Re: [PATCH bpf-next v2 2/2] selftests/bpf: check null propagation only neither reg is PTR_TO_BTF_ID

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Martin KaFai Lau <martin.lau@linux.dev>
To: Hao Sun <sunhao.th@gmail.com>
Cc: Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	John Fastabend <john.fastabend@gmail.com>,
	Andrii Nakryiko <andrii@kernel.org>, Song Liu <song@kernel.org>,
	Yonghong Song <yhs@fb.com>, KP Singh <kpsingh@kernel.org>,
	Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>,
	Jiri Olsa <jolsa@kernel.org>, David Miller <davem@davemloft.net>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	bpf <bpf@vger.kernel.org>
Subject: Re: [PATCH bpf-next v2 2/2] selftests/bpf: check null propagation only neither reg is PTR_TO_BTF_ID
Date: Wed, 21 Dec 2022 13:21:25 -0800	[thread overview]
Message-ID: <18e1219a-d2b2-0373-1f30-fcf83acd328f@linux.dev> (raw)
In-Reply-To: <7EAED688-C971-410E-BA56-9629CF9B3C91@gmail.com>

On 12/21/22 5:46 AM, Hao Sun wrote:
> Hi,
> 
> I’ve tried something like the bellow, but soon realized that this
> won’t work because once compiler figures out `inner_map` equals
> to `val`, it can choose either reg to write into in the following
> path, meaning that this program can be rejected due to writing
> into read-only PTR_TO_BTF_ID reg, and this makes the test useless.

hmm... I read the above a few times but I still don't quite get it.  In 
particular, '...can be rejected due to writing into read-only PTR_TO_BTF_ID 
reg...'.  Where is it writing into a read-only PTR_TO_BTF_ID reg in the 
following bpf prog?  Did I overlook something?

> 
> Essentially, we want two regs, one points to PTR_TO_BTD_ID, one
> points to MAP_VALUR_OR_NULL, then compare them and deref map val.

If I read this request correctly, I guess the compiler has changed 'ret = *val' 
to 'ret = *inner_map'?  Thus, the verifier did not reject because it deref a 
PTR_TO_BTF_ID?

> It’s hard to implement this in C level because compilers decide
> which reg to use but not us, maybe we can just drop this test.

Have you tried inline assembly.  Something like this (untested):

         asm volatile (
                 "r8 = %[val];\n"
                 "r9 = %[inner_map];\n"
		"if r8 != r9 goto +1;\n"
                 "%[ret] = *(u64 *)(r8 +0);\n"
                 :[ret] "+r"(ret)
                 : [inner_map] "r"(inner_map), [val] "r"(val)
                 :"r8", "r9");

Please attach the verifier output in the future.  It will be easier to understand.

> 
> thoughts?
>    
> +struct {
> +	__uint(type, BPF_MAP_TYPE_HASH);
> +	__uint(max_entries, 1);
> +	__type(key, u64);
> +	__type(value, u64);
> +} m_hash SEC(".maps");
> +
> +SEC("?raw_tp")
> +__failure __msg("invalid mem access 'map_value_or_null")
> +int jeq_infer_not_null_ptr_to_btfid(void *ctx)
> +{
> +	struct bpf_map *map = (struct bpf_map *)&m_hash;
> +	struct bpf_map *inner_map = map->inner_map_meta;
> +	u64 key = 0, ret = 0, *val;
> +
> +	val = bpf_map_lookup_elem(map, &key);
> +	/* Do not mark ptr as non-null if one of them is
> +	 * PTR_TO_BTF_ID, reject because of invalid access
> +	 * to map value.
> +	 */
> +	if (val == inner_map)
> +		ret = *val;
> +
> +	return ret;
> +}

next prev parent reply	other threads:[~2022-12-21 21:21 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-12-13  3:04 [PATCH bpf-next v2 1/2] bpf: fix nullness propagation for reg to reg comparisons Hao Sun
2022-12-13  3:04 ` [PATCH bpf-next v2 2/2] selftests/bpf: check null propagation only neither reg is PTR_TO_BTF_ID Hao Sun
2022-12-19 22:01   ` Martin KaFai Lau
2022-12-20  2:43     ` Hao Sun
2022-12-21 13:46     ` Hao Sun
2022-12-21 21:21       ` Martin KaFai Lau [this message]
2022-12-22  2:30         ` Hao Sun

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=18e1219a-d2b2-0373-1f30-fcf83acd328f@linux.dev \
    --to=martin.lau@linux.dev \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=haoluo@google.com \
    --cc=john.fastabend@gmail.com \
    --cc=jolsa@kernel.org \
    --cc=kpsingh@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=sdf@google.com \
    --cc=song@kernel.org \
    --cc=sunhao.th@gmail.com \
    --cc=yhs@fb.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.