From: sashiko-bot@kernel.org
To: "Leon Hwang" <leon.hwang@linux.dev>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v8 2/9] bpf: Introduce global percpu data
Date: Mon, 29 Jun 2026 15:50:20 +0000 [thread overview]
Message-ID: <20260629155020.AF8D01F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260629152406.52582-3-leon.hwang@linux.dev>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Interpreter fallback vulnerability due to missing BPF_MOV64_PERCPU_REG support
--
commit a68c25810c5f3ada3bbae32b3967070021ca8848
Author: Leon Hwang <leon.hwang@linux.dev>
bpf: Introduce global percpu data
This commit introduces global percpu data support for BPF, allowing
definition of global percpu variables similar to DEFINE_PER_CPU(). This
enables tools to simplify their BPF code by avoiding percpu_array maps
and manual CPU ID lookups.
Links:
[1] https://github.com/anakryiko/retsnoop
[2] https://github.com/bpfsnoop/bpfsnoop
> diff --git a/kernel/bpf/fixups.c b/kernel/bpf/fixups.c
> index 3cf2cc6e3ab66..4f84d087ca69e 100644
> --- a/kernel/bpf/fixups.c
> +++ b/kernel/bpf/fixups.c
[ ... ]
> @@ -1819,6 +1819,38 @@ int bpf_do_misc_fixups(struct bpf_verifier_env *env)
> goto next_insn;
> }
>
> + if (env->prog->jit_requested &&
> + bpf_jit_supports_percpu_insn() &&
> + insn->code == (BPF_LD | BPF_IMM | BPF_DW) &&
> + (insn->src_reg == BPF_PSEUDO_MAP_VALUE ||
> + insn->src_reg == BPF_PSEUDO_MAP_IDX_VALUE)) {
> + struct bpf_map *map;
> +
> + aux = &env->insn_aux_data[i + delta];
> + map = env->used_maps[aux->map_index];
> + if (map->map_type != BPF_MAP_TYPE_PERCPU_ARRAY)
> + goto next_insn;
> +
> + /*
> + * Reuse the original ld_imm64 insn, and add one
> + * mov64_percpu_reg insn.
> + */
> +
> + insn_buf[0] = insn[1];
> + insn_buf[1] = BPF_MOV64_PERCPU_REG(insn->dst_reg, insn->dst_reg);
[Severity: High]
This is a pre-existing issue, but does the BPF interpreter properly handle
BPF_MOV64_PERCPU_REG?
The verifier correctly checks bpf_jit_supports_percpu_insn() before inserting
this instruction. However, if JIT compilation fails later (e.g., due to memory
limits) and the system falls back to the interpreter, what happens to this
instruction?
Looking at ___bpf_prog_run() in kernel/bpf/core.c:
ALU64_MOV_X:
switch (OFF) {
case 0:
DST = SRC;
break;
The interpreter appears to silently ignore OFF == BPF_ADDR_PERCPU, essentially
treating it as a no-op or standard move.
Would this leak the raw __percpu pointer (which is often a small integer
offset on architectures like x86) into subsequent memory access instructions?
While this patch didn't introduce the interpreter fallback behavior, it seems
to expand the surface area by allowing direct read/write accesses to arbitrary
percpu arrays. Could this lead to out-of-bounds memory accesses if JIT fails?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260629152406.52582-1-leon.hwang@linux.dev?part=2
next prev parent reply other threads:[~2026-06-29 15:50 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 15:23 [PATCH bpf-next v8 0/9] bpf: Introduce global percpu data Leon Hwang
2026-06-29 15:23 ` [PATCH bpf-next v8 1/9] bpf: Drop duplicate blank lines in verifier Leon Hwang
2026-06-29 15:23 ` [PATCH bpf-next v8 2/9] bpf: Introduce global percpu data Leon Hwang
2026-06-29 15:50 ` sashiko-bot [this message]
2026-06-30 5:50 ` Leon Hwang
2026-07-01 19:31 ` Andrii Nakryiko
2026-07-02 6:15 ` Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 3/9] libbpf: Probe percpu data feature Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 4/9] libbpf: Add support for global percpu data Leon Hwang
2026-06-29 15:40 ` sashiko-bot
2026-06-30 5:54 ` Leon Hwang
2026-07-01 19:31 ` Andrii Nakryiko
2026-07-02 6:23 ` Leon Hwang
2026-07-01 19:32 ` Andrii Nakryiko
2026-07-02 6:16 ` Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 5/9] bpftool: Generate skeleton " Leon Hwang
2026-07-01 16:49 ` Quentin Monnet
2026-07-01 19:32 ` Andrii Nakryiko
2026-07-02 6:24 ` Leon Hwang
2026-07-02 10:14 ` Quentin Monnet
2026-07-02 14:08 ` Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 6/9] selftests/bpf: Add tests to verify " Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 7/9] selftests/bpf: Test direct reading/writing read-only percpu_array map Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 8/9] selftests/bpf: Test verifier log for global percpu data Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 9/9] selftests/bpf: Verify bpf_iter " Leon Hwang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260629155020.AF8D01F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=leon.hwang@linux.dev \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox