Open Source and information security mailing list archives
Message-ID: <20251114092450.172024-1-dongml2@chinatelecom.cn>
Date: Fri, 14 Nov 2025 17:24:43 +0800
From: Menglong Dong <menglong8.dong@...il.com>
To: ast@...nel.org,
	rostedt@...dmis.org
Cc: daniel@...earbox.net,
	john.fastabend@...il.com,
	andrii@...nel.org,
	martin.lau@...ux.dev,
	eddyz87@...il.com,
	song@...nel.org,
	yonghong.song@...ux.dev,
	kpsingh@...nel.org,
	sdf@...ichev.me,
	haoluo@...gle.com,
	jolsa@...nel.org,
	mhiramat@...nel.org,
	mark.rutland@....com,
	mathieu.desnoyers@...icios.com,
	bpf@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	linux-trace-kernel@...r.kernel.org
Subject: [PATCH RFC bpf-next 0/7] bpf trampoline support "jmp" mode

For now, the bpf trampoline is called by the "call" instruction. However,
it breaks the RSB and introduces extra overhead on the x86_64 arch.

For example, if we hook the function "foo" with fexit, the call and return
logic will be like this:
  call foo -> call trampoline -> call foo-body ->
  return foo-body -> return foo

As we can see above, there are 3 calls but 2 returns, which breaks the RSB
balance. We can add a pseudo "return" here, but it's not the best choice,
as it will still cause one RSB miss:
  call foo -> call trampoline -> call foo-body ->
  return foo-body -> return dummy -> return foo

The "return dummy" doesn't pair with the "call trampoline", which can also
cause an RSB miss.

Therefore, we introduce the "jmp" mode for bpf trampoline, as advised by
Alexei in [1]. And the logic will become this:
  call foo -> jmp trampoline -> call foo-body ->
  return foo-body -> return foo

As we can see above, the RSB is totally balanced. After the modification,
the performance of fexit increases from 76M/s to 130M/s.

In this series, we introduce the FTRACE_OPS_FL_JMP for ftrace to make it
use the "jmp" instruction instead of "call".

And we introduce the bpf_arch_text_poke_type(), which is able to specify
both the current and new opcode.

Not sure if I should split the first 2 patches into a separate series and
send to the ftrace tree.

Link: https://lore.kernel.org/bpf/CAADnVQLX54sVi1oaHrkSiLqjJaJdm3TQjoVrgU-LZimK6iDcSA@mail.gmail.com/ [1]
Menglong Dong (7):
  ftrace: introduce FTRACE_OPS_FL_JMP
  x86/ftrace: implement DYNAMIC_FTRACE_WITH_JMP
  bpf: fix the usage of BPF_TRAMP_F_SKIP_FRAME
  bpf,x86: adjust the "jmp" mode for bpf trampoline
  bpf: introduce bpf_arch_text_poke_type
  bpf,x86: implement bpf_arch_text_poke_type for x86_64
  bpf: implement "jmp" mode for trampoline

 arch/riscv/net/bpf_jit_comp64.c |  2 +-
 arch/x86/Kconfig                |  1 +
 arch/x86/kernel/ftrace.c        |  7 ++++-
 arch/x86/kernel/ftrace_64.S     | 12 +++++++-
 arch/x86/net/bpf_jit_comp.c     | 45 ++++++++++++++++++++--------
 include/linux/bpf.h             | 22 ++++++++++++++
 include/linux/ftrace.h          | 48 +++++++++++++++++++++++++++++
 kernel/bpf/core.c               | 10 +++++++
 kernel/bpf/trampoline.c         | 53 +++++++++++++++++++++++++++------
 kernel/trace/Kconfig            | 12 ++++++++
 kernel/trace/ftrace.c           |  9 +++++-
 11 files changed, 195 insertions(+), 26 deletions(-)

-- 
2.51.2
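The following is an added illustration of the RSB-balance argument made in the cover letter above; it is not part of the patch series and is not Menglong Dong's code. It models the return stack buffer as a simple LIFO of return sites, then replays the three instruction sequences from the cover letter ("call" mode, "call" mode with a dummy return, and "jmp" mode) and counts how many `ret` instructions would be predicted from the wrong entry and how many entries are left unpaired. The return-site labels, the RSB depth, and the assumption that the dummy return lands at a target other than the address pushed by "call trampoline" are all constructed for this example.

```c
#include <stdio.h>

/* Model of an RSB: a fixed-depth LIFO of predicted return sites. Real
 * hardware details (wrap-around, underflow fallback to the BTB) are
 * deliberately simplified; this is an illustration, not a microarch model. */
#define RSB_DEPTH 16

enum op { OP_CALL, OP_JMP, OP_RET };

/* Constructed return-site identifiers for the cover letter's scenario. */
enum site {
    SITE_CALLER,        /* instruction after "call foo" in foo's caller     */
    SITE_FOO_ENTRY,     /* instruction after the patched "call trampoline" */
    SITE_TRAMP,         /* instruction after "call foo-body" in trampoline */
    SITE_DUMMY          /* assumed: wherever "return dummy" actually lands  */
};

struct insn {
    enum op op;
    const char *label;
    enum site site;     /* CALL: site pushed; RET: actual target; JMP: unused */
};

struct rsb_result {
    int mispredicts;    /* rets whose predicted site != actual target */
    int leftover;       /* entries still in the RSB at the end        */
};

static struct rsb_result simulate(const struct insn *seq, int n)
{
    enum site stack[RSB_DEPTH];
    int top = 0;
    struct rsb_result r = { 0, 0 };

    for (int i = 0; i < n; i++) {
        switch (seq[i].op) {
        case OP_CALL:                       /* push the return site */
            if (top < RSB_DEPTH)
                stack[top++] = seq[i].site;
            break;
        case OP_JMP:                        /* no RSB interaction */
            break;
        case OP_RET:                        /* predict from the top entry */
            if (top == 0 || stack[--top] != seq[i].site)
                r.mispredicts++;
            break;
        }
    }
    r.leftover = top;
    return r;
}

/* call foo -> call trampoline -> call foo-body -> return foo-body -> return foo */
struct rsb_result call_mode(void)
{
    static const struct insn seq[] = {
        { OP_CALL, "call foo",        SITE_CALLER },
        { OP_CALL, "call trampoline", SITE_FOO_ENTRY },
        { OP_CALL, "call foo-body",   SITE_TRAMP },
        { OP_RET,  "return foo-body", SITE_TRAMP },
        { OP_RET,  "return foo",      SITE_CALLER },   /* predicted: SITE_FOO_ENTRY */
    };
    return simulate(seq, sizeof(seq) / sizeof(seq[0]));
}

/* Same, with a pseudo "return dummy" inserted to rebalance the count. */
struct rsb_result dummy_ret_mode(void)
{
    static const struct insn seq[] = {
        { OP_CALL, "call foo",        SITE_CALLER },
        { OP_CALL, "call trampoline", SITE_FOO_ENTRY },
        { OP_CALL, "call foo-body",   SITE_TRAMP },
        { OP_RET,  "return foo-body", SITE_TRAMP },
        { OP_RET,  "return dummy",    SITE_DUMMY },    /* predicted: SITE_FOO_ENTRY */
        { OP_RET,  "return foo",      SITE_CALLER },
    };
    return simulate(seq, sizeof(seq) / sizeof(seq[0]));
}

/* call foo -> jmp trampoline -> call foo-body -> return foo-body -> return foo */
struct rsb_result jmp_mode(void)
{
    static const struct insn seq[] = {
        { OP_CALL, "call foo",        SITE_CALLER },
        { OP_JMP,  "jmp trampoline",  SITE_FOO_ENTRY },
        { OP_CALL, "call foo-body",   SITE_TRAMP },
        { OP_RET,  "return foo-body", SITE_TRAMP },
        { OP_RET,  "return foo",      SITE_CALLER },
    };
    return simulate(seq, sizeof(seq) / sizeof(seq[0]));
}

static void report(const char *name, struct rsb_result r)
{
    printf("%-16s mispredicts=%d leftover=%d\n", name, r.mispredicts, r.leftover);
}

int main(void)
{
    report("call mode", call_mode());
    report("dummy return", dummy_ret_mode());
    report("jmp mode", jmp_mode());
    return 0;
}
```

In this model "call" mode leaves one entry stranded and mispredicts the final return, the dummy return rebalances the depth but still mispredicts once, and "jmp" mode pairs every `call` with its `ret`, which is the property the series relies on for the fexit speedup quoted above.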
