Cc-ing bpf list.

On Fri, Dec 06, 2024 at 11:03:19AM -0800, Howard Chu wrote:
> Forgot to mention clang-13 gave unbounded memory access too:
>
> ffffffff,var_off=(0x0; 0xffffffff))
> R9=scalar(id=14,smin=umin=umin32=2,smax=umax=0xffffffff,var_off=(0x0;
> 0xffffffff))
> 90: (85) call bpf_probe_read_user#112
> R2 unbounded memory access, use 'var &= const' or 'if (var < const)'
> processed 490 insns (limit 1000000) max_states_per_insn 2 total_states
> 23 peak_states 23 mark_read 15
> -- END PROG LOAD LOG --
> libbpf: prog 'sys_enter': failed to load: -13
> libbpf: failed to load object 'augmented_raw_syscalls_bpf'
> libbpf: failed to load BPF skeleton 'augmented_raw_syscalls_bpf': -13
> libbpf: map '__augmented_syscalls__': can't use BPF map without FD
> (was it created?)
> libbpf: map '__augmented_syscalls__': can't use BPF map without FD
> (was it created?)
> libbpf: map '__augmented_syscalls__': can't use BPF map without FD
> (was it created?)
> libbpf: map '__augmented_syscalls__': can't use BPF map without FD
> (was it created?)
> Not enough memory to run!
>
> Kernel:
>
> perf $ uname -r
> 6.11.0-061100-generic
>
> Thanks,
> Howard
>
> On Fri, Dec 6, 2024 at 10:36 AM Howard Chu <howardchu95@xxxxxxxxx> wrote:
> >
> > Hi Qiao, Namhyung, and Arnaldo,
> >
> > Apologies. I observed the same issue and tested perf with trace BPF
> > skel generated by clang-13 to clang-18, turns out BPF skels generated
> > by clang version <= clang-16 are not loadable, with clang-15 and -16
> > showing the same error as yours. Additionally, the BPF verifier is
> > running longer than usual to process the instructions.
> >
> > perf $ ./perf trace -e write --max-events=1
> > libbpf: prog 'sys_enter': BPF program load failed: Argument list too long
> > libbpf: prog 'sys_enter': -- BEGIN PROG LOAD LOG --
> > 0: R1=ctx() R10=fp0
> > ; int sys_enter(struct syscall_enter_args *args) @
> > augmented_raw_syscalls.bpf.c:527
> > 0: (bf) r7 = r1 ; R1=ctx() R7_w=ctx()
> > ; return bpf_get_current_pid_tgid(); @ augmented_raw_syscalls.bpf.c:423
> > ...
> > 140: (79) r7 = *(u64 *)(r10 -48) ; R7_w=ctx() R10=fp0 fp-48=ctx()
> > 141: (79) r0 = *(u64 *)(r10 -56)
> > BPF program is too large. Processed 1000001 insn
> > processed 1000001 insns (limit 1000000) max_states_per_insn 28
> > total_states 37670 peak_states 330 mark_read 16
> > -- END PROG LOAD LOG --
> > libbpf: prog 'sys_enter': failed to load: -7
> > libbpf: failed to load object 'augmented_raw_syscalls_bpf'
> > libbpf: failed to load BPF skeleton 'augmented_raw_syscalls_bpf': -7
> > libbpf: map '__augmented_syscalls__': can't use BPF map without FD
> > (was it created?)
> > libbpf: map '__augmented_syscalls__': can't use BPF map without FD
> > (was it created?)
> > libbpf: map '__augmented_syscalls__': can't use BPF map without FD
> > (was it created?)
> > libbpf: map '__augmented_syscalls__': can't use BPF map without FD
> > (was it created?)
> > Not enough memory to run!
> >
> > For clang-14 however, I encountered an unbounded memory access:
> >
> > perf $ ./perf trace -e write --max-events=1
> > libbpf: prog 'sys_enter': BPF program load failed: Permission denied
> > libbpf: prog 'sys_enter': -- BEGIN PROG LOAD LOG --
> > 0: R1=ctx() R10=fp0
> > ; int sys_enter(struct syscall_enter_args *args) @
> > augmented_raw_syscalls.bpf.c:527
> > 0: (bf) r7 = r1 ; R1=ctx() R7_w=ctx()
> > ; return bpf_get_current_pid_tgid(); @ augmented_raw_syscalls.bpf.c:423
> > 1: (85) call bpf_get_current_pid_tgid#14 ; R0_w=scalar()
> > 2: (63) *(u32 *)(r10 -4) = r0 ; R0_w=scalar() R10=fp0 fp-8=mmmm????
> > 88: (79) r1 = *(u64 *)(r10 -16) ;
> > R1_w=map_value(map=beauty_payload_,ks=4,vs=24688,off=112) R10=fp0
> > fp-16=map_value(map=beauty_payload_,ks=4,vs=24688,off=112)
> > 89: (bf) r2 = r9 ;
> > R2_w=scalar(id=14,smin=umin=umin32=2,smax=umax=0xffffffff,var_off=(0x0;
> > 0xffffffff)) R9=scalar(id=14,smin=umin=umin32=2,smax=umax=0xffffffff,var_off=(0x0;
> > 0xffffffff))
> > 90: (85) call bpf_probe_read_user#112
> > R2 unbounded memory access, use 'var &= const' or 'if (var < const)'
> > processed 490 insns (limit 1000000) max_states_per_insn 2 total_states
> > 23 peak_states 23 mark_read 15
> > -- END PROG LOAD LOG --
> > libbpf: prog 'sys_enter': failed to load: -13
> > libbpf: failed to load object 'augmented_raw_syscalls_bpf'
> > libbpf: failed to load BPF skeleton 'augmented_raw_syscalls_bpf': -13
> > libbpf: map '__augmented_syscalls__': can't use BPF map without FD
> > (was it created?)
> > libbpf: map '__augmented_syscalls__': can't use BPF map without FD
> > (was it created?)
> > libbpf: map '__augmented_syscalls__': can't use BPF map without FD
> > (was it created?)
> > libbpf: map '__augmented_syscalls__': can't use BPF map without FD
> > (was it created?)
> > Not enough memory to run!
> >
> > I thought I had tested them, but apparently I didn’t. My apologies
> > again, and fixes are on the way.
> >
> > Thanks,
> > Howard