From: Daniel Borkmann <daniel@iogearbox.net>
To: David Miller <davem@davemloft.net>, ecree@solarflare.com
Cc: ast@fb.com, alexei.starovoitov@gmail.com, netdev@vger.kernel.org
Subject: Re: Alignment in BPF verifier
Date: Sat, 20 May 2017 01:05:12 +0200 [thread overview]
Message-ID: <591F7A28.3020004@iogearbox.net> (raw)
In-Reply-To: <20170519.163957.1950740987459934279.davem@davemloft.net>
On 05/19/2017 10:39 PM, David Miller wrote:
> From: Edward Cree <ecree@solarflare.com>
> Date: Fri, 19 May 2017 21:00:13 +0100
>
>> Well, I've managed to get somewhat confused by reg->id.
>> In particular, I'm unsure which bpf_reg_types can have an id, and what
>> exactly it means. There seems to be some code that checks around map value
>> pointers, which seems strange as maps have fixed sizes (and the comments in
>> enum bpf_reg_type make it seem like id is a PTR_TO_PACKET thing) - is this
Besides PTR_TO_PACKET also PTR_TO_MAP_VALUE_OR_NULL uses it to
track all registers (incl. spilled ones) with the same reg->id
that originated from the same map lookup. After the reg type is
then migrated to either PTR_TO_MAP_VALUE (resp. CONST_PTR_TO_MAP
for map in map) or UNKNOWN_VALUE depending on the branch, the
reg->id is then reset to 0 again. Whole reason for this is that
LLVM generates code where it can move and/or spill a reg of type
PTR_TO_MAP_VALUE_OR_NULL to other regs before we do the NULL
test on it, and later on it expects that the spilled or moved
regs work wrt access. So they're marked with an id and then all
of them are type migrated. So here meaning of reg->id is different
than in PTR_TO_PACKET case. Example:
0: (b7) r1 = 10
1: (7b) *(u64 *)(r10 -8) = r1
2: (bf) r2 = r10
3: (07) r2 += -8
4: (18) r1 = 0x59c00000
6: (85) call 1 //map lookup
7: (bf) r4 = r0
8: (15) if r0 == 0x0 goto pc+1
R0=map_value(ks=8,vs=8) R4=map_value_or_null(ks=8,vs=8) R10=fp
9: (7a) *(u64 *)(r4 +0) = 0
>> maybe because of map-of-maps support, can the contained maps have differing
>> element sizes? Or do we allow *(map_value + var + imm), if map_value + var
>> was appropriately bounds-checked?
>>
>> Does the 'id' identify the variable that was added to an object pointer, or
>> the object itself? Or does it blur these and identify (what the comment in
>> enum bpf_reg_type calls) "skb->data + (u16) var"?
>
> The reg->id value changes any time a variable gets added to a packet
> pointer.
>
> You will also notice right now that only packet pointers have their
> alignment tracked.
>
> I have changes pending that will do that for MAP pointers too, but
> it needs more work.
>
next prev parent reply other threads:[~2017-05-19 23:05 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-15 16:04 [PATCH v2 1/3] bpf: Use 1<<16 as ceiling for immediate alignment in verifier David Miller
2017-05-16 12:37 ` Edward Cree
2017-05-16 19:52 ` David Miller
2017-05-16 22:53 ` Alexei Starovoitov
2017-05-17 14:00 ` Edward Cree
2017-05-17 15:33 ` Edward Cree
2017-05-18 0:16 ` David Miller
2017-05-18 1:18 ` Alexei Starovoitov
2017-05-18 14:10 ` Edward Cree
2017-05-18 2:48 ` Alexei Starovoitov
2017-05-18 14:49 ` Edward Cree
2017-05-18 16:38 ` Edward Cree
2017-05-18 18:41 ` Edward Cree
2017-05-19 1:22 ` Alexei Starovoitov
2017-05-19 14:21 ` Edward Cree
2017-05-19 14:55 ` Alexei Starovoitov
2017-05-19 17:17 ` Edward Cree
2017-05-19 20:00 ` Alignment in BPF verifier Edward Cree
2017-05-19 20:39 ` David Miller
2017-05-19 23:05 ` Daniel Borkmann [this message]
2017-05-23 14:41 ` Edward Cree
2017-05-23 17:43 ` Edward Cree
2017-05-23 23:59 ` Alexei Starovoitov
2017-05-23 19:45 ` Alexei Starovoitov
2017-05-23 21:27 ` Daniel Borkmann
2017-05-24 13:46 ` Edward Cree
2017-05-24 16:39 ` Alexei Starovoitov
2017-05-25 16:31 ` David Miller
2017-05-19 20:48 ` David Miller
2017-05-19 20:41 ` [PATCH v2 1/3] bpf: Use 1<<16 as ceiling for immediate alignment in verifier David Miller
2017-05-19 21:37 ` Alexei Starovoitov
2017-05-19 23:16 ` David Miller
2017-05-20 0:20 ` Alexei Starovoitov
2017-05-17 16:13 ` David Miller
2017-05-17 17:00 ` Edward Cree
2017-05-17 17:25 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=591F7A28.3020004@iogearbox.net \
--to=daniel@iogearbox.net \
--cc=alexei.starovoitov@gmail.com \
--cc=ast@fb.com \
--cc=davem@davemloft.net \
--cc=ecree@solarflare.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.