lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1520458979.109662.55.camel@gmail.com>
Date:   Wed, 07 Mar 2018 13:42:59 -0800
From:   Eric Dumazet <eric.dumazet@...il.com>
To:     Daniel Borkmann <daniel@...earbox.net>, ast@...nel.org
Cc:     netdev@...r.kernel.org
Subject: Re: [PATCH bpf] bpf, x64: increase number of passes

On Wed, 2018-03-07 at 22:10 +0100, Daniel Borkmann wrote:
> In Cilium some of the main programs we run today are hitting 9 passes
> on x64's JIT compiler, and we've had cases already where we surpassed
> the limit where the JIT then punts the program to the interpreter
> instead, leading to insertion failures due to
> CONFIG_BPF_JIT_ALWAYS_ON
> or insertion failures due to the prog array owner being JITed but the
> program to insert not (both must have the same JITed/non-JITed
> property).
> 
> One concrete case the program image shrunk from 12,767 bytes down to
> 10,288 bytes where the image converged after 16 steps. I've measured
> that this took 340us in the JIT until it converges on my i7-6600U.
> Thus,
> increase the original limit we had from day one where the JIT covered
> cBPF only back then before we run into the case (as similar with the
> complexity limit) where we trip over this and hit program rejections.
> Also add a cond_resched() into the compilation loop, the JIT process
> runs without any locks and may sleep anyway.
> 
> Signed-off-by: Daniel Borkmann <daniel@...earbox.net>
> Acked-by: Alexei Starovoitov <ast@...nel.org>
> ---
>  arch/x86/net/bpf_jit_comp.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/net/bpf_jit_comp.c
> b/arch/x86/net/bpf_jit_comp.c
> index 45e4eb5..ce5b2eb 100644
> --- a/arch/x86/net/bpf_jit_comp.c
> +++ b/arch/x86/net/bpf_jit_comp.c
> @@ -1188,7 +1188,7 @@ struct bpf_prog *bpf_int_jit_compile(struct
> bpf_prog *prog)
>  	 * may converge on the last pass. In such case do one more
>  	 * pass to emit the final image
>  	 */
> -	for (pass = 0; pass < 10 || image; pass++) {
> +	for (pass = 0; pass < 20 || image; pass++) {
>  		proglen = do_jit(prog, addrs, image, oldproglen,
> &ctx);
>  		if (proglen <= 0) {
>  			image = NULL;
> @@ -1215,6 +1215,7 @@ struct bpf_prog *bpf_int_jit_compile(struct
> bpf_prog *prog)
>  			}
>  		}
>  		oldproglen = proglen;
> +		cond_resched();
>  	}
>  
>  	if (bpf_jit_enable > 1)

Thanks !

Reviewed-by: Eric Dumazet <edumazet@...gle.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ