On Wed, 7 Sept 2022 at 06:27, Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> wrote: > > On Mon, Sep 5, 2022 at 6:14 AM Lorenzo Bianconi <lorenzo@xxxxxxxxxx> wrote: > > +int bpf_ct_set_nat_info(struct nf_conn___init *nfct__ref, > > + union nf_inet_addr *addr, __be16 *port, > > + enum nf_nat_manip_type manip) > > +{ > ... > > @@ -437,6 +483,7 @@ BTF_ID_FLAGS(func, bpf_ct_set_timeout, KF_TRUSTED_ARGS) > > BTF_ID_FLAGS(func, bpf_ct_change_timeout, KF_TRUSTED_ARGS) > > BTF_ID_FLAGS(func, bpf_ct_set_status, KF_TRUSTED_ARGS) > > BTF_ID_FLAGS(func, bpf_ct_change_status, KF_TRUSTED_ARGS) > > +BTF_ID_FLAGS(func, bpf_ct_set_nat_info) > > BTF_SET8_END(nf_ct_kfunc_set) > > Instead of __ref and patch 1 and 2 it would be better to > change the meaning of "trusted_args". > In this case "addr" and "port" are just as "trusted". > They're not refcounted per verifier definition, > but they need to be "trusted" by the helper. > At the end the "trusted_args" flags would mean > "this helper can assume that all pointers can be safely > accessed without worrying about lifetime". So you mean it only forces PTR_TO_BTF_ID to have reg->ref_obj_id > 0? But suppose in the future you have a type that has scalars only. struct foo { int a; int b; ... }; Just data, and this is acquired from a kfunc and released using another kfunc. Now with this new definition you are proposing, verifier ends up allowing PTR_TO_MEM to also be passed to such helpers for the struct foo *. I guess even reg->ref_obj_id check is not enough, user may also pass PTR_TO_MEM | MEM_ALLOC which can be refcounted. It would be easy to forget such subtle details later. What we want to actually force here is 'please give me refcounted PTR_TO_BTF_ID to foo'. So maybe KF_TRUSTED_ARGS should change meaning to what you described, and then a __btf tag should force PTR_TO_BTF_ID. KF_TRUSTED_ARGS then just forces reg->ref_obj_id for PTR_TO_BTF_ID.