| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260102150032.53106-1-leon.hwang@linux.dev>
Date: Fri, 2 Jan 2026 23:00:28 +0800
From: Leon Hwang <leon.hwang@...ux.dev>
To: bpf@...r.kernel.org
Cc: Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>,
Martin KaFai Lau <martin.lau@...ux.dev>,
Eduard Zingerman <eddyz87@...il.com>,
Song Liu <song@...nel.org>,
Yonghong Song <yonghong.song@...ux.dev>,
John Fastabend <john.fastabend@...il.com>,
KP Singh <kpsingh@...nel.org>,
Stanislav Fomichev <sdf@...ichev.me>,
Hao Luo <haoluo@...gle.com>,
Jiri Olsa <jolsa@...nel.org>,
Puranjay Mohan <puranjay@...nel.org>,
Xu Kuohai <xukuohai@...weicloud.com>,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will@...nel.org>,
"David S . Miller" <davem@...emloft.net>,
David Ahern <dsahern@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
x86@...nel.org,
"H . Peter Anvin" <hpa@...or.com>,
Andrew Morton <akpm@...ux-foundation.org>,
linux-arm-kernel@...ts.infradead.org,
linux-kernel@...r.kernel.org,
netdev@...r.kernel.org,
kernel-patches-bot@...com,
Leon Hwang <leon.hwang@...ux.dev>
Subject: [PATCH bpf-next 0/4] bpf: tailcall: Eliminate max_entries and bpf_func access at runtime
This patch series optimizes BPF tail calls on x86_64 and arm64 by
eliminating runtime memory accesses for max_entries and 'prog->bpf_func'
when the prog array map is known at verification time.
Currently, every tail call requires:
1. Loading max_entries from the prog array map
2. Dereferencing 'prog->bpf_func' to get the target address
This series introduces a mechanism to precompute and cache the tail call
target addresses (bpf_func + prologue_offset) in the prog array itself:
array->ptrs[max_entries + index] = prog->bpf_func + prologue_offset
When a program is added to or removed from the prog array, the cached
target is atomically updated via xchg().
The verifier now encodes additional information in the tail call
instruction's imm field:
- bits 0-7: map index in used_maps[]
- bits 8-15: dynamic array flag (1 if map pointer is poisoned)
- bits 16-31: poke table index + 1 for direct tail calls
For static tail calls (map known at verification time):
- max_entries is embedded as an immediate in the comparison instruction
- The cached target from array->ptrs[max_entries + index] is used
directly, avoiding the 'prog->bpf_func' dereference
For dynamic tail calls (map pointer poisoned):
- Fall back to runtime lookup of max_entries and prog->bpf_func
This reduces cache misses and improves tail call performance for the
common case where the prog array is statically known.
Leon Hwang (4):
bpf: tailcall: Introduce bpf_arch_tail_call_prologue_offset
bpf, x64: tailcall: Eliminate max_entries and bpf_func access at
runtime
bpf, arm64: tailcall: Eliminate max_entries and bpf_func access at
runtime
bpf, lib/test_bpf: Fix broken tailcall tests
arch/arm64/net/bpf_jit_comp.c | 71 +++++++++++++++++++++++++----------
arch/x86/net/bpf_jit_comp.c | 51 ++++++++++++++++++-------
include/linux/bpf.h | 1 +
kernel/bpf/arraymap.c | 27 ++++++++++++-
kernel/bpf/verifier.c | 30 ++++++++++++++-
lib/test_bpf.c | 39 ++++++++++++++++---
6 files changed, 178 insertions(+), 41 deletions(-)
--
2.52.0
Powered by blists - more mailing lists