From: Martin Lau
To: Alexei Starovoitov
CC: "netdev@vger.kernel.org", Alexei Starovoitov, Daniel Borkmann, Kernel Team, Joe Stringer
Subject: Re: [PATCH bpf] bpf: Fix narrow load on a bpf_sock returned from sk_lookup()
Date: Sun, 10 Feb 2019 07:15:17 +0000
Message-ID: <20190210071513.o56emdqcb23xtng3@kafai-mbp.dhcp.thefacebook.com>
In-Reply-To: <20190210040241.wtsldfavw2vk3afv@ast-mbp>
X-Mailing-List: netdev@vger.kernel.org

On Sat, Feb 09, 2019 at 08:02:43PM -0800, Alexei Starovoitov wrote:
> On Fri, Feb 08, 2019 at 10:25:54PM -0800, Martin KaFai Lau wrote:
> > By adding this test to test_verifier:
> > {
> > 	"reference tracking: access sk->src_ip4 (narrow load)",
> > 	.insns = {
> > 	BPF_SK_LOOKUP,
> > 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
> > 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
> > 	BPF_LDX_MEM(BPF_H, BPF_REG_2, BPF_REG_0, offsetof(struct bpf_sock, src_ip4) + 2),
> > 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
> > 	BPF_EMIT_CALL(BPF_FUNC_sk_release),
> > 	BPF_EXIT_INSN(),
> > 	},
> > 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
> > 	.result = ACCEPT,
> > },
> >
> > The above test loads 2 bytes from sk->src_ip4 where
> > sk is obtained by bpf_sk_lookup_tcp().
> >
> > It hits an internal verifier error from convert_ctx_accesses():
> > [root@arch-fb-vm1 bpf]# ./test_verifier 665 665
> > Failed to load prog 'Invalid argument'!
> > 0: (b7) r2 = 0
> > 1: (63) *(u32 *)(r10 -8) = r2
> > 2: (7b) *(u64 *)(r10 -16) = r2
> > 3: (7b) *(u64 *)(r10 -24) = r2
> > 4: (7b) *(u64 *)(r10 -32) = r2
> > 5: (7b) *(u64 *)(r10 -40) = r2
> > 6: (7b) *(u64 *)(r10 -48) = r2
> > 7: (bf) r2 = r10
> > 8: (07) r2 += -48
> > 9: (b7) r3 = 36
> > 10: (b7) r4 = 0
> > 11: (b7) r5 = 0
> > 12: (85) call bpf_sk_lookup_tcp#84
> > 13: (bf) r6 = r0
> > 14: (15) if r0 == 0x0 goto pc+3
> >  R0=sock(id=1,off=0,imm=0) R6=sock(id=1,off=0,imm=0) R10=fp0,call_-1 fp-8=????0000 fp-16=0000mmmm fp-24=mmmmmmmm fp-32=mmmmmmmm fp-40=mmmmmmmm fp-48=mmmmmmmm refs=1
> > 15: (69) r2 = *(u16 *)(r0 +26)
> > 16: (bf) r1 = r6
> > 17: (85) call bpf_sk_release#86
> > 18: (95) exit
> >
> > from 14 to 18: safe
> > processed 20 insns (limit 131072), stack depth 48
> > bpf verifier is misconfigured
> > Summary: 0 PASSED, 0 SKIPPED, 1 FAILED
> >
> > The bpf_sock_is_valid_access() is expecting src_ip4 can be narrowly
> > loaded (meaning load any 1 or 2 bytes of the src_ip4) by
> > marking info->ctx_field_size. However, this marked
> > ctx_field_size is not used. This patch fixes it.
> >
> > Due to the recent refactoring in test_verifier,
> > this new test will be added to the bpf-next branch
> > (together with the bpf_tcp_sock patchset)
> > to avoid merge conflict.
> >
> > Fixes: c64b7983288e ("bpf: Add PTR_TO_SOCKET verifier type")
> > Cc: Joe Stringer
> > Signed-off-by: Martin KaFai Lau
>
> Applied to bpf tree. Thanks!
>
> Martin, if your is_fullsock work depends on it, I can apply the fix
> to bpf-next as well. Just let me know.

Yes, the is_fullsock work depends on it.
I should have mentioned it in this commit log.
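
What "narrow load" means for the src_ip4 case in the quoted commit message, as an added example that is not part of this thread or of the kernel patch: a user-space C model in which a 1- or 2-byte read inside the 4-byte field is served from a full-width load of the field by shift and mask. The names sock_view, narrow_load and narrow_matches are hypothetical, and the sample address value is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the leading fields of struct bpf_sock; src_ip4
 * sits at offset 24, so the test's "+ 2" is the "r0 +26" in the log. */
struct sock_view {
	uint32_t bound_dev_if, family, type, protocol, mark, priority;
	uint32_t src_ip4;
};

/* Hypothetical model of a narrow load: accept an aligned 1-, 2- or 4-byte
 * read inside one 4-byte field, then serve it from a full-width load of the
 * field by shifting and masking. Returns the value, or -1 if rejected. */
static int64_t narrow_load(const void *ctx, size_t off, size_t size,
			   size_t field_off)
{
	const uint16_t probe = 1;	/* first byte is 1 on little-endian */
	uint32_t full;
	size_t pos, shift;

	if ((size != 1 && size != 2 && size != 4) || off % size ||
	    off < field_off || off + size > field_off + sizeof(full))
		return -1;
	memcpy(&full, (const uint8_t *)ctx + field_off, sizeof(full));
	pos = off - field_off;
	/* Byte 0 of the field is the low byte on little-endian, high on big. */
	shift = *(const uint8_t *)&probe ? pos : sizeof(full) - (pos + size);
	full >>= shift * 8;
	full &= 0xffffffffu >> (32 - size * 8);
	return full;
}

/* Constructed sample: the narrow value, stored back at its native width,
 * must equal the bytes a direct load at that offset would read. */
static int narrow_matches(size_t delta, size_t size)
{
	struct sock_view sk = { .src_ip4 = 0x0a0b0c0dU };
	size_t f = offsetof(struct sock_view, src_ip4);
	int64_t v = narrow_load(&sk, f + delta, size, f);
	uint8_t b = (uint8_t)v;
	uint16_t h = (uint16_t)v;
	uint32_t w = (uint32_t)v;
	const void *n = size == 1 ? (void *)&b : size == 2 ? (void *)&h : (void *)&w;

	return v >= 0 && memcmp(n, (uint8_t *)&sk + f + delta, size) == 0;
}

int main(void) { return narrow_matches(2, 2) ? 0 : 1; }
```

narrow_matches(2, 2) is the access from the test case above (2 bytes at offsetof(src_ip4) + 2); misaligned reads and reads that cross the end of the field are rejected rather than served.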