features: make HaveProgramHelper more accurate

Parse the verifier output to figure out whether a helper call is really not supported. This makes the result more reliable and allows us to get rid of asm.BuiltinFunc.Max(). Signed-off-by: Lorenz Bauer <[email protected]>
cilium · Jan 8, 2025 · 1afe479 · 1afe479
1 parent b805828
commit 1afe479
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 18 deletions.
diff --git a/asm/func.go b/asm/func.go
@@ -5,10 +5,6 @@ package asm
 // BuiltinFunc is a built-in eBPF function.
 type BuiltinFunc int32
 
-func (_ BuiltinFunc) Max() BuiltinFunc {
-	return maxBuiltinFunc - 1
-}
-
 // eBPF built-in functions
 //
 // You can regenerate this list using the following gawk script:
@@ -237,8 +233,6 @@ const (
 	FnUserRingbufDrain
 	FnCgrpStorageGet
 	FnCgrpStorageDelete
-
-	maxBuiltinFunc
 )
 
 // Call emits a function call.

diff --git a/asm/func_string.go b/asm/func_string.go
diff --git a/features/prog.go b/features/prog.go
@@ -3,7 +3,7 @@ package features
 import (
 	"errors"
 	"fmt"
-	"os"
+	"strings"
 
 	"github.com/cilium/ebpf"
 	"github.com/cilium/ebpf/asm"
@@ -229,10 +229,6 @@ var helperCache = internal.NewFeatureCache(func(key helperKey) *internal.Feature
 //
 // Probe results are cached and persist throughout any process capability changes.
 func HaveProgramHelper(pt ebpf.ProgramType, helper asm.BuiltinFunc) error {
-	if helper > helper.Max() {
-		return os.ErrInvalid
-	}
-
 	return helperCache.Result(helperKey{pt, helper})
 }
 
@@ -267,30 +263,64 @@ func haveProgramHelper(pt ebpf.ProgramType, helper asm.BuiltinFunc) error {
 	}
 
 	prog, err := ebpf.NewProgramWithOptions(spec, ebpf.ProgramOptions{
-		LogDisabled: true,
+		LogLevel: 1,
 	})
 	if err == nil {
 		prog.Close()
 	}
 
+	var verr *ebpf.VerifierError
+	if !errors.As(err, &verr) {
+		return err
+	}
+
+	helperTag := fmt.Sprintf("#%d", helper)
+
 	switch {
 	// EACCES occurs when attempting to create a program probe with a helper
 	// while the register args when calling this helper aren't set up properly.
 	// We interpret this as the helper being available, because the verifier
 	// returns EINVAL if the helper is not supported by the running kernel.
 	case errors.Is(err, unix.EACCES):
-		// TODO: possibly we need to check verifier output here to be sure
 		err = nil
 
 	// EINVAL occurs when attempting to create a program with an unknown helper.
 	case errors.Is(err, unix.EINVAL):
-		// TODO: possibly we need to check verifier output here to be sure
-		err = ebpf.ErrNotSupported
+		// https://github.com/torvalds/linux/blob/09a0fa92e5b45e99cf435b2fbf5ebcf889cf8780/kernel/bpf/verifier.c#L10663
+		if logContainsAll(verr.Log, "invalid func", helperTag) {
+			return ebpf.ErrNotSupported
+		}
+
+		// https://github.com/torvalds/linux/blob/09a0fa92e5b45e99cf435b2fbf5ebcf889cf8780/kernel/bpf/verifier.c#L10668
+		if logContainsAll(verr.Log, "program of this type cannot use helper", helperTag) {
+			return ebpf.ErrNotSupported
+		}
+
+		// https://github.com/torvalds/linux/blob/59b418c7063d30e0a3e1f592d47df096db83185c/kernel/bpf/verifier.c#L10204
+		if logContainsAll(verr.Log, "unknown func", helperTag) {
+			return ebpf.ErrNotSupported
+		}
 	}
 
 	return err
 }
 
+func logContainsAll(log []string, needles ...string) bool {
+	first := max(len(log)-5, 0) // Check last 5 lines.
+nextLine:
+	for _, line := range log[first:] {
+		for _, needle := range needles {
+			if !strings.Contains(line, needle) {
+				continue nextLine
+			}
+		}
+
+		return true
+	}
+
+	return false
+}
+
 func helperProbeNotImplemented(pt ebpf.ProgramType) bool {
 	switch pt {
 	case ebpf.Extension, ebpf.LSM, ebpf.StructOps, ebpf.Tracing: