From: Leon Hwang <leon.hwang@linux.dev>
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
John Fastabend <john.fastabend@gmail.com>,
Andrii Nakryiko <andrii@kernel.org>,
Eduard Zingerman <eddyz87@gmail.com>,
Kumar Kartikeya Dwivedi <memxor@gmail.com>,
Martin KaFai Lau <martin.lau@linux.dev>,
Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
Jiri Olsa <jolsa@kernel.org>,
Emil Tsalapatis <emil@etsalapatis.com>,
Andrew Morton <akpm@linux-foundation.org>,
Shuah Khan <shuah@kernel.org>,
Puranjay Mohan <puranjay@kernel.org>,
Anton Protopopov <a.s.protopopov@gmail.com>,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
Leon Hwang <leon.hwang@linux.dev>
Subject: [RFC PATCH bpf 1/6] bpf: Disallow interpreter fallback for user BPF_ADDR_SPACE_CAST insn
Date: Fri, 26 Jun 2026 23:43:25 +0800 [thread overview]
Message-ID: <20260626154330.33619-2-leon.hwang@linux.dev> (raw)
In-Reply-To: <20260626154330.33619-1-leon.hwang@linux.dev>
The interpreter is unable to handle the user BPF_ADDR_SPACE_CAST insn,
whose '->off' is 1:
static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn)
{
ALU64_MOV_X:
switch (OFF) {
case 0:
DST = SRC;
break;
case 8:
DST = (s8) SRC;
break;
case 16:
DST = (s16) SRC;
break;
case 32:
DST = (s32) SRC;
break;
}
CONT;
}
On the fallback path from JIT in __bpf_prog_select_runtime(), reject
the insn so that it is not silently ignored by the interpreter.
Fixes: 142fd4d2dcf5 ("bpf: Add x86-64 JIT support for bpf_addr_space_cast instruction.")
Signed-off-by: Leon Hwang <leon.hwang@linux.dev>
---
kernel/bpf/core.c | 29 +++++++++++++++++++++++------
1 file changed, 23 insertions(+), 6 deletions(-)
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 0db6e55bad52..e92eb8b7f945 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -2608,23 +2608,37 @@ static struct bpf_prog *bpf_prog_jit_compile(struct bpf_verifier_env *env, struc
return prog;
}
+static bool bpf_insn_requires_jit(struct bpf_insn *insn)
+{
+ if (insn_is_cast_user(insn))
+ return true;
+
+ return false;
+}
+
/* Fix up helper call offsets on JIT fallback path. */
-static void bpf_fixup_fallback_helpers(struct bpf_verifier_env *env, struct bpf_prog *fp)
+static int bpf_fixup_fallback_helpers(struct bpf_verifier_env *env, struct bpf_prog *fp)
{
struct bpf_insn *insn = fp->insnsi;
const struct bpf_func_proto *fn;
int i;
- if (!env || !env->ops->get_func_proto)
- return;
+ if (!env)
+ return 0;
for (i = 0; i < fp->len; i++, insn++) {
- if (bpf_helper_call(insn) && bpf_jit_inlines_helper_call(insn->imm)) {
+ if (env->ops->get_func_proto && bpf_helper_call(insn) &&
+ bpf_jit_inlines_helper_call(insn->imm)) {
fn = env->ops->get_func_proto(insn->imm, env->prog);
if (fn && fn->func)
insn->imm = fn->func - __bpf_call_base;
}
+
+ if (bpf_insn_requires_jit(insn))
+ return -EOPNOTSUPP;
}
+
+ return 0;
}
struct bpf_prog *__bpf_prog_select_runtime(struct bpf_verifier_env *env, struct bpf_prog *fp,
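Review bot: The `if (!env) return 0;` early return in bpf_fixup_fallback_helpers() also skips the new bpf_insn_requires_jit() scan, so a caller that passes a NULL env still reaches the interpreter without the check. Whether such a caller can ever carry a user address-space cast is not visible in this hunk. Since the scan does not use env, it would be safer to drop the early return and guard only the helper fixup, e.g. `if (env && env->ops->get_func_proto && bpf_helper_call(insn) &&`. The comment above the function now understates what it does and could read `/* Fix up helper call offsets and reject JIT-only insns on the JIT fallback path. */`. bpf_insn_requires_jit() only reads the instruction, so its parameter could be `const struct bpf_insn *insn`.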
@@ -2663,8 +2677,11 @@ struct bpf_prog *__bpf_prog_select_runtime(struct bpf_verifier_env *env, struct
return fp;
}
- if (!fp->jited)
- bpf_fixup_fallback_helpers(env, fp);
+ if (!fp->jited) {
+ *err = bpf_fixup_fallback_helpers(env, fp);
+ if (*err)
+ return fp;
+ }
} else {
*err = bpf_prog_offload_compile(fp);
if (*err)
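Review bot: The new `if (!fp->jited)` branch fails the load with no comment explaining why a function that used to be a pure fixup can now return an error. A short comment above the call would help, such as `/* The interpreter cannot execute JIT-only insns; fail the load instead of silently mis-executing them. */`. Note also that by the time `*err` is set, the loop in bpf_fixup_fallback_helpers() may already have rewritten `insn->imm` for earlier helper calls, so `fp` is returned partially fixed up. That looks harmless only if every caller discards the program on error, which cannot be confirmed here because __bpf_prog_select_runtime() starts and ends outside this hunk.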
--
2.54.0
2026-06-26 15:43 [RFC PATCH bpf 0/6] bpf: Disallow interpreter fallback for interpreter-unsupported insns Leon Hwang
2026-06-26 15:43 ` Leon Hwang [this message]
2026-06-26 15:43 ` [RFC PATCH bpf 2/6] bpf: Disallow interpreter fallback for arena insn Leon Hwang
2026-06-26 15:43 ` [RFC PATCH bpf 3/6] bpf: Disallow interpreter fallback for BPF_MOV64_PERCPU_REG insn Leon Hwang
2026-06-26 15:43 ` [RFC PATCH bpf 4/6] bpf: Disallow interpreter fallback for internal BPF_PROBE_ATOMIC insn Leon Hwang
2026-06-26 15:43 ` [RFC PATCH bpf 5/6] bpf: Disallow interpreter fallback for gotox insn Leon Hwang
2026-06-26 15:43 ` [RFC PATCH bpf 6/6] lib/test_bpf: Add interpreter-fallback tests Leon Hwang
2026-06-26 16:11 ` [RFC PATCH bpf 0/6] bpf: Disallow interpreter fallback for interpreter-unsupported insns Leon Hwang