lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <n64nphqug6spftbr36tgf32qv5lipvugevyabcvrnefgarut4s@uymc5hm5jsq2>
Date:   Fri, 1 Dec 2023 17:13:42 -0700
From:   Daniel Xu <dxu@...uu.xyz>
To:     Andrii Nakryiko <andrii.nakryiko@...il.com>
Cc:     ndesaulniers@...gle.com, daniel@...earbox.net, nathan@...nel.org,
        ast@...nel.org, andrii@...nel.org, steffen.klassert@...unet.com,
        antony.antony@...unet.com, alexei.starovoitov@...il.com,
        yonghong.song@...ux.dev, eddyz87@...il.com, martin.lau@...ux.dev,
        song@...nel.org, john.fastabend@...il.com, kpsingh@...nel.org,
        sdf@...gle.com, haoluo@...gle.com, jolsa@...nel.org,
        trix@...hat.com, bpf@...r.kernel.org, linux-kernel@...r.kernel.org,
        llvm@...ts.linux.dev, devel@...ux-ipsec.org,
        netdev@...r.kernel.org, Jonathan Lemon <jlemon@...atrix.com>
Subject: Re: [PATCH ipsec-next v3 3/9] libbpf: Add BPF_CORE_WRITE_BITFIELD()
 macro

On Fri, Dec 01, 2023 at 03:49:30PM -0800, Andrii Nakryiko wrote:
> On Fri, Dec 1, 2023 at 12:24 PM Daniel Xu <dxu@...uu.xyz> wrote:
> >
> > === Motivation ===
> >
> > Similar to reading from CO-RE bitfields, we need a CO-RE aware bitfield
> > writing wrapper to make the verifier happy.
> >
> > Two alternatives to this approach are:
> >
> > 1. Use the upcoming `preserve_static_offset` [0] attribute to disable
> >    CO-RE on specific structs.
> > 2. Use broader byte-sized writes to write to bitfields.
> >
> > (1) is a bit hard to use. It requires specific and not-very-obvious
> > annotations to bpftool generated vmlinux.h. It's also not generally
> > available in released LLVM versions yet.
> >
> > (2) makes the code quite hard to read and write. And especially if
> > BPF_CORE_READ_BITFIELD() is already being used, it makes more sense to
> > to have an inverse helper for writing.
> >
> > === Implementation details ===
> >
> > Since the logic is a bit non-obvious, I thought it would be helpful
> > to explain exactly what's going on.
> >
> > To start, it helps by explaining what LSHIFT_U64 (lshift) and RSHIFT_U64
> > (rshift) is designed to mean. Consider the core of the
> > BPF_CORE_READ_BITFIELD() algorithm:
> >
> >         val <<= __CORE_RELO(s, field, LSHIFT_U64);
> >                 val = val >> __CORE_RELO(s, field, RSHIFT_U64);
> 
> nit: indentation is off?

Oops, it's cuz I only deleted the SIGNED check. Will fix.
> 
> >
> > Basically what happens is we lshift to clear the non-relevant (blank)
> > higher order bits. Then we rshift to bring the relevant bits (bitfield)
> > down to LSB position (while also clearing blank lower order bits). To
> > illustrate:
> >
> >         Start:    ........XXX......
> >         Lshift:   XXX......00000000
> >         Rshift:   00000000000000XXX
> >
> > where `.` means blank bit, `0` means 0 bit, and `X` means bitfield bit.
> >
> > After the two operations, the bitfield is ready to be interpreted as a
> > regular integer.
> >
> > Next, we want to build an alternative (but more helpful) mental model
> > on lshift and rshift. That is, to consider:
> >
> > * rshift as the total number of blank bits in the u64
> > * lshift as number of blank bits left of the bitfield in the u64
> >
> > Take a moment to consider why that is true by consulting the above
> > diagram.
> >
> > With this insight, we can how define the following relationship:
> >
> >               bitfield
> >                  _
> >                 | |
> >         0.....00XXX0...00
> >         |      |   |    |
> >         |______|   |    |
> >          lshift    |    |
> >                    |____|
> >               (rshift - lshift)
> >
> > That is, we know the number of higher order blank bits is just lshift.
> > And the number of lower order blank bits is (rshift - lshift).
> >
> 
> Nice diagrams and description, thanks!

Thanks!

> 
> > Finally, we can examine the core of the write side algorithm:
> >
> >         mask = (~0ULL << rshift) >> lshift;   // 1
> >         nval = new_val;                       // 2
> >         nval = (nval << rpad) & mask;         // 3
> >         val = (val & ~mask) | nval;           // 4
> >
> > (1): Compute a mask where the set bits are the bitfield bits. The first
> >      left shift zeros out exactly the number of blank bits, leaving a
> >      bitfield sized set of 1s. The subsequent right shift inserts the
> >      correct amount of higher order blank bits.
> > (2): Place the new value into a word sized container, nval.
> > (3): Place nval at the correct bit position and mask out blank bits.
> > (4): Mix the bitfield in with original surrounding blank bits.
> >
> > [0]: https://reviews.llvm.org/D133361
> > Co-authored-by: Eduard Zingerman <eddyz87@...il.com>
> > Signed-off-by: Eduard Zingerman <eddyz87@...il.com>
> > Co-authored-by: Jonathan Lemon <jlemon@...atrix.com>
> > Signed-off-by: Jonathan Lemon <jlemon@...atrix.com>
> > Signed-off-by: Daniel Xu <dxu@...uu.xyz>
> > ---
> >  tools/lib/bpf/bpf_core_read.h | 34 ++++++++++++++++++++++++++++++++++
> >  1 file changed, 34 insertions(+)
> >
> > diff --git a/tools/lib/bpf/bpf_core_read.h b/tools/lib/bpf/bpf_core_read.h
> > index 1ac57bb7ac55..a7ffb80e3539 100644
> > --- a/tools/lib/bpf/bpf_core_read.h
> > +++ b/tools/lib/bpf/bpf_core_read.h
> > @@ -111,6 +111,40 @@ enum bpf_enum_value_kind {
> >         val;                                                                  \
> >  })
> >
> > +/*
> > + * Write to a bitfield, identified by s->field.
> > + * This is the inverse of BPF_CORE_WRITE_BITFIELD().
> > + */
> > +#define BPF_CORE_WRITE_BITFIELD(s, field, new_val) ({                  \
> > +       void *p = (void *)s + __CORE_RELO(s, field, BYTE_OFFSET);       \
> > +       unsigned int byte_size = __CORE_RELO(s, field, BYTE_SIZE);      \
> > +       unsigned int lshift = __CORE_RELO(s, field, LSHIFT_U64);        \
> > +       unsigned int rshift = __CORE_RELO(s, field, RSHIFT_U64);        \
> > +       unsigned int rpad = rshift - lshift;                            \
> > +       unsigned long long nval, mask, val;                             \
> > +                                                                       \
> > +       asm volatile("" : "+r"(p));                                     \
> > +                                                                       \
> > +       switch (byte_size) {                                            \
> > +       case 1: val = *(unsigned char *)p; break;                       \
> > +       case 2: val = *(unsigned short *)p; break;                      \
> > +       case 4: val = *(unsigned int *)p; break;                        \
> > +       case 8: val = *(unsigned long long *)p; break;                  \
> > +       }                                                               \
> > +                                                                       \
> > +       mask = (~0ULL << rshift) >> lshift;                             \
> > +       nval = new_val;                                                 \
> > +       nval = (nval << rpad) & mask;                                   \
> > +       val = (val & ~mask) | nval;                                     \
> 
> I'd simplify it to not need nval at all
> 
> val = (val & ~mask) | ((new_val << rpad) & mask);
> 
> I actually find it easier to follow and make sure we are not doing
> anything unexpected. First part before |, we take old value and clear
> bits we are about to set, second part after |, we take bitfield value,
> shift it in position, and just in case mask it out if it's too big to
> fit. Combine, done.
> 
> Other than that, it looks good.

I mostly left it there for the cast. Cuz injecting the `unsigned long
long` cast made the line really long. How about this instead?

diff --git a/tools/lib/bpf/bpf_core_read.h b/tools/lib/bpf/bpf_core_read.h
index a7ffb80e3539..7325a12692a3 100644
--- a/tools/lib/bpf/bpf_core_read.h
+++ b/tools/lib/bpf/bpf_core_read.h
@@ -120,8 +120,8 @@ enum bpf_enum_value_kind {
        unsigned int byte_size = __CORE_RELO(s, field, BYTE_SIZE);      \
        unsigned int lshift = __CORE_RELO(s, field, LSHIFT_U64);        \
        unsigned int rshift = __CORE_RELO(s, field, RSHIFT_U64);        \
+       unsigned long long mask, val, nval = new_val;                   \
        unsigned int rpad = rshift - lshift;                            \
-       unsigned long long nval, mask, val;                             \
                                                                        \
        asm volatile("" : "+r"(p));                                     \
                                                                        \
@@ -133,9 +133,7 @@ enum bpf_enum_value_kind {
        }                                                               \
                                                                        \
        mask = (~0ULL << rshift) >> lshift;                             \
-       nval = new_val;                                                 \
-       nval = (nval << rpad) & mask;                                   \
-       val = (val & ~mask) | nval;                                     \
+       val = (val & ~mask) | ((nval << rpad) & mask);                  \
                                                                        \
        switch (byte_size) {                                            \
        case 1: *(unsigned char *)p      = val; break;                  \


Thanks,
Daniel

Powered by blists - more mailing lists