Hello Quentin,

> Thanks for this! It looks OK, would you have a minimal reproducer by any
> chance?

here's a small example based on libbpf-bootstrap:

------------- reprex_edge_segfault.bpf.c

// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>

char LICENSE[] SEC("license") = "Dual BSD/GPL";

/* noinline keeps do_barf() a separate subprogram, reached through a BPF call */
int __attribute__ ((noinline)) do_barf()
{
	bpf_printk("We're doomed\n");
	return 0;
}

SEC("tp/sched/sched_process_exec")
int handle__sched_process_exec(struct trace_event_raw_sched_process_exec *ctx)
{
	if (ctx->pid > 1000)
		do_barf();
	return 0;
}

------------- reprex_edge_segfault.c

// SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
#include <unistd.h>
#include <bpf/libbpf.h>
#include <bpf/bpf.h>
#include "reprex_edge_segfault.skel.h"

int main(int argc, char **argv)
{
	struct reprex_edge_segfault_bpf *skel;
	int err=0;

	skel = reprex_edge_segfault_bpf__open();
	err = reprex_edge_segfault_bpf__load(skel);
	err = reprex_edge_segfault_bpf__attach(skel);

	/* stay alive so the program remains loaded and attached */
	while (true)
		sleep(1);

	reprex_edge_segfault_bpf__destroy(skel);
	return -err;
}

--------------

Then just add reprex_edge_segfault to APPS variable in examples/c/Makefile.

Kind regards,
Christoph

> Quentin Monnet <qmo@xxxxxxxxxx> wrote on 09.01.2025 19:19 CET:
>
>
> On 08/01/2025 22:09, Christoph Werle wrote:
> > If the last instruction of a control flow graph building block is a
> > BPF_CALL, an incorrect edge with e->dst set to NULL is created and
> > results in a segfault during graph output.
> >
> > Ensure that BPF_CALL as last instruction of a building block is handled
> > correctly and only generates a single edge unlike actual BPF_JUMP*
> > instructions.
> >
> > Signed-off-by: Christoph Werle <christoph.werle@xxxxxxxxxx>
>
>
> Fixes: 0824611f9b38 ("tools: bpftool: partition basic-block for each function in the CFG")
>
>
> > ---
> >  tools/bpf/bpftool/cfg.c | 1 +
> >  1 file changed, 1 insertion(+)
> > > > diff --git a/tools/bpf/bpftool/cfg.c b/tools/bpf/bpftool/cfg.c > > index eec437cca2ea..e3785f9a697d 100644 > > --- a/tools/bpf/bpftool/cfg.c > > +++ b/tools/bpf/bpftool/cfg.c > > @@ -302,6 +302,7 @@ static bool func_add_bb_edges(struct func_node *func) > > > > insn = bb->tail; > > if (!is_jmp_insn(insn->code) || > > + BPF_OP(insn->code) == BPF_CALL || > > BPF_OP(insn->code) == BPF_EXIT) { > > e->dst = bb_next(bb); > > e->flags |= EDGE_FLAG_FALLTHROUGH; > > > Thanks for this! It looks OK, would you have a minimal reproducer by any > chance? > > Quentin
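
Review bot: The added BPF_OP(insn->code) == BPF_CALL clause in func_add_bb_edges() carries no comment explaining why a call at bb->tail takes the same branch as BPF_EXIT and non-jump instructions, and the condition alone does not make that obvious. A short comment above the if would help, along the lines of: a call returns to the next instruction, so the block needs only the EDGE_FLAG_FALLTHROUGH edge to bb_next(bb) and no second, jump-target edge. BPF_OP() compares only the operation bits and not the instruction class; that is harmless here because every non-jump instruction already takes this branch through !is_jmp_insn(insn->code), but the comment could say so, so the clause order is not changed later by accident. Since the commit message describes the failure as a NULL e->dst dereferenced during graph output, it would also be worth adding to the commit message how to trigger it, now that a reproducer exists in this thread.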