* [PATCH bpf-next v3] bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
@ 2021-02-02 13:50 Brendan Jackman
2021-02-03 17:07 ` Yonghong Song
2021-06-27 15:34 ` [BUG soft lockup] " Jiri Olsa
0 siblings, 2 replies; 16+ messages in thread
From: Brendan Jackman @ 2021-02-02 13:50 UTC (permalink / raw)
To: bpf
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, KP Singh,
Florent Revest, John Fastabend, linux-kernel, Brendan Jackman
When BPF_FETCH is set, atomic instructions load a value from memory
into a register. The current verifier code first checks via
check_mem_access whether we can access the memory, and then checks
via check_reg_arg whether we can write into the register.
For loads, check_reg_arg has the side-effect of marking the
register's value as unkonwn, and check_mem_access has the side effect
of propagating bounds from memory to the register. This currently only
takes effect for stack memory.
Therefore with the current order, bounds information is thrown away,
but by simply reversing the order of check_reg_arg
vs. check_mem_access, we can instead propagate bounds smartly.
A simple test is added with an infinite loop that can only be proved
unreachable if this propagation is present. This is implemented both
with C and directly in test_verifier using assembly.
Suggested-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Brendan Jackman <jackmanb@google.com>
---
Difference from v2->v3 [1]:
* Fixed missing ENABLE_ATOMICS_TESTS check.
Difference from v1->v2:
* Reworked commit message to clarify this only affects stack memory
* Added the Suggested-by
* Added a C-based test.
[1]: https://lore.kernel.org/bpf/CA+i-1C2ZWUbGxWJ8kAxbri9rBboyuMaVj_BBhg+2Zf_Su9BOJA@mail.gmail.com/T/#t
kernel/bpf/verifier.c | 32 +++++++++++--------
.../selftests/bpf/prog_tests/atomic_bounds.c | 15 +++++++++
.../selftests/bpf/progs/atomic_bounds.c | 24 ++++++++++++++
.../selftests/bpf/verifier/atomic_bounds.c | 27 ++++++++++++++++
4 files changed, 84 insertions(+), 14 deletions(-)
create mode 100644 tools/testing/selftests/bpf/prog_tests/atomic_bounds.c
create mode 100644 tools/testing/selftests/bpf/progs/atomic_bounds.c
create mode 100644 tools/testing/selftests/bpf/verifier/atomic_bounds.c
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 972fc38eb62d..5e09632efddb 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3665,9 +3665,26 @@ static int check_atomic(struct bpf_verifier_env *env, int insn_idx, struct bpf_i
return -EACCES;
}
+ if (insn->imm & BPF_FETCH) {
+ if (insn->imm == BPF_CMPXCHG)
+ load_reg = BPF_REG_0;
+ else
+ load_reg = insn->src_reg;
+
+ /* check and record load of old value */
+ err = check_reg_arg(env, load_reg, DST_OP);
+ if (err)
+ return err;
+ } else {
+ /* This instruction accesses a memory location but doesn't
+ * actually load it into a register.
+ */
+ load_reg = -1;
+ }
+
/* check whether we can read the memory */
err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
- BPF_SIZE(insn->code), BPF_READ, -1, true);
+ BPF_SIZE(insn->code), BPF_READ, load_reg, true);
if (err)
return err;
@@ -3677,19 +3694,6 @@ static int check_atomic(struct bpf_verifier_env *env, int insn_idx, struct bpf_i
if (err)
return err;
- if (!(insn->imm & BPF_FETCH))
- return 0;
-
- if (insn->imm == BPF_CMPXCHG)
- load_reg = BPF_REG_0;
- else
- load_reg = insn->src_reg;
-
- /* check and record load of old value */
- err = check_reg_arg(env, load_reg, DST_OP);
- if (err)
- return err;
-
return 0;
}
diff --git a/tools/testing/selftests/bpf/prog_tests/atomic_bounds.c b/tools/testing/selftests/bpf/prog_tests/atomic_bounds.c
new file mode 100644
index 000000000000..addf127068e4
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/atomic_bounds.c
@@ -0,0 +1,15 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <test_progs.h>
+
+#include "atomic_bounds.skel.h"
+
+void test_atomic_bounds(void)
+{
+ struct atomic_bounds *skel;
+ __u32 duration = 0;
+
+ skel = atomic_bounds__open_and_load();
+ if (CHECK(!skel, "skel_load", "couldn't load program\n"))
+ return;
+}
diff --git a/tools/testing/selftests/bpf/progs/atomic_bounds.c b/tools/testing/selftests/bpf/progs/atomic_bounds.c
new file mode 100644
index 000000000000..e5fff7fc7f8f
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/atomic_bounds.c
@@ -0,0 +1,24 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include <stdbool.h>
+
+#ifdef ENABLE_ATOMICS_TESTS
+bool skip_tests __attribute((__section__(".data"))) = false;
+#else
+bool skip_tests = true;
+#endif
+
+SEC("fentry/bpf_fentry_test1")
+int BPF_PROG(sub, int x)
+{
+#ifdef ENABLE_ATOMICS_TESTS
+ int a = 0;
+ int b = __sync_fetch_and_add(&a, 1);
+ /* b is certainly 0 here. Can the verifier tell? */
+ while (b)
+ continue;
+#endif
+ return 0;
+}
diff --git a/tools/testing/selftests/bpf/verifier/atomic_bounds.c b/tools/testing/selftests/bpf/verifier/atomic_bounds.c
new file mode 100644
index 000000000000..e82183e4914f
--- /dev/null
+++ b/tools/testing/selftests/bpf/verifier/atomic_bounds.c
@@ -0,0 +1,27 @@
+{
+ "BPF_ATOMIC bounds propagation, mem->reg",
+ .insns = {
+ /* a = 0; */
+ /*
+ * Note this is implemented with two separate instructions,
+ * where you might think one would suffice:
+ *
+ * BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+ *
+ * This is because BPF_ST_MEM doesn't seem to set the stack slot
+ * type to 0 when storing an immediate.
+ */
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
+ /* b = atomic_fetch_add(&a, 1); */
+ BPF_MOV64_IMM(BPF_REG_1, 1),
+ BPF_ATOMIC_OP(BPF_DW, BPF_ADD | BPF_FETCH, BPF_REG_10, BPF_REG_1, -8),
+ /* Verifier should be able to tell that this infinite loop isn't reachable. */
+ /* if (b) while (true) continue; */
+ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, -1),
+ BPF_EXIT_INSN(),
+ },
+ .result = ACCEPT,
+ .result_unpriv = REJECT,
+ .errstr_unpriv = "back-edge",
+},
base-commit: 61ca36c8c4eb3bae35a285b1ae18c514cde65439
--
2.30.0.365.g02bc693789-goog
^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH bpf-next v3] bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
2021-02-02 13:50 [PATCH bpf-next v3] bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH Brendan Jackman
@ 2021-02-03 17:07 ` Yonghong Song
2021-02-03 17:37 ` Alexei Starovoitov
2021-06-27 15:34 ` [BUG soft lockup] " Jiri Olsa
1 sibling, 1 reply; 16+ messages in thread
From: Yonghong Song @ 2021-02-03 17:07 UTC (permalink / raw)
To: Brendan Jackman, bpf
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, KP Singh,
Florent Revest, John Fastabend, linux-kernel
On 2/2/21 5:50 AM, Brendan Jackman wrote:
> When BPF_FETCH is set, atomic instructions load a value from memory
> into a register. The current verifier code first checks via
> check_mem_access whether we can access the memory, and then checks
> via check_reg_arg whether we can write into the register.
>
> For loads, check_reg_arg has the side-effect of marking the
> register's value as unkonwn, and check_mem_access has the side effect
> of propagating bounds from memory to the register. This currently only
> takes effect for stack memory.
>
> Therefore with the current order, bounds information is thrown away,
> but by simply reversing the order of check_reg_arg
> vs. check_mem_access, we can instead propagate bounds smartly.
>
> A simple test is added with an infinite loop that can only be proved
> unreachable if this propagation is present. This is implemented both
> with C and directly in test_verifier using assembly.
>
> Suggested-by: John Fastabend <john.fastabend@gmail.com>
> Signed-off-by: Brendan Jackman <jackmanb@google.com>
Ack with a nit below.
Acked-by: Yonghong Song <yhs@fb.com>
> ---
>
> Difference from v2->v3 [1]:
>
> * Fixed missing ENABLE_ATOMICS_TESTS check.
>
> Difference from v1->v2:
>
> * Reworked commit message to clarify this only affects stack memory
> * Added the Suggested-by
> * Added a C-based test.
>
> [1]: https://lore.kernel.org/bpf/CA+i-1C2ZWUbGxWJ8kAxbri9rBboyuMaVj_BBhg+2Zf_Su9BOJA@mail.gmail.com/T/#t
>
> kernel/bpf/verifier.c | 32 +++++++++++--------
> .../selftests/bpf/prog_tests/atomic_bounds.c | 15 +++++++++
> .../selftests/bpf/progs/atomic_bounds.c | 24 ++++++++++++++
> .../selftests/bpf/verifier/atomic_bounds.c | 27 ++++++++++++++++
> 4 files changed, 84 insertions(+), 14 deletions(-)
> create mode 100644 tools/testing/selftests/bpf/prog_tests/atomic_bounds.c
> create mode 100644 tools/testing/selftests/bpf/progs/atomic_bounds.c
> create mode 100644 tools/testing/selftests/bpf/verifier/atomic_bounds.c
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 972fc38eb62d..5e09632efddb 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -3665,9 +3665,26 @@ static int check_atomic(struct bpf_verifier_env *env, int insn_idx, struct bpf_i
> return -EACCES;
> }
>
> + if (insn->imm & BPF_FETCH) {
> + if (insn->imm == BPF_CMPXCHG)
> + load_reg = BPF_REG_0;
> + else
> + load_reg = insn->src_reg;
> +
> + /* check and record load of old value */
> + err = check_reg_arg(env, load_reg, DST_OP);
> + if (err)
> + return err;
> + } else {
> + /* This instruction accesses a memory location but doesn't
> + * actually load it into a register.
> + */
> + load_reg = -1;
> + }
> +
> /* check whether we can read the memory */
> err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
> - BPF_SIZE(insn->code), BPF_READ, -1, true);
> + BPF_SIZE(insn->code), BPF_READ, load_reg, true);
> if (err)
> return err;
>
> @@ -3677,19 +3694,6 @@ static int check_atomic(struct bpf_verifier_env *env, int insn_idx, struct bpf_i
> if (err)
> return err;
>
> - if (!(insn->imm & BPF_FETCH))
> - return 0;
> -
> - if (insn->imm == BPF_CMPXCHG)
> - load_reg = BPF_REG_0;
> - else
> - load_reg = insn->src_reg;
> -
> - /* check and record load of old value */
> - err = check_reg_arg(env, load_reg, DST_OP);
> - if (err)
> - return err;
> -
> return 0;
> }
>
> diff --git a/tools/testing/selftests/bpf/prog_tests/atomic_bounds.c b/tools/testing/selftests/bpf/prog_tests/atomic_bounds.c
> new file mode 100644
> index 000000000000..addf127068e4
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/atomic_bounds.c
> @@ -0,0 +1,15 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +#include <test_progs.h>
> +
> +#include "atomic_bounds.skel.h"
> +
> +void test_atomic_bounds(void)
> +{
> + struct atomic_bounds *skel;
> + __u32 duration = 0;
> +
> + skel = atomic_bounds__open_and_load();
> + if (CHECK(!skel, "skel_load", "couldn't load program\n"))
> + return;
You are missing
atomic_bounds__destroy(skel);
here.
> +}
> diff --git a/tools/testing/selftests/bpf/progs/atomic_bounds.c b/tools/testing/selftests/bpf/progs/atomic_bounds.c
> new file mode 100644
> index 000000000000..e5fff7fc7f8f
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/progs/atomic_bounds.c
> @@ -0,0 +1,24 @@
> +// SPDX-License-Identifier: GPL-2.0
> +#include <linux/bpf.h>
> +#include <bpf/bpf_helpers.h>
> +#include <bpf/bpf_tracing.h>
> +#include <stdbool.h>
> +
> +#ifdef ENABLE_ATOMICS_TESTS
> +bool skip_tests __attribute((__section__(".data"))) = false;
> +#else
> +bool skip_tests = true;
> +#endif
> +
> +SEC("fentry/bpf_fentry_test1")
> +int BPF_PROG(sub, int x)
> +{
> +#ifdef ENABLE_ATOMICS_TESTS
> + int a = 0;
> + int b = __sync_fetch_and_add(&a, 1);
> + /* b is certainly 0 here. Can the verifier tell? */
> + while (b)
> + continue;
> +#endif
> + return 0;
> +}
[...]
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH bpf-next v3] bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
2021-02-03 17:07 ` Yonghong Song
@ 2021-02-03 17:37 ` Alexei Starovoitov
0 siblings, 0 replies; 16+ messages in thread
From: Alexei Starovoitov @ 2021-02-03 17:37 UTC (permalink / raw)
To: Yonghong Song
Cc: Brendan Jackman, bpf, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, KP Singh, Florent Revest, John Fastabend, LKML
On Wed, Feb 3, 2021 at 9:07 AM Yonghong Song <yhs@fb.com> wrote:
>
>
>
> On 2/2/21 5:50 AM, Brendan Jackman wrote:
> > When BPF_FETCH is set, atomic instructions load a value from memory
> > into a register. The current verifier code first checks via
> > check_mem_access whether we can access the memory, and then checks
> > via check_reg_arg whether we can write into the register.
> >
> > For loads, check_reg_arg has the side-effect of marking the
> > register's value as unkonwn, and check_mem_access has the side effect
> > of propagating bounds from memory to the register. This currently only
> > takes effect for stack memory.
> >
> > Therefore with the current order, bounds information is thrown away,
> > but by simply reversing the order of check_reg_arg
> > vs. check_mem_access, we can instead propagate bounds smartly.
> >
> > A simple test is added with an infinite loop that can only be proved
> > unreachable if this propagation is present. This is implemented both
> > with C and directly in test_verifier using assembly.
> >
> > Suggested-by: John Fastabend <john.fastabend@gmail.com>
> > Signed-off-by: Brendan Jackman <jackmanb@google.com>
>
> Ack with a nit below.
Sorry it was already applied yesterday.
patchbot just didn't send auto-reply.
^ permalink raw reply [flat|nested] 16+ messages in thread
* [BUG soft lockup] Re: [PATCH bpf-next v3] bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
2021-02-02 13:50 [PATCH bpf-next v3] bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH Brendan Jackman
2021-02-03 17:07 ` Yonghong Song
@ 2021-06-27 15:34 ` Jiri Olsa
2021-06-28 9:21 ` Brendan Jackman
1 sibling, 1 reply; 16+ messages in thread
From: Jiri Olsa @ 2021-06-27 15:34 UTC (permalink / raw)
To: Brendan Jackman
Cc: bpf, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
KP Singh, Florent Revest, John Fastabend, linux-kernel,
Naveen N. Rao, Sandipan Das
On Tue, Feb 02, 2021 at 01:50:02PM +0000, Brendan Jackman wrote:
SNIP
> diff --git a/tools/testing/selftests/bpf/verifier/atomic_bounds.c b/tools/testing/selftests/bpf/verifier/atomic_bounds.c
> new file mode 100644
> index 000000000000..e82183e4914f
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/verifier/atomic_bounds.c
> @@ -0,0 +1,27 @@
> +{
> + "BPF_ATOMIC bounds propagation, mem->reg",
> + .insns = {
> + /* a = 0; */
> + /*
> + * Note this is implemented with two separate instructions,
> + * where you might think one would suffice:
> + *
> + * BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
> + *
> + * This is because BPF_ST_MEM doesn't seem to set the stack slot
> + * type to 0 when storing an immediate.
> + */
> + BPF_MOV64_IMM(BPF_REG_0, 0),
> + BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
> + /* b = atomic_fetch_add(&a, 1); */
> + BPF_MOV64_IMM(BPF_REG_1, 1),
> + BPF_ATOMIC_OP(BPF_DW, BPF_ADD | BPF_FETCH, BPF_REG_10, BPF_REG_1, -8),
> + /* Verifier should be able to tell that this infinite loop isn't reachable. */
> + /* if (b) while (true) continue; */
> + BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, -1),
> + BPF_EXIT_INSN(),
> + },
> + .result = ACCEPT,
> + .result_unpriv = REJECT,
> + .errstr_unpriv = "back-edge",
> +},
>
> base-commit: 61ca36c8c4eb3bae35a285b1ae18c514cde65439
> --
> 2.30.0.365.g02bc693789-goog
>
hi,
I tracked soft lock up on powerpc to this test:
[root@ibm-p9z-07-lp1 bpf]# ./test_verifier 25
#25/u BPF_ATOMIC bounds propagation, mem->reg SKIP
#25/p BPF_ATOMIC bounds propagation, mem->reg
Message from syslogd@ibm-p9z-07-lp1 at Jun 27 11:24:34 ...
kernel:watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_verifier:1055]
Message from syslogd@ibm-p9z-07-lp1 at Jun 27 11:25:04 ...
kernel:watchdog: BUG: soft lockup - CPU#2 stuck for 48s! [test_verifier:1055]
please check the console output below.. it looks like the verifier
allowed the loop to happen for some reason on powerpc.. any idea?
I'm on latest bpf-next/master, I can send the config if needed
thanks,
jirka
---
ibm-p9z-07-lp1 login: [ 184.108655] watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_verifier:1055]
[ 184.108679] Modules linked in: snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_seq_device(E) snd_timer(E) snd(E) soundcore(E) bonding(E) tls(E) rfkill(E) pseries_rng(E) drm(E) fuse(E) drm_panel_orientation_quirks(E) xfs(E) libcrc32c(E) sd_mod(E) t10_pi(E) ibmvscsi(E) ibmveth(E) scsi_transport_srp(E) vmx_crypto(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E)
[ 184.108722] CPU: 2 PID: 1055 Comm: test_verifier Tainted: G E 5.13.0-rc3+ #3
[ 184.108728] NIP: c00800000131314c LR: c000000000c56918 CTR: c008000001313118
[ 184.108733] REGS: c0000000119ef820 TRAP: 0900 Tainted: G E (5.13.0-rc3+)
[ 184.108739] MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 44222840 XER: 20040003
[ 184.108752] CFAR: c008000001313150 IRQMASK: 0
[ 184.108752] GPR00: c000000000c5671c c0000000119efac0 c000000002a08400 0000000000000001
[ 184.108752] GPR04: c0080000010c0048 ffffffffffffffff 0000000001f3f8ec 0000000000000008
[ 184.108752] GPR08: 0000000000000000 c0000000119efae8 0000000000000001 49adb8fcb8417937
[ 184.108752] GPR12: c008000001313118 c00000001ecae400 0000000000000000 0000000000000000
[ 184.108752] GPR16: 0000000000000000 0000000000000000 0000000000000000 c0000000021cf6f8
[ 184.108752] GPR20: 0000000000000000 c0000000119efc34 c0000000119efc30 c0080000010c0048
[ 184.108752] GPR24: c00000000a1dc100 0000000000000001 c000000011fadc80 c0000000021cf638
[ 184.108752] GPR28: c0080000010c0000 0000000000000001 c0000000021cf638 c0000000119efaf0
[ 184.108812] NIP [c00800000131314c] bpf_prog_a2eb9104e5e8a5bf+0x34/0xcee8
[ 184.108819] LR [c000000000c56918] bpf_test_run+0x2f8/0x470
[ 184.108826] Call Trace:
[ 184.108828] [c0000000119efac0] [c0000000119efb30] 0xc0000000119efb30 (unreliable)
[ 184.108835] [c0000000119efb30] [c000000000c5671c] bpf_test_run+0xfc/0x470
[ 184.108841] [c0000000119efc10] [c000000000c57b6c] bpf_prog_test_run_skb+0x38c/0x660
[ 184.108848] [c0000000119efcb0] [c00000000035de6c] __sys_bpf+0x46c/0xd60
[ 184.108854] [c0000000119efd90] [c00000000035e810] sys_bpf+0x30/0x40
[ 184.108859] [c0000000119efdb0] [c00000000002ea34] system_call_exception+0x144/0x280
[ 184.108866] [c0000000119efe10] [c00000000000c570] system_call_vectored_common+0xf0/0x268
[ 184.108874] --- interrupt: 3000 at 0x7fff8bb3ef24
[ 184.108878] NIP: 00007fff8bb3ef24 LR: 0000000000000000 CTR: 0000000000000000
[ 184.108883] REGS: c0000000119efe80 TRAP: 3000 Tainted: G E (5.13.0-rc3+)
[ 184.108887] MSR: 800000000280f033 <SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 28000848 XER: 00000000
[ 184.108903] IRQMASK: 0
[ 184.108903] GPR00: 0000000000000169 00007fffe4577710 00007fff8bc27200 000000000000000a
[ 184.108903] GPR04: 00007fffe45777b8 0000000000000080 0000000000000001 0000000000000008
[ 184.108903] GPR08: 000000000000000a 0000000000000000 0000000000000000 0000000000000000
[ 184.108903] GPR12: 0000000000000000 00007fff8be1c400 0000000000000000 0000000000000000
[ 184.108903] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 184.108903] GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 184.108903] GPR24: 0000000000000000 0000000000000000 0000000000000000 000000001000d1d0
[ 184.108903] GPR28: 0000000000000002 00007fffe4578128 00007fffe45782c0 00007fffe4577710
[ 184.108960] NIP [00007fff8bb3ef24] 0x7fff8bb3ef24
[ 184.108964] LR [0000000000000000] 0x0
[ 184.108967] --- interrupt: 3000
[ 184.108970] Instruction dump:
[ 184.108974] 60000000 f821ff91 fbe10068 3be10030 39000000 f91ffff8 38600001 393ffff8
[ 184.108985] 7d4048a8 7d4a1a14 7d4049ad 4082fff4 <28230000> 4082fffc 60000000 ebe10068
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [BUG soft lockup] Re: [PATCH bpf-next v3] bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
2021-06-27 15:34 ` [BUG soft lockup] " Jiri Olsa
@ 2021-06-28 9:21 ` Brendan Jackman
2021-06-29 14:10 ` Jiri Olsa
0 siblings, 1 reply; 16+ messages in thread
From: Brendan Jackman @ 2021-06-28 9:21 UTC (permalink / raw)
To: Jiri Olsa
Cc: bpf, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
KP Singh, Florent Revest, John Fastabend, LKML, Naveen N. Rao,
Sandipan Das
On Sun, 27 Jun 2021 at 17:34, Jiri Olsa <jolsa@redhat.com> wrote:
>
> On Tue, Feb 02, 2021 at 01:50:02PM +0000, Brendan Jackman wrote:
>
> SNIP
>
> > diff --git a/tools/testing/selftests/bpf/verifier/atomic_bounds.c b/tools/testing/selftests/bpf/verifier/atomic_bounds.c
> > new file mode 100644
> > index 000000000000..e82183e4914f
> > --- /dev/null
> > +++ b/tools/testing/selftests/bpf/verifier/atomic_bounds.c
> > @@ -0,0 +1,27 @@
> > +{
> > + "BPF_ATOMIC bounds propagation, mem->reg",
> > + .insns = {
> > + /* a = 0; */
> > + /*
> > + * Note this is implemented with two separate instructions,
> > + * where you might think one would suffice:
> > + *
> > + * BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
> > + *
> > + * This is because BPF_ST_MEM doesn't seem to set the stack slot
> > + * type to 0 when storing an immediate.
> > + */
> > + BPF_MOV64_IMM(BPF_REG_0, 0),
> > + BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
> > + /* b = atomic_fetch_add(&a, 1); */
> > + BPF_MOV64_IMM(BPF_REG_1, 1),
> > + BPF_ATOMIC_OP(BPF_DW, BPF_ADD | BPF_FETCH, BPF_REG_10, BPF_REG_1, -8),
> > + /* Verifier should be able to tell that this infinite loop isn't reachable. */
> > + /* if (b) while (true) continue; */
> > + BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, -1),
> > + BPF_EXIT_INSN(),
> > + },
> > + .result = ACCEPT,
> > + .result_unpriv = REJECT,
> > + .errstr_unpriv = "back-edge",
> > +},
> >
> > base-commit: 61ca36c8c4eb3bae35a285b1ae18c514cde65439
> > --
> > 2.30.0.365.g02bc693789-goog
> >
>
> hi,
> I tracked soft lock up on powerpc to this test:
>
> [root@ibm-p9z-07-lp1 bpf]# ./test_verifier 25
> #25/u BPF_ATOMIC bounds propagation, mem->reg SKIP
> #25/p BPF_ATOMIC bounds propagation, mem->reg
>
> Message from syslogd@ibm-p9z-07-lp1 at Jun 27 11:24:34 ...
> kernel:watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_verifier:1055]
>
> Message from syslogd@ibm-p9z-07-lp1 at Jun 27 11:25:04 ...
> kernel:watchdog: BUG: soft lockup - CPU#2 stuck for 48s! [test_verifier:1055]
>
> please check the console output below.. it looks like the verifier
> allowed the loop to happen for some reason on powerpc.. any idea?
>
> I'm on latest bpf-next/master, I can send the config if needed
>
> thanks,
> jirka
>
>
> ---
> ibm-p9z-07-lp1 login: [ 184.108655] watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_verifier:1055]
> [ 184.108679] Modules linked in: snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_seq_device(E) snd_timer(E) snd(E) soundcore(E) bonding(E) tls(E) rfkill(E) pseries_rng(E) drm(E) fuse(E) drm_panel_orientation_quirks(E) xfs(E) libcrc32c(E) sd_mod(E) t10_pi(E) ibmvscsi(E) ibmveth(E) scsi_transport_srp(E) vmx_crypto(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E)
> [ 184.108722] CPU: 2 PID: 1055 Comm: test_verifier Tainted: G E 5.13.0-rc3+ #3
> [ 184.108728] NIP: c00800000131314c LR: c000000000c56918 CTR: c008000001313118
> [ 184.108733] REGS: c0000000119ef820 TRAP: 0900 Tainted: G E (5.13.0-rc3+)
> [ 184.108739] MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 44222840 XER: 20040003
> [ 184.108752] CFAR: c008000001313150 IRQMASK: 0
> [ 184.108752] GPR00: c000000000c5671c c0000000119efac0 c000000002a08400 0000000000000001
> [ 184.108752] GPR04: c0080000010c0048 ffffffffffffffff 0000000001f3f8ec 0000000000000008
> [ 184.108752] GPR08: 0000000000000000 c0000000119efae8 0000000000000001 49adb8fcb8417937
> [ 184.108752] GPR12: c008000001313118 c00000001ecae400 0000000000000000 0000000000000000
> [ 184.108752] GPR16: 0000000000000000 0000000000000000 0000000000000000 c0000000021cf6f8
> [ 184.108752] GPR20: 0000000000000000 c0000000119efc34 c0000000119efc30 c0080000010c0048
> [ 184.108752] GPR24: c00000000a1dc100 0000000000000001 c000000011fadc80 c0000000021cf638
> [ 184.108752] GPR28: c0080000010c0000 0000000000000001 c0000000021cf638 c0000000119efaf0
> [ 184.108812] NIP [c00800000131314c] bpf_prog_a2eb9104e5e8a5bf+0x34/0xcee8
> [ 184.108819] LR [c000000000c56918] bpf_test_run+0x2f8/0x470
> [ 184.108826] Call Trace:
> [ 184.108828] [c0000000119efac0] [c0000000119efb30] 0xc0000000119efb30 (unreliable)
> [ 184.108835] [c0000000119efb30] [c000000000c5671c] bpf_test_run+0xfc/0x470
> [ 184.108841] [c0000000119efc10] [c000000000c57b6c] bpf_prog_test_run_skb+0x38c/0x660
> [ 184.108848] [c0000000119efcb0] [c00000000035de6c] __sys_bpf+0x46c/0xd60
> [ 184.108854] [c0000000119efd90] [c00000000035e810] sys_bpf+0x30/0x40
> [ 184.108859] [c0000000119efdb0] [c00000000002ea34] system_call_exception+0x144/0x280
> [ 184.108866] [c0000000119efe10] [c00000000000c570] system_call_vectored_common+0xf0/0x268
> [ 184.108874] --- interrupt: 3000 at 0x7fff8bb3ef24
> [ 184.108878] NIP: 00007fff8bb3ef24 LR: 0000000000000000 CTR: 0000000000000000
> [ 184.108883] REGS: c0000000119efe80 TRAP: 3000 Tainted: G E (5.13.0-rc3+)
> [ 184.108887] MSR: 800000000280f033 <SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 28000848 XER: 00000000
> [ 184.108903] IRQMASK: 0
> [ 184.108903] GPR00: 0000000000000169 00007fffe4577710 00007fff8bc27200 000000000000000a
> [ 184.108903] GPR04: 00007fffe45777b8 0000000000000080 0000000000000001 0000000000000008
> [ 184.108903] GPR08: 000000000000000a 0000000000000000 0000000000000000 0000000000000000
> [ 184.108903] GPR12: 0000000000000000 00007fff8be1c400 0000000000000000 0000000000000000
> [ 184.108903] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> [ 184.108903] GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> [ 184.108903] GPR24: 0000000000000000 0000000000000000 0000000000000000 000000001000d1d0
> [ 184.108903] GPR28: 0000000000000002 00007fffe4578128 00007fffe45782c0 00007fffe4577710
> [ 184.108960] NIP [00007fff8bb3ef24] 0x7fff8bb3ef24
> [ 184.108964] LR [0000000000000000] 0x0
> [ 184.108967] --- interrupt: 3000
> [ 184.108970] Instruction dump:
> [ 184.108974] 60000000 f821ff91 fbe10068 3be10030 39000000 f91ffff8 38600001 393ffff8
> [ 184.108985] 7d4048a8 7d4a1a14 7d4049ad 4082fff4 <28230000> 4082fffc 60000000 ebe10068
Hmm, is the test prog from atomic_bounds.c getting JITed there (my
dumb guess at what '0xc0000000119efb30 (unreliable)' means)? That
shouldn't happen - should get 'eBPF filter atomic op code %02x (@%d)
unsupported\n' in dmesg instead. I wonder if I missed something in
commit 91c960b0056 (bpf: Rename BPF_XADD and prepare to encode other
atomics in .imm). Any idea if this test was ever passing on PowerPC?
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [BUG soft lockup] Re: [PATCH bpf-next v3] bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
2021-06-28 9:21 ` Brendan Jackman
@ 2021-06-29 14:10 ` Jiri Olsa
2021-06-29 16:04 ` Jiri Olsa
0 siblings, 1 reply; 16+ messages in thread
From: Jiri Olsa @ 2021-06-29 14:10 UTC (permalink / raw)
To: Brendan Jackman
Cc: bpf, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
KP Singh, Florent Revest, John Fastabend, LKML, Naveen N. Rao,
Sandipan Das
On Mon, Jun 28, 2021 at 11:21:42AM +0200, Brendan Jackman wrote:
> On Sun, 27 Jun 2021 at 17:34, Jiri Olsa <jolsa@redhat.com> wrote:
> >
> > On Tue, Feb 02, 2021 at 01:50:02PM +0000, Brendan Jackman wrote:
> >
> > SNIP
> >
> > > diff --git a/tools/testing/selftests/bpf/verifier/atomic_bounds.c b/tools/testing/selftests/bpf/verifier/atomic_bounds.c
> > > new file mode 100644
> > > index 000000000000..e82183e4914f
> > > --- /dev/null
> > > +++ b/tools/testing/selftests/bpf/verifier/atomic_bounds.c
> > > @@ -0,0 +1,27 @@
> > > +{
> > > + "BPF_ATOMIC bounds propagation, mem->reg",
> > > + .insns = {
> > > + /* a = 0; */
> > > + /*
> > > + * Note this is implemented with two separate instructions,
> > > + * where you might think one would suffice:
> > > + *
> > > + * BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
> > > + *
> > > + * This is because BPF_ST_MEM doesn't seem to set the stack slot
> > > + * type to 0 when storing an immediate.
> > > + */
> > > + BPF_MOV64_IMM(BPF_REG_0, 0),
> > > + BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
> > > + /* b = atomic_fetch_add(&a, 1); */
> > > + BPF_MOV64_IMM(BPF_REG_1, 1),
> > > + BPF_ATOMIC_OP(BPF_DW, BPF_ADD | BPF_FETCH, BPF_REG_10, BPF_REG_1, -8),
> > > + /* Verifier should be able to tell that this infinite loop isn't reachable. */
> > > + /* if (b) while (true) continue; */
> > > + BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, -1),
> > > + BPF_EXIT_INSN(),
> > > + },
> > > + .result = ACCEPT,
> > > + .result_unpriv = REJECT,
> > > + .errstr_unpriv = "back-edge",
> > > +},
> > >
> > > base-commit: 61ca36c8c4eb3bae35a285b1ae18c514cde65439
> > > --
> > > 2.30.0.365.g02bc693789-goog
> > >
> >
> > hi,
> > I tracked soft lock up on powerpc to this test:
> >
> > [root@ibm-p9z-07-lp1 bpf]# ./test_verifier 25
> > #25/u BPF_ATOMIC bounds propagation, mem->reg SKIP
> > #25/p BPF_ATOMIC bounds propagation, mem->reg
> >
> > Message from syslogd@ibm-p9z-07-lp1 at Jun 27 11:24:34 ...
> > kernel:watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_verifier:1055]
> >
> > Message from syslogd@ibm-p9z-07-lp1 at Jun 27 11:25:04 ...
> > kernel:watchdog: BUG: soft lockup - CPU#2 stuck for 48s! [test_verifier:1055]
> >
> > please check the console output below.. it looks like the verifier
> > allowed the loop to happen for some reason on powerpc.. any idea?
> >
> > I'm on latest bpf-next/master, I can send the config if needed
> >
> > thanks,
> > jirka
> >
> >
> > ---
> > ibm-p9z-07-lp1 login: [ 184.108655] watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_verifier:1055]
> > [ 184.108679] Modules linked in: snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_seq_device(E) snd_timer(E) snd(E) soundcore(E) bonding(E) tls(E) rfkill(E) pseries_rng(E) drm(E) fuse(E) drm_panel_orientation_quirks(E) xfs(E) libcrc32c(E) sd_mod(E) t10_pi(E) ibmvscsi(E) ibmveth(E) scsi_transport_srp(E) vmx_crypto(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E)
> > [ 184.108722] CPU: 2 PID: 1055 Comm: test_verifier Tainted: G E 5.13.0-rc3+ #3
> > [ 184.108728] NIP: c00800000131314c LR: c000000000c56918 CTR: c008000001313118
> > [ 184.108733] REGS: c0000000119ef820 TRAP: 0900 Tainted: G E (5.13.0-rc3+)
> > [ 184.108739] MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 44222840 XER: 20040003
> > [ 184.108752] CFAR: c008000001313150 IRQMASK: 0
> > [ 184.108752] GPR00: c000000000c5671c c0000000119efac0 c000000002a08400 0000000000000001
> > [ 184.108752] GPR04: c0080000010c0048 ffffffffffffffff 0000000001f3f8ec 0000000000000008
> > [ 184.108752] GPR08: 0000000000000000 c0000000119efae8 0000000000000001 49adb8fcb8417937
> > [ 184.108752] GPR12: c008000001313118 c00000001ecae400 0000000000000000 0000000000000000
> > [ 184.108752] GPR16: 0000000000000000 0000000000000000 0000000000000000 c0000000021cf6f8
> > [ 184.108752] GPR20: 0000000000000000 c0000000119efc34 c0000000119efc30 c0080000010c0048
> > [ 184.108752] GPR24: c00000000a1dc100 0000000000000001 c000000011fadc80 c0000000021cf638
> > [ 184.108752] GPR28: c0080000010c0000 0000000000000001 c0000000021cf638 c0000000119efaf0
> > [ 184.108812] NIP [c00800000131314c] bpf_prog_a2eb9104e5e8a5bf+0x34/0xcee8
> > [ 184.108819] LR [c000000000c56918] bpf_test_run+0x2f8/0x470
> > [ 184.108826] Call Trace:
> > [ 184.108828] [c0000000119efac0] [c0000000119efb30] 0xc0000000119efb30 (unreliable)
> > [ 184.108835] [c0000000119efb30] [c000000000c5671c] bpf_test_run+0xfc/0x470
> > [ 184.108841] [c0000000119efc10] [c000000000c57b6c] bpf_prog_test_run_skb+0x38c/0x660
> > [ 184.108848] [c0000000119efcb0] [c00000000035de6c] __sys_bpf+0x46c/0xd60
> > [ 184.108854] [c0000000119efd90] [c00000000035e810] sys_bpf+0x30/0x40
> > [ 184.108859] [c0000000119efdb0] [c00000000002ea34] system_call_exception+0x144/0x280
> > [ 184.108866] [c0000000119efe10] [c00000000000c570] system_call_vectored_common+0xf0/0x268
> > [ 184.108874] --- interrupt: 3000 at 0x7fff8bb3ef24
> > [ 184.108878] NIP: 00007fff8bb3ef24 LR: 0000000000000000 CTR: 0000000000000000
> > [ 184.108883] REGS: c0000000119efe80 TRAP: 3000 Tainted: G E (5.13.0-rc3+)
> > [ 184.108887] MSR: 800000000280f033 <SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 28000848 XER: 00000000
> > [ 184.108903] IRQMASK: 0
> > [ 184.108903] GPR00: 0000000000000169 00007fffe4577710 00007fff8bc27200 000000000000000a
> > [ 184.108903] GPR04: 00007fffe45777b8 0000000000000080 0000000000000001 0000000000000008
> > [ 184.108903] GPR08: 000000000000000a 0000000000000000 0000000000000000 0000000000000000
> > [ 184.108903] GPR12: 0000000000000000 00007fff8be1c400 0000000000000000 0000000000000000
> > [ 184.108903] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> > [ 184.108903] GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> > [ 184.108903] GPR24: 0000000000000000 0000000000000000 0000000000000000 000000001000d1d0
> > [ 184.108903] GPR28: 0000000000000002 00007fffe4578128 00007fffe45782c0 00007fffe4577710
> > [ 184.108960] NIP [00007fff8bb3ef24] 0x7fff8bb3ef24
> > [ 184.108964] LR [0000000000000000] 0x0
> > [ 184.108967] --- interrupt: 3000
> > [ 184.108970] Instruction dump:
> > [ 184.108974] 60000000 f821ff91 fbe10068 3be10030 39000000 f91ffff8 38600001 393ffff8
> > [ 184.108985] 7d4048a8 7d4a1a14 7d4049ad 4082fff4 <28230000> 4082fffc 60000000 ebe10068
>
> Hmm, is the test prog from atomic_bounds.c getting JITed there (my
> dumb guess at what '0xc0000000119efb30 (unreliable)' means)? That
> shouldn't happen - should get 'eBPF filter atomic op code %02x (@%d)
> unsupported\n' in dmesg instead. I wonder if I missed something in
> commit 91c960b0056 (bpf: Rename BPF_XADD and prepare to encode other
> atomics in .imm). Any idea if this test was ever passing on PowerPC?
>
hum, I guess not.. will check
jirka
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [BUG soft lockup] Re: [PATCH bpf-next v3] bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
2021-06-29 14:10 ` Jiri Olsa
@ 2021-06-29 16:04 ` Jiri Olsa
2021-06-29 16:25 ` Brendan Jackman
0 siblings, 1 reply; 16+ messages in thread
From: Jiri Olsa @ 2021-06-29 16:04 UTC (permalink / raw)
To: Brendan Jackman
Cc: bpf, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
KP Singh, Florent Revest, John Fastabend, LKML, Naveen N. Rao,
Sandipan Das
On Tue, Jun 29, 2021 at 04:10:12PM +0200, Jiri Olsa wrote:
> On Mon, Jun 28, 2021 at 11:21:42AM +0200, Brendan Jackman wrote:
> > On Sun, 27 Jun 2021 at 17:34, Jiri Olsa <jolsa@redhat.com> wrote:
> > >
> > > On Tue, Feb 02, 2021 at 01:50:02PM +0000, Brendan Jackman wrote:
> > >
> > > SNIP
> > >
> > > > diff --git a/tools/testing/selftests/bpf/verifier/atomic_bounds.c b/tools/testing/selftests/bpf/verifier/atomic_bounds.c
> > > > new file mode 100644
> > > > index 000000000000..e82183e4914f
> > > > --- /dev/null
> > > > +++ b/tools/testing/selftests/bpf/verifier/atomic_bounds.c
> > > > @@ -0,0 +1,27 @@
> > > > +{
> > > > + "BPF_ATOMIC bounds propagation, mem->reg",
> > > > + .insns = {
> > > > + /* a = 0; */
> > > > + /*
> > > > + * Note this is implemented with two separate instructions,
> > > > + * where you might think one would suffice:
> > > > + *
> > > > + * BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
> > > > + *
> > > > + * This is because BPF_ST_MEM doesn't seem to set the stack slot
> > > > + * type to 0 when storing an immediate.
> > > > + */
> > > > + BPF_MOV64_IMM(BPF_REG_0, 0),
> > > > + BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
> > > > + /* b = atomic_fetch_add(&a, 1); */
> > > > + BPF_MOV64_IMM(BPF_REG_1, 1),
> > > > + BPF_ATOMIC_OP(BPF_DW, BPF_ADD | BPF_FETCH, BPF_REG_10, BPF_REG_1, -8),
> > > > + /* Verifier should be able to tell that this infinite loop isn't reachable. */
> > > > + /* if (b) while (true) continue; */
> > > > + BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, -1),
> > > > + BPF_EXIT_INSN(),
> > > > + },
> > > > + .result = ACCEPT,
> > > > + .result_unpriv = REJECT,
> > > > + .errstr_unpriv = "back-edge",
> > > > +},
> > > >
> > > > base-commit: 61ca36c8c4eb3bae35a285b1ae18c514cde65439
> > > > --
> > > > 2.30.0.365.g02bc693789-goog
> > > >
> > >
> > > hi,
> > > I tracked soft lock up on powerpc to this test:
> > >
> > > [root@ibm-p9z-07-lp1 bpf]# ./test_verifier 25
> > > #25/u BPF_ATOMIC bounds propagation, mem->reg SKIP
> > > #25/p BPF_ATOMIC bounds propagation, mem->reg
> > >
> > > Message from syslogd@ibm-p9z-07-lp1 at Jun 27 11:24:34 ...
> > > kernel:watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_verifier:1055]
> > >
> > > Message from syslogd@ibm-p9z-07-lp1 at Jun 27 11:25:04 ...
> > > kernel:watchdog: BUG: soft lockup - CPU#2 stuck for 48s! [test_verifier:1055]
> > >
> > > please check the console output below.. it looks like the verifier
> > > allowed the loop to happen for some reason on powerpc.. any idea?
> > >
> > > I'm on latest bpf-next/master, I can send the config if needed
> > >
> > > thanks,
> > > jirka
> > >
> > >
> > > ---
> > > ibm-p9z-07-lp1 login: [ 184.108655] watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_verifier:1055]
> > > [ 184.108679] Modules linked in: snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_seq_device(E) snd_timer(E) snd(E) soundcore(E) bonding(E) tls(E) rfkill(E) pseries_rng(E) drm(E) fuse(E) drm_panel_orientation_quirks(E) xfs(E) libcrc32c(E) sd_mod(E) t10_pi(E) ibmvscsi(E) ibmveth(E) scsi_transport_srp(E) vmx_crypto(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E)
> > > [ 184.108722] CPU: 2 PID: 1055 Comm: test_verifier Tainted: G E 5.13.0-rc3+ #3
> > > [ 184.108728] NIP: c00800000131314c LR: c000000000c56918 CTR: c008000001313118
> > > [ 184.108733] REGS: c0000000119ef820 TRAP: 0900 Tainted: G E (5.13.0-rc3+)
> > > [ 184.108739] MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 44222840 XER: 20040003
> > > [ 184.108752] CFAR: c008000001313150 IRQMASK: 0
> > > [ 184.108752] GPR00: c000000000c5671c c0000000119efac0 c000000002a08400 0000000000000001
> > > [ 184.108752] GPR04: c0080000010c0048 ffffffffffffffff 0000000001f3f8ec 0000000000000008
> > > [ 184.108752] GPR08: 0000000000000000 c0000000119efae8 0000000000000001 49adb8fcb8417937
> > > [ 184.108752] GPR12: c008000001313118 c00000001ecae400 0000000000000000 0000000000000000
> > > [ 184.108752] GPR16: 0000000000000000 0000000000000000 0000000000000000 c0000000021cf6f8
> > > [ 184.108752] GPR20: 0000000000000000 c0000000119efc34 c0000000119efc30 c0080000010c0048
> > > [ 184.108752] GPR24: c00000000a1dc100 0000000000000001 c000000011fadc80 c0000000021cf638
> > > [ 184.108752] GPR28: c0080000010c0000 0000000000000001 c0000000021cf638 c0000000119efaf0
> > > [ 184.108812] NIP [c00800000131314c] bpf_prog_a2eb9104e5e8a5bf+0x34/0xcee8
> > > [ 184.108819] LR [c000000000c56918] bpf_test_run+0x2f8/0x470
> > > [ 184.108826] Call Trace:
> > > [ 184.108828] [c0000000119efac0] [c0000000119efb30] 0xc0000000119efb30 (unreliable)
> > > [ 184.108835] [c0000000119efb30] [c000000000c5671c] bpf_test_run+0xfc/0x470
> > > [ 184.108841] [c0000000119efc10] [c000000000c57b6c] bpf_prog_test_run_skb+0x38c/0x660
> > > [ 184.108848] [c0000000119efcb0] [c00000000035de6c] __sys_bpf+0x46c/0xd60
> > > [ 184.108854] [c0000000119efd90] [c00000000035e810] sys_bpf+0x30/0x40
> > > [ 184.108859] [c0000000119efdb0] [c00000000002ea34] system_call_exception+0x144/0x280
> > > [ 184.108866] [c0000000119efe10] [c00000000000c570] system_call_vectored_common+0xf0/0x268
> > > [ 184.108874] --- interrupt: 3000 at 0x7fff8bb3ef24
> > > [ 184.108878] NIP: 00007fff8bb3ef24 LR: 0000000000000000 CTR: 0000000000000000
> > > [ 184.108883] REGS: c0000000119efe80 TRAP: 3000 Tainted: G E (5.13.0-rc3+)
> > > [ 184.108887] MSR: 800000000280f033 <SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 28000848 XER: 00000000
> > > [ 184.108903] IRQMASK: 0
> > > [ 184.108903] GPR00: 0000000000000169 00007fffe4577710 00007fff8bc27200 000000000000000a
> > > [ 184.108903] GPR04: 00007fffe45777b8 0000000000000080 0000000000000001 0000000000000008
> > > [ 184.108903] GPR08: 000000000000000a 0000000000000000 0000000000000000 0000000000000000
> > > [ 184.108903] GPR12: 0000000000000000 00007fff8be1c400 0000000000000000 0000000000000000
> > > [ 184.108903] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> > > [ 184.108903] GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> > > [ 184.108903] GPR24: 0000000000000000 0000000000000000 0000000000000000 000000001000d1d0
> > > [ 184.108903] GPR28: 0000000000000002 00007fffe4578128 00007fffe45782c0 00007fffe4577710
> > > [ 184.108960] NIP [00007fff8bb3ef24] 0x7fff8bb3ef24
> > > [ 184.108964] LR [0000000000000000] 0x0
> > > [ 184.108967] --- interrupt: 3000
> > > [ 184.108970] Instruction dump:
> > > [ 184.108974] 60000000 f821ff91 fbe10068 3be10030 39000000 f91ffff8 38600001 393ffff8
> > > [ 184.108985] 7d4048a8 7d4a1a14 7d4049ad 4082fff4 <28230000> 4082fffc 60000000 ebe10068
> >
> > Hmm, is the test prog from atomic_bounds.c getting JITed there (my
> > dumb guess at what '0xc0000000119efb30 (unreliable)' means)? That
> > shouldn't happen - should get 'eBPF filter atomic op code %02x (@%d)
> > unsupported\n' in dmesg instead. I wonder if I missed something in
> > commit 91c960b0056 (bpf: Rename BPF_XADD and prepare to encode other
I see that for all the other atomics tests:
[root@ibm-p9z-07-lp1 bpf]# ./test_verifier 21
#21/p BPF_ATOMIC_AND without fetch FAIL
Failed to load prog 'Unknown error 524'!
verification time 32 usec
stack depth 8
processed 10 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
Summary: 0 PASSED, 0 SKIPPED, 2 FAILED
console:
[ 51.850952] eBPF filter atomic op code db (@2) unsupported
[ 51.851134] eBPF filter atomic op code db (@2) unsupported
[root@ibm-p9z-07-lp1 bpf]# ./test_verifier 22
#22/u BPF_ATOMIC_AND with fetch FAIL
Failed to load prog 'Unknown error 524'!
verification time 38 usec
stack depth 8
processed 14 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
#22/p BPF_ATOMIC_AND with fetch FAIL
Failed to load prog 'Unknown error 524'!
verification time 26 usec
stack depth 8
processed 14 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
console:
[ 223.231420] eBPF filter atomic op code db (@3) unsupported
[ 223.231596] eBPF filter atomic op code db (@3) unsupported
...
but no such console output for:
[root@ibm-p9z-07-lp1 bpf]# ./test_verifier 24
#24/u BPF_ATOMIC bounds propagation, mem->reg OK
> > atomics in .imm). Any idea if this test was ever passing on PowerPC?
> >
>
> hum, I guess not.. will check
nope, it locks up the same:
ibm-p9z-07-lp1 login: [ 88.070644] watchdog: BUG: soft lockup - CPU#4 stuck for 22s! [test_verifier:950]
[ 88.070674] Modules linked in: snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_seq_device(E) snd_timer(E) snd(E) soundcore(E) bonding(E) tls(E) rfkill(E) pseries_rng(E) drm(E) fuse(E) drm_panel_orientation_quirks(E) xfs(E) libcrc32c(E) sd_mod(E) t10_pi(E) ibmvscsi(E) ibmveth(E) scsi_transport_srp(E) vmx_crypto(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E)
[ 88.070714] CPU: 4 PID: 950 Comm: test_verifier Tainted: G E 5.11.0-rc4+ #4
[ 88.070721] NIP: c0080000017daad8 LR: c000000000c26ea8 CTR: c0080000017daaa0
[ 88.070726] REGS: c000000011407870 TRAP: 0900 Tainted: G E (5.11.0-rc4+)
[ 88.070732] MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 44222840 XER: 20040169
[ 88.070745] CFAR: c0080000017daad8 IRQMASK: 0
[ 88.070745] GPR00: c000000000c26d1c c000000011407b10 c000000002011600 0000000000000001
[ 88.070745] GPR04: c0080000016d0038 ffffffffffffffff 0000000001f3f8ec 0017b1edefe5ad37
[ 88.070745] GPR08: 0000000000000000 c000000011407b38 0000000000000001 f5d4bac969e94f08
[ 88.070745] GPR12: c0080000017daaa0 c00000001ecab400 0000000000000000 0000000000000000
[ 88.070745] GPR16: 000000001003a348 000000001003a3e8 0000000000000000 0000000000000000
[ 88.070745] GPR20: c000000011407c64 c0080000016d0038 c000000011407c60 c000000001734238
[ 88.070745] GPR24: c000000012ce8400 0000000000000001 c000000001734230 c0000000113e9300
[ 88.070745] GPR28: 0000000e5b65166b 0000000000000001 c0080000016d0000 c000000011407b40
[ 88.070807] NIP [c0080000017daad8] bpf_prog_a2eb9104e5e8a5bf+0x38/0x5560
[ 88.070815] LR [c000000000c26ea8] bpf_test_run+0x288/0x470
[ 88.070823] Call Trace:
[ 88.070825] [c000000011407b10] [c000000011407b80] 0xc000000011407b80 (unreliable)
[ 88.070832] [c000000011407b80] [c000000000c26d1c] bpf_test_run+0xfc/0x470
[ 88.070840] [c000000011407c40] [c000000000c2823c] bpf_prog_test_run_skb+0x38c/0x660
[ 88.070846] [c000000011407ce0] [c00000000035896c] __do_sys_bpf+0x4cc/0xf30
[ 88.070853] [c000000011407db0] [c000000000037a14] system_call_exception+0x134/0x230
[ 88.070861] [c000000011407e10] [c00000000000c874] system_call_vectored_common+0xf4/0x26c
[ 88.070869] Instruction dump:
[ 88.070873] f821ff91 fbe10068 3be10030 39000000 f91ffff8 38600001 393ffff8 7d4048a8
[ 88.070886] 7d4a1a14 7d4049ad 4082fff4 28230000 <4082fffc> 60000000 ebe10068 38210070
ibm-p9z-07-lp1 login: [ 121.762511] rcu: INFO: rcu_sched self-detected stall on CPU
[ 121.762536] rcu: 4-....: (5999 ticks this GP) idle=9ee/1/0x4000000000000002 softirq=2299/2299 fqs=2998
[ 121.762546] (t=6000 jiffies g=3681 q=798)
[ 121.762551] NMI backtrace for cpu 4
[ 121.762555] CPU: 4 PID: 950 Comm: test_verifier Tainted: G EL 5.11.0-rc4+ #4
[ 121.762562] Call Trace:
[ 121.762565] [c0000000114072b0] [c0000000007cfe9c] dump_stack+0xc0/0x104 (unreliable)
[ 121.762575] [c000000011407300] [c0000000007dd028] nmi_cpu_backtrace+0xe8/0x130
[ 121.762582] [c000000011407370] [c0000000007dd21c] nmi_trigger_cpumask_backtrace+0x1ac/0x1f0
[ 121.762589] [c000000011407410] [c0000000000718a8] arch_trigger_cpumask_backtrace+0x28/0x40
[ 121.762596] [c000000011407430] [c000000000215740] rcu_dump_cpu_stacks+0x10c/0x168
[ 121.762604] [c000000011407480] [c00000000020b080] print_cpu_stall+0x1d0/0x2a0
[ 121.762611] [c000000011407530] [c00000000020e4d4] check_cpu_stall+0x174/0x340
[ 121.762618] [c000000011407560] [c000000000213b28] rcu_sched_clock_irq+0x98/0x3f0
[ 121.762625] [c0000000114075a0] [c00000000022b974] update_process_times+0xc4/0x150
[ 121.762631] [c0000000114075e0] [c000000000245cec] tick_sched_handle+0x3c/0xd0
[ 121.762638] [c000000011407610] [c000000000246408] tick_sched_timer+0x68/0xe0
[ 121.762645] [c000000011407650] [c00000000022ca18] __hrtimer_run_queues+0x1c8/0x430
[ 121.762652] [c0000000114076f0] [c00000000022ddd4] hrtimer_interrupt+0x124/0x300
[ 121.762658] [c0000000114077a0] [c0000000000286a4] timer_interrupt+0x104/0x290
[ 121.762665] [c000000011407800] [c000000000009978] decrementer_common_virt+0x1c8/0x1d0
[ 121.762673] --- interrupt: 900 at bpf_prog_a2eb9104e5e8a5bf+0x34/0x5560
[ 121.762680] NIP: c0080000017daad4 LR: c000000000c26ea8 CTR: c0080000017daaa0
[ 121.762684] REGS: c000000011407870 TRAP: 0900 Tainted: G EL (5.11.0-rc4+)
[ 121.762689] MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 44222840 XER: 20040169
[ 121.762702] CFAR: c0080000017daad8 IRQMASK: 0
[ 121.762702] GPR00: c000000000c26d1c c000000011407b10 c000000002011600 0000000000000001
[ 121.762702] GPR04: c0080000016d0038 ffffffffffffffff 0000000001f3f8ec 0017b1edefe5ad37
[ 121.762702] GPR08: 0000000000000000 c000000011407b38 0000000000000001 f5d4bac969e94f08
[ 121.762702] GPR12: c0080000017daaa0 c00000001ecab400 0000000000000000 0000000000000000
[ 121.762702] GPR16: 000000001003a348 000000001003a3e8 0000000000000000 0000000000000000
[ 121.762702] GPR20: c000000011407c64 c0080000016d0038 c000000011407c60 c000000001734238
[ 121.762702] GPR24: c000000012ce8400 0000000000000001 c000000001734230 c0000000113e9300
[ 121.762702] GPR28: 0000000e5b65166b 0000000000000001 c0080000016d0000 c000000011407b40
[ 121.762765] NIP [c0080000017daad4] bpf_prog_a2eb9104e5e8a5bf+0x34/0x5560
[ 121.762770] LR [c000000000c26ea8] bpf_test_run+0x288/0x470
[ 121.762777] --- interrupt: 900
[ 121.762779] [c000000011407b10] [c000000011407b80] 0xc000000011407b80 (unreliable)
[ 121.762786] [c000000011407b80] [c000000000c26d1c] bpf_test_run+0xfc/0x470
[ 121.762793] [c000000011407c40] [c000000000c2823c] bpf_prog_test_run_skb+0x38c/0x660
[ 121.762800] [c000000011407ce0] [c00000000035896c] __do_sys_bpf+0x4cc/0xf30
[ 121.762807] [c000000011407db0] [c000000000037a14] system_call_exception+0x134/0x230
[ 121.762814] [c000000011407e10] [c00000000000c874] system_call_vectored_common+0xf4/0x26c
[ 148.073962] watchdog: BUG: soft lockup - CPU#4 stuck for 22s! [test_verifier:950]
[ 148.073990] Modules linked in: snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_seq_device(E) snd_timer(E) snd(E) soundcore(E) bonding(E) tls(E) rfkill(E) pseries_rng(E) drm(E) fuse(E) drm_panel_orientation_quirks(E) xfs(E) libcrc32c(E) sd_mod(E) t10_pi(E) ibmvscsi(E) ibmveth(E) scsi_transport_srp(E) vmx_crypto(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E)
[ 148.074029] CPU: 4 PID: 950 Comm: test_verifier Tainted: G EL 5.11.0-rc4+ #4
[ 148.074036] NIP: c0080000017daad8 LR: c000000000c26ea8 CTR: c0080000017daaa0
[ 148.074041] REGS: c000000011407870 TRAP: 0900 Tainted: G EL (5.11.0-rc4+)
[ 148.074047] MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 44222840 XER: 20040169
[ 148.074060] CFAR: c0080000017daad8 IRQMASK: 0
[ 148.074060] GPR00: c000000000c26d1c c000000011407b10 c000000002011600 0000000000000001
[ 148.074060] GPR04: c0080000016d0038 ffffffffffffffff 0000000001f3f8ec 0017b1edefe5ad37
[ 148.074060] GPR08: 0000000000000000 c000000011407b38 0000000000000001 f5d4bac969e94f08
[ 148.074060] GPR12: c0080000017daaa0 c00000001ecab400 0000000000000000 0000000000000000
[ 148.074060] GPR16: 000000001003a348 000000001003a3e8 0000000000000000 0000000000000000
[ 148.074060] GPR20: c000000011407c64 c0080000016d0038 c000000011407c60 c000000001734238
[ 148.074060] GPR24: c000000012ce8400 0000000000000001 c000000001734230 c0000000113e9300
[ 148.074060] GPR28: 0000000e5b65166b 0000000000000001 c0080000016d0000 c000000011407b40
[ 148.074122] NIP [c0080000017daad8] bpf_prog_a2eb9104e5e8a5bf+0x38/0x5560
[ 148.074129] LR [c000000000c26ea8] bpf_test_run+0x288/0x470
[ 148.074137] Call Trace:
[ 148.074139] [c000000011407b10] [c000000011407b80] 0xc000000011407b80 (unreliable)
[ 148.074147] [c000000011407b80] [c000000000c26d1c] bpf_test_run+0xfc/0x470
[ 148.074154] [c000000011407c40] [c000000000c2823c] bpf_prog_test_run_skb+0x38c/0x660
[ 148.074160] [c000000011407ce0] [c00000000035896c] __do_sys_bpf+0x4cc/0xf30
[ 148.074168] [c000000011407db0] [c000000000037a14] system_call_exception+0x134/0x230
[ 148.074175] [c000000011407e10] [c00000000000c874] system_call_vectored_common+0xf4/0x26c
[ 148.074183] Instruction dump:
[ 148.074188] f821ff91 fbe10068 3be10030 39000000 f91ffff8 38600001 393ffff8 7d4048a8
[ 148.074199] 7d4a1a14 7d4049ad 4082fff4 28230000 <4082fffc> 60000000 ebe10068 38210070
jirka
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [BUG soft lockup] Re: [PATCH bpf-next v3] bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
2021-06-29 16:04 ` Jiri Olsa
@ 2021-06-29 16:25 ` Brendan Jackman
2021-06-29 16:41 ` Jiri Olsa
0 siblings, 1 reply; 16+ messages in thread
From: Brendan Jackman @ 2021-06-29 16:25 UTC (permalink / raw)
To: Jiri Olsa
Cc: bpf, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
KP Singh, Florent Revest, John Fastabend, LKML, Naveen N. Rao,
Sandipan Das
On Tue, 29 Jun 2021 at 18:04, Jiri Olsa <jolsa@redhat.com> wrote:
>
> On Tue, Jun 29, 2021 at 04:10:12PM +0200, Jiri Olsa wrote:
> > On Mon, Jun 28, 2021 at 11:21:42AM +0200, Brendan Jackman wrote:
> > > On Sun, 27 Jun 2021 at 17:34, Jiri Olsa <jolsa@redhat.com> wrote:
> > > >
> > > > On Tue, Feb 02, 2021 at 01:50:02PM +0000, Brendan Jackman wrote:
[snip]
> > > Hmm, is the test prog from atomic_bounds.c getting JITed there (my
> > > dumb guess at what '0xc0000000119efb30 (unreliable)' means)? That
> > > shouldn't happen - should get 'eBPF filter atomic op code %02x (@%d)
> > > unsupported\n' in dmesg instead. I wonder if I missed something in
> > > commit 91c960b0056 (bpf: Rename BPF_XADD and prepare to encode other
>
> I see that for all the other atomics tests:
>
> [root@ibm-p9z-07-lp1 bpf]# ./test_verifier 21
> #21/p BPF_ATOMIC_AND without fetch FAIL
> Failed to load prog 'Unknown error 524'!
> verification time 32 usec
> stack depth 8
> processed 10 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
> Summary: 0 PASSED, 0 SKIPPED, 2 FAILED
Hm that's also not good - failure to JIT shouldn't mean failure to
load. Are there other test_verifier failures or is it just the atomics
ones?
> console:
>
> [ 51.850952] eBPF filter atomic op code db (@2) unsupported
> [ 51.851134] eBPF filter atomic op code db (@2) unsupported
>
>
> [root@ibm-p9z-07-lp1 bpf]# ./test_verifier 22
> #22/u BPF_ATOMIC_AND with fetch FAIL
> Failed to load prog 'Unknown error 524'!
> verification time 38 usec
> stack depth 8
> processed 14 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
> #22/p BPF_ATOMIC_AND with fetch FAIL
> Failed to load prog 'Unknown error 524'!
> verification time 26 usec
> stack depth 8
> processed 14 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
>
> console:
> [ 223.231420] eBPF filter atomic op code db (@3) unsupported
> [ 223.231596] eBPF filter atomic op code db (@3) unsupported
>
> ...
>
>
> but no such console output for:
>
> [root@ibm-p9z-07-lp1 bpf]# ./test_verifier 24
> #24/u BPF_ATOMIC bounds propagation, mem->reg OK
>
>
> > > atomics in .imm). Any idea if this test was ever passing on PowerPC?
> > >
> >
> > hum, I guess not.. will check
>
> nope, it locks up the same:
Do you mean it locks up at commit 91c960b0056 too?
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [BUG soft lockup] Re: [PATCH bpf-next v3] bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
2021-06-29 16:25 ` Brendan Jackman
@ 2021-06-29 16:41 ` Jiri Olsa
2021-06-29 21:08 ` Jiri Olsa
0 siblings, 1 reply; 16+ messages in thread
From: Jiri Olsa @ 2021-06-29 16:41 UTC (permalink / raw)
To: Brendan Jackman
Cc: bpf, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
KP Singh, Florent Revest, John Fastabend, LKML, Naveen N. Rao,
Sandipan Das
On Tue, Jun 29, 2021 at 06:25:33PM +0200, Brendan Jackman wrote:
> On Tue, 29 Jun 2021 at 18:04, Jiri Olsa <jolsa@redhat.com> wrote:
> >
> > On Tue, Jun 29, 2021 at 04:10:12PM +0200, Jiri Olsa wrote:
> > > On Mon, Jun 28, 2021 at 11:21:42AM +0200, Brendan Jackman wrote:
> > > > On Sun, 27 Jun 2021 at 17:34, Jiri Olsa <jolsa@redhat.com> wrote:
> > > > >
> > > > > On Tue, Feb 02, 2021 at 01:50:02PM +0000, Brendan Jackman wrote:
> [snip]
> > > > Hmm, is the test prog from atomic_bounds.c getting JITed there (my
> > > > dumb guess at what '0xc0000000119efb30 (unreliable)' means)? That
> > > > shouldn't happen - should get 'eBPF filter atomic op code %02x (@%d)
> > > > unsupported\n' in dmesg instead. I wonder if I missed something in
> > > > commit 91c960b0056 (bpf: Rename BPF_XADD and prepare to encode other
> >
> > I see that for all the other atomics tests:
> >
> > [root@ibm-p9z-07-lp1 bpf]# ./test_verifier 21
> > #21/p BPF_ATOMIC_AND without fetch FAIL
> > Failed to load prog 'Unknown error 524'!
> > verification time 32 usec
> > stack depth 8
> > processed 10 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
> > Summary: 0 PASSED, 0 SKIPPED, 2 FAILED
>
> Hm that's also not good - failure to JIT shouldn't mean failure to
> load. Are there other test_verifier failures or is it just the atomics
> ones?
I have CONFIG_BPF_JIT_ALWAYS_ON=y so I think that's fine
>
> > console:
> >
> > [ 51.850952] eBPF filter atomic op code db (@2) unsupported
> > [ 51.851134] eBPF filter atomic op code db (@2) unsupported
> >
> >
> > [root@ibm-p9z-07-lp1 bpf]# ./test_verifier 22
> > #22/u BPF_ATOMIC_AND with fetch FAIL
> > Failed to load prog 'Unknown error 524'!
> > verification time 38 usec
> > stack depth 8
> > processed 14 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
> > #22/p BPF_ATOMIC_AND with fetch FAIL
> > Failed to load prog 'Unknown error 524'!
> > verification time 26 usec
> > stack depth 8
> > processed 14 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
> >
> > console:
> > [ 223.231420] eBPF filter atomic op code db (@3) unsupported
> > [ 223.231596] eBPF filter atomic op code db (@3) unsupported
> >
> > ...
> >
> >
> > but no such console output for:
> >
> > [root@ibm-p9z-07-lp1 bpf]# ./test_verifier 24
> > #24/u BPF_ATOMIC bounds propagation, mem->reg OK
> >
> >
> > > > atomics in .imm). Any idea if this test was ever passing on PowerPC?
> > > >
> > >
> > > hum, I guess not.. will check
> >
> > nope, it locks up the same:
>
> Do you mean it locks up at commit 91c960b0056 too?
>
I tried this one:
37086bfdc737 bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
I will check also 91c960b0056, but I think it's the new test issue
jirka
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [BUG soft lockup] Re: [PATCH bpf-next v3] bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
2021-06-29 16:41 ` Jiri Olsa
@ 2021-06-29 21:08 ` Jiri Olsa
2021-06-30 10:34 ` Brendan Jackman
0 siblings, 1 reply; 16+ messages in thread
From: Jiri Olsa @ 2021-06-29 21:08 UTC (permalink / raw)
To: Brendan Jackman
Cc: bpf, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
KP Singh, Florent Revest, John Fastabend, LKML, Naveen N. Rao,
Sandipan Das
On Tue, Jun 29, 2021 at 06:41:24PM +0200, Jiri Olsa wrote:
> On Tue, Jun 29, 2021 at 06:25:33PM +0200, Brendan Jackman wrote:
> > On Tue, 29 Jun 2021 at 18:04, Jiri Olsa <jolsa@redhat.com> wrote:
> > >
> > > On Tue, Jun 29, 2021 at 04:10:12PM +0200, Jiri Olsa wrote:
> > > > On Mon, Jun 28, 2021 at 11:21:42AM +0200, Brendan Jackman wrote:
> > > > > On Sun, 27 Jun 2021 at 17:34, Jiri Olsa <jolsa@redhat.com> wrote:
> > > > > >
> > > > > > On Tue, Feb 02, 2021 at 01:50:02PM +0000, Brendan Jackman wrote:
> > [snip]
> > > > > Hmm, is the test prog from atomic_bounds.c getting JITed there (my
> > > > > dumb guess at what '0xc0000000119efb30 (unreliable)' means)? That
> > > > > shouldn't happen - should get 'eBPF filter atomic op code %02x (@%d)
> > > > > unsupported\n' in dmesg instead. I wonder if I missed something in
> > > > > commit 91c960b0056 (bpf: Rename BPF_XADD and prepare to encode other
> > >
> > > I see that for all the other atomics tests:
> > >
> > > [root@ibm-p9z-07-lp1 bpf]# ./test_verifier 21
> > > #21/p BPF_ATOMIC_AND without fetch FAIL
> > > Failed to load prog 'Unknown error 524'!
> > > verification time 32 usec
> > > stack depth 8
> > > processed 10 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
> > > Summary: 0 PASSED, 0 SKIPPED, 2 FAILED
> >
> > Hm that's also not good - failure to JIT shouldn't mean failure to
> > load. Are there other test_verifier failures or is it just the atomics
> > ones?
>
> I have CONFIG_BPF_JIT_ALWAYS_ON=y so I think that's fine
>
> >
> > > console:
> > >
> > > [ 51.850952] eBPF filter atomic op code db (@2) unsupported
> > > [ 51.851134] eBPF filter atomic op code db (@2) unsupported
> > >
> > >
> > > [root@ibm-p9z-07-lp1 bpf]# ./test_verifier 22
> > > #22/u BPF_ATOMIC_AND with fetch FAIL
> > > Failed to load prog 'Unknown error 524'!
> > > verification time 38 usec
> > > stack depth 8
> > > processed 14 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
> > > #22/p BPF_ATOMIC_AND with fetch FAIL
> > > Failed to load prog 'Unknown error 524'!
> > > verification time 26 usec
> > > stack depth 8
> > > processed 14 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
> > >
> > > console:
> > > [ 223.231420] eBPF filter atomic op code db (@3) unsupported
> > > [ 223.231596] eBPF filter atomic op code db (@3) unsupported
> > >
> > > ...
> > >
> > >
> > > but no such console output for:
> > >
> > > [root@ibm-p9z-07-lp1 bpf]# ./test_verifier 24
> > > #24/u BPF_ATOMIC bounds propagation, mem->reg OK
> > >
> > >
> > > > > atomics in .imm). Any idea if this test was ever passing on PowerPC?
> > > > >
> > > >
> > > > hum, I guess not.. will check
> > >
> > > nope, it locks up the same:
> >
> > Do you mean it locks up at commit 91c960b0056 too?
> >
>
> I tried this one:
> 37086bfdc737 bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
>
> I will check also 91c960b0056, but I think it's the new test issue
for i91c960b0056 in HEAD I'm getting just 2 fails:
#1097/p xadd/w check whether src/dst got mangled, 1 FAIL
Failed to load prog 'Unknown error 524'!
verification time 25 usec
stack depth 8
processed 12 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 0
#1098/p xadd/w check whether src/dst got mangled, 2 FAIL
Failed to load prog 'Unknown error 524'!
verification time 30 usec
stack depth 8
processed 12 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 0
with console output:
[ 289.499341] eBPF filter atomic op code db (@4) unsupported
[ 289.499510] eBPF filter atomic op code c3 (@4) unsupported
no lock up
jirka
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [BUG soft lockup] Re: [PATCH bpf-next v3] bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
2021-06-29 21:08 ` Jiri Olsa
@ 2021-06-30 10:34 ` Brendan Jackman
[not found] ` <YNxmwZGtnqiXGnF0@krava>
0 siblings, 1 reply; 16+ messages in thread
From: Brendan Jackman @ 2021-06-30 10:34 UTC (permalink / raw)
To: Jiri Olsa
Cc: bpf, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
KP Singh, Florent Revest, John Fastabend, LKML, Naveen N. Rao,
Sandipan Das
On Tue, 29 Jun 2021 at 23:09, Jiri Olsa <jolsa@redhat.com> wrote:
>
> On Tue, Jun 29, 2021 at 06:41:24PM +0200, Jiri Olsa wrote:
> > On Tue, Jun 29, 2021 at 06:25:33PM +0200, Brendan Jackman wrote:
> > > On Tue, 29 Jun 2021 at 18:04, Jiri Olsa <jolsa@redhat.com> wrote:
> > > > On Tue, Jun 29, 2021 at 04:10:12PM +0200, Jiri Olsa wrote:
> > > > > On Mon, Jun 28, 2021 at 11:21:42AM +0200, Brendan Jackman wrote:
> > > > > > atomics in .imm). Any idea if this test was ever passing on PowerPC?
> > > > > >
> > > > >
> > > > > hum, I guess not.. will check
> > > >
> > > > nope, it locks up the same:
> > >
> > > Do you mean it locks up at commit 91c960b0056 too?
Sorry I was being stupid here - the test didn't exist at this commit
> > I tried this one:
> > 37086bfdc737 bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
> >
> > I will check also 91c960b0056, but I think it's the new test issue
So yeah hard to say whether this was broken on PowerPC all along. How
hard is it for me to get set up to reproduce the failure? Is there a
rootfs I can download, and some instructions for running a PowerPC
QEMU VM? If so if you can also share your config and I'll take a look.
If it's not as simple as that, I'll stare at the code for a while and
see if anything jumps out.
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [BUG soft lockup] Re: [PATCH bpf-next v3] bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
[not found] ` <YNxmwZGtnqiXGnF0@krava>
@ 2021-07-01 8:18 ` Brendan Jackman
2021-07-01 10:16 ` Jiri Olsa
2021-07-01 11:02 ` Naveen N. Rao
0 siblings, 2 replies; 16+ messages in thread
From: Brendan Jackman @ 2021-07-01 8:18 UTC (permalink / raw)
To: Jiri Olsa, Sandipan Das, Naveen N. Rao
Cc: bpf, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
KP Singh, Florent Revest, John Fastabend, LKML
On Wed, 30 Jun 2021 at 14:42, Jiri Olsa <jolsa@redhat.com> wrote:
>
> On Wed, Jun 30, 2021 at 12:34:58PM +0200, Brendan Jackman wrote:
> > On Tue, 29 Jun 2021 at 23:09, Jiri Olsa <jolsa@redhat.com> wrote:
> > >
> > > On Tue, Jun 29, 2021 at 06:41:24PM +0200, Jiri Olsa wrote:
> > > > On Tue, Jun 29, 2021 at 06:25:33PM +0200, Brendan Jackman wrote:
> > > > > On Tue, 29 Jun 2021 at 18:04, Jiri Olsa <jolsa@redhat.com> wrote:
> > > > > > On Tue, Jun 29, 2021 at 04:10:12PM +0200, Jiri Olsa wrote:
> > > > > > > On Mon, Jun 28, 2021 at 11:21:42AM +0200, Brendan Jackman wrote:
> >
> > > > > > > > atomics in .imm). Any idea if this test was ever passing on PowerPC?
> > > > > > > >
> > > > > > >
> > > > > > > hum, I guess not.. will check
> > > > > >
> > > > > > nope, it locks up the same:
> > > > >
> > > > > Do you mean it locks up at commit 91c960b0056 too?
> >
> > Sorry I was being stupid here - the test didn't exist at this commit
> >
> > > > I tried this one:
> > > > 37086bfdc737 bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
> > > >
> > > > I will check also 91c960b0056, but I think it's the new test issue
> >
> > So yeah hard to say whether this was broken on PowerPC all along. How
> > hard is it for me to get set up to reproduce the failure? Is there a
> > rootfs I can download, and some instructions for running a PowerPC
> > QEMU VM? If so if you can also share your config and I'll take a look.
> >
> > If it's not as simple as that, I'll stare at the code for a while and
> > see if anything jumps out.
> >
>
> I have latest fedora ppc server and compile/install latest bpf-next tree
> I think it will be reproduced also on vm, I attached my config
OK, getting set up to boot a PowerPC QEMU isn't practical here unless
someone's got commands I can copy-paste (suspect it will need .config
hacking too). Looks like you need to build a proper bootloader, and
boot an installer disk.
Looked at the code for a bit but nothing jumped out. It seems like the
verifier is seeing a BPF_ADD | BPF_FETCH, which means it doesn't
detect an infinite loop, but then we lose the BPF_FETCH flag somewhere
between do_check in verifier.c and bpf_jit_build_body in
bpf_jit_comp64.c. That would explain why we don't get the "eBPF filter
atomic op code %02x (@%d) unsupported", and would also explain the
lockup because a normal atomic add without fetch would leave BPF R1
unchanged.
We should be able to confirm that theory by disassembling the JITted
code that gets hexdumped by bpf_jit_dump when bpf_jit_enable is set to
2... at least for PowerPC 32-bit... maybe you could paste those lines
into the 64-bit version too? Here's some notes I made for
disassembling the hexdump on x86, I guess you'd just need to change
the objdump flags:
--
- Enable console JIT output:
```shell
echo 2 > /proc/sys/net/core/bpf_jit_enable
```
- Load & run the program of interest.
- Copy the hex code from the kernel console to `/tmp/jit.txt`. Here's what a
short program looks like. This includes a line of context - don't paste the
`flen=` line.
```
[ 79.381020] flen=8 proglen=54 pass=4 image=000000001af6f390
from=test_verifier pid=258
[ 79.389568] JIT code: 00000000: 0f 1f 44 00 00 66 90 55 48 89 e5 48 81 ec 08 00
[ 79.397411] JIT code: 00000010: 00 00 48 c7 45 f8 64 00 00 00 bf 04 00 00 00 48
[ 79.405965] JIT code: 00000020: f7 df f0 48 29 7d f8 8b 45 f8 48 83 f8 60 74 02
[ 79.414719] JIT code: 00000030: c9 c3 31 c0 eb fa
```
- This incantation will split out and decode the hex, then disassemble the
result:
```shell
cat /tmp/jit.txt | cut -d: -f2- | xxd -r >/tmp/obj && objdump -D -b
binary -m i386:x86-64 /tmp/obj
```
--
Sandipan, Naveen, do you know of anything in the PowerPC code that
might be leading us to drop the BPF_FETCH flag from the atomic
instruction in tools/testing/selftests/bpf/verifier/atomic_bounds.c?
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [BUG soft lockup] Re: [PATCH bpf-next v3] bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
2021-07-01 8:18 ` Brendan Jackman
@ 2021-07-01 10:16 ` Jiri Olsa
2021-07-01 11:02 ` Naveen N. Rao
1 sibling, 0 replies; 16+ messages in thread
From: Jiri Olsa @ 2021-07-01 10:16 UTC (permalink / raw)
To: Brendan Jackman
Cc: Sandipan Das, Naveen N. Rao, bpf, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, KP Singh, Florent Revest,
John Fastabend, LKML
On Thu, Jul 01, 2021 at 10:18:39AM +0200, Brendan Jackman wrote:
> On Wed, 30 Jun 2021 at 14:42, Jiri Olsa <jolsa@redhat.com> wrote:
> >
> > On Wed, Jun 30, 2021 at 12:34:58PM +0200, Brendan Jackman wrote:
> > > On Tue, 29 Jun 2021 at 23:09, Jiri Olsa <jolsa@redhat.com> wrote:
> > > >
> > > > On Tue, Jun 29, 2021 at 06:41:24PM +0200, Jiri Olsa wrote:
> > > > > On Tue, Jun 29, 2021 at 06:25:33PM +0200, Brendan Jackman wrote:
> > > > > > On Tue, 29 Jun 2021 at 18:04, Jiri Olsa <jolsa@redhat.com> wrote:
> > > > > > > On Tue, Jun 29, 2021 at 04:10:12PM +0200, Jiri Olsa wrote:
> > > > > > > > On Mon, Jun 28, 2021 at 11:21:42AM +0200, Brendan Jackman wrote:
> > >
> > > > > > > > > atomics in .imm). Any idea if this test was ever passing on PowerPC?
> > > > > > > > >
> > > > > > > >
> > > > > > > > hum, I guess not.. will check
> > > > > > >
> > > > > > > nope, it locks up the same:
> > > > > >
> > > > > > Do you mean it locks up at commit 91c960b0056 too?
> > >
> > > Sorry I was being stupid here - the test didn't exist at this commit
> > >
> > > > > I tried this one:
> > > > > 37086bfdc737 bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
> > > > >
> > > > > I will check also 91c960b0056, but I think it's the new test issue
> > >
> > > So yeah hard to say whether this was broken on PowerPC all along. How
> > > hard is it for me to get set up to reproduce the failure? Is there a
> > > rootfs I can download, and some instructions for running a PowerPC
> > > QEMU VM? If so if you can also share your config and I'll take a look.
> > >
> > > If it's not as simple as that, I'll stare at the code for a while and
> > > see if anything jumps out.
> > >
> >
> > I have latest fedora ppc server and compile/install latest bpf-next tree
> > I think it will be reproduced also on vm, I attached my config
>
> OK, getting set up to boot a PowerPC QEMU isn't practical here unless
> someone's got commands I can copy-paste (suspect it will need .config
> hacking too). Looks like you need to build a proper bootloader, and
> boot an installer disk.
>
> Looked at the code for a bit but nothing jumped out. It seems like the
> verifier is seeing a BPF_ADD | BPF_FETCH, which means it doesn't
> detect an infinite loop, but then we lose the BPF_FETCH flag somewhere
> between do_check in verifier.c and bpf_jit_build_body in
> bpf_jit_comp64.c. That would explain why we don't get the "eBPF filter
> atomic op code %02x (@%d) unsupported", and would also explain the
> lockup because a normal atomic add without fetch would leave BPF R1
> unchanged.
>
> We should be able to confirm that theory by disassembling the JITted
> code that gets hexdumped by bpf_jit_dump when bpf_jit_enable is set to
> 2... at least for PowerPC 32-bit... maybe you could paste those lines
> into the 64-bit version too? Here's some notes I made for
> disassembling the hexdump on x86, I guess you'd just need to change
> the objdump flags:
>
> --
>
> - Enable console JIT output:
> ```shell
> echo 2 > /proc/sys/net/core/bpf_jit_enable
> ```
> - Load & run the program of interest.
> - Copy the hex code from the kernel console to `/tmp/jit.txt`. Here's what a
> short program looks like. This includes a line of context - don't paste the
> `flen=` line.
> ```
> [ 79.381020] flen=8 proglen=54 pass=4 image=000000001af6f390
> from=test_verifier pid=258
> [ 79.389568] JIT code: 00000000: 0f 1f 44 00 00 66 90 55 48 89 e5 48 81 ec 08 00
> [ 79.397411] JIT code: 00000010: 00 00 48 c7 45 f8 64 00 00 00 bf 04 00 00 00 48
> [ 79.405965] JIT code: 00000020: f7 df f0 48 29 7d f8 8b 45 f8 48 83 f8 60 74 02
> [ 79.414719] JIT code: 00000030: c9 c3 31 c0 eb fa
> ```
> - This incantation will split out and decode the hex, then disassemble the
> result:
> ```shell
> cat /tmp/jit.txt | cut -d: -f2- | xxd -r >/tmp/obj && objdump -D -b
> binary -m i386:x86-64 /tmp/obj
> ```
that's where I decided to write to list and ask for help before
googling ppc assembly ;-)
I changed the test_verifier to stop before executing the test
so I can dump the program via bpftool:
[root@ibm-p9z-07-lp1 bpf-next]# bpftool prog dump xlated id 48
0: (b7) r0 = 0
1: (7b) *(u64 *)(r10 -8) = r0
2: (b7) r1 = 1
3: (db) r1 = atomic64_fetch_add((u64 *)(r10 -8), r1)
4: (55) if r1 != 0x0 goto pc-1
5: (95) exit
[root@ibm-p9z-07-lp1 bpf-next]# bpftool prog dump jited id 48
bpf_prog_a2eb9104e5e8a5bf:
0: nop
4: nop
8: stdu r1,-112(r1)
c: std r31,104(r1)
10: addi r31,r1,48
14: li r8,0
18: std r8,-8(r31)
1c: li r3,1
20: addi r9,r31,-8
24: ldarx r10,0,r9
28: add r10,r10,r3
2c: stdcx. r10,0,r9
30: bne 0x0000000000000024
34: cmpldi r3,0
38: bne 0x0000000000000034
3c: nop
40: ld r31,104(r1)
44: addi r1,r1,112
48: mr r3,r8
4c: blr
I wanted to also do it through bpf_jit_enable and bpf_jit_dump, but I need to check
the setup, because I can't set bpf_jit_enable to 2 at the moment.. might take some time
[root@ibm-p9z-07-lp1 bpf-next]# echo 2 > /proc/sys/net/core/bpf_jit_enable
-bash: echo: write error: Invalid argument
jirka
>
> --
>
> Sandipan, Naveen, do you know of anything in the PowerPC code that
> might be leading us to drop the BPF_FETCH flag from the atomic
> instruction in tools/testing/selftests/bpf/verifier/atomic_bounds.c?
>
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [BUG soft lockup] Re: [PATCH bpf-next v3] bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
2021-07-01 8:18 ` Brendan Jackman
2021-07-01 10:16 ` Jiri Olsa
@ 2021-07-01 11:02 ` Naveen N. Rao
2021-07-01 14:15 ` Jiri Olsa
1 sibling, 1 reply; 16+ messages in thread
From: Naveen N. Rao @ 2021-07-01 11:02 UTC (permalink / raw)
To: Brendan Jackman, Jiri Olsa, Sandipan Das
Cc: Andrii Nakryiko, Alexei Starovoitov, bpf, Daniel Borkmann,
John Fastabend, KP Singh, LKML, Florent Revest
Hi Brendan, Hi Jiri,
Brendan Jackman wrote:
> On Wed, 30 Jun 2021 at 14:42, Jiri Olsa <jolsa@redhat.com> wrote:
>>
>> On Wed, Jun 30, 2021 at 12:34:58PM +0200, Brendan Jackman wrote:
>> > On Tue, 29 Jun 2021 at 23:09, Jiri Olsa <jolsa@redhat.com> wrote:
>> > >
>> > > On Tue, Jun 29, 2021 at 06:41:24PM +0200, Jiri Olsa wrote:
>> > > > On Tue, Jun 29, 2021 at 06:25:33PM +0200, Brendan Jackman wrote:
>> > > > > On Tue, 29 Jun 2021 at 18:04, Jiri Olsa <jolsa@redhat.com> wrote:
>> > > > > > On Tue, Jun 29, 2021 at 04:10:12PM +0200, Jiri Olsa wrote:
>> > > > > > > On Mon, Jun 28, 2021 at 11:21:42AM +0200, Brendan Jackman wrote:
>> >
>> > > > > > > > atomics in .imm). Any idea if this test was ever passing on PowerPC?
>> > > > > > > >
>> > > > > > >
>> > > > > > > hum, I guess not.. will check
>> > > > > >
>> > > > > > nope, it locks up the same:
>> > > > >
>> > > > > Do you mean it locks up at commit 91c960b0056 too?
>> >
>> > Sorry I was being stupid here - the test didn't exist at this commit
>> >
>> > > > I tried this one:
>> > > > 37086bfdc737 bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
>> > > >
>> > > > I will check also 91c960b0056, but I think it's the new test issue
>> >
>> > So yeah hard to say whether this was broken on PowerPC all along. How
>> > hard is it for me to get set up to reproduce the failure? Is there a
>> > rootfs I can download, and some instructions for running a PowerPC
>> > QEMU VM? If so if you can also share your config and I'll take a look.
>> >
>> > If it's not as simple as that, I'll stare at the code for a while and
>> > see if anything jumps out.
>> >
>>
>> I have latest fedora ppc server and compile/install latest bpf-next tree
>> I think it will be reproduced also on vm, I attached my config
>
> OK, getting set up to boot a PowerPC QEMU isn't practical here unless
> someone's got commands I can copy-paste (suspect it will need .config
> hacking too). Looks like you need to build a proper bootloader, and
> boot an installer disk.
There are some notes put up here, though we can do better:
https://github.com/linuxppc/wiki/wiki/Booting-with-Qemu
If you are familiar with ubuntu/fedora cloud images (and cloud-init),
you should be able to grab one of the ppc64le images and boot it in
qemu:
https://cloud-images.ubuntu.com/releases/hirsute/release/
https://alt.fedoraproject.org/alt/
>
> Looked at the code for a bit but nothing jumped out. It seems like the
> verifier is seeing a BPF_ADD | BPF_FETCH, which means it doesn't
> detect an infinite loop, but then we lose the BPF_FETCH flag somewhere
> between do_check in verifier.c and bpf_jit_build_body in
> bpf_jit_comp64.c. That would explain why we don't get the "eBPF filter
> atomic op code %02x (@%d) unsupported", and would also explain the
> lockup because a normal atomic add without fetch would leave BPF R1
> unchanged.
>
> We should be able to confirm that theory by disassembling the JITted
> code that gets hexdumped by bpf_jit_dump when bpf_jit_enable is set to
> 2... at least for PowerPC 32-bit... maybe you could paste those lines
> into the 64-bit version too? Here's some notes I made for
> disassembling the hexdump on x86, I guess you'd just need to change
> the objdump flags:
>
> --
>
> - Enable console JIT output:
> ```shell
> echo 2 > /proc/sys/net/core/bpf_jit_enable
> ```
> - Load & run the program of interest.
> - Copy the hex code from the kernel console to `/tmp/jit.txt`. Here's what a
> short program looks like. This includes a line of context - don't paste the
> `flen=` line.
> ```
> [ 79.381020] flen=8 proglen=54 pass=4 image=000000001af6f390
> from=test_verifier pid=258
> [ 79.389568] JIT code: 00000000: 0f 1f 44 00 00 66 90 55 48 89 e5 48 81 ec 08 00
> [ 79.397411] JIT code: 00000010: 00 00 48 c7 45 f8 64 00 00 00 bf 04 00 00 00 48
> [ 79.405965] JIT code: 00000020: f7 df f0 48 29 7d f8 8b 45 f8 48 83 f8 60 74 02
> [ 79.414719] JIT code: 00000030: c9 c3 31 c0 eb fa
> ```
> - This incantation will split out and decode the hex, then disassemble the
> result:
> ```shell
> cat /tmp/jit.txt | cut -d: -f2- | xxd -r >/tmp/obj && objdump -D -b
> binary -m i386:x86-64 /tmp/obj
> ```
>
> --
>
> Sandipan, Naveen, do you know of anything in the PowerPC code that
> might be leading us to drop the BPF_FETCH flag from the atomic
> instruction in tools/testing/selftests/bpf/verifier/atomic_bounds.c?
Yes, I think I just found the issue. We aren't looking at the correct
BPF instruction when checking the IMM value.
--- a/arch/powerpc/net/bpf_jit_comp64.c
+++ b/arch/powerpc/net/bpf_jit_comp64.c
@@ -673,7 +673,7 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
* BPF_STX ATOMIC (atomic ops)
*/
case BPF_STX | BPF_ATOMIC | BPF_W:
- if (insn->imm != BPF_ADD) {
+ if (insn[i].imm != BPF_ADD) {
pr_err_ratelimited(
"eBPF filter atomic op code %02x (@%d) unsupported\n",
code, i);
@@ -695,7 +695,7 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
PPC_BCC_SHORT(COND_NE, tmp_idx);
break;
case BPF_STX | BPF_ATOMIC | BPF_DW:
- if (insn->imm != BPF_ADD) {
+ if (insn[i].imm != BPF_ADD) {
pr_err_ratelimited(
"eBPF filter atomic op code %02x (@%d) unsupported\n",
code, i);
Thanks,
Naveen
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [BUG soft lockup] Re: [PATCH bpf-next v3] bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
2021-07-01 11:02 ` Naveen N. Rao
@ 2021-07-01 14:15 ` Jiri Olsa
2021-07-02 9:44 ` Brendan Jackman
0 siblings, 1 reply; 16+ messages in thread
From: Jiri Olsa @ 2021-07-01 14:15 UTC (permalink / raw)
To: Naveen N. Rao
Cc: Brendan Jackman, Sandipan Das, Andrii Nakryiko,
Alexei Starovoitov, bpf, Daniel Borkmann, John Fastabend,
KP Singh, LKML, Florent Revest
On Thu, Jul 01, 2021 at 04:32:03PM +0530, Naveen N. Rao wrote:
> Hi Brendan, Hi Jiri,
>
>
> Brendan Jackman wrote:
> > On Wed, 30 Jun 2021 at 14:42, Jiri Olsa <jolsa@redhat.com> wrote:
> > >
> > > On Wed, Jun 30, 2021 at 12:34:58PM +0200, Brendan Jackman wrote:
> > > > On Tue, 29 Jun 2021 at 23:09, Jiri Olsa <jolsa@redhat.com> wrote:
> > > > >
> > > > > On Tue, Jun 29, 2021 at 06:41:24PM +0200, Jiri Olsa wrote:
> > > > > > On Tue, Jun 29, 2021 at 06:25:33PM +0200, Brendan Jackman wrote:
> > > > > > > On Tue, 29 Jun 2021 at 18:04, Jiri Olsa <jolsa@redhat.com> wrote:
> > > > > > > > On Tue, Jun 29, 2021 at 04:10:12PM +0200, Jiri Olsa wrote:
> > > > > > > > > On Mon, Jun 28, 2021 at 11:21:42AM +0200, Brendan Jackman wrote:
> > > >
> > > > > > > > > > atomics in .imm). Any idea if this test was ever passing on PowerPC?
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > > hum, I guess not.. will check
> > > > > > > >
> > > > > > > > nope, it locks up the same:
> > > > > > >
> > > > > > > Do you mean it locks up at commit 91c960b0056 too?
> > > >
> > > > Sorry I was being stupid here - the test didn't exist at this commit
> > > >
> > > > > > I tried this one:
> > > > > > 37086bfdc737 bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
> > > > > >
> > > > > > I will check also 91c960b0056, but I think it's the new test issue
> > > >
> > > > So yeah hard to say whether this was broken on PowerPC all along. How
> > > > hard is it for me to get set up to reproduce the failure? Is there a
> > > > rootfs I can download, and some instructions for running a PowerPC
> > > > QEMU VM? If so if you can also share your config and I'll take a look.
> > > >
> > > > If it's not as simple as that, I'll stare at the code for a while and
> > > > see if anything jumps out.
> > > >
> > >
> > > I have latest fedora ppc server and compile/install latest bpf-next tree
> > > I think it will be reproduced also on vm, I attached my config
> >
> > OK, getting set up to boot a PowerPC QEMU isn't practical here unless
> > someone's got commands I can copy-paste (suspect it will need .config
> > hacking too). Looks like you need to build a proper bootloader, and
> > boot an installer disk.
>
> There are some notes put up here, though we can do better:
> https://github.com/linuxppc/wiki/wiki/Booting-with-Qemu
>
> If you are familiar with ubuntu/fedora cloud images (and cloud-init), you
> should be able to grab one of the ppc64le images and boot it in qemu:
> https://cloud-images.ubuntu.com/releases/hirsute/release/
> https://alt.fedoraproject.org/alt/
>
> >
> > Looked at the code for a bit but nothing jumped out. It seems like the
> > verifier is seeing a BPF_ADD | BPF_FETCH, which means it doesn't
> > detect an infinite loop, but then we lose the BPF_FETCH flag somewhere
> > between do_check in verifier.c and bpf_jit_build_body in
> > bpf_jit_comp64.c. That would explain why we don't get the "eBPF filter
> > atomic op code %02x (@%d) unsupported", and would also explain the
> > lockup because a normal atomic add without fetch would leave BPF R1
> > unchanged.
> >
> > We should be able to confirm that theory by disassembling the JITted
> > code that gets hexdumped by bpf_jit_dump when bpf_jit_enable is set to
> > 2... at least for PowerPC 32-bit... maybe you could paste those lines
> > into the 64-bit version too? Here's some notes I made for
> > disassembling the hexdump on x86, I guess you'd just need to change
> > the objdump flags:
> >
> > --
> >
> > - Enable console JIT output:
> > ```shell
> > echo 2 > /proc/sys/net/core/bpf_jit_enable
> > ```
> > - Load & run the program of interest.
> > - Copy the hex code from the kernel console to `/tmp/jit.txt`. Here's what a
> > short program looks like. This includes a line of context - don't paste the
> > `flen=` line.
> > ```
> > [ 79.381020] flen=8 proglen=54 pass=4 image=000000001af6f390
> > from=test_verifier pid=258
> > [ 79.389568] JIT code: 00000000: 0f 1f 44 00 00 66 90 55 48 89 e5 48 81 ec 08 00
> > [ 79.397411] JIT code: 00000010: 00 00 48 c7 45 f8 64 00 00 00 bf 04 00 00 00 48
> > [ 79.405965] JIT code: 00000020: f7 df f0 48 29 7d f8 8b 45 f8 48 83 f8 60 74 02
> > [ 79.414719] JIT code: 00000030: c9 c3 31 c0 eb fa
> > ```
> > - This incantation will split out and decode the hex, then disassemble the
> > result:
> > ```shell
> > cat /tmp/jit.txt | cut -d: -f2- | xxd -r >/tmp/obj && objdump -D -b
> > binary -m i386:x86-64 /tmp/obj
> > ```
> >
> > --
> >
> > Sandipan, Naveen, do you know of anything in the PowerPC code that
> > might be leading us to drop the BPF_FETCH flag from the atomic
> > instruction in tools/testing/selftests/bpf/verifier/atomic_bounds.c?
>
> Yes, I think I just found the issue. We aren't looking at the correct BPF
> instruction when checking the IMM value.
great, nice catch! :-) that fixes it for me..
Tested-by: Jiri Olsa <jolsa@redhat.com>
thanks,
jirka
>
>
> --- a/arch/powerpc/net/bpf_jit_comp64.c
> +++ b/arch/powerpc/net/bpf_jit_comp64.c
> @@ -673,7 +673,7 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
> * BPF_STX ATOMIC (atomic ops)
> */
> case BPF_STX | BPF_ATOMIC | BPF_W:
> - if (insn->imm != BPF_ADD) {
> + if (insn[i].imm != BPF_ADD) {
> pr_err_ratelimited(
> "eBPF filter atomic op code %02x (@%d) unsupported\n",
> code, i);
> @@ -695,7 +695,7 @@ int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, struct codegen_context *
> PPC_BCC_SHORT(COND_NE, tmp_idx);
> break;
> case BPF_STX | BPF_ATOMIC | BPF_DW:
> - if (insn->imm != BPF_ADD) {
> + if (insn[i].imm != BPF_ADD) {
> pr_err_ratelimited(
> "eBPF filter atomic op code %02x (@%d) unsupported\n",
> code, i);
>
>
>
> Thanks,
> Naveen
>
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [BUG soft lockup] Re: [PATCH bpf-next v3] bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH
2021-07-01 14:15 ` Jiri Olsa
@ 2021-07-02 9:44 ` Brendan Jackman
0 siblings, 0 replies; 16+ messages in thread
From: Brendan Jackman @ 2021-07-02 9:44 UTC (permalink / raw)
To: Jiri Olsa
Cc: Naveen N. Rao, Sandipan Das, Andrii Nakryiko, Alexei Starovoitov,
bpf, Daniel Borkmann, John Fastabend, KP Singh, LKML,
Florent Revest
On Thu, 1 Jul 2021 at 16:15, Jiri Olsa <jolsa@redhat.com> wrote:
> On Thu, Jul 01, 2021 at 04:32:03PM +0530, Naveen N. Rao wrote:
> > Yes, I think I just found the issue. We aren't looking at the correct BPF
> > instruction when checking the IMM value.
>
> great, nice catch! :-) that fixes it for me..
Ahh, nice. +1 thanks for taking a look!
^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2021-07-02 9:44 UTC | newest]
Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-02 13:50 [PATCH bpf-next v3] bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH Brendan Jackman
2021-02-03 17:07 ` Yonghong Song
2021-02-03 17:37 ` Alexei Starovoitov
2021-06-27 15:34 ` [BUG soft lockup] " Jiri Olsa
2021-06-28 9:21 ` Brendan Jackman
2021-06-29 14:10 ` Jiri Olsa
2021-06-29 16:04 ` Jiri Olsa
2021-06-29 16:25 ` Brendan Jackman
2021-06-29 16:41 ` Jiri Olsa
2021-06-29 21:08 ` Jiri Olsa
2021-06-30 10:34 ` Brendan Jackman
[not found] ` <YNxmwZGtnqiXGnF0@krava>
2021-07-01 8:18 ` Brendan Jackman
2021-07-01 10:16 ` Jiri Olsa
2021-07-01 11:02 ` Naveen N. Rao
2021-07-01 14:15 ` Jiri Olsa
2021-07-02 9:44 ` Brendan Jackman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).