Re: [PATCH bpf-next] bpf: Prevent bpf program recursion for raw tracepoint probes

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sdf@google.com
To: Jiri Olsa <jolsa@kernel.org>
Cc: Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>,
	syzbot+2251879aa068ad9c960d@syzkaller.appspotmail.com,
	bpf@vger.kernel.org, Martin KaFai Lau <kafai@fb.com>,
	Song Liu <songliubraving@fb.com>, Yonghong Song <yhs@fb.com>,
	John Fastabend <john.fastabend@gmail.com>,
	KP Singh <kpsingh@chromium.org>, Hao Luo <haoluo@google.com>
Subject: Re: [PATCH bpf-next] bpf: Prevent bpf program recursion for raw tracepoint probes
Date: Thu, 8 Sep 2022 11:15:49 -0700	[thread overview]
Message-ID: <YxoxVS4s9NgbpXrP@google.com> (raw)
In-Reply-To: <20220908114659.102775-1-jolsa@kernel.org>

On 09/08, Jiri Olsa wrote:
> We got report from sysbot [1] about warnings that were caused by
> bpf program attached to contention_begin raw tracepoint triggering
> the same tracepoint by using bpf_trace_printk helper that takes
> trace_printk_lock lock.

>   Call Trace:
>    <TASK>
>    ? trace_event_raw_event_bpf_trace_printk+0x5f/0x90
>    bpf_trace_printk+0x2b/0xe0
>    bpf_prog_a9aec6167c091eef_prog+0x1f/0x24
>    bpf_trace_run2+0x26/0x90
>    native_queued_spin_lock_slowpath+0x1c6/0x2b0
>    _raw_spin_lock_irqsave+0x44/0x50
>    bpf_trace_printk+0x3f/0xe0
>    bpf_prog_a9aec6167c091eef_prog+0x1f/0x24
>    bpf_trace_run2+0x26/0x90
>    native_queued_spin_lock_slowpath+0x1c6/0x2b0
>    _raw_spin_lock_irqsave+0x44/0x50
>    bpf_trace_printk+0x3f/0xe0
>    bpf_prog_a9aec6167c091eef_prog+0x1f/0x24
>    bpf_trace_run2+0x26/0x90
>    native_queued_spin_lock_slowpath+0x1c6/0x2b0
>    _raw_spin_lock_irqsave+0x44/0x50
>    bpf_trace_printk+0x3f/0xe0
>    bpf_prog_a9aec6167c091eef_prog+0x1f/0x24
>    bpf_trace_run2+0x26/0x90
>    native_queued_spin_lock_slowpath+0x1c6/0x2b0
>    _raw_spin_lock_irqsave+0x44/0x50
>    __unfreeze_partials+0x5b/0x160
>    ...

> The can be reproduced by attaching bpf program as raw tracepoint on
> contention_begin tracepoint. The bpf prog calls bpf_trace_printk
> helper. Then by running perf bench the spin lock code is forced to
> take slowpath and call contention_begin tracepoint.

> Fixing this by skipping execution of the bpf program if it's
> already running, Using bpf prog 'active' field, which is being
> currently used by trampoline programs for the same reason.

Makes sense to me and seems to address Alexei's earlier point
about bpf_prog_active.

Reviewed-by: Stanislav Fomichev <sdf@google.com>

> Reported-by: syzbot+2251879aa068ad9c960d@syzkaller.appspotmail.com
> [1] https://lore.kernel.org/bpf/YxhFe3EwqchC%2FfYf@krava/T/#t
> Signed-off-by: Jiri Olsa <jolsa@kernel.org>
> ---
>   include/linux/bpf.h      | 1 +
>   kernel/bpf/trampoline.c  | 6 +++---
>   kernel/trace/bpf_trace.c | 6 ++++++
>   3 files changed, 10 insertions(+), 3 deletions(-)

> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index 48ae05099f36..4737bd0fcbb8 100644
> --- a/include/linux/bpf.h
> +++ b/include/linux/bpf.h
> @@ -2640,4 +2640,5 @@ static inline void bpf_cgroup_atype_get(u32  
> attach_btf_id, int cgroup_atype) {}
>   static inline void bpf_cgroup_atype_put(int cgroup_atype) {}
>   #endif /* CONFIG_BPF_LSM */

> +void notrace bpf_prog_inc_misses_counter(struct bpf_prog *prog);
>   #endif /* _LINUX_BPF_H */
> diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
> index ad76940b02cc..a098bdc33209 100644
> --- a/kernel/bpf/trampoline.c
> +++ b/kernel/bpf/trampoline.c
> @@ -863,7 +863,7 @@ static __always_inline u64 notrace  
> bpf_prog_start_time(void)
>   	return start;
>   }

> -static void notrace inc_misses_counter(struct bpf_prog *prog)
> +void notrace bpf_prog_inc_misses_counter(struct bpf_prog *prog)
>   {
>   	struct bpf_prog_stats *stats;
>   	unsigned int flags;
> @@ -896,7 +896,7 @@ u64 notrace __bpf_prog_enter(struct bpf_prog *prog,  
> struct bpf_tramp_run_ctx *ru
>   	run_ctx->saved_run_ctx = bpf_set_run_ctx(&run_ctx->run_ctx);

>   	if (unlikely(this_cpu_inc_return(*(prog->active)) != 1)) {
> -		inc_misses_counter(prog);
> +		bpf_prog_inc_misses_counter(prog);
>   		return 0;
>   	}
>   	return bpf_prog_start_time();
> @@ -967,7 +967,7 @@ u64 notrace __bpf_prog_enter_sleepable(struct  
> bpf_prog *prog, struct bpf_tramp_r
>   	might_fault();

>   	if (unlikely(this_cpu_inc_return(*(prog->active)) != 1)) {
> -		inc_misses_counter(prog);
> +		bpf_prog_inc_misses_counter(prog);
>   		return 0;
>   	}

> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> index 68e5cdd24cef..c8cd1aa7b112 100644
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c
> @@ -2042,9 +2042,15 @@ static __always_inline
>   void __bpf_trace_run(struct bpf_prog *prog, u64 *args)
>   {
>   	cant_sleep();
> +	if (unlikely(this_cpu_inc_return(*(prog->active)) != 1)) {
> +		bpf_prog_inc_misses_counter(prog);
> +		goto out;
> +	}
>   	rcu_read_lock();
>   	(void) bpf_prog_run(prog, args);
>   	rcu_read_unlock();
> +out:
> +	this_cpu_dec(*(prog->active));
>   }

>   #define UNPACK(...)			__VA_ARGS__
> --
> 2.37.3

next prev parent reply	other threads:[~2022-09-08 18:15 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-08 11:46 [PATCH bpf-next] bpf: Prevent bpf program recursion for raw tracepoint probes Jiri Olsa
2022-09-08 18:15 ` sdf [this message]
2022-09-09  4:19 ` kernel test robot
2022-09-09  5:41 ` kernel test robot
2022-09-09  7:27 ` kernel test robot
2022-09-09 10:22   ` Jiri Olsa
2022-09-09 10:22     ` Jiri Olsa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YxoxVS4s9NgbpXrP@google.com \
    --to=sdf@google.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=haoluo@google.com \
    --cc=john.fastabend@gmail.com \
    --cc=jolsa@kernel.org \
    --cc=kafai@fb.com \
    --cc=kpsingh@chromium.org \
    --cc=songliubraving@fb.com \
    --cc=syzbot+2251879aa068ad9c960d@syzkaller.appspotmail.com \
    --cc=yhs@fb.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.