Re: [PATCH v2 bpf-next 1/3] bpf: Support for pointers beyond pkt_end.

From: Alexei Starovoitov <alexei.starovoitov@gmail.com>
To: John Fastabend <john.fastabend@gmail.com>
Cc: davem@davemloft.net, daniel@iogearbox.net,
	netdev@vger.kernel.org, bpf@vger.kernel.org, kernel-team@fb.com
Subject: Re: [PATCH v2 bpf-next 1/3] bpf: Support for pointers beyond pkt_end.
Date: Thu, 12 Nov 2020 15:59:34 -0800	[thread overview]
Message-ID: <20201112235934.gkydiegea4nhin3x@ast-mbp> (raw)
In-Reply-To: <5fad89fb649af_2a612088e@john-XPS-13-9370.notmuch>

On Thu, Nov 12, 2020 at 11:16:11AM -0800, John Fastabend wrote:
> Alexei Starovoitov wrote:
> > From: Alexei Starovoitov <ast@kernel.org>
> > 
> > This patch adds the verifier support to recognize inlined branch conditions.
> > The LLVM knows that the branch evaluates to the same value, but the verifier
> > couldn't track it. Hence causing valid programs to be rejected.
> > The potential LLVM workaround: https://reviews.llvm.org/D87428
> > can have undesired side effects, since LLVM doesn't know that
> > skb->data/data_end are being compared. LLVM has to introduce extra boolean
> > variable and use inline_asm trick to force easier for the verifier assembly.
> > 
> > Instead teach the verifier to recognize that
> > r1 = skb->data;
> > r1 += 10;
> > r2 = skb->data_end;
> > if (r1 > r2) {
> >   here r1 points beyond packet_end and
> >   subsequent
> >   if (r1 > r2) // always evaluates to "true".
> > }
> > 
> > Tested-by: Jiri Olsa <jolsa@redhat.com>
> > Signed-off-by: Alexei Starovoitov <ast@kernel.org>
> > ---
> >  include/linux/bpf_verifier.h |   2 +-
> >  kernel/bpf/verifier.c        | 129 +++++++++++++++++++++++++++++------
> >  2 files changed, 108 insertions(+), 23 deletions(-)
> > 
> 
> Thanks, we can remove another set of inline asm logic.

Awesome! Please contribute your C examples to selftests when possible.

> Acked-by: John Fastabend <john.fastabend@gmail.com>
>  
> >  	if (pred >= 0) {
> > @@ -7517,7 +7601,8 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
> >  		 */
> >  		if (!__is_pointer_value(false, dst_reg))
> >  			err = mark_chain_precision(env, insn->dst_reg);
> > -		if (BPF_SRC(insn->code) == BPF_X && !err)
> > +		if (BPF_SRC(insn->code) == BPF_X && !err &&
> > +		    !__is_pointer_value(false, src_reg))
> 
> This could have been more specific with !type_is_pkt_pointer() correct? I
> think its fine as is though.

I actually meant to use __is_pointer_value() here for two reasons:
1. to match dst_reg check just few lines above.
2. mark_chain_precision() is for scalars only. If in the future
  is_*_branch_taken() will support other kinds of pointers the more
  precise !type_is_pkt_pointer() check would need to be modified.
  That would be unnecessary code churn.

Thanks for the review!