BPF List
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Pawan Gupta" <pawan.kumar.gupta@linux.intel.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH 6.18.y 3/6] bpf: Restrict JIT predictor flush to cBPF
Date: Tue, 14 Jul 2026 01:24:52 +0000	[thread overview]
Message-ID: <20260714012452.EC7E61F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260713-cbpf-jit-spray-hardening-6-18-y-v1-3-755f60c55705@linux.intel.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Bypass of Spectre v2 / Branch History Injection (BHI) mitigation for unprivileged native eBPF programs.
--

--- Patch [3]: [PATCH 6.18.y 3/6] bpf: Restrict JIT predictor flush to cBPF ---
commit 33a895ebe7da61c93f5b498141c865b22c5d29e7
Author: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>

bpf: Restrict JIT predictor flush to cBPF

This commit modifies the BPF JIT allocator to only perform predictor flushes
on memory reuse for cBPF programs. It skips the flush for eBPF allocations
under the assumption that only cBPF programs can be loaded by unprivileged
users.

> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
> --- a/kernel/bpf/core.c
> +++ b/kernel/bpf/core.c

[ ... ]

> @@ -939,7 +939,7 @@ void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insns)
>  		 * safe because cBPF programs (the unprivileged attack surface)
>  		 * are bounded well below a pack size.
>  		 */
> -		if (static_branch_unlikely(&bpf_pred_flush_enabled))
> +		if (was_classic && static_branch_unlikely(&bpf_pred_flush_enabled))

[Severity: High]
Does this inadvertently suppress the warning when unprivileged eBPF is
enabled?

If an administrator sets kernel.unprivileged_bpf_disabled = 0, unprivileged
users can load native eBPF programs (like BPF_PROG_TYPE_SOCKET_FILTER). For
these native eBPF programs, was_classic evaluates to false, which seems to
improperly suppress this warning for large allocations.

>  			pr_warn_once("BPF: Predictors not flushed for allocations greater than BPF_PROG_PACK_SIZE\n");
>  		size = round_up(size, PAGE_SIZE);
>  		ptr = bpf_jit_alloc_exec(size);
> @@ -971,7 +971,9 @@ void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insns)
>  	pos = 0;
>  
>  found_free_area:
> -	static_call_cond(bpf_arch_pred_flush)();
> +	/* Flush only for cBPF as it may contain a crafted gadget */
> +	if (static_branch_unlikely(&bpf_pred_flush_enabled) && was_classic)
> +		static_call_cond(bpf_arch_pred_flush)();

[Severity: High]
Can an unprivileged attacker use JIT spraying in native eBPF to execute a
speculative execution attack (Spectre v2 / BHI) here?

Since native eBPF programs loaded by an unprivileged user (when
kernel.unprivileged_bpf_disabled = 0) will have was_classic == false, the
predictor flush is entirely skipped. This appears to leave unprivileged
native eBPF exposed to JIT spraying attacks, as the mitigation is completely
bypassed.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260713-cbpf-jit-spray-hardening-6-18-y-v1-0-755f60c55705@linux.intel.com?part=3

  reply	other threads:[~2026-07-14  1:24 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-14  1:11 [PATCH 6.18.y 0/6] cBPF JIT spray hardening Pawan Gupta
2026-07-14  1:11 ` [PATCH 6.18.y 1/6] bpf: Support for hardening against JIT spraying Pawan Gupta
2026-07-14  1:23   ` sashiko-bot
2026-07-14  1:11 ` [PATCH 6.18.y 2/6] x86/bugs: Enable IBPB flush on BPF JIT allocation Pawan Gupta
2026-07-14  1:24   ` sashiko-bot
2026-07-14  1:12 ` [PATCH 6.18.y 3/6] bpf: Restrict JIT predictor flush to cBPF Pawan Gupta
2026-07-14  1:24   ` sashiko-bot [this message]
2026-07-14  1:12 ` [PATCH 6.18.y 4/6] bpf: Skip redundant IBPB in pack allocator Pawan Gupta
2026-07-14  1:12 ` [PATCH 6.18.y 5/6] bpf: Prefer packs that won't trigger an IBPB flush on allocation Pawan Gupta
2026-07-14  1:12 ` [PATCH 6.18.y 6/6] bpf: Prefer dirty packs for eBPF allocations Pawan Gupta

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260714012452.EC7E61F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=pawan.kumar.gupta@linux.intel.com \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox