lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 29 May 2020 13:12:28 -0700
From:   Alexei Starovoitov <alexei.starovoitov@...il.com>
To:     Andrii Nakryiko <andrii.nakryiko@...il.com>
Cc:     "David S. Miller" <davem@...emloft.net>,
        Daniel Borkmann <daniel@...earbox.net>,
        Networking <netdev@...r.kernel.org>, bpf <bpf@...r.kernel.org>,
        Kernel Team <kernel-team@...com>
Subject: Re: [PATCH v2 bpf-next 2/4] bpf: Introduce sleepable BPF programs

On Fri, May 29, 2020 at 01:25:06AM -0700, Andrii Nakryiko wrote:
> > index 11584618e861..26b18b6a3dbc 100644
> > --- a/kernel/bpf/arraymap.c
> > +++ b/kernel/bpf/arraymap.c
> > @@ -393,6 +393,11 @@ static void array_map_free(struct bpf_map *map)
> >          */
> >         synchronize_rcu();
> >
> > +       /* arrays could have been used by both sleepable and non-sleepable bpf
> > +        * progs. Make sure to wait for both prog types to finish executing.
> > +        */
> > +       synchronize_srcu(&bpf_srcu);
> > +
> 
> to minimize churn later on when you switch to rcu_trace, maybe extract
> synchronize_rcu() + synchronize_srcu(&bpf_srcu) into a function (e.g.,
> something like synchronize_sleepable_bpf?), exposed as an internal
> API? That way you also wouldn't need to add bpf_srcu to linux/bpf.h?

I think the opposite is must have actually. I think rcu operations should never
be hidden in helpers. All rcu/srcu/rcu_trace ops should always be open coded.

> > @@ -577,8 +577,8 @@ static void *__htab_map_lookup_elem(struct bpf_map *map, void *key)
> >         struct htab_elem *l;
> >         u32 hash, key_size;
> >
> > -       /* Must be called with rcu_read_lock. */
> > -       WARN_ON_ONCE(!rcu_read_lock_held());
> > +       /* Must be called with s?rcu_read_lock. */
> > +       WARN_ON_ONCE(!rcu_read_lock_held() && !srcu_read_lock_held(&bpf_srcu));
> >
> 
> Similar to above, might be worthwhile extracting into a function?

This one I'm 50/50, since this pattern will be in many places.
But what kind of helper that would be?
Clear name is very hard.
WARN_ON_ONCE(!bpf_specific_rcu_lock_held()) ?
Moving WARN into the helper would be even worse.

When rcu_trace is available the churn of patches to convert srcu to rcu_trace
will be a good thing. The patches will convey the difference.
Like bpf_srcu will disappear. They will give a way to do benchmarking before/after
and will help to go back to srcu in unlikely case there is some obscure bug
in rcu_trace. Hiding srcu vs rcu_trace details behind helpers is not how
the code should read. The trade off with one and another will be different
case by case. Like synchronize_srcu() is ok, but synchronize_rcu_trace()
may be too heavy in the trampoline update code and extra counter would be needed.
Also there will be synchronize_multi() that I plan to use as well.

> >
> > +       if (prog->aux->sleepable && prog->type != BPF_PROG_TYPE_TRACING &&
> > +           prog->type != BPF_PROG_TYPE_LSM) {
> > +               verbose(env, "Only fentry/fexit/fmod_ret and lsm programs can be sleepable\n");
> > +               return -EINVAL;
> > +       }
> 
> 
> BPF_PROG_TYPE_TRACING also includes iterator and raw tracepoint
> programs. You mention only fentry/fexit/fmod_ret are allowed. What
> about those two? I don't see any explicit checks for iterator and
> raw_tracepoint attach types in a switch below, so just checking if
> they should be allowed to be sleepable?

good point. tp_btf and iter don't use trampoline, so sleepable flag
is ignored. which is wrong. I'll add a check to get the prog rejected.

> Also seems like freplace ones are also sleeepable, if they replace
> sleepable programs, right?

freplace is a different program type. So it's rejected by this code already.
Eventually I'll add support to allow sleepable freplace prog that extend
sleepable target. But that's future.

> > +
> >         if (prog->type == BPF_PROG_TYPE_STRUCT_OPS)
> >                 return check_struct_ops_btf_id(env);
> >
> > @@ -10762,8 +10801,29 @@ static int check_attach_btf_id(struct bpf_verifier_env *env)
> >                         if (ret)
> >                                 verbose(env, "%s() is not modifiable\n",
> >                                         prog->aux->attach_func_name);
> > +               } else if (prog->aux->sleepable) {
> > +                       switch (prog->type) {
> > +                       case BPF_PROG_TYPE_TRACING:
> > +                               /* fentry/fexit progs can be sleepable only if they are
> > +                                * attached to ALLOW_ERROR_INJECTION or security_*() funcs.
> > +                                */
> > +                               ret = check_attach_modify_return(prog, addr);
> 
> I was so confused about this piece... check_attach_modify_return()
> should probably be renamed to something else, it's not for fmod_ret
> only anymore.

why? I think the name is correct. The helper checks whether target
allows modifying its return value. It's a first while list.
When that passes the black list applies via check_sleepable_blacklist() function.

I was considering using whitelist for sleepable as well, but that's overkill.
Too much overlap with mod_ret.
Imo check whitelist + check blacklist for white list exceptions is clean enough.

> 
> > +                               if (!ret)
> > +                                       ret = check_sleepable_blacklist(addr);
> > +                               break;
> > +                       case BPF_PROG_TYPE_LSM:
> > +                               /* LSM progs check that they are attached to bpf_lsm_*() funcs
> > +                                * which are sleepable too.
> > +                                */
> > +                               ret = check_sleepable_blacklist(addr);
> > +                               break;

Powered by blists - more mailing lists