Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ebpf cgroupdev program: fix device permission check issue #229

Closed
wants to merge 4 commits into from
Closed

ebpf cgroupdev program: fix device permission check issue #229

wants to merge 4 commits into from

Conversation

oOraph
Copy link
Contributor

@oOraph oOraph commented Nov 7, 2023

Related to:
#227

@oOraph oOraph mentioned this pull request Nov 7, 2023
Open
@elezar elezar requested a review from klueska November 10, 2023 01:41
elezar
elezar reviewed Nov 10, 2023
View reviewed changes
src/nvcgo/internal/cgroup/ebpf.go Outdated
@@ -136,10 +136,10 @@ func (p *program) appendDevice(dev specs.LinuxDeviceCgroup, labelPrefix string)
}
if hasAccess {
p.insts = append(p.insts,
// if (R3 & bpfAccess == 0 /* use R2 as a temp var */) goto next
// if (R3 & bpfAccess != R3 /* use R2 as a temp var */) goto next
asm.Mov.Reg32(asm.R2, asm.R3),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both runc and crun use R1 as a temporary variable here. Could it cause issues that we're using R2 since we're also using R2 in the hasAccess block above?

cc @klueska

Copy link
Contributor Author

@oOraph oOraph Nov 10, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@elezar yes you're right ! Since we erase R2 the bpfType check in the next block will break. Interesting that the issue was never encountered before. Fixing: I'll just use a free register, R6 (I guess using R1 as you suggest would be safe as we have extracted all we needed from the struct)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done, thanks :)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's rather use R1 since to align with the other implementations.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

elezar
elezar requested changes Nov 10, 2023
View reviewed changes
src/nvcgo/internal/cgroup/ebpf.go Outdated
asm.Mov.Reg32(asm.R2, asm.R3),
asm.And.Imm32(asm.R2, bpfAccess),
asm.JEq.Imm(asm.R2, 0, nextBlockSym),
// if (R3 & bpfAccess != R3 /* use R6 as a temp var */) goto next
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's use R1 to align with the crun and runc implementations

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@oOraph
R1 instead of R6
edba9af 
(it's ok, R1 holds the bpf ctx struct, everything has been extracted and stored in other registers)

Signed-off-by: Raphael Glon <[email protected]>
@oOraph oOraph requested a review from elezar November 10, 2023 16:22
@elezar
Add changelog entry
472a3d4 
Signed-off-by: Evan Lezar <[email protected]>
@elezar
Copy link
Member

elezar commented Nov 10, 2023

I have created https://gitlab.com/nvidia/container-toolkit/libnvidia-container/-/merge_requests/235 with these changes since we develop against GitLab. (If you prefer to create your own MR, please do so).

@oOraph
Copy link
Contributor Author

oOraph commented Nov 10, 2023
edited
Loading

I have created https://gitlab.com/nvidia/container-toolkit/libnvidia-container/-/merge_requests/235 with these changes since we develop against GitLab. (If you prefer to create your own MR, please do so).

can't not allowed to push code there

@elezar
Copy link
Member

elezar commented Nov 10, 2023

I have created https://gitlab.com/nvidia/container-toolkit/libnvidia-container/-/merge_requests/235 with these changes since we develop against GitLab. (If you prefer to create your own MR, please do so).

can't not allowed to push code there

No problem. Is it ok if I've pulled the commits overs, or would you prefer I reauthored this?

@oOraph
Copy link
Contributor Author

oOraph commented Nov 10, 2023

my bad done:
https://gitlab.com/nvidia/container-toolkit/libnvidia-container/-/merge_requests/236

@elezar
Copy link
Member

elezar commented Nov 10, 2023

Thanks. I have commented here: https://gitlab.com/nvidia/container-toolkit/libnvidia-container/-/merge_requests/236#note_1643699900

@oOraph
Copy link
Contributor Author

oOraph commented Nov 20, 2023

Closing, this pr, code has been merged, discussion logs available here:
https://gitlab.com/nvidia/container-toolkit/libnvidia-container/-/merge_requests/236

@oOraph oOraph closed this Nov 20, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@elezar elezar elezar approved these changes

@klueska klueska Awaiting requested review from klueska

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@oOraph @elezar