Re: [PATCH v4 bpf-next 1/9] bpf: introduce bpf_spin_lock

[Alexei Starovoitov <alexei.starovoitov@gmail.com>]

On Fri, Jan 25, 2019 at 02:46:55AM +0100, Jann Horn wrote:
> On Fri, Jan 25, 2019 at 2:22 AM Paul E. McKenney <paulmck@linux.ibm.com> wrote:
> > On Thu, Jan 24, 2019 at 04:05:16PM -0800, Alexei Starovoitov wrote:
> > > On Thu, Jan 24, 2019 at 03:42:32PM -0800, Paul E. McKenney wrote:
> > > > On Thu, Jan 24, 2019 at 07:56:52PM +0100, Peter Zijlstra wrote:
> > > > > On Thu, Jan 24, 2019 at 07:01:09PM +0100, Peter Zijlstra wrote:
> > > > > >
> > > > > > Thanks for having kernel/locking people on Cc...
> > > > > >
> > > > > > On Wed, Jan 23, 2019 at 08:13:55PM -0800, Alexei Starovoitov wrote:
> > > > > >
> > > > > > > Implementation details:
> > > > > > > - on !SMP bpf_spin_lock() becomes nop
> > > > > >
> > > > > > Because no BPF program is preemptible? I don't see any assertions or
> > > > > > even a comment that says this code is non-preemptible.
> > > > > >
> > > > > > AFAICT some of the BPF_RUN_PROG things are under rcu_read_lock() only,
> > > > > > which is not sufficient.
> > > > > >
> > > > > > > - on architectures that don't support queued_spin_lock trivial lock is used.
> > > > > > >   Note that arch_spin_lock cannot be used, since not all archs agree that
> > > > > > >   zero == unlocked and sizeof(arch_spinlock_t) != sizeof(__u32).
> > > > > >
> > > > > > I really don't much like direct usage of qspinlock; esp. not as a
> > > > > > surprise.
> > > >
> > > > Substituting the lightweight-reader SRCU as discussed earlier would allow
> > > > use of a more generic locking primitive, for example, one that allowed
> > > > blocking, at least in cases were the context allowed this.
> > > >
> > > > git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu.git
> > > > branch srcu-lr.2019.01.16a.
> > > >
> > > > One advantage of a more generic locking primitive would be keeping BPF
> > > > programs independent of internal changes to spinlock primitives.
> > >
> > > Let's keep "srcu in bpf" discussion separate from bpf_spin_lock discussion.
> > > bpf is not switching to srcu any time soon.
> > > If/when it happens it will be only for certain prog+map types
> > > like bpf syscall probes that need to be able to do copy_from_user
> > > from bpf prog.
> >
> > Hmmm...  What prevents BPF programs from looping infinitely within an
> > RCU reader, and as you noted, preemption disabled?
> >
> > If BPF programs are in fact allowed to loop infinitely, it would be
> > very good for the health of the kernel to have preemption enabled.
> > And to be within an SRCU read-side critical section instead of an RCU
> > read-side critical section.
> 
> The BPF verifier prevents loops; this is in push_insn() in
> kernel/bpf/verifier.c, which errors out with -EINVAL when a back edge
> is encountered. For non-root programs, that limits the maximum number
> of instructions per eBPF engine execution to
> BPF_MAXINSNS*MAX_TAIL_CALL_CNT==4096*32==131072 (but that includes
> call instructions, which can cause relatively expensive operations
> like hash table lookups).

correct.

> For programs created with CAP_SYS_ADMIN,
> things get more tricky because you can create your own functions and
> call them repeatedly; I'm not sure whether the pessimal runtime there
> becomes exponential, or whether there is some check that catches this.

I think you're referring to bpf-to-bpf calls.
The limit it still the same. 4k per program including all calls.
tail calls are not allowed when bpf-to-bpf is used. So no 32 multiplier.

Note that classic bpf has the same 4k limit and it can call
expensive functions too via SKF_AD extensions.