selftests/bpf: Add test for early update in prog_array_map_poke_run

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Adding test that tries to trigger the BUG_IN during early map update
in prog_array_map_poke_run function.

The idea is to share prog array map between thread that constantly
updates it and another one loading a program that uses that prog
array.

Eventually we will hit a place where the program is ok to be updated
(poke->tailcall_target_stable check) but the address is still not
registered in kallsyms, so the bpf_arch_text_poke returns -EINVAL
and cause imbalance for the next tail call update check, which will
fail with -EBUSY in bpf_arch_text_poke as described in previous fix.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Link: https://lore.kernel.org/bpf/20231206083041.1306660-3-jolsa@kernel.org

authored by

Jiri Olsa and committed by

Daniel Borkmann 2 years ago ffed24ef 4b7de801

+116

2 changed files

expand all

tools

testing

selftests

bpf

prog_tests

tailcalls.c

progs

tailcall_poke.c

+84

tools/testing/selftests/bpf/prog_tests/tailcalls.c

··· 1 1 // SPDX-License-Identifier: GPL-2.0 2 + #include <unistd.h> 2 3 #include <test_progs.h> 3 4 #include <network_helpers.h> 5 + #include "tailcall_poke.skel.h" 6 + 4 7 5 8 /* test_tailcall_1 checks basic functionality by patching multiple locations 6 9 * in a single program for a single tail call slot with nop->jmp, jmp->nop ··· 1108 1105 bpf_object__close(tgt_obj); 1109 1106 } 1110 1107 1108 + #define JMP_TABLE "/sys/fs/bpf/jmp_table" 1109 + 1110 + static int poke_thread_exit; 1111 + 1112 + static void *poke_update(void *arg) 1113 + { 1114 + __u32 zero = 0, prog1_fd, prog2_fd, map_fd; 1115 + struct tailcall_poke *call = arg; 1116 + 1117 + map_fd = bpf_map__fd(call->maps.jmp_table); 1118 + prog1_fd = bpf_program__fd(call->progs.call1); 1119 + prog2_fd = bpf_program__fd(call->progs.call2); 1120 + 1121 + while (!poke_thread_exit) { 1122 + bpf_map_update_elem(map_fd, &zero, &prog1_fd, BPF_ANY); 1123 + bpf_map_update_elem(map_fd, &zero, &prog2_fd, BPF_ANY); 1124 + } 1125 + 1126 + return NULL; 1127 + } 1128 + 1129 + /* 1130 + * We are trying to hit prog array update during another program load 1131 + * that shares the same prog array map. 1132 + * 1133 + * For that we share the jmp_table map between two skeleton instances 1134 + * by pinning the jmp_table to same path. Then first skeleton instance 1135 + * periodically updates jmp_table in 'poke update' thread while we load 1136 + * the second skeleton instance in the main thread. 1137 + */ 1138 + static void test_tailcall_poke(void) 1139 + { 1140 + struct tailcall_poke *call, *test; 1141 + int err, cnt = 10; 1142 + pthread_t thread; 1143 + 1144 + unlink(JMP_TABLE); 1145 + 1146 + call = tailcall_poke__open_and_load(); 1147 + if (!ASSERT_OK_PTR(call, "tailcall_poke__open")) 1148 + return; 1149 + 1150 + err = bpf_map__pin(call->maps.jmp_table, JMP_TABLE); 1151 + if (!ASSERT_OK(err, "bpf_map__pin")) 1152 + goto out; 1153 + 1154 + err = pthread_create(&thread, NULL, poke_update, call); 1155 + if (!ASSERT_OK(err, "new toggler")) 1156 + goto out; 1157 + 1158 + while (cnt--) { 1159 + test = tailcall_poke__open(); 1160 + if (!ASSERT_OK_PTR(test, "tailcall_poke__open")) 1161 + break; 1162 + 1163 + err = bpf_map__set_pin_path(test->maps.jmp_table, JMP_TABLE); 1164 + if (!ASSERT_OK(err, "bpf_map__pin")) { 1165 + tailcall_poke__destroy(test); 1166 + break; 1167 + } 1168 + 1169 + bpf_program__set_autoload(test->progs.test, true); 1170 + bpf_program__set_autoload(test->progs.call1, false); 1171 + bpf_program__set_autoload(test->progs.call2, false); 1172 + 1173 + err = tailcall_poke__load(test); 1174 + tailcall_poke__destroy(test); 1175 + if (!ASSERT_OK(err, "tailcall_poke__load")) 1176 + break; 1177 + } 1178 + 1179 + poke_thread_exit = 1; 1180 + ASSERT_OK(pthread_join(thread, NULL), "pthread_join"); 1181 + 1182 + out: 1183 + bpf_map__unpin(call->maps.jmp_table, JMP_TABLE); 1184 + tailcall_poke__destroy(call); 1185 + } 1186 + 1111 1187 void test_tailcalls(void) 1112 1188 { 1113 1189 if (test__start_subtest("tailcall_1")) ··· 1221 1139 test_tailcall_bpf2bpf_fentry_fexit(); 1222 1140 if (test__start_subtest("tailcall_bpf2bpf_fentry_entry")) 1223 1141 test_tailcall_bpf2bpf_fentry_entry(); 1142 + if (test__start_subtest("tailcall_poke")) 1143 + test_tailcall_poke(); 1224 1144 }

+32

tools/testing/selftests/bpf/progs/tailcall_poke.c

··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + #include <linux/bpf.h> 3 + #include <bpf/bpf_helpers.h> 4 + #include <bpf/bpf_tracing.h> 5 + 6 + char _license[] SEC("license") = "GPL"; 7 + 8 + struct { 9 + __uint(type, BPF_MAP_TYPE_PROG_ARRAY); 10 + __uint(max_entries, 1); 11 + __uint(key_size, sizeof(__u32)); 12 + __uint(value_size, sizeof(__u32)); 13 + } jmp_table SEC(".maps"); 14 + 15 + SEC("?fentry/bpf_fentry_test1") 16 + int BPF_PROG(test, int a) 17 + { 18 + bpf_tail_call_static(ctx, &jmp_table, 0); 19 + return 0; 20 + } 21 + 22 + SEC("fentry/bpf_fentry_test1") 23 + int BPF_PROG(call1, int a) 24 + { 25 + return 0; 26 + } 27 + 28 + SEC("fentry/bpf_fentry_test1") 29 + int BPF_PROG(call2, int a) 30 + { 31 + return 0; 32 + }