All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Pawan Gupta" <pawan.kumar.gupta@linux.intel.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH 6.6.y 3/6] bpf: Restrict JIT predictor flush to cBPF
Date: Fri, 17 Jul 2026 17:20:30 +0000	[thread overview]
Message-ID: <20260717172031.061111F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260717-cbpf-jit-spray-hardening-6-6-y-v1-3-e04f1b2893de@linux.intel.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Spectre v2 mitigation bypass in BPF JIT allocator due to restricted predictor flush.
--

--- Patch [3]: [PATCH 6.6.y 3/6] bpf: Restrict JIT predictor flush to cBPF ---
commit 8a65f5d94c81da9af1257fa2e8b48ff8c73c9963
Author: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>

bpf: Restrict JIT predictor flush to cBPF

This commit restricts the predictor flush on memory reuse for BPF JIT
allocations to only cBPF programs. It adds a was_classic parameter to
bpf_prog_pack_alloc to determine if the flush is necessary, assuming eBPF
allocations do not require the overhead of flushing predictors on reuse.

> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
> index 0d8008711629c..509f1b9c2b2e2 100644
> --- a/kernel/bpf/core.c
> +++ b/kernel/bpf/core.c
[ ... ]
> @@ -951,7 +951,9 @@ void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insns)
>  	pos = 0;
>  
>  found_free_area:
> -	static_call_cond(bpf_arch_pred_flush)();
> +	/* Flush only for cBPF as it may contain a crafted gadget */
> +	if (static_branch_unlikely(&bpf_pred_flush_enabled) && was_classic)
> +		static_call_cond(bpf_arch_pred_flush)();

[Severity: High]
Does skipping the flush for eBPF allocations leave the branch predictor
vulnerable if the memory was previously used by a cBPF program?

If an attacker loads a cBPF program, trains the CPU branch predictor to
target a specific offset, and then frees it, could a subsequent eBPF program
allocated in the same memory chunk skip the flush because was_classic is
false? This might allow an attacker to trigger a kernel indirect branch that
mispredicts into the newly loaded eBPF program at the trained offset.

Also, if kernel.unprivileged_bpf_disabled=0, couldn't an attacker directly
use unprivileged eBPF programs to bypass the flush completely, since their
type is not BPF_PROG_TYPE_UNSPEC?

>  	bitmap_set(pack->bitmap, pos, nbits);
>  	ptr = (void *)(pack->ptr) + (pos << BPF_PROG_CHUNK_SHIFT);
[ ... ]
> diff --git a/kernel/bpf/dispatcher.c b/kernel/bpf/dispatcher.c
> index fa3e9225aedc0..b3f164e31c6bb 100644
> --- a/kernel/bpf/dispatcher.c
> +++ b/kernel/bpf/dispatcher.c
> @@ -145,7 +145,7 @@ void bpf_dispatcher_change_prog(struct bpf_dispatcher *d, struct bpf_prog *from,
>  
>  	mutex_lock(&d->mutex);
>  	if (!d->image) {
> -		d->image = bpf_prog_pack_alloc(PAGE_SIZE, bpf_jit_fill_hole_with_zero);
> +		d->image = bpf_prog_pack_alloc(PAGE_SIZE, bpf_jit_fill_hole_with_zero, false);

[Severity: High]
Similarly, does explicitly passing false here for the dispatcher skip the
flush, leaving it vulnerable to unintentional gadget exploitation via
leftover branch predictions?

>  		if (!d->image)
>  			goto out;
>  		d->rw_image = bpf_jit_alloc_exec(PAGE_SIZE);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260717-cbpf-jit-spray-hardening-6-6-y-v1-0-e04f1b2893de@linux.intel.com?part=3

  reply	other threads:[~2026-07-17 17:20 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-17 17:05 [PATCH 6.6.y 0/6] cBPF JIT spray hardening Pawan Gupta
2026-07-17 17:05 ` Pawan Gupta
2026-07-17 17:05 ` [PATCH 6.6.y 1/6] bpf: Support for hardening against JIT spraying Pawan Gupta
2026-07-17 17:05   ` Pawan Gupta
2026-07-17 17:06 ` [PATCH 6.6.y 2/6] x86/bugs: Enable IBPB flush on BPF JIT allocation Pawan Gupta
2026-07-17 17:06   ` Pawan Gupta
2026-07-17 17:06 ` [PATCH 6.6.y 3/6] bpf: Restrict JIT predictor flush to cBPF Pawan Gupta
2026-07-17 17:06   ` Pawan Gupta
2026-07-17 17:20   ` sashiko-bot [this message]
2026-07-17 17:06 ` [PATCH 6.6.y 4/6] bpf: Skip redundant IBPB in pack allocator Pawan Gupta
2026-07-17 17:06   ` Pawan Gupta
2026-07-17 17:06 ` [PATCH 6.6.y 5/6] bpf: Prefer packs that won't trigger an IBPB flush on allocation Pawan Gupta
2026-07-17 17:06   ` Pawan Gupta
2026-07-17 17:07 ` [PATCH 6.6.y 6/6] bpf: Prefer dirty packs for eBPF allocations Pawan Gupta
2026-07-17 17:07   ` Pawan Gupta
2026-07-17 17:31   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260717172031.061111F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=pawan.kumar.gupta@linux.intel.com \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.