lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <87sf8leasv.fsf@all.your.base.are.belong.to.us>
Date:   Mon, 14 Aug 2023 20:30:40 +0200
From:   Björn Töpel <bjorn@...nel.org>
To:     Puranjay Mohan <puranjay12@...il.com>
Cc:     paul.walmsley@...ive.com, palmer@...belt.com,
        aou@...s.berkeley.edu, pulehui@...wei.com,
        conor.dooley@...rochip.com, ast@...nel.org, daniel@...earbox.net,
        andrii@...nel.org, martin.lau@...ux.dev, song@...nel.org,
        yhs@...com, kpsingh@...nel.org, bpf@...r.kernel.org,
        linux-riscv@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH bpf-next 0/2] bpf, riscv: use BPF prog pack allocator in
 BPF JIT

Puranjay Mohan <puranjay12@...il.com> writes:

> Hi Björn,
>
> On Mon, Aug 14, 2023 at 4:29 PM Björn Töpel <bjorn@...nel.org> wrote:
>>
>> Puranjay Mohan <puranjay12@...il.com> writes:
>>
>> > On Mon, Aug 14, 2023 at 12:40 PM Björn Töpel <bjorn@...nel.org> wrote:
>> >>
>> >> Björn Töpel <bjorn@...nel.org> writes:
>> >>
>> >> > Puranjay Mohan <puranjay12@...il.com> writes:
>> >> >
>> >> >> BPF programs currently consume a page each on RISCV. For systems with many BPF
>> >> >> programs, this adds significant pressure to instruction TLB. High iTLB pressure
>> >> >> usually causes slow down for the whole system.
>> >> >>
>> >> >> Song Liu introduced the BPF prog pack allocator[1] to mitigate the above issue.
>> >> >> It packs multiple BPF programs into a single huge page. It is currently only
>> >> >> enabled for the x86_64 BPF JIT.
>> >> >>
>> >> >> I enabled this allocator on the ARM64 BPF JIT[2]. It is being reviewed now.
>> >> >>
>> >> >> This patch series enables the BPF prog pack allocator for the RISCV BPF JIT.
>> >> >> This series needs a patch[3] from the ARM64 series to work.
>> >> >>
>> >> >> ======================================================
>> >> >> Performance Analysis of prog pack allocator on RISCV64
>> >> >> ======================================================
>> >> >>
>> >> >> Test setup:
>> >> >> ===========
>> >> >>
>> >> >> Host machine: Debian GNU/Linux 11 (bullseye)
>> >> >> Qemu Version: QEMU emulator version 8.0.3 (Debian 1:8.0.3+dfsg-1)
>> >> >> u-boot-qemu Version: 2023.07+dfsg-1
>> >> >> opensbi Version: 1.3-1
>> >> >>
>> >> >> To test the performance of the BPF prog pack allocator on RV, a stresser
>> >> >> tool[4] linked below was built. This tool loads 8 BPF programs on the system and
>> >> >> triggers 5 of them in an infinite loop by doing system calls.
>> >> >>
>> >> >> The runner script starts 20 instances of the above which loads 8*20=160 BPF
>> >> >> programs on the system, 5*20=100 of which are being constantly triggered.
>> >> >> The script is passed a command which would be run in the above environment.
>> >> >>
>> >> >> The script was run with following perf command:
>> >> >> ./run.sh "perf stat -a \
>> >> >>         -e iTLB-load-misses \
>> >> >>         -e dTLB-load-misses  \
>> >> >>         -e dTLB-store-misses \
>> >> >>         -e instructions \
>> >> >>         --timeout 60000"
>> >> >>
>> >> >> The output of the above command is discussed below before and after enabling the
>> >> >> BPF prog pack allocator.
>> >> >>
>> >> >> The tests were run on qemu-system-riscv64 with 8 cpus, 16G memory. The rootfs
>> >> >> was created using Bjorn's riscv-cross-builder[5] docker container linked below.
>> >> >>
>> >> >> Results
>> >> >> =======
>> >> >>
>> >> >> Before enabling prog pack allocator:
>> >> >> ------------------------------------
>> >> >>
>> >> >> Performance counter stats for 'system wide':
>> >> >>
>> >> >>            4939048      iTLB-load-misses
>> >> >>            5468689      dTLB-load-misses
>> >> >>             465234      dTLB-store-misses
>> >> >>      1441082097998      instructions
>> >> >>
>> >> >>       60.045791200 seconds time elapsed
>> >> >>
>> >> >> After enabling prog pack allocator:
>> >> >> -----------------------------------
>> >> >>
>> >> >> Performance counter stats for 'system wide':
>> >> >>
>> >> >>            3430035      iTLB-load-misses
>> >> >>            5008745      dTLB-load-misses
>> >> >>             409944      dTLB-store-misses
>> >> >>      1441535637988      instructions
>> >> >>
>> >> >>       60.046296600 seconds time elapsed
>> >> >>
>> >> >> Improvements in metrics
>> >> >> =======================
>> >> >>
>> >> >> It was expected that the iTLB-load-misses would decrease as now a single huge
>> >> >> page is used to keep all the BPF programs compared to a single page for each
>> >> >> program earlier.
>> >> >>
>> >> >> --------------------------------------------
>> >> >> The improvement in iTLB-load-misses: -30.5 %
>> >> >> --------------------------------------------
>> >> >>
>> >> >> I repeated this expriment more than 100 times in different setups and the
>> >> >> improvement was always greater than 30%.
>> >> >>
>> >> >> This patch series is boot tested on the Starfive VisionFive 2 board[6].
>> >> >> The performance analysis was not done on the board because it doesn't
>> >> >> expose iTLB-load-misses, etc. The stresser program was run on the board to test
>> >> >> the loading and unloading of BPF programs
>> >> >>
>> >> >> [1] https://lore.kernel.org/bpf/20220204185742.271030-1-song@kernel.org/
>> >> >> [2] https://lore.kernel.org/all/20230626085811.3192402-1-puranjay12@gmail.com/
>> >> >> [3] https://lore.kernel.org/all/20230626085811.3192402-2-puranjay12@gmail.com/
>> >> >> [4] https://github.com/puranjaymohan/BPF-Allocator-Bench
>> >> >> [5] https://github.com/bjoto/riscv-cross-builder
>> >> >> [6] https://www.starfivetech.com/en/site/boards
>> >> >>
>> >> >> Puranjay Mohan (2):
>> >> >>   riscv: Extend patch_text_nosync() for multiple pages
>> >> >>   bpf, riscv: use prog pack allocator in the BPF JIT
>> >> >
>> >> > I get a hang for "test_tag", but it's not directly related to your
>> >> > series, but rather "remote fence.i".
>> >> >
>> >> >   | rcu: INFO: rcu_sched detected stalls on CPUs/tasks:
>> >> >   | rcu:      0-....: (1400 ticks this GP) idle=d5e4/1/0x4000000000000000 softirq=5542/5542 fqs=1862
>> >> >   | rcu:      (detected by 1, t=5252 jiffies, g=10253, q=195 ncpus=4)
>> >> >   | Task dump for CPU 0:
>> >> >   | task:kworker/0:5     state:R  running task     stack:0     pid:319   ppid:2      flags:0x00000008
>> >> >   | Workqueue: events bpf_prog_free_deferred
>> >> >   | Call Trace:
>> >> >   | [<ffffffff80cbc444>] __schedule+0x2d0/0x940
>> >> >   | watchdog: BUG: soft lockup - CPU#0 stuck for 21s! [kworker/0:5:319]
>> >> >   | Modules linked in: nls_iso8859_1 drm fuse i2c_core drm_panel_orientation_quirks backlight dm_mod configfs ip_tables x_tables
>> >> >   | CPU: 0 PID: 319 Comm: kworker/0:5 Not tainted 6.5.0-rc5 #1
>> >> >   | Hardware name: riscv-virtio,qemu (DT)
>> >> >   | Workqueue: events bpf_prog_free_deferred
>> >> >   | epc : __sbi_rfence_v02_call.isra.0+0x74/0x11a
>> >> >   |  ra : __sbi_rfence_v02+0xda/0x1a4
>> >> >   | epc : ffffffff8000ab4c ra : ffffffff8000accc sp : ff20000001c9bbd0
>> >> >   |  gp : ffffffff82078c48 tp : ff600000888e6a40 t0 : ff20000001c9bd44
>> >> >   |  t1 : 0000000000000000 t2 : 0000000000000040 s0 : ff20000001c9bbf0
>> >> >   |  s1 : 0000000000000010 a0 : 0000000000000000 a1 : 0000000000000000
>> >> >   |  a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000
>> >> >   |  a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000052464e43
>> >> >   |  s2 : 000000000000ffff s3 : 00000000ffffffff s4 : ffffffff81667528
>> >> >   |  s5 : 0000000000000000 s6 : 0000000000000000 s7 : 0000000000000000
>> >> >   |  s8 : 0000000000000001 s9 : 0000000000000003 s10: 0000000000000040
>> >> >   |  s11: ffffffff8207d240 t3 : 000000000000000f t4 : 000000000000002a
>> >> >   |  t5 : ff600000872df140 t6 : ffffffff81e26828
>> >> >   | status: 0000000200000120 badaddr: 0000000000000000 cause: 8000000000000005
>> >> >   | [<ffffffff8000ab4c>] __sbi_rfence_v02_call.isra.0+0x74/0x11a
>> >> >   | [<ffffffff8000accc>] __sbi_rfence_v02+0xda/0x1a4
>> >> >   | [<ffffffff8000a886>] sbi_remote_fence_i+0x1e/0x26
>> >> >   | [<ffffffff8000cee2>] flush_icache_all+0x1a/0x48
>> >> >   | [<ffffffff80007736>] patch_text_nosync+0x6c/0x8c
>> >> >   | [<ffffffff8000f0f8>] bpf_arch_text_invalidate+0x62/0xac
>> >> >   | [<ffffffff8016c538>] bpf_prog_pack_free+0x9c/0x1b2
>> >> >   | [<ffffffff8016c84a>] bpf_jit_binary_pack_free+0x20/0x4a
>> >> >   | [<ffffffff8000f198>] bpf_jit_free+0x56/0x9e
>> >> >   | [<ffffffff8016b43a>] bpf_prog_free_deferred+0x15a/0x182
>> >> >   | [<ffffffff800576c4>] process_one_work+0x1b6/0x3d6
>> >> >   | [<ffffffff80057d52>] worker_thread+0x84/0x378
>> >> >   | [<ffffffff8005fc2c>] kthread+0xe8/0x108
>> >> >   | [<ffffffff80003ffa>] ret_from_fork+0xe/0x20
>> >> >
>> >> > I'm digging into that now, and I would appreciate if you could run the
>> >> > test_tag on VF2 or similar (I'm missing that HW).
>> >> >
>> >> > It seems like we're hitting a bug with this series, so let's try to
>> >> > figure out where the problems is, prior merging it.
>> >>
>> >> Hmm, it looks like the bpf_arch_text_invalidate() implementation is a
>> >> bit problematic:
>> >>
>> >> +int bpf_arch_text_invalidate(void *dst, size_t len)
>> >> +{
>> >> +       __le32 *ptr;
>> >> +       int ret = 0;
>> >> +       u32 inval = 0;
>> >> +
>> >> +       for (ptr = dst; ret == 0 && len >= sizeof(u32); len -= sizeof(u32)) {
>> >> +               mutex_lock(&text_mutex);
>> >> +               ret = patch_text_nosync(ptr++, &inval, sizeof(u32));
>> >> +               mutex_unlock(&text_mutex);
>> >> +       }
>> >> +
>> >> +       return ret;
>> >> +}
>> >>
>> >> Each patch_text_nosync() is a remote fence.i, and for a big "len", we'll
>> >> be flooded with remote fences.
>> >
>> > I understand this now, thanks for debugging this.
>> >
>> > We are calling patch_text_nosync() for each word (u32) which calls
>> > flush_icache_range() and therefore "fence.i" is inserted after every
>> > word.
>>
>> But more importantly, it does a remote fence.i (which is an IPI to all
>> cores).
>>
>> > I still don't fully understand how it causes this bug because I lack
>> > the prerequisite
>> > knowledge about test_tag and what the failing test is doing.
>>
>> The test_tag is part of kselftest/bpf:
>> tools/testing/selftests/bpf/test_tag.c
>>
>> TL;DR: it generates a bunch of programs, where some have a length of,
>> e.g, 41024. bpf_arch_text_invalidate() does ~10k of remote fences in
>> that case.
>>
>> > But to solve this issue we would need a function like the x86
>> > text_poke_set() that will only
>> > insert a single "fence.i" after setting the whole memory area. This
>> > can be done by
>> > implementing a wrapper around patch_insn_write() which would set the memory area
>> > and at the end call flush_icache_range().
>> >
>> > Something like:
>> >
>> > void *text_set_nosync(void *dst, int c, size_t len)
>> > {
>> >         __le32 *ptr;
>> >         int ret = 0;
>> >
>> >         for (ptr = dst; ret == 0 && len >= sizeof(u32); len -= sizeof(u32)) {
>> >                 ret = patch_insn_write(ptr++, &c, sizeof(u32));
>> >         }
>> >         if(!ret)
>> >                 flush_icache_range((uintptr_t) dst, (uintptr_t) dst + len);
>> >
>> >         return ret;
>> > }
>> >
>> > Let me know if this looks correct or we need more details here.
>> > I will then send v2 with this implemented as a separate patch.
>>
>> Can't we do better here? Perhaps a similar pattern like the 2 page fill?
>> Otherwise we'll have a bunch of fixmap updates as well.
>
> I agree that we can make it more efficient by first copying the value to a
> RW buffer using normal memcpy() and then copying that area to the RO area
> using patch_insn_write(). Then it would solve both problems. Or we implement
> a new function like patch_insn_write() that does the 2 page map and
> set explicitly.
>
> Which approach would you prefer?
> 1) Wrapper around patch_insn_write() that first memsets a RW buffer and then
> copies the complete RW buffer to the RO area by calling
> patch_insn_write() with len.
>
> 2) A new function like patch_insn_write() that takes dst, src, len and
> maps the dst, 2 pages
> at a time and sets it to *src in a loop.

A think 2) is the way to go: A "patch_insn_set(void *addr, u16 c, size_t
len)" or smth.

>> I'd keep the patch_ prefix in the name for consistency. Please measure
>> the runtime of test_tag pre/after the change.
>
> test_tag currently wouldn't even complete right? with the current
> version of the patch?

It will, but you'd need to crank up the watchdog timeout. :-) What I
meant was test_tag w/ and w/o your pack allocator.

>> I don't know if your arm64 work has similar problems?
>
> Thanks for bringing this up. I will revisit that and verify if
> test_tag is working
> there. There also the bpf_arch_text_invalidate() is calling
> aarch64_insn_patch_text_nosync()
> in a loop that in turn calls caches_clean_inval_pou(). So I might see
> similar issues there.

Ok!

> I think https://github.com/kernel-patches doesn't run test_tag hence I
> might have missed it.

You're right, it doesn't. I usually run the full suite locally.


Again, thanks a lot for spending time on this! It's nice work!
Björn

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ