AF_XDP: 从堆栈间接读取无效
AF_XDP: invalid indirect read from stack
我试图实现我在这个post中谈到的映射:AF_XDP: map `(SRC-IP, DST-IP, DST-Port)` to index to `BPF_MAP_TYPE_XSKMAP`
我的内核程序有这张地图:
struct bpf_map_def SEC("maps") xdp_packet_mapping = {
.type = BPF_MAP_TYPE_HASH,
.key_size = sizeof(struct pckt_raw_idntfy),
.value_size = sizeof(int),
.max_entries = sizeof(int)
};
和
struct pckt_raw_idntfy {
int src_ip;
int dst_ip;
uint16_t dst_port;
};
在 AF-XDP 程序中,我创建了一个 pckt_raw_idntfy-struct,其中包含当前作为键处理的数据包的相应值:
const struct pckt_raw_idntfy raw = {
.src_ip = iph->saddr,
.dst_ip = iph->daddr,
.dst_port = udh->dest
};
然后我在 xdp_packet_mapping 中查找值并将数据包重定向到 user-space 以防该值存在:
void *ret = bpf_map_lookup_elem(&xdp_packet_mapping, &raw);
if(ret) {
const int *idx = (int*)(ret);
if (bpf_map_lookup_elem(&xsks_map, idx)) {
return bpf_redirect_map(&xsks_map, *idx, 0);
}
}
在 user-space 中,我像这样填充地图:
int find_map_fd(struct bpf_object *bpf_obj, const char *mapname) {
struct bpf_map *map;
int map_fd = -1;
map = bpf_object__find_map_by_name(bpf_obj, mapname);
if (!map) {
fprintf(stderr, "ERR: cannot find map by name: %s\n", mapname);
exit(1);
} else {
map_fd = bpf_map__fd(map);
}
return map_fd;
}
void populate_packet_mapping(struct bpf_object *bpf_obj) {
const int xdp_packet_map_fd = find_map_fd(bpf_obj, "xdp_packet_mapping");
for(uint16_t i = 0; i < ip_addrs_size; i++) {
const struct pckt_idntfy *pck_triple = ip_addrs[i];
struct pckt_raw_idntfy *raw;
pckt_idntfy_to_raw(pck_triple, raw);
int ret = bpf_map_update_elem(xdp_packet_map_fd, raw, &i, 0);
if(ret == 0) {
;
} else {
fprintf(stderr, "Lookup elem for key %u failed!\n", i);
}
}
}
编译工作正常,但如果我尝试执行程序(在程序启动后立即加载 AF-XDP 内核程序),我会收到此错误:
libbpf: load bpf program failed: Permission denied
libbpf: -- BEGIN DUMP LOG ---
libbpf:
0: (b7) r6 = 2
1: (61) r2 = *(u32 *)(r1 +4)
2: (61) r1 = *(u32 *)(r1 +0)
3: (bf) r3 = r1
4: (07) r3 += 196
5: (2d) if r3 > r2 goto pc+49
R1_w=pkt(id=0,off=0,r=196,imm=0) R2_w=pkt_end(id=0,off=0,imm=0) R3_w=pkt(id=0,off=196,r=196,imm=0) R6_w=inv2 R10=fp0
6: (71) r3 = *(u8 *)(r1 +12)
7: (71) r4 = *(u8 *)(r1 +13)
8: (67) r4 <<= 8
9: (4f) r4 |= r3
10: (55) if r4 != 0x8 goto pc+44
R1_w=pkt(id=0,off=0,r=196,imm=0) R2_w=pkt_end(id=0,off=0,imm=0) R3_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R4_w=inv8 R6_w=inv2 R10=fp0
11: (bf) r3 = r1
12: (07) r3 += 414
13: (2d) if r3 > r2 goto pc+41
R1=pkt(id=0,off=0,r=414,imm=0) R2=pkt_end(id=0,off=0,imm=0) R3=pkt(id=0,off=414,r=414,imm=0) R4=inv8 R6=inv2 R10=fp0
14: (71) r3 = *(u8 *)(r1 +23)
15: (55) if r3 != 0x11 goto pc+39
R1=pkt(id=0,off=0,r=414,imm=0) R2=pkt_end(id=0,off=0,imm=0) R3_w=inv17 R4=inv8 R6=inv2 R10=fp0
16: (bf) r3 = r1
17: (07) r3 += 14
18: (71) r4 = *(u8 *)(r3 +0)
19: (67) r4 <<= 2
20: (57) r4 &= 60
21: (bf) r5 = r4
22: (27) r5 *= 20
23: (bf) r0 = r3
24: (0f) r0 += r5
last_idx 24 first_idx 13
regs=20 stack=0 before 23: (bf) r0 = r3
regs=20 stack=0 before 22: (27) r5 *= 20
regs=20 stack=0 before 21: (bf) r5 = r4
regs=10 stack=0 before 20: (57) r4 &= 60
regs=10 stack=0 before 19: (67) r4 <<= 2
regs=10 stack=0 before 18: (71) r4 = *(u8 *)(r3 +0)
25: (2d) if r0 > r2 goto pc+29
R0=pkt(id=1,off=14,r=14,umax_value=1200,var_off=(0x0; 0x7f0)) R1=pkt(id=0,off=0,r=414,imm=0) R2=pkt_end(id=0,off=0,imm=0) R3=pkt(id=0,off=14,r=414,imm=0) R4=inv(id=0,umax_value=60,var_off=(0x0; 0x3c)) R5=invP(id=0,umax_value=1200,var_off=(0x0; 0x7f0)) R6=inv2 R10=fp0
26: (0f) r3 += r4
last_idx 26 first_idx 25
regs=10 stack=0 before 25: (2d) if r0 > r2 goto pc+29
R0_rw=pkt(id=1,off=14,r=0,umax_value=1200,var_off=(0x0; 0x7f0)) R1=pkt(id=0,off=0,r=414,imm=0) R2_r=pkt_end(id=0,off=0,imm=0) R3_rw=pkt(id=0,off=14,r=414,imm=0) R4_rw=invP(id=0,umax_value=60,var_off=(0x0; 0x3c)) R5_w=invP(id=0,umax_value=1200,var_off=(0x0; 0x7f0)) R6=inv2 R10=fp0
parent didn't have regs=10 stack=0 marks
last_idx 24 first_idx 13
regs=10 stack=0 before 24: (0f) r0 += r5
regs=10 stack=0 before 23: (bf) r0 = r3
regs=10 stack=0 before 22: (27) r5 *= 20
regs=10 stack=0 before 21: (bf) r5 = r4
regs=10 stack=0 before 20: (57) r4 &= 60
regs=10 stack=0 before 19: (67) r4 <<= 2
regs=10 stack=0 before 18: (71) r4 = *(u8 *)(r3 +0)
27: (bf) r4 = r3
28: (07) r4 += 64
29: (2d) if r4 > r2 goto pc+25
R0=pkt(id=1,off=14,r=14,umax_value=1200,var_off=(0x0; 0x7f0)) R1=pkt(id=0,off=0,r=414,imm=0) R2=pkt_end(id=0,off=0,imm=0) R3_w=pkt(id=2,off=14,r=78,umax_value=60,var_off=(0x0; 0x3c)) R4_w=pkt(id=2,off=78,r=78,umax_value=60,var_off=(0x0; 0x3c)) R5=invP(id=0,umax_value=1200,var_off=(0x0; 0x7f0)) R6=inv2 R10=fp0
30: (61) r2 = *(u32 *)(r1 +26)
31: (63) *(u32 *)(r10 -16) = r2
32: (61) r1 = *(u32 *)(r1 +30)
33: (63) *(u32 *)(r10 -12) = r1
34: (69) r1 = *(u16 *)(r3 +2)
35: (6b) *(u16 *)(r10 -8) = r1
36: (bf) r2 = r10
37: (07) r2 += -16
38: (18) r1 = 0xffff915728bba000
40: (85) call bpf_map_lookup_elem#1
invalid indirect read from stack off -16+10 size 12
processed 40 insns (limit 1000000) max_states_per_insn 0 total_states 2 peak_states 2 mark_read 1
libbpf: -- END LOG --
知道我做错了什么吗?
编辑:感谢 Qeole,用填充定义结构解决了问题:
struct pckt_raw_idntfy {
int src_ip;
int dst_ip;
uint16_t dst_port;
uint16_t pad;
};
Cilium 的 BPF and XDP Reference Guide 对这个问题有很好的解释。
简而言之,这是因为编译器会在调用地图更新助手之前自动向您的键添加一些填充并将其移动到堆栈。但是当这个程序被检查时,验证者意识到有一些它不知道的未初始化字节,并拒绝了这个程序。
您可以通过打包您的结构来修复它,尽管这也有一些缺点。 推荐的解决方案是手动填充您的密钥以使其适合四个字节的倍数。来自 OP 的编辑:
struct pckt_raw_idntfy {
int src_ip; /* 4 bytes */
int dst_ip; /* 4 bytes */
uint16_t dst_port; /* 2 bytes */
uint16_t pad; /* adding 2 bytes of padding here */
};
更多详情请参阅指南(grep for indirect)。
另一种解决方案,如 here 所建议,您可以强制编译器删除填充:
__builtin_memset(&raw, 0, sizeof(struct pckt_raw_idntfy));
void *ret = bpf_map_lookup_elem(&xdp_packet_mapping, &raw);
但是,这取决于编译器的实现。如果正在寻找更便携的解决方案,我建议您遵循@Qeole 的回答:manually pad.
我试图实现我在这个post中谈到的映射:AF_XDP: map `(SRC-IP, DST-IP, DST-Port)` to index to `BPF_MAP_TYPE_XSKMAP`
我的内核程序有这张地图:
struct bpf_map_def SEC("maps") xdp_packet_mapping = {
.type = BPF_MAP_TYPE_HASH,
.key_size = sizeof(struct pckt_raw_idntfy),
.value_size = sizeof(int),
.max_entries = sizeof(int)
};
和
struct pckt_raw_idntfy {
int src_ip;
int dst_ip;
uint16_t dst_port;
};
在 AF-XDP 程序中,我创建了一个 pckt_raw_idntfy-struct,其中包含当前作为键处理的数据包的相应值:
const struct pckt_raw_idntfy raw = {
.src_ip = iph->saddr,
.dst_ip = iph->daddr,
.dst_port = udh->dest
};
然后我在 xdp_packet_mapping 中查找值并将数据包重定向到 user-space 以防该值存在:
void *ret = bpf_map_lookup_elem(&xdp_packet_mapping, &raw);
if(ret) {
const int *idx = (int*)(ret);
if (bpf_map_lookup_elem(&xsks_map, idx)) {
return bpf_redirect_map(&xsks_map, *idx, 0);
}
}
在 user-space 中,我像这样填充地图:
int find_map_fd(struct bpf_object *bpf_obj, const char *mapname) {
struct bpf_map *map;
int map_fd = -1;
map = bpf_object__find_map_by_name(bpf_obj, mapname);
if (!map) {
fprintf(stderr, "ERR: cannot find map by name: %s\n", mapname);
exit(1);
} else {
map_fd = bpf_map__fd(map);
}
return map_fd;
}
void populate_packet_mapping(struct bpf_object *bpf_obj) {
const int xdp_packet_map_fd = find_map_fd(bpf_obj, "xdp_packet_mapping");
for(uint16_t i = 0; i < ip_addrs_size; i++) {
const struct pckt_idntfy *pck_triple = ip_addrs[i];
struct pckt_raw_idntfy *raw;
pckt_idntfy_to_raw(pck_triple, raw);
int ret = bpf_map_update_elem(xdp_packet_map_fd, raw, &i, 0);
if(ret == 0) {
;
} else {
fprintf(stderr, "Lookup elem for key %u failed!\n", i);
}
}
}
编译工作正常,但如果我尝试执行程序(在程序启动后立即加载 AF-XDP 内核程序),我会收到此错误:
libbpf: load bpf program failed: Permission denied
libbpf: -- BEGIN DUMP LOG ---
libbpf:
0: (b7) r6 = 2
1: (61) r2 = *(u32 *)(r1 +4)
2: (61) r1 = *(u32 *)(r1 +0)
3: (bf) r3 = r1
4: (07) r3 += 196
5: (2d) if r3 > r2 goto pc+49
R1_w=pkt(id=0,off=0,r=196,imm=0) R2_w=pkt_end(id=0,off=0,imm=0) R3_w=pkt(id=0,off=196,r=196,imm=0) R6_w=inv2 R10=fp0
6: (71) r3 = *(u8 *)(r1 +12)
7: (71) r4 = *(u8 *)(r1 +13)
8: (67) r4 <<= 8
9: (4f) r4 |= r3
10: (55) if r4 != 0x8 goto pc+44
R1_w=pkt(id=0,off=0,r=196,imm=0) R2_w=pkt_end(id=0,off=0,imm=0) R3_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R4_w=inv8 R6_w=inv2 R10=fp0
11: (bf) r3 = r1
12: (07) r3 += 414
13: (2d) if r3 > r2 goto pc+41
R1=pkt(id=0,off=0,r=414,imm=0) R2=pkt_end(id=0,off=0,imm=0) R3=pkt(id=0,off=414,r=414,imm=0) R4=inv8 R6=inv2 R10=fp0
14: (71) r3 = *(u8 *)(r1 +23)
15: (55) if r3 != 0x11 goto pc+39
R1=pkt(id=0,off=0,r=414,imm=0) R2=pkt_end(id=0,off=0,imm=0) R3_w=inv17 R4=inv8 R6=inv2 R10=fp0
16: (bf) r3 = r1
17: (07) r3 += 14
18: (71) r4 = *(u8 *)(r3 +0)
19: (67) r4 <<= 2
20: (57) r4 &= 60
21: (bf) r5 = r4
22: (27) r5 *= 20
23: (bf) r0 = r3
24: (0f) r0 += r5
last_idx 24 first_idx 13
regs=20 stack=0 before 23: (bf) r0 = r3
regs=20 stack=0 before 22: (27) r5 *= 20
regs=20 stack=0 before 21: (bf) r5 = r4
regs=10 stack=0 before 20: (57) r4 &= 60
regs=10 stack=0 before 19: (67) r4 <<= 2
regs=10 stack=0 before 18: (71) r4 = *(u8 *)(r3 +0)
25: (2d) if r0 > r2 goto pc+29
R0=pkt(id=1,off=14,r=14,umax_value=1200,var_off=(0x0; 0x7f0)) R1=pkt(id=0,off=0,r=414,imm=0) R2=pkt_end(id=0,off=0,imm=0) R3=pkt(id=0,off=14,r=414,imm=0) R4=inv(id=0,umax_value=60,var_off=(0x0; 0x3c)) R5=invP(id=0,umax_value=1200,var_off=(0x0; 0x7f0)) R6=inv2 R10=fp0
26: (0f) r3 += r4
last_idx 26 first_idx 25
regs=10 stack=0 before 25: (2d) if r0 > r2 goto pc+29
R0_rw=pkt(id=1,off=14,r=0,umax_value=1200,var_off=(0x0; 0x7f0)) R1=pkt(id=0,off=0,r=414,imm=0) R2_r=pkt_end(id=0,off=0,imm=0) R3_rw=pkt(id=0,off=14,r=414,imm=0) R4_rw=invP(id=0,umax_value=60,var_off=(0x0; 0x3c)) R5_w=invP(id=0,umax_value=1200,var_off=(0x0; 0x7f0)) R6=inv2 R10=fp0
parent didn't have regs=10 stack=0 marks
last_idx 24 first_idx 13
regs=10 stack=0 before 24: (0f) r0 += r5
regs=10 stack=0 before 23: (bf) r0 = r3
regs=10 stack=0 before 22: (27) r5 *= 20
regs=10 stack=0 before 21: (bf) r5 = r4
regs=10 stack=0 before 20: (57) r4 &= 60
regs=10 stack=0 before 19: (67) r4 <<= 2
regs=10 stack=0 before 18: (71) r4 = *(u8 *)(r3 +0)
27: (bf) r4 = r3
28: (07) r4 += 64
29: (2d) if r4 > r2 goto pc+25
R0=pkt(id=1,off=14,r=14,umax_value=1200,var_off=(0x0; 0x7f0)) R1=pkt(id=0,off=0,r=414,imm=0) R2=pkt_end(id=0,off=0,imm=0) R3_w=pkt(id=2,off=14,r=78,umax_value=60,var_off=(0x0; 0x3c)) R4_w=pkt(id=2,off=78,r=78,umax_value=60,var_off=(0x0; 0x3c)) R5=invP(id=0,umax_value=1200,var_off=(0x0; 0x7f0)) R6=inv2 R10=fp0
30: (61) r2 = *(u32 *)(r1 +26)
31: (63) *(u32 *)(r10 -16) = r2
32: (61) r1 = *(u32 *)(r1 +30)
33: (63) *(u32 *)(r10 -12) = r1
34: (69) r1 = *(u16 *)(r3 +2)
35: (6b) *(u16 *)(r10 -8) = r1
36: (bf) r2 = r10
37: (07) r2 += -16
38: (18) r1 = 0xffff915728bba000
40: (85) call bpf_map_lookup_elem#1
invalid indirect read from stack off -16+10 size 12
processed 40 insns (limit 1000000) max_states_per_insn 0 total_states 2 peak_states 2 mark_read 1
libbpf: -- END LOG --
知道我做错了什么吗?
编辑:感谢 Qeole,用填充定义结构解决了问题:
struct pckt_raw_idntfy {
int src_ip;
int dst_ip;
uint16_t dst_port;
uint16_t pad;
};
Cilium 的 BPF and XDP Reference Guide 对这个问题有很好的解释。
简而言之,这是因为编译器会在调用地图更新助手之前自动向您的键添加一些填充并将其移动到堆栈。但是当这个程序被检查时,验证者意识到有一些它不知道的未初始化字节,并拒绝了这个程序。
您可以通过打包您的结构来修复它,尽管这也有一些缺点。 推荐的解决方案是手动填充您的密钥以使其适合四个字节的倍数。来自 OP 的编辑:
struct pckt_raw_idntfy {
int src_ip; /* 4 bytes */
int dst_ip; /* 4 bytes */
uint16_t dst_port; /* 2 bytes */
uint16_t pad; /* adding 2 bytes of padding here */
};
更多详情请参阅指南(grep for indirect)。
另一种解决方案,如 here 所建议,您可以强制编译器删除填充:
__builtin_memset(&raw, 0, sizeof(struct pckt_raw_idntfy));
void *ret = bpf_map_lookup_elem(&xdp_packet_mapping, &raw);
但是,这取决于编译器的实现。如果正在寻找更便携的解决方案,我建议您遵循@Qeole 的回答:manually pad.