linux/arch
Yonghong Song c8831bdbfb bpf, x64: Fix a jit convergence issue
Daniel Hodges reported a jit error when playing with a sched-ext program.
The error message is:
  unexpected jmp_cond padding: -4 bytes

But further investigation shows the error is actually due to failed
convergence. The following is some analysis:

  ...
  pass4, final_proglen=4391:
    ...
    20e:    48 85 ff                test   rdi,rdi
    211:    74 7d                   je     0x290
    213:    48 8b 77 00             mov    rsi,QWORD PTR [rdi+0x0]
    ...
    289:    48 85 ff                test   rdi,rdi
    28c:    74 17                   je     0x2a5
    28e:    e9 7f ff ff ff          jmp    0x212
    293:    bf 03 00 00 00          mov    edi,0x3

Note that insn at 0x211 is 2-byte cond jump insn for offset 0x7d (-125)
and insn at 0x28e is 5-byte jmp insn with offset -129.

  pass5, final_proglen=4392:
    ...
    20e:    48 85 ff                test   rdi,rdi
    211:    0f 84 80 00 00 00       je     0x297
    217:    48 8b 77 00             mov    rsi,QWORD PTR [rdi+0x0]
    ...
    28d:    48 85 ff                test   rdi,rdi
    290:    74 1a                   je     0x2ac
    292:    eb 84                   jmp    0x218
    294:    bf 03 00 00 00          mov    edi,0x3

Note that insn at 0x211 is a 6-byte cond jump insn now since its offset
becomes 0x80 based on the previous round (0x293 - 0x213 = 0x80). At the same
time, insn at 0x292 is a 2-byte insn since its offset is -124.

pass6 will repeat the same code as in pass4. pass7 will repeat the same
code as in pass5, and so on. This will prevent eventual convergence.

Passes 1-14 are with padding = 0. At pass15, padding is 1 and related
insn looks like:

    211:    0f 84 80 00 00 00       je     0x297
    217:    48 8b 77 00             mov    rsi,QWORD PTR [rdi+0x0]
    ...
    24d:    48 85 d2                test   rdx,rdx

The similar code in pass14:
    211:    74 7d                   je     0x290
    213:    48 8b 77 00             mov    rsi,QWORD PTR [rdi+0x0]
    ...
    249:    48 85 d2                test   rdx,rdx
    24c:    74 21                   je     0x26f
    24e:    48 01 f7                add    rdi,rsi
    ...

Before generating the following insn,
  250:    74 21                   je     0x273
"padding = 1" enables some checking to ensure nops is either 0 or 4
where
  #define INSN_SZ_DIFF (((addrs[i] - addrs[i - 1]) - (prog - temp)))
  nops = INSN_SZ_DIFF - 2

In this specific case,
  addrs[i] = 0x24e // from pass14
  addrs[i-1] = 0x24d // from pass15
  prog - temp = 3 // from 'test rdx,rdx' in pass15
so
  nops = -4
and this triggers the failure.

To fix the issue, we need to break cycles of je <-> jmp. For example,
in the above case, we have
  211:    74 7d                   je     0x290
the offset is 0x7d. If a 2-byte je insn is generated only if
the offset is less than 0x7d (<= 0x7c), the cycle can be
broken and we can achieve convergence.

I did some study on other cases like je <-> je, jmp <-> je and
jmp <-> jmp which may cause cycles. Those cases are not from actual
reproducible cases since it is pretty hard to construct a test case
for them. The results show that the offset <= 0x7b (0x7b = 123) should
be enough to cover all cases. This patch added a new helper to generate 8-bit
cond/uncond jmp insns only if the offset range is [-128, 123].

Reported-by: Daniel Hodges <hodgesd@meta.com>
Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20240904221251.37109-1-yonghong.song@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2024-09-04 16:46:22 -07:00
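The je <-> jmp oscillation described in the commit message, and the effect of restricting the 8-bit encoding to [-128, 123], can be reproduced with a small model of the JIT's relaxation loop. The program below is an added example written for this page; it is not kernel code and not part of the patch. It keeps only the two properties of the real x86-64 BPF JIT that cause the cycle: addrs[] is updated in place while a pass runs (so a backward jump sees its target at the current pass's address but its own end at the previous pass's address, while a forward jump sees both from the previous pass), and a jump is emitted in its 2-byte form exactly when the computed offset passes the imm8 check. The constructed program has the shape of the dump (je forward over a 123-byte body and a jmp back to the body, 0x28e - 0x213 = 0x7b); the 5-byte tail, the 64-byte initial spacing, the 20-pass limit and the helper name is_imm8_jmp_offset are assumptions for illustration, not values or names taken from the kernel source.

```c
/* Added example, not kernel code: toy model of the x86-64 BPF JIT's multi-pass
 * branch relaxation, showing the je <-> jmp cycle from the commit message and
 * why limiting the 8-bit jump form to [-128, 123] makes it converge. */
#include <stdbool.h>
#include <stdio.h>

#define BODY        123   /* straight-line bytes between je and jmp (0x28e - 0x213 in the dump) */
#define TAIL        5     /* assumed size of the insn after the jmp, e.g. mov edi,0x3 */
#define INIT_SPACING 64   /* assumed first-pass spacing; only needs to make every jump start long */
#define MAX_PASSES  20    /* assumed bound on passes before the JIT gives up */
#define JCC_SHORT 2       /* 7x rel8 */
#define JCC_LONG  6       /* 0f 8x rel32 */
#define JMP_SHORT 2       /* eb rel8 */
#define JMP_LONG  5       /* e9 rel32 */

enum { I_JE, I_BODY, I_JMP, I_TAIL, NINSN };

/* Unrestricted imm8 check: the range the JIT used before the fix. */
static bool is_imm8(int v) { return v >= -128 && v <= 127; }

/* The range described in the commit message; the helper name is assumed. */
static bool is_imm8_jmp_offset(int v) { return v >= -128 && v <= 123; }

/* Runs the relaxation loop with the given short-jump predicate.
 * Returns the pass on which proglen stopped changing, or -1 if MAX_PASSES
 * is exhausted. The final je/jmp sizes are written to the out parameters. */
static int jit_converge(bool (*short_ok)(int), int *je_sz_out, int *jmp_sz_out)
{
    /* addrs[k] = start of insn k (addrs[NINSN] = end of program), carried
     * across passes and overwritten in place, like the kernel's addrs[]. */
    int addrs[NINSN + 1];
    int prev_len = -1;

    for (int k = 0; k <= NINSN; k++)
        addrs[k] = k * INIT_SPACING;

    for (int pass = 1; pass <= MAX_PASSES; pass++) {
        int proglen = 0, off, je_sz, jmp_sz;

        /* insn 0: je -> tail. Forward jump: target start and own end are
         * both still the previous pass's values. */
        off = addrs[I_TAIL] - addrs[I_JE + 1];
        je_sz = short_ok(off) ? JCC_SHORT : JCC_LONG;
        proglen += je_sz;
        addrs[I_JE + 1] = proglen;

        /* insn 1: fixed-size straight-line body. */
        proglen += BODY;
        addrs[I_BODY + 1] = proglen;

        /* insn 2: jmp -> body. Backward jump: the target's start was already
         * rewritten this pass, but its own end is still the previous pass's. */
        off = addrs[I_BODY] - addrs[I_JMP + 1];
        jmp_sz = short_ok(off) ? JMP_SHORT : JMP_LONG;
        proglen += jmp_sz;
        addrs[I_JMP + 1] = proglen;

        /* insn 3: tail. */
        proglen += TAIL;
        addrs[I_TAIL + 1] = proglen;

        printf("pass%d: je %d bytes, jmp %d bytes, proglen %d\n",
               pass, je_sz, jmp_sz, proglen);

        /* The JIT treats an unchanged total length as convergence. */
        if (proglen == prev_len) {
            *je_sz_out = je_sz;
            *jmp_sz_out = jmp_sz;
            return pass;
        }
        prev_len = proglen;
    }
    return -1;
}

int main(void)
{
    int je, jmp, pass;

    puts("imm8 range [-128, 127]:");
    pass = jit_converge(is_imm8, &je, &jmp);
    printf("result: %s\n", pass < 0 ? "no convergence (je<->jmp cycle)" : "converged");

    puts("imm8 range [-128, 123]:");
    pass = jit_converge(is_imm8_jmp_offset, &je, &jmp);
    printf("result: converged on pass %d (je %d bytes, jmp %d bytes)\n", pass, je, jmp);
    return 0;
}
```

With the unrestricted check the trace alternates between (je 2, jmp 5) with the forward offset computed as 128 and (je 6, jmp 2) with the backward offset computed as -129, exactly the pass4/pass5 pattern in the message, until the pass limit is hit. With the [-128, 123] range the forward offset of 125 is always emitted as rel32, the backward jump settles at -125, and the loop converges on the third pass. The converged layout is slightly larger than the unreachable optimum (both jumps short), which is the trade the patch makes for guaranteed termination.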
alpha alpha: fix ioread64be()/iowrite64be() helpers 2024-08-01 15:48:03 +02:00
arc arc: convert to generic syscall table 2024-07-10 14:23:38 +02:00
arm ARM: riscpc: ecard: Fix the build 2024-08-13 11:34:52 +02:00
arm64 bpf, arm64: Jit BPF_CALL to direct call when possible 2024-09-04 11:51:06 -07:00
csky ftrace: Rewrite of function graph tracer 2024-07-18 13:36:33 -07:00
hexagon hexagon: use new system call table 2024-07-10 14:23:38 +02:00
loongarch LoongArch: KVM: Remove undefined a6 argument comment for kvm_hypercall() 2024-08-07 17:37:14 +08:00
m68k Kbuild updates for v6.11 2024-07-23 14:32:21 -07:00
microblaze syscalls: mmap(): use unsigned offset type consistently 2024-06-25 15:57:38 +02:00
mips mips: sgi-ip22: Fix the build 2024-08-13 11:34:55 +02:00
nios2 Kbuild updates for v6.11 2024-07-23 14:32:21 -07:00
openrisc openrisc: convert to generic syscall table 2024-07-10 14:23:38 +02:00
parisc parisc: fix a possible DMA corruption 2024-07-29 16:19:07 +02:00
powerpc powerpc/topology: Check if a core is online 2024-08-13 10:32:17 +10:00
riscv Merge patch series "RISC-V: hwprobe: Misaligned scalar perf fix and rename" 2024-08-15 13:12:21 -07:00
s390 s390/uv: Panic for set and remove shared access UVC errors 2024-08-07 11:04:43 +00:00
sh sh updates for v6.11 2024-07-23 11:57:52 -07:00
sparc Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
um minmax: make generic MIN() and MAX() macros available everywhere 2024-07-28 15:49:18 -07:00
x86 bpf, x64: Fix a jit convergence issue 2024-09-04 16:46:22 -07:00
xtensa - 875fa64577 ("mm/hugetlb_vmemmap: fix race with speculative PFN 2024-07-21 17:15:46 -07:00
.gitignore
Kconfig Revert "mm: mmap: allow for the maximum number of bits for randomizing mmap_base by default" 2024-06-17 12:57:03 -07:00