From: Eduard Zingerman <eddyz87@gmail.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: bpf <bpf@vger.kernel.org>, Alexei Starovoitov <ast@kernel.org>,
    Andrii Nakryiko <andrii@kernel.org>,
    Daniel Borkmann <daniel@iogearbox.net>,
    Kernel Team <kernel-team@fb.com>, Song Liu <song@kernel.org>,
    Joanne Koong <joannelkoong@gmail.com>
Subject: Re: [PATCH bpf-next v7 3/5] bpf: Inline calls to bpf_loop when callback is known
Date: Sun, 19 Jun 2022 23:09:36 +0300
Message-ID: <fb17ffcbdfa6b75813352133c5655f01aefe71ec.camel@gmail.com>
In-Reply-To: <CAADnVQ+rwwCoEPQUg+CS_iXSzqoptrgtW4TpqoM9XkMW9Jj+ag@mail.gmail.com>
Hi Daniel, Alexei,
> On Fri, 2022-06-17 at 01:12 +0200, Daniel Borkmann wrote:
> On Thu, 2022-06-16 at 19:14 -0700, Alexei Starovoitov wrote:
> On Mon, Jun 13, 2022 at 1:50 PM Eduard Zingerman <eddyz87@gmail.com> wrote:
> > +
> > +static bool loop_flag_is_zero(struct bpf_verifier_env *env)
[...]
>
> Great catch here by Daniel.
> It needs mark_chain_precision().
Thanks for the catch regarding precision tracking. Unfortunately I
struggle to create a test case that demonstrates the issue without the
call to `mark_chain_precision`. As far as I understand this test case
should look as follows:

    ... do something in such a way that:
      - there is a branch where
        BPF_REG_4 is 0, SCALAR_VALUE, !precise
        and this branch is explored first
      - there is a branch where
        BPF_REG_4 is 1, SCALAR_VALUE, !precise

    /* create branching point */
    BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 0),
    /* load callback address to r2 */
    BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, BPF_REG_2, BPF_PSEUDO_FUNC, 0, 5),
    BPF_RAW_INSN(0, 0, 0, 0, 0),
    BPF_ALU64_IMM(BPF_MOV, BPF_REG_3, 0),
    BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_loop),
    BPF_ALU64_IMM(BPF_MOV, BPF_REG_0, 0),
    BPF_EXIT_INSN(),
    /* callback */
    BPF_ALU64_IMM(BPF_MOV, BPF_REG_0, 1),
    BPF_EXIT_INSN(),

The "do something" part would then rely on the state pruning logic to
skip the verification for the second branch. Namely, the following
part of the `regsafe` function should consider registers identical:

    /* Returns true if (rold safe implies rcur safe) */
    static bool regsafe(struct bpf_verifier_env *env, struct bpf_reg_state *rold,
                        struct bpf_reg_state *rcur, struct bpf_id_pair *idmap)
    {
        ...
        switch (base_type(rold->type)) {
        case SCALAR_VALUE:
            ...
            if (rcur->type == SCALAR_VALUE) {
    here ->     if (!rold->precise && !rcur->precise)
                    return true;
                ...
            } else {
                ...
            }
            ...
        }
        ...
    }

However, I don't understand what instructions could mark the register
as a scalar with particular value, but w/o `precise` mark. I tried
MOV, JEQ, JNE, MUL, sequence of BPF_ALU64_IMM(MOV, ...) - BPF_STX_MEM
- BPF_LDX_MEM to no avail.

The following observations might be relevant:
- `__mark_reg_known` does not change the state of the `precise` mark;
- `__mark_reg_unknown` always sets `precise` to `true` when there are
  multiple sub-programs (due to the following line:
  `reg->precise = env->subprog_cnt > 1 || !env->bpf_capable`);
- there are always multiple sub-programs when `bpf_loop` is used.

Could you please suggest what to do with this test?

Best regards,
Eduard Zingerman
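
Added example, not part of the original message and not kernel code: a toy C model of the pruning check quoted above, showing why a decision taken from a register's constant value needs that register marked precise. The toy_* names and stale_inline_decision() are hypothetical, comparing known constants by equality simplifies the kernel's range and tnum checks, and the model assumes the known-but-imprecise scalar state that the message gives as the test's precondition.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model, not kernel code: the two properties of a scalar register
 * state that matter for the pruning question. */
struct toy_reg {
	uint64_t value;  /* known constant held by the register */
	bool precise;    /* set when a verifier decision relied on value */
};

/* Simplified SCALAR_VALUE case of regsafe(): two imprecise scalars are
 * interchangeable; otherwise the known constants must be equal. */
static bool toy_regsafe(const struct toy_reg *rold, const struct toy_reg *rcur)
{
	if (!rold->precise && !rcur->precise)
		return true;
	return rold->value == rcur->value;
}

/* The path with flags (r4) == 0 is explored first and the inlining
 * decision is taken from that constant. A second path arrives with
 * r4 == second_flags. Returns true when that path is pruned against the
 * cached state although its flags differ from the value the decision
 * was based on. mark_precise models the effect of calling
 * mark_chain_precision() on r4 when the decision is taken. */
static bool stale_inline_decision(uint64_t second_flags, bool mark_precise)
{
	struct toy_reg cached = { .value = 0, .precise = mark_precise };
	struct toy_reg cur = { .value = second_flags, .precise = false };

	return toy_regsafe(&cached, &cur) && cur.value != cached.value;
}

int main(void)
{
	printf("flags=1, r4 not marked precise: stale=%d\n",
	       stale_inline_decision(1, false));
	printf("flags=1, r4 marked precise:     stale=%d\n",
	       stale_inline_decision(1, true));
	return 0;
}
```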