From: Brendan Jackman <jackmanb@google.com>
To: Martin KaFai Lau <kafai@fb.com>
Cc: bpf <bpf@vger.kernel.org>, Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii.nakryiko@gmail.com>,
KP Singh <kpsingh@chromium.org>,
Florent Revest <revest@chromium.org>,
Ilya Leoshkevich <iii@linux.ibm.com>
Subject: Re: [PATCH v4 bpf-next] bpf: Explicitly zero-extend R0 after 32-bit cmpxchg
Date: Wed, 24 Feb 2021 10:32:28 +0100 [thread overview]
Message-ID: <CA+i-1C0NyLrMDiFnD9Jdrs_ww-a7kX7XaEaT1YiyrC5w0LJdXA@mail.gmail.com> (raw)
In-Reply-To: <20210224054757.3b3zfzng2pvqhbf5@kafai-mbp.dhcp.thefacebook.com>
On Wed, 24 Feb 2021 at 06:48, Martin KaFai Lau <kafai@fb.com> wrote:
>
> On Tue, Feb 23, 2021 at 03:08:45PM +0000, Brendan Jackman wrote:
> [ ... ]
>
> > diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
> > index 0ae015ad1e05..dcf18612841b 100644
> > --- a/kernel/bpf/core.c
> > +++ b/kernel/bpf/core.c
> > @@ -2342,6 +2342,10 @@ bool __weak bpf_helper_changes_pkt_data(void *func)
> > /* Return TRUE if the JIT backend wants verifier to enable sub-register usage
> > * analysis code and wants explicit zero extension inserted by verifier.
> > * Otherwise, return FALSE.
> > + *
> > + * The verifier inserts an explicit zero extension after BPF_CMPXCHGs even if
> > + * you don't override this. JITs that don't want these extra insns can detect
> > + * them using insn_is_zext.
> > */
> > bool __weak bpf_jit_needs_zext(void)
> > {
> > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > index 3d34ba492d46..ec1cbd565140 100644
> > --- a/kernel/bpf/verifier.c
> > +++ b/kernel/bpf/verifier.c
> > @@ -11061,8 +11061,16 @@ static int opt_subreg_zext_lo32_rnd_hi32(struct bpf_verifier_env *env,
> > */
> > if (WARN_ON(!(insn.imm & BPF_FETCH)))
> > return -EINVAL;
> > - load_reg = insn.imm == BPF_CMPXCHG ? BPF_REG_0
> > - : insn.src_reg;
> > + /* There should already be a zero-extension inserted after BPF_CMPXCHG. */
> > + if (insn.imm == BPF_CMPXCHG) {
> > + struct bpf_insn *next = &insns[adj_idx + 1];
> > +
> > + if (WARN_ON(!insn_is_zext(next) || next->dst_reg != insn.src_reg))
> > + return -EINVAL;
> > + continue;
> This is to avoid zext_patch again for the JITs with
> bpf_jit_needs_zext() == true.
>
> IIUC, at this point, aux[adj_idx].zext_dst == true which
> means that the check_atomic() has already marked the
> reg0->subreg_def properly.
That's right... sorry I'm not sure if you're implying something here
or just checking understanding?
> > + }
> > +
> > + load_reg = insn.src_reg;
> > } else {
> > load_reg = insn.dst_reg;
> > }
> > @@ -11666,6 +11674,27 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
> > continue;
> > }
> >
> > + /* BPF_CMPXCHG always loads a value into R0, therefore always
> > + * zero-extends. However some archs' equivalent instruction only
> > + * does this load when the comparison is successful. So here we
> > + * add a BPF_ZEXT_REG after every 32-bit CMPXCHG, so that such
> > + * archs' JITs don't need to deal with the issue. Archs that
> > + * don't face this issue may use insn_is_zext to detect and skip
> > + * the added instruction.
> > + */
> > + if (insn->code == (BPF_STX | BPF_W | BPF_ATOMIC) && insn->imm == BPF_CMPXCHG) {
> > + struct bpf_insn zext_patch[2] = { *insn, BPF_ZEXT_REG(BPF_REG_0) };
> Then should this zext_patch only be done for "!bpf_jit_needs_zext()"
> such that the above change in opt_subreg_zext_lo32_rnd_hi32()
> becomes unnecessary?
Yep that would work but I IMO it would be a more fragile expression of
the logic: instead of directly checking whether something was done
we'd be looking at a proxy for another part of the system's behaviour.
I don't think it would win us anything in terms of clarity either?
Thanks for taking a look!
next prev parent reply other threads:[~2021-02-24 9:34 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-23 15:08 [PATCH v4 bpf-next] bpf: Explicitly zero-extend R0 after 32-bit cmpxchg Brendan Jackman
2021-02-24 5:47 ` Martin KaFai Lau
2021-02-24 9:32 ` Brendan Jackman [this message]
2021-02-24 22:14 ` Martin KaFai Lau
2021-03-01 16:48 ` Brendan Jackman
2021-02-24 12:02 ` Ilya Leoshkevich
2021-02-24 14:16 ` Ilya Leoshkevich
2021-02-24 22:34 ` Martin KaFai Lau
2021-02-24 23:07 ` Ilya Leoshkevich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CA+i-1C0NyLrMDiFnD9Jdrs_ww-a7kX7XaEaT1YiyrC5w0LJdXA@mail.gmail.com \
--to=jackmanb@google.com \
--cc=andrii.nakryiko@gmail.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=iii@linux.ibm.com \
--cc=kafai@fb.com \
--cc=kpsingh@chromium.org \
--cc=revest@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).