From: Matt Bobrowski <mattbobrowski@google.com>
To: David Vernet <void@manifault.com>
Cc: bpf@vger.kernel.org, memxor@gmail.com
Subject: Re: BPF/Question: PTR_TRUSTED vs PTR_UNTRUSTED
Date: Fri, 21 Jul 2023 16:44:22 +0000 [thread overview]
Message-ID: <ZLq15qZWLhHzXJli@google.com> (raw)
In-Reply-To: <20230720151622.GA52260@maniforge>
On Thu, Jul 20, 2023 at 10:16:22AM -0500, David Vernet wrote:
> > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > > index fa43dc8e85b9..8b8ccde342f9 100644
> > > --- a/kernel/bpf/verifier.c
> > > +++ b/kernel/bpf/verifier.c
> > > @@ -5857,6 +5857,7 @@ BTF_TYPE_SAFE_RCU(struct task_struct) {
> > > struct css_set __rcu *cgroups;
> > > struct task_struct __rcu *real_parent;
> > > struct task_struct *group_leader;
> > > + struct fs_struct *fs;
> > > };
> >
> > Oh, right. So, if we explicitly dereference the struct fs_struct
> > member of struct task_struct within a RCU read-side critical section,
> > the BPF verifier considers the pointer to struct fs_struct as being
> > safe and trusted. Is that right?
>
> With the above patch, yes.
After conducting some further tests today, it turns out that making
amendments to the struct task_struct BTF_TYPE_SAFE_RCU definition
perhaps isn't actually necessary? As of commit afeebf9f57a49 ("bpf:
Undo strict enforcement for walking untagged fields"), if a trusted
pointer (in this case being struct task_struct obtained via
bpf_get_current_task_btf()) is dereferenced within a RCU read-side
critical section, then the pointer that is yielded as a result of the
walk/dereference operation is a PTR_TO_BTF_ID. It is neither trusted
or untrusted and therefore carries the same level of semantics as a
dereferenced pointer before any trust status for pointers was
introduced within the BPF verifier.
Have I misunderstood something here?
> > Why is it that we need to explicitly add it to such lists so that
> > they're considered to be trusted and cannot simply perform the
> > bpf_rcu_read_lock/unlock() dance from within the BPF program? Also,
> > should we not add the field to BTF_TYPE_SAFE_RCU_OR_NULL() instead of
> > BTF_TYPE_SAFE_RCU(), as struct fs_struct could perhaps be NULL in some
> > circumstances?
>
> I recommend doing some git log / git blame digging. All of this
> information was captured in prior discussions. For example, in the patch
> [0] which added these structs.
>
> [0]: https://lore.kernel.org/bpf/20230303041446.3630-7-alexei.starovoitov@gmail.com/
>
> > Are you OK with me carrying this recommended patch to the mailing
> > list?
>
> Of course
Based on what I've mentioned above, perhaps sending through a patch no
longer is necessary?
/M
next prev parent reply other threads:[~2023-07-21 16:44 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <ZIl0+n1Q5yn2r5vL@google.com>
2023-06-15 17:40 ` BPF/Question: PTR_TRUSTED vs PTR_UNTRUSTED David Vernet
2023-07-20 14:29 ` Matt Bobrowski
2023-07-20 15:16 ` David Vernet
2023-07-21 16:44 ` Matt Bobrowski [this message]
2023-07-21 17:08 ` David Vernet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZLq15qZWLhHzXJli@google.com \
--to=mattbobrowski@google.com \
--cc=bpf@vger.kernel.org \
--cc=memxor@gmail.com \
--cc=void@manifault.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.