Re: [PATCH v2 bpf-next 3/9] bpf: add generic support for update and delete batch ops

[Yonghong Song]

On 11/21/19 9:50 PM, Brian Vazquez wrote:
> ACK to all the observations, will fix in the next version. There are
> just 2 things might be correct, PTAL.
> 
> On Thu, Nov 21, 2019 at 10:00 AM Yonghong Song <yhs@xxxxxx> wrote:
>>
>>
>>
>> On 11/19/19 11:30 AM, Brian Vazquez wrote:
>>> This commit adds generic support for update and delete batch ops that
>>> can be used for almost all the bpf maps. These commands share the same
>>> UAPI attr that lookup and lookup_and_delete batch ops use and the
>>> syscall commands are:
>>>
>>>     BPF_MAP_UPDATE_BATCH
>>>     BPF_MAP_DELETE_BATCH
>>>
>>> The main difference between update/delete and lookup/lookup_and_delete
>>> batch ops is that for update/delete keys/values must be specified for
>>> userspace and because of that, neither in_batch nor out_batch are used.
>>>
>>> Suggested-by: Stanislav Fomichev <sdf@xxxxxxxxxx>
>>> Signed-off-by: Brian Vazquez <brianvv@xxxxxxxxxx>
>>> Signed-off-by: Yonghong Song <yhs@xxxxxx>
>>> ---
>>>    include/linux/bpf.h      |  10 ++++
>>>    include/uapi/linux/bpf.h |   2 +
>>>    kernel/bpf/syscall.c     | 126 ++++++++++++++++++++++++++++++++++++++-
>>>    3 files changed, 137 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
>>> index 767a823dbac74..96a19e1fd2b5b 100644
>>> --- a/include/linux/bpf.h
>>> +++ b/include/linux/bpf.h
>>> @@ -46,6 +46,10 @@ struct bpf_map_ops {
>>>        int (*map_lookup_and_delete_batch)(struct bpf_map *map,
>>>                                           const union bpf_attr *attr,
>>>                                           union bpf_attr __user *uattr);
>>> +     int (*map_update_batch)(struct bpf_map *map, const union bpf_attr *attr,
>>> +                             union bpf_attr __user *uattr);
>>> +     int (*map_delete_batch)(struct bpf_map *map, const union bpf_attr *attr,
>>> +                             union bpf_attr __user *uattr);
>>>
[...]
>>> +
>>> +             preempt_disable();
>>> +             __this_cpu_inc(bpf_prog_active);
>>> +             rcu_read_lock();
>>> +             err = map->ops->map_delete_elem(map, key);
>>> +             rcu_read_unlock();
>>> +             __this_cpu_dec(bpf_prog_active);
>>> +             preempt_enable();
>>> +             maybe_wait_bpf_programs(map);
>>> +             if (err)
>>> +                     break;
>>> +     }
>>> +     if (copy_to_user(&uattr->batch.count, &cp, sizeof(cp)))
>>> +             err = -EFAULT;
>>
>> If previous err = -EFAULT, even if copy_to_user() succeeded,
>> return value will be -EFAULT, so uattr->batch.count cannot be
>> trusted. So may be do
>>      if (err != -EFAULT && copy_to_user(...))
>>         err = -EFAULT
>> ?
>> There are several other places like this.
> 
> I think whatever the err is, cp contains the right amount of entries
> correctly updated/deleted and the idea is that you should always try
> to copy that value to batch.count, and if that fails when uattr was
> created by libbpf, everything was set to  0.

This is what I mean:
   err = -EFAULT; // from previous error
   if (copy_to_user(&uattr->batch.count, &cp, sizeof(cp)))
     err = -EFAULT;
   return err;
User space will not trust uattr->batch.count even copy_to_user()
is successful since -EFAULT is returned.

There are two ways to address this issue if previous error is -EFAULT,
   1. do not copy_to_user() and return -EFAULT, which is I suggested
      in the above.
   2. go ahead to do copy_to_user() and if it is successful, change
      return value to something different from -EFAULT to indicate
      that uattr->batch.count is valid.

I feel it is important to return actual error code -EFAULT to
user so user knows some fault happens. Returning other error code
may be misleading during debugging.

> 
>>
>>> +err_put:
>>
>> You don't need err_put label in the above.
>>
>>> +     return err;
>>> +}
>>> +int generic_map_update_batch(struct bpf_map *map,
>>> +                          const union bpf_attr *attr,
>>> +                          union bpf_attr __user *uattr)
>>> +{
>>> +     void __user *values = u64_to_user_ptr(attr->batch.values);
>>> +     void __user *keys = u64_to_user_ptr(attr->batch.keys);
>>> +     u32 value_size, cp, max_count;
>>> +     int ufd = attr->map_fd;
>>> +     void *key, *value;
>>> +     struct fd f;
>>> +     int err;
>>> +
>>> +     f = fdget(ufd);
>>> +     if (attr->batch.elem_flags & ~BPF_F_LOCK)
>>> +             return -EINVAL;
>>> +
>>> +     if ((attr->batch.elem_flags & BPF_F_LOCK) &&
>>> +         !map_value_has_spin_lock(map)) {
>>> +             err = -EINVAL;
>>> +             goto err_put;
>>
>> Directly return -EINVAL?
>>
>>> +     }
>>> +
>>> +     value_size = bpf_map_value_size(map);
>>> +
>>> +     max_count = attr->batch.count;
>>> +     if (!max_count)
>>> +             return 0;
>>> +
>>> +     err = -ENOMEM;
>>> +     value = kmalloc(value_size, GFP_USER | __GFP_NOWARN);
>>> +     if (!value)
>>> +             goto err_put;
>>
>> Directly return -ENOMEM?
>>
>>> +
>>> +     for (cp = 0; cp < max_count; cp++) {
>>> +             key = __bpf_copy_key(keys + cp * map->key_size, map->key_size);
>>
>> Do you need to free 'key' after its use?
>>
>>> +             if (IS_ERR(key)) {
>>> +                     err = PTR_ERR(key);
>>> +                     break;
>>> +             }
>>> +             err = -EFAULT;
>>> +             if (copy_from_user(value, values + cp * value_size, value_size))
>>> +                     break;
>>> +
>>> +             err = bpf_map_update_value(map, f, key, value,
>>> +                                        attr->batch.elem_flags);
>>> +
>>> +             if (err)
>>> +                     break;
>>> +     }
>>> +
>>> +     if (copy_to_user(&uattr->batch.count, &cp, sizeof(cp)))
>>> +             err = -EFAULT;
>>
>> Similar to the above comment, if err already -EFAULT, no need
>> to do copy_to_user().
>>
>>> +
>>> +     kfree(value);
>>> +err_put:
>>
>> err_put label is not needed.
>>
>>> +     return err;
>>> +}
>>> +
>>>    static int __generic_map_lookup_batch(struct bpf_map *map,
>>>                                      const union bpf_attr *attr,
>>>                                      union bpf_attr __user *uattr,
>>> @@ -3117,8 +3231,12 @@ static int bpf_map_do_batch(const union bpf_attr *attr,
>>>
>>>        if (cmd == BPF_MAP_LOOKUP_BATCH)
>>>                BPF_DO_BATCH(map->ops->map_lookup_batch);
>>> -     else
>>> +     else if (cmd == BPF_MAP_LOOKUP_AND_DELETE_BATCH)
>>>                BPF_DO_BATCH(map->ops->map_lookup_and_delete_batch);
>>> +     else if (cmd == BPF_MAP_UPDATE_BATCH)
>>> +             BPF_DO_BATCH(map->ops->map_update_batch);
>>> +     else
>>> +             BPF_DO_BATCH(map->ops->map_delete_batch);
>>
>> Also need to check map_get_sys_perms() permissions for these two new
>> commands. Both delete and update needs FMODE_CAN_WRITE permission.
>>
> I also got confused for a moment, the check is correct since is using
> '!=' not '=='
> if (cmd != BPF_MAP_LOOKUP_BATCH &&
>              !(map_get_sys_perms(map, f) & FMODE_CAN_WRITE)) {
> 
> so basically that means that cmd is update,delete or lookup_and_delete
> so we check map_get_sys_perms.

I missed this. Thanks for explanation!