| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 12 Feb 2024 19:20:53 +0100 From: Benjamin Tissoires <benjamin.tissoires@...hat.com> To: Toke Høiland-Jørgensen <toke@...hat.com> Cc: Benjamin Tissoires <bentiss@...nel.org>, Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, John Fastabend <john.fastabend@...il.com>, Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau <martin.lau@...ux.dev>, Eduard Zingerman <eddyz87@...il.com>, Song Liu <song@...nel.org>, Yonghong Song <yonghong.song@...ux.dev>, KP Singh <kpsingh@...nel.org>, Stanislav Fomichev <sdf@...gle.com>, Hao Luo <haoluo@...gle.com>, Jiri Olsa <jolsa@...nel.org>, Jiri Kosina <jikos@...nel.org>, Jonathan Corbet <corbet@....net>, Shuah Khan <shuah@...nel.org>, bpf@...r.kernel.org, linux-kernel@...r.kernel.org, linux-input@...r.kernel.org, linux-doc@...r.kernel.org, linux-kselftest@...r.kernel.org Subject: Re: [PATCH RFC bpf-next 0/9] allow HID-BPF to do device IOs On Mon, Feb 12, 2024 at 6:46 PM Toke Høiland-Jørgensen <toke@...hat.com> wrote: > > Benjamin Tissoires <benjamin.tissoires@...hat.com> writes: > > [...] > >> IIUC, the bpf_timer callback is just a function (subprog) from the > >> verifier PoV, so it is verified as whatever program type is creating the > >> timer. So in other words, as long as you setup the timer from inside a > >> tracing prog type, you should have access to all the same kfuncs, I > >> think? > > > > Yep, you are correct. But as mentioned above, I am now in trouble with > > the sleepable state: > > - I need to call timer_start() from a non sleepable tracing function > > (I'm in hard IRQ when dealing with a physical device) > > - but then, ideally, the callback function needs to be tagged as a > > sleepable one, so I can export my kfuncs which are doing kzalloc and > > device IO as such. > > > > However, I can not really teach the BPF verifier to do so: > > - it seems to check for the callback first when it is loaded, and > > there is no SEC() equivalent for static functions > > - libbpf doesn't have access to the callback as a prog as it has to be > > a static function, and thus isn't exported as a full-blown prog. > > - the verifier only checks for the callback when dealing with > > BPF_FUNC_timer_set_callback, which doesn't have a "flag" argument > > (though the validation of the callback has already been done while > > checking it first, so we are already too late to change the sleppable > > state of the callback) > > > > Right now, the only OK-ish version I have is declaring the kfunc as > > non-sleepable, but checking that we are in a different context than > > the IRQ of the initial event. This way, I am not crashing if this > > function is called from the initial IRQ, but will still crash if used > > outside of the hid context. > > > > This is not satisfactory, but I feel like it's going to be hard to > > teach the verifier that the callback function is sleepable in that > > case (maybe we could suffix the callback name, like we do for > > arguments, but this is not very clean either). > > The callback is only set once when the timer is first setup; I *think* > it works to do the setup (bpf_timer_init() and bpf_timer_set_callback()) > in the context you need (from a sleepable prog), but do the arming > (bpf_timer_start()) from a different program that is not itself sleepable? > Genius! It works, and I can just keep having them declared as a syscall kfunc, not as a tracing kfunc. But isn't this an issue outside of my use case? I mean, if the callback is assuming the environment for when it is set up but can be called from any context there seems to be a problem when 2 contexts are not equivalent, no?
Powered by blists - more mailing lists