From: Jiri Olsa <jolsa@redhat.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: davem@davemloft.net, daniel@iogearbox.net, andrii@kernel.org,
paulmck@kernel.org, bpf@vger.kernel.org, kernel-team@fb.com
Subject: Re: [PATCH bpf] bpf: Fix fexit trampoline.
Date: Mon, 22 Mar 2021 00:32:02 +0100 [thread overview]
Message-ID: <YFfXcqnksPsSe0Bv@krava> (raw)
In-Reply-To: <20210316210007.38949-1-alexei.starovoitov@gmail.com>
On Tue, Mar 16, 2021 at 02:00:07PM -0700, Alexei Starovoitov wrote:
> From: Alexei Starovoitov <ast@kernel.org>
>
> The fexit/fmod_ret programs can be attached to kernel functions that can sleep.
> The synchronize_rcu_tasks() will not wait for such tasks to complete.
> In such case the trampoline image will be freed and when the task
> wakes up the return IP will point to freed memory causing the crash.
> Solve this by adding percpu_ref_get/put for the duration of trampoline
> and separate trampoline vs its image life times.
> The "half page" optimization has to be removed, since
> first_half->second_half->first_half transition cannot be guaranteed to
> complete in deterministic time. Every trampoline update becomes a new image.
> The image with fmod_ret or fexit progs will be freed via percpu_ref_kill and
> call_rcu_tasks. Together they will wait for the original function and
> trampoline asm to complete. The trampoline is patched from nop to jmp to skip
> fexit progs. They are freed independently from the trampoline. The image with
> fentry progs only will be freed via call_rcu_tasks_trace+call_rcu_tasks which
> will wait for both sleepable and non-sleepable progs to complete.
>
> Reported-by: Andrii Nakryiko <andrii@kernel.org>
> Fixes: fec56f5890d9 ("bpf: Introduce BPF trampoline")
> Signed-off-by: Alexei Starovoitov <ast@kernel.org>
> Acked-by: Paul E. McKenney <paulmck@kernel.org> # for RCU
> ---
> Without ftrace fix:
> https://patchwork.kernel.org/project/netdevbpf/patch/20210316195815.34714-1-alexei.starovoitov@gmail.com/
> this patch will trigger warn in ftrace.
>
> arch/x86/net/bpf_jit_comp.c | 26 ++++-
> include/linux/bpf.h | 24 +++-
> kernel/bpf/bpf_struct_ops.c | 2 +-
> kernel/bpf/core.c | 4 +-
> kernel/bpf/trampoline.c | 218 +++++++++++++++++++++++++++---------
> 5 files changed, 213 insertions(+), 61 deletions(-)
>
hi,
I'm on bpf/master and I'm triggering warnings below when running together:
# while :; do ./test_progs -t fentry_test ; done
# while :; do ./test_progs -t module_attach ; done
when I revert this patch (plus b90829704780) it seems ok
jirka
---
[ 548.594548] bpf_testmod: loading out-of-tree module taints kernel.
[ 548.600787] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
[ 558.353423] ------------[ cut here ]------------
[ 558.358064] WARNING: CPU: 35 PID: 1572 at kernel/bpf/syscall.c:2516 bpf_tracing_link_release+0x3b/0x40
[ 558.367399] Modules linked in: intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm ipmi_ssif irqbypass rapl mei_me iTCO_wdt intel_cstate wmi_bmof iTCO_ve]
[ 558.409989] CPU: 35 PID: 1572 Comm: test-66 Tainted: G IOE 5.12.0-rc2+ #25
[ 558.418005] Hardware name: Dell Inc. PowerEdge R440/08CYF7, BIOS 1.7.0 12/14/2018
[ 558.425492] RIP: 0010:bpf_tracing_link_release+0x3b/0x40
[ 558.430829] Code: 48 8b 7f 18 e8 26 5c 02 00 85 c0 75 1d 48 8b 7b 48 e8 29 53 02 00 48 8b 7b 50 48 85 ff 74 05 e8 bb f4 ff ff 48 8b 5d f8 c9 c3 <0f> 0b eb df 90 0f 1f 44 00 00 55 48 89 e5 41 54 4f
[ 558.449588] RSP: 0018:ffffc90002107e40 EFLAGS: 00010286
[ 558.454828] RAX: 00000000ffffffed RBX: ffff888105982300 RCX: 0000000000000000
[ 558.461969] RDX: ffff8881132c2540 RSI: 4c376cb4fcbc233e RDI: ffff8881058595d0
[ 558.469110] RBP: ffffc90002107e48 R08: 0000000000000000 R09: 00000000ffff850f
[ 558.476250] R10: 000000000000000a R11: 0000000000000008 R12: ffff888105982300
[ 558.483391] R13: ffff8881040743f8 R14: ffff8881039465a0 R15: ffff888141359440
[ 558.490532] FS: 00007f4232341740(0000) GS:ffff8897e10c0000(0000) knlGS:0000000000000000
[ 558.498625] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 558.504371] CR2: 0000000001ef164d CR3: 000000014b23a002 CR4: 00000000007706e0
[ 558.511505] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 558.518645] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 558.525778] PKRU: 55555554
[ 558.528492] Call Trace:
[ 558.530956] bpf_link_free+0x55/0x80
[ 558.534539] bpf_link_release+0x29/0x70
[ 558.538389] __fput+0x9f/0x250
[ 558.541457] ____fput+0xe/0x10
[ 558.544525] task_work_run+0x64/0xa0
[ 558.548112] exit_to_user_mode_prepare+0x11c/0x120
[ 558.552914] syscall_exit_to_user_mode+0x21/0x40
[ 558.557543] ? __x64_sys_close+0x12/0x40
[ 558.561476] do_syscall_64+0x45/0x50
[ 558.565065] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 558.570125] RIP: 0033:0x7f4232524167
[ 558.573713] Code: 00 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0f
[ 558.592470] RSP: 002b:00007ffd76f88ec8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 558.600047] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007f4232524167
[ 558.607187] RDX: 0000000005824950 RSI: 000000000582ec50 RDI: 0000000000000009
[ 558.614326] RBP: 000000000582ec80 R08: 0000000000000000 R09: 00007ffd76f88df7
[ 558.621466] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 558.628600] R13: 00000000000001c8 R14: 00000000fffffffb R15: 000000000000000b
[ 558.635741] ---[ end trace 878f3b01fdcfe925 ]---
[ 563.521703] ------------[ cut here ]------------
[ 563.526335] WARNING: CPU: 37 PID: 1586 at kernel/trace/ftrace.c:6321 ftrace_module_enable+0x33d/0x370
[ 563.535559] Modules linked in: bpf_testmod(OE+) intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm ipmi_ssif irqbypass rapl mei_me iTCO_wdt intel_cstate]
[ 563.579581] CPU: 37 PID: 1586 Comm: test_progs Tainted: G W IOE 5.12.0-rc2+ #25
[ 563.587862] Hardware name: Dell Inc. PowerEdge R440/08CYF7, BIOS 1.7.0 12/14/2018
[ 563.595348] RIP: 0010:ftrace_module_enable+0x33d/0x370
[ 563.600495] Code: 74 99 48 81 ca 00 00 00 10 49 89 54 24 08 e9 dc fe ff ff 8b 8b 98 01 00 00 48 01 ca 48 39 d0 0f 83 2e fd ff ff e9 65 fd ff ff <0f> 0b e9 be fe ff ff 0f 0b e9 b7 fe ff ff 48 83 7d
[ 563.619249] RSP: 0018:ffffc90002137d18 EFLAGS: 00010206
[ 563.624483] RAX: 0000000000031045 RBX: ffffffffa06793c0 RCX: 000000000000003d
[ 563.631617] RDX: ffff888108eb2080 RSI: ffffffffa06763c0 RDI: 0000000000000000
[ 563.638757] RBP: ffffc90002137d40 R08: ffffffff82b32ea0 R09: 0000000000000000
[ 563.645890] R10: 0000000000000001 R11: 0000000000000000 R12: ffff88810abd2030
[ 563.653027] R13: 61c8864680b583eb R14: 0000000000000003 R15: ffff888115d7d080
[ 563.660166] FS: 00007fcf8c7cb740(0000) GS:ffff8897e1140000(0000) knlGS:0000000000000000
[ 563.668259] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 563.674005] CR2: 000000000159d3d8 CR3: 000000010aad6001 CR4: 00000000007706e0
[ 563.681136] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 563.688270] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 563.695403] PKRU: 55555554
[ 563.698116] Call Trace:
[ 563.700573] load_module+0x2142/0x2610
[ 563.704333] __do_sys_finit_module+0xc2/0x120
[ 563.708700] __x64_sys_finit_module+0x1a/0x20
[ 563.713064] do_syscall_64+0x38/0x50
[ 563.716656] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 563.721715] RIP: 0033:0x7fcf8c8cc55d
[ 563.725302] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d eb 78 0c 00 f8
[ 563.744050] RSP: 002b:00007fffc6d14f38 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 563.751625] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fcf8c8cc55d
[ 563.758764] RDX: 0000000000000000 RSI: 000000000159d3da RDI: 0000000000000004
[ 563.765899] RBP: 0000000000000004 R08: 0000000000000000 R09: 00007fffc6d83000
[ 563.773039] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
[ 563.780174] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 563.787316] ---[ end trace 878f3b01fdcfe926 ]---
[ 563.903431] ------------[ cut here ]------------
[ 563.908057] WARNING: CPU: 32 PID: 1584 at kernel/trace/ftrace.c:1748 __ftrace_hash_rec_update.part.0+0x326/0x430
[ 563.918243] Modules linked in: bpf_testmod(OE) intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm ipmi_ssif irqbypass rapl mei_me iTCO_wdt intel_cstate ]
[ 563.962163] CPU: 32 PID: 1584 Comm: test-38 Tainted: G W IOE 5.12.0-rc2+ #25
[ 563.970172] Hardware name: Dell Inc. PowerEdge R440/08CYF7, BIOS 1.7.0 12/14/2018
[ 563.977658] RIP: 0010:__ftrace_hash_rec_update.part.0+0x326/0x430
[ 563.983757] Code: e7 c4 82 75 ca 49 8b 41 08 e9 30 ff ff ff 49 8b 41 08 4d 85 d2 0f 84 23 ff ff ff 48 0d 00 00 00 10 49 89 41 08 e9 63 fe ff ff <0f> 0b c7 05 2e fa aa 01 01 00 00 00 c7 05 34 fa a0
[ 564.002503] RSP: 0018:ffffc9000212fc48 EFLAGS: 00010246
[ 564.007731] RAX: 0000000000000000 RBX: ffff888115d7d080 RCX: 0000000000000001
[ 564.014873] RDX: 0000000000000003 RSI: ffffffffa06763c0 RDI: 0000000000000000
[ 564.022015] RBP: ffffc9000212fcc0 R08: 0000000000000001 R09: ffff88810abd2030
[ 564.029154] R10: ffff888108eb2080 R11: 0000000000000000 R12: 0000000000000000
[ 564.036288] R13: 0000000000000007 R14: 0000000000000000 R15: 0000000000000003
[ 564.043418] FS: 00007ff79bdeb740(0000) GS:ffff8897e1000000(0000) knlGS:0000000000000000
[ 564.051503] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 564.057250] CR2: 00007ff79c039000 CR3: 000000010baee002 CR4: 00000000007706e0
[ 564.064383] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 564.071515] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 564.078649] PKRU: 55555554
[ 564.081361] Call Trace:
[ 564.083821] ? udp_destruct_sock+0x140/0x140
[ 564.088107] ftrace_hash_rec_update_modify+0x1f/0x80
[ 564.093081] ftrace_hash_move_and_update_ops+0xcf/0x240
[ 564.098314] ? bpf_fentry_test1+0x10/0x10
[ 564.102336] ftrace_set_hash+0x121/0x1d0
[ 564.106275] ? 0xffffffffa052e000
[ 564.109599] ? bpf_fentry_test1+0x10/0x10
[ 564.113620] unregister_ftrace_direct+0x7a/0x200
[ 564.118247] ? bpf_fentry_test1+0x10/0x10
[ 564.122271] bpf_trampoline_update+0x31e/0x3f0
[ 564.126726] ? __radix_tree_delete+0x87/0xf0
[ 564.131005] bpf_trampoline_unlink_prog+0x9c/0x140
[ 564.135808] bpf_tracing_link_release+0x1a/0x40
[ 564.140347] bpf_link_free+0x55/0x80
[ 564.143935] bpf_link_release+0x29/0x70
[ 564.147784] __fput+0x9f/0x250
[ 564.150851] ____fput+0xe/0x10
[ 564.153911] task_work_run+0x64/0xa0
[ 564.157498] exit_to_user_mode_prepare+0x11c/0x120
[ 564.162299] syscall_exit_to_user_mode+0x21/0x40
[ 564.166928] ? __x64_sys_close+0x12/0x40
[ 564.170863] do_syscall_64+0x45/0x50
[ 564.174451] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 564.179510] RIP: 0033:0x7ff79bfce167
[ 564.183090] Code: 00 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0f
[ 564.201836] RSP: 002b:00007ffd8a9d85a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 564.209403] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00007ff79bfce167
[ 564.216536] RDX: 0000000007274970 RSI: 0000000007276370 RDI: 000000000000000f
[ 564.223669] RBP: 00000000072763a0 R08: 0000000000000000 R09: 00007ffd8a9d84d7
[ 564.230801] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 564.237936] R13: 00007ff79c039030 R14: 0000000000000002 R15: 0000000000000000
[ 564.245077] ---[ end trace 878f3b01fdcfe927 ]---
[ 564.467617] ------------[ cut here ]------------
[ 564.472245] WARNING: CPU: 32 PID: 1584 at kernel/trace/ftrace.c:5228 unregister_ftrace_direct+0x1df/0x200
[ 564.481814] Modules linked in: bpf_testmod(OE) intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm ipmi_ssif irqbypass rapl mei_me iTCO_wdt intel_cstate ]
[ 564.525736] CPU: 32 PID: 1584 Comm: test-38 Tainted: G W IOE 5.12.0-rc2+ #25
[ 564.533745] Hardware name: Dell Inc. PowerEdge R440/08CYF7, BIOS 1.7.0 12/14/2018
[ 564.541233] RIP: 0010:unregister_ftrace_direct+0x1df/0x200
[ 564.546726] Code: 85 c0 75 0e 31 f6 48 c7 c7 a0 2e b3 82 e8 79 e4 ff ff 48 c7 c7 60 30 b3 82 e8 5d b1 94 00 e9 73 fe ff ff 0f 0b e9 1a ff ff ff <0f> 0b e9 a1 fe ff ff 0f 0b e9 0c ff ff ff 41 be e1
[ 564.565480] RSP: 0018:ffffc9000212fd90 EFLAGS: 00010286
[ 564.570716] RAX: 0000000000000001 RBX: ffffffffa0503000 RCX: ffffffff81954730
[ 564.577860] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff82b32ea0
[ 564.584996] RBP: ffffc9000212fdb8 R08: 0000000000000001 R09: 0000000000000000
[ 564.592128] R10: 0000000000000002 R11: ffff8881067cc790 R12: ffffffff81954730
[ 564.599261] R13: ffff888103ac18e0 R14: 00000000ffffffed R15: ffff888106251140
[ 564.606396] FS: 00007ff79bdeb740(0000) GS:ffff8897e1000000(0000) knlGS:0000000000000000
[ 564.614488] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 564.620235] CR2: 00007ff79c039000 CR3: 000000010baee002 CR4: 00000000007706e0
[ 564.627368] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 564.634500] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 564.641633] PKRU: 55555554
[ 564.644345] Call Trace:
[ 564.646800] ? bpf_fentry_test2+0x10/0x10
[ 564.650821] bpf_trampoline_update+0x31e/0x3f0
[ 564.655275] ? __radix_tree_delete+0x87/0xf0
[ 564.659558] bpf_trampoline_unlink_prog+0x9c/0x140
[ 564.664359] bpf_tracing_link_release+0x1a/0x40
[ 564.668900] bpf_link_free+0x55/0x80
[ 564.672486] bpf_link_release+0x29/0x70
[ 564.676333] __fput+0x9f/0x250
[ 564.679395] ____fput+0xe/0x10
[ 564.682462] task_work_run+0x64/0xa0
[ 564.686051] exit_to_user_mode_prepare+0x11c/0x120
[ 564.690869] syscall_exit_to_user_mode+0x21/0x40
[ 564.695502] ? __x64_sys_close+0x12/0x40
[ 564.699442] do_syscall_64+0x45/0x50
[ 564.703029] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 564.708089] RIP: 0033:0x7ff79bfce167
[ 564.711669] Code: 00 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0f
[ 564.730422] RSP: 002b:00007ffd8a9d85a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 564.737989] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 00007ff79bfce167
[ 564.745121] RDX: 0000000007274970 RSI: 00000000072763a0 RDI: 0000000000000010
[ 564.752254] RBP: 00000000072763d0 R08: 0000000000000000 R09: 00007ffd8a9d84d7
[ 564.759387] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 564.766520] R13: 00007ff79c039030 R14: 0000000000000002 R15: 0000000000000000
[ 564.773655] ---[ end trace 878f3b01fdcfe928 ]---
[ 565.117608] ------------[ cut here ]------------
next prev parent reply other threads:[~2021-03-21 23:32 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-16 21:00 [PATCH bpf] bpf: Fix fexit trampoline Alexei Starovoitov
2021-03-17 23:30 ` patchwork-bot+netdevbpf
2021-03-21 23:32 ` Jiri Olsa [this message]
2021-03-22 16:24 ` Jiri Olsa
2021-03-22 18:53 ` Jiri Olsa
2021-03-23 12:59 ` Steven Rostedt
2021-03-23 14:50 ` Alexei Starovoitov
2021-03-23 20:59 ` Jiri Olsa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YFfXcqnksPsSe0Bv@krava \
--to=jolsa@redhat.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=kernel-team@fb.com \
--cc=paulmck@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).