[v3,bpf-next,15/18] bpf: Support attaching tracing BPF program to other BPF programs

Allow FENTRY/FEXIT BPF programs to attach to other BPF programs of any type
including their subprograms. This feature allows snooping on input and output
packets in XDP, TC programs including their return values. In order to do that
the verifier needs to track types not only of vmlinux, but types of other BPF
programs as well. The verifier also needs to translate uapi/linux/bpf.h types
used by networking programs into kernel internal BTF types used by FENTRY/FEXIT
BPF programs. In some cases LLVM optimizations can remove arguments from BPF
subprograms without adjusting BTF info that LLVM backend knows. When BTF info
disagrees with actual types that the verifiers sees the BPF trampoline has to
fallback to conservative and treat all arguments as u64. The FENTRY/FEXIT
program can still attach to such subprograms, but won't be able to recognize
pointer types like 'struct sk_buff *' into won't be able to pass them to
bpf_skb_output() for dumping to user space.

The BPF_PROG_LOAD command is extended with attach_prog_fd field. When it's set
to zero the attach_btf_id is one vmlinux BTF type ids. When attach_prog_fd
points to previously loaded BPF program the attach_btf_id is BTF type id of
main function or one of its subprograms.

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
---
 arch/x86/net/bpf_jit_comp.c |  3 +-
 include/linux/bpf.h         |  2 +
 include/linux/btf.h         |  1 +
 include/uapi/linux/bpf.h    |  1 +
 kernel/bpf/btf.c            | 58 +++++++++++++++++++---
 kernel/bpf/core.c           |  2 +
 kernel/bpf/syscall.c        | 19 +++++--
 kernel/bpf/verifier.c       | 98 +++++++++++++++++++++++++++++--------
 kernel/trace/bpf_trace.c    |  2 -
 9 files changed, 151 insertions(+), 35 deletions(-)

> On Nov 7, 2019, at 10:40 PM, Alexei Starovoitov <ast@kernel.org> wrote:
> 
> Allow FENTRY/FEXIT BPF programs to attach to other BPF programs of any type
> including their subprograms. This feature allows snooping on input and output
> packets in XDP, TC programs including their return values. In order to do that
> the verifier needs to track types not only of vmlinux, but types of other BPF
> programs as well. The verifier also needs to translate uapi/linux/bpf.h types
> used by networking programs into kernel internal BTF types used by FENTRY/FEXIT
> BPF programs. In some cases LLVM optimizations can remove arguments from BPF
> subprograms without adjusting BTF info that LLVM backend knows. When BTF info
> disagrees with actual types that the verifiers sees the BPF trampoline has to
> fallback to conservative and treat all arguments as u64. The FENTRY/FEXIT
> program can still attach to such subprograms, but won't be able to recognize
> pointer types like 'struct sk_buff *' into won't be able to pass them to
					^^^^^ these few words are confusing
> bpf_skb_output() for dumping to user space.
> 
> The BPF_PROG_LOAD command is extended with attach_prog_fd field. When it's set
> to zero the attach_btf_id is one vmlinux BTF type ids. When attach_prog_fd
> points to previously loaded BPF program the attach_btf_id is BTF type id of
> main function or one of its subprograms.
> 
> Signed-off-by: Alexei Starovoitov <ast@kernel.org>
> 

[...]

> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index cd9a9395c4b5..f385c4043594 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -9390,13 +9390,17 @@ static void print_verification_stats(struct bpf_verifier_env *env)
> static int check_attach_btf_id(struct bpf_verifier_env *env)
> {
> 	struct bpf_prog *prog = env->prog;
> +	struct bpf_prog *tgt_prog = prog->aux->linked_prog;
> 	u32 btf_id = prog->aux->attach_btf_id;
> 	const char prefix[] = "btf_trace_";
> 	struct bpf_trampoline *tr;
> 	const struct btf_type *t;
> +	int ret, subprog = -1, i;
> +	bool conservative = true;
> 	const char *tname;
> +	struct btf *btf;
> 	long addr;
> -	int ret;
> +	u64 key;
> 
> 	if (prog->type != BPF_PROG_TYPE_TRACING)
> 		return 0;
> @@ -9405,19 +9409,42 @@ static int check_attach_btf_id(struct bpf_verifier_env *env)
> 		verbose(env, "Tracing programs must provide btf_id\n");
> 		return -EINVAL;
> 	}
> -	t = btf_type_by_id(btf_vmlinux, btf_id);
> +	btf = bpf_prog_get_target_btf(prog);

btf could be NULL here, so we need to check it?


[...]

On 11/8/19 10:49 AM, Song Liu wrote:
> 
> 
>> On Nov 7, 2019, at 10:40 PM, Alexei Starovoitov <ast@kernel.org> wrote:
>>
>> Allow FENTRY/FEXIT BPF programs to attach to other BPF programs of any type
>> including their subprograms. This feature allows snooping on input and output
>> packets in XDP, TC programs including their return values. In order to do that
>> the verifier needs to track types not only of vmlinux, but types of other BPF
>> programs as well. The verifier also needs to translate uapi/linux/bpf.h types
>> used by networking programs into kernel internal BTF types used by FENTRY/FEXIT
>> BPF programs. In some cases LLVM optimizations can remove arguments from BPF
>> subprograms without adjusting BTF info that LLVM backend knows. When BTF info
>> disagrees with actual types that the verifiers sees the BPF trampoline has to
>> fallback to conservative and treat all arguments as u64. The FENTRY/FEXIT
>> program can still attach to such subprograms, but won't be able to recognize
>> pointer types like 'struct sk_buff *' into won't be able to pass them to
> 					^^^^^ these few words are confusing

yep. will fix.

>> bpf_skb_output() for dumping to user space.
>>
>> The BPF_PROG_LOAD command is extended with attach_prog_fd field. When it's set
>> to zero the attach_btf_id is one vmlinux BTF type ids. When attach_prog_fd
>> points to previously loaded BPF program the attach_btf_id is BTF type id of
>> main function or one of its subprograms.
>>
>> Signed-off-by: Alexei Starovoitov <ast@kernel.org>
>>
> 
> [...]
> 
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index cd9a9395c4b5..f385c4043594 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -9390,13 +9390,17 @@ static void print_verification_stats(struct bpf_verifier_env *env)
>> static int check_attach_btf_id(struct bpf_verifier_env *env)
>> {
>> 	struct bpf_prog *prog = env->prog;
>> +	struct bpf_prog *tgt_prog = prog->aux->linked_prog;
>> 	u32 btf_id = prog->aux->attach_btf_id;
>> 	const char prefix[] = "btf_trace_";
>> 	struct bpf_trampoline *tr;
>> 	const struct btf_type *t;
>> +	int ret, subprog = -1, i;
>> +	bool conservative = true;
>> 	const char *tname;
>> +	struct btf *btf;
>> 	long addr;
>> -	int ret;
>> +	u64 key;
>>
>> 	if (prog->type != BPF_PROG_TYPE_TRACING)
>> 		return 0;
>> @@ -9405,19 +9409,42 @@ static int check_attach_btf_id(struct bpf_verifier_env *env)
>> 		verbose(env, "Tracing programs must provide btf_id\n");
>> 		return -EINVAL;
>> 	}
>> -	t = btf_type_by_id(btf_vmlinux, btf_id);
>> +	btf = bpf_prog_get_target_btf(prog);
> 
> btf could be NULL here, so we need to check it?

yep. will fix.

Alexei Starovoitov <ast@kernel.org> writes:

> Allow FENTRY/FEXIT BPF programs to attach to other BPF programs of any type
> including their subprograms. This feature allows snooping on input and output
> packets in XDP, TC programs including their return values. In order to do that
> the verifier needs to track types not only of vmlinux, but types of other BPF
> programs as well. The verifier also needs to translate uapi/linux/bpf.h types
> used by networking programs into kernel internal BTF types used by FENTRY/FEXIT
> BPF programs. In some cases LLVM optimizations can remove arguments from BPF
> subprograms without adjusting BTF info that LLVM backend knows. When BTF info
> disagrees with actual types that the verifiers sees the BPF trampoline has to
> fallback to conservative and treat all arguments as u64. The FENTRY/FEXIT
> program can still attach to such subprograms, but won't be able to recognize
> pointer types like 'struct sk_buff *' into won't be able to pass them to
> bpf_skb_output() for dumping to user space.
>
> The BPF_PROG_LOAD command is extended with attach_prog_fd field. When it's set
> to zero the attach_btf_id is one vmlinux BTF type ids. When attach_prog_fd
> points to previously loaded BPF program the attach_btf_id is BTF type id of
> main function or one of its subprograms.
>
> Signed-off-by: Alexei Starovoitov <ast@kernel.org>

This is cool! Certainly solves the xdpdump use case; thanks!

I do have a few questions (thinking about whether it can also be used
for running multiple XDP programs):

- Can a FEXIT function loaded this way only *observe* the return code of
  the BPF program it attaches to, or can it also change it?

- Is it possible to attach multiple FENTRY/FEXIT programs to the same
  XDP program and/or to recursively attach FENTRY/FEXIT programs to each
  other?

- Could it be possible for an FENTRY/FEXIT program to call into another
  XDP program (i.e., one that has the regular XDP program type)?

-Toke

On Fri, Nov 08, 2019 at 09:17:12PM +0100, Toke Høiland-Jørgensen wrote:
> Alexei Starovoitov <ast@kernel.org> writes:
> 
> > Allow FENTRY/FEXIT BPF programs to attach to other BPF programs of any type
> > including their subprograms. This feature allows snooping on input and output
> > packets in XDP, TC programs including their return values. In order to do that
> > the verifier needs to track types not only of vmlinux, but types of other BPF
> > programs as well. The verifier also needs to translate uapi/linux/bpf.h types
> > used by networking programs into kernel internal BTF types used by FENTRY/FEXIT
> > BPF programs. In some cases LLVM optimizations can remove arguments from BPF
> > subprograms without adjusting BTF info that LLVM backend knows. When BTF info
> > disagrees with actual types that the verifiers sees the BPF trampoline has to
> > fallback to conservative and treat all arguments as u64. The FENTRY/FEXIT
> > program can still attach to such subprograms, but won't be able to recognize
> > pointer types like 'struct sk_buff *' into won't be able to pass them to
> > bpf_skb_output() for dumping to user space.
> >
> > The BPF_PROG_LOAD command is extended with attach_prog_fd field. When it's set
> > to zero the attach_btf_id is one vmlinux BTF type ids. When attach_prog_fd
> > points to previously loaded BPF program the attach_btf_id is BTF type id of
> > main function or one of its subprograms.
> >
> > Signed-off-by: Alexei Starovoitov <ast@kernel.org>
> 
> This is cool! Certainly solves the xdpdump use case; thanks!
> 
> I do have a few questions (thinking about whether it can also be used
> for running multiple XDP programs):

excellent questions.

> - Can a FEXIT function loaded this way only *observe* the return code of
>   the BPF program it attaches to, or can it also change it?

yes. the verifier can be taught to support that for certain class of programs.
That needs careful thinking to make sure it's safe.

> - Is it possible to attach multiple FENTRY/FEXIT programs to the same
>   XDP program 

Yes. Already possible. See fexit_stress.c that attaches 40 progs to the same
kernel function. Same thing when attaching fexit BPF to any XDP program.
Since all of them are read only tracing prog all progs have access to skb on
input and ouput along with unmodified return value.

> and/or to recursively attach FENTRY/FEXIT programs to each
>   other?

Not right now to avoid complex logic of detecting cycles. See simple bit:
   if (tgt_prog->type == BPF_PROG_TYPE_TRACING) {
           /* prevent cycles */
           verbose(env, "Cannot recursively attach\n");

> - Could it be possible for an FENTRY/FEXIT program to call into another
>   XDP program (i.e., one that has the regular XDP program type)?

It's possible to teach verifier to do that, but we probably shouldn't take that
route. Instead I've started exploring the idea of dynamic linking. The
trampoline logic will be used to replace existing BPF program or subprogram
instead of attaching read-only to it. If types match the new program can
replace existing one. The concept allows to build any kind of callchain
programmatically. Pretty much what Ed proposed with static linking, but doing
it dynamically. I'll start a separate email thread explaining details.

Alexei Starovoitov <alexei.starovoitov@gmail.com> writes:

> On Fri, Nov 08, 2019 at 09:17:12PM +0100, Toke Høiland-Jørgensen wrote:
>> Alexei Starovoitov <ast@kernel.org> writes:
>> 
>> > Allow FENTRY/FEXIT BPF programs to attach to other BPF programs of any type
>> > including their subprograms. This feature allows snooping on input and output
>> > packets in XDP, TC programs including their return values. In order to do that
>> > the verifier needs to track types not only of vmlinux, but types of other BPF
>> > programs as well. The verifier also needs to translate uapi/linux/bpf.h types
>> > used by networking programs into kernel internal BTF types used by FENTRY/FEXIT
>> > BPF programs. In some cases LLVM optimizations can remove arguments from BPF
>> > subprograms without adjusting BTF info that LLVM backend knows. When BTF info
>> > disagrees with actual types that the verifiers sees the BPF trampoline has to
>> > fallback to conservative and treat all arguments as u64. The FENTRY/FEXIT
>> > program can still attach to such subprograms, but won't be able to recognize
>> > pointer types like 'struct sk_buff *' into won't be able to pass them to
>> > bpf_skb_output() for dumping to user space.
>> >
>> > The BPF_PROG_LOAD command is extended with attach_prog_fd field. When it's set
>> > to zero the attach_btf_id is one vmlinux BTF type ids. When attach_prog_fd
>> > points to previously loaded BPF program the attach_btf_id is BTF type id of
>> > main function or one of its subprograms.
>> >
>> > Signed-off-by: Alexei Starovoitov <ast@kernel.org>
>> 
>> This is cool! Certainly solves the xdpdump use case; thanks!
>> 
>> I do have a few questions (thinking about whether it can also be used
>> for running multiple XDP programs):
>
> excellent questions.
>
>> - Can a FEXIT function loaded this way only *observe* the return code of
>>   the BPF program it attaches to, or can it also change it?
>
> yes. the verifier can be taught to support that for certain class of programs.
> That needs careful thinking to make sure it's safe.

OK. I think this could potentially be useful to have for XDP (for
instance, to have xdpdump "steal" any packets it is observing by
changing the return code to XDP_DROP).

>> - Is it possible to attach multiple FENTRY/FEXIT programs to the same
>>   XDP program 
>
> Yes. Already possible. See fexit_stress.c that attaches 40 progs to the same
> kernel function. Same thing when attaching fexit BPF to any XDP program.
> Since all of them are read only tracing prog all progs have access to skb on
> input and ouput along with unmodified return value.

Right, cool.

>> and/or to recursively attach FENTRY/FEXIT programs to each
>>   other?
>
> Not right now to avoid complex logic of detecting cycles. See simple bit:
>    if (tgt_prog->type == BPF_PROG_TYPE_TRACING) {
>            /* prevent cycles */
>            verbose(env, "Cannot recursively attach\n");

OK, that is probably a reasonable tradeoff.

>> - Could it be possible for an FENTRY/FEXIT program to call into another
>>   XDP program (i.e., one that has the regular XDP program type)?
>
> It's possible to teach verifier to do that, but we probably shouldn't take that
> route. Instead I've started exploring the idea of dynamic linking. The
> trampoline logic will be used to replace existing BPF program or subprogram
> instead of attaching read-only to it. If types match the new program can
> replace existing one. The concept allows to build any kind of callchain
> programmatically. Pretty much what Ed proposed with static linking, but doing
> it dynamically. I'll start a separate email thread explaining details.

SGTM; will wait for the sequel, then :)

-Toke

On Thu, Nov 7, 2019 at 10:41 PM Alexei Starovoitov <ast@kernel.org> wrote:
>
> Allow FENTRY/FEXIT BPF programs to attach to other BPF programs of any type
> including their subprograms. This feature allows snooping on input and output
> packets in XDP, TC programs including their return values. In order to do that
> the verifier needs to track types not only of vmlinux, but types of other BPF
> programs as well. The verifier also needs to translate uapi/linux/bpf.h types
> used by networking programs into kernel internal BTF types used by FENTRY/FEXIT
> BPF programs. In some cases LLVM optimizations can remove arguments from BPF
> subprograms without adjusting BTF info that LLVM backend knows. When BTF info
> disagrees with actual types that the verifiers sees the BPF trampoline has to
> fallback to conservative and treat all arguments as u64. The FENTRY/FEXIT
> program can still attach to such subprograms, but won't be able to recognize
> pointer types like 'struct sk_buff *' into won't be able to pass them to
> bpf_skb_output() for dumping to user space.
>
> The BPF_PROG_LOAD command is extended with attach_prog_fd field. When it's set
> to zero the attach_btf_id is one vmlinux BTF type ids. When attach_prog_fd
> points to previously loaded BPF program the attach_btf_id is BTF type id of
> main function or one of its subprograms.
>
> Signed-off-by: Alexei Starovoitov <ast@kernel.org>
> ---
>  arch/x86/net/bpf_jit_comp.c |  3 +-
>  include/linux/bpf.h         |  2 +
>  include/linux/btf.h         |  1 +
>  include/uapi/linux/bpf.h    |  1 +
>  kernel/bpf/btf.c            | 58 +++++++++++++++++++---
>  kernel/bpf/core.c           |  2 +
>  kernel/bpf/syscall.c        | 19 +++++--
>  kernel/bpf/verifier.c       | 98 +++++++++++++++++++++++++++++--------
>  kernel/trace/bpf_trace.c    |  2 -
>  9 files changed, 151 insertions(+), 35 deletions(-)
>

[...]

> +
> +static bool btf_translate_to_vmlinux(struct bpf_verifier_log *log,
> +                                    struct btf *btf,
> +                                    const struct btf_type *t,
> +                                    struct bpf_insn_access_aux *info)
> +{
> +       const char *tname = __btf_name_by_offset(btf, t->name_off);
> +       int btf_id;
> +
> +       if (!tname) {
> +               bpf_log(log, "Program's type doesn't have a name\n");
> +               return false;
> +       }
> +       if (strcmp(tname, "__sk_buff") == 0) {

might be a good idea to ensure that t's type is also a struct?

> +               btf_id = btf_resolve_helper_id(log, &bpf_skb_output_proto, 0);

This is kind of ugly and high-maintenance. Have you considered having
something like this, to do this mapping:

struct bpf_ctx_mapping {
    struct sk_buff *__sk_buff;
    struct xdp_buff *xdp_md;
};

So field name is a name you are trying to match, while field type is
actual type you are mapping to? You won't need to find special
function protos (like bpf_skb_output_proto), it will be easy to
extend, you'll have real vmlinux types automatically captured for you
(you'll just have to initially find bpf_ctx_mapping's btf_id).


> +               if (btf_id < 0)
> +                       return false;
> +               info->btf_id = btf_id;
> +               return true;
> +       }
> +       return false;
> +}
>

[...]

> +               if (tgt_prog && conservative) {
> +                       struct btf_func_model *m = &tr->func.model;
> +
> +                       /* BTF function prototype doesn't match the verifier types.
> +                        * Fall back to 5 u64 args.
> +                        */
> +                       for (i = 0; i < 5; i++)
> +                               m->arg_size[i] = 8;
> +                       m->ret_size = 8;
> +                       m->nr_args = 5;
> +                       prog->aux->attach_func_proto = NULL;
> +               } else {
> +                       ret = btf_distill_func_proto(&env->log, btf, t,
> +                                                    tname, &tr->func.model);

there is nothing preventing some parallel thread to modify
tr->func.model in parallel, right? Should these modifications be
either locked or at least WRITE_ONCE, similar to
btf_resolve_helper_id?


> +                       if (ret < 0)
> +                               goto out;
> +               }

[...]

On Sat, Nov 09, 2019 at 11:17:37PM -0800, Andrii Nakryiko wrote:
> On Thu, Nov 7, 2019 at 10:41 PM Alexei Starovoitov <ast@kernel.org> wrote:
> >
> > Allow FENTRY/FEXIT BPF programs to attach to other BPF programs of any type
> > including their subprograms. This feature allows snooping on input and output
> > packets in XDP, TC programs including their return values. In order to do that
> > the verifier needs to track types not only of vmlinux, but types of other BPF
> > programs as well. The verifier also needs to translate uapi/linux/bpf.h types
> > used by networking programs into kernel internal BTF types used by FENTRY/FEXIT
> > BPF programs. In some cases LLVM optimizations can remove arguments from BPF
> > subprograms without adjusting BTF info that LLVM backend knows. When BTF info
> > disagrees with actual types that the verifiers sees the BPF trampoline has to
> > fallback to conservative and treat all arguments as u64. The FENTRY/FEXIT
> > program can still attach to such subprograms, but won't be able to recognize
> > pointer types like 'struct sk_buff *' into won't be able to pass them to
> > bpf_skb_output() for dumping to user space.
> >
> > The BPF_PROG_LOAD command is extended with attach_prog_fd field. When it's set
> > to zero the attach_btf_id is one vmlinux BTF type ids. When attach_prog_fd
> > points to previously loaded BPF program the attach_btf_id is BTF type id of
> > main function or one of its subprograms.
> >
> > Signed-off-by: Alexei Starovoitov <ast@kernel.org>
> > ---
> >  arch/x86/net/bpf_jit_comp.c |  3 +-
> >  include/linux/bpf.h         |  2 +
> >  include/linux/btf.h         |  1 +
> >  include/uapi/linux/bpf.h    |  1 +
> >  kernel/bpf/btf.c            | 58 +++++++++++++++++++---
> >  kernel/bpf/core.c           |  2 +
> >  kernel/bpf/syscall.c        | 19 +++++--
> >  kernel/bpf/verifier.c       | 98 +++++++++++++++++++++++++++++--------
> >  kernel/trace/bpf_trace.c    |  2 -
> >  9 files changed, 151 insertions(+), 35 deletions(-)
> >
> 
> [...]
> 
> > +
> > +static bool btf_translate_to_vmlinux(struct bpf_verifier_log *log,
> > +                                    struct btf *btf,
> > +                                    const struct btf_type *t,
> > +                                    struct bpf_insn_access_aux *info)
> > +{
> > +       const char *tname = __btf_name_by_offset(btf, t->name_off);
> > +       int btf_id;
> > +
> > +       if (!tname) {
> > +               bpf_log(log, "Program's type doesn't have a name\n");
> > +               return false;
> > +       }
> > +       if (strcmp(tname, "__sk_buff") == 0) {
> 
> might be a good idea to ensure that t's type is also a struct?
> 
> > +               btf_id = btf_resolve_helper_id(log, &bpf_skb_output_proto, 0);
> 
> This is kind of ugly and high-maintenance. Have you considered having
> something like this, to do this mapping:
> 
> struct bpf_ctx_mapping {
>     struct sk_buff *__sk_buff;
>     struct xdp_buff *xdp_md;
> };
> 
> So field name is a name you are trying to match, while field type is
> actual type you are mapping to? You won't need to find special
> function protos (like bpf_skb_output_proto), it will be easy to
> extend, you'll have real vmlinux types automatically captured for you
> (you'll just have to initially find bpf_ctx_mapping's btf_id).

I was thinking something along these lines.
The problem with single struct like above is that it's centralized.
convert_ctx_access callbacks are all over the place.
So I'm thinking to add macro like this to bpf.h
+#define BPF_RECORD_CTX_CONVERSION(user_type, kernel_type) \
+       ({typedef kernel_type (*bpf_ctx_convert)(user_type); \
+        (void) (bpf_ctx_convert) (void *) 0;})

and then do
BPF_RECORD_CTX_CONVERSION(struct bpf_xdp_sock, struct xdp_sock);
inside convert_ctx_access functions (like bpf_xdp_sock_convert_ctx_access).
There will be several typedefs with 'bpf_ctx_convert' name. The
btf_translate_to_vmlinux() will iterate over them. Speed is not criticial here,
but long term we probably need to merge prog's BTF with vmlinux's BTF, so most
of the type comparison is done during prog load. It probably should reduce the
size of prog's BTF too. Renumbering of prog's BTF will be annoying though.
Something to consider long term.

> 
> > +               if (btf_id < 0)
> > +                       return false;
> > +               info->btf_id = btf_id;
> > +               return true;
> > +       }
> > +       return false;
> > +}
> >
> 
> [...]
> 
> > +               if (tgt_prog && conservative) {
> > +                       struct btf_func_model *m = &tr->func.model;
> > +
> > +                       /* BTF function prototype doesn't match the verifier types.
> > +                        * Fall back to 5 u64 args.
> > +                        */
> > +                       for (i = 0; i < 5; i++)
> > +                               m->arg_size[i] = 8;
> > +                       m->ret_size = 8;
> > +                       m->nr_args = 5;
> > +                       prog->aux->attach_func_proto = NULL;
> > +               } else {
> > +                       ret = btf_distill_func_proto(&env->log, btf, t,
> > +                                                    tname, &tr->func.model);
> 
> there is nothing preventing some parallel thread to modify
> tr->func.model in parallel, right? Should these modifications be
> either locked or at least WRITE_ONCE, similar to
> btf_resolve_helper_id?

hmm. Right. There is a race with bpf_trampoline_lookup. One thread could have
just created the trampoline and still doing distill, while another thread is
trying to use it after getting it from bpf_trampoline_lookup. The fix choices
are not pretty. Either to add a mutex to check_attach_btf_id() or do
bpf_trampoline_lookup_or_create() with extra callback that does
btf_distill_func_proto while bpf_trampoline_lookup_or_create is holding
trampoline_mutex or move most of the check_attach_btf_id() logic into
bpf_trampoline_lookup_or_create().
I tried to keep trampoline as abstract concept, but with callback or move
the verifer and btf logic will bleed into trampoline. Hmm.

On Mon, Nov 11, 2019 at 3:04 PM Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
>
> On Sat, Nov 09, 2019 at 11:17:37PM -0800, Andrii Nakryiko wrote:
> > On Thu, Nov 7, 2019 at 10:41 PM Alexei Starovoitov <ast@kernel.org> wrote:
> > >
> > > Allow FENTRY/FEXIT BPF programs to attach to other BPF programs of any type
> > > including their subprograms. This feature allows snooping on input and output
> > > packets in XDP, TC programs including their return values. In order to do that
> > > the verifier needs to track types not only of vmlinux, but types of other BPF
> > > programs as well. The verifier also needs to translate uapi/linux/bpf.h types
> > > used by networking programs into kernel internal BTF types used by FENTRY/FEXIT
> > > BPF programs. In some cases LLVM optimizations can remove arguments from BPF
> > > subprograms without adjusting BTF info that LLVM backend knows. When BTF info
> > > disagrees with actual types that the verifiers sees the BPF trampoline has to
> > > fallback to conservative and treat all arguments as u64. The FENTRY/FEXIT
> > > program can still attach to such subprograms, but won't be able to recognize
> > > pointer types like 'struct sk_buff *' into won't be able to pass them to
> > > bpf_skb_output() for dumping to user space.
> > >
> > > The BPF_PROG_LOAD command is extended with attach_prog_fd field. When it's set
> > > to zero the attach_btf_id is one vmlinux BTF type ids. When attach_prog_fd
> > > points to previously loaded BPF program the attach_btf_id is BTF type id of
> > > main function or one of its subprograms.
> > >
> > > Signed-off-by: Alexei Starovoitov <ast@kernel.org>
> > > ---
> > >  arch/x86/net/bpf_jit_comp.c |  3 +-
> > >  include/linux/bpf.h         |  2 +
> > >  include/linux/btf.h         |  1 +
> > >  include/uapi/linux/bpf.h    |  1 +
> > >  kernel/bpf/btf.c            | 58 +++++++++++++++++++---
> > >  kernel/bpf/core.c           |  2 +
> > >  kernel/bpf/syscall.c        | 19 +++++--
> > >  kernel/bpf/verifier.c       | 98 +++++++++++++++++++++++++++++--------
> > >  kernel/trace/bpf_trace.c    |  2 -
> > >  9 files changed, 151 insertions(+), 35 deletions(-)
> > >
> >
> > [...]
> >
> > > +
> > > +static bool btf_translate_to_vmlinux(struct bpf_verifier_log *log,
> > > +                                    struct btf *btf,
> > > +                                    const struct btf_type *t,
> > > +                                    struct bpf_insn_access_aux *info)
> > > +{
> > > +       const char *tname = __btf_name_by_offset(btf, t->name_off);
> > > +       int btf_id;
> > > +
> > > +       if (!tname) {
> > > +               bpf_log(log, "Program's type doesn't have a name\n");
> > > +               return false;
> > > +       }
> > > +       if (strcmp(tname, "__sk_buff") == 0) {
> >
> > might be a good idea to ensure that t's type is also a struct?
> >
> > > +               btf_id = btf_resolve_helper_id(log, &bpf_skb_output_proto, 0);
> >
> > This is kind of ugly and high-maintenance. Have you considered having
> > something like this, to do this mapping:
> >
> > struct bpf_ctx_mapping {
> >     struct sk_buff *__sk_buff;
> >     struct xdp_buff *xdp_md;
> > };
> >
> > So field name is a name you are trying to match, while field type is
> > actual type you are mapping to? You won't need to find special
> > function protos (like bpf_skb_output_proto), it will be easy to
> > extend, you'll have real vmlinux types automatically captured for you
> > (you'll just have to initially find bpf_ctx_mapping's btf_id).
>
> I was thinking something along these lines.
> The problem with single struct like above is that it's centralized.
> convert_ctx_access callbacks are all over the place.
> So I'm thinking to add macro like this to bpf.h
> +#define BPF_RECORD_CTX_CONVERSION(user_type, kernel_type) \
> +       ({typedef kernel_type (*bpf_ctx_convert)(user_type); \
> +        (void) (bpf_ctx_convert) (void *) 0;})
>
> and then do
> BPF_RECORD_CTX_CONVERSION(struct bpf_xdp_sock, struct xdp_sock);
> inside convert_ctx_access functions (like bpf_xdp_sock_convert_ctx_access).
> There will be several typedefs with 'bpf_ctx_convert' name. The
> btf_translate_to_vmlinux() will iterate over them. Speed is not criticial here,

I guess that works as well. Please leave a comment explaining the idea
behind this distributed mapping :)

> but long term we probably need to merge prog's BTF with vmlinux's BTF, so most
> of the type comparison is done during prog load. It probably should reduce the
> size of prog's BTF too. Renumbering of prog's BTF will be annoying though.
> Something to consider long term.
>
> >
> > > +               if (btf_id < 0)
> > > +                       return false;
> > > +               info->btf_id = btf_id;
> > > +               return true;
> > > +       }
> > > +       return false;
> > > +}
> > >
> >
> > [...]
> >
> > > +               if (tgt_prog && conservative) {
> > > +                       struct btf_func_model *m = &tr->func.model;
> > > +
> > > +                       /* BTF function prototype doesn't match the verifier types.
> > > +                        * Fall back to 5 u64 args.
> > > +                        */
> > > +                       for (i = 0; i < 5; i++)
> > > +                               m->arg_size[i] = 8;
> > > +                       m->ret_size = 8;
> > > +                       m->nr_args = 5;
> > > +                       prog->aux->attach_func_proto = NULL;
> > > +               } else {
> > > +                       ret = btf_distill_func_proto(&env->log, btf, t,
> > > +                                                    tname, &tr->func.model);
> >
> > there is nothing preventing some parallel thread to modify
> > tr->func.model in parallel, right? Should these modifications be
> > either locked or at least WRITE_ONCE, similar to
> > btf_resolve_helper_id?
>
> hmm. Right. There is a race with bpf_trampoline_lookup. One thread could have
> just created the trampoline and still doing distill, while another thread is
> trying to use it after getting it from bpf_trampoline_lookup. The fix choices
> are not pretty. Either to add a mutex to check_attach_btf_id() or do
> bpf_trampoline_lookup_or_create() with extra callback that does
> btf_distill_func_proto while bpf_trampoline_lookup_or_create is holding
> trampoline_mutex or move most of the check_attach_btf_id() logic into
> bpf_trampoline_lookup_or_create().
> I tried to keep trampoline as abstract concept, but with callback or move
> the verifer and btf logic will bleed into trampoline. Hmm.

yeah, that sounds too intrusive. I'd change btf_distill_func_proto to
accept struct btf_func_model **m, allocate model dynamically, and then
compare_exchange the final constructed model pointer.

Similarly for "fallback to conservative" case.

>

On 11/11/19 8:38 PM, Andrii Nakryiko wrote:
> On Mon, Nov 11, 2019 at 3:04 PM Alexei Starovoitov
> <alexei.starovoitov@gmail.com> wrote:
>>
>> On Sat, Nov 09, 2019 at 11:17:37PM -0800, Andrii Nakryiko wrote:
>>> On Thu, Nov 7, 2019 at 10:41 PM Alexei Starovoitov <ast@kernel.org> wrote:
>>>>
>>>> Allow FENTRY/FEXIT BPF programs to attach to other BPF programs of any type
>>>> including their subprograms. This feature allows snooping on input and output
>>>> packets in XDP, TC programs including their return values. In order to do that
>>>> the verifier needs to track types not only of vmlinux, but types of other BPF
>>>> programs as well. The verifier also needs to translate uapi/linux/bpf.h types
>>>> used by networking programs into kernel internal BTF types used by FENTRY/FEXIT
>>>> BPF programs. In some cases LLVM optimizations can remove arguments from BPF
>>>> subprograms without adjusting BTF info that LLVM backend knows. When BTF info
>>>> disagrees with actual types that the verifiers sees the BPF trampoline has to
>>>> fallback to conservative and treat all arguments as u64. The FENTRY/FEXIT
>>>> program can still attach to such subprograms, but won't be able to recognize
>>>> pointer types like 'struct sk_buff *' into won't be able to pass them to
>>>> bpf_skb_output() for dumping to user space.
>>>>
>>>> The BPF_PROG_LOAD command is extended with attach_prog_fd field. When it's set
>>>> to zero the attach_btf_id is one vmlinux BTF type ids. When attach_prog_fd
>>>> points to previously loaded BPF program the attach_btf_id is BTF type id of
>>>> main function or one of its subprograms.
>>>>
>>>> Signed-off-by: Alexei Starovoitov <ast@kernel.org>
>>>> ---
>>>>   arch/x86/net/bpf_jit_comp.c |  3 +-
>>>>   include/linux/bpf.h         |  2 +
>>>>   include/linux/btf.h         |  1 +
>>>>   include/uapi/linux/bpf.h    |  1 +
>>>>   kernel/bpf/btf.c            | 58 +++++++++++++++++++---
>>>>   kernel/bpf/core.c           |  2 +
>>>>   kernel/bpf/syscall.c        | 19 +++++--
>>>>   kernel/bpf/verifier.c       | 98 +++++++++++++++++++++++++++++--------
>>>>   kernel/trace/bpf_trace.c    |  2 -
>>>>   9 files changed, 151 insertions(+), 35 deletions(-)
>>>>
>>>
>>> [...]
>>>
>>>> +
>>>> +static bool btf_translate_to_vmlinux(struct bpf_verifier_log *log,
>>>> +                                    struct btf *btf,
>>>> +                                    const struct btf_type *t,
>>>> +                                    struct bpf_insn_access_aux *info)
>>>> +{
>>>> +       const char *tname = __btf_name_by_offset(btf, t->name_off);
>>>> +       int btf_id;
>>>> +
>>>> +       if (!tname) {
>>>> +               bpf_log(log, "Program's type doesn't have a name\n");
>>>> +               return false;
>>>> +       }
>>>> +       if (strcmp(tname, "__sk_buff") == 0) {
>>>
>>> might be a good idea to ensure that t's type is also a struct?
>>>
>>>> +               btf_id = btf_resolve_helper_id(log, &bpf_skb_output_proto, 0);
>>>
>>> This is kind of ugly and high-maintenance. Have you considered having
>>> something like this, to do this mapping:
>>>
>>> struct bpf_ctx_mapping {
>>>      struct sk_buff *__sk_buff;
>>>      struct xdp_buff *xdp_md;
>>> };
>>>
>>> So field name is a name you are trying to match, while field type is
>>> actual type you are mapping to? You won't need to find special
>>> function protos (like bpf_skb_output_proto), it will be easy to
>>> extend, you'll have real vmlinux types automatically captured for you
>>> (you'll just have to initially find bpf_ctx_mapping's btf_id).
>>
>> I was thinking something along these lines.
>> The problem with single struct like above is that it's centralized.
>> convert_ctx_access callbacks are all over the place.
>> So I'm thinking to add macro like this to bpf.h
>> +#define BPF_RECORD_CTX_CONVERSION(user_type, kernel_type) \
>> +       ({typedef kernel_type (*bpf_ctx_convert)(user_type); \
>> +        (void) (bpf_ctx_convert) (void *) 0;})
>>
>> and then do
>> BPF_RECORD_CTX_CONVERSION(struct bpf_xdp_sock, struct xdp_sock);
>> inside convert_ctx_access functions (like bpf_xdp_sock_convert_ctx_access).
>> There will be several typedefs with 'bpf_ctx_convert' name. The
>> btf_translate_to_vmlinux() will iterate over them. Speed is not criticial here,
> 
> I guess that works as well. Please leave a comment explaining the idea
> behind this distributed mapping :)
> 
>> but long term we probably need to merge prog's BTF with vmlinux's BTF, so most
>> of the type comparison is done during prog load. It probably should reduce the
>> size of prog's BTF too. Renumbering of prog's BTF will be annoying though.
>> Something to consider long term.
>>
>>>
>>>> +               if (btf_id < 0)
>>>> +                       return false;
>>>> +               info->btf_id = btf_id;
>>>> +               return true;
>>>> +       }
>>>> +       return false;
>>>> +}
>>>>
>>>
>>> [...]
>>>
>>>> +               if (tgt_prog && conservative) {
>>>> +                       struct btf_func_model *m = &tr->func.model;
>>>> +
>>>> +                       /* BTF function prototype doesn't match the verifier types.
>>>> +                        * Fall back to 5 u64 args.
>>>> +                        */
>>>> +                       for (i = 0; i < 5; i++)
>>>> +                               m->arg_size[i] = 8;
>>>> +                       m->ret_size = 8;
>>>> +                       m->nr_args = 5;
>>>> +                       prog->aux->attach_func_proto = NULL;
>>>> +               } else {
>>>> +                       ret = btf_distill_func_proto(&env->log, btf, t,
>>>> +                                                    tname, &tr->func.model);
>>>
>>> there is nothing preventing some parallel thread to modify
>>> tr->func.model in parallel, right? Should these modifications be
>>> either locked or at least WRITE_ONCE, similar to
>>> btf_resolve_helper_id?
>>
>> hmm. Right. There is a race with bpf_trampoline_lookup. One thread could have
>> just created the trampoline and still doing distill, while another thread is
>> trying to use it after getting it from bpf_trampoline_lookup. The fix choices
>> are not pretty. Either to add a mutex to check_attach_btf_id() or do
>> bpf_trampoline_lookup_or_create() with extra callback that does
>> btf_distill_func_proto while bpf_trampoline_lookup_or_create is holding
>> trampoline_mutex or move most of the check_attach_btf_id() logic into
>> bpf_trampoline_lookup_or_create().
>> I tried to keep trampoline as abstract concept, but with callback or move
>> the verifer and btf logic will bleed into trampoline. Hmm.
> 
> yeah, that sounds too intrusive. I'd change btf_distill_func_proto to
> accept struct btf_func_model **m, allocate model dynamically, and then
> compare_exchange the final constructed model pointer.

cmpxchg is too ugly and also not covering all other fields that may need 
to have serialized access in the future. I went with simpler model of
additional mutex per trampoline. It also helped to avoid global mutex
for link/unlink.