From: Jiri Olsa <jolsa@kernel.org>
To: Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andriin@fb.com>
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org,
	Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
	Yonghong Song <yhs@fb.com>,
	John Fastabend <john.fastabend@gmail.com>,
	KP Singh <kpsingh@chromium.org>
Subject: [PATCH RFC] bpf: Fix trampoline for functions with variable arguments
Date: Thu, 29 Apr 2021 23:28:34 +0200
Message-ID: <20210429212834.82621-1-jolsa@kernel.org> (raw)

For functions with variable arguments like:

  void set_worker_desc(const char *fmt, ...)

the BTF data contains a void argument at the end:

[4061] FUNC_PROTO '(anon)' ret_type_id=0 vlen=2
        'fmt' type_id=3
        '(anon)' type_id=0

When attaching a function with this void argument, btf_distill_func_proto
will set the last btf_func_model argument with size 0, and that
will cause an extra loop in the save_regs/restore_regs functions and
generate trampoline code like:

  55             push   %rbp
  48 89 e5       mov    %rsp,%rbp
  48 83 ec 10    sub    $0x10,%rsp
  53             push   %rbx
  48 89 7d f0    mov    %rdi,-0x10(%rbp)
  75 f8          jne    0xffffffffa00cf007
                 ^^^ extra jump

It's causing soft lockups/crashes, probably depending on the context
the attached function is called in, like for set_worker_desc:

  watchdog: BUG: soft lockup - CPU#16 stuck for 22s! [kworker/u40:4:239]
  CPU: 16 PID: 239 Comm: kworker/u40:4 Not tainted 5.12.0-rc4qemu+ #178
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-1.fc33 04/01/2014
  Workqueue: writeback wb_workfn
  RIP: 0010:bpf_trampoline_6442464853_0+0xa/0x1000
  Code: Unable to access opcode bytes at RIP 0xffffffffa3597fe0.
  RSP: 0018:ffffc90000687da8 EFLAGS: 00000217
  Call Trace:
   set_worker_desc+0x5/0xb0
   wb_workfn+0x48/0x4d0
   ? psi_group_change+0x41/0x210
   ? __bpf_prog_exit+0x15/0x20
   ? bpf_trampoline_6442458903_0+0x3b/0x1000
   ? update_pasid+0x5/0x90
   ? __switch_to+0x187/0x450
   process_one_work+0x1e7/0x380
   worker_thread+0x50/0x3b0
   ? rescuer_thread+0x380/0x380
   kthread+0x11b/0x140
   ? __kthread_bind_mask+0x60/0x60
   ret_from_fork+0x22/0x30

This patch removes the void argument from struct btf_func_model
in btf_distill_func_proto, but perhaps we should also check for this
in the JIT's save_regs/restore_regs functions.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
---
 kernel/bpf/btf.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index b1a76fe046cb..017a80324139 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -5133,6 +5133,11 @@ int btf_distill_func_proto(struct bpf_verifier_log *log,
 				tname, i, btf_kind_str[BTF_INFO_KIND(t->info)]);
 			return -EINVAL;
 		}
+		/* void at the end of args means '...' argument, skip it */
+		if (!ret && (i + 1 == nargs)) {
+			nargs--;
+			break;
+		}
 		m->arg_size[i] = ret;
 	}
 	m->nr_args = nargs;
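Review bot: the new check silently shrinks the model when the last argument has size 0, so a program attached to such a function sees only the named arguments and nothing in struct btf_func_model records that a `...` followed; given the cover letter's own doubt about save_regs/restore_regs, consider either returning -EINVAL here, like the unsupported-kind path just above (`return -EINVAL;`), or recording the vararg in the model so the trampoline side can decide. Minor: `nargs--;` followed by `break;` only works because `m->nr_args = nargs;` is assigned after the loop; a comment saying so next to the decrement would make the intent harder to break in a later refactor.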
-- 
2.30.2
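As an added illustration, not part of the patch or of the kernel's code, the stand-alone C program below models the BTF encoding described in the message: a FUNC_PROTO whose trailing parameter has type_id 0 (void) is how BTF spells `...`, and a size-lookup loop that does not special-case that parameter emits a zero-size argument slot, which is the input save_regs/restore_regs then mishandle. The type table, the `func_model` struct and its `is_vararg` flag, the `distill()` helper and the two prototypes are all constructed here; the layout macros mirror uapi/linux/btf.h but are re-declared so the file builds without kernel headers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same bit layout as uapi/linux/btf.h, re-declared so this builds alone. */
#define BTF_INFO_KIND(info)  (((info) >> 24) & 0x1f)
#define BTF_INFO_VLEN(info)  ((info) & 0xffff)
#define BTF_KIND_INT         1
#define BTF_KIND_PTR         2
#define BTF_KIND_FUNC_PROTO  13

struct btf_type {
	uint32_t name_off;
	uint32_t info;          /* bits 0-15: vlen, bits 24-28: kind */
	uint32_t size_or_type;  /* a union in uapi: size for INT, type for PTR/FUNC_PROTO */
};

struct btf_param {              /* vlen of these follow a FUNC_PROTO */
	uint32_t name_off;
	uint32_t type;          /* type id; 0 is void */
};

#define MAX_ARGS 12
struct func_model {             /* constructed stand-in for btf_func_model */
	int nr_args;
	int is_vararg;          /* hypothetical flag, not in the kernel struct */
	uint8_t arg_size[MAX_ARGS];
};

/* Constructed type table, indexed by type id. Id 0 is void. */
static const struct btf_type types[] = {
	[0] = { 0, 0, 0 },
	[1] = { 0, BTF_KIND_INT << 24, 1 },   /* char */
	[2] = { 0, BTF_KIND_INT << 24, 4 },   /* int */
	[3] = { 0, BTF_KIND_PTR << 24, 1 },   /* char * */
};

/* Size of one argument, simplified from the kernel's __get_type_size:
 * void is 0, pointers are native width, ints use their BTF size,
 * anything else is unsupported for a trampoline. */
static int type_size(uint32_t id)
{
	if (id == 0)
		return 0;
	if (id >= sizeof(types) / sizeof(types[0]))
		return -1;
	switch (BTF_INFO_KIND(types[id].info)) {
	case BTF_KIND_PTR: return (int)sizeof(void *);
	case BTF_KIND_INT: return (int)types[id].size_or_type;
	default:           return -1;
	}
}

/* Walk the params the way the kernel loop does. skip_trailing_void == 0
 * reproduces the pre-patch behaviour (the '...' marker becomes a
 * zero-size slot); 1 drops the marker and records it instead. */
static int distill(const struct btf_type *proto, const struct btf_param *args,
		   int skip_trailing_void, struct func_model *m)
{
	int nargs = BTF_INFO_VLEN(proto->info);
	int i, sz;

	if (BTF_INFO_KIND(proto->info) != BTF_KIND_FUNC_PROTO || nargs > MAX_ARGS)
		return -1;
	memset(m, 0, sizeof(*m));
	for (i = 0; i < nargs; i++) {
		sz = type_size(args[i].type);
		if (sz < 0)
			return -1;
		if (skip_trailing_void && sz == 0 && i + 1 == nargs) {
			m->is_vararg = 1;
			nargs--;
			break;
		}
		m->arg_size[i] = (uint8_t)sz;
	}
	m->nr_args = nargs;   /* the decrement above relies on this assignment */
	return 0;
}

/* Constructed FUNC_PROTO for set_worker_desc(const char *fmt, ...):
 * ret type 0, vlen 2, and the last param with type 0 is the '...' marker. */
static const struct btf_type vararg_proto = { 0, (BTF_KIND_FUNC_PROTO << 24) | 2, 0 };
static const struct btf_param vararg_args[] = { { 1, 3 }, { 0, 0 } };

/* Constructed FUNC_PROTO for a plain int f(int a, char *b): must be unaffected. */
static const struct btf_type plain_proto = { 0, (BTF_KIND_FUNC_PROTO << 24) | 2, 2 };
static const struct btf_param plain_args[] = { { 1, 2 }, { 2, 3 } };

int nr_args_before_fix(void)   { struct func_model m; return distill(&vararg_proto, vararg_args, 0, &m) ? -1 : m.nr_args; }
int last_size_before_fix(void) { struct func_model m; return distill(&vararg_proto, vararg_args, 0, &m) ? -1 : m.arg_size[m.nr_args - 1]; }
int nr_args_after_fix(void)    { struct func_model m; return distill(&vararg_proto, vararg_args, 1, &m) ? -1 : m.nr_args; }
int is_vararg_after_fix(void)  { struct func_model m; return distill(&vararg_proto, vararg_args, 1, &m) ? -1 : m.is_vararg; }
int nr_args_plain(void)        { struct func_model m; return distill(&plain_proto, plain_args, 1, &m) ? -1 : m.nr_args; }

int main(void)
{
	printf("set_worker_desc before fix: nr_args=%d, last arg_size=%d\n",
	       nr_args_before_fix(), last_size_before_fix());
	printf("set_worker_desc after fix:  nr_args=%d, is_vararg=%d\n",
	       nr_args_after_fix(), is_vararg_after_fix());
	printf("plain two-arg function:     nr_args=%d\n", nr_args_plain());
	return 0;
}
```

The pre-fix walk yields two argument slots for set_worker_desc with the second one of size 0, which is exactly the zero-size entry the message blames for the extra save_regs/restore_regs iteration; the post-fix walk yields one slot and a flag, while a prototype without `...` is unchanged. Keeping the vararg marker as a flag, rather than dropping it silently, is the constructed alternative the reviewer note above suggests.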


Thread overview: 7+ messages
2021-04-29 21:28 Jiri Olsa [this message]
2021-05-02 21:16 ` [PATCH RFC] bpf: Fix trampoline for functions with variable arguments Jiri Olsa
2021-05-03 22:32   ` Andrii Nakryiko
2021-05-04 13:27     ` Jiri Olsa
2021-05-04 22:37       ` Andrii Nakryiko
2021-05-05  4:11         ` Alexei Starovoitov
2021-05-05 12:42           ` Jiri Olsa