Hi Alexei,
On Wed, Jan 29, 2025 at 04:41:31PM -0800, Alexei Starovoitov wrote:
> > diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
> > index da729cbbaeb9..ab082ab9d535 100644
> > --- a/kernel/bpf/core.c
> > +++ b/kernel/bpf/core.c
> > @@ -1663,14 +1663,17 @@ EXPORT_SYMBOL_GPL(__bpf_call_base);
> > INSN_3(JMP, JSET, K), \
> > INSN_2(JMP, JA), \
> > INSN_2(JMP32, JA), \
> > + /* Atomic operations. */ \
> > + INSN_3(STX, ATOMIC, B), \
> > + INSN_3(STX, ATOMIC, H), \
> > + INSN_3(STX, ATOMIC, W), \
> > + INSN_3(STX, ATOMIC, DW), \
> > /* Store instructions. */ \
> > /* Register based. */ \
> > INSN_3(STX, MEM, B), \
> > INSN_3(STX, MEM, H), \
> > INSN_3(STX, MEM, W), \
> > INSN_3(STX, MEM, DW), \
> > - INSN_3(STX, ATOMIC, W), \
> > - INSN_3(STX, ATOMIC, DW), \
> > /* Immediate based. */ \
> > INSN_3(ST, MEM, B), \
> > INSN_3(ST, MEM, H), \
> > @@ -2169,6 +2172,8 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn)
> >
> > STX_ATOMIC_DW:
> > STX_ATOMIC_W:
> > + STX_ATOMIC_H:
> > + STX_ATOMIC_B:
> > switch (IMM) {
> > ATOMIC_ALU_OP(BPF_ADD, add)
> > ATOMIC_ALU_OP(BPF_AND, and)
>
> STX_ATOMI_[BH] looks wrong.
> It will do atomic64_*() ops in wrong size.
> BPF_INSN_MAP() applies to bpf_opcode_in_insntable()
> and the verifier will allow such new insns.
We still have this check in check_atomic():
if (BPF_SIZE(insn->code) != BPF_W && BPF_SIZE(insn->code) != BPF_DW) {
verbose(env, "invalid atomic operand size\n");
return -EINVAL;
}
(moved to check_atomic_rmw() in PATCH 2/8)
Looks like it cannot be triggered before this patch, since
STX_ATOMIC_[BH] would've already been rejected by that
bpf_opcode_in_insntable() check before reaching check_atomic().
I agree that the interpreter code handling RMW atomics might now look a
bit confusing though. In v2 I'll refactor that part and/or add comments
to make it clearer in the code that:
* only W and DW are allowed for atomic RMW
* all of B, H, W and DW are allowed for atomic load/store
Thanks,
Peilin Ye
