From: Ilya Leoshkevich <iii@linux.ibm.com>
To: Brendan Jackman <jackmanb@google.com>, bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii.nakryiko@gmail.com>,
KP Singh <kpsingh@chromium.org>,
Florent Revest <revest@chromium.org>
Subject: Re: [PATCH v2 bpf-next] bpf: Explicitly zero-extend R0 after 32-bit cmpxchg
Date: Tue, 16 Feb 2021 20:55:26 +0100 [thread overview]
Message-ID: <7bcfe4bfd5a2c4768fb07908b709e10ec089903b.camel@linux.ibm.com> (raw)
In-Reply-To: <20210216141925.1549405-1-jackmanb@google.com>
On Tue, 2021-02-16 at 14:19 +0000, Brendan Jackman wrote:
> As pointed out by Ilya and explained in the new comment, there's a
> discrepancy between x86 and BPF CMPXCHG semantics: BPF always loads
> the value from memory into r0, while x86 only does so when r0 and the
> value in memory are different. The same issue affects s390.
>
> At first this might sound like pure semantics, but it makes a real
> difference when the comparison is 32-bit, since the load will
> zero-extend r0/rax.
>
> The fix is to explicitly zero-extend rax after doing such a
> CMPXCHG. Since this problem affects multiple archs, this is done in
> the verifier by patching in a BPF_ZEXT_REG instruction after every
> 32-bit cmpxchg. Any archs that don't need such manual zero-extension
> can do a look-ahead with insn_is_zext to skip the unnecessary mov.
>
> Reported-by: Ilya Leoshkevich <iii@linux.ibm.com>
> Fixes: 5ffa25502b5a ("bpf: Add instructions for atomic_[cmp]xchg")
> Signed-off-by: Brendan Jackman <jackmanb@google.com>
> ---
>
> Difference from v1[1]: Now solved centrally in the verifier instead
> of
> specifically for the x86 JIT. Thanks to Ilya and Daniel for the
> suggestions!
>
> [1]
> https://lore.kernel.org/bpf/d7ebaefb-bfd6-a441-3ff2-2fdfe699b1d2@iogearbox.net/T/#t
>
> kernel/bpf/verifier.c | 36
> +++++++++++++++++++
> .../selftests/bpf/verifier/atomic_cmpxchg.c | 25 +++++++++++++
> .../selftests/bpf/verifier/atomic_or.c | 26 ++++++++++++++
> 3 files changed, 87 insertions(+)
I tried this with my s390 atomics patch, and it's working, thanks!
I was thinking whether this could go through the existing zext_dst
flag infrastructure, but it probably won't play too nicely with the
x86_64 JIT, which doesn't override bpf_jit_needs_zext().
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
[...]
next prev parent reply other threads:[~2021-02-16 19:56 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-16 14:19 [PATCH v2 bpf-next] bpf: Explicitly zero-extend R0 after 32-bit cmpxchg Brendan Jackman
2021-02-16 16:30 ` KP Singh
2021-02-16 19:55 ` Ilya Leoshkevich [this message]
2021-02-17 7:51 ` Brendan Jackman
2021-02-17 0:50 ` Daniel Borkmann
2021-02-17 1:43 ` KP Singh
2021-02-17 7:59 ` Brendan Jackman
2021-02-17 8:59 ` Daniel Borkmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7bcfe4bfd5a2c4768fb07908b709e10ec089903b.camel@linux.ibm.com \
--to=iii@linux.ibm.com \
--cc=andrii.nakryiko@gmail.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=jackmanb@google.com \
--cc=kpsingh@chromium.org \
--cc=revest@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.