lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <n64nphqug6spftbr36tgf32qv5lipvugevyabcvrnefgarut4s@uymc5hm5jsq2> Date: Fri, 1 Dec 2023 17:13:42 -0700 From: Daniel Xu <dxu@...uu.xyz> To: Andrii Nakryiko <andrii.nakryiko@...il.com> Cc: ndesaulniers@...gle.com, daniel@...earbox.net, nathan@...nel.org, ast@...nel.org, andrii@...nel.org, steffen.klassert@...unet.com, antony.antony@...unet.com, alexei.starovoitov@...il.com, yonghong.song@...ux.dev, eddyz87@...il.com, martin.lau@...ux.dev, song@...nel.org, john.fastabend@...il.com, kpsingh@...nel.org, sdf@...gle.com, haoluo@...gle.com, jolsa@...nel.org, trix@...hat.com, bpf@...r.kernel.org, linux-kernel@...r.kernel.org, llvm@...ts.linux.dev, devel@...ux-ipsec.org, netdev@...r.kernel.org, Jonathan Lemon <jlemon@...atrix.com> Subject: Re: [PATCH ipsec-next v3 3/9] libbpf: Add BPF_CORE_WRITE_BITFIELD() macro On Fri, Dec 01, 2023 at 03:49:30PM -0800, Andrii Nakryiko wrote: > On Fri, Dec 1, 2023 at 12:24 PM Daniel Xu <dxu@...uu.xyz> wrote: > > > > === Motivation === > > > > Similar to reading from CO-RE bitfields, we need a CO-RE aware bitfield > > writing wrapper to make the verifier happy. > > > > Two alternatives to this approach are: > > > > 1. Use the upcoming `preserve_static_offset` [0] attribute to disable > > CO-RE on specific structs. > > 2. Use broader byte-sized writes to write to bitfields. > > > > (1) is a bit hard to use. It requires specific and not-very-obvious > > annotations to bpftool generated vmlinux.h. It's also not generally > > available in released LLVM versions yet. > > > > (2) makes the code quite hard to read and write. And especially if > > BPF_CORE_READ_BITFIELD() is already being used, it makes more sense to > > to have an inverse helper for writing. > > > > === Implementation details === > > > > Since the logic is a bit non-obvious, I thought it would be helpful > > to explain exactly what's going on. > > > > To start, it helps by explaining what LSHIFT_U64 (lshift) and RSHIFT_U64 > > (rshift) is designed to mean. Consider the core of the > > BPF_CORE_READ_BITFIELD() algorithm: > > > > val <<= __CORE_RELO(s, field, LSHIFT_U64); > > val = val >> __CORE_RELO(s, field, RSHIFT_U64); > > nit: indentation is off? Oops, it's cuz I only deleted the SIGNED check. Will fix. > > > > > Basically what happens is we lshift to clear the non-relevant (blank) > > higher order bits. Then we rshift to bring the relevant bits (bitfield) > > down to LSB position (while also clearing blank lower order bits). To > > illustrate: > > > > Start: ........XXX...... > > Lshift: XXX......00000000 > > Rshift: 00000000000000XXX > > > > where `.` means blank bit, `0` means 0 bit, and `X` means bitfield bit. > > > > After the two operations, the bitfield is ready to be interpreted as a > > regular integer. > > > > Next, we want to build an alternative (but more helpful) mental model > > on lshift and rshift. That is, to consider: > > > > * rshift as the total number of blank bits in the u64 > > * lshift as number of blank bits left of the bitfield in the u64 > > > > Take a moment to consider why that is true by consulting the above > > diagram. > > > > With this insight, we can how define the following relationship: > > > > bitfield > > _ > > | | > > 0.....00XXX0...00 > > | | | | > > |______| | | > > lshift | | > > |____| > > (rshift - lshift) > > > > That is, we know the number of higher order blank bits is just lshift. > > And the number of lower order blank bits is (rshift - lshift). > > > > Nice diagrams and description, thanks! Thanks! > > > Finally, we can examine the core of the write side algorithm: > > > > mask = (~0ULL << rshift) >> lshift; // 1 > > nval = new_val; // 2 > > nval = (nval << rpad) & mask; // 3 > > val = (val & ~mask) | nval; // 4 > > > > (1): Compute a mask where the set bits are the bitfield bits. The first > > left shift zeros out exactly the number of blank bits, leaving a > > bitfield sized set of 1s. The subsequent right shift inserts the > > correct amount of higher order blank bits. > > (2): Place the new value into a word sized container, nval. > > (3): Place nval at the correct bit position and mask out blank bits. > > (4): Mix the bitfield in with original surrounding blank bits. > > > > [0]: https://reviews.llvm.org/D133361 > > Co-authored-by: Eduard Zingerman <eddyz87@...il.com> > > Signed-off-by: Eduard Zingerman <eddyz87@...il.com> > > Co-authored-by: Jonathan Lemon <jlemon@...atrix.com> > > Signed-off-by: Jonathan Lemon <jlemon@...atrix.com> > > Signed-off-by: Daniel Xu <dxu@...uu.xyz> > > --- > > tools/lib/bpf/bpf_core_read.h | 34 ++++++++++++++++++++++++++++++++++ > > 1 file changed, 34 insertions(+) > > > > diff --git a/tools/lib/bpf/bpf_core_read.h b/tools/lib/bpf/bpf_core_read.h > > index 1ac57bb7ac55..a7ffb80e3539 100644 > > --- a/tools/lib/bpf/bpf_core_read.h > > +++ b/tools/lib/bpf/bpf_core_read.h > > @@ -111,6 +111,40 @@ enum bpf_enum_value_kind { > > val; \ > > }) > > > > +/* > > + * Write to a bitfield, identified by s->field. > > + * This is the inverse of BPF_CORE_WRITE_BITFIELD(). > > + */ > > +#define BPF_CORE_WRITE_BITFIELD(s, field, new_val) ({ \ > > + void *p = (void *)s + __CORE_RELO(s, field, BYTE_OFFSET); \ > > + unsigned int byte_size = __CORE_RELO(s, field, BYTE_SIZE); \ > > + unsigned int lshift = __CORE_RELO(s, field, LSHIFT_U64); \ > > + unsigned int rshift = __CORE_RELO(s, field, RSHIFT_U64); \ > > + unsigned int rpad = rshift - lshift; \ > > + unsigned long long nval, mask, val; \ > > + \ > > + asm volatile("" : "+r"(p)); \ > > + \ > > + switch (byte_size) { \ > > + case 1: val = *(unsigned char *)p; break; \ > > + case 2: val = *(unsigned short *)p; break; \ > > + case 4: val = *(unsigned int *)p; break; \ > > + case 8: val = *(unsigned long long *)p; break; \ > > + } \ > > + \ > > + mask = (~0ULL << rshift) >> lshift; \ > > + nval = new_val; \ > > + nval = (nval << rpad) & mask; \ > > + val = (val & ~mask) | nval; \ > > I'd simplify it to not need nval at all > > val = (val & ~mask) | ((new_val << rpad) & mask); > > I actually find it easier to follow and make sure we are not doing > anything unexpected. First part before |, we take old value and clear > bits we are about to set, second part after |, we take bitfield value, > shift it in position, and just in case mask it out if it's too big to > fit. Combine, done. > > Other than that, it looks good. I mostly left it there for the cast. Cuz injecting the `unsigned long long` cast made the line really long. How about this instead? diff --git a/tools/lib/bpf/bpf_core_read.h b/tools/lib/bpf/bpf_core_read.h index a7ffb80e3539..7325a12692a3 100644 --- a/tools/lib/bpf/bpf_core_read.h +++ b/tools/lib/bpf/bpf_core_read.h @@ -120,8 +120,8 @@ enum bpf_enum_value_kind { unsigned int byte_size = __CORE_RELO(s, field, BYTE_SIZE); \ unsigned int lshift = __CORE_RELO(s, field, LSHIFT_U64); \ unsigned int rshift = __CORE_RELO(s, field, RSHIFT_U64); \ + unsigned long long mask, val, nval = new_val; \ unsigned int rpad = rshift - lshift; \ - unsigned long long nval, mask, val; \ \ asm volatile("" : "+r"(p)); \ \ @@ -133,9 +133,7 @@ enum bpf_enum_value_kind { } \ \ mask = (~0ULL << rshift) >> lshift; \ - nval = new_val; \ - nval = (nval << rpad) & mask; \ - val = (val & ~mask) | nval; \ + val = (val & ~mask) | ((nval << rpad) & mask); \ \ switch (byte_size) { \ case 1: *(unsigned char *)p = val; break; \ Thanks, Daniel
Powered by blists - more mailing lists