From: Yazhou Tang <tangyazhou@zju.edu.cn>
To: sashiko@lists.linux.dev
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v9 2/3] bpf: Fix s16 truncation for large bpf-to-bpf call offsets
Date: Thu, 30 Apr 2026 22:47:56 +0800 [thread overview]
Message-ID: <c8fd766b-3704-4a8a-9366-1dcdcd84aed8@zju.edu.cn> (raw)
In-Reply-To: <20260429211006.E55AAC19425@smtp.kernel.org>
On 4/30/26 05:10, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> - [Medium] Unprivileged users will see broken control flow graphs and `call pc+0` in BPF-to-BPF pseudo calls.
> --
>
> commit c7ae76817147356f188b1975260698d1d9dcd44a
> Author: Yazhou Tang <tangyazhou518@outlook.com>
>
> bpf: Fix s16 truncation for large bpf-to-bpf call offsets
>
> This commit fixes s16 truncation for large BPF-to-BPF call offsets by keeping
> the relative offset in the 32-bit imm field instead of downcasting it to the
> 16-bit off field. It updates the JIT, interpreter, and related dumper code to
> swap the usages of imm and off for BPF pseudo calls.
>
>> diff --git a/kernel/bpf/fixups.c b/kernel/bpf/fixups.c
>> index 300e4e251931..8947ef74f6a8 100644
>> --- a/kernel/bpf/fixups.c
>> +++ b/kernel/bpf/fixups.c
>> @@ -1250,9 +1250,9 @@ static int jit_subprogs(struct bpf_verifier_env *env)
>> }
>> if (!bpf_pseudo_call(insn))
>> continue;
>> - insn->off = env->insn_aux_data[i].call_imm;
>> - subprog = bpf_find_subprog(env, i + insn->off + 1);
>> - insn->imm = subprog;
>> + insn->imm = env->insn_aux_data[i].call_imm;
>> + subprog = bpf_find_subprog(env, i + insn->imm + 1);
>> + insn->off = subprog;
>> }
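Review bot: the off/imm swap in this hunk needs a matching change in kernel/bpf/syscall.c:bpf_insn_prepare_dump(), which still zeroes insns[i].imm for every BPF_JMP|BPF_CALL instruction on the unprivileged path; after `insn->imm = env->insn_aux_data[i].call_imm;` that field carries the relative call offset rather than the subprog index, so the existing sanitisation would strip the offset from the dump instead of the index. Separately, `insn->off = subprog;` now stores an int into the s16 off field; a short comment stating the bound that guarantees the subprog index fits would make the narrowing obviously safe to the next reader.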
>
> Because this patch swaps the usage of insn->imm and insn->off for BPF pseudo
> calls, will this cause a regression for unprivileged users dumping programs?
>
> In kernel/bpf/syscall.c:bpf_insn_prepare_dump(), the kernel zeroes insn->imm
> for all BPF_CALL instructions when the user lacks privileges:
>
> if (code == (BPF_JMP | BPF_CALL)) {
> insns[i].imm = 0;
> ...
>
> Previously, this only hid the subprogram index. Now that insn->imm holds the
> actual relative offset, zeroing it means tools like bpftool will receive an
> offset of 0.
>
> Could this regression cause bpftool prog dump xlated to output call pc+0 and
> break the control flow graph generation for unprivileged users?
>
OK, this problem is confirmed.
As root user, executing "sysctl -w kernel.kptr_restrict=2" before "bpftool
prog dump xlated" will indeed demonstrate the bug. I will change the
bpf_insn_prepare_dump() function in v10.
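To make the two effects discussed in this thread concrete, here is an added stand-alone C model; it is not kernel code and not part of the patch. The constants mirror the values in include/uapi/linux/bpf.h and the struct layout mirrors struct bpf_insn, but the encode, target and sanitise helpers are simplified stand-ins for jit_subprogs() and bpf_insn_prepare_dump(), and their names are my own. It shows (a) the silent s16 truncation of a large relative offset when it is kept in off, and (b) how zeroing imm on the unprivileged dump path collapses a call to the next instruction once the offset lives in imm.

```c
/* Added illustration, not kernel code: s16 truncation of a large
 * bpf-to-bpf call offset, and the effect of the unprivileged dump
 * sanitisation once the offset moves from off to imm.
 * Constants mirror include/uapi/linux/bpf.h; helpers are a model. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

#define BPF_JMP         0x05
#define BPF_CALL        0x80
#define BPF_PSEUDO_CALL 1     /* src_reg value marking a bpf-to-bpf call */

/* Same field sizes as struct bpf_insn: off is 16 bits, imm is 32 bits. */
struct insn {
    uint8_t  code;
    uint8_t  dst_reg:4;
    uint8_t  src_reg:4;
    int16_t  off;
    int32_t  imm;
};

static struct insn pseudo_call(void)
{
    struct insn in = { .code = BPF_JMP | BPF_CALL, .src_reg = BPF_PSEUDO_CALL };
    return in;
}

/* Old layout: relative offset downcast into the 16-bit off field. */
static struct insn encode_call_off(int32_t rel)
{
    struct insn in = pseudo_call();
    in.off = (int16_t)rel;    /* silently wraps when rel exceeds INT16_MAX */
    return in;
}

/* New layout (this patch): relative offset kept in the 32-bit imm field. */
static struct insn encode_call_imm(int32_t rel)
{
    struct insn in = pseudo_call();
    in.imm = rel;
    return in;
}

static bool is_pseudo_call(const struct insn *in)
{
    return in->code == (BPF_JMP | BPF_CALL) && in->src_reg == BPF_PSEUDO_CALL;
}

/* Model of the unprivileged branch of bpf_insn_prepare_dump(): imm of every
 * BPF_CALL instruction is zeroed before the program is copied to user space. */
static void prepare_dump_unpriv(struct insn *prog, size_t n)
{
    for (size_t k = 0; k < n; k++)
        if (prog[k].code == (BPF_JMP | BPF_CALL))
            prog[k].imm = 0;
}

/* What the off field ends up holding under the old layout. */
static int16_t truncated_off(int32_t rel)
{
    return encode_call_off(rel).off;
}

/* Target index the way jit_subprogs() derives it: i + rel + 1. */
static int32_t call_target_off(int32_t i, int32_t rel)
{
    struct insn in = encode_call_off(rel);
    return is_pseudo_call(&in) ? i + in.off + 1 : -1;
}

static int32_t call_target_imm(int32_t i, int32_t rel)
{
    struct insn in = encode_call_imm(rel);
    return is_pseudo_call(&in) ? i + in.imm + 1 : -1;
}

/* Target an unprivileged dumper would reconstruct under the new layout. */
static int32_t dump_target_unpriv_imm(int32_t i, int32_t rel)
{
    struct insn prog[1] = { encode_call_imm(rel) };
    prepare_dump_unpriv(prog, 1);
    return i + prog[0].imm + 1;   /* imm is now 0: "call pc+0" */
}

int main(void)
{
    int32_t rel = 40000;   /* constructed: a subprog more than INT16_MAX insns away */
    printf("off layout : off=%d target=%d\n", truncated_off(rel), call_target_off(0, rel));
    printf("imm layout : target=%d\n", call_target_imm(0, rel));
    printf("unpriv dump: target=%d (offset lost)\n", dump_target_unpriv_imm(0, rel));
    return 0;
}
```

The numbers make both problems visible: with the offset in off, 40000 wraps to -25536 and the computed target goes backwards; with the offset in imm the target is right, but an unprivileged dump that zeroes imm turns every pseudo call into a call to the following instruction, which is exactly the `call pc+0` the bot predicts.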
Thread overview:
2026-04-29 17:19 [PATCH bpf-next v9 0/3] bpf: Fix call offset truncation and OOB read in bpf_patch_call_args() Yazhou Tang
2026-04-29 17:19 ` [PATCH bpf-next v9 1/3] bpf: Fix out-of-bounds " Yazhou Tang
2026-04-30 3:29 ` Xu Kuohai
2026-04-30 14:50 ` Yazhou Tang
2026-04-29 17:19 ` [PATCH bpf-next v9 2/3] bpf: Fix s16 truncation for large bpf-to-bpf call offsets Yazhou Tang
2026-04-29 21:10 ` sashiko-bot
2026-04-30 14:47 ` Yazhou Tang [this message]
2026-04-30 3:29 ` Xu Kuohai
2026-04-30 15:00 ` Yazhou Tang
2026-04-30 15:25 ` Quentin Monnet
2026-05-01 7:35 ` Yazhou Tang
2026-05-01 7:53 ` Alexei Starovoitov
2026-05-03 6:55 ` Yazhou Tang
2026-04-29 17:19 ` [PATCH bpf-next v9 3/3] selftests/bpf: Add test for large offset bpf-to-bpf call Yazhou Tang
2026-04-30 3:30 ` Xu Kuohai