From: Leon Hwang <leon.hwang@linux.dev>
To: menglong8.dong@gmail.com
Cc: andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
daniel@iogearbox.net, eddyz87@gmail.com, haoluo@google.com,
jiang.biao@linux.dev, john.fastabend@gmail.com, jolsa@kernel.org,
kpsingh@kernel.org, linux-kernel@vger.kernel.org,
linux-trace-kernel@vger.kernel.org, mark.rutland@arm.com,
martin.lau@linux.dev, mathieu.desnoyers@efficios.com,
mhiramat@kernel.org, rostedt@goodmis.org, sdf@fomichev.me,
song@kernel.org, yonghong.song@linux.dev,
Leon Hwang <leon.hwang@linux.dev>
Subject: Re: [PATCH bpf-next v3 0/6] bpf trampoline support "jmp" mode
Date: Thu, 2 Apr 2026 14:12:51 +0800
Message-ID: <20260402061251.273705-1-leon.hwang@linux.dev>
In-Reply-To: <20251118123639.688444-1-dongml2@chinatelecom.cn>

On Tue, Nov 18, 2025 at 08:36:28PM +0800, Menglong Dong wrote:
>For now, the bpf trampoline is called by the "call" instruction. However,
>it breaks the RSB and introduces extra overhead in x86_64 arch.
>
>For example, we hook the function "foo" with fexit, the call and return
>logic will be like this:
>  call foo -> call trampoline -> call foo-body ->
>  return foo-body -> return foo
>
>As we can see above, there are 3 calls, but 2 returns, which breaks the RSB
>balance. We can pseudo a "return" here, but it's not the best choice,
>as it will still cause one RSB miss:
>  call foo -> call trampoline -> call foo-body ->
>  return foo-body -> return dummy -> return foo
>
>The "return dummy" doesn't pair with the "call trampoline", which can also
>cause the RSB miss.
>
>Therefore, we introduce the "jmp" mode for bpf trampoline, as advised by
>Alexei in [1]. And the logic will become this:
>  call foo -> jmp trampoline -> call foo-body ->
>  return foo-body -> return foo
>
>As we can see above, the RSB is totally balanced after this series.
>

Hi, this is a late footnote for this optimization.

As this optimization landed in the 6.19 kernel, the function graph feature
of bpfsnoop [1] cannot work because of the missing tracee's FP/IP for
fexit.

Before this optimization,

caller
  -> call icmp_rcv              caller IP/FP
    -> call trampoline          icmp_rcv IP/FP
      -> call icmp_rcv body     trampoline IP/FP
      <- return to trampoline
  <- return to caller

After this optimization,

caller
  -> call icmp_rcv              caller IP/FP
    -> jump to trampoline
      -> call icmp_rcv body     trampoline IP/FP
      <- return to trampoline
  <- return to caller

As a result, the function call stack entry for icmp_rcv has gone.

It can be confirmed by bpf_get_stack*() helpers.

$ sudo bpfsnoop -k icmp_rcv --output-stack -v

In 6.14,

  0xffff8000802bda44:bpfsnoop_fn+0x6a4
  0xffff8000802bda44:bpfsnoop_fn+0x6a4
  0xffff8000802bd064:bpf_trampoline_6442573163+0xa4
  0xffffc7825c984df0:icmp_rcv+0x8
  0xffffc7825c91bcb8:ip_protocol_deliver_rcu+0x48
  0xffffc7825c91bfd4:ip_local_deliver_finish+0x8c
  0xffffc7825c91c0d0:ip_local_deliver+0x88

In 6.19,

  0xffffffffc0209069:bpfsnoop_fn+0x449
  0xffffffffc01ef2a4:bpf_trampoline_6442568724+0x64
  0xffffffffb1085cda:ip_protocol_deliver_rcu+0x1ea
  0xffffffffb1085d96:ip_local_deliver_finish+0x86
  0xffffffffb1085e95:ip_local_deliver+0x65

So, it would surprise users who care about the tracee entry.

[1] https://github.com/bpfsnoop/bpfsnoop

Thanks,
Leon
[...]
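
An added example, not part of the message above and not bpfsnoop's own code: a Python check that a consumer of such stack dumps could run to tell whether the tracee frame sits below the trampoline frame, and to re-insert it so that caller attribution stays the same on both kernels. It assumes the "addr:symbol+0xoff" line format and the bpf_trampoline_<id> symbol naming seen in the two dumps in the message; the function names are hypothetical.

```python
import re

# Stack dumps copied from the message above (bpfsnoop --output-stack).
STACK_6_14 = """\
0xffff8000802bda44:bpfsnoop_fn+0x6a4
0xffff8000802bda44:bpfsnoop_fn+0x6a4
0xffff8000802bd064:bpf_trampoline_6442573163+0xa4
0xffffc7825c984df0:icmp_rcv+0x8
0xffffc7825c91bcb8:ip_protocol_deliver_rcu+0x48
0xffffc7825c91bfd4:ip_local_deliver_finish+0x8c
0xffffc7825c91c0d0:ip_local_deliver+0x88
"""
STACK_6_19 = """\
0xffffffffc0209069:bpfsnoop_fn+0x449
0xffffffffc01ef2a4:bpf_trampoline_6442568724+0x64
0xffffffffb1085cda:ip_protocol_deliver_rcu+0x1ea
0xffffffffb1085d96:ip_local_deliver_finish+0x86
0xffffffffb1085e95:ip_local_deliver+0x65
"""

FRAME_RE = re.compile(r"^\s*0x[0-9a-fA-F]+:([^\s+]+)\+0x[0-9a-fA-F]+\s*$")
TRAMP_RE = re.compile(r"^bpf_trampoline_\d+$")  # naming as seen in the dumps

def parse_stack(text):
    """Symbols of an 'addr:symbol+0xoff' dump, innermost frame first."""
    return [m.group(1) for m in map(FRAME_RE.match, text.splitlines()) if m]

def trampoline_index(syms):
    """Index of the first bpf trampoline frame, or None if there is none."""
    return next((i for i, s in enumerate(syms) if TRAMP_RE.match(s)), None)

def tracee_frame_present(text, tracee):
    """True/False if the frame below the trampoline is/isn't the tracee;
    None when the dump has no trampoline frame at all."""
    syms = parse_stack(text)
    i = trampoline_index(syms)
    return None if i is None else syms[i + 1:i + 2] == [tracee]

def normalize_stack(text, tracee):
    """Re-insert the tracee below the trampoline when "jmp" mode dropped it."""
    syms = parse_stack(text)
    i = trampoline_index(syms)
    if i is not None and syms[i + 1:i + 2] != [tracee]:
        syms.insert(i + 1, tracee)
    return syms

def caller_of_tracee(text, tracee):
    """Function that called the tracee, identical for both kernel layouts."""
    syms = normalize_stack(text, tracee)
    i = trampoline_index(syms)
    return syms[i + 2] if i is not None and i + 2 < len(syms) else None
```
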