From: Dave Marchevsky <davemarchevsky@meta.com>
To: Yonghong Song <yhs@meta.com>,
Dave Marchevsky <davemarchevsky@fb.com>,
bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Kernel Team <kernel-team@fb.com>,
Kumar Kartikeya Dwivedi <memxor@gmail.com>
Subject: Re: [PATCH bpf-next 1/2] bpf: Fix release_on_unlock release logic for multiple refs
Date: Thu, 1 Dec 2022 10:19:22 -0800 [thread overview]
Message-ID: <28e8797c-ff9c-dc35-d07a-52db5a7ed8e1@meta.com> (raw)
In-Reply-To: <b5d46fd5-2693-cd46-9515-700fef1a110b@meta.com>
On 11/30/22 7:21 PM, Yonghong Song wrote:
>
>
> On 11/30/22 11:25 AM, Dave Marchevsky wrote:
>> Consider a verifier state with three acquired references, all with
>> release_on_unlock = true:
>>
>> idx 0 1 2
>> state->refs = [2 4 6]
>>
>> (with 2, 4, and 6 being the ref ids).
>>
>> When bpf_spin_unlock is called, process_spin_lock will loop through all
>> acquired_refs and, for each ref, if it's release_on_unlock, calls
>> release_reference on it. That function in turn calls
>> release_reference_state, which removes the reference from state->refs by
>> swapping the reference state with the last reference state in
>> refs array and decrements acquired_refs count.
>>
>> process_spin_lock's loop logic, which is essentially:
>>
>> for (i = 0; i < state->acquired_refs; i++) {
>> if (!state->refs[i].release_on_unlock)
>> continue;
>> release_reference(state->refs[i].id);
>> }
>>
>> will fail to release release_on_unlock references which are swapped from
>> the end. Running this logic on our example demonstrates:
>>
>> state->refs = [2 4 6] (start of idx=0 iter)
>> release state->refs[0] by swapping w/ state->refs[2]
>>
>> state->refs = [6 4] (start of idx=1)
>> release state->refs[1], no need to swap as it's the last idx
>>
>> state->refs = [6] (start of idx=2, loop terminates)
>>
>> ref_id 6 should have been removed but was skipped.
>>
>> Fix this by looping from back-to-front, which results in refs that are
>> candidates for removal being swapped with refs which have already been
>> examined and kept. If we modify our initial example such that ref 6 is
>> not release_on_unlock and loop from the back, we'd see:
>>
>> state->refs = [2 4 6] (start of idx=2)
>>
>> state->refs = [2 4 6] (start of idx=1)
>>
>> state->refs = [2 6] (start of idx=0)
>>
>> state->refs = [6] (after idx=0, loop terminates)
>
> I am not sure whether the above is correct or not. Should it be:
>
> state->refs = [2 4 6] (idx=2)
> => release state->refs[2] (id 6)
> state->refs = [2 4] (idx=1)
> => release state->refs[1] (id 4)
> state->refs = [2] (idx = 0)
> => release state->refs[0] (id 2)
> ?
>
For this second example, the ref with id 6 is not release_on_unlock while the
others are. So that ref should not be released and should be the only one
remaining after the loop completes. This was intended to demonstrate the
swapping of "refs which have already been examined and kept".
It would be less confusing if I used a new ref_id for the second example
instead of changing the properties of ref 6. Will respin with this change.
>>
>> Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com>
>> cc: Kumar Kartikeya Dwivedi <memxor@gmail.com>
>> Fixes: 534e86bc6c66 ("bpf: Add 'release on unlock' logic for bpf_list_push_{front,back}")
>> ---
>>
>> I noticed this while testing ng_ds version of rbtree. Submitting
>> separately so that this fix can be applied before the rest of rbtree
>> work, as the latter will likely need a few respins.
>>
>> An alternative to this fix would be to modify or add new helper
>> functions which enable safe release_reference in a loop. The additional
>> complexity of this alternative seems unnecessary to me for now as this
>> is currently the only place in verifier where release_reference in a
>> loop is used.
>>
>> kernel/bpf/verifier.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> The code change itself looks good to me, so
>
> Acked-by: Yonghong Song <yhs@fb.com>
>
>>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index 4e7f1d085e53..ac3e1219a7a5 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -5726,7 +5726,7 @@ static int process_spin_lock(struct bpf_verifier_env *env, int regno,
>> cur->active_lock.ptr = NULL;
>> cur->active_lock.id = 0;
>> - for (i = 0; i < fstate->acquired_refs; i++) {
>> + for (i = fstate->acquired_refs - 1; i >= 0; i--) {
>> int err;
>> /* Complain on error because this reference state cannot
prev parent reply other threads:[~2022-12-01 18:20 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-30 19:25 [PATCH bpf-next 1/2] bpf: Fix release_on_unlock release logic for multiple refs Dave Marchevsky
2022-11-30 19:25 ` [PATCH bpf-next 2/2] selftests/bpf: Validate multiple ref release_on_unlock logic Dave Marchevsky
2022-12-01 3:21 ` [PATCH bpf-next 1/2] bpf: Fix release_on_unlock release logic for multiple refs Yonghong Song
2022-12-01 18:19 ` Dave Marchevsky [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=28e8797c-ff9c-dc35-d07a-52db5a7ed8e1@meta.com \
--to=davemarchevsky@meta.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davemarchevsky@fb.com \
--cc=kernel-team@fb.com \
--cc=memxor@gmail.com \
--cc=yhs@meta.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox