* [PATCH] bpftool: fix control flow graph segfault during edge creation
@ 2025-01-08 22:09 Christoph Werle
2025-01-09 18:19 ` Quentin Monnet
2025-01-10 22:20 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 5+ messages in thread
From: Christoph Werle @ 2025-01-08 22:09 UTC (permalink / raw)
To: Quentin Monnet, Alexei Starovoitov, Andrii Nakryiko
Cc: Christoph Werle, Daniel Borkmann, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, bpf,
linux-kernel
If the last instruction of a control flow graph building block is a
BPF_CALL, an incorrect edge with e->dst set to NULL is created and
results in a segfault during graph output.
Ensure that BPF_CALL as last instruction of a building block is handled
correctly and only generates a single edge unlike actual BPF_JUMP*
instructions.
Signed-off-by: Christoph Werle <christoph.werle@longjmp.de>
---
tools/bpf/bpftool/cfg.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/bpf/bpftool/cfg.c b/tools/bpf/bpftool/cfg.c
index eec437cca2ea..e3785f9a697d 100644
--- a/tools/bpf/bpftool/cfg.c
+++ b/tools/bpf/bpftool/cfg.c
@@ -302,6 +302,7 @@ static bool func_add_bb_edges(struct func_node *func)
insn = bb->tail;
if (!is_jmp_insn(insn->code) ||
+ BPF_OP(insn->code) == BPF_CALL ||
BPF_OP(insn->code) == BPF_EXIT) {
e->dst = bb_next(bb);
e->flags |= EDGE_FLAG_FALLTHROUGH;
--
2.43.0
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH] bpftool: fix control flow graph segfault during edge creation
2025-01-08 22:09 [PATCH] bpftool: fix control flow graph segfault during edge creation Christoph Werle
@ 2025-01-09 18:19 ` Quentin Monnet
2025-01-10 12:57 ` christoph.werle
2025-01-10 22:20 ` patchwork-bot+netdevbpf
1 sibling, 1 reply; 5+ messages in thread
From: Quentin Monnet @ 2025-01-09 18:19 UTC (permalink / raw)
To: Christoph Werle, Alexei Starovoitov, Andrii Nakryiko
Cc: Daniel Borkmann, Martin KaFai Lau, Eduard Zingerman, Song Liu,
Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev,
Hao Luo, Jiri Olsa, bpf, linux-kernel
On 08/01/2025 22:09, Christoph Werle wrote:
> If the last instruction of a control flow graph building block is a
> BPF_CALL, an incorrect edge with e->dst set to NULL is created and
> results in a segfault during graph output.
>
> Ensure that BPF_CALL as last instruction of a building block is handled
> correctly and only generates a single edge unlike actual BPF_JUMP*
> instructions.
>
> Signed-off-by: Christoph Werle <christoph.werle@longjmp.de>
Fixes: 0824611f9b38 ("tools: bpftool: partition basic-block for each function in the CFG")
> ---
> tools/bpf/bpftool/cfg.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/tools/bpf/bpftool/cfg.c b/tools/bpf/bpftool/cfg.c
> index eec437cca2ea..e3785f9a697d 100644
> --- a/tools/bpf/bpftool/cfg.c
> +++ b/tools/bpf/bpftool/cfg.c
> @@ -302,6 +302,7 @@ static bool func_add_bb_edges(struct func_node *func)
>
> insn = bb->tail;
> if (!is_jmp_insn(insn->code) ||
> + BPF_OP(insn->code) == BPF_CALL ||
> BPF_OP(insn->code) == BPF_EXIT) {
> e->dst = bb_next(bb);
> e->flags |= EDGE_FLAG_FALLTHROUGH;
Thanks for this! It looks OK, would you have a minimal reproducer by any
chance?
Quentin
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] bpftool: fix control flow graph segfault during edge creation
2025-01-09 18:19 ` Quentin Monnet
@ 2025-01-10 12:57 ` christoph.werle
2025-01-10 15:02 ` Quentin Monnet
0 siblings, 1 reply; 5+ messages in thread
From: christoph.werle @ 2025-01-10 12:57 UTC (permalink / raw)
To: Quentin Monnet, Alexei Starovoitov, Andrii Nakryiko
Cc: Daniel Borkmann, Martin KaFai Lau, Eduard Zingerman, Song Liu,
Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev,
Hao Luo, Jiri Olsa, bpf, linux-kernel
Hello Quentin,
> Thanks for this! It looks OK, would you have a minimal reproducer by any
> chance?
here's a small example based on libbpf-bootstrap:
------------- reprex_edge_segfault.bpf.c
// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
char LICENSE[] SEC("license") = "Dual BSD/GPL";
int __attribute__ ((noinline)) do_barf()
{
bpf_printk("We're doomed\n");
return 0;
}
SEC("tp/sched/sched_process_exec")
int handle__sched_process_exec(struct trace_event_raw_sched_process_exec *ctx)
{
if (ctx->pid > 1000)
do_barf();
return 0;
}
------------- reprex_edge_segfault.c
// SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
#include <unistd.h>
#include <bpf/libbpf.h>
#include <bpf/bpf.h>
#include "reprex_edge_segfault.skel.h"
int main(int argc, char **argv)
{
struct reprex_edge_segfault_bpf *skel;
int err=0;
skel = reprex_edge_segfault_bpf__open();
err = reprex_edge_segfault_bpf__load(skel);
err = reprex_edge_segfault_bpf__attach(skel);
while (true)
sleep(1);
reprex_edge_segfault_bpf__destroy(skel);
return -err;
}
--------------
Then just add reprex_edge_segfault to APPS variable in examples/c/Makefile.
Kind regards,
Christoph
> Quentin Monnet <qmo@kernel.org> hat am 09.01.2025 19:19 CET geschrieben:
>
>
> On 08/01/2025 22:09, Christoph Werle wrote:
> > If the last instruction of a control flow graph building block is a
> > BPF_CALL, an incorrect edge with e->dst set to NULL is created and
> > results in a segfault during graph output.
> >
> > Ensure that BPF_CALL as last instruction of a building block is handled
> > correctly and only generates a single edge unlike actual BPF_JUMP*
> > instructions.
> >
> > Signed-off-by: Christoph Werle <christoph.werle@longjmp.de>
>
>
> Fixes: 0824611f9b38 ("tools: bpftool: partition basic-block for each function in the CFG")
>
>
> > ---
> > tools/bpf/bpftool/cfg.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/tools/bpf/bpftool/cfg.c b/tools/bpf/bpftool/cfg.c
> > index eec437cca2ea..e3785f9a697d 100644
> > --- a/tools/bpf/bpftool/cfg.c
> > +++ b/tools/bpf/bpftool/cfg.c
> > @@ -302,6 +302,7 @@ static bool func_add_bb_edges(struct func_node *func)
> >
> > insn = bb->tail;
> > if (!is_jmp_insn(insn->code) ||
> > + BPF_OP(insn->code) == BPF_CALL ||
> > BPF_OP(insn->code) == BPF_EXIT) {
> > e->dst = bb_next(bb);
> > e->flags |= EDGE_FLAG_FALLTHROUGH;
>
>
> Thanks for this! It looks OK, would you have a minimal reproducer by any
> chance?
>
> Quentin
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] bpftool: fix control flow graph segfault during edge creation
2025-01-10 12:57 ` christoph.werle
@ 2025-01-10 15:02 ` Quentin Monnet
0 siblings, 0 replies; 5+ messages in thread
From: Quentin Monnet @ 2025-01-10 15:02 UTC (permalink / raw)
To: christoph.werle, Alexei Starovoitov, Andrii Nakryiko
Cc: Daniel Borkmann, Martin KaFai Lau, Eduard Zingerman, Song Liu,
Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev,
Hao Luo, Jiri Olsa, bpf, linux-kernel
2025-01-10 13:57 UTC+0100 ~ christoph.werle@longjmp.de
> Hello Quentin,
>
>> Thanks for this! It looks OK, would you have a minimal reproducer by any
>> chance?
>
> here's a small example based on libbpf-bootstrap:
>
> ------------- reprex_edge_segfault.bpf.c
> // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
>
> #include "vmlinux.h"
> #include <bpf/bpf_helpers.h>
>
> char LICENSE[] SEC("license") = "Dual BSD/GPL";
>
> int __attribute__ ((noinline)) do_barf()
> {
> bpf_printk("We're doomed\n");
> return 0;
> }
>
> SEC("tp/sched/sched_process_exec")
> int handle__sched_process_exec(struct trace_event_raw_sched_process_exec *ctx)
> {
> if (ctx->pid > 1000)
> do_barf();
>
> return 0;
> }
>
> ------------- reprex_edge_segfault.c
> // SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
>
> #include <unistd.h>
> #include <bpf/libbpf.h>
> #include <bpf/bpf.h>
> #include "reprex_edge_segfault.skel.h"
>
> int main(int argc, char **argv)
> {
> struct reprex_edge_segfault_bpf *skel;
> int err=0;
>
> skel = reprex_edge_segfault_bpf__open();
> err = reprex_edge_segfault_bpf__load(skel);
> err = reprex_edge_segfault_bpf__attach(skel);
>
> while (true)
> sleep(1);
>
> reprex_edge_segfault_bpf__destroy(skel);
> return -err;
> }
> --------------
>
> Then just add reprex_edge_segfault to APPS variable in examples/c/Makefile.
>
> Kind regards,
> Christoph
Thanks a lot! I could successfully reproduce the issue and test your patch.
Tested-by: Quentin Monnet <qmo@kernel.org>
Reviewed-by: Quentin Monnet <qmo@kernel.org>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] bpftool: fix control flow graph segfault during edge creation
2025-01-08 22:09 [PATCH] bpftool: fix control flow graph segfault during edge creation Christoph Werle
2025-01-09 18:19 ` Quentin Monnet
@ 2025-01-10 22:20 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 5+ messages in thread
From: patchwork-bot+netdevbpf @ 2025-01-10 22:20 UTC (permalink / raw)
To: Christoph Werle
Cc: qmo, ast, andrii, daniel, martin.lau, eddyz87, song,
yonghong.song, john.fastabend, kpsingh, sdf, haoluo, jolsa, bpf,
linux-kernel
Hello:
This patch was applied to bpf/bpf-next.git (master)
by Andrii Nakryiko <andrii@kernel.org>:
On Wed, 8 Jan 2025 23:09:37 +0100 you wrote:
> If the last instruction of a control flow graph building block is a
> BPF_CALL, an incorrect edge with e->dst set to NULL is created and
> results in a segfault during graph output.
>
> Ensure that BPF_CALL as last instruction of a building block is handled
> correctly and only generates a single edge unlike actual BPF_JUMP*
> instructions.
>
> [...]
Here is the summary with links:
- bpftool: fix control flow graph segfault during edge creation
https://git.kernel.org/bpf/bpf-next/c/defac894af93
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-01-10 22:20 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-01-08 22:09 [PATCH] bpftool: fix control flow graph segfault during edge creation Christoph Werle
2025-01-09 18:19 ` Quentin Monnet
2025-01-10 12:57 ` christoph.werle
2025-01-10 15:02 ` Quentin Monnet
2025-01-10 22:20 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox