Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support eliding map lookup nullness #4814

Closed

Conversation

kernel-patches-daemon-bpf-rc[bot]
Copy link

Pull request for series with
subject: Support eliding map lookup nullness
version: 6
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=919724

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: 8eef6ac
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=919724
version: 6

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: c5d2bac
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=919724
version: 6

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: c5d2bac
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=919724
version: 6

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: c5d2bac
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=919724
version: 6

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: 9468f39
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=919724
version: 6

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: 654a338
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=919724
version: 6

The print was missing a newline.

Signed-off-by: Daniel Xu <[email protected]>
MEM_WRITE attribute is defined as: "Non-presence of MEM_WRITE means that
MEM is only being read". bpf_load_hdr_opt() both reads and writes from
its arg2 - void *search_res.

This matters a lot for the next commit where we more precisely track
stack accesses. Without this annotation, the verifier will make false
assumptions about the contents of memory written to by helpers and
possibly prune valid branches.

Fixes: 6fad274 ("bpf: Add MEM_WRITE attribute")
Acked-by: Martin KaFai Lau <[email protected]>
Signed-off-by: Daniel Xu <[email protected]>
Previously, the verifier was treating all PTR_TO_STACK registers passed
to a helper call as potentially written to by the helper. However, all
calls to check_stack_range_initialized() already have precise access type
information available.

Rather than treat ACCESS_HELPER as a proxy for BPF_WRITE, pass
enum bpf_access_type to check_stack_range_initialized() to more
precisely track helper arguments.

One benefit from this precision is that registers tracked as valid
spills and passed as a read-only helper argument remain tracked after
the call.  Rather than being marked STACK_MISC afterwards.

An additional benefit is the verifier logs are also more precise. For
this particular error, users will enjoy a slightly clearer message. See
included selftest updates for examples.

Acked-by: Eduard Zingerman <[email protected]>
Signed-off-by: Daniel Xu <[email protected]>
This commit allows progs to elide a null check on statically known map
lookup keys. In other words, if the verifier can statically prove that
the lookup will be in-bounds, allow the prog to drop the null check.

This is useful for two reasons:

1. Large numbers of nullness checks (especially when they cannot fail)
   unnecessarily pushes prog towards BPF_COMPLEXITY_LIMIT_JMP_SEQ.
2. It forms a tighter contract between programmer and verifier.

For (1), bpftrace is starting to make heavier use of percpu scratch
maps. As a result, for user scripts with large number of unrolled loops,
we are starting to hit jump complexity verification errors.  These
percpu lookups cannot fail anyways, as we only use static key values.
Eliding nullness probably results in less work for verifier as well.

For (2), percpu scratch maps are often used as a larger stack, as the
currrent stack is limited to 512 bytes. In these situations, it is
desirable for the programmer to express: "this lookup should never fail,
and if it does, it means I messed up the code". By omitting the null
check, the programmer can "ask" the verifier to double check the logic.

Tests also have to be updated in sync with these changes, as the
verifier is more efficient with this change. Notable, iters.c tests had
to be changed to use a map type that still requires null checks, as it's
exercising verifier tracking logic w.r.t iterators.

Signed-off-by: Daniel Xu <[email protected]>
Test that nullness elision works for common use cases. For example, we
want to check that both constant scalar spills and STACK_ZERO functions.
As well as when there's both const and non-const values of R2 leading up
to a lookup. And obviously some bound checks.

Particularly tricky are spills both smaller or larger than key size. For
smaller, we need to ensure verifier doesn't let through a potential read
into unchecked bytes. For larger, endianness comes into play, as the
native endian value tracked in the verifier may not be the bytes the
kernel would have read out of the key pointer. So check that we disallow
both.

Signed-off-by: Daniel Xu <[email protected]>
@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: dfa94ce
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=919724
version: 6

@kernel-patches-daemon-bpf-rc
Copy link
Author

At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=917401 irrelevant now. Closing PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant