From: Roberto Sassu <roberto.sassu@huawei.com>
To: Roberto Sassu <roberto.sassu@huawei.com>,
Kumar Kartikeya Dwivedi <memxor@gmail.com>,
"bpf@vger.kernel.org" <bpf@vger.kernel.org>
Cc: Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>
Subject: RE: [PATCH bpf-next v1 1/2] bpf: Add support for per-parameter trusted args
Date: Thu, 28 Jul 2022 08:18:24 +0000 [thread overview]
Message-ID: <34ee6960df604501a5348eac7b1c5768@huawei.com> (raw)
In-Reply-To: <fd75bc5ed2564f558000284c44c89632@huawei.com>
> From: Roberto Sassu [mailto:roberto.sassu@huawei.com]
> Sent: Thursday, July 28, 2022 9:46 AM
> > From: Kumar Kartikeya Dwivedi [mailto:memxor@gmail.com]
> > Sent: Wednesday, July 27, 2022 10:16 AM
> > Similar to how we detect mem, size pairs in kfunc, teach verifier to
> > treat __ref suffix on argument name to imply that it must be a trusted
> > arg when passed to kfunc, similar to the effect of KF_TRUSTED_ARGS flag
> > but limited to the specific parameter. This is required to ensure that
> > kfunc that operate on some object only work on acquired pointers and not
> > normal PTR_TO_BTF_ID with same type which can be obtained by pointer
> > walking. Release functions need not specify such suffix on release
> > arguments as they are already expected to receive one referenced
> > argument.
>
> Thanks, Kumar. I will try it.
Uhm. I realized that I was already using another suffix,
__maybe_null, to indicate that a caller can pass NULL as
argument.
Wouldn't probably work well with two suffixes.
Have you considered to extend BTF_ID_FLAGS to take five
extra arguments, to set flags for each kfunc parameter?
Thanks
Roberto
> Roberto
>
> > Cc: Roberto Sassu <roberto.sassu@huawei.com>
> > Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
> > ---
> > Documentation/bpf/kfuncs.rst | 18 +++++++++++++++++
> > kernel/bpf/btf.c | 39 ++++++++++++++++++++++++------------
> > net/bpf/test_run.c | 9 +++++++--
> > 3 files changed, 51 insertions(+), 15 deletions(-)
> >
> > diff --git a/Documentation/bpf/kfuncs.rst b/Documentation/bpf/kfuncs.rst
> > index c0b7dae6dbf5..41dff6337446 100644
> > --- a/Documentation/bpf/kfuncs.rst
> > +++ b/Documentation/bpf/kfuncs.rst
> > @@ -72,6 +72,24 @@ argument as its size. By default, without __sz
> annotation,
> > the size of the type
> > of the pointer is used. Without __sz annotation, a kfunc cannot accept a void
> > pointer.
> >
> > +2.2.2 __ref Annotation
> > +----------------------
> > +
> > +This annotation is used to indicate that the argument is trusted, i.e. it will
> > +be a pointer from an acquire function (defined later), and its offset will be
> > +zero. This annotation has the same effect as the KF_TRUSTED_ARGS kfunc
> flag
> > but
> > +only on the parameter it is applied to. An example is shown below::
> > +
> > + void bpf_task_send_signal(struct task_struct *task__ref, int signal)
> > + {
> > + ...
> > + }
> > +
> > +Here, bpf_task_send_signal will only act on trusted task_struct pointers, and
> > +cannot be used on pointers obtained using pointer walking. This ensures that
> > +caller always calls this kfunc on a task whose lifetime is guaranteed for the
> > +duration of the call.
> > +
> > .. _BPF_kfunc_nodef:
> >
> > 2.3 Using an existing kernel function
> > diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> > index 7ac971ea98d1..3ce9b2deef9c 100644
> > --- a/kernel/bpf/btf.c
> > +++ b/kernel/bpf/btf.c
> > @@ -6141,18 +6141,13 @@ static bool __btf_type_is_scalar_struct(struct
> > bpf_verifier_log *log,
> > return true;
> > }
> >
> > -static bool is_kfunc_arg_mem_size(const struct btf *btf,
> > - const struct btf_param *arg,
> > - const struct bpf_reg_state *reg)
> > +static bool btf_param_match_suffix(const struct btf *btf,
> > + const struct btf_param *arg,
> > + const char *suffix)
> > {
> > - int len, sfx_len = sizeof("__sz") - 1;
> > - const struct btf_type *t;
> > + int len, sfx_len = strlen(suffix);
> > const char *param_name;
> >
> > - t = btf_type_skip_modifiers(btf, arg->type, NULL);
> > - if (!btf_type_is_scalar(t) || reg->type != SCALAR_VALUE)
> > - return false;
> > -
> > /* In the future, this can be ported to use BTF tagging */
> > param_name = btf_name_by_offset(btf, arg->name_off);
> > if (str_is_empty(param_name))
> > @@ -6161,10 +6156,26 @@ static bool is_kfunc_arg_mem_size(const struct
> btf
> > *btf,
> > if (len < sfx_len)
> > return false;
> > param_name += len - sfx_len;
> > - if (strncmp(param_name, "__sz", sfx_len))
> > + return !strncmp(param_name, suffix, sfx_len);
> > +}
> > +
> > +static bool is_kfunc_arg_ref(const struct btf *btf,
> > + const struct btf_param *arg)
> > +{
> > + return btf_param_match_suffix(btf, arg, "__ref");
> > +}
> > +
> > +static bool is_kfunc_arg_mem_size(const struct btf *btf,
> > + const struct btf_param *arg,
> > + const struct bpf_reg_state *reg)
> > +{
> > + const struct btf_type *t;
> > +
> > + t = btf_type_skip_modifiers(btf, arg->type, NULL);
> > + if (!btf_type_is_scalar(t) || reg->type != SCALAR_VALUE)
> > return false;
> >
> > - return true;
> > + return btf_param_match_suffix(btf, arg, "__sz");
> > }
> >
> > static int btf_check_func_arg_match(struct bpf_verifier_env *env,
> > @@ -6174,7 +6185,7 @@ static int btf_check_func_arg_match(struct
> > bpf_verifier_env *env,
> > u32 kfunc_flags)
> > {
> > enum bpf_prog_type prog_type = resolve_prog_type(env->prog);
> > - bool rel = false, kptr_get = false, trusted_arg = false;
> > + bool rel = false, kptr_get = false, kf_trusted_args = false;
> > struct bpf_verifier_log *log = &env->log;
> > u32 i, nargs, ref_id, ref_obj_id = 0;
> > bool is_kfunc = btf_is_kernel(btf);
> > @@ -6211,7 +6222,7 @@ static int btf_check_func_arg_match(struct
> > bpf_verifier_env *env,
> > /* Only kfunc can be release func */
> > rel = kfunc_flags & KF_RELEASE;
> > kptr_get = kfunc_flags & KF_KPTR_GET;
> > - trusted_arg = kfunc_flags & KF_TRUSTED_ARGS;
> > + kf_trusted_args = kfunc_flags & KF_TRUSTED_ARGS;
> > }
> >
> > /* check that BTF function arguments match actual types that the
> > @@ -6221,6 +6232,7 @@ static int btf_check_func_arg_match(struct
> > bpf_verifier_env *env,
> > enum bpf_arg_type arg_type = ARG_DONTCARE;
> > u32 regno = i + 1;
> > struct bpf_reg_state *reg = ®s[regno];
> > + bool trusted_arg = false;
> >
> > t = btf_type_skip_modifiers(btf, args[i].type, NULL);
> > if (btf_type_is_scalar(t)) {
> > @@ -6239,6 +6251,7 @@ static int btf_check_func_arg_match(struct
> > bpf_verifier_env *env,
> > /* Check if argument must be a referenced pointer, args + i has
> > * been verified to be a pointer (after skipping modifiers).
> > */
> > + trusted_arg = kf_trusted_args || is_kfunc_arg_ref(btf, args + i);
> > if (is_kfunc && trusted_arg && !reg->ref_obj_id) {
> > bpf_log(log, "R%d must be referenced\n", regno);
> > return -EINVAL;
> > diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
> > index cbc9cd5058cb..247bfe52e585 100644
> > --- a/net/bpf/test_run.c
> > +++ b/net/bpf/test_run.c
> > @@ -691,7 +691,11 @@ noinline void
> bpf_kfunc_call_test_mem_len_fail2(u64
> > *mem, int len)
> > {
> > }
> >
> > -noinline void bpf_kfunc_call_test_ref(struct prog_test_ref_kfunc *p)
> > +noinline void bpf_kfunc_call_test_trusted(struct prog_test_ref_kfunc *p)
> > +{
> > +}
> > +
> > +noinline void bpf_kfunc_call_test_ref(struct prog_test_ref_kfunc *p__ref)
> > {
> > }
> >
> > @@ -718,7 +722,8 @@ BTF_ID_FLAGS(func, bpf_kfunc_call_test_fail3)
> > BTF_ID_FLAGS(func, bpf_kfunc_call_test_mem_len_pass1)
> > BTF_ID_FLAGS(func, bpf_kfunc_call_test_mem_len_fail1)
> > BTF_ID_FLAGS(func, bpf_kfunc_call_test_mem_len_fail2)
> > -BTF_ID_FLAGS(func, bpf_kfunc_call_test_ref, KF_TRUSTED_ARGS)
> > +BTF_ID_FLAGS(func, bpf_kfunc_call_test_trusted, KF_TRUSTED_ARGS)
> > +BTF_ID_FLAGS(func, bpf_kfunc_call_test_ref)
> > BTF_SET8_END(test_sk_check_kfunc_ids)
> >
> > static void *bpf_test_init(const union bpf_attr *kattr, u32 user_size,
> > --
> > 2.34.1
next prev parent reply other threads:[~2022-07-28 8:18 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-27 8:15 [PATCH bpf-next v1 0/2] Add __ref annotation for kfuncs Kumar Kartikeya Dwivedi
2022-07-27 8:15 ` [PATCH bpf-next v1 1/2] bpf: Add support for per-parameter trusted args Kumar Kartikeya Dwivedi
2022-07-28 7:46 ` Roberto Sassu
2022-07-28 8:18 ` Roberto Sassu [this message]
2022-07-28 8:45 ` Kumar Kartikeya Dwivedi
2022-07-28 9:02 ` Kumar Kartikeya Dwivedi
2022-08-02 4:45 ` Alexei Starovoitov
2022-08-02 10:07 ` Roberto Sassu
2022-08-02 15:05 ` Alexei Starovoitov
2022-08-02 16:01 ` Roberto Sassu
2022-08-03 14:34 ` Roberto Sassu
2022-07-28 9:02 ` Roberto Sassu
2022-07-27 8:15 ` [PATCH bpf-next v1 2/2] selftests/bpf: Extend KF_TRUSTED_ARGS test for __ref annotation Kumar Kartikeya Dwivedi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=34ee6960df604501a5348eac7b1c5768@huawei.com \
--to=roberto.sassu@huawei.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=memxor@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox