From: Sasha Levin <sashal@kernel•org>
To: linux-kernel@vger•kernel.org, stable@vger•kernel.org
Cc: Andrii Nakryiko <andriin@fb•com>,
Alexei Starovoitov <ast@kernel•org>, Yonghong Song <yhs@fb•com>,
Sasha Levin <sashal@kernel•org>,
netdev@vger•kernel.org, bpf@vger•kernel.org,
linux-kselftest@vger•kernel.org
Subject: [PATCH AUTOSEL 5.4 327/350] libbpf: Fix call relocation offset calculation bug
Date: Tue, 10 Dec 2019 16:07:12 -0500
Message-ID: <20191210210735.9077-288-sashal@kernel.org>
In-Reply-To: <20191210210735.9077-1-sashal@kernel.org>
From: Andrii Nakryiko <andriin@fb•com>
[ Upstream commit a0d7da26ce86a25e97ae191cb90574ada6daea98 ]
When relocating subprogram call, libbpf doesn't take into account
relo->text_off, which comes from symbol's value. This generally works fine for
subprograms implemented as static functions, but breaks for global functions.
Taking a simplified test_pkt_access.c as an example:
  __attribute__ ((noinline))
  static int test_pkt_access_subprog1(volatile struct __sk_buff *skb)
  {
          return skb->len * 2;
  }

  __attribute__ ((noinline))
  static int test_pkt_access_subprog2(int val, volatile struct __sk_buff *skb)
  {
          return skb->len + val;
  }

  SEC("classifier/test_pkt_access")
  int test_pkt_access(struct __sk_buff *skb)
  {
          if (test_pkt_access_subprog1(skb) != skb->len * 2)
                  return TC_ACT_SHOT;
          if (test_pkt_access_subprog2(2, skb) != skb->len + 2)
                  return TC_ACT_SHOT;
          return TC_ACT_UNSPEC;
  }
When compiled, we get two relocations, pointing to '.text' symbol. .text has
st_value set to 0 (it points to the beginning of .text section):
0000000000000008 000000050000000a R_BPF_64_32 0000000000000000 .text
0000000000000040 000000050000000a R_BPF_64_32 0000000000000000 .text
test_pkt_access_subprog1 and test_pkt_access_subprog2 offsets (targets of two
calls) are encoded within call instruction's imm32 part as -1 and 2,
respectively:
0000000000000000 test_pkt_access_subprog1:
0: 61 10 00 00 00 00 00 00 r0 = *(u32 *)(r1 + 0)
1: 64 00 00 00 01 00 00 00 w0 <<= 1
2: 95 00 00 00 00 00 00 00 exit
0000000000000018 test_pkt_access_subprog2:
3: 61 10 00 00 00 00 00 00 r0 = *(u32 *)(r1 + 0)
4: 04 00 00 00 02 00 00 00 w0 += 2
5: 95 00 00 00 00 00 00 00 exit
0000000000000000 test_pkt_access:
0: bf 16 00 00 00 00 00 00 r6 = r1
===> 1: 85 10 00 00 ff ff ff ff call -1
2: bc 01 00 00 00 00 00 00 w1 = w0
3: b4 00 00 00 02 00 00 00 w0 = 2
4: 61 62 00 00 00 00 00 00 r2 = *(u32 *)(r6 + 0)
5: 64 02 00 00 01 00 00 00 w2 <<= 1
6: 5e 21 08 00 00 00 00 00 if w1 != w2 goto +8 <LBB0_3>
7: bf 61 00 00 00 00 00 00 r1 = r6
===> 8: 85 10 00 00 02 00 00 00 call 2
9: bc 01 00 00 00 00 00 00 w1 = w0
10: 61 62 00 00 00 00 00 00 r2 = *(u32 *)(r6 + 0)
11: 04 02 00 00 02 00 00 00 w2 += 2
12: b4 00 00 00 ff ff ff ff w0 = -1
13: 1e 21 01 00 00 00 00 00 if w1 == w2 goto +1 <LBB0_3>
14: b4 00 00 00 02 00 00 00 w0 = 2
0000000000000078 LBB0_3:
15: 95 00 00 00 00 00 00 00 exit
Now, if we compile example with global functions, the setup changes.
Relocations are now against specifically test_pkt_access_subprog1 and
test_pkt_access_subprog2 symbols, with test_pkt_access_subprog2 pointing 24
bytes into its respective section (.text), i.e., 3 instructions in:
0000000000000008 000000070000000a R_BPF_64_32 0000000000000000 test_pkt_access_subprog1
0000000000000048 000000080000000a R_BPF_64_32 0000000000000018 test_pkt_access_subprog2
Call instructions now encode offsets relative to function symbols and are both
set to -1:
0000000000000000 test_pkt_access_subprog1:
0: 61 10 00 00 00 00 00 00 r0 = *(u32 *)(r1 + 0)
1: 64 00 00 00 01 00 00 00 w0 <<= 1
2: 95 00 00 00 00 00 00 00 exit
0000000000000018 test_pkt_access_subprog2:
3: 61 20 00 00 00 00 00 00 r0 = *(u32 *)(r2 + 0)
4: 0c 10 00 00 00 00 00 00 w0 += w1
5: 95 00 00 00 00 00 00 00 exit
0000000000000000 test_pkt_access:
0: bf 16 00 00 00 00 00 00 r6 = r1
===> 1: 85 10 00 00 ff ff ff ff call -1
2: bc 01 00 00 00 00 00 00 w1 = w0
3: b4 00 00 00 02 00 00 00 w0 = 2
4: 61 62 00 00 00 00 00 00 r2 = *(u32 *)(r6 + 0)
5: 64 02 00 00 01 00 00 00 w2 <<= 1
6: 5e 21 09 00 00 00 00 00 if w1 != w2 goto +9 <LBB2_3>
7: b4 01 00 00 02 00 00 00 w1 = 2
8: bf 62 00 00 00 00 00 00 r2 = r6
===> 9: 85 10 00 00 ff ff ff ff call -1
10: bc 01 00 00 00 00 00 00 w1 = w0
11: 61 62 00 00 00 00 00 00 r2 = *(u32 *)(r6 + 0)
12: 04 02 00 00 02 00 00 00 w2 += 2
13: b4 00 00 00 ff ff ff ff w0 = -1
14: 1e 21 01 00 00 00 00 00 if w1 == w2 goto +1 <LBB2_3>
15: b4 00 00 00 02 00 00 00 w0 = 2
0000000000000080 LBB2_3:
16: 95 00 00 00 00 00 00 00 exit
Thus the right formula to calculate target call offset after relocation should
take into account relocation's target symbol value (offset within section),
call instruction's imm32 offset, and (subtracting, to get relative instruction
offset) instruction index of call instruction itself. All that is shifted by
number of instructions in main program, given all sub-programs are copied over
after main program.
Convert a few selftests relying on bpf-to-bpf calls to use global functions
instead of static ones.
Fixes: 48cca7e44f9f ("libbpf: add support for bpf_call")
Reported-by: Alexei Starovoitov <ast@kernel•org>
Signed-off-by: Andrii Nakryiko <andriin@fb•com>
Acked-by: Yonghong Song <yhs@fb•com>
Signed-off-by: Alexei Starovoitov <ast@kernel•org>
Link: https://lore.kernel.org/bpf/20191119224447.3781271-1-andriin@fb.com
Signed-off-by: Sasha Levin <sashal@kernel•org>
---
tools/lib/bpf/libbpf.c | 8 ++++++--
tools/testing/selftests/bpf/progs/test_btf_haskv.c | 4 ++--
tools/testing/selftests/bpf/progs/test_btf_newkv.c | 4 ++--
tools/testing/selftests/bpf/progs/test_btf_nokv.c | 4 ++--
4 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index a267cd0c0ce28..6a87ff9936d7b 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -1791,9 +1791,13 @@ bpf_program__collect_reloc(struct bpf_program *prog, GElf_Shdr *shdr,
pr_warning("incorrect bpf_call opcode\n");
return -LIBBPF_ERRNO__RELOC;
}
+ if (sym.st_value % 8) {
+ pr_warn("bad call relo offset: %lu\n", sym.st_value);
+ return -LIBBPF_ERRNO__RELOC;
+ }
prog->reloc_desc[i].type = RELO_CALL;
prog->reloc_desc[i].insn_idx = insn_idx;
- prog->reloc_desc[i].text_off = sym.st_value;
+ prog->reloc_desc[i].text_off = sym.st_value / 8;
obj->has_pseudo_calls = true;
continue;
}
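Review bot: the added warning calls pr_warn(), while the unchanged context line just above it in the same function calls pr_warning(). For this 5.4 backport, confirm that pr_warn() is defined in the target tree, or use pr_warning() here so the new call matches its surroundings and the build does not depend on a macro the context lines do not use. Also check that "%lu" matches the type of sym.st_value on 32-bit builds, or cast explicitly.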
@@ -3239,7 +3243,7 @@ bpf_program__reloc_text(struct bpf_program *prog, struct bpf_object *obj,
prog->section_name);
}
insn = &prog->insns[relo->insn_idx];
- insn->imm += prog->main_prog_cnt - relo->insn_idx;
+ insn->imm += relo->text_off + prog->main_prog_cnt - relo->insn_idx;
return 0;
}
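Review bot: on the changed "insn->imm +=" line, relo->text_off is derived from the object file's symbol value (sym.st_value / 8 in the previous hunk) and is folded into the call immediate with no range check visible in this function. Consider rejecting a text_off that is not below the number of instructions in the appended .text, returning -LIBBPF_ERRNO__RELOC, so a malformed object fails at load time in libbpf rather than producing a call to an arbitrary offset. A one-line comment stating the formula (symbol offset + original imm + main_prog_cnt - insn_idx) would also help the next reader.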
diff --git a/tools/testing/selftests/bpf/progs/test_btf_haskv.c b/tools/testing/selftests/bpf/progs/test_btf_haskv.c
index e5c79fe0ffdb2..d65c61e64df2f 100644
--- a/tools/testing/selftests/bpf/progs/test_btf_haskv.c
+++ b/tools/testing/selftests/bpf/progs/test_btf_haskv.c
@@ -25,7 +25,7 @@ struct dummy_tracepoint_args {
};
__attribute__((noinline))
-static int test_long_fname_2(struct dummy_tracepoint_args *arg)
+int test_long_fname_2(struct dummy_tracepoint_args *arg)
{
struct ipv_counts *counts;
int key = 0;
@@ -43,7 +43,7 @@ static int test_long_fname_2(struct dummy_tracepoint_args *arg)
}
__attribute__((noinline))
-static int test_long_fname_1(struct dummy_tracepoint_args *arg)
+int test_long_fname_1(struct dummy_tracepoint_args *arg)
{
return test_long_fname_2(arg);
}
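Review bot: with test_long_fname_1 and test_long_fname_2 both changed from static to global here (and the same change made in test_btf_newkv.c and test_btf_nokv.c below), these three files no longer exercise the static-function call path, where the relocation is against the section symbol with value 0. Consider keeping one helper static, or leaving one of the three files unconverted, so both relocation shapes stay covered.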
diff --git a/tools/testing/selftests/bpf/progs/test_btf_newkv.c b/tools/testing/selftests/bpf/progs/test_btf_newkv.c
index 5ee3622ddebb6..8e83317db841f 100644
--- a/tools/testing/selftests/bpf/progs/test_btf_newkv.c
+++ b/tools/testing/selftests/bpf/progs/test_btf_newkv.c
@@ -33,7 +33,7 @@ struct dummy_tracepoint_args {
};
__attribute__((noinline))
-static int test_long_fname_2(struct dummy_tracepoint_args *arg)
+int test_long_fname_2(struct dummy_tracepoint_args *arg)
{
struct ipv_counts *counts;
int key = 0;
@@ -56,7 +56,7 @@ static int test_long_fname_2(struct dummy_tracepoint_args *arg)
}
__attribute__((noinline))
-static int test_long_fname_1(struct dummy_tracepoint_args *arg)
+int test_long_fname_1(struct dummy_tracepoint_args *arg)
{
return test_long_fname_2(arg);
}
diff --git a/tools/testing/selftests/bpf/progs/test_btf_nokv.c b/tools/testing/selftests/bpf/progs/test_btf_nokv.c
index 434188c377743..3f44220447594 100644
--- a/tools/testing/selftests/bpf/progs/test_btf_nokv.c
+++ b/tools/testing/selftests/bpf/progs/test_btf_nokv.c
@@ -23,7 +23,7 @@ struct dummy_tracepoint_args {
};
__attribute__((noinline))
-static int test_long_fname_2(struct dummy_tracepoint_args *arg)
+int test_long_fname_2(struct dummy_tracepoint_args *arg)
{
struct ipv_counts *counts;
int key = 0;
@@ -41,7 +41,7 @@ static int test_long_fname_2(struct dummy_tracepoint_args *arg)
}
__attribute__((noinline))
-static int test_long_fname_1(struct dummy_tracepoint_args *arg)
+int test_long_fname_1(struct dummy_tracepoint_args *arg)
{
return test_long_fname_2(arg);
}
--
2.20.1
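
The relocation arithmetic described in the commit message, worked through with the numbers from its two listings. This is an added example, not code from the patch or from libbpf: struct call_relo and the function names are hypothetical, and main_cnt is the main program's instruction count read off the listings (16 for the static build, 17 for the global one).

```c
#include <stdint.h>
#include <stdio.h>

#define BPF_INSN_SZ 8 /* every BPF instruction is 8 bytes */

/* Hypothetical, simplified view of one call relocation (not libbpf's struct). */
struct call_relo {
	uint64_t st_value; /* target symbol's byte offset inside .text */
	int32_t imm;       /* imm32 the compiler left in the call instruction */
	int insn_idx;      /* index of the call instruction in the main program */
};

/* Formula before the fix: the symbol value is ignored. */
static int32_t imm_before_fix(const struct call_relo *r, int main_cnt)
{
	return r->imm + main_cnt - r->insn_idx;
}

/* Formula after the fix. Returns 0 and fills *out, or -1 if st_value is
 * not a multiple of the instruction size. */
static int imm_after_fix(const struct call_relo *r, int main_cnt, int32_t *out)
{
	if (r->st_value % BPF_INSN_SZ)
		return -1;
	*out = r->imm + (int32_t)(r->st_value / BPF_INSN_SZ)
	       + main_cnt - r->insn_idx;
	return 0;
}

/* A BPF call lands on insn_idx + 1 + imm; subtracting main_cnt gives the
 * instruction index inside the .text copy appended after the main program. */
static int text_target(const struct call_relo *r, int main_cnt, int32_t imm)
{
	return r->insn_idx + 1 + imm - main_cnt;
}

/* Calls to test_pkt_access_subprog2, values read off the two listings. */
static const struct call_relo static_sub2 = { 0x00, 2, 8 };  /* main_cnt 16 */
static const struct call_relo global_sub2 = { 0x18, -1, 9 }; /* main_cnt 17 */

int main(void)
{
	int32_t fixed;

	printf("static: old target %d\n",
	       text_target(&static_sub2, 16, imm_before_fix(&static_sub2, 16)));
	printf("global: old target %d\n",
	       text_target(&global_sub2, 17, imm_before_fix(&global_sub2, 17)));
	if (imm_after_fix(&global_sub2, 17, &fixed) == 0)
		printf("global: new target %d\n",
		       text_target(&global_sub2, 17, fixed));
	return 0;
}
```

test_pkt_access_subprog2 starts at instruction 3 of .text in both listings; for the global build the pre-fix formula resolves the second call to instruction 0, which is test_pkt_access_subprog1.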