Linux Perf
bpf-prologue.c
Go to the documentation of this file.
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * bpf-prologue.c
4  *
5  * Copyright (C) 2015 He Kuang <hekuang@huawei.com>
6  * Copyright (C) 2015 Wang Nan <wangnan0@huawei.com>
7  * Copyright (C) 2015 Huawei Inc.
8  */
9 
10 #include <bpf/libbpf.h>
11 #include "perf.h"
12 #include "debug.h"
13 #include "bpf-loader.h"
14 #include "bpf-prologue.h"
15 #include "probe-finder.h"
16 #include <errno.h>
17 #include <dwarf-regs.h>
18 #include <linux/filter.h>
19 
20 #define BPF_REG_SIZE 8
21 
22 #define JMP_TO_ERROR_CODE -1
23 #define JMP_TO_SUCCESS_CODE -2
24 #define JMP_TO_USER_CODE -3
25 
26 struct bpf_insn_pos {
27  struct bpf_insn *begin;
28  struct bpf_insn *end;
29  struct bpf_insn *pos;
30 };
31 
32 static inline int
34 {
35  return pos->pos - pos->begin;
36 }
37 
38 static int
39 append_insn(struct bpf_insn new_insn, struct bpf_insn_pos *pos)
40 {
41  if (!pos->pos)
43 
44  if (pos->pos + 1 >= pos->end) {
45  pr_err("bpf prologue: prologue too long\n");
46  pos->pos = NULL;
48  }
49 
50  *(pos->pos)++ = new_insn;
51  return 0;
52 }
53 
54 static int
56 {
57  if (!pos->pos || pos->pos >= pos->end)
59  return 0;
60 }
61 
62 /*
63  * Convert type string (u8/u16/u32/u64/s8/s16/s32/s64 ..., see
64  * Documentation/trace/kprobetrace.txt) to size field of BPF_LDX_MEM
65  * instruction (BPF_{B,H,W,DW}).
66  */
67 static int
68 argtype_to_ldx_size(const char *type)
69 {
70  int arg_size = type ? atoi(&type[1]) : 64;
71 
72  switch (arg_size) {
73  case 8:
74  return BPF_B;
75  case 16:
76  return BPF_H;
77  case 32:
78  return BPF_W;
79  case 64:
80  default:
81  return BPF_DW;
82  }
83 }
84 
85 static const char *
86 insn_sz_to_str(int insn_sz)
87 {
88  switch (insn_sz) {
89  case BPF_B:
90  return "BPF_B";
91  case BPF_H:
92  return "BPF_H";
93  case BPF_W:
94  return "BPF_W";
95  case BPF_DW:
96  return "BPF_DW";
97  default:
98  return "UNKNOWN";
99  }
100 }
101 
102 /* Give it a shorter name */
103 #define ins(i, p) append_insn((i), (p))
104 
105 /*
106  * Give a register name (in 'reg'), generate instruction to
107  * load register into an eBPF register rd:
108  * 'ldd target_reg, offset(ctx_reg)', where:
109  * ctx_reg is pre initialized to pointer of 'struct pt_regs'.
110  */
111 static int
112 gen_ldx_reg_from_ctx(struct bpf_insn_pos *pos, int ctx_reg,
113  const char *reg, int target_reg)
114 {
115  int offset = regs_query_register_offset(reg);
116 
117  if (offset < 0) {
118  pr_err("bpf: prologue: failed to get register %s\n",
119  reg);
120  return offset;
121  }
122  ins(BPF_LDX_MEM(BPF_DW, target_reg, ctx_reg, offset), pos);
123 
124  return check_pos(pos);
125 }
126 
127 /*
128  * Generate a BPF_FUNC_probe_read function call.
129  *
130  * src_base_addr_reg is a register holding base address,
131  * dst_addr_reg is a register holding dest address (on stack),
132  * result is:
133  *
134  * *[dst_addr_reg] = *([src_base_addr_reg] + offset)
135  *
136  * Arguments of BPF_FUNC_probe_read:
137  * ARG1: ptr to stack (dest)
138  * ARG2: size (8)
139  * ARG3: unsafe ptr (src)
140  */
141 static int
143  int src_base_addr_reg,
144  int dst_addr_reg,
145  long offset)
146 {
147  /* mov arg3, src_base_addr_reg */
148  if (src_base_addr_reg != BPF_REG_ARG3)
149  ins(BPF_MOV64_REG(BPF_REG_ARG3, src_base_addr_reg), pos);
150  /* add arg3, #offset */
151  if (offset)
152  ins(BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, offset), pos);
153 
154  /* mov arg2, #reg_size */
155  ins(BPF_ALU64_IMM(BPF_MOV, BPF_REG_ARG2, BPF_REG_SIZE), pos);
156 
157  /* mov arg1, dst_addr_reg */
158  if (dst_addr_reg != BPF_REG_ARG1)
159  ins(BPF_MOV64_REG(BPF_REG_ARG1, dst_addr_reg), pos);
160 
161  /* Call probe_read */
162  ins(BPF_EMIT_CALL(BPF_FUNC_probe_read), pos);
163  /*
164  * Error processing: if read fail, goto error code,
165  * will be relocated. Target should be the start of
166  * error processing code.
167  */
168  ins(BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, JMP_TO_ERROR_CODE),
169  pos);
170 
171  return check_pos(pos);
172 }
173 
174 /*
175  * Each arg should be bare register. Fetch and save them into argument
176  * registers (r3 - r5).
177  *
178  * BPF_REG_1 should have been initialized with pointer to
179  * 'struct pt_regs'.
180  */
181 static int
183  struct probe_trace_arg *args, int nargs)
184 {
185  int i, err = 0;
186 
187  for (i = 0; i < nargs; i++) {
188  err = gen_ldx_reg_from_ctx(pos, BPF_REG_1, args[i].value,
190  if (err)
191  goto errout;
192  }
193 
194  return check_pos(pos);
195 errout:
196  return err;
197 }
198 
199 /*
200  * Slow path:
201  * At least one argument has the form of 'offset($rx)'.
202  *
203  * Following code first stores them into stack, then loads all of then
204  * to r2 - r5.
205  * Before final loading, the final result should be:
206  *
207  * low address
208  * BPF_REG_FP - 24 ARG3
209  * BPF_REG_FP - 16 ARG2
210  * BPF_REG_FP - 8 ARG1
211  * BPF_REG_FP
212  * high address
213  *
214  * For each argument (described as: offn(...off2(off1(reg)))),
215  * generates following code:
216  *
217  * r7 <- fp
218  * r7 <- r7 - stack_offset // Ideal code should initialize r7 using
219  * // fp before generating args. However,
220  * // eBPF won't regard r7 as stack pointer
221  * // if it is generated by minus 8 from
222  * // another stack pointer except fp.
223  * // This is why we have to set r7
224  * // to fp for each variable.
225  * r3 <- value of 'reg'-> generated using gen_ldx_reg_from_ctx()
226  * (r7) <- r3 // skip following instructions for bare reg
227  * r3 <- r3 + off1 . // skip if off1 == 0
228  * r2 <- 8 \
229  * r1 <- r7 |-> generated by gen_read_mem()
230  * call probe_read /
231  * jnei r0, 0, err ./
232  * r3 <- (r7)
233  * r3 <- r3 + off2 . // skip if off2 == 0
234  * r2 <- 8 \ // r2 may be broken by probe_read, so set again
235  * r1 <- r7 |-> generated by gen_read_mem()
236  * call probe_read /
237  * jnei r0, 0, err ./
238  * ...
239  */
240 static int
242  struct probe_trace_arg *args, int nargs)
243 {
244  int err, i;
245 
246  for (i = 0; i < nargs; i++) {
247  struct probe_trace_arg *arg = &args[i];
248  const char *reg = arg->value;
249  struct probe_trace_arg_ref *ref = NULL;
250  int stack_offset = (i + 1) * -8;
251 
252  pr_debug("prologue: fetch arg %d, base reg is %s\n",
253  i, reg);
254 
255  /* value of base register is stored into ARG3 */
256  err = gen_ldx_reg_from_ctx(pos, BPF_REG_CTX, reg,
257  BPF_REG_ARG3);
258  if (err) {
259  pr_err("prologue: failed to get offset of register %s\n",
260  reg);
261  goto errout;
262  }
263 
264  /* Make r7 the stack pointer. */
265  ins(BPF_MOV64_REG(BPF_REG_7, BPF_REG_FP), pos);
266  /* r7 += -8 */
267  ins(BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, stack_offset), pos);
268  /*
269  * Store r3 (base register) onto stack
270  * Ensure fp[offset] is set.
271  * fp is the only valid base register when storing
272  * into stack. We are not allowed to use r7 as base
273  * register here.
274  */
275  ins(BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG3,
276  stack_offset), pos);
277 
278  ref = arg->ref;
279  while (ref) {
280  pr_debug("prologue: arg %d: offset %ld\n",
281  i, ref->offset);
282  err = gen_read_mem(pos, BPF_REG_3, BPF_REG_7,
283  ref->offset);
284  if (err) {
285  pr_err("prologue: failed to generate probe_read function call\n");
286  goto errout;
287  }
288 
289  ref = ref->next;
290  /*
291  * Load previous result into ARG3. Use
292  * BPF_REG_FP instead of r7 because verifier
293  * allows FP based addressing only.
294  */
295  if (ref)
296  ins(BPF_LDX_MEM(BPF_DW, BPF_REG_ARG3,
297  BPF_REG_FP, stack_offset), pos);
298  }
299  }
300 
301  /* Final pass: read to registers */
302  for (i = 0; i < nargs; i++) {
303  int insn_sz = (args[i].ref) ? argtype_to_ldx_size(args[i].type) : BPF_DW;
304 
305  pr_debug("prologue: load arg %d, insn_sz is %s\n",
306  i, insn_sz_to_str(insn_sz));
307  ins(BPF_LDX_MEM(insn_sz, BPF_PROLOGUE_START_ARG_REG + i,
308  BPF_REG_FP, -BPF_REG_SIZE * (i + 1)), pos);
309  }
310 
311  ins(BPF_JMP_IMM(BPF_JA, BPF_REG_0, 0, JMP_TO_SUCCESS_CODE), pos);
312 
313  return check_pos(pos);
314 errout:
315  return err;
316 }
317 
318 static int
319 prologue_relocate(struct bpf_insn_pos *pos, struct bpf_insn *error_code,
320  struct bpf_insn *success_code, struct bpf_insn *user_code)
321 {
322  struct bpf_insn *insn;
323 
324  if (check_pos(pos))
326 
327  for (insn = pos->begin; insn < pos->pos; insn++) {
328  struct bpf_insn *target;
329  u8 class = BPF_CLASS(insn->code);
330  u8 opcode;
331 
332  if (class != BPF_JMP)
333  continue;
334  opcode = BPF_OP(insn->code);
335  if (opcode == BPF_CALL)
336  continue;
337 
338  switch (insn->off) {
339  case JMP_TO_ERROR_CODE:
340  target = error_code;
341  break;
342  case JMP_TO_SUCCESS_CODE:
343  target = success_code;
344  break;
345  case JMP_TO_USER_CODE:
346  target = user_code;
347  break;
348  default:
349  pr_err("bpf prologue: internal error: relocation failed\n");
351  }
352 
353  insn->off = target - (insn + 1);
354  }
355  return 0;
356 }
357 
358 int bpf__gen_prologue(struct probe_trace_arg *args, int nargs,
359  struct bpf_insn *new_prog, size_t *new_cnt,
360  size_t cnt_space)
361 {
362  struct bpf_insn *success_code = NULL;
363  struct bpf_insn *error_code = NULL;
364  struct bpf_insn *user_code = NULL;
365  struct bpf_insn_pos pos;
366  bool fastpath = true;
367  int err = 0, i;
368 
369  if (!new_prog || !new_cnt)
370  return -EINVAL;
371 
372  if (cnt_space > BPF_MAXINSNS)
373  cnt_space = BPF_MAXINSNS;
374 
375  pos.begin = new_prog;
376  pos.end = new_prog + cnt_space;
377  pos.pos = new_prog;
378 
379  if (!nargs) {
380  ins(BPF_ALU64_IMM(BPF_MOV, BPF_PROLOGUE_FETCH_RESULT_REG, 0),
381  &pos);
382 
383  if (check_pos(&pos))
384  goto errout;
385 
386  *new_cnt = pos_get_cnt(&pos);
387  return 0;
388  }
389 
390  if (nargs > BPF_PROLOGUE_MAX_ARGS) {
391  pr_warning("bpf: prologue: %d arguments are dropped\n",
392  nargs - BPF_PROLOGUE_MAX_ARGS);
393  nargs = BPF_PROLOGUE_MAX_ARGS;
394  }
395 
396  /* First pass: validation */
397  for (i = 0; i < nargs; i++) {
398  struct probe_trace_arg_ref *ref = args[i].ref;
399 
400  if (args[i].value[0] == '@') {
401  /* TODO: fetch global variable */
402  pr_err("bpf: prologue: global %s%+ld not support\n",
403  args[i].value, ref ? ref->offset : 0);
404  return -ENOTSUP;
405  }
406 
407  while (ref) {
408  /* fastpath is true if all args has ref == NULL */
409  fastpath = false;
410 
411  /*
412  * Instruction encodes immediate value using
413  * s32, ref->offset is long. On systems which
414  * can't fill long in s32, refuse to process if
415  * ref->offset too large (or small).
416  */
417 #ifdef __LP64__
418 #define OFFSET_MAX ((1LL << 31) - 1)
419 #define OFFSET_MIN ((1LL << 31) * -1)
420  if (ref->offset > OFFSET_MAX ||
421  ref->offset < OFFSET_MIN) {
422  pr_err("bpf: prologue: offset out of bound: %ld\n",
423  ref->offset);
425  }
426 #endif
427  ref = ref->next;
428  }
429  }
430  pr_debug("prologue: pass validation\n");
431 
432  if (fastpath) {
433  /* If all variables are registers... */
434  pr_debug("prologue: fast path\n");
435  err = gen_prologue_fastpath(&pos, args, nargs);
436  if (err)
437  goto errout;
438  } else {
439  pr_debug("prologue: slow path\n");
440 
441  /* Initialization: move ctx to a callee saved register. */
442  ins(BPF_MOV64_REG(BPF_REG_CTX, BPF_REG_ARG1), &pos);
443 
444  err = gen_prologue_slowpath(&pos, args, nargs);
445  if (err)
446  goto errout;
447  /*
448  * start of ERROR_CODE (only slow pass needs error code)
449  * mov r2 <- 1 // r2 is error number
450  * mov r3 <- 0 // r3, r4... should be touched or
451  * // verifier would complain
452  * mov r4 <- 0
453  * ...
454  * goto usercode
455  */
456  error_code = pos.pos;
457  ins(BPF_ALU64_IMM(BPF_MOV, BPF_PROLOGUE_FETCH_RESULT_REG, 1),
458  &pos);
459 
460  for (i = 0; i < nargs; i++)
461  ins(BPF_ALU64_IMM(BPF_MOV,
463  0),
464  &pos);
465  ins(BPF_JMP_IMM(BPF_JA, BPF_REG_0, 0, JMP_TO_USER_CODE),
466  &pos);
467  }
468 
469  /*
470  * start of SUCCESS_CODE:
471  * mov r2 <- 0
472  * goto usercode // skip
473  */
474  success_code = pos.pos;
475  ins(BPF_ALU64_IMM(BPF_MOV, BPF_PROLOGUE_FETCH_RESULT_REG, 0), &pos);
476 
477  /*
478  * start of USER_CODE:
479  * Restore ctx to r1
480  */
481  user_code = pos.pos;
482  if (!fastpath) {
483  /*
484  * Only slow path needs restoring of ctx. In fast path,
485  * register are loaded directly from r1.
486  */
487  ins(BPF_MOV64_REG(BPF_REG_ARG1, BPF_REG_CTX), &pos);
488  err = prologue_relocate(&pos, error_code, success_code,
489  user_code);
490  if (err)
491  goto errout;
492  }
493 
494  err = check_pos(&pos);
495  if (err)
496  goto errout;
497 
498  *new_cnt = pos_get_cnt(&pos);
499  return 0;
500 errout:
501  return err;
502 }
static const char * insn_sz_to_str(int insn_sz)
Definition: bpf-prologue.c:86
Definition: insn.h:36
#define BPF_PROLOGUE_START_ARG_REG
Definition: bpf-prologue.h:14
int value
Definition: python.c:1143
static int gen_prologue_fastpath(struct bpf_insn_pos *pos, struct probe_trace_arg *args, int nargs)
Definition: bpf-prologue.c:182
static int gen_ldx_reg_from_ctx(struct bpf_insn_pos *pos, int ctx_reg, const char *reg, int target_reg)
Definition: bpf-prologue.c:112
struct bpf_insn * pos
Definition: bpf-prologue.c:29
#define JMP_TO_USER_CODE
Definition: bpf-prologue.c:24
static int gen_prologue_slowpath(struct bpf_insn_pos *pos, struct probe_trace_arg *args, int nargs)
Definition: bpf-prologue.c:241
int int err
Definition: 5sec.c:44
int regs_query_register_offset(const char *name)
Definition: dwarf-regs.c:88
#define BPF_PROLOGUE_MAX_ARGS
Definition: bpf-prologue.h:13
#define pr_err(fmt,...)
Definition: json.h:21
static int append_insn(struct bpf_insn new_insn, struct bpf_insn_pos *pos)
Definition: bpf-prologue.c:39
struct probe_trace_arg_ref * next
Definition: probe-event.h:36
#define JMP_TO_ERROR_CODE
Definition: bpf-prologue.c:22
#define pr_debug(fmt,...)
Definition: json.h:27
#define JMP_TO_SUCCESS_CODE
Definition: bpf-prologue.c:23
struct bpf_insn * end
Definition: bpf-prologue.c:28
static int pos_get_cnt(struct bpf_insn_pos *pos)
Definition: bpf-prologue.c:33
static int gen_read_mem(struct bpf_insn_pos *pos, int src_base_addr_reg, int dst_addr_reg, long offset)
Definition: bpf-prologue.c:142
int bpf__gen_prologue(struct probe_trace_arg *args, int nargs, struct bpf_insn *new_prog, size_t *new_cnt, size_t cnt_space)
Definition: bpf-prologue.c:358
static int check_pos(struct bpf_insn_pos *pos)
Definition: bpf-prologue.c:55
#define ins(i, p)
Definition: bpf-prologue.c:103
static int prologue_relocate(struct bpf_insn_pos *pos, struct bpf_insn *error_code, struct bpf_insn *success_code, struct bpf_insn *user_code)
Definition: bpf-prologue.c:319
#define BPF_REG_SIZE
Definition: bpf-prologue.c:20
struct bpf_insn * begin
Definition: bpf-prologue.c:27
#define BPF_PROLOGUE_FETCH_RESULT_REG
Definition: bpf-prologue.h:15
#define pr_warning(fmt,...)
Definition: debug.h:25
char * target
Definition: builtin-probe.c:59
static int argtype_to_ldx_size(const char *type)
Definition: bpf-prologue.c:68
struct probe_trace_arg_ref * ref
Definition: probe-event.h:45