Re: bpf, powerpc: fix jit for seccomp_data access
On Tue, 2018-02-20 at 19:49:20 UTC, Mark Lord wrote: > I am using SECCOMP to filter syscalls on a ppc32 platform, > and noticed that the JIT compiler was failing on the BPF > even though the interpreter was working fine. > > The issue was that the compiler was missing one of the instructions > used by SECCOMP, so here is a patch to enable JIT for that instruction. > > Signed-Off-By: Mark Lord > > --- old/arch/powerpc/net/bpf_jit_comp.c 2018-02-16 14:07:01.0 -0500 > +++ linux/arch/powerpc/net/bpf_jit_comp.c 2018-02-20 14:41:20.805227494 > -0500 > @@ -329,6 +329,9 @@ static int bpf_jit_build_body(struct bpf > BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, len) != 4); > PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff, > len)); > break; > + case BPF_LDX | BPF_W | BPF_ABS: /* A = *((u32 *)(seccomp_data > + K)); */ > + PPC_LWZ_OFFS(r_A, r_skb, K); > + break; > case BPF_LDX | BPF_W | BPF_LEN: /* X = skb->len; */ > PPC_LWZ_OFFS(r_X, r_skb, offsetof(struct sk_buff, > len)); > break; Applied to powerpc fixes, thanks. https://git.kernel.org/powerpc/c/083b20907185b076f21c265b30fe5b cheers
Re: [PATCH] bpf, powerpc: fix jit for seccomp_data access
"Naveen N. Rao" writes: > Mark Lord wrote: >> On 18-02-21 07:52 AM, Mark Lord wrote: >>> On 18-02-21 03:35 AM, Naveen N. Rao wrote: >> .. Looks good to me, but I am not able to apply this patch. There seems to be whitespace damage. >>> >>> Here (attached) is a clean copy. >> >> Again, this time with the commit message included! > > Thanks. However... > I am able to apply this using 'patch', but not with 'git am' since the > headers are missing. FWIW, the usual workflow is to make the changes and > commit it into your repository using 'git commit' and then use 'git > format-patch' to generate a patch file that you can then post. > > I'll defer to Michael on whether he is ok to process this as it is. The main thing is that it's caught by patchwork[1], otherwise I tend to miss it. In this case the initial patch was caught by patchwork, so that's fine. I fixed up the white space and other issues before applying. In general I'm happy to do that for new/infrequent committers, not so much for people who send lots of patches and/or are paid to do so :) cheers 1: http://patchwork.ozlabs.org/patch/875890/
Re: [PATCH] bpf, powerpc: fix jit for seccomp_data access
Daniel Borkmann writes: > On 02/21/2018 01:33 AM, Michael Ellerman wrote: >> Mark Lord writes: >> >>> I am using SECCOMP to filter syscalls on a ppc32 platform, >>> and noticed that the JIT compiler was failing on the BPF >>> even though the interpreter was working fine. >>> >>> The issue was that the compiler was missing one of the instructions >>> used by SECCOMP, so here is a patch to enable JIT for that instruction. >>> >>> Signed-Off-By: Mark Lord >> >> Thanks. >> >> What is the failure mode without this patch? I assume when you have the >> JIT enabled the seccomp filter fails to load entirely? Or do we have >> logic to fall back to the interpreter? > > The logic for all JITs is that once a BPF insn cannot be JITed then it falls > back to BPF interpreter. Here, since ppc32 is cBPF the path is: cBPF insn -> > cBPF JIT -> fail -> migrate cBPF to eBPF -> run in eBPF interpreter. In the > case where interpreter is compiled out (CONFIG_BPF_JIT_ALWAYS_ON), then the > filter is rejected. OK thanks. >> Either way we should probably back port to stable. I assume this has >> been broken since we originally added 32-bit support, so: > > Note that arm32 before it was converted to be an eBPF JIT (eBPF JITs do handle > seccomp BPF in any case) was the only cBPF JIT that had it 'JIT-able', so > currently, other cBPF ones like sparc32 or mips32 don't translate it either. > Meaning, it would be nice to have as feature; I wouldn't necessarily frame > it as a bug though (or at least a stable-urgent one, imho, but I leave that > to you, of course). OK, I'll just add the Fixes tag for our reference and we can always back port it to stable later if we want to. cheers
Re: [PATCH] bpf, powerpc: fix jit for seccomp_data access
Mark Lord wrote: On 18-02-21 07:52 AM, Mark Lord wrote: On 18-02-21 03:35 AM, Naveen N. Rao wrote: .. Looks good to me, but I am not able to apply this patch. There seems to be whitespace damage. Here (attached) is a clean copy. Again, this time with the commit message included! Thanks. However... I am able to apply this using 'patch', but not with 'git am' since the headers are missing. FWIW, the usual workflow is to make the changes and commit it into your repository using 'git commit' and then use 'git format-patch' to generate a patch file that you can then post. I'll defer to Michael on whether he is ok to process this as it is. I am using SECCOMP to filter syscalls on a ppc32 platform, and noticed that the JIT compiler was failing on the BPF even though the interpreter was working fine. The issue was that the compiler was missing one of the instructions used by SECCOMP, so here is a patch to enable JIT for that instruction. Signed-Off-By: Mark Lord Minot nit: The correct (TM) tag to use is: Signed-off-by: (note the case) --- old/arch/powerpc/net/bpf_jit_comp.c 2018-02-16 14:07:01.0 -0500 +++ linux/arch/powerpc/net/bpf_jit_comp.c 2018-02-20 14:41:20.805227494 -0500 @@ -329,6 +329,9 @@ static int bpf_jit_build_body(struct bpf BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, len) != 4); PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff, len)); break; + case BPF_LDX | BPF_W | BPF_ABS: /* A = *((u32 *)(seccomp_data + K)); */ + PPC_LWZ_OFFS(r_A, r_skb, K); + break; case BPF_LDX | BPF_W | BPF_LEN: /* X = skb->len; */ PPC_LWZ_OFFS(r_X, r_skb, offsetof(struct sk_buff, len)); break; Apart from those aspects, for this patch: Acked-by: Naveen N. Rao - Naveen
Re: [PATCH] bpf, powerpc: fix jit for seccomp_data access
On 18-02-21 07:52 AM, Mark Lord wrote: > On 18-02-21 03:35 AM, Naveen N. Rao wrote: .. >> Looks good to me, but I am not able to apply this patch. There seems to be >> whitespace damage. > > Here (attached) is a clean copy. Again, this time with the commit message included! I am using SECCOMP to filter syscalls on a ppc32 platform, and noticed that the JIT compiler was failing on the BPF even though the interpreter was working fine. The issue was that the compiler was missing one of the instructions used by SECCOMP, so here is a patch to enable JIT for that instruction. Signed-Off-By: Mark Lord --- old/arch/powerpc/net/bpf_jit_comp.c 2018-02-16 14:07:01.0 -0500 +++ linux/arch/powerpc/net/bpf_jit_comp.c 2018-02-20 14:41:20.805227494 -0500 @@ -329,6 +329,9 @@ static int bpf_jit_build_body(struct bpf BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, len) != 4); PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff, len)); break; + case BPF_LDX | BPF_W | BPF_ABS: /* A = *((u32 *)(seccomp_data + K)); */ + PPC_LWZ_OFFS(r_A, r_skb, K); + break; case BPF_LDX | BPF_W | BPF_LEN: /* X = skb->len; */ PPC_LWZ_OFFS(r_X, r_skb, offsetof(struct sk_buff, len)); break; -- Mark Lord Real-Time Remedies Inc. ml...@pobox.com I am using SECCOMP to filter syscalls on a ppc32 platform, and noticed that the JIT compiler was failing on the BPF even though the interpreter was working fine. The issue was that the compiler was missing one of the instructions used by SECCOMP, so here is a patch to enable JIT for that instruction. Signed-Off-By: Mark Lord --- old/arch/powerpc/net/bpf_jit_comp.c 2018-02-16 14:07:01.0 -0500 +++ linux/arch/powerpc/net/bpf_jit_comp.c 2018-02-20 14:41:20.805227494 -0500 @@ -329,6 +329,9 @@ static int bpf_jit_build_body(struct bpf BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, len) != 4); PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff, len)); break; + case BPF_LDX | BPF_W | BPF_ABS: /* A = *((u32 *)(seccomp_data + K)); */ + PPC_LWZ_OFFS(r_A, r_skb, K); + break; case BPF_LDX | BPF_W | BPF_LEN: /* X = skb->len; */ PPC_LWZ_OFFS(r_X, r_skb, offsetof(struct sk_buff, len)); break;
Re: [PATCH] bpf, powerpc: fix jit for seccomp_data access
On 18-02-21 03:35 AM, Naveen N. Rao wrote: > Mark Lord wrote: >> I am using SECCOMP to filter syscalls on a ppc32 platform, >> and noticed that the JIT compiler was failing on the BPF >> even though the interpreter was working fine. >> >> The issue was that the compiler was missing one of the instructions >> used by SECCOMP, so here is a patch to enable JIT for that instruction. >> >> Signed-Off-By: Mark Lord >> >> --- old/arch/powerpc/net/bpf_jit_comp.c 2018-02-16 14:07:01.0 -0500 >> +++ linux/arch/powerpc/net/bpf_jit_comp.c 2018-02-20 >> 14:41:20.805227494 -0500 >> @@ -329,6 +329,9 @@ static int bpf_jit_build_body(struct bpf >> BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, len) != 4); >> PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff, >> len)); >> break; >> + case BPF_LDX | BPF_W | BPF_ABS: /* A = *((u32 >> *)(seccomp_data + K)); */ >> + PPC_LWZ_OFFS(r_A, r_skb, K); >> + break; > > Looks good to me, but I am not able to apply this patch. There seems to be > whitespace damage. Here (attached) is a clean copy. -- Mark Lord Real-Time Remedies Inc. ml...@pobox.com --- old/arch/powerpc/net/bpf_jit_comp.c 2018-02-16 14:07:01.0 -0500 +++ linux/arch/powerpc/net/bpf_jit_comp.c 2018-02-20 14:41:20.805227494 -0500 @@ -329,6 +329,9 @@ static int bpf_jit_build_body(struct bpf BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, len) != 4); PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff, len)); break; + case BPF_LDX | BPF_W | BPF_ABS: /* A = *((u32 *)(seccomp_data + K)); */ + PPC_LWZ_OFFS(r_A, r_skb, K); + break; case BPF_LDX | BPF_W | BPF_LEN: /* X = skb->len; */ PPC_LWZ_OFFS(r_X, r_skb, offsetof(struct sk_buff, len)); break;
Re: [PATCH] bpf, powerpc: fix jit for seccomp_data access
Mark Lord wrote: I am using SECCOMP to filter syscalls on a ppc32 platform, and noticed that the JIT compiler was failing on the BPF even though the interpreter was working fine. The issue was that the compiler was missing one of the instructions used by SECCOMP, so here is a patch to enable JIT for that instruction. Signed-Off-By: Mark Lord --- old/arch/powerpc/net/bpf_jit_comp.c 2018-02-16 14:07:01.0 -0500 +++ linux/arch/powerpc/net/bpf_jit_comp.c 2018-02-20 14:41:20.805227494 -0500 @@ -329,6 +329,9 @@ static int bpf_jit_build_body(struct bpf BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, len) != 4); PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff, len)); break; + case BPF_LDX | BPF_W | BPF_ABS: /* A = *((u32 *)(seccomp_data + K)); */ + PPC_LWZ_OFFS(r_A, r_skb, K); + break; Looks good to me, but I am not able to apply this patch. There seems to be whitespace damage. Please resend the patch considering the steps here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/email-clients.rst Thanks, Naveen
Re: [PATCH] bpf, powerpc: fix jit for seccomp_data access
On 02/21/2018 01:33 AM, Michael Ellerman wrote: > Mark Lord writes: > >> I am using SECCOMP to filter syscalls on a ppc32 platform, >> and noticed that the JIT compiler was failing on the BPF >> even though the interpreter was working fine. >> >> The issue was that the compiler was missing one of the instructions >> used by SECCOMP, so here is a patch to enable JIT for that instruction. >> >> Signed-Off-By: Mark Lord > > Thanks. > > What is the failure mode without this patch? I assume when you have the > JIT enabled the seccomp filter fails to load entirely? Or do we have > logic to fall back to the interpreter? The logic for all JITs is that once a BPF insn cannot be JITed then it falls back to BPF interpreter. Here, since ppc32 is cBPF the path is: cBPF insn -> cBPF JIT -> fail -> migrate cBPF to eBPF -> run in eBPF interpreter. In the case where interpreter is compiled out (CONFIG_BPF_JIT_ALWAYS_ON), then the filter is rejected. > Either way we should probably back port to stable. I assume this has > been broken since we originally added 32-bit support, so: Note that arm32 before it was converted to be an eBPF JIT (eBPF JITs do handle seccomp BPF in any case) was the only cBPF JIT that had it 'JIT-able', so currently, other cBPF ones like sparc32 or mips32 don't translate it either. Meaning, it would be nice to have as feature; I wouldn't necessarily frame it as a bug though (or at least a stable-urgent one, imho, but I leave that to you, of course). > Fixes: eb84bab0fb38 ("ppc: Kconfig: Enable BPF JIT on ppc32") > Cc: sta...@vger.kernel.org # v4.1+ > > cheers > > >> --- old/arch/powerpc/net/bpf_jit_comp.c 2018-02-16 14:07:01.0 -0500 >> +++ linux/arch/powerpc/net/bpf_jit_comp.c 2018-02-20 >> 14:41:20.805227494 -0500 >> @@ -329,6 +329,9 @@ static int bpf_jit_build_body(struct bpf >> BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, len) != 4); >> PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff, >> len)); >> break; >> + case BPF_LDX | BPF_W | BPF_ABS: /* A = *((u32 >> *)(seccomp_data + K)); */ >> + PPC_LWZ_OFFS(r_A, r_skb, K); >> + break; >> case BPF_LDX | BPF_W | BPF_LEN: /* X = skb->len; */ >> PPC_LWZ_OFFS(r_X, r_skb, offsetof(struct sk_buff, >> len)); >> break; >> -- >> Mark Lord >> Real-Time Remedies Inc. >> ml...@pobox.com
Re: [PATCH] bpf, powerpc: fix jit for seccomp_data access
Mark Lord writes: > I am using SECCOMP to filter syscalls on a ppc32 platform, > and noticed that the JIT compiler was failing on the BPF > even though the interpreter was working fine. > > The issue was that the compiler was missing one of the instructions > used by SECCOMP, so here is a patch to enable JIT for that instruction. > > Signed-Off-By: Mark Lord Thanks. What is the failure mode without this patch? I assume when you have the JIT enabled the seccomp filter fails to load entirely? Or do we have logic to fall back to the interpreter? Either way we should probably back port to stable. I assume this has been broken since we originally added 32-bit support, so: Fixes: eb84bab0fb38 ("ppc: Kconfig: Enable BPF JIT on ppc32") Cc: sta...@vger.kernel.org # v4.1+ cheers > --- old/arch/powerpc/net/bpf_jit_comp.c 2018-02-16 14:07:01.0 -0500 > +++ linux/arch/powerpc/net/bpf_jit_comp.c 2018-02-20 14:41:20.805227494 > -0500 > @@ -329,6 +329,9 @@ static int bpf_jit_build_body(struct bpf > BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, len) != 4); > PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff, > len)); > break; > + case BPF_LDX | BPF_W | BPF_ABS: /* A = *((u32 *)(seccomp_data > + K)); */ > + PPC_LWZ_OFFS(r_A, r_skb, K); > + break; > case BPF_LDX | BPF_W | BPF_LEN: /* X = skb->len; */ > PPC_LWZ_OFFS(r_X, r_skb, offsetof(struct sk_buff, > len)); > break; > -- > Mark Lord > Real-Time Remedies Inc. > ml...@pobox.com
[PATCH] bpf, powerpc: fix jit for seccomp_data access
I am using SECCOMP to filter syscalls on a ppc32 platform, and noticed that the JIT compiler was failing on the BPF even though the interpreter was working fine. The issue was that the compiler was missing one of the instructions used by SECCOMP, so here is a patch to enable JIT for that instruction. Signed-Off-By: Mark Lord --- old/arch/powerpc/net/bpf_jit_comp.c 2018-02-16 14:07:01.0 -0500 +++ linux/arch/powerpc/net/bpf_jit_comp.c 2018-02-20 14:41:20.805227494 -0500 @@ -329,6 +329,9 @@ static int bpf_jit_build_body(struct bpf BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, len) != 4); PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff, len)); break; + case BPF_LDX | BPF_W | BPF_ABS: /* A = *((u32 *)(seccomp_data + K)); */ + PPC_LWZ_OFFS(r_A, r_skb, K); + break; case BPF_LDX | BPF_W | BPF_LEN: /* X = skb->len; */ PPC_LWZ_OFFS(r_X, r_skb, offsetof(struct sk_buff, len)); break; -- Mark Lord Real-Time Remedies Inc. ml...@pobox.com