On Fri, Dec 6, 2024 at 9:42 AM Andrii Nakryiko <andrii.nakryiko@xxxxxxxxx> wrote: > > > Or, *importantly*, if user anticipates that "freplace-ment" BPF > program for such subprog might need to invalidate packet pointers, but > the default subprog implementation doesn't actually call any of those > special helpers, user can just explicitly say that "yes, this subprog > should be treated as such that invalidates pkt pointers". With your > approach there is no way to even express this, unless you hack default > subprog implementation to intentionally have reachable > pkt-invalidating helper, but not really call it at runtime. Exactly. This artificial issue can be easily solved without tags. The nop subprog can have an empty call to bpf_skb_pull_data(skb, 0). And it will be much more obvious to anyone reading the C code instead of a magic tag. > No, it's not. It's conceptually absolutely the same. Verifier can > derive that global subprog arg has to be a trusted pointer. It's just > that with pkt invalidation it's trivial enough to detect (crudely and > eagerly, but still) in check_cfg(), while for trusted pointers you > can't take this shortcut. Not really. We only introduced the following tags: __arg_ctx __arg_trusted __arg_arena because the verifier cannot infer them. We are _not_ going to introduce __arg_dynptr as we argued in the past. Anything that can be expressed via normal C should stay in C.