Re: Packet pointer invalidation and subprograms

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 6 Dec 2024 at 19:26, Alexei Starovoitov
<alexei.starovoitov@xxxxxxxxx> wrote:
>
> On Fri, Dec 6, 2024 at 9:42 AM Andrii Nakryiko
> <andrii.nakryiko@xxxxxxxxx> wrote:
> >
> >
> > Or, *importantly*, if user anticipates that "freplace-ment" BPF
> > program for such subprog might need to invalidate packet pointers, but
> > the default subprog implementation doesn't actually call any of those
> > special helpers, user can just explicitly say that "yes, this subprog
> > should be treated as such that invalidates pkt pointers". With your
> > approach there is no way to even express this, unless you hack default
> > subprog implementation to intentionally have reachable
> > pkt-invalidating helper, but not really call it at runtime.
>
> Exactly.
> This artificial issue can be easily solved without tags.
> The nop subprog can have an empty call to bpf_skb_pull_data(skb, 0).
> And it will be much more obvious to anyone reading the C code
> instead of a magic tag.

Wouldn't it be less obvious? You would still need a fat comment
explaining why you're doing a dummy bpf_skb_pull_data, because
normally it wouldn't occur if it is to clear pkt pointers, and you
will say it's because it tells the verifier that it invalidates the
packet for the caller.

It would certainly be clear if we had a bpf_skb_clear_pkt_ptrs, which
would be a verifier built-in and no-op at runtime, but we don't. But
then that's the same as a tag.

>
> > No, it's not. It's conceptually absolutely the same. Verifier can
> > derive that global subprog arg has to be a trusted pointer. It's just
> > that with pkt invalidation it's trivial enough to detect (crudely and
> > eagerly, but still) in check_cfg(), while for trusted pointers you
> > can't take this shortcut.
>
> Not really. We only introduced the following tags:
> __arg_ctx
> __arg_trusted
> __arg_arena
> because the verifier cannot infer them.
> We are _not_ going to introduce __arg_dynptr as we argued in the past.
> Anything that can be expressed via normal C should stay in C.





[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux