* [PATCH net-next v2 0/2] BPF inline improvements
@ 2017-08-19 1:12 Daniel Borkmann
2017-08-19 1:12 ` [PATCH net-next v2 1/2] bpf: make htab inlining more robust wrt assumptions Daniel Borkmann
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Daniel Borkmann @ 2017-08-19 1:12 UTC (permalink / raw)
To: davem; +Cc: ast, netdev, Daniel Borkmann
First one makes htab inlining more robust wrt future jits and
second one inlines map in map lookups through map_gen_lookup()
callback.
Thanks!
v1 -> v2:
- BITS_PER_LONG guard in patch 1
- BPF_EMIT_CALL is on __htab_map_lookup_elem
Daniel Borkmann (2):
bpf: make htab inlining more robust wrt assumptions
bpf: inline map in map lookup functions for array and htab
kernel/bpf/arraymap.c | 26 ++++++++++++++++++++++++++
kernel/bpf/hashtab.c | 17 +++++++++++++++++
kernel/bpf/verifier.c | 6 +++++-
3 files changed, 48 insertions(+), 1 deletion(-)
--
1.9.3
^ permalink raw reply [flat|nested] 5+ messages in thread* [PATCH net-next v2 1/2] bpf: make htab inlining more robust wrt assumptions 2017-08-19 1:12 [PATCH net-next v2 0/2] BPF inline improvements Daniel Borkmann @ 2017-08-19 1:12 ` Daniel Borkmann 2017-08-19 1:20 ` Alexei Starovoitov 2017-08-19 1:12 ` [PATCH net-next v2 2/2] bpf: inline map in map lookup functions for array and htab Daniel Borkmann 2017-08-20 4:56 ` [PATCH net-next v2 0/2] BPF inline improvements David Miller 2 siblings, 1 reply; 5+ messages in thread From: Daniel Borkmann @ 2017-08-19 1:12 UTC (permalink / raw) To: davem; +Cc: ast, netdev, Daniel Borkmann Commit 9015d2f59535 ("bpf: inline htab_map_lookup_elem()") was making the assumption that a direct call emission to the function __htab_map_lookup_elem() will always work out for JITs. This is currently true since all JITs we have are for 64 bit archs, but in case of 32 bit JITs like upcoming arm32, we get a NULL pointer dereference when executing the call to __htab_map_lookup_elem() since passed arguments are of a different size (due to pointer args) than what we do out of BPF. Guard and thus limit this for now for the current 64 bit JITs only. Reported-by: Shubham Bansal <illusionist.neo@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> --- kernel/bpf/verifier.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 4f6e7eb..e42c096 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -4160,7 +4160,11 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env) continue; } - if (ebpf_jit_enabled() && insn->imm == BPF_FUNC_map_lookup_elem) { + /* BPF_EMIT_CALL() assumptions in some of the map_gen_lookup + * handlers are currently limited to 64 bit only. + */ + if (ebpf_jit_enabled() && BITS_PER_LONG == 64 && + insn->imm == BPF_FUNC_map_lookup_elem) { map_ptr = env->insn_aux_data[i + delta].map_ptr; if (map_ptr == BPF_MAP_PTR_POISON || !map_ptr->ops->map_gen_lookup) -- 1.9.3 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH net-next v2 1/2] bpf: make htab inlining more robust wrt assumptions 2017-08-19 1:12 ` [PATCH net-next v2 1/2] bpf: make htab inlining more robust wrt assumptions Daniel Borkmann @ 2017-08-19 1:20 ` Alexei Starovoitov 0 siblings, 0 replies; 5+ messages in thread From: Alexei Starovoitov @ 2017-08-19 1:20 UTC (permalink / raw) To: Daniel Borkmann, davem; +Cc: netdev On 8/18/17 6:12 PM, Daniel Borkmann wrote: > Commit 9015d2f59535 ("bpf: inline htab_map_lookup_elem()") was > making the assumption that a direct call emission to the function > __htab_map_lookup_elem() will always work out for JITs. > > This is currently true since all JITs we have are for 64 bit archs, > but in case of 32 bit JITs like upcoming arm32, we get a NULL pointer > dereference when executing the call to __htab_map_lookup_elem() > since passed arguments are of a different size (due to pointer args) > than what we do out of BPF. Guard and thus limit this for now for > the current 64 bit JITs only. > > Reported-by: Shubham Bansal <illusionist.neo@gmail.com> > Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> Thanks. That's good robustness fix. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH net-next v2 2/2] bpf: inline map in map lookup functions for array and htab 2017-08-19 1:12 [PATCH net-next v2 0/2] BPF inline improvements Daniel Borkmann 2017-08-19 1:12 ` [PATCH net-next v2 1/2] bpf: make htab inlining more robust wrt assumptions Daniel Borkmann @ 2017-08-19 1:12 ` Daniel Borkmann 2017-08-20 4:56 ` [PATCH net-next v2 0/2] BPF inline improvements David Miller 2 siblings, 0 replies; 5+ messages in thread From: Daniel Borkmann @ 2017-08-19 1:12 UTC (permalink / raw) To: davem; +Cc: ast, netdev, Daniel Borkmann Avoid two successive functions calls for the map in map lookup, first is the bpf_map_lookup_elem() helper call, and second the callback via map->ops->map_lookup_elem() to get to the map in map implementation. Implementation inlines array and htab flavor for map in map lookups. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> --- kernel/bpf/arraymap.c | 26 ++++++++++++++++++++++++++ kernel/bpf/hashtab.c | 17 +++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c index d771a38..b25d6ce 100644 --- a/kernel/bpf/arraymap.c +++ b/kernel/bpf/arraymap.c @@ -603,6 +603,31 @@ static void *array_of_map_lookup_elem(struct bpf_map *map, void *key) return READ_ONCE(*inner_map); } +static u32 array_of_map_gen_lookup(struct bpf_map *map, + struct bpf_insn *insn_buf) +{ + u32 elem_size = round_up(map->value_size, 8); + struct bpf_insn *insn = insn_buf; + const int ret = BPF_REG_0; + const int map_ptr = BPF_REG_1; + const int index = BPF_REG_2; + + *insn++ = BPF_ALU64_IMM(BPF_ADD, map_ptr, offsetof(struct bpf_array, value)); + *insn++ = BPF_LDX_MEM(BPF_W, ret, index, 0); + *insn++ = BPF_JMP_IMM(BPF_JGE, ret, map->max_entries, 5); + if (is_power_of_2(elem_size)) + *insn++ = BPF_ALU64_IMM(BPF_LSH, ret, ilog2(elem_size)); + else + *insn++ = BPF_ALU64_IMM(BPF_MUL, ret, elem_size); + *insn++ = BPF_ALU64_REG(BPF_ADD, ret, map_ptr); + *insn++ = BPF_LDX_MEM(BPF_DW, ret, ret, 0); + *insn++ = BPF_JMP_IMM(BPF_JEQ, ret, 0, 1); + *insn++ = BPF_JMP_IMM(BPF_JA, 0, 0, 1); + *insn++ = BPF_MOV64_IMM(ret, 0); + + return insn - insn_buf; +} + const struct bpf_map_ops array_of_maps_map_ops = { .map_alloc = array_of_map_alloc, .map_free = array_of_map_free, @@ -612,4 +637,5 @@ static void *array_of_map_lookup_elem(struct bpf_map *map, void *key) .map_fd_get_ptr = bpf_map_fd_get_ptr, .map_fd_put_ptr = bpf_map_fd_put_ptr, .map_fd_sys_lookup_elem = bpf_map_fd_sys_lookup_elem, + .map_gen_lookup = array_of_map_gen_lookup, }; diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c index 4fb4631..3f9a5a2 100644 --- a/kernel/bpf/hashtab.c +++ b/kernel/bpf/hashtab.c @@ -1311,6 +1311,22 @@ static void *htab_of_map_lookup_elem(struct bpf_map *map, void *key) return READ_ONCE(*inner_map); } +static u32 htab_of_map_gen_lookup(struct bpf_map *map, + struct bpf_insn *insn_buf) +{ + struct bpf_insn *insn = insn_buf; + const int ret = BPF_REG_0; + + *insn++ = BPF_EMIT_CALL((u64 (*)(u64, u64, u64, u64, u64))__htab_map_lookup_elem); + *insn++ = BPF_JMP_IMM(BPF_JEQ, ret, 0, 2); + *insn++ = BPF_ALU64_IMM(BPF_ADD, ret, + offsetof(struct htab_elem, key) + + round_up(map->key_size, 8)); + *insn++ = BPF_LDX_MEM(BPF_DW, ret, ret, 0); + + return insn - insn_buf; +} + static void htab_of_map_free(struct bpf_map *map) { bpf_map_meta_free(map->inner_map_meta); @@ -1326,4 +1342,5 @@ static void htab_of_map_free(struct bpf_map *map) .map_fd_get_ptr = bpf_map_fd_get_ptr, .map_fd_put_ptr = bpf_map_fd_put_ptr, .map_fd_sys_lookup_elem = bpf_map_fd_sys_lookup_elem, + .map_gen_lookup = htab_of_map_gen_lookup, }; -- 1.9.3 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH net-next v2 0/2] BPF inline improvements 2017-08-19 1:12 [PATCH net-next v2 0/2] BPF inline improvements Daniel Borkmann 2017-08-19 1:12 ` [PATCH net-next v2 1/2] bpf: make htab inlining more robust wrt assumptions Daniel Borkmann 2017-08-19 1:12 ` [PATCH net-next v2 2/2] bpf: inline map in map lookup functions for array and htab Daniel Borkmann @ 2017-08-20 4:56 ` David Miller 2 siblings, 0 replies; 5+ messages in thread From: David Miller @ 2017-08-20 4:56 UTC (permalink / raw) To: daniel; +Cc: ast, netdev From: Daniel Borkmann <daniel@iogearbox.net> Date: Sat, 19 Aug 2017 03:12:44 +0200 > First one makes htab inlining more robust wrt future jits and > second one inlines map in map lookups through map_gen_lookup() > callback. Series applied, thanks Daniel. ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-08-20 4:56 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2017-08-19 1:12 [PATCH net-next v2 0/2] BPF inline improvements Daniel Borkmann 2017-08-19 1:12 ` [PATCH net-next v2 1/2] bpf: make htab inlining more robust wrt assumptions Daniel Borkmann 2017-08-19 1:20 ` Alexei Starovoitov 2017-08-19 1:12 ` [PATCH net-next v2 2/2] bpf: inline map in map lookup functions for array and htab Daniel Borkmann 2017-08-20 4:56 ` [PATCH net-next v2 0/2] BPF inline improvements David Miller
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).