[bpf-next] bpf, verifier: Correct tail_call_reachable for bpf prog

Message ID 20240609073100.42925-1-hffilwlqm@gmail.com (mailing list archive)
State Superseded
Delegated to: BPF


Commit Message

Leon Hwang June 9, 2024, 7:31 a.m. UTC
It's confusing to inspect 'prog->aux->tail_call_reachable' with drgn[0],
when bpf prog has tail call but 'tail_call_reachable' is false.

This patch corrects 'tail_call_reachable' when bpf prog has tail call.

[0] https://github.com/osandov/drgn

Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>
---
 kernel/bpf/verifier.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)


base-commit: 2c6987105026a4395935a3db665c54eb1bafe782

Comments

Yonghong Song June 10, 2024, 5:26 a.m. UTC | #1
On 6/9/24 12:31 AM, Leon Hwang wrote:
> It's confusing to inspect 'prog->aux->tail_call_reachable' with drgn[0],
> when bpf prog has tail call but 'tail_call_reachable' is false.
>
> This patch corrects 'tail_call_reachable' when bpf prog has tail call.
>
> [0] https://github.com/osandov/drgn
>
> Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>
> ---
>   kernel/bpf/verifier.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 81a3d2ced78d5..d7045676246a7 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -2982,8 +2982,10 @@ static int check_subprogs(struct bpf_verifier_env *env)
>   
>   		if (code == (BPF_JMP | BPF_CALL) &&
>   		    insn[i].src_reg == 0 &&
> -		    insn[i].imm == BPF_FUNC_tail_call)
> +		    insn[i].imm == BPF_FUNC_tail_call) {
>   			subprog[cur_subprog].has_tail_call = true;
> +			subprog[cur_subprog].tail_call_reachable = true;

This tail_call_reachable is handled in jit. For example, in arch/x86/net/bpf_jit_comp.c:

static void detect_reg_usage(struct bpf_insn *insn, int insn_cnt,
                              bool *regs_used, bool *tail_call_seen)
{
         int i;

         for (i = 1; i <= insn_cnt; i++, insn++) {
                 if (insn->code == (BPF_JMP | BPF_TAIL_CALL))
                         *tail_call_seen = true;
                 if (insn->dst_reg == BPF_REG_6 || insn->src_reg == BPF_REG_6)
                         regs_used[0] = true;
                 if (insn->dst_reg == BPF_REG_7 || insn->src_reg == BPF_REG_7)
                         regs_used[1] = true;
                 if (insn->dst_reg == BPF_REG_8 || insn->src_reg == BPF_REG_8)
                         regs_used[2] = true;
                 if (insn->dst_reg == BPF_REG_9 || insn->src_reg == BPF_REG_9)
                         regs_used[3] = true;
         }
}

and

         detect_reg_usage(insn, insn_cnt, callee_regs_used,
                          &tail_call_seen);
         
         /* tail call's presence in current prog implies it is reachable */
         tail_call_reachable |= tail_call_seen;

I didn't check other architectures. If other arch is similar to x86 w.r.t.
tail_call_reachable marking, your change looks good. But you should also
make changes in jit to remove those redundant checking.

> +		}
>   		if (BPF_CLASS(code) == BPF_LD &&
>   		    (BPF_MODE(code) == BPF_ABS || BPF_MODE(code) == BPF_IND))
>   			subprog[cur_subprog].has_ld_abs = true;
>
> base-commit: 2c6987105026a4395935a3db665c54eb1bafe782

Leon Hwang June 10, 2024, 7:12 a.m. UTC | #2
On 10/6/24 13:26, Yonghong Song wrote:
> 
> On 6/9/24 12:31 AM, Leon Hwang wrote:
>> It's confusing to inspect 'prog->aux->tail_call_reachable' with drgn[0],
>> when bpf prog has tail call but 'tail_call_reachable' is false.
>>
>> This patch corrects 'tail_call_reachable' when bpf prog has tail call.
>>
>> [0] https://github.com/osandov/drgn
>>
>> Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>
>> ---
>>   kernel/bpf/verifier.c | 4 +++-
>>   1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index 81a3d2ced78d5..d7045676246a7 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -2982,8 +2982,10 @@ static int check_subprogs(struct
>> bpf_verifier_env *env)
>>             if (code == (BPF_JMP | BPF_CALL) &&
>>               insn[i].src_reg == 0 &&
>> -            insn[i].imm == BPF_FUNC_tail_call)
>> +            insn[i].imm == BPF_FUNC_tail_call) {
>>               subprog[cur_subprog].has_tail_call = true;
>> +            subprog[cur_subprog].tail_call_reachable = true;
> 
> This tail_call_reachable is handled in jit. For example, in
> arch/x86/net/bpf_jit_comp.c:
> 
> static void detect_reg_usage(struct bpf_insn *insn, int insn_cnt,
>                              bool *regs_used, bool *tail_call_seen)
> {
>         int i;
> 
>         for (i = 1; i <= insn_cnt; i++, insn++) {
>                 if (insn->code == (BPF_JMP | BPF_TAIL_CALL))
>                         *tail_call_seen = true;
>                 if (insn->dst_reg == BPF_REG_6 || insn->src_reg ==
> BPF_REG_6)
>                         regs_used[0] = true;
>                 if (insn->dst_reg == BPF_REG_7 || insn->src_reg ==
> BPF_REG_7)
>                         regs_used[1] = true;
>                 if (insn->dst_reg == BPF_REG_8 || insn->src_reg ==
> BPF_REG_8)
>                         regs_used[2] = true;
>                 if (insn->dst_reg == BPF_REG_9 || insn->src_reg ==
> BPF_REG_9)
>                         regs_used[3] = true;
>         }
> }
> 
> and
> 
>         detect_reg_usage(insn, insn_cnt, callee_regs_used,
>                          &tail_call_seen);
>                 /* tail call's presence in current prog implies it is
> reachable */
>         tail_call_reachable |= tail_call_seen;
> 
> I didn't check other architectures. If other arch is similar to x86 w.r.t.
> tail_call_reachable marking, your change looks good. But you should also
> make changes in jit to remove those redundant checking.
> 

By searching tail_call_reachable in arch directory, excluding x86, other
architectures do not check 'prog->aux->tail_call_reachable'.

By checking jit of arm64/loongarch/riscv/s390, they have their own way
to handle tail call, unlike x86's way to detect tail_call_reachable.

I'll send PATCH v2 to remove the redundant detecting in x86 jit.

Thanks,
Leon
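
Added example (not part of the patch or of the kernel source): a simplified user-space model of the two detection sites discussed in this thread, the check_subprogs() test from the hunk and the tail_call_seen loop from the quoted x86 JIT, run over a constructed three-instruction program. The `struct insn` layout, the function names and the premise that verifier fixups rewrite the helper call to the `BPF_JMP | BPF_TAIL_CALL` opcode before the JIT runs are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Opcode and helper-id values as in the kernel headers. */
#define BPF_JMP            0x05
#define BPF_CALL           0x80
#define BPF_TAIL_CALL      0xf0 /* internal opcode, present only after fixups */
#define BPF_FUNC_tail_call 12

struct insn { uint8_t code, dst_reg, src_reg; int32_t imm; }; /* simplified bpf_insn */
struct subprog_flags { bool has_tail_call, tail_call_reachable; };

/* Model of the check_subprogs() test in the hunk; `patched` enables the '+' lines. */
static struct subprog_flags scan_subprog(const struct insn *insn, size_t cnt, bool patched)
{
	struct subprog_flags f = { false, false };

	for (size_t i = 0; i < cnt; i++) {
		if (insn[i].code == (BPF_JMP | BPF_CALL) &&
		    insn[i].src_reg == 0 && /* src_reg != 0 is not a helper call */
		    insn[i].imm == BPF_FUNC_tail_call) {
			f.has_tail_call = true;
			if (patched)
				f.tail_call_reachable = true;
		}
	}
	return f;
}

/* Model of the tail_call_seen part of detect_reg_usage(): it matches the
 * post-fixup opcode, so it never fires on the pre-fixup stream. */
static bool jit_tail_call_seen(const struct insn *insn, size_t cnt)
{
	for (size_t i = 0; i < cnt; i++)
		if (insn[i].code == (BPF_JMP | BPF_TAIL_CALL))
			return true;
	return false;
}

/* Constructed sample: mov r0,0; tail call; exit, before and after fixups. */
static const struct insn pre_fixup[]  = { {0xb7, 0, 0, 0}, {BPF_JMP | BPF_CALL, 0, 0, BPF_FUNC_tail_call}, {0x95, 0, 0, 0} };
static const struct insn post_fixup[] = { {0xb7, 0, 0, 0}, {BPF_JMP | BPF_TAIL_CALL, 0, 0, 0}, {0x95, 0, 0, 0} };

int main(void)
{
	printf("verifier flag unpatched=%d patched=%d, jit tail_call_seen=%d\n",
	       scan_subprog(pre_fixup, 3, false).tail_call_reachable,
	       scan_subprog(pre_fixup, 3, true).tail_call_reachable,
	       jit_tail_call_seen(post_fixup, 3));
	return 0;
}
```

In this model the unpatched scan leaves the flag false while the JIT-side loop still reports a tail call, which is the mismatch the commit message describes when reading the flag from a debugger.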

Patch

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 81a3d2ced78d5..d7045676246a7 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2982,8 +2982,10 @@  static int check_subprogs(struct bpf_verifier_env *env)
 
 		if (code == (BPF_JMP | BPF_CALL) &&
 		    insn[i].src_reg == 0 &&
-		    insn[i].imm == BPF_FUNC_tail_call)
+		    insn[i].imm == BPF_FUNC_tail_call) {
 			subprog[cur_subprog].has_tail_call = true;
+			subprog[cur_subprog].tail_call_reachable = true;
+		}
 		if (BPF_CLASS(code) == BPF_LD &&
 		    (BPF_MODE(code) == BPF_ABS || BPF_MODE(code) == BPF_IND))
 			subprog[cur_subprog].has_ld_abs = true;
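
Review bot: The added `subprog[cur_subprog].tail_call_reachable = true;` needs a justification beyond debugger output: the commit message only says the flag is confusing to read in drgn and does not state whether any consumer of `tail_call_reachable` changes behaviour. As quoted in the thread, the x86 JIT already computes `tail_call_reachable |= tail_call_seen` from its own scan, so once the verifier sets the flag here that scan is redundant; drop it in the same series or say in the commit message that no functional change is intended. A one-line comment above the new assignment explaining why a subprog that contains a tail call counts as reachable would also help, since `has_tail_call` is set on the line just before it and the two flags now look interchangeable at this site.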