On Fri, Dec 06, 2024 at 07:10:48PM +0100, Kumar Kartikeya Dwivedi wrote: > On Fri, 6 Dec 2024 at 18:59, Alexei Starovoitov > <alexei.starovoitov@xxxxxxxxx> wrote: > > > > On Fri, Dec 6, 2024 at 8:11 AM Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx> wrote: > > > > > > An implication of this fix, which follows from the way the raw_tp fixes > > > were implemented, is that all PTR_MAYBE_NULL trusted PTR_TO_BTF_ID are > > > engulfed by these checks, and PROBE_MEM will apply to all of them, incl. > > > those coming from helpers with KF_ACQUIRE returning maybe null trusted > > > pointers. This NULL tagging after this commit will be sticky. Compared > > > to a solution which only specially tagged raw_tp args with a different > > > special maybe null tag (like PTR_SOFT_NULL), it's a consequence of > > > overloading PTR_MAYBE_NULL with this meaning. > > > > > > Fixes: cb4158ce8ec8 ("bpf: Mark raw_tp arguments with PTR_MAYBE_NULL") > > > Reported-by: Manu Bretelle <chantra@xxxxxxxx> > > > Signed-off-by: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx> > > > --- > > > kernel/bpf/verifier.c | 6 ++++++ > > > 1 file changed, 6 insertions(+) > > > > > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > > > index 82f40d63ad7b..556fb609d4a4 100644 > > > --- a/kernel/bpf/verifier.c > > > +++ b/kernel/bpf/verifier.c > > > @@ -15365,6 +15365,12 @@ static void mark_ptr_or_null_reg(struct bpf_verifier_env *env, > > > return; > > > > > > if (is_null) { > > > + /* We never mark a raw_tp trusted pointer as scalar, to > > > + * preserve backwards compatibility, instead just leave > > > + * it as is. > > > + */ > > > + if (mask_raw_tp_reg_cond(env, reg)) > > > + return; > > > > The blast radius is getting too big. > > Patch 1 is ok, but here we're doubling down on > > the hack in commit > > cb4158ce8ec8 ("bpf: Mark raw_tp arguments with PTR_MAYBE_NULL") > > There are two concerns: > First, it applies whether or not a register is a raw_tp arg. There is > a way to detect that (with some register state, instead of using a > separate tag). > Second, we treat the program in the == NULL branch as if the pointer > _maybe_ null, and in the != NULL as definitively not NULL. > I don't really see how that's too different, given we already allow direct > access etc. when the pointer is _unchecked_ after entry, and the state > is same as > the case where == NULL branch is explored. > > > > > I think we need to revert the raw_tp masking hack and > > go with denylist the way Jiri proposed: > > https://lore.kernel.org/bpf/ZrIj9jkXqpKXRuS7@krava/ > > > > denylist is certainly less safer and it's a whack-a-mole > > comparing to allowlist, but it's much much shorter > > according to Jiri's analysis: > > https://lore.kernel.org/bpf/Zr3q8ihbe8cUdpfp@krava/ > > Ok, let's revert. > Jiri, do you have the diff around for that attempt? Could you post a > revert of the patches and then the diff you shared? > If not, I can carry it as well with the revert, if you share it with > me (keeping the attribution etc.). Either is fine, lmk. hi, sorry for late reply.. I rebased it, there were some conflicts, it's compile tested, and perhaps not up2date: https://git.kernel.org/pub/scm/linux/kernel/git/jolsa/perf.git/log/?h=bpf/tp_fix jirka