| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1545902f-3cbb-73bc-e241-d2e8a3118cd4@iogearbox.net>
Date: Fri, 24 Jul 2020 18:02:30 +0200
From: Daniel Borkmann <daniel@...earbox.net>
To: Maciej Fijalkowski <maciej.fijalkowski@...el.com>, ast@...nel.org
Cc: bpf@...r.kernel.org, netdev@...r.kernel.org, bjorn.topel@...el.com,
magnus.karlsson@...el.com
Subject: Re: [PATCH v4 bpf-next 2/6] bpf: propagate poke descriptors to
subprograms
On 7/24/20 2:36 PM, Maciej Fijalkowski wrote:
> Previously, there was no need for poke descriptors being present in
> subprogram's bpf_prog_aux struct since tailcalls were simply not allowed
> in them. Each subprog is JITed independently so in order to enable
> JITing such subprograms, simply copy poke descriptors from main program
> to subprogram's poke tab.
>
> Add also subprog's aux struct to the BPF map poke_progs list by calling
> on it map_poke_track().
>
> In case of any error, call the map_poke_untrack() on subprog's aux
> structs that have already been registered to prog array map.
>
> Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@...el.com>
> ---
> kernel/bpf/verifier.c | 41 +++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 41 insertions(+)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 9a6703bc3f36..3e931e3e2239 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -9900,9 +9900,12 @@ static int jit_subprogs(struct bpf_verifier_env *env)
> {
> struct bpf_prog *prog = env->prog, **func, *tmp;
> int i, j, subprog_start, subprog_end = 0, len, subprog;
> + struct bpf_map *map_ptr;
> struct bpf_insn *insn;
> void *old_bpf_func;
> int err, num_exentries;
> + int last_poke_desc = 0;
> + int last_subprog = 0;
>
> if (env->subprog_cnt <= 1)
> return 0;
> @@ -9967,6 +9970,26 @@ static int jit_subprogs(struct bpf_verifier_env *env)
> func[i]->aux->btf = prog->aux->btf;
> func[i]->aux->func_info = prog->aux->func_info;
>
> + for (j = 0; j < prog->aux->size_poke_tab; j++) {
> + int ret;
> +
> + ret = bpf_jit_add_poke_descriptor(func[i],
> + &prog->aux->poke_tab[j]);
> + if (ret < 0) {
> + verbose(env, "adding tail call poke descriptor failed\n");
> + goto out_untrack;
> + }
> + map_ptr = func[i]->aux->poke_tab[j].tail_call.map;
> + ret = map_ptr->ops->map_poke_track(map_ptr, func[i]->aux);
> + if (ret < 0) {
> + verbose(env, "tracking tail call prog failed\n");
> + goto out_untrack;
> + }
> + last_poke_desc = j;
> + }
> + last_poke_desc = 0;
> + last_subprog = i;
> +
> /* Use bpf_prog_F_tag to indicate functions in stack traces.
> * Long term would need debug info to populate names
> */
> @@ -10059,7 +10082,25 @@ static int jit_subprogs(struct bpf_verifier_env *env)
> prog->aux->func_cnt = env->subprog_cnt;
> bpf_prog_free_unused_jited_linfo(prog);
> return 0;
> +out_untrack:
> + /* this loop is only for handling the case where propagating all of
> + * the main prog's poke descs was not successful for a particular
> + * subprog; last_poke_desc is zeroed once we walked through all
> + * of the poke descs; if last_poke_desc != 0 then 'i' is valid since
> + * it is pointing to the subprog that we were at when got an error
> + */
> + while (last_poke_desc--) {
> + map_ptr = func[i]->aux->poke_tab[last_poke_desc].tail_call.map;
> + map_ptr->ops->map_poke_untrack(map_ptr, func[i]->aux);
> + }
> + last_subprog = i - 1;
> out_free:
> + for (i = last_subprog; i >= 0; i--) {
> + for (j = 0; j < prog->aux->size_poke_tab; j++) {
> + map_ptr = func[i]->aux->poke_tab[j].tail_call.map;
> + map_ptr->ops->map_poke_untrack(map_ptr, func[i]->aux);
> + }
> + }
After staring at this code for a while, the logic looks correct to me, but feels overly
complicated with making sure all the corner cases do function above. I wonder, why didn't
you consider just something like ...
for (i = 0; i < env->subprog_cnt; i++)
if (func[i]) {
for (j = 0; j < func[i]->aux->size_poke_tab; j++) {
map_ptr = func[i]->aux->poke_tab[j].tail_call.map;
map_ptr->ops->map_poke_untrack(map_ptr, func[i]->aux);
}
bpf_jit_free(func[i]);
}
... instead of last_poke_desc/last_subprog tracking and the fallthrough trick above. Am
I missing something?
> for (i = 0; i < env->subprog_cnt; i++)
> if (func[i])
> bpf_jit_free(func[i]);
>
Powered by blists - more mailing lists