1. 17 Jun, 2022 5 commits
  2. 16 Jun, 2022 2 commits
    • Jakub Sitnicki's avatar
      selftests/bpf: Test tail call counting with bpf2bpf and data on stack · 5e0b0a4c
      Jakub Sitnicki authored
      Cover the case when tail call count needs to be passed from BPF function to
      BPF function, and the caller has data on stack. Specifically when the size
      of data allocated on BPF stack is not a multiple on 8.
      Signed-off-by: default avatarJakub Sitnicki <jakub@cloudflare.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Link: https://lore.kernel.org/bpf/20220616162037.535469-3-jakub@cloudflare.com
      5e0b0a4c
    • Jakub Sitnicki's avatar
      bpf, x86: Fix tail call count offset calculation on bpf2bpf call · ff672c67
      Jakub Sitnicki authored
      On x86-64 the tail call count is passed from one BPF function to another
      through %rax. Additionally, on function entry, the tail call count value
      is stored on stack right after the BPF program stack, due to register
      shortage.
      
      The stored count is later loaded from stack either when performing a tail
      call - to check if we have not reached the tail call limit - or before
      calling another BPF function call in order to pass it via %rax.
      
      In the latter case, we miscalculate the offset at which the tail call count
      was stored on function entry. The JIT does not take into account that the
      allocated BPF program stack is always a multiple of 8 on x86, while the
      actual stack depth does not have to be.
      
      This leads to a load from an offset that belongs to the BPF stack, as shown
      in the example below:
      
      SEC("tc")
      int entry(struct __sk_buff *skb)
      {
      	/* Have data on stack which size is not a multiple of 8 */
      	volatile char arr[1] = {};
      	return subprog_tail(skb);
      }
      
      int entry(struct __sk_buff * skb):
         0: (b4) w2 = 0
         1: (73) *(u8 *)(r10 -1) = r2
         2: (85) call pc+1#bpf_prog_ce2f79bb5f3e06dd_F
         3: (95) exit
      
      int entry(struct __sk_buff * skb):
         0xffffffffa0201788:  nop    DWORD PTR [rax+rax*1+0x0]
         0xffffffffa020178d:  xor    eax,eax
         0xffffffffa020178f:  push   rbp
         0xffffffffa0201790:  mov    rbp,rsp
         0xffffffffa0201793:  sub    rsp,0x8
         0xffffffffa020179a:  push   rax
         0xffffffffa020179b:  xor    esi,esi
         0xffffffffa020179d:  mov    BYTE PTR [rbp-0x1],sil
         0xffffffffa02017a1:  mov    rax,QWORD PTR [rbp-0x9]	!!! tail call count
         0xffffffffa02017a8:  call   0xffffffffa02017d8       !!! is at rbp-0x10
         0xffffffffa02017ad:  leave
         0xffffffffa02017ae:  ret
      
      Fix it by rounding up the BPF stack depth to a multiple of 8, when
      calculating the tail call count offset on stack.
      
      Fixes: ebf7d1f5 ("bpf, x64: rework pro/epilogue and tailcall handling in JIT")
      Signed-off-by: default avatarJakub Sitnicki <jakub@cloudflare.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarMaciej Fijalkowski <maciej.fijalkowski@intel.com>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Link: https://lore.kernel.org/bpf/20220616162037.535469-2-jakub@cloudflare.com
      ff672c67
  3. 15 Jun, 2022 2 commits
  4. 14 Jun, 2022 4 commits
  5. 13 Jun, 2022 12 commits
  6. 11 Jun, 2022 5 commits
  7. 10 Jun, 2022 10 commits