From: Yonghong Song <yonghong.song@linux.dev>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: bpf@vger.kernel.org, Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
kernel-team@fb.com, Martin KaFai Lau <martin.lau@kernel.org>
Subject: Re: [PATCH bpf-next 03/15] bpf: Add alloc/xchg/direct_access support for local percpu kptr
Date: Sat, 19 Aug 2023 20:47:53 -0700 [thread overview]
Message-ID: <1d62fbc0-125b-e99e-d385-fa313f6f1f46@linux.dev> (raw)
In-Reply-To: <20230819002907.io3iphmnuk43xblu@macbook-pro-8.dhcp.thefacebook.com>
On 8/18/23 5:29 PM, Alexei Starovoitov wrote:
> On Mon, Aug 14, 2023 at 10:28:25AM -0700, Yonghong Song wrote:
>> @@ -4997,13 +4997,20 @@ static int map_kptr_match_type(struct bpf_verifier_env *env,
>> if (kptr_field->type == BPF_KPTR_UNREF)
>> perm_flags |= PTR_UNTRUSTED;
>>
>> + if (kptr_field->type == BPF_KPTR_PERCPU_REF)
>> + perm_flags |= MEM_PERCPU | MEM_ALLOC;
>
> this bit doesn't look right and ...
>
>> +
>> if (base_type(reg->type) != PTR_TO_BTF_ID || (type_flag(reg->type) & ~perm_flags))
>> goto bad_type;
>>
>> - if (!btf_is_kernel(reg->btf)) {
>> + if (kptr_field->type != BPF_KPTR_PERCPU_REF && !btf_is_kernel(reg->btf)) {
>> verbose(env, "R%d must point to kernel BTF\n", regno);
>> return -EINVAL;
>> }
>> + if (kptr_field->type == BPF_KPTR_PERCPU_REF && btf_is_kernel(reg->btf)) {
>> + verbose(env, "R%d must point to prog BTF\n", regno);
>> + return -EINVAL;
>> + }
>
> .. here it really doesn't look right.
> The map_kptr_match_type() should have been used for kptrs pointing to kernel objects only.
> But you're calling it for MEM_ALLOC object with prog's BTF...
>
>> + case PTR_TO_BTF_ID | MEM_PERCPU | MEM_ALLOC:
>> + if (meta->func_id != BPF_FUNC_kptr_xchg) {
>> + verbose(env, "verifier internal error: unimplemented handling of MEM_PERCPU | MEM_ALLOC\n");
>> + return -EFAULT;
>> + }
>
> this part should be handling it, but ...
>
>> + if (map_kptr_match_type(env, meta->kptr_field, reg, regno))
>> + return -EACCES;
>
> why call this here?
>
> Existing:
> case PTR_TO_BTF_ID | MEM_ALLOC:
> if (meta->func_id != BPF_FUNC_spin_lock && meta->func_id != BPF_FUNC_spin_unlock &&
> meta->func_id != BPF_FUNC_kptr_xchg) {
> verbose(env, "verifier internal error: unimplemented handling of MEM_ALLOC\n");
> return -EFAULT;
> }
> doesn't call map_kptr_match_type().
> Where do we check that btf of arg1 and arg2 matches for kptr_xchg of MEM_ALLOC objs? Do we have a bug?
>
> Yep. We do :(
>
> diff --git a/tools/testing/selftests/bpf/progs/local_kptr_stash.c b/tools/testing/selftests/bpf/progs/local_kptr_stash.c
> index 06838083079c..a6f546f4da9a 100644
> --- a/tools/testing/selftests/bpf/progs/local_kptr_stash.c
> +++ b/tools/testing/selftests/bpf/progs/local_kptr_stash.c
> @@ -14,10 +14,12 @@ struct node_data {
> struct bpf_rb_node node;
> };
>
> +struct node_data2 { long foo[4];};
> +
> struct map_value {
> struct prog_test_ref_kfunc *not_kptr;
> struct prog_test_ref_kfunc __kptr *val;
> - struct node_data __kptr *node;
> + struct node_data2 __kptr *node;
> };
>
> /* This is necessary so that LLVM generates BTF for node_data struct
> @@ -32,6 +34,7 @@ struct map_value {
> * Had to do the same w/ bpf_kfunc_call_test_release below
> */
> struct node_data *just_here_because_btf_bug;
> +struct node_data2 *just_here_because_btf_bug2;
>
> passes the verifier and runs into kernel WARN_ONCE.
>
> Let's fix this issue first before proceeding with this series.
Sounds good. I will investigate and fix this issue before sending
out v2.
next prev parent reply other threads:[~2023-08-20 3:51 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-14 17:28 [PATCH bpf-next 00/15] Add support for local percpu kptr Yonghong Song
2023-08-14 17:28 ` [PATCH bpf-next 01/15] bpf: Add support for non-fix-size percpu mem allocation Yonghong Song
2023-08-14 17:28 ` [PATCH bpf-next 02/15] bpf: Add BPF_KPTR_PERCPU_REF as a field type Yonghong Song
2023-08-18 18:37 ` David Marchevsky
2023-08-18 23:24 ` Alexei Starovoitov
2023-08-20 3:46 ` Yonghong Song
2023-08-20 3:45 ` Yonghong Song
2023-08-14 17:28 ` [PATCH bpf-next 03/15] bpf: Add alloc/xchg/direct_access support for local percpu kptr Yonghong Song
2023-08-19 0:29 ` Alexei Starovoitov
2023-08-20 3:47 ` Yonghong Song [this message]
2023-08-19 1:24 ` Kumar Kartikeya Dwivedi
2023-08-20 4:04 ` Yonghong Song
2023-08-14 17:28 ` [PATCH bpf-next 04/15] bpf: Add bpf_this_cpu_ptr/bpf_per_cpu_ptr support for allocated percpu obj Yonghong Song
2023-08-19 1:01 ` Alexei Starovoitov
2023-08-20 4:16 ` Yonghong Song
2023-08-14 17:28 ` [PATCH bpf-next 05/15] selftests/bpf: Update error message in negative linked_list test Yonghong Song
2023-08-14 17:28 ` [PATCH bpf-next 06/15] libbpf: Add __percpu macro definition Yonghong Song
2023-08-14 17:28 ` [PATCH bpf-next 07/15] selftests/bpf: Add bpf_percpu_obj_{new,drop}() macro in bpf_experimental.h Yonghong Song
2023-08-14 17:28 ` [PATCH bpf-next 08/15] selftests/bpf: Add tests for array map with local percpu kptr Yonghong Song
2023-08-14 17:28 ` [PATCH bpf-next 09/15] bpf: Mark OBJ_RELEASE argument as MEM_RCU when possible Yonghong Song
2023-08-19 1:44 ` Kumar Kartikeya Dwivedi
2023-08-20 4:19 ` Yonghong Song
2023-08-14 17:29 ` [PATCH bpf-next 10/15] selftests/bpf: Remove unnecessary direct read of local percpu kptr Yonghong Song
2023-08-14 17:29 ` [PATCH bpf-next 11/15] selftests/bpf: Add tests for cgrp_local_storage with " Yonghong Song
2023-08-14 17:29 ` [PATCH bpf-next 12/15] bpf: Allow bpf_spin_lock and bpf_list_head in allocated percpu data structure Yonghong Song
2023-08-14 17:29 ` [PATCH bpf-next 13/15] selftests/bpf: Add tests for percpu struct with bpf list head Yonghong Song
2023-08-14 17:29 ` [PATCH bpf-next 14/15] selftests/bpf: Add some negative tests Yonghong Song
2023-08-14 17:29 ` [PATCH bpf-next 15/15] bpf: Mark BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE deprecated Yonghong Song
2023-08-18 15:54 ` Daniel Borkmann
2023-08-18 17:17 ` Yonghong Song
2023-08-18 18:26 ` Zvi Effron
2023-08-18 18:58 ` Yonghong Song
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1d62fbc0-125b-e99e-d385-fa313f6f1f46@linux.dev \
--to=yonghong.song@linux.dev \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kernel-team@fb.com \
--cc=martin.lau@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.