lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 24 Jul 2020 18:02:30 +0200
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Maciej Fijalkowski <maciej.fijalkowski@...el.com>, ast@...nel.org
Cc:     bpf@...r.kernel.org, netdev@...r.kernel.org, bjorn.topel@...el.com,
        magnus.karlsson@...el.com
Subject: Re: [PATCH v4 bpf-next 2/6] bpf: propagate poke descriptors to
 subprograms

On 7/24/20 2:36 PM, Maciej Fijalkowski wrote:
> Previously, there was no need for poke descriptors being present in
> subprogram's bpf_prog_aux struct since tailcalls were simply not allowed
> in them. Each subprog is JITed independently so in order to enable
> JITing such subprograms, simply copy poke descriptors from main program
> to subprogram's poke tab.
> 
> Add also subprog's aux struct to the BPF map poke_progs list by calling
> on it map_poke_track().
> 
> In case of any error, call the map_poke_untrack() on subprog's aux
> structs that have already been registered to prog array map.
> 
> Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@...el.com>
> ---
>   kernel/bpf/verifier.c | 41 +++++++++++++++++++++++++++++++++++++++++
>   1 file changed, 41 insertions(+)
> 
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 9a6703bc3f36..3e931e3e2239 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -9900,9 +9900,12 @@ static int jit_subprogs(struct bpf_verifier_env *env)
>   {
>   	struct bpf_prog *prog = env->prog, **func, *tmp;
>   	int i, j, subprog_start, subprog_end = 0, len, subprog;
> +	struct bpf_map *map_ptr;
>   	struct bpf_insn *insn;
>   	void *old_bpf_func;
>   	int err, num_exentries;
> +	int last_poke_desc = 0;
> +	int last_subprog = 0;
>   
>   	if (env->subprog_cnt <= 1)
>   		return 0;
> @@ -9967,6 +9970,26 @@ static int jit_subprogs(struct bpf_verifier_env *env)
>   		func[i]->aux->btf = prog->aux->btf;
>   		func[i]->aux->func_info = prog->aux->func_info;
>   
> +		for (j = 0; j < prog->aux->size_poke_tab; j++) {
> +			int ret;
> +
> +			ret = bpf_jit_add_poke_descriptor(func[i],
> +							  &prog->aux->poke_tab[j]);
> +			if (ret < 0) {
> +				verbose(env, "adding tail call poke descriptor failed\n");
> +				goto out_untrack;
> +			}
> +			map_ptr = func[i]->aux->poke_tab[j].tail_call.map;
> +			ret = map_ptr->ops->map_poke_track(map_ptr, func[i]->aux);
> +			if (ret < 0) {
> +				verbose(env, "tracking tail call prog failed\n");
> +				goto out_untrack;
> +			}
> +			last_poke_desc = j;
> +		}
> +		last_poke_desc = 0;
> +		last_subprog = i;
> +
>   		/* Use bpf_prog_F_tag to indicate functions in stack traces.
>   		 * Long term would need debug info to populate names
>   		 */
> @@ -10059,7 +10082,25 @@ static int jit_subprogs(struct bpf_verifier_env *env)
>   	prog->aux->func_cnt = env->subprog_cnt;
>   	bpf_prog_free_unused_jited_linfo(prog);
>   	return 0;
> +out_untrack:
> +	/* this loop is only for handling the case where propagating all of
> +	 * the main prog's poke descs was not successful for a particular
> +	 * subprog; last_poke_desc is zeroed once we walked through all
> +	 * of the poke descs; if last_poke_desc != 0 then 'i' is valid since
> +	 * it is pointing to the subprog that we were at when got an error
> +	 */
> +	while (last_poke_desc--) {
> +		map_ptr = func[i]->aux->poke_tab[last_poke_desc].tail_call.map;
> +		map_ptr->ops->map_poke_untrack(map_ptr, func[i]->aux);
> +	}
> +	last_subprog = i - 1;
>   out_free:
> +	for (i = last_subprog; i >= 0; i--) {
> +		for (j = 0; j < prog->aux->size_poke_tab; j++) {
> +			map_ptr = func[i]->aux->poke_tab[j].tail_call.map;
> +			map_ptr->ops->map_poke_untrack(map_ptr, func[i]->aux);
> +		}
> +	}

After staring at this code for a while, the logic looks correct to me, but feels overly
complicated with making sure all the corner cases do function above. I wonder, why didn't
you consider just something like ...

    	for (i = 0; i < env->subprog_cnt; i++)
    		if (func[i]) {
			for (j = 0; j < func[i]->aux->size_poke_tab; j++) {
				map_ptr = func[i]->aux->poke_tab[j].tail_call.map;
				map_ptr->ops->map_poke_untrack(map_ptr, func[i]->aux);
			}
    			bpf_jit_free(func[i]);
		}

... instead of last_poke_desc/last_subprog tracking and the fallthrough trick above. Am
I missing something?

>   	for (i = 0; i < env->subprog_cnt; i++)
>   		if (func[i])
>   			bpf_jit_free(func[i]);
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ