lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <b4d5aaaf-7fe6-29fd-645a-62a4032820ae@huawei.com>
Date:   Fri, 25 Aug 2023 15:34:45 +0800
From:   Pu Lehui <pulehui@...wei.com>
To:     Puranjay Mohan <puranjay12@...il.com>
CC:     <bjorn@...nel.org>, <paul.walmsley@...ive.com>,
        <palmer@...belt.com>, <aou@...s.berkeley.edu>,
        <conor.dooley@...rochip.com>, <ast@...nel.org>,
        <daniel@...earbox.net>, <andrii@...nel.org>,
        <martin.lau@...ux.dev>, <song@...nel.org>, <yhs@...com>,
        <linux-riscv@...ts.infradead.org>, <bpf@...r.kernel.org>,
        <kpsingh@...nel.org>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH bpf-next v2 3/3] bpf, riscv: use prog pack allocator in
 the BPF JIT



On 2023/8/25 15:09, Pu Lehui wrote:
> Hi Puranjay,
> 
> Happy to see the RV64 pack allocator implementation.

RV32 also

> 
> On 2023/8/24 21:31, Puranjay Mohan wrote:
>> Use bpf_jit_binary_pack_alloc() for memory management of JIT binaries in
>> RISCV BPF JIT. The bpf_jit_binary_pack_alloc creates a pair of RW and RX
>> buffers. The JIT writes the program into the RW buffer. When the JIT is
>> done, the program is copied to the final RX buffer with
>> bpf_jit_binary_pack_finalize.
>>
>> Implement bpf_arch_text_copy() and bpf_arch_text_invalidate() for RISCV
>> JIT as these functions are required by bpf_jit_binary_pack allocator.
>>
>> Signed-off-by: Puranjay Mohan <puranjay12@...il.com>
>> ---
>>   arch/riscv/net/bpf_jit.h        |   3 +
>>   arch/riscv/net/bpf_jit_comp64.c |  56 +++++++++++++---
>>   arch/riscv/net/bpf_jit_core.c   | 113 +++++++++++++++++++++++++++-----
>>   3 files changed, 146 insertions(+), 26 deletions(-)
>>
>> diff --git a/arch/riscv/net/bpf_jit.h b/arch/riscv/net/bpf_jit.h
>> index 2717f5490428..ad69319c8ea7 100644
>> --- a/arch/riscv/net/bpf_jit.h
>> +++ b/arch/riscv/net/bpf_jit.h
>> @@ -68,6 +68,7 @@ static inline bool is_creg(u8 reg)
>>   struct rv_jit_context {
>>       struct bpf_prog *prog;
>>       u16 *insns;        /* RV insns */
>> +    u16 *ro_insns;

In fact, the definition of w/ or w/o ro_ still looks a bit confusing. 
Maybe it is better for us not to change the current framework, as the 
current `image` is the final executed RX image, and the trampoline 
treats `image` as the same. Maybe it would be better to add a new RW 
image, such like `rw_iamge`, so that we do not break the existing 
framework and do not have to add too many comments.

And any other parts, it looks great.😄

>>       int ninsns;
>>       int prologue_len;
>>       int epilogue_offset;
>> @@ -85,7 +86,9 @@ static inline int ninsns_rvoff(int ninsns)
>>   struct rv_jit_data {
>>       struct bpf_binary_header *header;
>> +    struct bpf_binary_header *ro_header;
>>       u8 *image;
>> +    u8 *ro_image;
>>       struct rv_jit_context ctx;
>>   };
>> diff --git a/arch/riscv/net/bpf_jit_comp64.c 
>> b/arch/riscv/net/bpf_jit_comp64.c
>> index 0ca4f5c0097c..d77b16338ba2 100644
>> --- a/arch/riscv/net/bpf_jit_comp64.c
>> +++ b/arch/riscv/net/bpf_jit_comp64.c
>> @@ -144,7 +144,11 @@ static bool in_auipc_jalr_range(s64 val)
>>   /* Emit fixed-length instructions for address */
>>   static int emit_addr(u8 rd, u64 addr, bool extra_pass, struct 
>> rv_jit_context *ctx)
>>   {
>> -    u64 ip = (u64)(ctx->insns + ctx->ninsns);
>> +    /*
>> +     * Use the ro_insns(RX) to calculate the offset as the BPF 
>> program will
>> +     * finally run from this memory region.
>> +     */
>> +    u64 ip = (u64)(ctx->ro_insns + ctx->ninsns);
>>       s64 off = addr - ip;
>>       s64 upper = (off + (1 << 11)) >> 12;
>>       s64 lower = off & 0xfff;
>> @@ -465,7 +469,11 @@ static int emit_call(u64 addr, bool fixed_addr, 
>> struct rv_jit_context *ctx)
>>       u64 ip;
>>       if (addr && ctx->insns) {
> 
> ctx->insns need to sync to ctx->ro_insns
> 
>> -        ip = (u64)(long)(ctx->insns + ctx->ninsns);
>> +        /*
>> +         * Use the ro_insns(RX) to calculate the offset as the BPF
>> +         * program will finally run from this memory region.
>> +         */
>> +        ip = (u64)(long)(ctx->ro_insns + ctx->ninsns);
>>           off = addr - ip;
>>       }
>> @@ -578,7 +586,8 @@ static int add_exception_handler(const struct 
>> bpf_insn *insn,
>>   {
>>       struct exception_table_entry *ex;
>>       unsigned long pc;
>> -    off_t offset;
>> +    off_t ins_offset;
>> +    off_t fixup_offset;
>>       if (!ctx->insns || !ctx->prog->aux->extable || 
>> BPF_MODE(insn->code) != BPF_PROBE_MEM)
> 
> ctx->ro_insns need to be checked also.
> 
>>           return 0;
>> @@ -593,12 +602,17 @@ static int add_exception_handler(const struct 
>> bpf_insn *insn,
>>           return -EINVAL;
>>       ex = &ctx->prog->aux->extable[ctx->nexentries];
>> -    pc = (unsigned long)&ctx->insns[ctx->ninsns - insn_len];
>> +    pc = (unsigned long)&ctx->ro_insns[ctx->ninsns - insn_len];
>> -    offset = pc - (long)&ex->insn;
>> -    if (WARN_ON_ONCE(offset >= 0 || offset < INT_MIN))
>> +    /*
>> +     * This is the relative offset of the instruction that may fault 
>> from
>> +     * the exception table itself. This will be written to the exception
>> +     * table and if this instruction faults, the destination register 
>> will
>> +     * be set to '0' and the execution will jump to the next 
>> instruction.
>> +     */
>> +    ins_offset = pc - (long)&ex->insn;
>> +    if (WARN_ON_ONCE(ins_offset >= 0 || ins_offset < INT_MIN))
>>           return -ERANGE;
>> -    ex->insn = offset;
>>       /*
>>        * Since the extable follows the program, the fixup offset is 
>> always
>> @@ -607,12 +621,25 @@ static int add_exception_handler(const struct 
>> bpf_insn *insn,
>>        * bits. We don't need to worry about buildtime or runtime sort
>>        * modifying the upper bits because the table is already sorted, 
>> and
>>        * isn't part of the main exception table.
>> +     *
>> +     * The fixup_offset is set to the next instruction from the 
>> instruction
>> +     * that may fault. The execution will jump to this after handling 
>> the
>> +     * fault.
>>        */
>> -    offset = (long)&ex->fixup - (pc + insn_len * sizeof(u16));
>> -    if (!FIELD_FIT(BPF_FIXUP_OFFSET_MASK, offset))
>> +    fixup_offset = (long)&ex->fixup - (pc + insn_len * sizeof(u16));
>> +    if (!FIELD_FIT(BPF_FIXUP_OFFSET_MASK, fixup_offset))
>>           return -ERANGE;
>> -    ex->fixup = FIELD_PREP(BPF_FIXUP_OFFSET_MASK, offset) |
>> +    /*
>> +     * The offsets above have been calculated using the RO buffer but we
>> +     * need to use the R/W buffer for writes.
>> +     * switch ex to rw buffer for writing.
>> +     */
>> +    ex = (void *)ctx->insns + ((void *)ex - (void *)ctx->ro_insns);
>> +
>> +    ex->insn = ins_offset;
>> +
>> +    ex->fixup = FIELD_PREP(BPF_FIXUP_OFFSET_MASK, fixup_offset) |
>>           FIELD_PREP(BPF_FIXUP_REG_MASK, dst_reg);
>>       ex->type = EX_TYPE_BPF;
>> @@ -1006,6 +1033,7 @@ int arch_prepare_bpf_trampoline(struct 
>> bpf_tramp_image *im, void *image,
>>       ctx.ninsns = 0;
>>       ctx.insns = NULL;
>> +    ctx.ro_insns = NULL;
>>       ret = __arch_prepare_bpf_trampoline(im, m, tlinks, func_addr, 
>> flags, &ctx);
>>       if (ret < 0)
>>           return ret;
>> @@ -1014,7 +1042,15 @@ int arch_prepare_bpf_trampoline(struct 
>> bpf_tramp_image *im, void *image,
>>           return -EFBIG;
>>       ctx.ninsns = 0;
>> +    /*
>> +     * The bpf_int_jit_compile() uses a RW buffer (ctx.insns) to 
>> write the
>> +     * JITed instructions and later copies it to a RX region 
>> (ctx.ro_insns).
>> +     * It also uses ctx.ro_insns to calculate offsets for jumps etc. 
>> As the
>> +     * trampoline image uses the same memory area for writing and 
>> execution,
>> +     * both ctx.insns and ctx.ro_insns can be set to image.
>> +     */
>>       ctx.insns = image;
>> +    ctx.ro_insns = image;
>>       ret = __arch_prepare_bpf_trampoline(im, m, tlinks, func_addr, 
>> flags, &ctx);
>>       if (ret < 0)
>>           return ret;
>> diff --git a/arch/riscv/net/bpf_jit_core.c 
>> b/arch/riscv/net/bpf_jit_core.c
>> index 7a26a3e1c73c..4c8dffc09368 100644
>> --- a/arch/riscv/net/bpf_jit_core.c
>> +++ b/arch/riscv/net/bpf_jit_core.c
>> @@ -8,6 +8,8 @@
>>   #include <linux/bpf.h>
>>   #include <linux/filter.h>
>> +#include <linux/memory.h>
>> +#include <asm/patch.h>
>>   #include "bpf_jit.h"
>>   /* Number of iterations to try until offsets converge. */
>> @@ -117,16 +119,27 @@ struct bpf_prog *bpf_int_jit_compile(struct 
>> bpf_prog *prog)
>>                   sizeof(struct exception_table_entry);
>>               prog_size = sizeof(*ctx->insns) * ctx->ninsns;
>> -            jit_data->header =
>> -                bpf_jit_binary_alloc(prog_size + extable_size,
>> -                             &jit_data->image,
>> -                             sizeof(u32),
>> -                             bpf_fill_ill_insns);
>> -            if (!jit_data->header) {
>> +            jit_data->ro_header =
>> +                bpf_jit_binary_pack_alloc(prog_size +
>> +                              extable_size,
>> +                              &jit_data->ro_image,
>> +                              sizeof(u32),
>> +                              &jit_data->header,
>> +                              &jit_data->image,
>> +                              bpf_fill_ill_insns);
>> +            if (!jit_data->ro_header) {
>>                   prog = orig_prog;
>>                   goto out_offset;
>>               }
>> +            /*
>> +             * Use the image(RW) for writing the JITed instructions. 
>> But also save
>> +             * the ro_image(RX) for calculating the offsets in the 
>> image. The RW
>> +             * image will be later copied to the RX image from where 
>> the program
>> +             * will run. The bpf_jit_binary_pack_finalize() will do 
>> this copy in the
>> +             * final step.
>> +             */
>> +            ctx->ro_insns = (u16 *)jit_data->ro_image;
>>               ctx->insns = (u16 *)jit_data->image;
>>               /*
>>                * Now, when the image is allocated, the image can
>> @@ -138,14 +151,12 @@ struct bpf_prog *bpf_int_jit_compile(struct 
>> bpf_prog *prog)
>>       if (i == NR_JIT_ITERATIONS) {
>>           pr_err("bpf-jit: image did not converge in <%d passes!\n", i);
>> -        if (jit_data->header)
>> -            bpf_jit_binary_free(jit_data->header);
>>           prog = orig_prog;
>> -        goto out_offset;
>> +        goto out_free_hdr;
>>       }
>>       if (extable_size)
>> -        prog->aux->extable = (void *)ctx->insns + prog_size;
>> +        prog->aux->extable = (void *)ctx->ro_insns + prog_size;
>>   skip_init_ctx:
>>       pass++;
>> @@ -154,23 +165,35 @@ struct bpf_prog *bpf_int_jit_compile(struct 
>> bpf_prog *prog)
>>       bpf_jit_build_prologue(ctx);
>>       if (build_body(ctx, extra_pass, NULL)) {
>> -        bpf_jit_binary_free(jit_data->header);
>>           prog = orig_prog;
>> -        goto out_offset;
>> +        goto out_free_hdr;
>>       }
>>       bpf_jit_build_epilogue(ctx);
>>       if (bpf_jit_enable > 1)
>>           bpf_jit_dump(prog->len, prog_size, pass, ctx->insns);
>> -    prog->bpf_func = (void *)ctx->insns;
>> +    prog->bpf_func = (void *)ctx->ro_insns;
>>       prog->jited = 1;
>>       prog->jited_len = prog_size;
>> -    bpf_flush_icache(jit_data->header, ctx->insns + ctx->ninsns);
>> -
>>       if (!prog->is_func || extra_pass) {
>> -        bpf_jit_binary_lock_ro(jit_data->header);
>> +        if (WARN_ON(bpf_jit_binary_pack_finalize(prog,
>> +                             jit_data->ro_header,
>> +                             jit_data->header))) {
>> +            /* ro_header has been freed */
>> +            jit_data->ro_header = NULL;
>> +            prog = orig_prog;
>> +            goto out_offset;
>> +        }
>> +        /*
>> +         * The instructions have now been copied to the ROX region from
>> +         * where they will execute.
>> +         * Write any modified data cache blocks out to memory and
>> +         * invalidate the corresponding blocks in the instruction cache.
>> +         */
>> +        bpf_flush_icache(jit_data->ro_header,
>> +                 ctx->ro_insns + ctx->ninsns);
>>           for (i = 0; i < prog->len; i++)
>>               ctx->offset[i] = ninsns_rvoff(ctx->offset[i]);
>>           bpf_prog_fill_jited_linfo(prog, ctx->offset);
>> @@ -185,6 +208,15 @@ struct bpf_prog *bpf_int_jit_compile(struct 
>> bpf_prog *prog)
>>           bpf_jit_prog_release_other(prog, prog == orig_prog ?
>>                          tmp : orig_prog);
>>       return prog;
>> +
>> +out_free_hdr:
>> +    if (jit_data->header) {
>> +        bpf_arch_text_copy(&jit_data->ro_header->size,
>> +                   &jit_data->header->size,
>> +                   sizeof(jit_data->header->size));
>> +        bpf_jit_binary_pack_free(jit_data->ro_header, jit_data->header);
>> +    }
>> +    goto out_offset;
>>   }
>>   u64 bpf_jit_alloc_exec_limit(void)
>> @@ -204,3 +236,52 @@ void bpf_jit_free_exec(void *addr)
>>   {
>>       return vfree(addr);
>>   }
>> +
>> +void *bpf_arch_text_copy(void *dst, void *src, size_t len)
>> +{
>> +    int ret;
>> +
>> +    mutex_lock(&text_mutex);
>> +    ret = patch_text_nosync(dst, src, len);
>> +    mutex_unlock(&text_mutex);
>> +
>> +    if (ret)
>> +        return ERR_PTR(-EINVAL);
>> +
>> +    return dst;
>> +}
>> +
>> +int bpf_arch_text_invalidate(void *dst, size_t len)
>> +{
>> +    int ret = 0;
> 
> no need to initialize it
> 
>> +
>> +    mutex_lock(&text_mutex);
>> +    ret = patch_text_set_nosync(dst, 0, len);
>> +    mutex_unlock(&text_mutex);
>> +
>> +    return ret;
>> +}
>> +
>> +void bpf_jit_free(struct bpf_prog *prog)
>> +{
>> +    if (prog->jited) {
>> +        struct rv_jit_data *jit_data = prog->aux->jit_data;
>> +        struct bpf_binary_header *hdr;
>> +
>> +        /*
>> +         * If we fail the final pass of JIT (from jit_subprogs),
>> +         * the program may not be finalized yet. Call finalize here
>> +         * before freeing it.
>> +         */
>> +        if (jit_data) {
>> +            bpf_jit_binary_pack_finalize(prog, jit_data->ro_header,
>> +                             jit_data->header);
>> +            kfree(jit_data);
>> +        }
>> +        hdr = bpf_jit_binary_pack_hdr(prog);
>> +        bpf_jit_binary_pack_free(hdr, NULL);
>> +        WARN_ON_ONCE(!bpf_prog_kallsyms_verify_off(prog));
>> +    }
>> +
>> +    bpf_prog_unlock_free(prog);
>> +}
> 
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ