From: Eduard Zingerman <eddyz87@gmail.com>
To: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
Alexei Starovoitov <ast@kernel.org>, andrii <andrii@kernel.org>,
Nick Zavaritsky <mejedi@gmail.com>, bpf <bpf@vger.kernel.org>,
Kumar Kartikeya Dwivedi <memxor@gmail.com>
Subject: Re: Packet pointer invalidation and subprograms
Date: Fri, 06 Dec 2024 02:44:13 -0800 [thread overview]
Message-ID: <1f49e00de4e5a17740e4e04ddb77b60e5ff46526.camel@gmail.com> (raw)
In-Reply-To: <CAEf4BzZybLU0bmYJqH2XJYG_g8Pvm+STRdHBtE1c5zbhHvtrcg@mail.gmail.com>
On Thu, 2024-12-05 at 22:22 -0800, Andrii Nakryiko wrote:
> On Thu, Dec 5, 2024 at 8:07 PM Eduard Zingerman <eddyz87@gmail.com> wrote:
> >
> > On Thu, 2024-12-05 at 17:44 -0800, Alexei Starovoitov wrote:
> > > On Thu, Dec 5, 2024 at 4:29 PM Eduard Zingerman <eddyz87@gmail.com> wrote:
> > > >
> > > > so I went ahead and the fix does look simple:
> > > > https://github.com/eddyz87/bpf/tree/skb-pull-data-global-func-bug
> > >
> > > Looks simple enough to me.
> > > Ship it for bpf tree.
> > > If we can come up with something better we can do it later in bpf-next.
> > >
> > > I very much prefer to avoid complexity as much as possible.
> >
> > Sent the patch-set for "simple".
> > It is better then "dumb" by any metric anyways.
> > Will try what Andrii suggests, as allowing calling global sub-programs
> > from non-sleepable context sounds interesting.
> >
>
> I haven't looked at your patches yet, but keep in mind another gotcha
> with subprograms: they can be freplace'd by another BPF program
> (clearly freplace programs were a successful reduction of
> complexity... ;)
If there would be no general objections for the patch-set I posted,
I'll do a v2 with an additional flag in bpf_prog_aux/bpf_func_info_aux
to be checked when freplace attachment is done.
> What this means in practice is whatever deductions you get out of
> analyzing any specific original subprogram might be violated by
> freplace program if we don't enforce them during freplace attachment.
>
>
> Anyways, I came here to say that I think I have a much simpler
> solution that won't require big changes to the BPF verifier: tags. We
> can shift the burden to the user having to declare the intent upfront
> through subprog tags. And then, during verification of that global
> subprog, the verifier can enforce that only explicitly declared side
> effects can be enacted by the subprogram's code (taking into account
> lazy dead code detection logic).
I considered tags, but didn't like it much for something so easily computable.
Please take a look at the patch, the change for check_cfg() is 32 lines.
> We already take advantage of declarative tags for global subprog args
> (__arg_trusted, etc), we can do the same for the function itself. We
> can have __subprog_invalidates_all_pkt_pointers tag (and yes, I do
> insist on this laconic name, of course), and during verification of
> subprogram we just make sure that subprog was annotated as such, if
> one of those fancy helpers is called directly in subprog itself or
> transitively through any of *actually* called subprogs.
>
> All this will preserve the lazy approach we have with no need to look
> ahead into subprog's implementation. I'd keep the concept of global
> subprog completely and exhaustively described with its type signature
> and associated tags as much as possible.
>
> P.S. We still need to keep in mind freplace complications, of course.
next prev parent reply other threads:[~2024-12-06 10:44 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-03 16:26 Packet pointer invalidation and subprograms Nick Zavaritsky
2024-12-03 20:19 ` Eduard Zingerman
2024-12-03 21:41 ` Eduard Zingerman
2024-12-06 0:03 ` Andrii Nakryiko
2024-12-06 0:12 ` Kumar Kartikeya Dwivedi
2024-12-06 0:29 ` Eduard Zingerman
2024-12-06 1:44 ` Alexei Starovoitov
2024-12-06 4:07 ` Eduard Zingerman
2024-12-06 6:22 ` Andrii Nakryiko
2024-12-06 10:44 ` Eduard Zingerman [this message]
2024-12-06 16:08 ` Andrii Nakryiko
2024-12-06 17:29 ` Eduard Zingerman
2024-12-06 17:46 ` Andrii Nakryiko
2024-12-06 17:58 ` Eduard Zingerman
2024-12-06 18:10 ` Andrii Nakryiko
2024-12-06 18:29 ` Eduard Zingerman
2024-12-06 16:07 ` Alexei Starovoitov
2024-12-06 16:12 ` Andrii Nakryiko
2024-12-06 16:20 ` Alexei Starovoitov
2024-12-06 17:42 ` Andrii Nakryiko
2024-12-06 18:23 ` Kumar Kartikeya Dwivedi
2024-12-06 18:30 ` Alexei Starovoitov
2024-12-06 19:31 ` Kumar Kartikeya Dwivedi
2024-12-06 18:26 ` Alexei Starovoitov
2024-12-06 18:30 ` Kumar Kartikeya Dwivedi
2024-12-06 18:32 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1f49e00de4e5a17740e4e04ddb77b60e5ff46526.camel@gmail.com \
--to=eddyz87@gmail.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii.nakryiko@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=mejedi@gmail.com \
--cc=memxor@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.