1. Patch1 is dependent patch to fix zext extension error in 32-bit ARM. 2. Patch2 supports bpf fkunc in 32-bit ARM for EABI. 3. Patch3 is used to add test cases to cover some parameter scenarios states by AAPCS. 4. Patch4 fix a comment error.
The following is the test_progs result in the 32-bit ARM environment:
# uname -m armv7l # echo 1 > /proc/sys/net/core/bpf_jit_enable # ./test_progs -t kfunc_call #1/1 kfunc_call/kfunc_syscall_test_fail:OK #1/2 kfunc_call/kfunc_syscall_test_null_fail:OK #1/3 kfunc_call/kfunc_call_test_get_mem_fail_rdonly:OK #1/4 kfunc_call/kfunc_call_test_get_mem_fail_use_after_free:OK #1/5 kfunc_call/kfunc_call_test_get_mem_fail_oob:OK #1/6 kfunc_call/kfunc_call_test_get_mem_fail_not_const:OK #1/7 kfunc_call/kfunc_call_test_mem_acquire_fail:OK #1/8 kfunc_call/kfunc_call_test1:OK #1/9 kfunc_call/kfunc_call_test2:OK #1/10 kfunc_call/kfunc_call_test4:OK #1/11 kfunc_call/kfunc_call_test5:OK #1/12 kfunc_call/kfunc_call_test6:OK #1/13 kfunc_call/kfunc_call_test_ref_btf_id:OK #1/14 kfunc_call/kfunc_call_test_get_mem:OK #1/15 kfunc_call/kfunc_syscall_test:OK #1/16 kfunc_call/kfunc_syscall_test_null:OK #1/19 kfunc_call/destructive:OK
--- Changes since v2: - Remove patches to adjust sk size check for CO_RE in 32-bit arch. - Add check of kfunc's return value in insn_def_regno. - Adjust is_reg64 for insn_def_regno. - The check of CONFIG_AEABI is moved from emit_kfunc_call to bpf_jit_supports_kfunc_call. - Fix a comment error in fixup_kfunc_call.
Yang Jihong (4): bpf: Adapt 32-bit return value kfunc for 32-bit ARM when zext extension bpf: Add kernel function call support in 32-bit ARM for EABI bpf:selftests: Add kfunc_call test for mixing 32-bit and 64-bit parameters bpf: Fix comment error in fixup_kfunc_call function
arch/arm/net/bpf_jit_32.c | 137 ++++++++++++++++++ kernel/bpf/verifier.c | 46 +++++- net/bpf/test_run.c | 18 +++ .../selftests/bpf/prog_tests/kfunc_call.c | 3 + .../selftests/bpf/progs/kfunc_call_test.c | 52 +++++++ 5 files changed, 252 insertions(+), 4 deletions(-)
For ARM32 architecture, if data width of kfunc return value is 32 bits, need to do explicit zero extension for high 32-bit, insn_def_regno should return dst_reg for BPF_JMP type of BPF_PSEUDO_KFUNC_CALL. Otherwise, opt_subreg_zext_lo32_rnd_hi32 returns -EFAULT, resulting in BPF failure.
Signed-off-by: Yang Jihong yangjihong1@huawei.com --- kernel/bpf/verifier.c | 44 ++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 41 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 264b3dc714cc..193ea927aa69 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -1927,6 +1927,21 @@ find_kfunc_desc(const struct bpf_prog *prog, u32 func_id, u16 offset) sizeof(tab->descs[0]), kfunc_desc_cmp_by_id_off); }
+static int kfunc_desc_cmp_by_imm(const void *a, const void *b); + +static const struct bpf_kfunc_desc * +find_kfunc_desc_by_imm(const struct bpf_prog *prog, s32 imm) +{ + struct bpf_kfunc_desc desc = { + .imm = imm, + }; + struct bpf_kfunc_desc_tab *tab; + + tab = prog->aux->kfunc_tab; + return bsearch(&desc, tab->descs, tab->nr_descs, + sizeof(tab->descs[0]), kfunc_desc_cmp_by_imm); +} + static struct btf *__find_kfunc_desc_btf(struct bpf_verifier_env *env, s16 offset) { @@ -2342,6 +2357,13 @@ static bool is_reg64(struct bpf_verifier_env *env, struct bpf_insn *insn, */ if (insn->src_reg == BPF_PSEUDO_CALL) return false; + + /* Kfunc call will reach here because of insn_has_def32, + * conservatively return TRUE. + */ + if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL) + return true; + /* Helper call will reach here because of arg type * check, conservatively return TRUE. */ @@ -2405,10 +2427,26 @@ static bool is_reg64(struct bpf_verifier_env *env, struct bpf_insn *insn, }
/* Return the regno defined by the insn, or -1. */ -static int insn_def_regno(const struct bpf_insn *insn) +static int insn_def_regno(struct bpf_verifier_env *env, const struct bpf_insn *insn) { switch (BPF_CLASS(insn->code)) { case BPF_JMP: + if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL) { + const struct bpf_kfunc_desc *desc; + + /* The value of desc cannot be NULL */ + desc = find_kfunc_desc_by_imm(env->prog, insn->imm); + + /* A kfunc can return void. + * The btf type of the kfunc's return value needs + * to be checked against "void" first + */ + if (desc->func_model.ret_size == 0) + return -1; + else + return insn->dst_reg; + } + fallthrough; case BPF_JMP32: case BPF_ST: return -1; @@ -2430,7 +2468,7 @@ static int insn_def_regno(const struct bpf_insn *insn) /* Return TRUE if INSN has defined any 32-bit value explicitly. */ static bool insn_has_def32(struct bpf_verifier_env *env, struct bpf_insn *insn) { - int dst_reg = insn_def_regno(insn); + int dst_reg = insn_def_regno(env, insn);
if (dst_reg == -1) return false; @@ -13335,7 +13373,7 @@ static int opt_subreg_zext_lo32_rnd_hi32(struct bpf_verifier_env *env, int load_reg;
insn = insns[adj_idx]; - load_reg = insn_def_regno(&insn); + load_reg = insn_def_regno(env, &insn); if (!aux[adj_idx].zext_dst) { u8 code, class; u32 imm_rnd;
On Sat, Nov 26, 2022 at 05:45:27PM +0800, Yang Jihong wrote:
For ARM32 architecture, if data width of kfunc return value is 32 bits, need to do explicit zero extension for high 32-bit, insn_def_regno should return dst_reg for BPF_JMP type of BPF_PSEUDO_KFUNC_CALL. Otherwise, opt_subreg_zext_lo32_rnd_hi32 returns -EFAULT, resulting in BPF failure.
Signed-off-by: Yang Jihong yangjihong1@huawei.com
kernel/bpf/verifier.c | 44 ++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 41 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 264b3dc714cc..193ea927aa69 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -1927,6 +1927,21 @@ find_kfunc_desc(const struct bpf_prog *prog, u32 func_id, u16 offset) sizeof(tab->descs[0]), kfunc_desc_cmp_by_id_off); } +static int kfunc_desc_cmp_by_imm(const void *a, const void *b);
+static const struct bpf_kfunc_desc * +find_kfunc_desc_by_imm(const struct bpf_prog *prog, s32 imm) +{
- struct bpf_kfunc_desc desc = {
.imm = imm,- };
- struct bpf_kfunc_desc_tab *tab;
- tab = prog->aux->kfunc_tab;
- return bsearch(&desc, tab->descs, tab->nr_descs,
sizeof(tab->descs[0]), kfunc_desc_cmp_by_imm);+}
static struct btf *__find_kfunc_desc_btf(struct bpf_verifier_env *env, s16 offset) { @@ -2342,6 +2357,13 @@ static bool is_reg64(struct bpf_verifier_env *env, struct bpf_insn *insn, */ if (insn->src_reg == BPF_PSEUDO_CALL) return false;
/* Kfunc call will reach here because of insn_has_def32,* conservatively return TRUE.*/if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL)return true;/* Helper call will reach here because of arg type * check, conservatively return TRUE. */@@ -2405,10 +2427,26 @@ static bool is_reg64(struct bpf_verifier_env *env, struct bpf_insn *insn, } /* Return the regno defined by the insn, or -1. */ -static int insn_def_regno(const struct bpf_insn *insn) +static int insn_def_regno(struct bpf_verifier_env *env, const struct bpf_insn *insn) { switch (BPF_CLASS(insn->code)) { case BPF_JMP:
if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL) {const struct bpf_kfunc_desc *desc;/* The value of desc cannot be NULL */desc = find_kfunc_desc_by_imm(env->prog, insn->imm);/* A kfunc can return void.* The btf type of the kfunc's return value needs* to be checked against "void" first*/if (desc->func_model.ret_size == 0)return -1;elsereturn insn->dst_reg;}fallthrough;
I cannot make any sense of this patch. insn->dst_reg above is 0. The kfunc call doesn't define a register from insn_def_regno() pov.
Are you hacking insn_def_regno() to return 0 so that if (WARN_ON(load_reg == -1)) { verbose(env, "verifier bug. zext_dst is set, but no reg is defined\n"); return -EFAULT; } in opt_subreg_zext_lo32_rnd_hi32() doesn't trigger ?
But this verifier message should have been a hint that you need to analyze why zext_dst is set on this kfunc call. Maybe it shouldn't ? Did you analyze the logic of mark_btf_func_reg_size() ?
Before producing any patches please understand the logic fully. Your commit log "insn_def_regno should return dst_reg for BPF_JMP type of BPF_PSEUDO_KFUNC_CALL."
Makes no sense to me, since dst_reg is unused in JMP insn. There is no concept of a src or dst register in a JMP insn.
32-bit x86 supports calling kfuncs. See emit_kfunc_call(). And we don't have this "verifier bug. zext_dst is set" issue there, right? But what you're saying in the commit log: "if data width of kfunc return value is 32 bits" should have been applicable to x86-32 as well. So please start with a test that demonstrates the issue on x86-32 and then we can discuss the way to fix it.
The patch 2 sort-of makes sense.
For patch 3 pls add new test funcs to bpf_testmod. We will move all of them from net/bpf/test_run.c to bpf_testmod eventually.
On 2022/11/28 9:57, Alexei Starovoitov wrote:
On Sat, Nov 26, 2022 at 05:45:27PM +0800, Yang Jihong wrote:
For ARM32 architecture, if data width of kfunc return value is 32 bits, need to do explicit zero extension for high 32-bit, insn_def_regno should return dst_reg for BPF_JMP type of BPF_PSEUDO_KFUNC_CALL. Otherwise, opt_subreg_zext_lo32_rnd_hi32 returns -EFAULT, resulting in BPF failure.
Signed-off-by: Yang Jihong yangjihong1@huawei.com
kernel/bpf/verifier.c | 44 ++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 41 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 264b3dc714cc..193ea927aa69 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -1927,6 +1927,21 @@ find_kfunc_desc(const struct bpf_prog *prog, u32 func_id, u16 offset) sizeof(tab->descs[0]), kfunc_desc_cmp_by_id_off); } +static int kfunc_desc_cmp_by_imm(const void *a, const void *b);
+static const struct bpf_kfunc_desc * +find_kfunc_desc_by_imm(const struct bpf_prog *prog, s32 imm) +{
- struct bpf_kfunc_desc desc = {
.imm = imm,- };
- struct bpf_kfunc_desc_tab *tab;
- tab = prog->aux->kfunc_tab;
- return bsearch(&desc, tab->descs, tab->nr_descs,
sizeof(tab->descs[0]), kfunc_desc_cmp_by_imm);+}
- static struct btf *__find_kfunc_desc_btf(struct bpf_verifier_env *env, s16 offset) {
@@ -2342,6 +2357,13 @@ static bool is_reg64(struct bpf_verifier_env *env, struct bpf_insn *insn, */ if (insn->src_reg == BPF_PSEUDO_CALL) return false;
/* Kfunc call will reach here because of insn_has_def32,* conservatively return TRUE.*/if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL)return true;/* Helper call will reach here because of arg type * check, conservatively return TRUE. */@@ -2405,10 +2427,26 @@ static bool is_reg64(struct bpf_verifier_env *env, struct bpf_insn *insn, } /* Return the regno defined by the insn, or -1. */ -static int insn_def_regno(const struct bpf_insn *insn) +static int insn_def_regno(struct bpf_verifier_env *env, const struct bpf_insn *insn) { switch (BPF_CLASS(insn->code)) { case BPF_JMP:
if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL) {const struct bpf_kfunc_desc *desc;/* The value of desc cannot be NULL */desc = find_kfunc_desc_by_imm(env->prog, insn->imm);/* A kfunc can return void.* The btf type of the kfunc's return value needs* to be checked against "void" first*/if (desc->func_model.ret_size == 0)return -1;elsereturn insn->dst_reg;}fallthrough;I cannot make any sense of this patch. insn->dst_reg above is 0. The kfunc call doesn't define a register from insn_def_regno() pov.
Are you hacking insn_def_regno() to return 0 so that if (WARN_ON(load_reg == -1)) { verbose(env, "verifier bug. zext_dst is set, but no reg is defined\n"); return -EFAULT; } in opt_subreg_zext_lo32_rnd_hi32() doesn't trigger ?
But this verifier message should have been a hint that you need to analyze why zext_dst is set on this kfunc call. Maybe it shouldn't ? Did you analyze the logic of mark_btf_func_reg_size() ?
make r0 zext is not caused by mark_btf_func_reg_size.
This problem occurs when running the kfunc_call_test_ref_btf_id test case in the 32-bit ARM environment. The bpf prog is as follows: int kfunc_call_test_ref_btf_id(struct __sk_buff *skb) { struct prog_test_ref_kfunc *pt; unsigned long s = 0; int ret = 0;
pt = bpf_kfunc_call_test_acquire(&s); if (pt) { // here, do_check clears the upper 32bits of r0 through: // check_alu_op // ->check_reg_arg // ->mark_insn_zext if (pt->a != 42 || pt->b != 108) ret = -1; bpf_kfunc_call_test_release(pt); } return ret; }
Before producing any patches please understand the logic fully. Your commit log "insn_def_regno should return dst_reg for BPF_JMP type of BPF_PSEUDO_KFUNC_CALL."
Makes no sense to me, since dst_reg is unused in JMP insn. There is no concept of a src or dst register in a JMP insn.
32-bit x86 supports calling kfuncs. See emit_kfunc_call(). And we don't have this "verifier bug. zext_dst is set" issue there, right? But what you're saying in the commit log: "if data width of kfunc return value is 32 bits" should have been applicable to x86-32 as well. So please start with a test that demonstrates the issue on x86-32 and then we can discuss the way to fix it.
The patch 2 sort-of makes sense.
For patch 3 pls add new test funcs to bpf_testmod. We will move all of them from net/bpf/test_run.c to bpf_testmod eventually. .
On Mon, Nov 28, 2022 at 4:40 AM Yang Jihong yangjihong1@huawei.com wrote:
On 2022/11/28 9:57, Alexei Starovoitov wrote:
On Sat, Nov 26, 2022 at 05:45:27PM +0800, Yang Jihong wrote:
For ARM32 architecture, if data width of kfunc return value is 32 bits, need to do explicit zero extension for high 32-bit, insn_def_regno should return dst_reg for BPF_JMP type of BPF_PSEUDO_KFUNC_CALL. Otherwise, opt_subreg_zext_lo32_rnd_hi32 returns -EFAULT, resulting in BPF failure.
Signed-off-by: Yang Jihong yangjihong1@huawei.com
kernel/bpf/verifier.c | 44 ++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 41 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 264b3dc714cc..193ea927aa69 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -1927,6 +1927,21 @@ find_kfunc_desc(const struct bpf_prog *prog, u32 func_id, u16 offset) sizeof(tab->descs[0]), kfunc_desc_cmp_by_id_off); }
+static int kfunc_desc_cmp_by_imm(const void *a, const void *b);
+static const struct bpf_kfunc_desc * +find_kfunc_desc_by_imm(const struct bpf_prog *prog, s32 imm) +{
- struct bpf_kfunc_desc desc = {
.imm = imm,- };
- struct bpf_kfunc_desc_tab *tab;
- tab = prog->aux->kfunc_tab;
- return bsearch(&desc, tab->descs, tab->nr_descs,
sizeof(tab->descs[0]), kfunc_desc_cmp_by_imm);+}
- static struct btf *__find_kfunc_desc_btf(struct bpf_verifier_env *env, s16 offset) {
@@ -2342,6 +2357,13 @@ static bool is_reg64(struct bpf_verifier_env *env, struct bpf_insn *insn, */ if (insn->src_reg == BPF_PSEUDO_CALL) return false;
/* Kfunc call will reach here because of insn_has_def32,* conservatively return TRUE.*/if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL)return true;/* Helper call will reach here because of arg type * check, conservatively return TRUE. */@@ -2405,10 +2427,26 @@ static bool is_reg64(struct bpf_verifier_env *env, struct bpf_insn *insn, }
/* Return the regno defined by the insn, or -1. */ -static int insn_def_regno(const struct bpf_insn *insn) +static int insn_def_regno(struct bpf_verifier_env *env, const struct bpf_insn *insn) { switch (BPF_CLASS(insn->code)) { case BPF_JMP:
if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL) {const struct bpf_kfunc_desc *desc;/* The value of desc cannot be NULL */desc = find_kfunc_desc_by_imm(env->prog, insn->imm);/* A kfunc can return void.* The btf type of the kfunc's return value needs* to be checked against "void" first*/if (desc->func_model.ret_size == 0)return -1;elsereturn insn->dst_reg;}fallthrough;I cannot make any sense of this patch. insn->dst_reg above is 0. The kfunc call doesn't define a register from insn_def_regno() pov.
Are you hacking insn_def_regno() to return 0 so that if (WARN_ON(load_reg == -1)) { verbose(env, "verifier bug. zext_dst is set, but no reg is defined\n"); return -EFAULT; } in opt_subreg_zext_lo32_rnd_hi32() doesn't trigger ?
But this verifier message should have been a hint that you need to analyze why zext_dst is set on this kfunc call. Maybe it shouldn't ? Did you analyze the logic of mark_btf_func_reg_size() ?
make r0 zext is not caused by mark_btf_func_reg_size.
This problem occurs when running the kfunc_call_test_ref_btf_id test case in the 32-bit ARM environment.
Why is it not failing on x86-32 ?
The bpf prog is as follows: int kfunc_call_test_ref_btf_id(struct __sk_buff *skb) { struct prog_test_ref_kfunc *pt; unsigned long s = 0; int ret = 0;
pt = bpf_kfunc_call_test_acquire(&s); if (pt) { // here, do_check clears the upper 32bits of r0 through: // check_alu_op // ->check_reg_arg // ->mark_insn_zext if (pt->a != 42 || pt->b != 108) ret = -1; bpf_kfunc_call_test_release(pt); } return ret; }
Before producing any patches please understand the logic fully. Your commit log "insn_def_regno should return dst_reg for BPF_JMP type of BPF_PSEUDO_KFUNC_CALL."
Makes no sense to me, since dst_reg is unused in JMP insn. There is no concept of a src or dst register in a JMP insn.
32-bit x86 supports calling kfuncs. See emit_kfunc_call(). And we don't have this "verifier bug. zext_dst is set" issue there, right? But what you're saying in the commit log: "if data width of kfunc return value is 32 bits" should have been applicable to x86-32 as well. So please start with a test that demonstrates the issue on x86-32 and then we can discuss the way to fix it.
The patch 2 sort-of makes sense.
For patch 3 pls add new test funcs to bpf_testmod. We will move all of them from net/bpf/test_run.c to bpf_testmod eventually. .
On 2022/11/29 0:41, Alexei Starovoitov wrote:
On Mon, Nov 28, 2022 at 4:40 AM Yang Jihong yangjihong1@huawei.com wrote:
On 2022/11/28 9:57, Alexei Starovoitov wrote:
On Sat, Nov 26, 2022 at 05:45:27PM +0800, Yang Jihong wrote:
For ARM32 architecture, if data width of kfunc return value is 32 bits, need to do explicit zero extension for high 32-bit, insn_def_regno should return dst_reg for BPF_JMP type of BPF_PSEUDO_KFUNC_CALL. Otherwise, opt_subreg_zext_lo32_rnd_hi32 returns -EFAULT, resulting in BPF failure.
Signed-off-by: Yang Jihong yangjihong1@huawei.com
kernel/bpf/verifier.c | 44 ++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 41 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 264b3dc714cc..193ea927aa69 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -1927,6 +1927,21 @@ find_kfunc_desc(const struct bpf_prog *prog, u32 func_id, u16 offset) sizeof(tab->descs[0]), kfunc_desc_cmp_by_id_off); }
+static int kfunc_desc_cmp_by_imm(const void *a, const void *b);
+static const struct bpf_kfunc_desc * +find_kfunc_desc_by_imm(const struct bpf_prog *prog, s32 imm) +{
- struct bpf_kfunc_desc desc = {
.imm = imm,- };
- struct bpf_kfunc_desc_tab *tab;
- tab = prog->aux->kfunc_tab;
- return bsearch(&desc, tab->descs, tab->nr_descs,
sizeof(tab->descs[0]), kfunc_desc_cmp_by_imm);+}
- static struct btf *__find_kfunc_desc_btf(struct bpf_verifier_env *env, s16 offset) {
@@ -2342,6 +2357,13 @@ static bool is_reg64(struct bpf_verifier_env *env, struct bpf_insn *insn, */ if (insn->src_reg == BPF_PSEUDO_CALL) return false;
/* Kfunc call will reach here because of insn_has_def32,* conservatively return TRUE.*/if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL)return true;/* Helper call will reach here because of arg type * check, conservatively return TRUE. */@@ -2405,10 +2427,26 @@ static bool is_reg64(struct bpf_verifier_env *env, struct bpf_insn *insn, }
/* Return the regno defined by the insn, or -1. */ -static int insn_def_regno(const struct bpf_insn *insn) +static int insn_def_regno(struct bpf_verifier_env *env, const struct bpf_insn *insn) { switch (BPF_CLASS(insn->code)) { case BPF_JMP:
if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL) {const struct bpf_kfunc_desc *desc;/* The value of desc cannot be NULL */desc = find_kfunc_desc_by_imm(env->prog, insn->imm);/* A kfunc can return void.* The btf type of the kfunc's return value needs* to be checked against "void" first*/if (desc->func_model.ret_size == 0)return -1;elsereturn insn->dst_reg;}fallthrough;I cannot make any sense of this patch. insn->dst_reg above is 0. The kfunc call doesn't define a register from insn_def_regno() pov.
Are you hacking insn_def_regno() to return 0 so that if (WARN_ON(load_reg == -1)) { verbose(env, "verifier bug. zext_dst is set, but no reg is defined\n"); return -EFAULT; } in opt_subreg_zext_lo32_rnd_hi32() doesn't trigger ?
But this verifier message should have been a hint that you need to analyze why zext_dst is set on this kfunc call. Maybe it shouldn't ? Did you analyze the logic of mark_btf_func_reg_size() ?
make r0 zext is not caused by mark_btf_func_reg_size.
This problem occurs when running the kfunc_call_test_ref_btf_id test case in the 32-bit ARM environment.
Why is it not failing on x86-32 ?
Use the latest mainline kernel code to test on the x86_32 machine. The test also fails:
# ./test_progs -t kfunc_call/kfunc_call_test_ref_btf_id Failed to load bpf_testmod.ko into the kernel: -8 WARNING! Selftests relying on bpf_testmod.ko will be skipped. libbpf: prog 'kfunc_call_test_ref_btf_id': BPF program load failed: Bad address libbpf: prog 'kfunc_call_test_ref_btf_id': -- BEGIN PROG LOAD LOG -- processed 25 insns (limit 1000000) max_states_per_insn 0 total_states 2 peak_states 2 mark_read 1 -- END PROG LOAD LOG -- libbpf: prog 'kfunc_call_test_ref_btf_id': failed to load: -14 libbpf: failed to load object 'kfunc_call_test' libbpf: failed to load BPF skeleton 'kfunc_call_test': -14 verify_success:FAIL:skel unexpected error: -14
Therefore, this problem also exists on x86_32: "verifier bug. zext_dst is set, but no reg is defined"
The bpf prog is as follows: int kfunc_call_test_ref_btf_id(struct __sk_buff *skb) { struct prog_test_ref_kfunc *pt; unsigned long s = 0; int ret = 0;
pt = bpf_kfunc_call_test_acquire(&s); if (pt) { // here, do_check clears the upper 32bits of r0 through: // check_alu_op // ->check_reg_arg // ->mark_insn_zext if (pt->a != 42 || pt->b != 108) ret = -1; bpf_kfunc_call_test_release(pt); } return ret; }
Before producing any patches please understand the logic fully. Your commit log "insn_def_regno should return dst_reg for BPF_JMP type of BPF_PSEUDO_KFUNC_CALL."
Makes no sense to me, since dst_reg is unused in JMP insn. There is no concept of a src or dst register in a JMP insn.
32-bit x86 supports calling kfuncs. See emit_kfunc_call(). And we don't have this "verifier bug. zext_dst is set" issue there, right? But what you're saying in the commit log: "if data width of kfunc return value is 32 bits" should have been applicable to x86-32 as well. So please start with a test that demonstrates the issue on x86-32 and then we can discuss the way to fix it.
The patch 2 sort-of makes sense.
For patch 3 pls add new test funcs to bpf_testmod. We will move all of them from net/bpf/test_run.c to bpf_testmod eventually. .
.
On Fri, Dec 2, 2022 at 6:58 PM Yang Jihong yangjihong1@huawei.com wrote:
On 2022/11/29 0:41, Alexei Starovoitov wrote:
On Mon, Nov 28, 2022 at 4:40 AM Yang Jihong yangjihong1@huawei.com wrote:
On 2022/11/28 9:57, Alexei Starovoitov wrote:
On Sat, Nov 26, 2022 at 05:45:27PM +0800, Yang Jihong wrote:
For ARM32 architecture, if data width of kfunc return value is 32 bits, need to do explicit zero extension for high 32-bit, insn_def_regno should return dst_reg for BPF_JMP type of BPF_PSEUDO_KFUNC_CALL. Otherwise, opt_subreg_zext_lo32_rnd_hi32 returns -EFAULT, resulting in BPF failure.
Signed-off-by: Yang Jihong yangjihong1@huawei.com
kernel/bpf/verifier.c | 44 ++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 41 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 264b3dc714cc..193ea927aa69 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -1927,6 +1927,21 @@ find_kfunc_desc(const struct bpf_prog *prog, u32 func_id, u16 offset) sizeof(tab->descs[0]), kfunc_desc_cmp_by_id_off); }
+static int kfunc_desc_cmp_by_imm(const void *a, const void *b);
+static const struct bpf_kfunc_desc * +find_kfunc_desc_by_imm(const struct bpf_prog *prog, s32 imm) +{
- struct bpf_kfunc_desc desc = {
.imm = imm,- };
- struct bpf_kfunc_desc_tab *tab;
- tab = prog->aux->kfunc_tab;
- return bsearch(&desc, tab->descs, tab->nr_descs,
sizeof(tab->descs[0]), kfunc_desc_cmp_by_imm);+}
- static struct btf *__find_kfunc_desc_btf(struct bpf_verifier_env *env, s16 offset) {
@@ -2342,6 +2357,13 @@ static bool is_reg64(struct bpf_verifier_env *env, struct bpf_insn *insn, */ if (insn->src_reg == BPF_PSEUDO_CALL) return false;
/* Kfunc call will reach here because of insn_has_def32,* conservatively return TRUE.*/if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL)return true;/* Helper call will reach here because of arg type * check, conservatively return TRUE. */@@ -2405,10 +2427,26 @@ static bool is_reg64(struct bpf_verifier_env *env, struct bpf_insn *insn, }
/* Return the regno defined by the insn, or -1. */ -static int insn_def_regno(const struct bpf_insn *insn) +static int insn_def_regno(struct bpf_verifier_env *env, const struct bpf_insn *insn) { switch (BPF_CLASS(insn->code)) { case BPF_JMP:
if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL) {const struct bpf_kfunc_desc *desc;/* The value of desc cannot be NULL */desc = find_kfunc_desc_by_imm(env->prog, insn->imm);/* A kfunc can return void.* The btf type of the kfunc's return value needs* to be checked against "void" first*/if (desc->func_model.ret_size == 0)return -1;elsereturn insn->dst_reg;}fallthrough;I cannot make any sense of this patch. insn->dst_reg above is 0. The kfunc call doesn't define a register from insn_def_regno() pov.
Are you hacking insn_def_regno() to return 0 so that if (WARN_ON(load_reg == -1)) { verbose(env, "verifier bug. zext_dst is set, but no reg is defined\n"); return -EFAULT; } in opt_subreg_zext_lo32_rnd_hi32() doesn't trigger ?
But this verifier message should have been a hint that you need to analyze why zext_dst is set on this kfunc call. Maybe it shouldn't ? Did you analyze the logic of mark_btf_func_reg_size() ?
make r0 zext is not caused by mark_btf_func_reg_size.
This problem occurs when running the kfunc_call_test_ref_btf_id test case in the 32-bit ARM environment.
Why is it not failing on x86-32 ?
Use the latest mainline kernel code to test on the x86_32 machine. The test also fails:
# ./test_progs -t kfunc_call/kfunc_call_test_ref_btf_id Failed to load bpf_testmod.ko into the kernel: -8 WARNING! Selftests relying on bpf_testmod.ko will be skipped. libbpf: prog 'kfunc_call_test_ref_btf_id': BPF program load failed: Bad address libbpf: prog 'kfunc_call_test_ref_btf_id': -- BEGIN PROG LOAD LOG -- processed 25 insns (limit 1000000) max_states_per_insn 0 total_states 2 peak_states 2 mark_read 1 -- END PROG LOAD LOG -- libbpf: prog 'kfunc_call_test_ref_btf_id': failed to load: -14 libbpf: failed to load object 'kfunc_call_test' libbpf: failed to load BPF skeleton 'kfunc_call_test': -14 verify_success:FAIL:skel unexpected error: -14
Therefore, this problem also exists on x86_32: "verifier bug. zext_dst is set, but no reg is defined"
The kernel returns -14 == EFAULT. That's a completely different issue.
On 2022/12/4 0:40, Alexei Starovoitov wrote:
On Fri, Dec 2, 2022 at 6:58 PM Yang Jihong yangjihong1@huawei.com wrote:
On 2022/11/29 0:41, Alexei Starovoitov wrote:
On Mon, Nov 28, 2022 at 4:40 AM Yang Jihong yangjihong1@huawei.com wrote:
On 2022/11/28 9:57, Alexei Starovoitov wrote:
On Sat, Nov 26, 2022 at 05:45:27PM +0800, Yang Jihong wrote:
For ARM32 architecture, if data width of kfunc return value is 32 bits, need to do explicit zero extension for high 32-bit, insn_def_regno should return dst_reg for BPF_JMP type of BPF_PSEUDO_KFUNC_CALL. Otherwise, opt_subreg_zext_lo32_rnd_hi32 returns -EFAULT, resulting in BPF failure.
Signed-off-by: Yang Jihong yangjihong1@huawei.com
kernel/bpf/verifier.c | 44 ++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 41 insertions(+), 3 deletions(-)diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 264b3dc714cc..193ea927aa69 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -1927,6 +1927,21 @@ find_kfunc_desc(const struct bpf_prog *prog, u32 func_id, u16 offset) sizeof(tab->descs[0]), kfunc_desc_cmp_by_id_off); }
+static int kfunc_desc_cmp_by_imm(const void *a, const void *b);
+static const struct bpf_kfunc_desc * +find_kfunc_desc_by_imm(const struct bpf_prog *prog, s32 imm) +{
- struct bpf_kfunc_desc desc = {
.imm = imm,- };
- struct bpf_kfunc_desc_tab *tab;
- tab = prog->aux->kfunc_tab;
- return bsearch(&desc, tab->descs, tab->nr_descs,
sizeof(tab->descs[0]), kfunc_desc_cmp_by_imm);+}
- static struct btf *__find_kfunc_desc_btf(struct bpf_verifier_env *env, s16 offset) {
@@ -2342,6 +2357,13 @@ static bool is_reg64(struct bpf_verifier_env *env, struct bpf_insn *insn, */ if (insn->src_reg == BPF_PSEUDO_CALL) return false;
/* Kfunc call will reach here because of insn_has_def32,* conservatively return TRUE.*/if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL)return true;/* Helper call will reach here because of arg type * check, conservatively return TRUE. */@@ -2405,10 +2427,26 @@ static bool is_reg64(struct bpf_verifier_env *env, struct bpf_insn *insn, }
/* Return the regno defined by the insn, or -1. */-static int insn_def_regno(const struct bpf_insn *insn) +static int insn_def_regno(struct bpf_verifier_env *env, const struct bpf_insn *insn) { switch (BPF_CLASS(insn->code)) { case BPF_JMP:
if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL) {const struct bpf_kfunc_desc *desc;/* The value of desc cannot be NULL */desc = find_kfunc_desc_by_imm(env->prog, insn->imm);/* A kfunc can return void.* The btf type of the kfunc's return value needs* to be checked against "void" first*/if (desc->func_model.ret_size == 0)return -1;elsereturn insn->dst_reg;}fallthrough;I cannot make any sense of this patch. insn->dst_reg above is 0. The kfunc call doesn't define a register from insn_def_regno() pov.
Are you hacking insn_def_regno() to return 0 so that if (WARN_ON(load_reg == -1)) { verbose(env, "verifier bug. zext_dst is set, but no reg is defined\n"); return -EFAULT; } in opt_subreg_zext_lo32_rnd_hi32() doesn't trigger ?
But this verifier message should have been a hint that you need to analyze why zext_dst is set on this kfunc call. Maybe it shouldn't ? Did you analyze the logic of mark_btf_func_reg_size() ?
make r0 zext is not caused by mark_btf_func_reg_size.
This problem occurs when running the kfunc_call_test_ref_btf_id test case in the 32-bit ARM environment.
Why is it not failing on x86-32 ?
Use the latest mainline kernel code to test on the x86_32 machine. The test also fails:
# ./test_progs -t kfunc_call/kfunc_call_test_ref_btf_id Failed to load bpf_testmod.ko into the kernel: -8 WARNING! Selftests relying on bpf_testmod.ko will be skipped. libbpf: prog 'kfunc_call_test_ref_btf_id': BPF program load failed:Bad address libbpf: prog 'kfunc_call_test_ref_btf_id': -- BEGIN PROG LOAD LOG -- processed 25 insns (limit 1000000) max_states_per_insn 0 total_states 2 peak_states 2 mark_read 1 -- END PROG LOAD LOG -- libbpf: prog 'kfunc_call_test_ref_btf_id': failed to load: -14 libbpf: failed to load object 'kfunc_call_test' libbpf: failed to load BPF skeleton 'kfunc_call_test': -14 verify_success:FAIL:skel unexpected error: -14
Therefore, this problem also exists on x86_32: "verifier bug. zext_dst is set, but no reg is defined"
The kernel returns -14 == EFAULT. That's a completely different issue.
It's the same problem. The opt_subreg_zext_lo32_rnd_hi32 function fails to check here and returns -EFAULT
opt_subreg_zext_lo32_rnd_hi32 { ... if (WARN_ON(load_reg == -1)) {
verbose(env, "verifier bug. zext_dst is set, but no reg is defined\n"); return -EFAULT;
} ... }
.
Hello,
On 2022/12/5 9:19, Yang Jihong wrote:
On 2022/12/4 0:40, Alexei Starovoitov wrote:
On Fri, Dec 2, 2022 at 6:58 PM Yang Jihong yangjihong1@huawei.com wrote:
On 2022/11/29 0:41, Alexei Starovoitov wrote:
On Mon, Nov 28, 2022 at 4:40 AM Yang Jihong yangjihong1@huawei.com wrote:
On 2022/11/28 9:57, Alexei Starovoitov wrote:
On Sat, Nov 26, 2022 at 05:45:27PM +0800, Yang Jihong wrote: > For ARM32 architecture, if data width of kfunc return value is 32 > bits, > need to do explicit zero extension for high 32-bit, > insn_def_regno should > return dst_reg for BPF_JMP type of BPF_PSEUDO_KFUNC_CALL. Otherwise, > opt_subreg_zext_lo32_rnd_hi32 returns -EFAULT, resulting in BPF > failure. > > Signed-off-by: Yang Jihong yangjihong1@huawei.com > --- > kernel/bpf/verifier.c | 44 > ++++++++++++++++++++++++++++++++++++++++--- > 1 file changed, 41 insertions(+), 3 deletions(-) > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index 264b3dc714cc..193ea927aa69 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -1927,6 +1927,21 @@ find_kfunc_desc(const struct bpf_prog > *prog, u32 func_id, u16 offset) > sizeof(tab->descs[0]), > kfunc_desc_cmp_by_id_off); > } > > +static int kfunc_desc_cmp_by_imm(const void *a, const void *b); > + > +static const struct bpf_kfunc_desc * > +find_kfunc_desc_by_imm(const struct bpf_prog *prog, s32 imm) > +{ > + struct bpf_kfunc_desc desc = { > + .imm = imm, > + }; > + struct bpf_kfunc_desc_tab *tab; > + > + tab = prog->aux->kfunc_tab; > + return bsearch(&desc, tab->descs, tab->nr_descs, > + sizeof(tab->descs[0]), kfunc_desc_cmp_by_imm); > +} > + > static struct btf *__find_kfunc_desc_btf(struct > bpf_verifier_env *env, > s16 offset) > { > @@ -2342,6 +2357,13 @@ static bool is_reg64(struct > bpf_verifier_env *env, struct bpf_insn *insn, > */ > if (insn->src_reg == BPF_PSEUDO_CALL) > return false; > + > + /* Kfunc call will reach here because of > insn_has_def32, > + * conservatively return TRUE. > + */ > + if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL) > + return true; > + > /* Helper call will reach here because of > arg type > * check, conservatively return TRUE. > */ > @@ -2405,10 +2427,26 @@ static bool is_reg64(struct > bpf_verifier_env *env, struct bpf_insn *insn, > } > > /* Return the regno defined by the insn, or -1. */ > -static int insn_def_regno(const struct bpf_insn *insn) > +static int insn_def_regno(struct bpf_verifier_env *env, const > struct bpf_insn *insn) > { > switch (BPF_CLASS(insn->code)) { > case BPF_JMP: > + if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL) { > + const struct bpf_kfunc_desc *desc; > + > + /* The value of desc cannot be NULL */ > + desc = find_kfunc_desc_by_imm(env->prog, > insn->imm); > + > + /* A kfunc can return void. > + * The btf type of the kfunc's return value > needs > + * to be checked against "void" first > + */ > + if (desc->func_model.ret_size == 0) > + return -1; > + else > + return insn->dst_reg; > + } > + fallthrough;
I cannot make any sense of this patch. insn->dst_reg above is 0. The kfunc call doesn't define a register from insn_def_regno() pov.
Are you hacking insn_def_regno() to return 0 so that if (WARN_ON(load_reg == -1)) { verbose(env, "verifier bug. zext_dst is set, but no reg is defined\n"); return -EFAULT; } in opt_subreg_zext_lo32_rnd_hi32() doesn't trigger ?
But this verifier message should have been a hint that you need to analyze why zext_dst is set on this kfunc call. Maybe it shouldn't ? Did you analyze the logic of mark_btf_func_reg_size() ?
make r0 zext is not caused by mark_btf_func_reg_size.
This problem occurs when running the kfunc_call_test_ref_btf_id test case in the 32-bit ARM environment.
Why is it not failing on x86-32 ?
Use the latest mainline kernel code to test on the x86_32 machine. The test also fails:
# ./test_progs -t kfunc_call/kfunc_call_test_ref_btf_id Failed to load bpf_testmod.ko into the kernel: -8 WARNING! Selftests relying on bpf_testmod.ko will be skipped. libbpf: prog 'kfunc_call_test_ref_btf_id': BPF program load failed: Bad address libbpf: prog 'kfunc_call_test_ref_btf_id': -- BEGIN PROG LOAD LOG -- processed 25 insns (limit 1000000) max_states_per_insn 0 total_states 2 peak_states 2 mark_read 1 -- END PROG LOAD LOG -- libbpf: prog 'kfunc_call_test_ref_btf_id': failed to load: -14 libbpf: failed to load object 'kfunc_call_test' libbpf: failed to load BPF skeleton 'kfunc_call_test': -14 verify_success:FAIL:skel unexpected error: -14
Therefore, this problem also exists on x86_32: "verifier bug. zext_dst is set, but no reg is defined"
The kernel returns -14 == EFAULT. That's a completely different issue.
It's the same problem. The opt_subreg_zext_lo32_rnd_hi32 function fails to check here and returns -EFAULT
opt_subreg_zext_lo32_rnd_hi32 { ... if (WARN_ON(load_reg == -1)) { verbose(env, "verifier bug. zext_dst is set, but no reg is defined\n"); return -EFAULT; } ... }
.
I see that there are emails from the community talking about the same problem, and come up with a solution: https://lore.kernel.org/bpf/20221202103620.1915679-1-bjorn@kernel.org/T/
will remove this patch based on that patch.
Thanks, Yang
.
This patch adds kernel function call support to 32-bit ARM bpf jit for EABI.
Signed-off-by: Yang Jihong yangjihong1@huawei.com --- arch/arm/net/bpf_jit_32.c | 137 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 137 insertions(+)
diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c index 6a1c9fca5260..ae3a36d909f4 100644 --- a/arch/arm/net/bpf_jit_32.c +++ b/arch/arm/net/bpf_jit_32.c @@ -1337,6 +1337,125 @@ static void build_epilogue(struct jit_ctx *ctx) #endif }
+/* + * Input parameters of function in 32-bit ARM architecture: + * The first four word-sized parameters passed to a function will be + * transferred in registers R0-R3. Sub-word sized arguments, for example, + * char, will still use a whole register. + * Arguments larger than a word will be passed in multiple registers. + * If more arguments are passed, the fifth and subsequent words will be passed + * on the stack. + * + * The first for args of a function will be considered for + * putting into the 32bit register R1, R2, R3 and R4. + * + * Two 32bit registers are used to pass a 64bit arg. + * + * For example, + * void foo(u32 a, u32 b, u32 c, u32 d, u32 e): + * u32 a: R0 + * u32 b: R1 + * u32 c: R2 + * u32 d: R3 + * u32 e: stack + * + * void foo(u64 a, u32 b, u32 c, u32 d): + * u64 a: R0 (lo32) R1 (hi32) + * u32 b: R2 + * u32 c: R3 + * u32 d: stack + * + * void foo(u32 a, u64 b, u32 c, u32 d): + * u32 a: R0 + * u64 b: R2 (lo32) R3 (hi32) + * u32 c: stack + * u32 d: stack + * + * void foo(u32 a, u32 b, u64 c, u32 d): + * u32 a: R0 + * u32 b: R1 + * u64 c: R2 (lo32) R3 (hi32) + * u32 d: stack + * + * void foo(u64 a, u64 b): + * u64 a: R0 (lo32) R1 (hi32) + * u64 b: R2 (lo32) R3 (hi32) + * + * The return value will be stored in the R0 (and R1 for 64bit value). + * + * For example, + * u32 foo(u32 a, u32 b, u32 c): + * return value: R0 + * + * u64 foo(u32 a, u32 b, u32 c): + * return value: R0 (lo32) R1 (hi32) + * + * The above is for AEABI only, OABI does not support this function. + */ +static int emit_kfunc_call(const struct bpf_insn *insn, struct jit_ctx *ctx, const u32 func) +{ + int i; + const struct btf_func_model *fm; + const s8 *tmp = bpf2a32[TMP_REG_1]; + const u8 arg_regs[] = { ARM_R0, ARM_R1, ARM_R2, ARM_R3 }; + int nr_arg_regs = ARRAY_SIZE(arg_regs); + int arg_regs_idx = 0, stack_off = 0; + const s8 *rd; + s8 rt; + + fm = bpf_jit_find_kfunc_model(ctx->prog, insn); + if (!fm) + return -EINVAL; + + for (i = 0; i < fm->nr_args; i++) { + if (fm->arg_size[i] > sizeof(u32)) { + rd = arm_bpf_get_reg64(bpf2a32[BPF_REG_1 + i], tmp, ctx); + + if (arg_regs_idx + 1 < nr_arg_regs) { + /* + * AAPCS states: + * A double-word sized type is passed in two + * consecutive registers (e.g., r0 and r1, or + * r2 and r3). The content of the registers is + * as if the value had been loaded from memory + * representation with a single LDM instruction. + */ + if (arg_regs_idx & 1) + arg_regs_idx++; + + emit(ARM_MOV_R(arg_regs[arg_regs_idx++], rd[1]), ctx); + emit(ARM_MOV_R(arg_regs[arg_regs_idx++], rd[0]), ctx); + } else { + stack_off = ALIGN(stack_off, STACK_ALIGNMENT); + + if (__LINUX_ARM_ARCH__ >= 6 || + ctx->cpu_architecture >= CPU_ARCH_ARMv5TE) { + emit(ARM_STRD_I(rd[1], ARM_SP, stack_off), ctx); + } else { + emit(ARM_STR_I(rd[1], ARM_SP, stack_off), ctx); + emit(ARM_STR_I(rd[0], ARM_SP, stack_off), ctx); + } + + stack_off += 8; + } + } else { + rt = arm_bpf_get_reg32(bpf2a32[BPF_REG_1 + i][1], tmp[1], ctx); + + if (arg_regs_idx < nr_arg_regs) { + emit(ARM_MOV_R(arg_regs[arg_regs_idx++], rt), ctx); + } else { + emit(ARM_STR_I(rt, ARM_SP, stack_off), ctx); + stack_off += 4; + } + } + } + + emit_a32_mov_i(tmp[1], func, ctx); + emit_blx_r(tmp[1], ctx); + + return 0; +} + /* * Convert an eBPF instruction to native instruction, i.e * JITs an eBPF instruction. @@ -1603,6 +1722,10 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx) case BPF_LDX | BPF_MEM | BPF_H: case BPF_LDX | BPF_MEM | BPF_B: case BPF_LDX | BPF_MEM | BPF_DW: + case BPF_LDX | BPF_PROBE_MEM | BPF_W: + case BPF_LDX | BPF_PROBE_MEM | BPF_H: + case BPF_LDX | BPF_PROBE_MEM | BPF_B: + case BPF_LDX | BPF_PROBE_MEM | BPF_DW: rn = arm_bpf_get_reg32(src_lo, tmp2[1], ctx); emit_ldx_r(dst, rn, off, ctx, BPF_SIZE(code)); break; @@ -1785,6 +1908,16 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx) const s8 *r5 = bpf2a32[BPF_REG_5]; const u32 func = (u32)__bpf_call_base + (u32)imm;
+ if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL) { + int err; + + err = emit_kfunc_call(insn, ctx, func); + + if (err) + return err; + break; + } + emit_a32_mov_r64(true, r0, r1, ctx); emit_a32_mov_r64(true, r1, r2, ctx); emit_push_r64(r5, ctx); @@ -2022,3 +2155,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) return prog; }
+bool bpf_jit_supports_kfunc_call(void) +{ + return IS_ENABLED(CONFIG_AEABI); +}
32-bit ARM has four registers to save function parameters, add test cases to cover additional scenarios.
Signed-off-by: Yang Jihong yangjihong1@huawei.com --- net/bpf/test_run.c | 18 +++++++ .../selftests/bpf/prog_tests/kfunc_call.c | 3 ++ .../selftests/bpf/progs/kfunc_call_test.c | 52 +++++++++++++++++++ 3 files changed, 73 insertions(+)
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c index fcb3e6c5e03c..5e8895027f0d 100644 --- a/net/bpf/test_run.c +++ b/net/bpf/test_run.c @@ -551,6 +551,21 @@ struct sock * noinline bpf_kfunc_call_test3(struct sock *sk) return sk; }
+u64 noinline bpf_kfunc_call_test4(struct sock *sk, u64 a, u64 b, u32 c, u32 d) +{ + return a + b + c + d; +} + +u64 noinline bpf_kfunc_call_test5(u64 a, u64 b) +{ + return a + b; +} + +u64 noinline bpf_kfunc_call_test6(u32 a, u32 b, u32 c, u32 d, u32 e) +{ + return a + b + c + d + e; +} + struct prog_test_member1 { int a; }; @@ -739,6 +754,9 @@ BTF_SET8_START(test_sk_check_kfunc_ids) BTF_ID_FLAGS(func, bpf_kfunc_call_test1) BTF_ID_FLAGS(func, bpf_kfunc_call_test2) BTF_ID_FLAGS(func, bpf_kfunc_call_test3) +BTF_ID_FLAGS(func, bpf_kfunc_call_test4) +BTF_ID_FLAGS(func, bpf_kfunc_call_test5) +BTF_ID_FLAGS(func, bpf_kfunc_call_test6) BTF_ID_FLAGS(func, bpf_kfunc_call_test_acquire, KF_ACQUIRE | KF_RET_NULL) BTF_ID_FLAGS(func, bpf_kfunc_call_memb_acquire, KF_ACQUIRE | KF_RET_NULL) BTF_ID_FLAGS(func, bpf_kfunc_call_test_release, KF_RELEASE) diff --git a/tools/testing/selftests/bpf/prog_tests/kfunc_call.c b/tools/testing/selftests/bpf/prog_tests/kfunc_call.c index 5af1ee8f0e6e..6a6822e99071 100644 --- a/tools/testing/selftests/bpf/prog_tests/kfunc_call.c +++ b/tools/testing/selftests/bpf/prog_tests/kfunc_call.c @@ -72,6 +72,9 @@ static struct kfunc_test_params kfunc_tests[] = { /* success cases */ TC_TEST(kfunc_call_test1, 12), TC_TEST(kfunc_call_test2, 3), + TC_TEST(kfunc_call_test4, 16), + TC_TEST(kfunc_call_test5, 7), + TC_TEST(kfunc_call_test6, 15), TC_TEST(kfunc_call_test_ref_btf_id, 0), TC_TEST(kfunc_call_test_get_mem, 42), SYSCALL_TEST(kfunc_syscall_test, 0), diff --git a/tools/testing/selftests/bpf/progs/kfunc_call_test.c b/tools/testing/selftests/bpf/progs/kfunc_call_test.c index f636e50be259..0385ce2d4c6e 100644 --- a/tools/testing/selftests/bpf/progs/kfunc_call_test.c +++ b/tools/testing/selftests/bpf/progs/kfunc_call_test.c @@ -6,6 +6,11 @@ extern int bpf_kfunc_call_test2(struct sock *sk, __u32 a, __u32 b) __ksym; extern __u64 bpf_kfunc_call_test1(struct sock *sk, __u32 a, __u64 b, __u32 c, __u64 d) __ksym; +extern __u64 bpf_kfunc_call_test4(struct sock *sk, __u64 a, __u64 b, + __u32 c, __u32 d) __ksym; +extern __u64 bpf_kfunc_call_test5(__u64 a, __u64 b) __ksym; +extern __u64 bpf_kfunc_call_test6(__u32 a, __u32 b, __u32 c, __u32 d, + __u32 e) __ksym;
extern struct prog_test_ref_kfunc *bpf_kfunc_call_test_acquire(unsigned long *sp) __ksym; extern void bpf_kfunc_call_test_release(struct prog_test_ref_kfunc *p) __ksym; @@ -17,6 +22,53 @@ extern void bpf_kfunc_call_test_mem_len_fail2(__u64 *mem, int len) __ksym; extern int *bpf_kfunc_call_test_get_rdwr_mem(struct prog_test_ref_kfunc *p, const int rdwr_buf_size) __ksym; extern int *bpf_kfunc_call_test_get_rdonly_mem(struct prog_test_ref_kfunc *p, const int rdonly_buf_size) __ksym;
+SEC("tc") +int kfunc_call_test6(struct __sk_buff *skb) +{ + __u64 a = 1ULL << 32; + __u32 ret; + + a = bpf_kfunc_call_test6(1, 2, 3, 4, 5); + ret = a >> 32; /* ret should be 0 */ + ret += (__u32)a; /* ret should be 15 */ + + return ret; +} + +SEC("tc") +int kfunc_call_test5(struct __sk_buff *skb) +{ + __u64 a = 1ULL << 32; + __u32 ret; + + a = bpf_kfunc_call_test5(a | 2, a | 3); + ret = a >> 32; /* ret should be 2 */ + ret += (__u32)a; /* ret should be 7 */ + + return ret; +} + +SEC("tc") +int kfunc_call_test4(struct __sk_buff *skb) +{ + struct bpf_sock *sk = skb->sk; + __u64 a = 1ULL << 32; + __u32 ret; + + if (!sk) + return -1; + + sk = bpf_sk_fullsock(sk); + if (!sk) + return -1; + + a = bpf_kfunc_call_test4((struct sock *)sk, a | 2, a | 3, 4, 5); + ret = a >> 32; /* ret should be 2 */ + ret += (__u32)a; /* ret should be 16 */ + + return ret; +} + SEC("tc") int kfunc_call_test2(struct __sk_buff *skb) {
insn->imm for kfunc is the relative address of __bpf_call_base, instead of __bpf_base_call, Fix the comment error.
Signed-off-by: Yang Jihong yangjihong1@huawei.com --- kernel/bpf/verifier.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 193ea927aa69..eb58fea645ca 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -13927,7 +13927,7 @@ static int fixup_kfunc_call(struct bpf_verifier_env *env, }
/* insn->imm has the btf func_id. Replace it with - * an address (relative to __bpf_base_call). + * an address (relative to __bpf_call_base). */ desc = find_kfunc_desc(env->prog, insn->imm, insn->off); if (!desc) {
linux-kselftest-mirror@lists.linaro.org
-
Alexei Starovoitov -
Yang Jihong