Re: [RFC net-next PATCH 3/5] net: introduce XDP driver features interface

From: David Miller <davem@davemloft.net>
To: daniel@iogearbox.net
Cc: brouer@redhat.com, borkmann@iogearbox.net,
	alexei.starovoitov@gmail.com, john.r.fastabend@intel.com,
	netdev@vger.kernel.org
Subject: Re: [RFC net-next PATCH 3/5] net: introduce XDP driver features interface
Date: Fri, 19 May 2017 19:37:26 -0400 (EDT)	[thread overview]
Message-ID: <20170519.193726.1790829446714961930.davem@davemloft.net> (raw)
In-Reply-To: <591F27B9.9070003@iogearbox.net>

From: Daniel Borkmann <daniel@iogearbox.net>
Date: Fri, 19 May 2017 19:13:29 +0200

> The problem is that once you add bits markers to bpf_prog like we
> used to do in the past, then as you do in patch 4/5 with the
> xdp_rxhash_needed bit, they will need to be turned /on/
> unconditionally when a prog has tail calls.

Yeah that's the problem with feature checks, once you have tail calls
involved we have to say "entire universe" of features is possible
because it is (intentionally) not possible to track all paths
reachable via tail calls, and in fact these paths can dynamically and
arbitrarily change after the program using tail calls have been loaded
and verified completely.

For example, let's assume we have eBPF program A that uses tail calls
via slots in bpf MAP "M".  At verification time, sure, we could see
the MAP "M" points to programs B and C, which don't use tail calls and
look at what features they use.

But after loading "A", anyone with access to bpf MAP "M" can change
the tail call slots to point to bpf programs other than "B" and "C".
And maybe those new programs use features outside of the set we tested
for when "A" was verified.

So it is impossible to test feature "sets" with eBPF like this.