On 11/21/19 9:50 PM, Brian Vazquez wrote:
> ACK to all the observations, will fix in the next version. There are
> just 2 things might be correct, PTAL.
>
> On Thu, Nov 21, 2019 at 10:00 AM Yonghong Song <yhs@xxxxxx> wrote:
>>
>>
>>
>> On 11/19/19 11:30 AM, Brian Vazquez wrote:
>>> This commit adds generic support for update and delete batch ops that
>>> can be used for almost all the bpf maps. These commands share the same
>>> UAPI attr that lookup and lookup_and_delete batch ops use and the
>>> syscall commands are:
>>>
>>> BPF_MAP_UPDATE_BATCH
>>> BPF_MAP_DELETE_BATCH
>>>
>>> The main difference between update/delete and lookup/lookup_and_delete
>>> batch ops is that for update/delete keys/values must be specified for
>>> userspace and because of that, neither in_batch nor out_batch are used.
>>>
>>> Suggested-by: Stanislav Fomichev <sdf@xxxxxxxxxx>
>>> Signed-off-by: Brian Vazquez <brianvv@xxxxxxxxxx>
>>> Signed-off-by: Yonghong Song <yhs@xxxxxx>
>>> ---
>>> include/linux/bpf.h | 10 ++++
>>> include/uapi/linux/bpf.h | 2 +
>>> kernel/bpf/syscall.c | 126 ++++++++++++++++++++++++++++++++++++++-
>>> 3 files changed, 137 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
>>> index 767a823dbac74..96a19e1fd2b5b 100644
>>> --- a/include/linux/bpf.h
>>> +++ b/include/linux/bpf.h
>>> @@ -46,6 +46,10 @@ struct bpf_map_ops {
>>> int (*map_lookup_and_delete_batch)(struct bpf_map *map,
>>> const union bpf_attr *attr,
>>> union bpf_attr __user *uattr);
>>> + int (*map_update_batch)(struct bpf_map *map, const union bpf_attr *attr,
>>> + union bpf_attr __user *uattr);
>>> + int (*map_delete_batch)(struct bpf_map *map, const union bpf_attr *attr,
>>> + union bpf_attr __user *uattr);
>>>
[...]
>>> +
>>> + preempt_disable();
>>> + __this_cpu_inc(bpf_prog_active);
>>> + rcu_read_lock();
>>> + err = map->ops->map_delete_elem(map, key);
>>> + rcu_read_unlock();
>>> + __this_cpu_dec(bpf_prog_active);
>>> + preempt_enable();
>>> + maybe_wait_bpf_programs(map);
>>> + if (err)
>>> + break;
>>> + }
>>> + if (copy_to_user(&uattr->batch.count, &cp, sizeof(cp)))
>>> + err = -EFAULT;
>>
>> If previous err = -EFAULT, even if copy_to_user() succeeded,
>> return value will be -EFAULT, so uattr->batch.count cannot be
>> trusted. So may be do
>> if (err != -EFAULT && copy_to_user(...))
>> err = -EFAULT
>> ?
>> There are several other places like this.
>
> I think whatever the err is, cp contains the right amount of entries
> correctly updated/deleted and the idea is that you should always try
> to copy that value to batch.count, and if that fails when uattr was
> created by libbpf, everything was set to 0.
This is what I mean:
err = -EFAULT; // from previous error
if (copy_to_user(&uattr->batch.count, &cp, sizeof(cp)))
err = -EFAULT;
return err;
User space will not trust uattr->batch.count even copy_to_user()
is successful since -EFAULT is returned.
There are two ways to address this issue if previous error is -EFAULT,
1. do not copy_to_user() and return -EFAULT, which is I suggested
in the above.
2. go ahead to do copy_to_user() and if it is successful, change
return value to something different from -EFAULT to indicate
that uattr->batch.count is valid.
I feel it is important to return actual error code -EFAULT to
user so user knows some fault happens. Returning other error code
may be misleading during debugging.
>
>>
>>> +err_put:
>>
>> You don't need err_put label in the above.
>>
>>> + return err;
>>> +}
>>> +int generic_map_update_batch(struct bpf_map *map,
>>> + const union bpf_attr *attr,
>>> + union bpf_attr __user *uattr)
>>> +{
>>> + void __user *values = u64_to_user_ptr(attr->batch.values);
>>> + void __user *keys = u64_to_user_ptr(attr->batch.keys);
>>> + u32 value_size, cp, max_count;
>>> + int ufd = attr->map_fd;
>>> + void *key, *value;
>>> + struct fd f;
>>> + int err;
>>> +
>>> + f = fdget(ufd);
>>> + if (attr->batch.elem_flags & ~BPF_F_LOCK)
>>> + return -EINVAL;
>>> +
>>> + if ((attr->batch.elem_flags & BPF_F_LOCK) &&
>>> + !map_value_has_spin_lock(map)) {
>>> + err = -EINVAL;
>>> + goto err_put;
>>
>> Directly return -EINVAL?
>>
>>> + }
>>> +
>>> + value_size = bpf_map_value_size(map);
>>> +
>>> + max_count = attr->batch.count;
>>> + if (!max_count)
>>> + return 0;
>>> +
>>> + err = -ENOMEM;
>>> + value = kmalloc(value_size, GFP_USER | __GFP_NOWARN);
>>> + if (!value)
>>> + goto err_put;
>>
>> Directly return -ENOMEM?
>>
>>> +
>>> + for (cp = 0; cp < max_count; cp++) {
>>> + key = __bpf_copy_key(keys + cp * map->key_size, map->key_size);
>>
>> Do you need to free 'key' after its use?
>>
>>> + if (IS_ERR(key)) {
>>> + err = PTR_ERR(key);
>>> + break;
>>> + }
>>> + err = -EFAULT;
>>> + if (copy_from_user(value, values + cp * value_size, value_size))
>>> + break;
>>> +
>>> + err = bpf_map_update_value(map, f, key, value,
>>> + attr->batch.elem_flags);
>>> +
>>> + if (err)
>>> + break;
>>> + }
>>> +
>>> + if (copy_to_user(&uattr->batch.count, &cp, sizeof(cp)))
>>> + err = -EFAULT;
>>
>> Similar to the above comment, if err already -EFAULT, no need
>> to do copy_to_user().
>>
>>> +
>>> + kfree(value);
>>> +err_put:
>>
>> err_put label is not needed.
>>
>>> + return err;
>>> +}
>>> +
>>> static int __generic_map_lookup_batch(struct bpf_map *map,
>>> const union bpf_attr *attr,
>>> union bpf_attr __user *uattr,
>>> @@ -3117,8 +3231,12 @@ static int bpf_map_do_batch(const union bpf_attr *attr,
>>>
>>> if (cmd == BPF_MAP_LOOKUP_BATCH)
>>> BPF_DO_BATCH(map->ops->map_lookup_batch);
>>> - else
>>> + else if (cmd == BPF_MAP_LOOKUP_AND_DELETE_BATCH)
>>> BPF_DO_BATCH(map->ops->map_lookup_and_delete_batch);
>>> + else if (cmd == BPF_MAP_UPDATE_BATCH)
>>> + BPF_DO_BATCH(map->ops->map_update_batch);
>>> + else
>>> + BPF_DO_BATCH(map->ops->map_delete_batch);
>>
>> Also need to check map_get_sys_perms() permissions for these two new
>> commands. Both delete and update needs FMODE_CAN_WRITE permission.
>>
> I also got confused for a moment, the check is correct since is using
> '!=' not '=='
> if (cmd != BPF_MAP_LOOKUP_BATCH &&
> !(map_get_sys_perms(map, f) & FMODE_CAN_WRITE)) {
>
> so basically that means that cmd is update,delete or lookup_and_delete
> so we check map_get_sys_perms.
I missed this. Thanks for explanation!
