From: Song Liu
Date: Wed, 29 Jul 2020 14:30:27 -0700
Subject: Re: [bpf PATCH v2 2/5] bpf: sock_ops sk access may stomp registers when dst_reg = src_reg
To: John Fastabend
Cc: Martin KaFai Lau, Daniel Borkmann, Alexei Starovoitov, Networking, bpf
In-Reply-To: <159603979365.4454.14002555655802904027.stgit@john-Precision-5820-Tower>
X-Mailing-List: bpf@vger.kernel.org

On Wed, Jul 29, 2020 at 9:25 AM John Fastabend wrote:
>
> Similar to patch ("bpf: sock_ops ctx access may stomp registers") if the
> src_reg = dst_reg when reading the sk field of a sock_ops struct we
> generate xlated code,
>
>  53: (61) r9 = *(u32 *)(r9 +28)
>  54: (15) if r9 == 0x0 goto pc+3
>  56: (79) r9 = *(u64 *)(r9 +0)
>
> This stomps on the r9 reg to do the sk_fullsock check and then when
> reading the skops->sk field instead of the sk pointer we get the
> sk_fullsock. To fix, use the similar pattern noted in the previous fix
> and use the temp field to save/restore a register used to do the
> sk_fullsock check.
>
> After the fix the generated xlated code reads,
>
>  52: (7b) *(u64 *)(r9 +32) = r8
>  53: (61) r8 = *(u32 *)(r9 +28)
>  54: (15) if r9 == 0x0 goto pc+3
>  55: (79) r8 = *(u64 *)(r9 +32)
>  56: (79) r9 = *(u64 *)(r9 +0)
>  57: (05) goto pc+1
>  58: (79) r8 = *(u64 *)(r9 +32)
>
> Here r9 register was in-use so r8 is chosen as the temporary register.
> In line 52 r8 is saved in temp variable and at line 54 restored in case
> fullsock != 0. Finally we handle fullsock == 0 case by restoring at
> line 58.
>
> This adds a new macro SOCK_OPS_GET_SK; it is almost possible to merge
> this with SOCK_OPS_GET_FIELD, but I found the extra branch logic a
> bit more confusing than just adding a new macro despite a bit of
> duplicated code.
>
> Fixes: 1314ef561102e ("bpf: export bpf_sock for BPF_PROG_TYPE_SOCK_OPS prog type")
> Signed-off-by: John Fastabend

Acked-by: Song Liu

[...]
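To make the register stomp in the quoted commit message concrete, here is an added example that is not part of this thread, the patch, or the kernel: a small emulator that builds the "dst = skops->sk" instruction sequence both in the original form and in the save/restore form the patch describes, then runs each against a constructed ctx. The field offsets (sk at +0, is_fullsock at +28, temp at +32) are taken from the xlated listing above; the jump distances, the choice of r8 as the temporary register, the fake socket pointer, and the decision to branch on the register just loaded with is_fullsock are assumptions made here. It goes slightly beyond the message by also running the original pattern with dst_reg != src_reg, to show that the stomp only occurs when the two registers coincide.

```c
/* Added example, not kernel code: emulate the two xlated sequences quoted
 * above.  Field offsets follow the listing (sk +0, is_fullsock +28, temp +32);
 * everything else here is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OFF_SK        0
#define OFF_FULLSOCK  28
#define OFF_TEMP      32
#define CTX_SIZE      40
#define SK_VALUE      0xffff888000001000ULL  /* fake sk pointer stored in ctx */
#define BYSTANDER     0x1234ULL              /* value r8 holds before the access */

enum op { LDX32, LDX64, STX64, JEQ_IMM, JA };
struct insn { enum op op; int dst; int src; int off; int64_t imm; };
struct outcome { int rc; uint64_t dst; uint64_t tmp; };

/* Instructions for "dst = skops->sk" with the ctx pointer in src.  fixed == 0
 * is the original pattern; fixed != 0 with dst == src is the save/restore
 * pattern from the patch.  Jump distances and the temp register are ours. */
static int emit_get_sk(struct insn *p, int dst, int src, int fixed)
{
    int n = 0, tmp = dst == 9 ? 8 : 9;   /* a register the access does not use */
    if (!fixed || dst != src) {
        p[n++] = (struct insn){ LDX32, dst, src, OFF_FULLSOCK, 0 }; /* dst = is_fullsock */
        p[n++] = (struct insn){ JEQ_IMM, dst, 0, 1, 0 };            /* !fullsock: skip load */
        p[n++] = (struct insn){ LDX64, dst, src, OFF_SK, 0 };       /* dst = sk; src is gone if dst == src */
        return n;
    }
    p[n++] = (struct insn){ STX64, src, tmp, OFF_TEMP, 0 };     /* ctx->temp = tmp */
    p[n++] = (struct insn){ LDX32, tmp, src, OFF_FULLSOCK, 0 }; /* tmp = is_fullsock */
    p[n++] = (struct insn){ JEQ_IMM, tmp, 0, 3, 0 };            /* !fullsock: jump to last restore */
    p[n++] = (struct insn){ LDX64, tmp, src, OFF_TEMP, 0 };     /* tmp = ctx->temp */
    p[n++] = (struct insn){ LDX64, dst, src, OFF_SK, 0 };       /* dst = sk; src still the ctx */
    p[n++] = (struct insn){ JA, 0, 0, 1, 0 };
    p[n++] = (struct insn){ LDX64, tmp, src, OFF_TEMP, 0 };     /* tmp = ctx->temp */
    return n;
}

/* Minimal interpreter.  Any load or store that lands outside ctx, such as a
 * load through a register that now holds is_fullsock instead of the ctx
 * pointer, returns -1. */
static int run(const struct insn *prog, int n, uint64_t regs[11], uint8_t *ctx)
{
    uintptr_t base = (uintptr_t)ctx;
    for (int pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        int store = i->op == STX64, width = i->op == LDX32 ? 4 : 8;
        uintptr_t addr;
        if (i->op == JA || (i->op == JEQ_IMM && regs[i->dst] == (uint64_t)i->imm)) {
            pc += i->off;       /* relative to the next instruction, as in BPF */
            continue;
        }
        if (i->op == JEQ_IMM)
            continue;
        addr = (uintptr_t)regs[store ? i->dst : i->src] + i->off;
        if (addr < base || addr + width > base + CTX_SIZE)
            return -1;
        if (store) {
            memcpy(ctx + (addr - base), &regs[i->src], 8);
        } else if (width == 4) {
            uint32_t v;
            memcpy(&v, ctx + (addr - base), 4);
            regs[i->dst] = v;   /* 32-bit loads zero-extend */
        } else {
            memcpy(&regs[i->dst], ctx + (addr - base), 8);
        }
    }
    return 0;
}

/* Build a constructed ctx, point src at it, set r8 = BYSTANDER, run one
 * access, and report the status plus the final dst and r8 values. */
static struct outcome access_sk(int dst, int src, int fixed, uint32_t is_fullsock)
{
    uint8_t ctx[CTX_SIZE] = { 0 };
    uint64_t regs[11] = { 0 }, sk = SK_VALUE;
    struct insn prog[8];
    struct outcome o;
    memcpy(ctx + OFF_SK, &sk, sizeof sk);
    memcpy(ctx + OFF_FULLSOCK, &is_fullsock, sizeof is_fullsock);
    regs[8] = BYSTANDER;
    regs[src] = (uint64_t)(uintptr_t)ctx;
    o.rc = run(prog, emit_get_sk(prog, dst, src, fixed), regs, ctx);
    o.dst = regs[dst];
    o.tmp = regs[8];
    return o;
}

int main(void)
{
    struct outcome a = access_sk(9, 9, 0, 1), b = access_sk(9, 9, 1, 1);
    printf("original, r9 via r9: rc=%d (ctx pointer stomped before the sk load)\n", a.rc);
    printf("fixed,    r9 via r9: rc=%d r9=%#llx r8=%#llx\n", b.rc,
           (unsigned long long)b.dst, (unsigned long long)b.tmp);
    return 0;
}
```

With dst_reg == src_reg and the original pattern, the first load replaces the ctx pointer in r9 with the is_fullsock value, so the second load dereferences that flag rather than the ctx and the emulator rejects it; the same pattern with a distinct src_reg, and the save/restore pattern with a shared register, both yield the sk pointer in r9 and leave r8 at its prior value on both the fullsock and not-fullsock paths.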