From: Song Liu <songliubraving@fb.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Alexei Starovoitov <ast@kernel.org>,
David Miller <davem@davemloft.net>,
"daniel@iogearbox.net" <daniel@iogearbox.net>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"bpf@vger.kernel.org" <bpf@vger.kernel.org>,
"Kernel Team" <Kernel-team@fb.com>
Subject: Re: [PATCH bpf-next 3/6] bpf: Introduce function-by-function verification
Date: Wed, 8 Jan 2020 21:24:55 +0000 [thread overview]
Message-ID: <8721D350-1733-4327-A702-0575BDE6BBF6@fb.com> (raw)
In-Reply-To: <20200108202043.bo6sdqe5i7lttgvp@ast-mbp>
> On Jan 8, 2020, at 12:20 PM, Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote:
>
> On Wed, Jan 08, 2020 at 07:10:59PM +0000, Song Liu wrote:
>>
>>
>>> On Jan 7, 2020, at 11:25 PM, Alexei Starovoitov <ast@kernel.org> wrote:
>>>
>>> New llvm and old llvm with libbpf help produce BTF that distinguish global and
>>> static functions. Unlike arguments of static function the arguments of global
>>> functions cannot be removed or optimized away by llvm. The compiler has to use
>>> exactly the arguments specified in a function prototype. The argument type
>>> information allows the verifier validate each global function independently.
>>> For now only supported argument types are pointer to context and scalars. In
>>> the future pointers to structures, sizes, pointer to packet data can be
>>> supported as well. Consider the following example:
>>
>> [...]
>>
>>> The type information and static/global kind is preserved after the verification
>>> hence in the above example global function f2() and f3() can be replaced later
>>> by equivalent functions with the same types that are loaded and verified later
>>> without affecting safety of this main() program. Such replacement (re-linking)
>>> of global functions is a subject of future patches.
>>>
>>> Signed-off-by: Alexei Starovoitov <ast@kernel.org>
>>> ---
>>> include/linux/bpf.h | 7 +-
>>> include/linux/bpf_verifier.h | 7 +-
>>> include/uapi/linux/btf.h | 6 +
>>> kernel/bpf/btf.c | 147 +++++++++++++++++-----
>>> kernel/bpf/verifier.c | 228 +++++++++++++++++++++++++++--------
>>> 5 files changed, 317 insertions(+), 78 deletions(-)
>>>
>>> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
>>> index b14e51d56a82..ceb5b6c13abc 100644
>>> --- a/include/linux/bpf.h
>>> +++ b/include/linux/bpf.h
>>> @@ -558,6 +558,7 @@ static inline void bpf_dispatcher_change_prog(struct bpf_dispatcher *d,
>>> #endif
>>>
>>> struct bpf_func_info_aux {
>>> + u32 linkage;
>>
>> How about we use u16 or even u8 for linkage? We are using BTF_INFO_VLEN() which
>> is 16-bit long. Maybe we should save some bits for future extensions?
>
> sure. u16 is fine.
> Will also introduce btf_func_kind() helper to avoid misleading BTF_INFO_VLEN macro.
>
>>> -int btf_check_func_arg_match(struct bpf_verifier_env *env, int subprog)
>>> +/* Compare BTF of a function with given bpf_reg_state */
>>> +int btf_check_func_arg_match(struct bpf_verifier_env *env, int subprog,
>>> + struct bpf_reg_state *reg)
>>
>> I think we need more comments for the retval of btf_check_func_arg_match().
>
> sure.
>
>>> {
>>> - struct bpf_verifier_state *st = env->cur_state;
>>> - struct bpf_func_state *func = st->frame[st->curframe];
>>> - struct bpf_reg_state *reg = func->regs;
>>> struct bpf_verifier_log *log = &env->log;
>>> struct bpf_prog *prog = env->prog;
>>> struct btf *btf = prog->aux->btf;
>> [...]
>>> +
>>> +/* Convert BTF of a function into bpf_reg_state if possible */
>>> +int btf_prepare_func_args(struct bpf_verifier_env *env, int subprog,
>>> + struct bpf_reg_state *reg)
>>> +{
>>> + struct bpf_verifier_log *log = &env->log;
>>> + struct bpf_prog *prog = env->prog;
>>> + struct btf *btf = prog->aux->btf;
>>> + const struct btf_param *args;
>>> + const struct btf_type *t;
>>> + u32 i, nargs, btf_id;
>>> + const char *tname;
>>> +
>>> + if (!prog->aux->func_info ||
>>> + prog->aux->func_info_aux[subprog].linkage != BTF_FUNC_GLOBAL) {
>>> + bpf_log(log, "Verifier bug\n");
>>
>> IIUC, this should never happen? Maybe we need more details in the log, and
>> maybe also WARN_ONCE()?
>
> Should never happen and I think it's pretty clear from the diff, since
> this function is called after == FUNC_GLOBAL check in the caller.
> I didn't add WARN to avoid wasting .text even more here.
> Single 'if' above already feels a bit overly defensive.
> It's not like other cases in the verifier where we have WARN_ONCE.
> Those are for complex things. Here it's one callsite and trivial control flow.
Agreed. Current check is good enough.
>
>>> + if (prog->aux->func_info_aux[subprog].unreliable) {
>>> + bpf_log(log, "Verifier bug in function %s()\n", tname);
>>> + return -EFAULT;
>>
>> Why -EFAULT instead of -EINVAL? I think we treat them the same?
>
> EFAULT is a verifier bug like in all other places in the verifier
> where EFAULT is returned. EINVAL is normal error.
Thanks for the explanation.
Song
next prev parent reply other threads:[~2020-01-08 21:25 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-08 7:25 [PATCH bpf-next 0/6] bpf: Introduce global functions Alexei Starovoitov
2020-01-08 7:25 ` [PATCH bpf-next 1/6] libbpf: Sanitize BTF_KIND_FUNC linkage Alexei Starovoitov
2020-01-08 17:35 ` Song Liu
2020-01-08 18:57 ` Yonghong Song
2020-01-08 20:12 ` Alexei Starovoitov
2020-01-08 7:25 ` [PATCH bpf-next 2/6] libbpf: Collect static vs global info about functions Alexei Starovoitov
2020-01-08 10:25 ` Toke Høiland-Jørgensen
2020-01-08 16:25 ` Yonghong Song
2020-01-09 8:50 ` Toke Høiland-Jørgensen
2020-01-08 17:57 ` Song Liu
2020-01-08 20:10 ` Alexei Starovoitov
2020-01-08 7:25 ` [PATCH bpf-next 3/6] bpf: Introduce function-by-function verification Alexei Starovoitov
2020-01-08 10:28 ` Toke Høiland-Jørgensen
2020-01-08 20:06 ` Alexei Starovoitov
2020-01-09 8:57 ` Toke Høiland-Jørgensen
2020-01-09 23:03 ` Alexei Starovoitov
2020-01-10 10:08 ` Toke Høiland-Jørgensen
2020-01-08 19:10 ` Song Liu
2020-01-08 20:20 ` Alexei Starovoitov
2020-01-08 21:24 ` Song Liu [this message]
2020-01-08 23:05 ` Alexei Starovoitov
2020-01-14 23:39 ` Stanislav Fomichev
2020-01-14 23:56 ` Andrii Nakryiko
2020-01-15 0:44 ` Stanislav Fomichev
2020-01-08 7:25 ` [PATCH bpf-next 4/6] selftests/bpf: Add fexit-to-skb test for global funcs Alexei Starovoitov
2020-01-08 19:15 ` Song Liu
2020-01-08 7:25 ` [PATCH bpf-next 5/6] selftests/bpf: Add a test for a large global function Alexei Starovoitov
2020-01-08 19:16 ` Song Liu
2020-01-08 19:17 ` Song Liu
2020-01-08 7:25 ` [PATCH bpf-next 6/6] selftests/bpf: Modify a test to check global functions Alexei Starovoitov
2020-01-08 19:18 ` Song Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8721D350-1733-4327-A702-0575BDE6BBF6@fb.com \
--to=songliubraving@fb.com \
--cc=Kernel-team@fb.com \
--cc=alexei.starovoitov@gmail.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).