From: Yonghong Song <yonghong.song@linux.dev>
To: Dave Marchevsky <davemarchevsky@fb.com>, bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@kernel.org>,
Kernel Team <kernel-team@fb.com>
Subject: Re: [PATCH v1 bpf-next 1/7] bpf: Ensure kptr_struct_meta is non-NULL for collection insert and refcount_acquire
Date: Tue, 1 Aug 2023 20:57:12 -0700 [thread overview]
Message-ID: <9643d04f-8102-b5b3-1edf-34b4e08485df@linux.dev> (raw)
In-Reply-To: <20230801203630.3581291-2-davemarchevsky@fb.com>
On 8/1/23 1:36 PM, Dave Marchevsky wrote:
> It's straightforward to prove that kptr_struct_meta must be non-NULL for
> any valid call to these kfuncs:
>
> * btf_parse_struct_metas in btf.c creates a btf_struct_meta for any
> struct in user BTF with a special field (e.g. bpf_refcount,
> {rb,list}_node). These are stored in that BTF's struct_meta_tab.
>
> * __process_kf_arg_ptr_to_graph_node in verifier.c ensures that nodes
> have {rb,list}_node field and that it's at the correct offset.
> Similarly, check_kfunc_args ensures bpf_refcount field existence for
> node param to bpf_refcount_acquire.
>
> * So a btf_struct_meta must have been created for the struct type of
> node param to these kfuncs
>
> * That BTF and its struct_meta_tab are guaranteed to still be around.
> Any arbitrary {rb,list} node the BPF program interacts with either:
> came from bpf_obj_new or a collection removal kfunc in the same
> program, in which case the BTF is associated with the program and
> still around; or came from bpf_kptr_xchg, in which case the BTF was
> associated with the map and is still around
>
> Instead of silently continuing with NULL struct_meta, which caused
> confusing bugs such as those addressed by commit 2140a6e3422d ("bpf: Set
> kptr_struct_meta for node param to list and rbtree insert funcs"), let's
> error out. Then, at runtime, we can confidently say that the
> implementations of these kfuncs were given a non-NULL kptr_struct_meta,
> meaning that special-field-specific functionality like
> bpf_obj_free_fields and the bpf_obj_drop change introduced later in this
> series are guaranteed to execute.
The subject says '... for collection insert and refcount_acquire'.
Why picks these? We could check for all kptr_struct_meta use cases?
>
> This patch doesn't change functionality, just makes it easier to reason
> about existing functionality.
>
> Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com>
> ---
> kernel/bpf/verifier.c | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index e7b1af016841..ec37e84a11c6 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -18271,6 +18271,13 @@ static int fixup_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
> struct btf_struct_meta *kptr_struct_meta = env->insn_aux_data[insn_idx].kptr_struct_meta;
> struct bpf_insn addr[2] = { BPF_LD_IMM64(BPF_REG_2, (long)kptr_struct_meta) };
>
> + if (desc->func_id == special_kfunc_list[KF_bpf_refcount_acquire_impl] &&
Why check for KF_bpf_refcount_acquire_impl? We can cover all cases in
this 'if' branch, right?
> + !kptr_struct_meta) {
> + verbose(env, "verifier internal error: kptr_struct_meta expected at insn_idx %d\n",
> + insn_idx);
> + return -EFAULT;
> + }
> +
> insn_buf[0] = addr[0];
> insn_buf[1] = addr[1];
> insn_buf[2] = *insn;
> @@ -18278,6 +18285,7 @@ static int fixup_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
> } else if (desc->func_id == special_kfunc_list[KF_bpf_list_push_back_impl] ||
> desc->func_id == special_kfunc_list[KF_bpf_list_push_front_impl] ||
> desc->func_id == special_kfunc_list[KF_bpf_rbtree_add_impl]) {
> + struct btf_struct_meta *kptr_struct_meta = env->insn_aux_data[insn_idx].kptr_struct_meta;
> int struct_meta_reg = BPF_REG_3;
> int node_offset_reg = BPF_REG_4;
>
> @@ -18287,6 +18295,12 @@ static int fixup_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
> node_offset_reg = BPF_REG_5;
> }
>
> + if (!kptr_struct_meta) {
> + verbose(env, "verifier internal error: kptr_struct_meta expected at insn_idx %d\n",
> + insn_idx);
> + return -EFAULT;
> + }
> +
> __fixup_collection_insert_kfunc(&env->insn_aux_data[insn_idx], struct_meta_reg,
> node_offset_reg, insn, insn_buf, cnt);
> } else if (desc->func_id == special_kfunc_list[KF_bpf_cast_to_kern_ctx] ||
In my opinion, such selective defensive programming is not necessary. By
searching kptr_struct_meta in the code, it is reasonably easy to find
whether we have any mismatch or not. Also self test coverage should
cover these cases (probably already) right?
If the defensive programming here is still desirable to warn at
verification time, I think we should just check all of uses for
kptr_struct_meta.
next prev parent reply other threads:[~2023-08-02 3:57 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-01 20:36 [PATCH v1 bpf-next 0/7] BPF Refcount followups 3: bpf_mem_free_rcu refcounted nodes Dave Marchevsky
2023-08-01 20:36 ` [PATCH v1 bpf-next 1/7] bpf: Ensure kptr_struct_meta is non-NULL for collection insert and refcount_acquire Dave Marchevsky
2023-08-02 3:57 ` Yonghong Song [this message]
2023-08-02 19:23 ` Dave Marchevsky
2023-08-02 21:41 ` Yonghong Song
2023-08-04 6:17 ` David Marchevsky
2023-08-04 15:37 ` Yonghong Song
2023-08-01 20:36 ` [PATCH v1 bpf-next 2/7] bpf: Consider non-owning refs trusted Dave Marchevsky
2023-08-02 4:11 ` Yonghong Song
2023-08-01 20:36 ` [PATCH v1 bpf-next 3/7] bpf: Use bpf_mem_free_rcu when bpf_obj_dropping refcounted nodes Dave Marchevsky
2023-08-02 4:15 ` Yonghong Song
2023-08-01 20:36 ` [PATCH v1 bpf-next 4/7] bpf: Reenable bpf_refcount_acquire Dave Marchevsky
2023-08-02 5:21 ` Yonghong Song
2023-08-01 20:36 ` [PATCH v1 bpf-next 5/7] bpf: Consider non-owning refs to refcounted nodes RCU protected Dave Marchevsky
2023-08-02 5:59 ` Yonghong Song
2023-08-04 6:47 ` David Marchevsky
2023-08-04 15:43 ` Yonghong Song
2023-08-02 22:50 ` Alexei Starovoitov
2023-08-04 6:55 ` David Marchevsky
2023-08-01 20:36 ` [PATCH v1 bpf-next 6/7] [RFC] bpf: Allow bpf_spin_{lock,unlock} in sleepable prog's RCU CS Dave Marchevsky
2023-08-02 6:33 ` Yonghong Song
2023-08-02 22:55 ` Alexei Starovoitov
2023-08-01 20:36 ` [PATCH v1 bpf-next 7/7] selftests/bpf: Add tests for rbtree API interaction in sleepable progs Dave Marchevsky
2023-08-02 23:07 ` Alexei Starovoitov
2023-08-02 3:07 ` [PATCH v1 bpf-next 0/7] BPF Refcount followups 3: bpf_mem_free_rcu refcounted nodes Yonghong Song
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9643d04f-8102-b5b3-1edf-34b4e08485df@linux.dev \
--to=yonghong.song@linux.dev \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davemarchevsky@fb.com \
--cc=kernel-team@fb.com \
--cc=martin.lau@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox