[RFC PATCH bpf-next] bpf: allow JIT debugging if CONFIG_BPF_JIT_ALWAYS

bpf.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [RFC PATCH bpf-next] bpf: allow JIT debugging if CONFIG_BPF_JIT_ALWAYS_ON is set
@ 2019-11-06 16:12 Ilya Leoshkevich
  2019-11-06 16:15 ` Alexei Starovoitov
  0 siblings, 1 reply; 7+ messages in thread
From: Ilya Leoshkevich @ 2019-11-06 16:12 UTC (permalink / raw)
  To: Daniel Borkmann, Alexei Starovoitov
  Cc: bpf, Heiko Carstens, Vasily Gorbik, Ilya Leoshkevich

Currently it's not possible to set bpf_jit_enable = 2 when
CONFIG_BPF_JIT_ALWAYS_ON is set, which makes debugging certain problems
harder.

It looks as if it's safe to allow this, because setting this knob
requires root anyway, but I'm not sure about all the security
implications, so sending this as an RFC.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
---
 net/core/sysctl_net_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
index eb29e5adc84d..09f1218b5656 100644
--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -389,7 +389,7 @@ static struct ctl_table net_core_table[] = {
 		.proc_handler	= proc_dointvec_minmax_bpf_enable,
 # ifdef CONFIG_BPF_JIT_ALWAYS_ON
 		.extra1		= SYSCTL_ONE,
-		.extra2		= SYSCTL_ONE,
+		.extra2		= &two,
 # else
 		.extra1		= SYSCTL_ZERO,
 		.extra2		= &two,
-- 
2.23.0


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [RFC PATCH bpf-next] bpf: allow JIT debugging if CONFIG_BPF_JIT_ALWAYS_ON is set
  2019-11-06 16:12 [RFC PATCH bpf-next] bpf: allow JIT debugging if CONFIG_BPF_JIT_ALWAYS_ON is set Ilya Leoshkevich
@ 2019-11-06 16:15 ` Alexei Starovoitov
  2019-11-06 16:28   ` Ilya Leoshkevich
  0 siblings, 1 reply; 7+ messages in thread
From: Alexei Starovoitov @ 2019-11-06 16:15 UTC (permalink / raw)
  To: Ilya Leoshkevich
  Cc: Daniel Borkmann, Alexei Starovoitov, bpf, Heiko Carstens, Vasily Gorbik

On Wed, Nov 6, 2019 at 8:12 AM Ilya Leoshkevich <iii@linux.ibm.com> wrote:
>
> Currently it's not possible to set bpf_jit_enable = 2 when
> CONFIG_BPF_JIT_ALWAYS_ON is set, which makes debugging certain problems
> harder.

This is obsolete way of debugging.
Please use bpftool dump jited instead.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [RFC PATCH bpf-next] bpf: allow JIT debugging if CONFIG_BPF_JIT_ALWAYS_ON is set
  2019-11-06 16:15 ` Alexei Starovoitov
@ 2019-11-06 16:28   ` Ilya Leoshkevich
  2019-11-06 16:50     ` John Fastabend
  0 siblings, 1 reply; 7+ messages in thread
From: Ilya Leoshkevich @ 2019-11-06 16:28 UTC (permalink / raw)
  To: Alexei Starovoitov
  Cc: Daniel Borkmann, Alexei Starovoitov, bpf, Heiko Carstens, Vasily Gorbik

> Am 06.11.2019 um 17:15 schrieb Alexei Starovoitov <alexei.starovoitov@gmail.com>:
> 
> On Wed, Nov 6, 2019 at 8:12 AM Ilya Leoshkevich <iii@linux.ibm.com> wrote:
>> 
>> Currently it's not possible to set bpf_jit_enable = 2 when
>> CONFIG_BPF_JIT_ALWAYS_ON is set, which makes debugging certain problems
>> harder.
> 
> This is obsolete way of debugging.
> Please use bpftool dump jited instead.

Is there a way to integrate bpftool nicely with e.g. test_verifier?
With bpf_jit_enable = 2, I can see JITed code for each test right away,
without pausing it (via gdb or rebuilding with added sleep()) and
running bpftool.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [RFC PATCH bpf-next] bpf: allow JIT debugging if CONFIG_BPF_JIT_ALWAYS_ON is set
  2019-11-06 16:28   ` Ilya Leoshkevich
@ 2019-11-06 16:50     ` John Fastabend
  2019-11-06 23:07       ` Daniel Borkmann
  0 siblings, 1 reply; 7+ messages in thread
From: John Fastabend @ 2019-11-06 16:50 UTC (permalink / raw)
  To: Ilya Leoshkevich, Alexei Starovoitov
  Cc: Daniel Borkmann, Alexei Starovoitov, bpf, Heiko Carstens, Vasily Gorbik

Ilya Leoshkevich wrote:
> > Am 06.11.2019 um 17:15 schrieb Alexei Starovoitov <alexei.starovoitov@gmail.com>:
> > 
> > On Wed, Nov 6, 2019 at 8:12 AM Ilya Leoshkevich <iii@linux.ibm.com> wrote:
> >> 
> >> Currently it's not possible to set bpf_jit_enable = 2 when
> >> CONFIG_BPF_JIT_ALWAYS_ON is set, which makes debugging certain problems
> >> harder.
> > 
> > This is obsolete way of debugging.
> > Please use bpftool dump jited instead.
> 
> Is there a way to integrate bpftool nicely with e.g. test_verifier?
> With bpf_jit_enable = 2, I can see JITed code for each test right away,
> without pausing it (via gdb or rebuilding with added sleep()) and
> running bpftool.

On the library side we can set the log_level causing the verifier logic
steps to be printed. I guess adding it to bpftool might be nice. At least
I would find it useful. I'll probably get to it sometime if its not
already there somewhere and/or someone doesn't beat me to it.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [RFC PATCH bpf-next] bpf: allow JIT debugging if CONFIG_BPF_JIT_ALWAYS_ON is set
  2019-11-06 16:50     ` John Fastabend
@ 2019-11-06 23:07       ` Daniel Borkmann
  2019-11-07 15:30         ` Ilya Leoshkevich
  0 siblings, 1 reply; 7+ messages in thread
From: Daniel Borkmann @ 2019-11-06 23:07 UTC (permalink / raw)
  To: John Fastabend, Ilya Leoshkevich, Alexei Starovoitov
  Cc: Alexei Starovoitov, bpf, Heiko Carstens, Vasily Gorbik

On 11/6/19 5:50 PM, John Fastabend wrote:
> Ilya Leoshkevich wrote:
>>> Am 06.11.2019 um 17:15 schrieb Alexei Starovoitov <alexei.starovoitov@gmail.com>:
>>> On Wed, Nov 6, 2019 at 8:12 AM Ilya Leoshkevich <iii@linux.ibm.com> wrote:
>>>>
>>>> Currently it's not possible to set bpf_jit_enable = 2 when
>>>> CONFIG_BPF_JIT_ALWAYS_ON is set, which makes debugging certain problems
>>>> harder.
>>>
>>> This is obsolete way of debugging.
>>> Please use bpftool dump jited instead.
>>
>> Is there a way to integrate bpftool nicely with e.g. test_verifier?
>> With bpf_jit_enable = 2, I can see JITed code for each test right away,
>> without pausing it (via gdb or rebuilding with added sleep()) and
>> running bpftool.
> 
> On the library side we can set the log_level causing the verifier logic
> steps to be printed. I guess adding it to bpftool might be nice. At least
> I would find it useful. I'll probably get to it sometime if its not
> already there somewhere and/or someone doesn't beat me to it.

+1

Was wondering whether it may be worth it moving parts of the logic from bpftool
into libbpf wrt jit dump as a higher level api, so it could be used directly for
checking out the jit disasm + opcodes for specific tests given we have the fd
there as well, but that might be too specific perhaps and would bring one more
lib dependency to libbpf for a rather narrow use case. Adding sleep before prog
fd close and/or shelling out to bpftool etc all is a crude temporary hack as
well (currently using something long these lines locally). Would it make sense
to dump some meta data and generated opcodes per test case to a file as opt-in
e.g. ./test_verifier 711 --dump produces 711.opcodes out of bpf_obj_get_info_by_fd()
which then bpftool could dump this artifact through its own disasm?

Thanks,
Daniel

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [RFC PATCH bpf-next] bpf: allow JIT debugging if CONFIG_BPF_JIT_ALWAYS_ON is set
  2019-11-06 23:07       ` Daniel Borkmann
@ 2019-11-07 15:30         ` Ilya Leoshkevich
  2019-11-07 16:19           ` Daniel Borkmann
  0 siblings, 1 reply; 7+ messages in thread
From: Ilya Leoshkevich @ 2019-11-07 15:30 UTC (permalink / raw)
  To: Daniel Borkmann
  Cc: John Fastabend, Alexei Starovoitov, Alexei Starovoitov, bpf,
	Heiko Carstens, Vasily Gorbik

> Am 07.11.2019 um 00:07 schrieb Daniel Borkmann <daniel@iogearbox.net>:
> 
> On 11/6/19 5:50 PM, John Fastabend wrote:
>> Ilya Leoshkevich wrote:
>>>> Am 06.11.2019 um 17:15 schrieb Alexei Starovoitov <alexei.starovoitov@gmail.com>:
>>>> On Wed, Nov 6, 2019 at 8:12 AM Ilya Leoshkevich <iii@linux.ibm.com> wrote:
>>>>> 
>>>>> Currently it's not possible to set bpf_jit_enable = 2 when
>>>>> CONFIG_BPF_JIT_ALWAYS_ON is set, which makes debugging certain problems
>>>>> harder.
>>>> 
>>>> This is obsolete way of debugging.
>>>> Please use bpftool dump jited instead.
>>> 
>>> Is there a way to integrate bpftool nicely with e.g. test_verifier?
>>> With bpf_jit_enable = 2, I can see JITed code for each test right away,
>>> without pausing it (via gdb or rebuilding with added sleep()) and
>>> running bpftool.
>> On the library side we can set the log_level causing the verifier logic
>> steps to be printed. I guess adding it to bpftool might be nice. At least
>> I would find it useful. I'll probably get to it sometime if its not
>> already there somewhere and/or someone doesn't beat me to it.
> 
> +1
> 
> Was wondering whether it may be worth it moving parts of the logic from bpftool
> into libbpf wrt jit dump as a higher level api, so it could be used directly for
> checking out the jit disasm + opcodes for specific tests given we have the fd
> there as well, but that might be too specific perhaps and would bring one more
> lib dependency to libbpf for a rather narrow use case. Adding sleep before prog
> fd close and/or shelling out to bpftool etc all is a crude temporary hack as
> well (currently using something long these lines locally). Would it make sense
> to dump some meta data and generated opcodes per test case to a file as opt-in
> e.g. ./test_verifier 711 --dump produces 711.opcodes out of bpf_obj_get_info_by_fd()
> which then bpftool could dump this artifact through its own disasm?
> 
> Thanks,
> Daniel

Yes, this sounds fine - if the test fails or behaves strangely, I won't
have to re-run it using a special setup, but rather just disasm the
dumped JITted image (maybe even without bpftool, just with objdump).

Another question though: what about seccomp? It looks as if those
programs are not shown by bpftool, since they are not created using bpf
syscall.

Best regards,
Ilya

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [RFC PATCH bpf-next] bpf: allow JIT debugging if CONFIG_BPF_JIT_ALWAYS_ON is set
  2019-11-07 15:30         ` Ilya Leoshkevich
@ 2019-11-07 16:19           ` Daniel Borkmann
  0 siblings, 0 replies; 7+ messages in thread
From: Daniel Borkmann @ 2019-11-07 16:19 UTC (permalink / raw)
  To: Ilya Leoshkevich
  Cc: John Fastabend, Alexei Starovoitov, Alexei Starovoitov, bpf,
	Heiko Carstens, Vasily Gorbik

On 11/7/19 4:30 PM, Ilya Leoshkevich wrote:
>> Am 07.11.2019 um 00:07 schrieb Daniel Borkmann <daniel@iogearbox.net>:
>>
>> On 11/6/19 5:50 PM, John Fastabend wrote:
>>> Ilya Leoshkevich wrote:
>>>>> Am 06.11.2019 um 17:15 schrieb Alexei Starovoitov <alexei.starovoitov@gmail.com>:
>>>>> On Wed, Nov 6, 2019 at 8:12 AM Ilya Leoshkevich <iii@linux.ibm.com> wrote:
>>>>>>
>>>>>> Currently it's not possible to set bpf_jit_enable = 2 when
>>>>>> CONFIG_BPF_JIT_ALWAYS_ON is set, which makes debugging certain problems
>>>>>> harder.
>>>>>
>>>>> This is obsolete way of debugging.
>>>>> Please use bpftool dump jited instead.
>>>>
>>>> Is there a way to integrate bpftool nicely with e.g. test_verifier?
>>>> With bpf_jit_enable = 2, I can see JITed code for each test right away,
>>>> without pausing it (via gdb or rebuilding with added sleep()) and
>>>> running bpftool.
>>> On the library side we can set the log_level causing the verifier logic
>>> steps to be printed. I guess adding it to bpftool might be nice. At least
>>> I would find it useful. I'll probably get to it sometime if its not
>>> already there somewhere and/or someone doesn't beat me to it.
>>
>> +1
>>
>> Was wondering whether it may be worth it moving parts of the logic from bpftool
>> into libbpf wrt jit dump as a higher level api, so it could be used directly for
>> checking out the jit disasm + opcodes for specific tests given we have the fd
>> there as well, but that might be too specific perhaps and would bring one more
>> lib dependency to libbpf for a rather narrow use case. Adding sleep before prog
>> fd close and/or shelling out to bpftool etc all is a crude temporary hack as
>> well (currently using something long these lines locally). Would it make sense
>> to dump some meta data and generated opcodes per test case to a file as opt-in
>> e.g. ./test_verifier 711 --dump produces 711.opcodes out of bpf_obj_get_info_by_fd()
>> which then bpftool could dump this artifact through its own disasm?
> 
> Yes, this sounds fine - if the test fails or behaves strangely, I won't
> have to re-run it using a special setup, but rather just disasm the
> dumped JITted image (maybe even without bpftool, just with objdump).
> 
> Another question though: what about seccomp? It looks as if those
> programs are not shown by bpftool, since they are not created using bpf
> syscall.

Correct, they are not shown because they are not native (e)BPF.

The criu folks are using PTRACE_SECCOMP_GET_FILTER as one option to dump (not
sure if that helps you much though):

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f8e529ed941ba2bbcbf310b575d968159ce7e895

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2019-11-07 16:19 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-06 16:12 [RFC PATCH bpf-next] bpf: allow JIT debugging if CONFIG_BPF_JIT_ALWAYS_ON is set Ilya Leoshkevich
2019-11-06 16:15 ` Alexei Starovoitov
2019-11-06 16:28   ` Ilya Leoshkevich
2019-11-06 16:50     ` John Fastabend
2019-11-06 23:07       ` Daniel Borkmann
2019-11-07 15:30         ` Ilya Leoshkevich
2019-11-07 16:19           ` Daniel Borkmann

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).