From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
To: bpf@vger.kernel.org
Cc: kkd@meta.com, Puranjay Mohan <puranjay@kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Martin KaFai Lau <martin.lau@kernel.org>,
Eduard Zingerman <eddyz87@gmail.com>, Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Andy Lutomirski <luto@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Rishabh Iyer <rishabh.iyer@berkeley.edu>,
Sanidhya Kashyap <sanidhya.kashyap@epfl.ch>,
x86@kernel.org, kernel-team@fb.com
Subject: [PATCH bpf-next v3 2/2] bpf, x86: Skip bounds checking for PROBE_MEM with SMAP
Date: Sun, 3 Nov 2024 11:35:12 -0800 [thread overview]
Message-ID: <20241103193512.4076710-3-memxor@gmail.com> (raw)
In-Reply-To: <20241103193512.4076710-1-memxor@gmail.com>
The previous patch changed the do_user_addr_fault page fault handler to
invoke BPF's fixup routines (by searching exception tables and calling
ex_handler_bpf). This would only occur when SMAP is enabled, such that
any user address access from BPF programs running in kernel mode would
reach this path and invoke the fixup routines.
Relying on this behavior, disable any bounds checking instrumentation in
the BPF JIT for x86 when X86_FEATURE_SMAP is available. All BPF
programs execute with SMAP enabled, therefore when this feature is
available, we can assume that SMAP will be enabled during program
execution at runtime.
This optimizes PROBE_MEM loads down to a normal unchecked load
instruction. Any page faults for user or kernel addresses will be
handled using the fixup routines, and the generation exception table
entries for such load instructions.
All in all, this ensures that PROBE_MEM loads will now incur no runtime
overhead, and become practically free.
Acked-by: Puranjay Mohan <puranjay@kernel.org>
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
---
arch/x86/net/bpf_jit_comp.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
index 06b080b61aa5..7e3bd589efc3 100644
--- a/arch/x86/net/bpf_jit_comp.c
+++ b/arch/x86/net/bpf_jit_comp.c
@@ -1954,8 +1954,8 @@ st: if (is_imm8(insn->off))
case BPF_LDX | BPF_PROBE_MEMSX | BPF_W:
insn_off = insn->off;
- if (BPF_MODE(insn->code) == BPF_PROBE_MEM ||
- BPF_MODE(insn->code) == BPF_PROBE_MEMSX) {
+ if ((BPF_MODE(insn->code) == BPF_PROBE_MEM ||
+ BPF_MODE(insn->code) == BPF_PROBE_MEMSX) && !cpu_feature_enabled(X86_FEATURE_SMAP)) {
/* Conservatively check that src_reg + insn->off is a kernel address:
* src_reg + insn->off > TASK_SIZE_MAX + PAGE_SIZE
* and
@@ -2002,6 +2002,9 @@ st: if (is_imm8(insn->off))
/* populate jmp_offset for JAE above to jump to start_of_ldx */
start_of_ldx = prog;
end_of_jmp[-1] = start_of_ldx - end_of_jmp;
+ } else if ((BPF_MODE(insn->code) == BPF_PROBE_MEM ||
+ BPF_MODE(insn->code) == BPF_PROBE_MEMSX)) {
+ start_of_ldx = prog;
}
if (BPF_MODE(insn->code) == BPF_PROBE_MEMSX ||
BPF_MODE(insn->code) == BPF_MEMSX)
@@ -2014,9 +2017,13 @@ st: if (is_imm8(insn->off))
u8 *_insn = image + proglen + (start_of_ldx - temp);
s64 delta;
+ if (cpu_feature_enabled(X86_FEATURE_SMAP))
+ goto extable_fixup;
+
/* populate jmp_offset for JMP above */
start_of_ldx[-1] = prog - start_of_ldx;
+ extable_fixup:
if (!bpf_prog->aux->extable)
break;
--
2.43.5
next prev parent reply other threads:[~2024-11-03 19:35 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-03 19:35 [PATCH bpf-next v3 0/2] Zero overhead PROBE_MEM Kumar Kartikeya Dwivedi
2024-11-03 19:35 ` [PATCH bpf-next v3 1/2] x86: Perform BPF exception fixup in do_user_addr_fault Kumar Kartikeya Dwivedi
2024-11-04 17:16 ` Dave Hansen
2024-11-04 17:50 ` Kumar Kartikeya Dwivedi
2024-11-04 18:09 ` Dave Hansen
2024-11-03 19:35 ` Kumar Kartikeya Dwivedi [this message]
2024-11-04 19:53 ` [PATCH bpf-next v3 2/2] bpf, x86: Skip bounds checking for PROBE_MEM with SMAP Peter Zijlstra
2024-11-05 18:35 ` Alexei Starovoitov
2024-11-06 15:21 ` Peter Zijlstra
2024-11-04 16:48 ` [PATCH bpf-next v3 0/2] Zero overhead PROBE_MEM Dave Hansen
2024-11-04 17:01 ` Kumar Kartikeya Dwivedi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241103193512.4076710-3-memxor@gmail.com \
--to=memxor@gmail.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bp@alien8.de \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=dave.hansen@linux.intel.com \
--cc=eddyz87@gmail.com \
--cc=kernel-team@fb.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=kkd@meta.com \
--cc=luto@kernel.org \
--cc=martin.lau@kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=puranjay@kernel.org \
--cc=rishabh.iyer@berkeley.edu \
--cc=sanidhya.kashyap@epfl.ch \
--cc=song@kernel.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox