Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp891401pxp; Wed, 16 Mar 2022 20:21:58 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzsSPXjbkSL2TnBOfqvmmmYeE70zsZ3/gGq3nVNqBD8RT/Ubj2Vbd1oZJaVrvoUp8d1Ql+o X-Received: by 2002:a63:c00c:0:b0:37c:942e:6c3c with SMTP id h12-20020a63c00c000000b0037c942e6c3cmr2133853pgg.336.1647487318432; Wed, 16 Mar 2022 20:21:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1647487318; cv=none; d=google.com; s=arc-20160816; b=fSv0BXSCBcaLce6AnrM55yoLxOS3HNZ/pLwbiTZjJYhXKasEdHbGNc0s7teclHxuqX dHuY5D2HaWJWXuo4LvmHY8H+02WjZoVwb0MaFTefx25W9OGTHRrx+cg6Rvcc1G5ijJzU klVjbDpzaTI1Fro4QdkEX6VtdXDs/Y1Q1IPsnpBehTMsFzwPk6PLGYaQ08lscYcX0EKM SAyYDXWLTbSN/jMHYwl3TLBwyDciQhT7j411XBK4fbJJoJ9v7VZzqU991gRm8H8M78Aw j/fyprMHl9rpWM2IqjJuw1quaZj38nM2Z4LmQ57vv51w5xI6c0d9VOhox9xfgH8BN+W4 /lfg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=GCxpSBs3Gx6ynfc4UHzJ++m/rIraYosWSpTUGwQPXIk=; b=cpyBsOhE7Y9Bs7EHKatffFiYX0a/yFD83QJS5Jd9NOqmpzvy4u0zrPGkmaK8e0Lb4M +FbE+afBmmeqOhQ21AcOikK3gzD/s6cbt3K8lFrW1r0A0BZMJw1kgji+S5T+DJ1l4UUi 4BMfEi8fqGb/cPoYiaD1kHzL2sYBNausGom5bQJKGpVQr4rFoOhXg1oc/K93NC9iR/Th Gpz6nYjsiEaFv0ByDte90o9X9WQJpY++Wl3BFaz9fJKXBKZCydlTMJdxvePpqP7H98ZK keNpHQK9vzqtatw9PaPuAjIaspPse3IcUN1AFaoAEkUEDklEf+rNa8ZGKhFGDAdb6xYj mNYw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=hYB0QIH3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id p24-20020a634f58000000b003816043f049si921101pgl.574.2022.03.16.20.21.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 16 Mar 2022 20:21:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=hYB0QIH3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 589FF27B1A; Wed, 16 Mar 2022 20:21:49 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1355267AbiCPLOC (ORCPT + 99 others); Wed, 16 Mar 2022 07:14:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45740 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345082AbiCPLOA (ORCPT ); Wed, 16 Mar 2022 07:14:00 -0400 Received: from mail-pf1-x443.google.com (mail-pf1-x443.google.com [IPv6:2607:f8b0:4864:20::443]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5273E64BE0; Wed, 16 Mar 2022 04:12:46 -0700 (PDT) Received: by mail-pf1-x443.google.com with SMTP id t5so3644679pfg.4; Wed, 16 Mar 2022 04:12:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=GCxpSBs3Gx6ynfc4UHzJ++m/rIraYosWSpTUGwQPXIk=; b=hYB0QIH3TFBnwMq4um2DykqO+IY6LgrkypF/Vro++4c+V6P5d28O8oBBGRq3RXmf9Y HE0rtJIZeIoqO0zCzPRgYvaDGHlGNB3m0F6XTkPwZ3iHfYkvsZqCEs7mj3vHO2PZr/vG CljBkQQf2leIlM1J/xhtnbUHA0yfuhHbPDUmeySsXdneK+Uno3lN/ICBQTjd9OgzAkvC crea+AZcrU5DpFHcQCwOLE4uR84FsZAFS7+T6P4u2kHhxrw9xi6sBsJ6auhtfGz2z8p7 62j8yXTAEEFrlR2iG6eItka7cWI97nvLnyL0H7M+56SQdPDn1y80MDaEzHHhOkxHQNLW cdWg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=GCxpSBs3Gx6ynfc4UHzJ++m/rIraYosWSpTUGwQPXIk=; b=3OF7t+xR5EF4rIY1uTn0fh6fYHfGawSlDD5xi0RsFQovJA5lVDWklTpLhfiTbqU1w7 DZkwJed6/bMzwiSYMpQzxF52GBGN/JzwwMM08jK/cMbGAEyazVwddR2e6Ol/fBvYkvsO 2gGUpE2qcwY02D8aw/iGYS+vfybjEat4mU/tXlYrVIqorp3fvxTyRQD3BZJvD1vRGZbR U2saOyBLbecdWoJrjgTvcsfii/Bfa7EF2kpHMgj2/ay3no7UUC5FBFhOQssoESquteqw vB7AljyezMrahq9NZFv2fP2twRA8j7MxCvz7bO9bof7I6LSgo78kAjn3xCBB+tUtWUuk KfbQ== X-Gm-Message-State: AOAM533PVB+UOc21iHGqE5MWfMcQ/pVwxMHGcS8VOmObQP1sfPpUgyyD hlpMMZmwxwHuFlA8/u1bVGg= X-Received: by 2002:a05:6a00:1894:b0:4f7:288:9844 with SMTP id x20-20020a056a00189400b004f702889844mr32841290pfh.28.1647429165675; Wed, 16 Mar 2022 04:12:45 -0700 (PDT) Received: from localhost ([157.51.0.106]) by smtp.gmail.com with ESMTPSA id y32-20020a056a001ca000b004fa201a613fsm2368084pfw.196.2022.03.16.04.12.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 16 Mar 2022 04:12:45 -0700 (PDT) Date: Wed, 16 Mar 2022 16:42:41 +0530 From: Kumar Kartikeya Dwivedi To: Peter Zijlstra Cc: Alexei Starovoitov , X86 ML , joao@overdrivepizza.com, hjl.tools@gmail.com, Josh Poimboeuf , Andrew Cooper , LKML , Nick Desaulniers , Kees Cook , Sami Tolvanen , Mark Rutland , alyssa.milburn@intel.com, Miroslav Benes , Steven Rostedt , Masami Hiramatsu , Daniel Borkmann , Andrii Nakryiko , bpf Subject: Re: [PATCH v4 00/45] x86: Kernel IBT Message-ID: <20220316111241.ru77bmspycbar7dx@apollo> References: <20220312154407.GF28057@worktop.programming.kicks-ass.net> <20220314204402.rpd5hqzzev4ugtdt@apollo> <20220315090043.GB8939@worktop.programming.kicks-ass.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 16, 2022 at 03:05:38PM IST, Peter Zijlstra wrote: > On Tue, Mar 15, 2022 at 10:00:43AM +0100, Peter Zijlstra wrote: > > On Tue, Mar 15, 2022 at 02:14:02AM +0530, Kumar Kartikeya Dwivedi wrote: > > > > > [ Note: I have no experience with trampoline code or IBT so what follows might > > > be incorrect. ] > > > > > > In case of fexit and fmod_ret, we call original function (but skip > > > X86_PATCH_SIZE bytes), with ENDBR we must also skip those 4 bytes, but in some > > > cases like bpf_fentry_test1, for which this test has fmod_ret prog, compiler > > > (gcc 11) emits endbr64, but not for do_init_module, for which we do fexit. > > > > > > This means for do_init_module module, orig_call += X86_PATCH_SIZE + > > > ENDBR_INSN_SIZE would skip more bytes than needed to emit call to original > > > function, which explains why I was seeing crash in the middle of > > > 'mov edx, 0x10' instruction. > > > > > > The diff below fixes the problem for me, and allows the test to pass. > > > > > > diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c > > > index b98e1c95bcc4..760c9a3c075f 100644 > > > --- a/arch/x86/net/bpf_jit_comp.c > > > +++ b/arch/x86/net/bpf_jit_comp.c > > > @@ -2031,11 +2031,14 @@ int arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *image, void *i > > > > > > ip_off = stack_size; > > > > > > - if (flags & BPF_TRAMP_F_SKIP_FRAME) > > > + if (flags & BPF_TRAMP_F_SKIP_FRAME) { > > > /* skip patched call instruction and point orig_call to actual > > > * body of the kernel function. > > > */ > > > - orig_call += X86_PATCH_SIZE + ENDBR_INSN_SIZE; > > > + if (is_endbr(*(u32 *)orig_call)) > > > + orig_call += ENDBR_INSN_SIZE; > > > + orig_call += X86_PATCH_SIZE; > > > + } > > > > > > prog = image; > > > > Hmm, so I was under the impression that this was targeting the NOP from > > emit_prologue(), and that has an unconditional ENDBR. If this is instead > > targeting the 'start of random kernel function' then yes, what you > > propose will work. > > Can you confirm that orig_call can be any kernel function? Because if > so, I'm thinking it will still do the wrong thing for a notrace > function, that will not have a __fentry__ site, so unconditionally > skipping those 5 bytes will place you somewhere non-sensible. > It fails for notrace functions, e.g. considering fentry prog, when bpf_trampoline_link_prog -> bpf_trampoline_update eventually calls register_fentry -> bpf_arch_text_poke, old_addr is NULL, so nop_insn is copied to old_insn, and then that memcmp(ip, old_insn, X86_PATCH_SIZE) should fail, so it would return -EBUSY. If you consider modify_fentry case, then register_fentry for earlier prog must have succeeded, so it must not be notrace function. The orig_call adjustment is only done for fexit and fmod_ret (they set CALL_ORIG and SKIP_FRAME flags), because in case of just fentry we just continue after ret, instead of emitting call to original function in trampoline, for those too the bpf_arch_text_poke should fail, for the same reason as above. > This would not be a new issue; but perhaps it should be clarified and or > fixed. Based on my inspection it looks fine, others can correct me if I'm wrong. -- Kartikeya