lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Tue,  6 Sep 2022 21:56:41 +0200
From:   Francis Laniel <flaniel@...ux.microsoft.com>
To:     bpf@...r.kernel.org
Cc:     Francis Laniel <flaniel@...ux.microsoft.com>,
        Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Andrii Nakryiko <andrii@...nel.org>,
        Martin KaFai Lau <martin.lau@...ux.dev>,
        Song Liu <song@...nel.org>, Yonghong Song <yhs@...com>,
        John Fastabend <john.fastabend@...il.com>,
        KP Singh <kpsingh@...nel.org>,
        Stanislav Fomichev <sdf@...gle.com>,
        Hao Luo <haoluo@...gle.com>, Jiri Olsa <jolsa@...nel.org>,
        Jonathan Corbet <corbet@....net>,
        Mykola Lysenko <mykolal@...com>, Shuah Khan <shuah@...nel.org>,
        Joanne Koong <joannelkoong@...il.com>,
        Lorenzo Bianconi <lorenzo@...nel.org>,
        Dave Marchevsky <davemarchevsky@...com>,
        Maxim Mikityanskiy <maximmi@...dia.com>,
        Geliang Tang <geliang.tang@...e.com>,
        "Naveen N. Rao" <naveen.n.rao@...ux.vnet.ibm.com>,
        linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-kselftest@...r.kernel.org
Subject: [RFC PATCH v2 0/5] Make BPF ring buffer overwritable

Hi.


First, I hope you are fine and the same for your relatives.

Normally, when BPF ring buffer are full, producers cannot write anymore and
need to wait for consumer to get some data.
As a consequence, calling bpf_ringbuf_reserve() from eBPF code returns NULL.

This contribution adds a new flag to make BPF ring buffer overwritable.
Perf ring buffers already implement an option to be overwritable. In order to
avoid data corruption, the data is written backward, see
commit 9ecda41acb97 ("perf/core: Add ::write_backward attribute to perf event").
This patch series re-uses the same idea from perf ring buffers but in BPF ring
buffers.
So, calling bpf_ringbuf_reserve() on an overwritable BPF ring buffer never
returns NULL.
As a consequence, oldest data will be overwritten by the newest so consumer will
loose data.

Overwritable ring buffers are useful in BPF programs that are permanently
enabled but rarely read, only on-demand, for example in case of a user request
to investigate problems. We would like to use this in the Traceloop project [1].

The self test added in this series was tested and validated in a VM:
you@vm# ./share/linux/tools/testing/selftests/bpf/test_progs -t ringbuf_over
Can't find bpf_testmod.ko kernel module: -2
WARNING! Selftests relying on bpf_testmod.ko will be skipped.
#135     ringbuf_over_writable:OK
Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED

You can also test the libbpf implementation by using the last patch of this
series which should be applied to iovisor/bcc:
you@...e$ cd /path/to/iovisor/bcc
you@...e$ git am -3 v2-0005-for-test-purpose-only-Add-toy-to-play-with-BPF-ri.patch
you@...e$ cd /path/to/linux/tools/lib/bpf
you@...e$ make -j$(nproc)
you@...e$ cp libbpf.a /path/to/iovisor/bcc/libbpf-tools/.output
you@...e$ cd /path/to/iovisor/bcc/libbpf-tools/
you@...e$ make -j toy
# Start your VM and copy toy executable inside it.
root@...amd64:~# ./share/toy &
[1] 287
root@...amd64:~# for i in {1..16}; do ls > /dev/null; done
16
15
14
13
12
11
10
9
root@...amd64:~# ls > /dev/null && ls > /dev/null
18
17

As you can see, the first eight events are overwritten.

If you see any way to improve this contribution, feel free to share.

Changes since:
 v1:
  * Made producers write backward like perf ring buffer, so it permits avoiding
  memory corruption.
  * Added libbpf implementation to consume all events available.
  * Added selftest.
  * Added documentation.

Francis Laniel (5):
  bpf: Make ring buffer overwritable.
  selftests: Add BPF overwritable ring buffer self tests.
  docs/bpf: Add documentation for overwritable ring buffer.
  libbpf: Add implementation to consume overwritable BPF ring buffer.
  for test purpose only: Add toy to play with BPF ring.

 ...-only-Add-toy-to-play-with-BPF-ring-.patch | 147 ++++++++++++++++
 Documentation/bpf/ringbuf.rst                 |  18 +-
 include/uapi/linux/bpf.h                      |   3 +
 kernel/bpf/ringbuf.c                          |  43 +++--
 tools/include/uapi/linux/bpf.h                |   3 +
 tools/lib/bpf/ringbuf.c                       | 106 ++++++++++++
 tools/testing/selftests/bpf/Makefile          |   5 +-
 .../bpf/prog_tests/ringbuf_overwritable.c     | 158 ++++++++++++++++++
 .../bpf/progs/test_ringbuf_overwritable.c     |  61 +++++++
 9 files changed, 531 insertions(+), 13 deletions(-)
 create mode 100644 0001-for-test-purpose-only-Add-toy-to-play-with-BPF-ring-.patch
 create mode 100644 tools/testing/selftests/bpf/prog_tests/ringbuf_overwritable.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_ringbuf_overwritable.c


Best regards and thank you in advance.
---
[1] https://github.com/kinvolk/traceloop
Traceloop was presented at LPC 2020 (https://lpc.events/event/7/contributions/667/)
--
2.25.1

Powered by blists - more mailing lists