Re: [PATCH bpf-next v2 1/5] bpf: Support injecting chain calls into BPF programs on load

["Toke Høiland-Jørgensen" <toke@redhat.com>]

Jakub Kicinski <jakub.kicinski@netronome.com> writes:

> On Sat, 05 Oct 2019 12:29:14 +0200, Toke Høiland-Jørgensen wrote:
>> >> +static int bpf_inject_chain_calls(struct bpf_verifier_env *env)
>> >> +{
>> >> +	struct bpf_prog *prog = env->prog;
>> >> +	struct bpf_insn *insn = prog->insnsi;
>> >> +	int i, cnt, delta = 0, ret = -ENOMEM;
>> >> +	const int insn_cnt = prog->len;
>> >> +	struct bpf_array *prog_array;
>> >> +	struct bpf_prog *new_prog;
>> >> +	size_t array_size;
>> >> +
>> >> +	struct bpf_insn call_next[] = {
>> >> +		BPF_LD_IMM64(BPF_REG_2, 0),
>> >> +		/* Save real return value for later */
>> >> +		BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
>> >> +		/* First try tail call with index ret+1 */
>> >> +		BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),  
>> >
>> > Don't we need to check against the max here, and spectre-proofing
>> > here?  
>> 
>> No, I don't think so. This is just setting up the arguments for the
>> BPF_TAIL_CALL instruction below. The JIT will do its thing with that and
>> emit the range check and the retpoline stuff...
>
> Sorry, wrong CPU bug, I meant Meltdown :)
>
> https://elixir.bootlin.com/linux/v5.4-rc1/source/kernel/bpf/verifier.c#L9029

Ah, right. Well, it only adds those extra instructions if
bpf_map_ptr_unpriv() returns true. So I figured that since we're
injecting a pointer here that is not from a userspace map, it was not
needed. Though I must admit I didn't look too closely at exactly which
conditions would make bpf_map_ptr_unpriv() return true... :)

-Toke