Subject: Re: [PATCH v2 bpf-next 09/20] bpf: Recognize cast_kern/user instructions in the verifier.
From: Eduard Zingerman
To: Alexei Starovoitov, bpf@vger.kernel.org
Cc: daniel@iogearbox.net, andrii@kernel.org, memxor@gmail.com, tj@kernel.org, brho@google.com, hannes@cmpxchg.org, lstoakes@gmail.com, akpm@linux-foundation.org, urezki@gmail.com, hch@infradead.org, linux-mm@kvack.org, kernel-team@fb.com
Date: Sat, 10 Feb 2024 03:13:20 +0200
In-Reply-To: <20240209040608.98927-10-alexei.starovoitov@gmail.com>
References: <20240209040608.98927-1-alexei.starovoitov@gmail.com> <20240209040608.98927-10-alexei.starovoitov@gmail.com>

On Thu, 2024-02-08 at 20:05 -0800, Alexei Starovoitov wrote:
[...]
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 3c77a3ab1192..5eeb9bf7e324 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
[...]
> @@ -13837,6 +13844,21 @@ static int adjust_reg_min_max_vals(struct bpf_ve= rifier_env *env, > =20 > dst_reg =3D ®s[insn->dst_reg]; > src_reg =3D NULL; > + > + if (dst_reg->type =3D=3D PTR_TO_ARENA) { > + struct bpf_insn_aux_data *aux =3D cur_aux(env); > + > + if (BPF_CLASS(insn->code) =3D=3D BPF_ALU64) > + /* > + * 32-bit operations zero upper bits automatically. > + * 64-bit operations need to be converted to 32. > + */ > + aux->needs_zext =3D true; It should be possible to write an example, when the same insn is visited with both PTR_TO_ARENA and some other PTR type. Such examples should be rejected as is currently done in do_check() for BPF_{ST,STX} using save_aux_ptr_type(). [...] > @@ -13954,16 +13976,17 @@ static int check_alu_op(struct bpf_verifier_env= *env, struct bpf_insn *insn) > } else if (opcode =3D=3D BPF_MOV) { > =20 > if (BPF_SRC(insn->code) =3D=3D BPF_X) { > - if (insn->imm !=3D 0) { > - verbose(env, "BPF_MOV uses reserved fields\n"); > - return -EINVAL; > - } > - > if (BPF_CLASS(insn->code) =3D=3D BPF_ALU) { > - if (insn->off !=3D 0 && insn->off !=3D 8 && insn->off !=3D 16) { > + if ((insn->off !=3D 0 && insn->off !=3D 8 && insn->off !=3D 16) || > + insn->imm) { > verbose(env, "BPF_MOV uses reserved fields\n"); > return -EINVAL; > } > + } else if (insn->off =3D=3D BPF_ARENA_CAST_KERN || insn->off =3D=3D B= PF_ARENA_CAST_USER) { > + if (!insn->imm) { > + verbose(env, "cast_kern/user insn must have non zero imm32\n"); > + return -EINVAL; > + } > } else { > if (insn->off !=3D 0 && insn->off !=3D 8 && insn->off !=3D 16 && > insn->off !=3D 32) { I think it is now necessary to check insn->imm here, as is it allows ALU64 move with non-zero imm. 
> @@ -13993,7 +14016,12 @@ static int check_alu_op(struct bpf_verifier_env = *env, struct bpf_insn *insn) > struct bpf_reg_state *dst_reg =3D regs + insn->dst_reg; > =20 > if (BPF_CLASS(insn->code) =3D=3D BPF_ALU64) { > - if (insn->off =3D=3D 0) { > + if (insn->imm) { > + /* off =3D=3D BPF_ARENA_CAST_KERN || off =3D=3D BPF_ARENA_CAST_USER= */ > + mark_reg_unknown(env, regs, insn->dst_reg); > + if (insn->off =3D=3D BPF_ARENA_CAST_KERN) > + dst_reg->type =3D PTR_TO_ARENA; This effectively allows casting anything to PTR_TO_ARENA. Do we want to check that src_reg somehow originates from arena? Might be tricky, a new type modifier bit or something like that. > + } else if (insn->off =3D=3D 0) { > /* case: R1 =3D R2 > * copy register state to dest reg > */ > @@ -14059,6 +14087,9 @@ static int check_alu_op(struct bpf_verifier_env *= env, struct bpf_insn *insn) > dst_reg->subreg_def =3D env->insn_idx + 1; > coerce_subreg_to_size_sx(dst_reg, insn->off >> 3); > } > + } else if (src_reg->type =3D=3D PTR_TO_ARENA) { > + mark_reg_unknown(env, regs, insn->dst_reg); > + dst_reg->type =3D PTR_TO_ARENA; This describes a case wX =3D wY, where rY is PTR_TO_ARENA, should rX be marked as SCALAR instead of PTR_TO_ARENA? [...] > @@ -18235,6 +18272,31 @@ static int resolve_pseudo_ldimm64(struct bpf_ver= ifier_env *env) > fdput(f); > return -EBUSY; > } > + if (map->map_type =3D=3D BPF_MAP_TYPE_ARENA) { > + if (env->prog->aux->arena) { Does this have to be (env->prog->aux->arena && env->prog->aux->arena !=3D m= ap) ? > + verbose(env, "Only one arena per program\n"); > + fdput(f); > + return -EBUSY; > + } [...] 
> @@ -18799,6 +18861,18 @@ static int convert_ctx_accesses(struct bpf_verif= ier_env *env) > insn->code =3D=3D (BPF_ST | BPF_MEM | BPF_W) || > insn->code =3D=3D (BPF_ST | BPF_MEM | BPF_DW)) { > type =3D BPF_WRITE; > + } else if (insn->code =3D=3D (BPF_ALU64 | BPF_MOV | BPF_X) && insn->im= m) { > + if (insn->off =3D=3D BPF_ARENA_CAST_KERN || > + (((struct bpf_map *)env->prog->aux->arena)->map_flags & BPF_F_NO_= USER_CONV)) { > + /* convert to 32-bit mov that clears upper 32-bit */ > + insn->code =3D BPF_ALU | BPF_MOV | BPF_X; > + /* clear off, so it's a normal 'wX =3D wY' from JIT pov */ > + insn->off =3D 0; > + } /* else insn->off =3D=3D BPF_ARENA_CAST_USER should be handled by J= IT */ > + continue; > + } else if (env->insn_aux_data[i + delta].needs_zext) { > + /* Convert BPF_CLASS(insn->code) =3D=3D BPF_ALU64 to 32-bit ALU */ > + insn->code =3D BPF_ALU | BPF_OP(insn->code) | BPF_SRC(insn->code); Tbh, I think this should be done in do_misc_fixups(), mixing it with context handling in convert_ctx_accesses() seems a bit confusing.
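Review bot: in the adjust_reg_min_max_vals() hunk, `aux->needs_zext = true` is set when dst_reg is PTR_TO_ARENA but is never cleared or compared against the type seen on an earlier visit, so when the same instruction is reached on a second path with a different pointer type in dst_reg the flag still rewrites that ALU64 op to 32-bit in convert_ctx_accesses() and silently truncates the other path's 64-bit arithmetic; either reject the mixed case the way save_aux_ptr_type() does for BPF_{ST,STX} or record the type and compare on revisit. A style point in the same hunk: the multi-line comment sits between a braceless `if (BPF_CLASS(insn->code) == BPF_ALU64)` and its single statement, which is easy to misread, so put braces around it.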
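Review bot: in the first check_alu_op() hunk the `else` branch for ALU64 moves with off in {0, 8, 16, 32} no longer rejects a non-zero imm, because the common `if (insn->imm != 0)` check was deleted from the BPF_X path and reinstated only under `BPF_CLASS(insn->code) == BPF_ALU`. Combined with the later `if (insn->imm)` test in the ALU64 handling, an ALU64 MOV with off == 8 and imm != 0 is verified as a cast instead of a sign-extending move; add `|| insn->imm` to the reserved-fields condition of that `else` branch, mirroring the BPF_ALU change.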
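Review bot: in the second check_alu_op() hunk the cast path accepts a src_reg of any type and turns it into PTR_TO_ARENA after mark_reg_unknown(), so an unrelated kernel pointer or an arbitrary scalar can be relabelled as arena memory with no provenance check; restrict BPF_ARENA_CAST_KERN to sources that are SCALAR_VALUE or already PTR_TO_ARENA (or carry an arena provenance marker, as suggested above). The comment `/* off == BPF_ARENA_CAST_KERN || off == BPF_ARENA_CAST_USER */` only restates the two values and should instead document that BPF_ARENA_CAST_USER intentionally leaves dst_reg as an unknown scalar.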
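Review bot: the `src_reg->type == PTR_TO_ARENA` branch in the third check_alu_op() hunk (the 32-bit `wX = wY` case) has no comment explaining why the truncated result keeps the PTR_TO_ARENA type rather than becoming SCALAR_VALUE; if this is intentional because arena pointers are tracked through their low 32 bits (as the first hunk's comment about 32-bit operations zeroing the upper bits implies), state that in the code, otherwise mark the destination as a scalar.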
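Review bot: in the resolve_pseudo_ldimm64() hunk, `if (env->prog->aux->arena)` fires on any second reference to an arena map without comparing against `map`, so unless the surrounding code (not visible here) already deduplicates repeated references to the same map, a program that loads the same arena twice is rejected with "Only one arena per program"; change the condition to `env->prog->aux->arena && env->prog->aux->arena != map`.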
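Review bot: in the convert_ctx_accesses() hunk, the `insn->off == BPF_ARENA_CAST_KERN || ...` condition dereferences `env->prog->aux->arena` whenever the cast is not CAST_KERN, and nothing in the check_alu_op() hunks requires that a program using a cast instruction actually references an arena map, so a cast_user instruction in a program without an arena dereferences a NULL pointer here; reject such programs in check_alu_op() or test `env->prog->aux->arena` before reading `map_flags`. Separately, the `needs_zext` rewrite of ALU64 to 32-bit ALU is instruction fixup rather than context-access conversion and belongs in do_misc_fixups(), as noted above.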