenberg Cc: bpf@vger.kernel.org, Alexei Starovoitov , Daniel Borkmann , John Fastabend , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , Shuah Khan , Jonathan Corbet , Joanne Koong , Mykola Lysenko , linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, kernel-team@android.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Apr 6, 2023 at 3:25=E2=80=AFPM Daniel Rosenberg = wrote: > > On Thu, Apr 6, 2023 at 2:09=E2=80=AFPM Andrii Nakryiko > wrote: > > > > should we always reject NULL even for SKB/XDP or only when the buffer > > *would be* required? If the latter, we could use bpf_dynptr_slice() > > with NULL buf to say "only return pointer if no byte copying is > > required". As opposed to bpf_dynptr_data(), where I think we always > > fail for SKB/XDP, because we are not sure whether users are aware of > > this need to copy bytes. Here, users are aware, but chose to prevent > > copying. > > > > WDYT? > > > > I think Passing NULL here should signal that you're quite okay with it > failing instead of copying. We could limit this to just local/ringbuf > types, but that seems like an unneeded restriction, particularly if > you're operating on some section of an skb/xdp buffer that you know > will always be contiguous. > I adjusted xdp for that. The adjustment would be similar for skb, I > just didn't do that since it was another layer of indirection deep and > hadn't looked through all of those use cases. Though it should be fine > to just reject when the buffer would have been needed, since all users > currently provide one. > I agree that allowing that same behavior for dnyptr_data would be more > likely to cause confusion. Blocking the copy on dynprt_slice is much > more explicit. > > > > > would this work correctly if someone passes a non-null buffer with too > > small size? Can you please add a test for this use case. > > > > Yes, that's one of the tests that's missing there. Once I get my build > situation sorted I'll add more tests. The behavior for a non-null > buffer should be unchanged by this patch. cool, sounds good > > > Also, I feel like for cases where we allow a NULL buffer, we need to > > explicitly check that the register is a *known* NULL (SCALAR=3D0 > > basically). And also in that case the size of the buffer probably > > should be enforced to zero, not just be allowed to be any value. > > > > We absolutely should check that the pointer in question is NULL before > ignoring the size check. I think I'm accomplishing that by ignoring > __opt when reg->umax_value > 0 in is_kfunc_arg_optional. Is that the > wrong check? Perhaps I should check var_off =3D=3D tnum_const(0) instead. yeah, umax_value is probably wrong check, use register_is_null() but this approach, even if correct, is a bit too subtle. I'd code it explic= itly: - if __opt, then we know it *can be NULL* - if so, we need to consider two situations - it is NULL, then don't enforce buffer size - it is not NULL (or may be not NULL), then enforce buffer size Basically, conflating check whether argument is marked as opt with enforcement of all the implied conditions seems very error-prone. > > We can't enforce the size being zero in this case because the size is > doing double duty. It's both the length of the requested area of > access into the dnyptr, and the size of the buffer that it might copy yep, completely missed this double use of that constant, ignore my point about enforcing sz=3D=3D0 then > that data into. If we don't provide a buffer, then it doesn't make > sense to check that buffer's size. The size does still apply to the > returned pointer though. Within the kfunc, it just needs to check for yep > null before copying dynptr data, as well as the regular enforcement of > length against the dynprt/offset. > > > it's scary to just ignore some error, tbh, the number of error > > conditions can grow overtime and we'll be masking them with this > > is_kfunc_arg_optional() override. Let's be strict and explicit here. > > > It would probably make more sense to check is_kfunc_arg_optional and > skip the size check altogether. Either way we're just relying on > runtime checks against the dynptr at that point. If the buffer is > known null and optional, we don't care what the relationship between > the buffer and the size is, just that size and the dynptr. __szk > already takes care of it being a constant. This doesn't affect the > return buffer size. yep, I agree about the logic, I'm concerned with the conflated implementation, as I tried to explain above