Begin reporting may_goto timeouts to BPF program's stderr stream.
Make sure that we don't end up spamming too many errors if the
program keeps failing repeatedly and filling up the stream, hence
emit at most 512 error messages from the kernel for a given stream.
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>
---
include/linux/bpf.h | 21 ++++++++++++++-------
kernel/bpf/core.c | 17 ++++++++++++++++-
kernel/bpf/stream.c | 5 +++++
3 files changed, 35 insertions(+), 8 deletions(-)
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 46ce05aad0ed..daf95333be78 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -1667,6 +1667,7 @@ struct bpf_prog_aux {
struct rcu_head rcu;
};
struct bpf_stream stream[2];
+ atomic_t stream_error_cnt;
};
struct bpf_prog {
@@ -3589,6 +3590,8 @@ void bpf_bprintf_cleanup(struct bpf_bprintf_data *data);
int bpf_try_get_buffers(struct bpf_bprintf_buffers **bufs);
void bpf_put_buffers(void);
+#define BPF_PROG_STREAM_ERROR_CNT 512
+
void bpf_prog_stream_init(struct bpf_prog *prog);
void bpf_prog_stream_free(struct bpf_prog *prog);
@@ -3600,16 +3603,20 @@ int bpf_stream_stage_commit(struct bpf_stream_stage *ss, struct bpf_prog *prog,
enum bpf_stream_id stream_id);
int bpf_stream_stage_dump_stack(struct bpf_stream_stage *ss);
+bool bpf_prog_stream_error_limit(struct bpf_prog *prog);
+
#define bpf_stream_printk(...) bpf_stream_stage_printk(&__ss, __VA_ARGS__)
#define bpf_stream_dump_stack() bpf_stream_stage_dump_stack(&__ss)
-#define bpf_stream_stage(prog, stream_id, expr) \
- ({ \
- struct bpf_stream_stage __ss; \
- bpf_stream_stage_init(&__ss); \
- (expr); \
- bpf_stream_stage_commit(&__ss, prog, stream_id); \
- bpf_stream_stage_free(&__ss); \
+#define bpf_stream_stage(prog, stream_id, expr) \
+ ({ \
+ struct bpf_stream_stage __ss; \
+ if (!bpf_prog_stream_error_limit(prog)) { \
+ bpf_stream_stage_init(&__ss); \
+ (expr); \
+ bpf_stream_stage_commit(&__ss, prog, stream_id); \
+ bpf_stream_stage_free(&__ss); \
+ } \
})
#ifdef CONFIG_BPF_LSM
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index dcb665bff22f..d21c304fe829 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -3156,6 +3156,19 @@ u64 __weak arch_bpf_timed_may_goto(void)
return 0;
}
+static noinline void bpf_prog_report_may_goto_violation(void)
+{
+ struct bpf_prog *prog;
+
+ prog = bpf_prog_find_from_stack();
+ if (!prog)
+ return;
+ bpf_stream_stage(prog, BPF_STDERR, ({
+ bpf_stream_printk("ERROR: Timeout detected for may_goto instruction\n");
+ bpf_stream_dump_stack();
+ }));
+}
+
u64 bpf_check_timed_may_goto(struct bpf_timed_may_goto *p)
{
u64 time = ktime_get_mono_fast_ns();
@@ -3166,8 +3179,10 @@ u64 bpf_check_timed_may_goto(struct bpf_timed_may_goto *p)
return BPF_MAX_TIMED_LOOPS;
}
/* Check if we've exhausted our time slice, and zero count. */
- if (time - p->timestamp >= (NSEC_PER_SEC / 4))
+ if (unlikely(time - p->timestamp >= (NSEC_PER_SEC / 4))) {
+ bpf_prog_report_may_goto_violation();
return 0;
+ }
/* Refresh the count for the stack frame. */
return BPF_MAX_TIMED_LOOPS;
}
diff --git a/kernel/bpf/stream.c b/kernel/bpf/stream.c
index a921fb1de319..eaf0574866b1 100644
--- a/kernel/bpf/stream.c
+++ b/kernel/bpf/stream.c
@@ -539,3 +539,8 @@ int bpf_stream_stage_dump_stack(struct bpf_stream_stage *ss)
ret = ret ?: ctx.err;
return ret ?: bpf_stream_stage_printk(ss, "\n");
}
+
+bool bpf_prog_stream_error_limit(struct bpf_prog *prog)
+{
+ return atomic_fetch_add(1, &prog->aux->stream_error_cnt) >= BPF_PROG_STREAM_ERROR_CNT;
+}
--
2.47.1
