Re: Question about pointer to forward type

From: Yonghong Song <yhs@fb.com>
To: Hou Tao <houtao1@huawei.com>, Martin KaFai Lau <kafai@fb.com>
Cc: bpf <bpf@vger.kernel.org>, Alexei Starovoitov <ast@kernel.org>,
	Andrii Nakryiko <andrii@kernel.org>
Subject: Re: Question about pointer to forward type
Date: Wed, 3 Nov 2021 12:22:18 -0700	[thread overview]
Message-ID: <5ef48d28-c8f1-83de-a918-d7b670f6f4de@fb.com> (raw)
In-Reply-To: <bb306bdd-4770-6d47-c490-a206d191b1e8@huawei.com>

On 11/3/21 4:00 AM, Hou Tao wrote:
> Hi,
> 
> On 11/3/2021 11:58 AM, Yonghong Song wrote:
>>
>>
>> On 10/15/21 7:22 AM, Hou Tao wrote:
>>> Hi,
>>>
>>> When adding test case for BPF STRUCT OPS, I got the following error
>>> during test:
>>>
>>> libbpf: load bpf program failed: Permission denied
>>> libbpf: -- BEGIN DUMP LOG ---
>>> libbpf:
>>> R1 type=ctx expected=fp
>>> ; int BPF_PROG(test_1, struct bpf_dummy_ops_state *state)
>>> 0: (b4) w0 = -218893067
>>> ; int BPF_PROG(test_1, struct bpf_dummy_ops_state *state)
>>> 1: (79) r1 = *(u64 *)(r1 +0)
>>> func 'test_1' arg0 type FWD is not a struct
>>> invalid bpf_context access off=0 size=8
>>>
>>> The error is reported from btf_ctx_access(). And the cause is
>>> the definition of struct bpf_dummy_ops_state is separated from
>>> the definition of test_1 function:
>>>
>>> test_1 is defined in include/linux/bpf.h
>>>
>>> struct bpf_dummy_ops_state;
>>> struct bpf_dummy_ops {
>>>           int (*test_1)(struct bpf_dummy_ops_state *cb);
>>> }
>>>
>>> bpf_dummy_ops_state is defined in net/bpf/bpf_dummy_struct_ops.c
>>>
>>> struct bpf_dummy_ops_state {
>>> };
>>>
>>> So arg0 has BTF_KIND_FWD type, and the check in btf_ctx_access() fails.
>>> The problem can be fixed by moving the definition of bpf_dummy_ops_state
>>> into include/linux/bpf.h or using a void * instead of
>>> struct bpf_dummy_ops_state *. But forward declaration is possible under
>>> STRUCT_OPS scenario, so my question is whether or not it is a known issue
>>> and is there somebody working on this ?
>>
>> I suspect this is what happened.
>> The 'struct bpf_dummy_ops_state' is defined in net/bpf/bpf_dummy_struct_ops.c,
>> but this structure is not used in that file
>> so there is no definition in the bpf_dummy_struct_ops.o dwarf.
>>
>> Since in the final combined dwarf, there is no "struct bpf_dummy_ops_state"
>> definition, dedup won't be able to replace
>> forward declaration with actual definition. And this caused
>> your above issue.
>>
>> It would be good if you can verifier whether this is the case or
>> not. If bpf_dummy_ops_state definition is in the dwarf, then we
>> likely have a dedup problem.
> struct bpf_dummy_ops_state is used in net/bpf/bpf_dummy_struct_ops.c, but
> the problem still exists.
> 
> And it can be reproduced by moving the definition of bpf_dummy_ops_state
> from include/linux/bpf.h to bpf_dummy_struct_ops.c as shown below and
> running "./test_progs -t dummy_st_ops":
> 
> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index 2be6dfd68df9..1d1e6dff5ce8 100644
> --- a/include/linux/bpf.h
> +++ b/include/linux/bpf.h
> @@ -1024,9 +1024,7 @@ static inline void bpf_module_put(const void *data, struct
> module *owner)
> 
>   #ifdef CONFIG_NET
>   /* Define it here to avoid the use of forward declaration */
> -struct bpf_dummy_ops_state {
> -       int val;
> -};
> +struct bpf_dummy_ops_state;
> 
>   struct bpf_dummy_ops {
>          int (*test_1)(struct bpf_dummy_ops_state *cb);
> diff --git a/net/bpf/bpf_dummy_struct_ops.c b/net/bpf/bpf_dummy_struct_ops.c
> index fbc896323bec..2beb755b5806 100644
> --- a/net/bpf/bpf_dummy_struct_ops.c
> +++ b/net/bpf/bpf_dummy_struct_ops.c
> @@ -9,6 +9,10 @@
> 
>   extern struct bpf_struct_ops bpf_bpf_dummy_ops;
> 
> +struct bpf_dummy_ops_state {
> +       int val;
> +};
> +
>   /* A common type for test_N with return value in bpf_dummy_ops */
>   typedef int (*dummy_ops_test_ret_fn)(struct bpf_dummy_ops_state *state, ...);
> 
> 
> The following is the output of vmliux btf dump. We can see that it does
> have the definition of bpf_dummy_ops_state.
> 
> # bpftool btf dump id 1 | grep "test_1\|bpf_dummy_ops_state" -A 6 -B 1
> [29190] STRUCT 'bpf_dummy_ops' size=16 vlen=2
>          'test_1' type_id=29194 bits_offset=0
>          'test_2' type_id=29196 bits_offset=64
> [29191] FUNC_PROTO '(anon)' ret_type_id=21 vlen=1
>          '(anon)' type_id=29192
> [29192] PTR '(anon)' type_id=29193
> [29193] FWD 'bpf_dummy_ops_state' fwd_kind=struct
> [29194] PTR '(anon)' type_id=29191
> 
> --
> [106565] STRUCT 'bpf_dummy_ops_state' size=4 vlen=1
>          'val' type_id=21 bits_offset=0
> [106566] TYPEDEF 'dummy_ops_test_ret_fn' type_id=106567
> [106567] PTR '(anon)' type_id=106568
> 
> And the definition of bpf_dummy_ops_state comes from
> bpf_dummy_struct_ops.o:
> 
> # pahole -JV build/net/bpf/bpf_dummy_struct_ops.o | grep bpf_dummy_ops_state
> [1910] STRUCT bpf_dummy_ops_state size=4

Thanks for the detailed information. It appears that current dedup 
didn't handle such a pattern.

Andrii provided the following excellent explanation.

=====
it does when you have two copies of the same struct and one of its field 
points to FWD in one copy and concrete STRUCT/UNION in another one
we don't resolve FWDs by name
there needs to be more type information available
so if you have

struct A;
struct B {
	struct A *a;
};

in one file

and

struct A { int xyz; }
struct B { struct A * a; }

in another

then BTF dedup will actually resolve struct A FWD in first file to point 
to real struct A from second file but if it's just first file in 
isolation, struct A will stay FWD, even if second file has a complete 
struct A { int xyz; } definition (but no struct B)

=====

So FWD resolution to actual structure is done due deduplication and
libbpf does not proactively resolve FWD based on matching names.

If there is nothing to dedup, which typically means you can put
the actual definition before the "forward"-decl usage and in this
case we should be fine. This is also exactly what you did in the
final code.

> 
>>
>>>
>>> Regards,
>>> Tao
>>>
>> .
> 