BPF Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH bpf v2 1/2] bpf: support PTR_TO_MEM{,_OR_NULL} register spilling
@ 2021-01-13  5:38 Gilad Reti
  2021-01-13  5:38 ` [PATCH bpf v2 2/2] selftests/bpf: add verifier test for PTR_TO_MEM spill Gilad Reti
  2021-01-13 22:29 ` [PATCH bpf v2 1/2] bpf: support PTR_TO_MEM{,_OR_NULL} register spilling KP Singh
  0 siblings, 2 replies; 6+ messages in thread
From: Gilad Reti @ 2021-01-13  5:38 UTC (permalink / raw)
  To: bpf
  Cc: gilad.reti, Yonghong Song, Alexei Starovoitov, Daniel Borkmann,
	Andrii Nakryiko, Martin KaFai Lau, Song Liu, John Fastabend,
	KP Singh, Shuah Khan, netdev, linux-kernel, linux-kselftest

Add support for pointer to mem register spilling, to allow the verifier
to track pointers to valid memory addresses. Such pointers are returned
for example by a successful call of the bpf_ringbuf_reserve helper.

The patch was partially contributed by CyberArk Software, Inc.

Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
Suggested-by: Yonghong Song <yhs@fb.com>
Signed-off-by: Gilad Reti <gilad.reti@gmail.com>
---
 kernel/bpf/verifier.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 17270b8404f1..36af69fac591 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2217,6 +2217,8 @@ static bool is_spillable_regtype(enum bpf_reg_type type)
 	case PTR_TO_RDWR_BUF:
 	case PTR_TO_RDWR_BUF_OR_NULL:
 	case PTR_TO_PERCPU_BTF_ID:
+	case PTR_TO_MEM:
+	case PTR_TO_MEM_OR_NULL:
 		return true;
 	default:
 		return false;
-- 
2.27.0


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH bpf v2 2/2] selftests/bpf: add verifier test for PTR_TO_MEM spill
  2021-01-13  5:38 [PATCH bpf v2 1/2] bpf: support PTR_TO_MEM{,_OR_NULL} register spilling Gilad Reti
@ 2021-01-13  5:38 ` Gilad Reti
  2021-01-13 16:05   ` Yonghong Song
  2021-01-13 22:29 ` [PATCH bpf v2 1/2] bpf: support PTR_TO_MEM{,_OR_NULL} register spilling KP Singh
  1 sibling, 1 reply; 6+ messages in thread
From: Gilad Reti @ 2021-01-13  5:38 UTC (permalink / raw)
  To: bpf
  Cc: gilad.reti, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
	Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend,
	KP Singh, Shuah Khan, netdev, linux-kernel, linux-kselftest

Add a test to check that the verifier is able to recognize spilling of
PTR_TO_MEM registers, by reserving a ringbuf buffer, forcing the spill
of a pointer holding the buffer address to the stack, filling it back 
in from the stack and writing to the memory area pointed by it.

The patch was partially contributed by CyberArk Software, Inc.

Signed-off-by: Gilad Reti <gilad.reti@gmail.com>
---
 tools/testing/selftests/bpf/test_verifier.c   | 12 +++++++-
 .../selftests/bpf/verifier/spill_fill.c       | 30 +++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
index 777a81404fdb..f8569f04064b 100644
--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -50,7 +50,7 @@
 #define MAX_INSNS	BPF_MAXINSNS
 #define MAX_TEST_INSNS	1000000
 #define MAX_FIXUPS	8
-#define MAX_NR_MAPS	20
+#define MAX_NR_MAPS	21
 #define MAX_TEST_RUNS	8
 #define POINTER_VALUE	0xcafe4all
 #define TEST_DATA_LEN	64
@@ -87,6 +87,7 @@ struct bpf_test {
 	int fixup_sk_storage_map[MAX_FIXUPS];
 	int fixup_map_event_output[MAX_FIXUPS];
 	int fixup_map_reuseport_array[MAX_FIXUPS];
+	int fixup_map_ringbuf[MAX_FIXUPS];
 	const char *errstr;
 	const char *errstr_unpriv;
 	uint32_t insn_processed;
@@ -640,6 +641,7 @@ static void do_test_fixup(struct bpf_test *test, enum bpf_prog_type prog_type,
 	int *fixup_sk_storage_map = test->fixup_sk_storage_map;
 	int *fixup_map_event_output = test->fixup_map_event_output;
 	int *fixup_map_reuseport_array = test->fixup_map_reuseport_array;
+	int *fixup_map_ringbuf = test->fixup_map_ringbuf;
 
 	if (test->fill_helper) {
 		test->fill_insns = calloc(MAX_TEST_INSNS, sizeof(struct bpf_insn));
@@ -817,6 +819,14 @@ static void do_test_fixup(struct bpf_test *test, enum bpf_prog_type prog_type,
 			fixup_map_reuseport_array++;
 		} while (*fixup_map_reuseport_array);
 	}
+	if (*fixup_map_ringbuf) {
+		map_fds[20] = create_map(BPF_MAP_TYPE_RINGBUF, 0,
+					   0, 4096);
+		do {
+			prog[*fixup_map_ringbuf].imm = map_fds[20];
+			fixup_map_ringbuf++;
+		} while (*fixup_map_ringbuf);
+	}
 }
 
 struct libcap {
diff --git a/tools/testing/selftests/bpf/verifier/spill_fill.c b/tools/testing/selftests/bpf/verifier/spill_fill.c
index 45d43bf82f26..0b943897aaf6 100644
--- a/tools/testing/selftests/bpf/verifier/spill_fill.c
+++ b/tools/testing/selftests/bpf/verifier/spill_fill.c
@@ -28,6 +28,36 @@
 	.result = ACCEPT,
 	.result_unpriv = ACCEPT,
 },
+{
+	"check valid spill/fill, ptr to mem",
+	.insns = {
+	/* reserve 8 byte ringbuf memory */
+	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+	BPF_LD_MAP_FD(BPF_REG_1, 0),
+	BPF_MOV64_IMM(BPF_REG_2, 8),
+	BPF_MOV64_IMM(BPF_REG_3, 0),
+	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve),
+	/* store a pointer to the reserved memory in R6 */
+	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
+	/* check whether the reservation was successful */
+	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
+	/* spill R6(mem) into the stack */
+	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
+	/* fill it back in R7 */
+	BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_10, -8),
+	/* should be able to access *(R7) = 0 */
+	BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 0),
+	/* submit the reserved ringbuf memory */
+	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
+	BPF_MOV64_IMM(BPF_REG_2, 0),
+	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_submit),
+	BPF_MOV64_IMM(BPF_REG_0, 0),
+	BPF_EXIT_INSN(),
+	},
+	.fixup_map_ringbuf = { 1 },
+	.result = ACCEPT,
+	.result_unpriv = ACCEPT,
+},
 {
 	"check corrupted spill/fill",
 	.insns = {
-- 
2.27.0


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH bpf v2 2/2] selftests/bpf: add verifier test for PTR_TO_MEM spill
  2021-01-13  5:38 ` [PATCH bpf v2 2/2] selftests/bpf: add verifier test for PTR_TO_MEM spill Gilad Reti
@ 2021-01-13 16:05   ` Yonghong Song
  2021-01-13 22:28     ` KP Singh
  0 siblings, 1 reply; 6+ messages in thread
From: Yonghong Song @ 2021-01-13 16:05 UTC (permalink / raw)
  To: Gilad Reti, bpf
  Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
	Martin KaFai Lau, Song Liu, John Fastabend, KP Singh, Shuah Khan,
	netdev, linux-kernel, linux-kselftest



On 1/12/21 9:38 PM, Gilad Reti wrote:
> Add a test to check that the verifier is able to recognize spilling of
> PTR_TO_MEM registers, by reserving a ringbuf buffer, forcing the spill
> of a pointer holding the buffer address to the stack, filling it back
> in from the stack and writing to the memory area pointed by it.
> 
> The patch was partially contributed by CyberArk Software, Inc.
> 
> Signed-off-by: Gilad Reti <gilad.reti@gmail.com>

I didn't verify result_unpriv = ACCEPT part. I think it is correct
by checking code.

Acked-by: Yonghong Song <yhs@fb.com>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH bpf v2 2/2] selftests/bpf: add verifier test for PTR_TO_MEM spill
  2021-01-13 16:05   ` Yonghong Song
@ 2021-01-13 22:28     ` KP Singh
  0 siblings, 0 replies; 6+ messages in thread
From: KP Singh @ 2021-01-13 22:28 UTC (permalink / raw)
  To: Yonghong Song
  Cc: Gilad Reti, bpf, Alexei Starovoitov, Daniel Borkmann,
	Andrii Nakryiko, Martin KaFai Lau, Song Liu, John Fastabend,
	Shuah Khan, Networking, open list, linux-kselftest

On Wed, Jan 13, 2021 at 5:05 PM Yonghong Song <yhs@fb.com> wrote:
>
>
>
> On 1/12/21 9:38 PM, Gilad Reti wrote:
> > Add a test to check that the verifier is able to recognize spilling of
> > PTR_TO_MEM registers, by reserving a ringbuf buffer, forcing the spill
> > of a pointer holding the buffer address to the stack, filling it back
> > in from the stack and writing to the memory area pointed by it.
> >
> > The patch was partially contributed by CyberArk Software, Inc.
> >
> > Signed-off-by: Gilad Reti <gilad.reti@gmail.com>
>
> I didn't verify result_unpriv = ACCEPT part. I think it is correct
> by checking code.
>
> Acked-by: Yonghong Song <yhs@fb.com>

Thanks for the description!

Acked-by: KP Singh <kpsingh@kernel.org>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH bpf v2 1/2] bpf: support PTR_TO_MEM{,_OR_NULL} register spilling
  2021-01-13  5:38 [PATCH bpf v2 1/2] bpf: support PTR_TO_MEM{,_OR_NULL} register spilling Gilad Reti
  2021-01-13  5:38 ` [PATCH bpf v2 2/2] selftests/bpf: add verifier test for PTR_TO_MEM spill Gilad Reti
@ 2021-01-13 22:29 ` KP Singh
  2021-01-14  4:02   ` Alexei Starovoitov
  1 sibling, 1 reply; 6+ messages in thread
From: KP Singh @ 2021-01-13 22:29 UTC (permalink / raw)
  To: Gilad Reti
  Cc: bpf, Yonghong Song, Alexei Starovoitov, Daniel Borkmann,
	Andrii Nakryiko, Martin KaFai Lau, Song Liu, John Fastabend,
	Shuah Khan, Networking, open list, linux-kselftest

On Wed, Jan 13, 2021 at 6:38 AM Gilad Reti <gilad.reti@gmail.com> wrote:
>
> Add support for pointer to mem register spilling, to allow the verifier
> to track pointers to valid memory addresses. Such pointers are returned
> for example by a successful call of the bpf_ringbuf_reserve helper.
>
> The patch was partially contributed by CyberArk Software, Inc.
>
> Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
> Suggested-by: Yonghong Song <yhs@fb.com>
> Signed-off-by: Gilad Reti <gilad.reti@gmail.com>

Acked-by: KP Singh <kpsingh@kernel.org>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH bpf v2 1/2] bpf: support PTR_TO_MEM{,_OR_NULL} register spilling
  2021-01-13 22:29 ` [PATCH bpf v2 1/2] bpf: support PTR_TO_MEM{,_OR_NULL} register spilling KP Singh
@ 2021-01-14  4:02   ` Alexei Starovoitov
  0 siblings, 0 replies; 6+ messages in thread
From: Alexei Starovoitov @ 2021-01-14  4:02 UTC (permalink / raw)
  To: KP Singh
  Cc: Gilad Reti, bpf, Yonghong Song, Alexei Starovoitov,
	Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu,
	John Fastabend, Shuah Khan, Networking, open list,
	open list:KERNEL SELFTEST FRAMEWORK

On Wed, Jan 13, 2021 at 2:29 PM KP Singh <kpsingh@kernel.org> wrote:
>
> On Wed, Jan 13, 2021 at 6:38 AM Gilad Reti <gilad.reti@gmail.com> wrote:
> >
> > Add support for pointer to mem register spilling, to allow the verifier
> > to track pointers to valid memory addresses. Such pointers are returned
> > for example by a successful call of the bpf_ringbuf_reserve helper.
> >
> > The patch was partially contributed by CyberArk Software, Inc.
> >
> > Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
> > Suggested-by: Yonghong Song <yhs@fb.com>
> > Signed-off-by: Gilad Reti <gilad.reti@gmail.com>
>
> Acked-by: KP Singh <kpsingh@kernel.org>

It's a border line feature vs fix.
Since the patch is trivial and it addresses a real problem I've
applied to the bpf tree.
Thanks!

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, back to index

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-13  5:38 [PATCH bpf v2 1/2] bpf: support PTR_TO_MEM{,_OR_NULL} register spilling Gilad Reti
2021-01-13  5:38 ` [PATCH bpf v2 2/2] selftests/bpf: add verifier test for PTR_TO_MEM spill Gilad Reti
2021-01-13 16:05   ` Yonghong Song
2021-01-13 22:28     ` KP Singh
2021-01-13 22:29 ` [PATCH bpf v2 1/2] bpf: support PTR_TO_MEM{,_OR_NULL} register spilling KP Singh
2021-01-14  4:02   ` Alexei Starovoitov

BPF Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/bpf/0 bpf/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 bpf bpf/ https://lore.kernel.org/bpf \
		bpf@vger.kernel.org
	public-inbox-index bpf

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.bpf


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git