Date: Sun, 03 May 2026 04:36:00 +0800
From: kernel test robot
To: oe-kbuild@lists.linux.dev
Cc: lkp@intel.com, Dan Carpenter
Subject: kernel/bpf/fixups.c:808 bpf_convert_ctx_accesses() error: __memcpy() 'insn_buf' too small (256 vs u32max)
Message-ID: <202605030449.R5oG8dfD-lkp@intel.com>

BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
CC: linux-kernel@vger.kernel.org
TO: Alexei Starovoitov

Hi Alexei,

FYI, the error/warning was bisected to this commit, please ignore it if it's irrelevant.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   f1a5e78a55ebf2b05777fd5eb738038ddae609d6
commit: 449f08fa59dda5da40317b6976604b877c4ecd63 bpf: Move fixup/post-processing logic from verifier.c into fixups.c
date:   3 weeks ago
:::::: branch date: 21 hours ago
:::::: commit date: 3 weeks ago
config: arm-randconfig-r071-20260502 (https://download.01.org/0day-ci/archive/20260503/202605030449.R5oG8dfD-lkp@intel.com/config)
compiler: clang version 23.0.0git (https://github.com/llvm/llvm-project 5bac06718f502014fade905512f1d26d578a18f3)
smatch: v0.5.0-9065-ge9cc34fd

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Fixes: 449f08fa59dd ("bpf: Move fixup/post-processing logic from verifier.c into fixups.c")
| Reported-by: kernel test robot
| Reported-by: Dan Carpenter
| Closes: https://lore.kernel.org/r/202605030449.R5oG8dfD-lkp@intel.com/

smatch warnings:
kernel/bpf/fixups.c:808 bpf_convert_ctx_accesses() error: __memcpy() 'insn_buf' too small (256 vs u32max)
kernel/bpf/fixups.c:808 bpf_convert_ctx_accesses() error: __memcpy() 'epilogue_buf' too small (256 vs u32max)

vim +/insn_buf +808 kernel/bpf/fixups.c

449f08fa59dda5d Alexei Starovoitov 2026-04-12  670
449f08fa59dda5d Alexei Starovoitov 2026-04-12  671  /* convert load instructions that access fields of a context type into a
449f08fa59dda5d Alexei Starovoitov 2026-04-12  672   * sequence of instructions that access fields of the underlying structure:
449f08fa59dda5d Alexei Starovoitov 2026-04-12  673   *     struct __sk_buff    -> struct sk_buff
449f08fa59dda5d Alexei Starovoitov 2026-04-12  674   *     struct bpf_sock_ops -> struct sock
449f08fa59dda5d Alexei Starovoitov 2026-04-12  675   */
449f08fa59dda5d Alexei Starovoitov 2026-04-12  676  int bpf_convert_ctx_accesses(struct bpf_verifier_env *env)
449f08fa59dda5d Alexei Starovoitov 2026-04-12  677  {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  678  	struct bpf_subprog_info *subprogs = env->subprog_info;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  679  	const struct bpf_verifier_ops *ops = env->ops;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  680  	int i, cnt, size, ctx_field_size, ret, delta = 0, epilogue_cnt = 0;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  681  	const int insn_cnt = env->prog->len;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  682  	struct bpf_insn *epilogue_buf = env->epilogue_buf;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  683  	struct bpf_insn *insn_buf = env->insn_buf;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  684  	struct bpf_insn *insn;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  685  	u32 target_size, size_default, off;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  686  	struct bpf_prog *new_prog;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  687  	enum bpf_access_type type;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  688  	bool is_narrower_load;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  689  	int epilogue_idx = 0;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  690
449f08fa59dda5d Alexei Starovoitov 2026-04-12  691  	if (ops->gen_epilogue) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  692  		epilogue_cnt = ops->gen_epilogue(epilogue_buf, env->prog,
449f08fa59dda5d Alexei Starovoitov 2026-04-12  693  						 -(subprogs[0].stack_depth + 8));
449f08fa59dda5d Alexei Starovoitov 2026-04-12  694  		if (epilogue_cnt >= INSN_BUF_SIZE) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  695  			verifier_bug(env, "epilogue is too long");
449f08fa59dda5d Alexei Starovoitov 2026-04-12  696  			return -EFAULT;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  697  		} else if (epilogue_cnt) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  698  			/* Save the ARG_PTR_TO_CTX for the epilogue to use */
449f08fa59dda5d Alexei Starovoitov 2026-04-12  699  			cnt = 0;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  700  			subprogs[0].stack_depth += 8;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  701  			insn_buf[cnt++] = BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_1,
449f08fa59dda5d Alexei Starovoitov 2026-04-12  702  						      -subprogs[0].stack_depth);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  703  			insn_buf[cnt++] = env->prog->insnsi[0];
449f08fa59dda5d Alexei Starovoitov 2026-04-12  704  			new_prog = bpf_patch_insn_data(env, 0, insn_buf, cnt);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  705  			if (!new_prog)
449f08fa59dda5d Alexei Starovoitov 2026-04-12  706  				return -ENOMEM;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  707  			env->prog = new_prog;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  708  			delta += cnt - 1;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  709
449f08fa59dda5d Alexei Starovoitov 2026-04-12  710  			ret = add_kfunc_in_insns(env, epilogue_buf, epilogue_cnt - 1);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  711  			if (ret < 0)
449f08fa59dda5d Alexei Starovoitov 2026-04-12  712  				return ret;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  713  		}
449f08fa59dda5d Alexei Starovoitov 2026-04-12  714  	}
449f08fa59dda5d Alexei Starovoitov 2026-04-12  715
449f08fa59dda5d Alexei Starovoitov 2026-04-12  716  	if (ops->gen_prologue || env->seen_direct_write) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  717  		if (!ops->gen_prologue) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  718  			verifier_bug(env, "gen_prologue is null");
449f08fa59dda5d Alexei Starovoitov 2026-04-12  719  			return -EFAULT;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  720  		}
449f08fa59dda5d Alexei Starovoitov 2026-04-12  721  		cnt = ops->gen_prologue(insn_buf, env->seen_direct_write,
449f08fa59dda5d Alexei Starovoitov 2026-04-12  722  					env->prog);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  723  		if (cnt >= INSN_BUF_SIZE) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  724  			verifier_bug(env, "prologue is too long");
449f08fa59dda5d Alexei Starovoitov 2026-04-12  725  			return -EFAULT;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  726  		} else if (cnt) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  727  			new_prog = bpf_patch_insn_data(env, 0, insn_buf, cnt);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  728  			if (!new_prog)
449f08fa59dda5d Alexei Starovoitov 2026-04-12  729  				return -ENOMEM;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  730
449f08fa59dda5d Alexei Starovoitov 2026-04-12  731  			env->prog = new_prog;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  732  			delta += cnt - 1;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  733
449f08fa59dda5d Alexei Starovoitov 2026-04-12  734  			ret = add_kfunc_in_insns(env, insn_buf, cnt - 1);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  735  			if (ret < 0)
449f08fa59dda5d Alexei Starovoitov 2026-04-12  736  				return ret;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  737  		}
449f08fa59dda5d Alexei Starovoitov 2026-04-12  738  	}
449f08fa59dda5d Alexei Starovoitov 2026-04-12  739
449f08fa59dda5d Alexei Starovoitov 2026-04-12  740  	if (delta)
449f08fa59dda5d Alexei Starovoitov 2026-04-12  741  		WARN_ON(adjust_jmp_off(env->prog, 0, delta));
449f08fa59dda5d Alexei Starovoitov 2026-04-12  742
449f08fa59dda5d Alexei Starovoitov 2026-04-12  743  	if (bpf_prog_is_offloaded(env->prog->aux))
449f08fa59dda5d Alexei Starovoitov 2026-04-12  744  		return 0;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  745
449f08fa59dda5d Alexei Starovoitov 2026-04-12  746  	insn = env->prog->insnsi + delta;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  747
449f08fa59dda5d Alexei Starovoitov 2026-04-12  748  	for (i = 0; i < insn_cnt; i++, insn++) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  749  		bpf_convert_ctx_access_t convert_ctx_access;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  750  		u8 mode;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  751
449f08fa59dda5d Alexei Starovoitov 2026-04-12  752  		if (env->insn_aux_data[i + delta].nospec) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  753  			WARN_ON_ONCE(env->insn_aux_data[i + delta].alu_state);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  754  			struct bpf_insn *patch = insn_buf;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  755
449f08fa59dda5d Alexei Starovoitov 2026-04-12  756  			*patch++ = BPF_ST_NOSPEC();
449f08fa59dda5d Alexei Starovoitov 2026-04-12  757  			*patch++ = *insn;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  758  			cnt = patch - insn_buf;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  759  			new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  760  			if (!new_prog)
449f08fa59dda5d Alexei Starovoitov 2026-04-12  761  				return -ENOMEM;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  762
449f08fa59dda5d Alexei Starovoitov 2026-04-12  763  			delta += cnt - 1;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  764  			env->prog = new_prog;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  765  			insn = new_prog->insnsi + i + delta;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  766  			/* This can not be easily merged with the
449f08fa59dda5d Alexei Starovoitov 2026-04-12  767  			 * nospec_result-case, because an insn may require a
449f08fa59dda5d Alexei Starovoitov 2026-04-12  768  			 * nospec before and after itself. Therefore also do not
449f08fa59dda5d Alexei Starovoitov 2026-04-12  769  			 * 'continue' here but potentially apply further
449f08fa59dda5d Alexei Starovoitov 2026-04-12  770  			 * patching to insn. *insn should equal patch[1] now.
449f08fa59dda5d Alexei Starovoitov 2026-04-12  771  			 */
449f08fa59dda5d Alexei Starovoitov 2026-04-12  772  		}
449f08fa59dda5d Alexei Starovoitov 2026-04-12  773
449f08fa59dda5d Alexei Starovoitov 2026-04-12  774  		if (insn->code == (BPF_LDX | BPF_MEM | BPF_B) ||
449f08fa59dda5d Alexei Starovoitov 2026-04-12  775  		    insn->code == (BPF_LDX | BPF_MEM | BPF_H) ||
449f08fa59dda5d Alexei Starovoitov 2026-04-12  776  		    insn->code == (BPF_LDX | BPF_MEM | BPF_W) ||
449f08fa59dda5d Alexei Starovoitov 2026-04-12  777  		    insn->code == (BPF_LDX | BPF_MEM | BPF_DW) ||
449f08fa59dda5d Alexei Starovoitov 2026-04-12  778  		    insn->code == (BPF_LDX | BPF_MEMSX | BPF_B) ||
449f08fa59dda5d Alexei Starovoitov 2026-04-12  779  		    insn->code == (BPF_LDX | BPF_MEMSX | BPF_H) ||
449f08fa59dda5d Alexei Starovoitov 2026-04-12  780  		    insn->code == (BPF_LDX | BPF_MEMSX | BPF_W)) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  781  			type = BPF_READ;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  782  		} else if (insn->code == (BPF_STX | BPF_MEM | BPF_B) ||
449f08fa59dda5d Alexei Starovoitov 2026-04-12  783  			   insn->code == (BPF_STX | BPF_MEM | BPF_H) ||
449f08fa59dda5d Alexei Starovoitov 2026-04-12  784  			   insn->code == (BPF_STX | BPF_MEM | BPF_W) ||
449f08fa59dda5d Alexei Starovoitov 2026-04-12  785  			   insn->code == (BPF_STX | BPF_MEM | BPF_DW) ||
449f08fa59dda5d Alexei Starovoitov 2026-04-12  786  			   insn->code == (BPF_ST | BPF_MEM | BPF_B) ||
449f08fa59dda5d Alexei Starovoitov 2026-04-12  787  			   insn->code == (BPF_ST | BPF_MEM | BPF_H) ||
449f08fa59dda5d Alexei Starovoitov 2026-04-12  788  			   insn->code == (BPF_ST | BPF_MEM | BPF_W) ||
449f08fa59dda5d Alexei Starovoitov 2026-04-12  789  			   insn->code == (BPF_ST | BPF_MEM | BPF_DW)) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  790  			type = BPF_WRITE;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  791  		} else if ((insn->code == (BPF_STX | BPF_ATOMIC | BPF_B) ||
449f08fa59dda5d Alexei Starovoitov 2026-04-12  792  			    insn->code == (BPF_STX | BPF_ATOMIC | BPF_H) ||
449f08fa59dda5d Alexei Starovoitov 2026-04-12  793  			    insn->code == (BPF_STX | BPF_ATOMIC | BPF_W) ||
449f08fa59dda5d Alexei Starovoitov 2026-04-12  794  			    insn->code == (BPF_STX | BPF_ATOMIC | BPF_DW)) &&
449f08fa59dda5d Alexei Starovoitov 2026-04-12  795  			   env->insn_aux_data[i + delta].ptr_type == PTR_TO_ARENA) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  796  			insn->code = BPF_STX | BPF_PROBE_ATOMIC | BPF_SIZE(insn->code);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  797  			env->prog->aux->num_exentries++;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  798  			continue;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  799  		} else if (insn->code == (BPF_JMP | BPF_EXIT) &&
449f08fa59dda5d Alexei Starovoitov 2026-04-12  800  			   epilogue_cnt &&
449f08fa59dda5d Alexei Starovoitov 2026-04-12  801  			   i + delta < subprogs[1].start) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  802  			/* Generate epilogue for the main prog */
449f08fa59dda5d Alexei Starovoitov 2026-04-12  803  			if (epilogue_idx) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  804  				/* jump back to the earlier generated epilogue */
449f08fa59dda5d Alexei Starovoitov 2026-04-12  805  				insn_buf[0] = BPF_JMP32_A(epilogue_idx - i - delta - 1);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  806  				cnt = 1;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  807  			} else {
449f08fa59dda5d Alexei Starovoitov 2026-04-12 @808  				memcpy(insn_buf, epilogue_buf,
449f08fa59dda5d Alexei Starovoitov 2026-04-12  809  				       epilogue_cnt * sizeof(*epilogue_buf));
449f08fa59dda5d Alexei Starovoitov 2026-04-12  810  				cnt = epilogue_cnt;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  811  				/* epilogue_idx cannot be 0. It must have at
449f08fa59dda5d Alexei Starovoitov 2026-04-12  812  				 * least one ctx ptr saving insn before the
449f08fa59dda5d Alexei Starovoitov 2026-04-12  813  				 * epilogue.
449f08fa59dda5d Alexei Starovoitov 2026-04-12  814  				 */
449f08fa59dda5d Alexei Starovoitov 2026-04-12  815  				epilogue_idx = i + delta;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  816  			}
449f08fa59dda5d Alexei Starovoitov 2026-04-12  817  			goto patch_insn_buf;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  818  		} else {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  819  			continue;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  820  		}
449f08fa59dda5d Alexei Starovoitov 2026-04-12  821
449f08fa59dda5d Alexei Starovoitov 2026-04-12  822  		if (type == BPF_WRITE &&
449f08fa59dda5d Alexei Starovoitov 2026-04-12  823  		    env->insn_aux_data[i + delta].nospec_result) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  824  			/* nospec_result is only used to mitigate Spectre v4 and
449f08fa59dda5d Alexei Starovoitov 2026-04-12  825  			 * to limit verification-time for Spectre v1.
449f08fa59dda5d Alexei Starovoitov 2026-04-12  826  			 */
449f08fa59dda5d Alexei Starovoitov 2026-04-12  827  			struct bpf_insn *patch = insn_buf;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  828
449f08fa59dda5d Alexei Starovoitov 2026-04-12  829  			*patch++ = *insn;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  830  			*patch++ = BPF_ST_NOSPEC();
449f08fa59dda5d Alexei Starovoitov 2026-04-12  831  			cnt = patch - insn_buf;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  832  			new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  833  			if (!new_prog)
449f08fa59dda5d Alexei Starovoitov 2026-04-12  834  				return -ENOMEM;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  835
449f08fa59dda5d Alexei Starovoitov 2026-04-12  836  			delta += cnt - 1;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  837  			env->prog = new_prog;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  838  			insn = new_prog->insnsi + i + delta;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  839  			continue;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  840  		}
449f08fa59dda5d Alexei Starovoitov 2026-04-12  841
449f08fa59dda5d Alexei Starovoitov 2026-04-12  842  		switch ((int)env->insn_aux_data[i + delta].ptr_type) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  843  		case PTR_TO_CTX:
449f08fa59dda5d Alexei Starovoitov 2026-04-12  844  			if (!ops->convert_ctx_access)
449f08fa59dda5d Alexei Starovoitov 2026-04-12  845  				continue;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  846  			convert_ctx_access = ops->convert_ctx_access;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  847  			break;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  848  		case PTR_TO_SOCKET:
449f08fa59dda5d Alexei Starovoitov 2026-04-12  849  		case PTR_TO_SOCK_COMMON:
449f08fa59dda5d Alexei Starovoitov 2026-04-12  850  			convert_ctx_access = bpf_sock_convert_ctx_access;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  851  			break;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  852  		case PTR_TO_TCP_SOCK:
449f08fa59dda5d Alexei Starovoitov 2026-04-12  853  			convert_ctx_access = bpf_tcp_sock_convert_ctx_access;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  854  			break;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  855  		case PTR_TO_XDP_SOCK:
449f08fa59dda5d Alexei Starovoitov 2026-04-12  856  			convert_ctx_access = bpf_xdp_sock_convert_ctx_access;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  857  			break;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  858  		case PTR_TO_BTF_ID:
449f08fa59dda5d Alexei Starovoitov 2026-04-12  859  		case PTR_TO_BTF_ID | PTR_UNTRUSTED:
449f08fa59dda5d Alexei Starovoitov 2026-04-12  860  		/* PTR_TO_BTF_ID | MEM_ALLOC always has a valid lifetime, unlike
449f08fa59dda5d Alexei Starovoitov 2026-04-12  861  		 * PTR_TO_BTF_ID, and an active ref_obj_id, but the same cannot
449f08fa59dda5d Alexei Starovoitov 2026-04-12  862  		 * be said once it is marked PTR_UNTRUSTED, hence we must handle
449f08fa59dda5d Alexei Starovoitov 2026-04-12  863  		 * any faults for loads into such types. BPF_WRITE is disallowed
449f08fa59dda5d Alexei Starovoitov 2026-04-12  864  		 * for this case.
449f08fa59dda5d Alexei Starovoitov 2026-04-12  865  		 */
449f08fa59dda5d Alexei Starovoitov 2026-04-12  866  		case PTR_TO_BTF_ID | MEM_ALLOC | PTR_UNTRUSTED:
449f08fa59dda5d Alexei Starovoitov 2026-04-12  867  		case PTR_TO_MEM | MEM_RDONLY | PTR_UNTRUSTED:
449f08fa59dda5d Alexei Starovoitov 2026-04-12  868  			if (type == BPF_READ) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  869  				if (BPF_MODE(insn->code) == BPF_MEM)
449f08fa59dda5d Alexei Starovoitov 2026-04-12  870  					insn->code = BPF_LDX | BPF_PROBE_MEM |
449f08fa59dda5d Alexei Starovoitov 2026-04-12  871  						     BPF_SIZE((insn)->code);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  872  				else
449f08fa59dda5d Alexei Starovoitov 2026-04-12  873  					insn->code = BPF_LDX | BPF_PROBE_MEMSX |
449f08fa59dda5d Alexei Starovoitov 2026-04-12  874  						     BPF_SIZE((insn)->code);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  875  				env->prog->aux->num_exentries++;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  876  			}
449f08fa59dda5d Alexei Starovoitov 2026-04-12  877  			continue;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  878  		case PTR_TO_ARENA:
449f08fa59dda5d Alexei Starovoitov 2026-04-12  879  			if (BPF_MODE(insn->code) == BPF_MEMSX) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  880  				if (!bpf_jit_supports_insn(insn, true)) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  881  					verbose(env, "sign extending loads from arena are not supported yet\n");
449f08fa59dda5d Alexei Starovoitov 2026-04-12  882  					return -EOPNOTSUPP;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  883  				}
449f08fa59dda5d Alexei Starovoitov 2026-04-12  884  				insn->code = BPF_CLASS(insn->code) | BPF_PROBE_MEM32SX | BPF_SIZE(insn->code);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  885  			} else {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  886  				insn->code = BPF_CLASS(insn->code) | BPF_PROBE_MEM32 | BPF_SIZE(insn->code);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  887  			}
449f08fa59dda5d Alexei Starovoitov 2026-04-12  888  			env->prog->aux->num_exentries++;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  889  			continue;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  890  		default:
449f08fa59dda5d Alexei Starovoitov 2026-04-12  891  			continue;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  892  		}
449f08fa59dda5d Alexei Starovoitov 2026-04-12  893
449f08fa59dda5d Alexei Starovoitov 2026-04-12  894  		ctx_field_size = env->insn_aux_data[i + delta].ctx_field_size;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  895  		size = BPF_LDST_BYTES(insn);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  896  		mode = BPF_MODE(insn->code);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  897
449f08fa59dda5d Alexei Starovoitov 2026-04-12  898  		/* If the read access is a narrower load of the field,
449f08fa59dda5d Alexei Starovoitov 2026-04-12  899  		 * convert to a 4/8-byte load, to minimum program type specific
449f08fa59dda5d Alexei Starovoitov 2026-04-12  900  		 * convert_ctx_access changes. If conversion is successful,
449f08fa59dda5d Alexei Starovoitov 2026-04-12  901  		 * we will apply proper mask to the result.
449f08fa59dda5d Alexei Starovoitov 2026-04-12  902  		 */
449f08fa59dda5d Alexei Starovoitov 2026-04-12  903  		is_narrower_load = size < ctx_field_size;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  904  		size_default = bpf_ctx_off_adjust_machine(ctx_field_size);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  905  		off = insn->off;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  906  		if (is_narrower_load) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  907  			u8 size_code;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  908
449f08fa59dda5d Alexei Starovoitov 2026-04-12  909  			if (type == BPF_WRITE) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  910  				verifier_bug(env, "narrow ctx access misconfigured");
449f08fa59dda5d Alexei Starovoitov 2026-04-12  911  				return -EFAULT;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  912  			}
449f08fa59dda5d Alexei Starovoitov 2026-04-12  913
449f08fa59dda5d Alexei Starovoitov 2026-04-12  914  			size_code = BPF_H;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  915  			if (ctx_field_size == 4)
449f08fa59dda5d Alexei Starovoitov 2026-04-12  916  				size_code = BPF_W;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  917  			else if (ctx_field_size == 8)
449f08fa59dda5d Alexei Starovoitov 2026-04-12  918  				size_code = BPF_DW;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  919
449f08fa59dda5d Alexei Starovoitov 2026-04-12  920  			insn->off = off & ~(size_default - 1);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  921  			insn->code = BPF_LDX | BPF_MEM | size_code;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  922  		}
449f08fa59dda5d Alexei Starovoitov 2026-04-12  923
449f08fa59dda5d Alexei Starovoitov 2026-04-12  924  		target_size = 0;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  925  		cnt = convert_ctx_access(type, insn, insn_buf, env->prog,
449f08fa59dda5d Alexei Starovoitov 2026-04-12  926  					 &target_size);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  927  		if (cnt == 0 || cnt >= INSN_BUF_SIZE ||
449f08fa59dda5d Alexei Starovoitov 2026-04-12  928  		    (ctx_field_size && !target_size)) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  929  			verifier_bug(env, "error during ctx access conversion (%d)", cnt);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  930  			return -EFAULT;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  931  		}
449f08fa59dda5d Alexei Starovoitov 2026-04-12  932
449f08fa59dda5d Alexei Starovoitov 2026-04-12  933  		if (is_narrower_load && size < target_size) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  934  			u8 shift = bpf_ctx_narrow_access_offset(
449f08fa59dda5d Alexei Starovoitov 2026-04-12  935  				off, size, size_default) * 8;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  936  			if (shift && cnt + 1 >= INSN_BUF_SIZE) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  937  				verifier_bug(env, "narrow ctx load misconfigured");
449f08fa59dda5d Alexei Starovoitov 2026-04-12  938  				return -EFAULT;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  939  			}
449f08fa59dda5d Alexei Starovoitov 2026-04-12  940  			if (ctx_field_size <= 4) {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  941  				if (shift)
449f08fa59dda5d Alexei Starovoitov 2026-04-12  942  					insn_buf[cnt++] = BPF_ALU32_IMM(BPF_RSH,
449f08fa59dda5d Alexei Starovoitov 2026-04-12  943  									insn->dst_reg,
449f08fa59dda5d Alexei Starovoitov 2026-04-12  944  									shift);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  945  				insn_buf[cnt++] = BPF_ALU32_IMM(BPF_AND, insn->dst_reg,
449f08fa59dda5d Alexei Starovoitov 2026-04-12  946  								(1 << size * 8) - 1);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  947  			} else {
449f08fa59dda5d Alexei Starovoitov 2026-04-12  948  				if (shift)
449f08fa59dda5d Alexei Starovoitov 2026-04-12  949  					insn_buf[cnt++] = BPF_ALU64_IMM(BPF_RSH,
449f08fa59dda5d Alexei Starovoitov 2026-04-12  950  									insn->dst_reg,
449f08fa59dda5d Alexei Starovoitov 2026-04-12  951  									shift);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  952  				insn_buf[cnt++] = BPF_ALU32_IMM(BPF_AND, insn->dst_reg,
449f08fa59dda5d Alexei Starovoitov 2026-04-12  953  								(1ULL << size * 8) - 1);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  954  			}
449f08fa59dda5d Alexei Starovoitov 2026-04-12  955  		}
449f08fa59dda5d Alexei Starovoitov 2026-04-12  956  		if (mode == BPF_MEMSX)
449f08fa59dda5d Alexei Starovoitov 2026-04-12  957  			insn_buf[cnt++] = BPF_RAW_INSN(BPF_ALU64 | BPF_MOV | BPF_X,
449f08fa59dda5d Alexei Starovoitov 2026-04-12  958  						       insn->dst_reg, insn->dst_reg,
449f08fa59dda5d Alexei Starovoitov 2026-04-12  959  						       size * 8, 0);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  960
449f08fa59dda5d Alexei Starovoitov 2026-04-12  961  patch_insn_buf:
449f08fa59dda5d Alexei Starovoitov 2026-04-12  962  		new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
449f08fa59dda5d Alexei Starovoitov 2026-04-12  963  		if (!new_prog)
449f08fa59dda5d Alexei Starovoitov 2026-04-12  964  			return -ENOMEM;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  965
449f08fa59dda5d Alexei Starovoitov 2026-04-12  966  		delta += cnt - 1;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  967
449f08fa59dda5d Alexei Starovoitov 2026-04-12  968  		/* keep walking new program and skip insns we just inserted */
449f08fa59dda5d Alexei Starovoitov 2026-04-12  969  		env->prog = new_prog;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  970  		insn = new_prog->insnsi + i + delta;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  971  	}
449f08fa59dda5d Alexei Starovoitov 2026-04-12  972
449f08fa59dda5d Alexei Starovoitov 2026-04-12  973  	return 0;
449f08fa59dda5d Alexei Starovoitov 2026-04-12  974  }
449f08fa59dda5d Alexei Starovoitov 2026-04-12  975

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki