Re: [PATCH bpf-next 0/8] PTR_TO_BTF_ID arguments in global subprogs

[Eduard Zingerman <eddyz87@gmail.com>]

On Thu, 2024-01-04 at 16:09 -0800, Andrii Nakryiko wrote:
> This patch set follows recent changes that added btf_decl_tag-based argument
> annotation support for global subprogs. This time we add ability to pass
> PTR_TO_BTF_ID (BTF-aware kernel pointers) arguments into global subprograms.
> We support explicitly trusted and untrusted arguments. Legacy semi-trusted
> variant is not supported.
> 
> Patches #2 through #4 do preparatory refactorings to add support for multiple
> tags per argument. This is important for being able to use modifiers like
> __arg_nonnull together with trusted/untrusted arguments.
> 
> Patch #5 is adding the actual __arg_trusted and __arg_untrusted support.
> 
> It also raises a question about default nullable vs non-nullable semantics for
> PTR_TO_BTF_ID arguments. It feels like having both __arg_nonnull and
> __arg_nullable would provide the best kind of experience and flexibility, but
> for now we implement nullable by default semantics, as a more conservative
> behavior.
> 
> Patch #7 adds bpf_core_cast() helper macro which is a wrapper around
> bpf_rdonly_cast() kfunc, but hides BTF ID manipulations behind more
> user-friendly type argument instead. We utilize this macro in selftests added
> in patch #8.
> 
> Patch #8 adds a bunch of positive and negative tests to validate expected
> semantics for various trusted/untrusted + nullable/non-null variants. We also
> make sure that global subprog cannot destroy PTR_TO_BTF_ID, as that would
> wreak havoc in caller program that is not aware of this possibility.
> 
> There were proposals to do kernel-side type enforcement for __arg_ctx, let's
> decide whether we should do that and for which program types, and I can
> accommodate the logic in future revisions.
> 
> Cc: Dave Marchevsky <davemarchevsky@meta.com>

Full patch-set looks good to me.
Acked-by: Eduard Zingerman <eddyz87@gmail.com>