From: sashiko-bot@kernel.org
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v2 4/8] bpf, x86: refactor BPF_ST management in do_jit
Date: Thu, 04 Jun 2026 20:57:43 +0000 [thread overview]
Message-ID: <20260604205744.3B5411F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260604-kasan-v2-4-c066e627fda8@bootlin.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] Improper break scope in nested switch causes JIT to emit malformed instructions for BPF_ST with BPF_DW targeting the 6th argument.
--
commit 4f81840cd1222105beefd9a592e593df3c32c344
Author: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>
bpf, x86: refactor BPF_ST management in do_jit
This commit refactors BPF_ST instruction generation in the x86 JIT by
grouping memory access operations under a single fall-through block and
utilizing an inner switch on the BPF instruction size. This prepares the
code for adding KASAN checks.
> diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
> index 0981791014eb3..943a0f315cf2b 100644
> --- a/arch/x86/net/bpf_jit_comp.c
> +++ b/arch/x86/net/bpf_jit_comp.c
[ ... ]
> @@ -2300,41 +2300,50 @@ static int do_jit(struct bpf_verifier_env *env, struct bpf_prog *bpf_prog, int *
[ ... ]
> case BPF_ST | BPF_MEM | BPF_DW:
> - if (dst_reg == BPF_REG_PARAMS && insn->off == -8) {
> - /* Arg 6: store immediate in r9 register */
> - emit_mov_imm64(&prog, X86_REG_R9, imm32 >> 31, (u32)imm32);
> + switch (BPF_SIZE(insn->code)) {
[ ... ]
> + case BPF_DW:
> + if (dst_reg == BPF_REG_PARAMS &&
> + insn->off == -8) {
> + /* Arg 6: store immediate in r9 register */
> + emit_mov_imm64(&prog, X86_REG_R9,
> + imm32 >> 31, (u32)imm32);
> + break;
[Severity: Critical]
Does this break statement now only exit the newly introduced inner switch
rather than the outer switch?
In the original code, this break would exit the outer switch entirely and
skip the remainder of the BPF_ST logic. Now that it only breaks the inner
switch, execution appears to fall through to the common suffix below:
insn_off = insn->off;
...
EMIT(imm32, bpf_size_to_x86_bytes(BPF_SIZE(insn->code)));
Could this cause the JIT to incorrectly emit the user-controlled imm32 value
directly into the executable instruction stream as raw x86 instructions,
potentially leading to a kernel crash or arbitrary code execution?
> + }
> + EMIT2(add_1mod(0x48, dst_reg), 0xC7);
> break;
> }
>
> -st: insn_off = insn->off;
> + insn_off = insn->off;
> if (dst_reg == BPF_REG_PARAMS) {
> /*
> * Args 7+: reverse BPF negative offsets to
> * x86 positive rsp offsets.
> * BPF off=-16 → [rsp+0], off=-24 → [rsp+8], ...
> */
> - insn_off = outgoing_arg_base - outgoing_rsp - insn_off - 16;
> + insn_off = outgoing_arg_base - outgoing_rsp -
> + insn_off - 16;
> dst_reg = BPF_REG_FP;
> }
> if (is_imm8(insn_off))
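Review bot: the `break;` after `emit_mov_imm64(&prog, X86_REG_R9, ...)` in the new `case BPF_DW:` arm leaves only the inner `switch (BPF_SIZE(insn->code))`, whereas the `break` it replaces left the outer instruction switch, so the arg-6 path now continues into the shared suffix starting at `insn_off = insn->off;`. In that path `EMIT2(add_1mod(0x48, dst_reg), 0xC7);` has been skipped, so whatever the suffix emits (including the `EMIT(imm32, bpf_size_to_x86_bytes(BPF_SIZE(insn->code)));` quoted above) lands in the instruction stream with no opcode in front of it, and the `dst_reg == BPF_REG_PARAMS` offset rewrite below is also applied to an access that was never meant to hit the stack. Because the `st:` label is removed in this hunk, a `goto st` is no longer available as the exit either; suggest giving the arg-6 case an explicit exit that bypasses the suffix, e.g. a `goto` to a label placed after the store emission, or testing `dst_reg == BPF_REG_PARAMS && insn->off == -8` once before entering the inner switch so the common suffix is never reached for it. The inner cases elided by `[ ... ]` should be checked for the same inner-vs-outer `break` confusion, and a selftest that performs a BPF_ST of a 64-bit immediate to the arg-6 slot would exercise exactly this path.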
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260604-kasan-v2-0-c066e627fda8@bootlin.com?part=4