Re: [PATCH bpf-next v1 2/9] bpf: Replace ARG_XXX_OR_NULL with ARG_XXX | PTR_MAYBE_NULL

Hao Luo <haoluo@xxxxxxxxxx> · Tue, 7 Dec 2021 10:52:11 -0800

On Mon, Dec 6, 2021 at 9:45 PM Andrii Nakryiko
<andrii.nakryiko@xxxxxxxxx> wrote:
>
> On Mon, Dec 6, 2021 at 3:22 PM Hao Luo <haoluo@xxxxxxxxxx> wrote:
> >
> > We have introduced a new type to make bpf_arg composable, by
> > reserving high bits of bpf_arg to represent flags of a type.
> >
> > One of the flags is PTR_MAYBE_NULL which indicates a pointer
> > may be NULL. When applying this flag to an arg_type, it means
> > the arg can take NULL pointer. This patch switches the
> > qualified arg_types to use this flag. The arg_types changed
> > in this patch include:
> >
> > 1. ARG_PTR_TO_MAP_VALUE_OR_NULL
> > 2. ARG_PTR_TO_MEM_OR_NULL
> > 3. ARG_PTR_TO_CTX_OR_NULL
> > 4. ARG_PTR_TO_SOCKET_OR_NULL
> > 5. ARG_PTR_TO_ALLOC_MEM_OR_NULL
> > 6. ARG_PTR_TO_STACK_OR_NULL
> >
> > This patch does not eliminate the use of these arg_types, instead
> > it makes them an alias to the 'ARG_XXX | PTR_MAYBE_NULL'.
> >
> > Signed-off-by: Hao Luo <haoluo@xxxxxxxxxx>
> > ---
> >  include/linux/bpf.h   | 15 +++++++++------
> >  kernel/bpf/verifier.c | 39 ++++++++++++++-------------------------
> >  2 files changed, 23 insertions(+), 31 deletions(-)
> >
> > diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> > index d8e6f8cd78a2..b0d063972091 100644
> > --- a/include/linux/bpf.h
> > +++ b/include/linux/bpf.h
[...]
> > @@ -5267,10 +5255,11 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
> >                 err = check_helper_mem_access(env, regno,
> >                                               meta->map_ptr->key_size, false,
> >                                               NULL);
> > -       } else if (arg_type == ARG_PTR_TO_MAP_VALUE ||
> > -                  (arg_type == ARG_PTR_TO_MAP_VALUE_OR_NULL &&
> > -                   !register_is_null(reg)) ||
> > -                  arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE) {
> > +       } else if (base_type(arg_type) == ARG_PTR_TO_MAP_VALUE ||
> > +                  base_type(arg_type) == ARG_PTR_TO_UNINIT_MAP_VALUE) {
> > +               if (type_may_be_null(arg_type) && register_is_null(reg))
> > +                       return err;
> > +
>
> small nit: return 0 would make it clear that we successfully checked
> everything (err is going to be zero here, but you need to scroll quite
> a lot up to check this, so it's a bit annoying).
>

Yes, that makes sense. Will do.

> >                 /* bpf_map_xxx(..., map_ptr, ..., value) call:
> >                  * check [value, value + map->value_size) validity
> >                  */
> > --
> > 2.34.1.400.ga245620fadb-goog
> >