public inbox for linux-kernel@vger.kernel.org
From: Leon Hwang <leon.hwang@linux.dev>
To: menglong8.dong@gmail.com
Cc: andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
	daniel@iogearbox.net, eddyz87@gmail.com, haoluo@google.com,
	jiang.biao@linux.dev, john.fastabend@gmail.com, jolsa@kernel.org,
	kpsingh@kernel.org, linux-kernel@vger.kernel.org,
	linux-trace-kernel@vger.kernel.org, mark.rutland@arm.com,
	martin.lau@linux.dev, mathieu.desnoyers@efficios.com,
	mhiramat@kernel.org, rostedt@goodmis.org, sdf@fomichev.me,
	song@kernel.org, yonghong.song@linux.dev,
	Leon Hwang <leon.hwang@linux.dev>
Subject: Re: [PATCH bpf-next v3 0/6] bpf trampoline support "jmp" mode
Date: Thu,  2 Apr 2026 14:12:51 +0800
Message-ID: <20260402061251.273705-1-leon.hwang@linux.dev>
In-Reply-To: <20251118123639.688444-1-dongml2@chinatelecom.cn>

On Tue, Nov 18, 2025 at 08:36:28PM +0800, Menglong Dong wrote:
>For now, the bpf trampoline is called by the "call" instruction. However,
>it breaks the RSB and introduces extra overhead in x86_64 arch.
>
>For example, we hook the function "foo" with fexit, the call and return
>logic will be like this:
>  call foo -> call trampoline -> call foo-body ->
>  return foo-body -> return foo
>
>As we can see above, there are 3 calls, but 2 returns, which breaks the RSB
>balance. We can pseudo a "return" here, but it's not the best choice,
>as it will still cause one RSB miss:
>  call foo -> call trampoline -> call foo-body ->
>  return foo-body -> return dummy -> return foo
>
>The "return dummy" doesn't pair with the "call trampoline", which can also
>cause an RSB miss.
>
>Therefore, we introduce the "jmp" mode for bpf trampoline, as advised by
>Alexei in [1]. And the logic will become this:
>  call foo -> jmp trampoline -> call foo-body ->
>  return foo-body -> return foo
>
>As we can see above, the RSB is totally balanced after this series.
>

Hi, this is a late footnote for this optimization.

As this optimization landed in the 6.19 kernel, the function graph feature
of bpfsnoop [1] cannot work because the tracee's FP/IP is missing for
fexit.

Before this optimization,

caller
-> call icmp_rcv                caller IP/FP
   -> call trampoline           icmp_rcv IP/FP
      -> call icmp_rcv body     trampoline IP/FP
      <- return to trampoline
   <- return to caller

After this optimization,

caller
-> call icmp_rcv                caller IP/FP
   -> jump to trampoline
      -> call icmp_rcv body     trampoline IP/FP
      <- return to trampoline
   <- return to caller

As a result, the function call stack entry for icmp_rcv is gone.

It can be confirmed by bpf_get_stack*() helpers.

$ sudo bpfsnoop -k icmp_rcv --output-stack -v

In 6.14,

0xffff8000802bda44:bpfsnoop_fn+0x6a4
0xffff8000802bda44:bpfsnoop_fn+0x6a4
0xffff8000802bd064:bpf_trampoline_6442573163+0xa4
0xffffc7825c984df0:icmp_rcv+0x8
0xffffc7825c91bcb8:ip_protocol_deliver_rcu+0x48
0xffffc7825c91bfd4:ip_local_deliver_finish+0x8c
0xffffc7825c91c0d0:ip_local_deliver+0x88

In 6.19,

0xffffffffc0209069:bpfsnoop_fn+0x449
0xffffffffc01ef2a4:bpf_trampoline_6442568724+0x64
0xffffffffb1085cda:ip_protocol_deliver_rcu+0x1ea
0xffffffffb1085d96:ip_local_deliver_finish+0x86
0xffffffffb1085e95:ip_local_deliver+0x65

So, it would surprise users who care about the tracee entry.

[1] https://github.com/bpfsnoop/bpfsnoop

Thanks,
Leon
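
An added example, not part of the original message and not bpfsnoop code: a post-processing check over symbolized stacks in the format shown above that reports whether the tracee frame directly follows the bpf_trampoline frame, and inserts a labelled placeholder when it does not. The function names are hypothetical; the two stacks are copied from the message, and the check assumes the tracer knows the name of the function it attached to.

```python
import re

# Frame format printed above: "0xADDR:symbol+0xOFF", innermost frame first.
FRAME_RE = re.compile(r"^(0x[0-9a-f]+):([A-Za-z_][\w.]*)\+(0x[0-9a-f]+)$")
TRAMP_PREFIX = "bpf_trampoline_"

# Both stacks are copied from the message above.
STACK_6_14 = """\
0xffff8000802bda44:bpfsnoop_fn+0x6a4
0xffff8000802bda44:bpfsnoop_fn+0x6a4
0xffff8000802bd064:bpf_trampoline_6442573163+0xa4
0xffffc7825c984df0:icmp_rcv+0x8
0xffffc7825c91bcb8:ip_protocol_deliver_rcu+0x48
0xffffc7825c91bfd4:ip_local_deliver_finish+0x8c
0xffffc7825c91c0d0:ip_local_deliver+0x88"""
STACK_6_19 = """\
0xffffffffc0209069:bpfsnoop_fn+0x449
0xffffffffc01ef2a4:bpf_trampoline_6442568724+0x64
0xffffffffb1085cda:ip_protocol_deliver_rcu+0x1ea
0xffffffffb1085d96:ip_local_deliver_finish+0x86
0xffffffffb1085e95:ip_local_deliver+0x65"""


def parse_stack(text):
    """Return [(addr, symbol, offset), ...] for every well-formed frame line."""
    hits = (FRAME_RE.match(line.strip()) for line in text.splitlines())
    return [(int(m[1], 16), m[2], int(m[3], 16)) for m in hits if m]


def tracee_frame_state(frames, tracee):
    """'present' if the tracee directly follows the trampoline, else 'missing'."""
    for i, (_, sym, _) in enumerate(frames):
        if sym.startswith(TRAMP_PREFIX):
            nxt = frames[i + 1][1] if i + 1 < len(frames) else None
            return "present" if nxt == tracee else "missing"
    return "no-trampoline"


def symbols_with_tracee(frames, tracee):
    """Symbols for display; a labelled placeholder stands in for a missing tracee."""
    out, missing = [], tracee_frame_state(frames, tracee) == "missing"
    for _, sym, _ in frames:
        out.append(sym)
        if missing and sym.startswith(TRAMP_PREFIX):
            out.append(tracee + " [placeholder, no IP/FP recorded]")
            missing = False
    return out
```

The placeholder is display-only: it carries no address, because in the 6.19 stack no return address inside icmp_rcv is recorded.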
