lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAJnrk1amsYS51deoXTOnWvMKSQNvbCK_JSPaGW=OBZZsEyNVuQ@mail.gmail.com> Date: Tue, 23 Aug 2022 11:52:33 -0700 From: Joanne Koong <joannelkoong@...il.com> To: Kumar Kartikeya Dwivedi <memxor@...il.com> Cc: bpf@...r.kernel.org, andrii@...nel.org, daniel@...earbox.net, ast@...nel.org, kafai@...com, kuba@...nel.org, netdev@...r.kernel.org Subject: Re: [PATCH bpf-next v4 0/3] Add skb + xdp dynptrs On Mon, Aug 22, 2022 at 7:32 PM Kumar Kartikeya Dwivedi <memxor@...il.com> wrote: > > On Tue, 23 Aug 2022 at 02:06, Joanne Koong <joannelkoong@...il.com> wrote: > > > > This patchset is the 2nd in the dynptr series. The 1st can be found here [0]. > > > > This patchset adds skb and xdp type dynptrs, which have two main benefits for > > packet parsing: > > * allowing operations on sizes that are not statically known at > > compile-time (eg variable-sized accesses). > > * more ergonomic and less brittle iteration through data (eg does not need > > manual if checking for being within bounds of data_end) > > > > Just curious: so would you be adding a dynptr interface for obtaining > data_meta slices as well in the future? Since the same manual bounds > checking is needed for data_meta vs data. How would that look in the > generic dynptr interface of data/read/write this set is trying to fit > things in? Oh cool, I didn't realize there is also a data_meta used in packet parsing - thanks for bringing this up. I think there are 2 options for how data_meta can be incorporated into the dynptr interface: 1) have a separate api "bpf_dynptr_from_{skb/xdp}_meta. We'll have to have a function in the verifier that does something similar to 'may_access_direct_pkt_data' but for pkt data meta, since skb progs can have different access restrictions for data vs. data_meta. 2) ideally, the flags arg would be used to indicate whether the parsing should be for data_meta. To support this though, I think we'd need to do access type checking within the helper instead of at the verifier level. One idea is to pass in the env->ops ptr as a 4th arg (manually patching it from the verifier) to the helper, which can be used to determine if data_meta access is permitted. In both options, there'll be a new BPF_DYNPTR_{SKB/XDP}_META dynptr type and data/read/write will be supported for it. What are your thoughts? > > > > > When comparing the differences in runtime for packet parsing without dynptrs > > vs. with dynptrs for the more simple cases, there is no noticeable difference. > > For the more complex cases where lengths are non-statically known at compile > > time, there can be a significant speed-up when using dynptrs (eg a 2x speed up > > for cls redirection). Patch 3 contains more details as well as examples of how > > to use skb and xdp dynptrs. > > > > [0] https://lore.kernel.org/bpf/20220523210712.3641569-1-joannelkoong@gmail.com/ > > > > --
Powered by blists - more mailing lists