The Linux Kernel Mailing List
* [PATCH bpf-next v3 0/2] bpf: Enforce gotox targets against subprog bounds
@ 2026-06-28 13:59 Nuoqi Gui
  2026-06-28 13:59 ` [PATCH bpf-next v3 1/2] " Nuoqi Gui
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Nuoqi Gui @ 2026-06-28 13:59 UTC (permalink / raw)
  To: bpf, John Fastabend, Kumar Kartikeya Dwivedi, Martin KaFai Lau,
	Song Liu, Yonghong Song, Jiri Olsa, Emil Tsalapatis
  Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
	Eduard Zingerman, Anton Protopopov, Shuah Khan, linux-kselftest,
	linux-kernel, Nuoqi Gui

For gotox, CFG construction models the indirect-jump target set in
insn_aux_data->jt, while do_check() later follows targets from the runtime
PTR_TO_INSN register's own INSN_ARRAY map. If the same gotox can be
reached with PTR_TO_INSN values from different maps, do_check() can accept
a target outside the calling subprog.

The observed x86 JIT case can then enter another subprog without a matching
BPF call frame and crash when the program is run.

Fix this by rejecting gotox map targets outside the current gotox subprog.
Add a regression test covering the two-map cross-subprog case.

v1 -> v2:
  - Validate gotox runtime targets against the current subprog bounds instead
    of scanning the CFG jump table.
  - Fix the selftest expected error from -EACCES to -EINVAL.

v2 -> v3:
  - Drop the Validation section from the cover letter.
  - Clarify that the crash was observed through the x86 JIT path while the
    verifier invariant is generic.
  - Simplify the cover letter and commit message.
  - Remove the unused skel argument from the raw-insn selftest.
  - Move the raw-insn selftest to the end of test_bpf_gotox().

v1:
  https://lore.kernel.org/bpf/20260609-f01-03-gotox-bpf-next-v1-0-b441d63a1559@mails.tsinghua.edu.cn/

v2:
  https://lore.kernel.org/bpf/20260613-f01-03-gotox-bpf-next-v2-send-v2-0-7c883b43f3c3@mails.tsinghua.edu.cn/

Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
Nuoqi Gui (2):
      bpf: Enforce gotox targets against subprog bounds
      selftests/bpf: Add cross-subprog gotox target coverage

 kernel/bpf/verifier.c                              | 19 ++++++
 tools/testing/selftests/bpf/prog_tests/bpf_gotox.c | 73 ++++++++++++++++++++++
 2 files changed, 92 insertions(+)
---
base-commit: 7bfb93e3475be9de894f1cecd3a727d3e1649b03
change-id: 20260628-f01-03-gotox-bpf-next-1a7af91d2c82

Best regards,
--  
Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
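
The check described in the cover letter above, modeled in user space as an added example (not part of the original posting and not kernel code). The instruction layout and the targets 12 and 14 come from the selftest in patch 2/2; the function names and the end-sentinel entry in subprog_starts are assumptions of this model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout from the selftest: main subprog [0,14), static subprog [14,16).
 * The trailing 16 is an end sentinel (assumption of this model) so that
 * subprog_starts[i + 1] is valid for every real subprog i. */
static const uint32_t subprog_starts[] = { 0, 14, 16 };
#define NR_SUBPROGS 2

/* Index of the subprog containing insn_idx, or -1 if past the program. */
static int containing_subprog(uint32_t insn_idx)
{
	int lo = 0, hi = NR_SUBPROGS - 1;

	if (insn_idx >= subprog_starts[NR_SUBPROGS])
		return -1;
	while (lo < hi) {
		int mid = (lo + hi + 1) / 2;

		if (subprog_starts[mid] <= insn_idx)
			lo = mid;
		else
			hi = mid - 1;
	}
	return lo;
}

/* Every target in the jump table the register carries on this path must
 * fall inside the subprog that holds the gotox instruction. */
static int check_gotox_targets(uint32_t gotox_idx,
			       const uint32_t *targets, size_t n)
{
	int sp = containing_subprog(gotox_idx);
	uint32_t start, end;
	size_t i;

	if (sp < 0)
		return -EFAULT;
	start = subprog_starts[sp];
	end = subprog_starts[sp + 1];
	for (i = 0; i < n; i++)
		if (targets[i] < start || targets[i] >= end)
			return -EINVAL;
	return 0;
}

int main(void)
{
	const uint32_t good_map[] = { 12 };	/* stays in main subprog */
	const uint32_t bad_map[] = { 14 };	/* first insn of other subprog */

	/* The gotox is instruction 11 in the selftest program. */
	printf("good map: %d\n", check_gotox_targets(11, good_map, 1));
	printf("bad map:  %d\n", check_gotox_targets(11, bad_map, 1));
	return 0;
}
```

Target 14 is rejected only because the jump sits in the main subprog; the same target is in bounds for a gotox located at instruction 15.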



* [PATCH bpf-next v3 1/2] bpf: Enforce gotox targets against subprog bounds
  2026-06-28 13:59 [PATCH bpf-next v3 0/2] bpf: Enforce gotox targets against subprog bounds Nuoqi Gui
@ 2026-06-28 13:59 ` Nuoqi Gui
  2026-06-30 18:42   ` Anton Protopopov
  2026-06-28 13:59 ` [PATCH bpf-next v3 2/2] selftests/bpf: Add cross-subprog gotox target coverage Nuoqi Gui
  2026-06-30 18:21 ` [PATCH bpf-next v3 0/2] bpf: Enforce gotox targets against subprog bounds Anton Protopopov
  2 siblings, 1 reply; 6+ messages in thread
From: Nuoqi Gui @ 2026-06-28 13:59 UTC (permalink / raw)
  To: bpf, John Fastabend, Kumar Kartikeya Dwivedi, Martin KaFai Lau,
	Song Liu, Yonghong Song, Jiri Olsa, Emil Tsalapatis
  Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
	Eduard Zingerman, Anton Protopopov, Shuah Khan, linux-kselftest,
	linux-kernel, Nuoqi Gui

During CFG construction, the verifier records the modeled gotox target set
in insn_aux_data->jt. Later, check_indirect_jump() follows targets from
the runtime PTR_TO_INSN register's actual INSN_ARRAY map.

This lets one gotox instruction observe different INSN_ARRAY maps on
different paths and accept a target outside the calling subprog. The
observed x86 JIT case can then enter another subprog without a matching
BPF call frame and crash when executed.

Reject every target copied from the actual PTR_TO_INSN map if it is
outside the calling subprog.

Fixes: 493d9e0d6083 ("bpf, x86: add support for indirect jumps")
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
 kernel/bpf/verifier.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index eb46a81a8c51..05a996a5ecdd 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -17145,9 +17145,11 @@ static int indirect_jump_min_max_index(struct bpf_verifier_env *env,
 static int check_indirect_jump(struct bpf_verifier_env *env, struct bpf_insn *insn)
 {
 	struct bpf_verifier_state *other_branch;
+	struct bpf_subprog_info *subprog;
 	struct bpf_reg_state *dst_reg;
 	struct bpf_map *map;
 	u32 min_index, max_index;
+	int subprog_start, subprog_end;
 	int err = 0;
 	int n;
 	int i;
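Review bot: the new "int subprog_start, subprog_end;" declaration does not match how the values are used later in this patch, where both are compared against a "u32 target". Declaring the bounds as u32, alongside min_index and max_index, keeps the comparison in one signedness and avoids the implicit int-to-unsigned conversion.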
@@ -17188,6 +17190,23 @@ static int check_indirect_jump(struct bpf_verifier_env *env, struct bpf_insn *in
 		return -EINVAL;
 	}
 
+	subprog = bpf_find_containing_subprog(env, env->insn_idx);
+	if (verifier_bug_if(!subprog, env,
+			    "gotox insn %d is outside subprog bounds\n",
+			    env->insn_idx))
+		return -EFAULT;
+	subprog_start = subprog->start;
+	subprog_end = (subprog + 1)->start;
+
+	for (i = 0; i < n; i++) {
+		u32 target = env->gotox_tmp_buf->items[i];
+
+		if (target < subprog_start || target >= subprog_end) {
+			verbose(env, "gotox target %u outside subprog\n", target);
+			return -EINVAL;
+		}
+	}
+
 	for (i = 0; i < n - 1; i++) {
 		mark_indirect_target(env, env->gotox_tmp_buf->items[i]);
 		other_branch = push_stack(env, env->gotox_tmp_buf->items[i],
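Review bot: "subprog_end = (subprog + 1)->start;" reads the entry after the containing subprog, and nothing in this hunk shows that such an entry exists when the gotox sits in the last subprog. A one-line comment naming what guarantees the following entry would make the read self-evidently safe to the next reader.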

-- 
2.34.1



* [PATCH bpf-next v3 2/2] selftests/bpf: Add cross-subprog gotox target coverage
  2026-06-28 13:59 [PATCH bpf-next v3 0/2] bpf: Enforce gotox targets against subprog bounds Nuoqi Gui
  2026-06-28 13:59 ` [PATCH bpf-next v3 1/2] " Nuoqi Gui
@ 2026-06-28 13:59 ` Nuoqi Gui
  2026-06-30 18:49   ` Anton Protopopov
  2026-06-30 18:21 ` [PATCH bpf-next v3 0/2] bpf: Enforce gotox targets against subprog bounds Anton Protopopov
  2 siblings, 1 reply; 6+ messages in thread
From: Nuoqi Gui @ 2026-06-28 13:59 UTC (permalink / raw)
  To: bpf, John Fastabend, Kumar Kartikeya Dwivedi, Martin KaFai Lau,
	Song Liu, Yonghong Song, Jiri Olsa, Emil Tsalapatis
  Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
	Eduard Zingerman, Anton Protopopov, Shuah Khan, linux-kselftest,
	linux-kernel, Nuoqi Gui

Add a gotox regression test with two one-entry INSN_ARRAY maps. CFG can
model a map whose target stays in the main subprog, while the verified path
can load a different map whose target is the first instruction of another
subprog.

That second target is outside the subprog that contains this gotox
instruction, so program load must be rejected with -EINVAL.

Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
 tools/testing/selftests/bpf/prog_tests/bpf_gotox.c | 73 ++++++++++++++++++++++
 1 file changed, 73 insertions(+)

diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_gotox.c b/tools/testing/selftests/bpf/prog_tests/bpf_gotox.c
index 73dc63882b7d..997724c61c8b 100644
--- a/tools/testing/selftests/bpf/prog_tests/bpf_gotox.c
+++ b/tools/testing/selftests/bpf/prog_tests/bpf_gotox.c
@@ -255,6 +255,30 @@ static int create_jt_map(__u32 max_entries)
 			      key_size, value_size, max_entries, NULL);
 }
 
+static int create_jt_map_with_target(__u32 target)
+{
+	struct bpf_insn_array_value val = { .orig_off = target };
+	__u32 key = 0;
+	int map_fd;
+
+	map_fd = create_jt_map(1);
+	if (!ASSERT_GE(map_fd, 0, "create_jt_map"))
+		return -1;
+
+	if (!ASSERT_EQ(bpf_map_update_elem(map_fd, &key, &val, 0),
+		       0, "bpf_map_update_elem")) {
+		close(map_fd);
+		return -1;
+	}
+
+	if (!ASSERT_EQ(bpf_map_freeze(map_fd), 0, "bpf_map_freeze")) {
+		close(map_fd);
+		return -1;
+	}
+
+	return map_fd;
+}
+
 static int prog_load(struct bpf_insn *insns, __u32 insn_cnt)
 {
 	return bpf_prog_load(BPF_PROG_TYPE_RAW_TRACEPOINT, NULL, "GPL", insns, insn_cnt, NULL);
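Review bot: create_jt_map_with_target() already records a failure through ASSERT_GE/ASSERT_EQ before returning -1, so a caller that asserts on the returned fd again reports one root cause twice. Either return the error without asserting here, or have callers test the fd with a plain "if (fd < 0)".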
@@ -393,6 +417,52 @@ reject_offsets(struct bpf_insn *insns, __u32 insn_cnt, int off1, int off2, int o
 		close(prog_fd);
 }
 
+static void
+check_cross_subprog_gotox_target(void)
+{
+	struct bpf_insn insns[] = {
+		/* main subprog [0,14) */
+		BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
+		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_CALL, 0, 12),
+		BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, 0),
+		BPF_JMP_IMM(BPF_JEQ, BPF_REG_7, 0, 4),
+		BPF_LD_IMM64_RAW(BPF_REG_2, BPF_PSEUDO_MAP_VALUE, 0),
+		BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, 0),
+		BPF_JMP_A(3),
+		BPF_LD_IMM64_RAW(BPF_REG_2, BPF_PSEUDO_MAP_VALUE, 0),
+		BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, 0),
+		BPF_RAW_INSN(BPF_JMP | BPF_JA | BPF_X, BPF_REG_2, 0, 0, 0),
+		BPF_MOV64_IMM(BPF_REG_0, 1),
+		BPF_EXIT_INSN(),
+
+		/* static subprog [14,16) */
+		BPF_MOV64_IMM(BPF_REG_0, 42),
+		BPF_EXIT_INSN(),
+	};
+	int good_fd, bad_fd, prog_fd;
+
+	good_fd = create_jt_map_with_target(12);
+	if (!ASSERT_GE(good_fd, 0, "create_good_jt_map"))
+		return;
+
+	bad_fd = create_jt_map_with_target(14);
+	if (!ASSERT_GE(bad_fd, 0, "create_bad_jt_map")) {
+		close(good_fd);
+		return;
+	}
+
+	insns[4].imm = bad_fd;
+	insns[8].imm = good_fd;
+
+	prog_fd = bpf_prog_load(BPF_PROG_TYPE_SOCKET_FILTER, NULL, "GPL",
+				insns, ARRAY_SIZE(insns), NULL);
+	if (!ASSERT_EQ(prog_fd, -EINVAL, "cross_subprog_gotox_prog_load"))
+		close(prog_fd);
+
+	close(bad_fd);
+	close(good_fd);
+}
+
 /*
  * Verify a bit more complex programs which include indirect jumps
  * and with jump tables loaded with a non-zero offset
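Review bot: in check_cross_subprog_gotox_target(), "if (!ASSERT_EQ(prog_fd, -EINVAL, ...)) close(prog_fd);" calls close() whenever the load result differs from -EINVAL, including when prog_fd is some other negative error. Guard the cleanup with "if (prog_fd >= 0)" instead. The last argument to bpf_prog_load() is NULL, so no verifier log is captured and any -EINVAL passes the test; matching the "gotox target %u outside subprog" text from the log would tie the rejection to the new check.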
@@ -541,5 +611,8 @@ void test_bpf_gotox(void)
 	if (test__start_subtest("check-ldimm64-off-gotox-llvm"))
 		__subtest(skel, check_ldimm64_off_gotox_llvm);
 
+	if (test__start_subtest("check-cross-subprog-gotox-target"))
+		check_cross_subprog_gotox_target();
+
 	bpf_gotox__destroy(skel);
 }

-- 
2.34.1



* Re: [PATCH bpf-next v3 0/2] bpf: Enforce gotox targets against subprog bounds
  2026-06-28 13:59 [PATCH bpf-next v3 0/2] bpf: Enforce gotox targets against subprog bounds Nuoqi Gui
  2026-06-28 13:59 ` [PATCH bpf-next v3 1/2] " Nuoqi Gui
  2026-06-28 13:59 ` [PATCH bpf-next v3 2/2] selftests/bpf: Add cross-subprog gotox target coverage Nuoqi Gui
@ 2026-06-30 18:21 ` Anton Protopopov
  2 siblings, 0 replies; 6+ messages in thread
From: Anton Protopopov @ 2026-06-30 18:21 UTC (permalink / raw)
  To: Nuoqi Gui
  Cc: bpf, John Fastabend, Kumar Kartikeya Dwivedi, Martin KaFai Lau,
	Song Liu, Yonghong Song, Jiri Olsa, Emil Tsalapatis,
	Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
	Eduard Zingerman, Shuah Khan, linux-kselftest, linux-kernel

On 26/06/28 09:59PM, Nuoqi Gui wrote:
> For gotox, CFG construction models the indirect-jump target set in
> insn_aux_data->jt, while do_check() later follows targets from the runtime
> PTR_TO_INSN register's own INSN_ARRAY map. If the same gotox can be
> reached with PTR_TO_INSN values from different maps, do_check() can accept
> a target outside the calling subprog.

Can we use some human-readable description here? Please just explain that maps
considered during the config stage must be a super-set of maps checked at runtime.

> The observed x86 JIT case can then enter another subprog without a matching
> BPF call frame and crash when the program is run.

Sorry, but why is the x86 still here?

> 
> Fix this by rejecting gotox map targets outside the current gotox subprog.
> Add a regression test covering the two-map cross-subprog case.
> 
> v1 -> v2:
>   - Validate gotox runtime targets against the current subprog bounds instead
>     of scanning the CFG jump table.
>   - Fix the selftest expected error from -EACCES to -EINVAL.
> 
> v2 -> v3:
>   - Drop the Validation section from the cover letter.
>   - Clarify that the crash was observed through the x86 JIT path while the
>     verifier invariant is generic.
>   - Simplify the cover letter and commit message.
>   - Remove the unused skel argument from the raw-insn selftest.
>   - Move the raw-insn selftest to the end of test_bpf_gotox().
> 
> v1:
>   https://lore.kernel.org/bpf/20260609-f01-03-gotox-bpf-next-v1-0-b441d63a1559@mails.tsinghua.edu.cn/
> 
> v2:
>   https://lore.kernel.org/bpf/20260613-f01-03-gotox-bpf-next-v2-send-v2-0-7c883b43f3c3@mails.tsinghua.edu.cn/
> 
> Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
> ---
> Nuoqi Gui (2):
>       bpf: Enforce gotox targets against subprog bounds
>       selftests/bpf: Add cross-subprog gotox target coverage
> 
>  kernel/bpf/verifier.c                              | 19 ++++++
>  tools/testing/selftests/bpf/prog_tests/bpf_gotox.c | 73 ++++++++++++++++++++++
>  2 files changed, 92 insertions(+)
> ---
> base-commit: 7bfb93e3475be9de894f1cecd3a727d3e1649b03
> change-id: 20260628-f01-03-gotox-bpf-next-1a7af91d2c82
> 
> Best regards,
> --  
> Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
> 


* Re: [PATCH bpf-next v3 1/2] bpf: Enforce gotox targets against subprog bounds
  2026-06-28 13:59 ` [PATCH bpf-next v3 1/2] " Nuoqi Gui
@ 2026-06-30 18:42   ` Anton Protopopov
  0 siblings, 0 replies; 6+ messages in thread
From: Anton Protopopov @ 2026-06-30 18:42 UTC (permalink / raw)
  To: Nuoqi Gui
  Cc: bpf, John Fastabend, Kumar Kartikeya Dwivedi, Martin KaFai Lau,
	Song Liu, Yonghong Song, Jiri Olsa, Emil Tsalapatis,
	Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
	Eduard Zingerman, Shuah Khan, linux-kselftest, linux-kernel

On 26/06/28 09:59PM, Nuoqi Gui wrote:
> During CFG construction, the verifier records the modeled gotox target set
> in insn_aux_data->jt. Later, check_indirect_jump() follows targets from
> the runtime PTR_TO_INSN register's actual INSN_ARRAY map.
> 
> This lets one gotox instruction observe different INSN_ARRAY maps on
> different paths and accept a target outside the calling subprog. The
> observed x86 JIT case can then enter another subprog without a matching
> BPF call frame and crash when executed.
> 
> Reject every target copied from the actual PTR_TO_INSN map if it is
> outside the calling subprog.
> 
> Fixes: 493d9e0d6083 ("bpf, x86: add support for indirect jumps")
> Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
> ---
>  kernel/bpf/verifier.c | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
> 
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index eb46a81a8c51..05a996a5ecdd 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -17145,9 +17145,11 @@ static int indirect_jump_min_max_index(struct bpf_verifier_env *env,
>  static int check_indirect_jump(struct bpf_verifier_env *env, struct bpf_insn *insn)
>  {
>  	struct bpf_verifier_state *other_branch;
> +	struct bpf_subprog_info *subprog;
>  	struct bpf_reg_state *dst_reg;
>  	struct bpf_map *map;
>  	u32 min_index, max_index;
> +	int subprog_start, subprog_end;
>  	int err = 0;
>  	int n;
>  	int i;
> @@ -17188,6 +17190,23 @@ static int check_indirect_jump(struct bpf_verifier_env *env, struct bpf_insn *in
>  		return -EINVAL;
>  	}
>  
> +	subprog = bpf_find_containing_subprog(env, env->insn_idx);
> +	if (verifier_bug_if(!subprog, env,
> +			    "gotox insn %d is outside subprog bounds\n",
> +			    env->insn_idx))

Can this actually happen?

> +		return -EFAULT;
> +	subprog_start = subprog->start;
> +	subprog_end = (subprog + 1)->start;
> +
> +	for (i = 0; i < n; i++) {
> +		u32 target = env->gotox_tmp_buf->items[i];
> +
> +		if (target < subprog_start || target >= subprog_end) {
> +			verbose(env, "gotox target %u outside subprog\n", target);

In the previous patch there was more info printed (at least, subprog
boundaries looked ok, not 100% sure about map id).

> +			return -EINVAL;
> +		}
> +	}
> +
>  	for (i = 0; i < n - 1; i++) {
>  		mark_indirect_target(env, env->gotox_tmp_buf->items[i]);
>  		other_branch = push_stack(env, env->gotox_tmp_buf->items[i],
> 
> -- 
> 2.34.1
> 


* Re: [PATCH bpf-next v3 2/2] selftests/bpf: Add cross-subprog gotox target coverage
  2026-06-28 13:59 ` [PATCH bpf-next v3 2/2] selftests/bpf: Add cross-subprog gotox target coverage Nuoqi Gui
@ 2026-06-30 18:49   ` Anton Protopopov
  0 siblings, 0 replies; 6+ messages in thread
From: Anton Protopopov @ 2026-06-30 18:49 UTC (permalink / raw)
  To: Nuoqi Gui
  Cc: bpf, John Fastabend, Kumar Kartikeya Dwivedi, Martin KaFai Lau,
	Song Liu, Yonghong Song, Jiri Olsa, Emil Tsalapatis,
	Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
	Eduard Zingerman, Shuah Khan, linux-kselftest, linux-kernel

On 26/06/28 09:59PM, Nuoqi Gui wrote:
> Add a gotox regression test with two one-entry INSN_ARRAY maps. CFG can
> model a map whose target stays in the main subprog, while the verified path
> can load a different map whose target is the first instruction of another
> subprog.
> 
> That second target is outside the subprog that contains this gotox
> instruction, so program load must be rejected with -EINVAL.
> 
> Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
> ---
>  tools/testing/selftests/bpf/prog_tests/bpf_gotox.c | 73 ++++++++++++++++++++++
>  1 file changed, 73 insertions(+)
> 
> diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_gotox.c b/tools/testing/selftests/bpf/prog_tests/bpf_gotox.c
> index 73dc63882b7d..997724c61c8b 100644
> --- a/tools/testing/selftests/bpf/prog_tests/bpf_gotox.c
> +++ b/tools/testing/selftests/bpf/prog_tests/bpf_gotox.c
> @@ -255,6 +255,30 @@ static int create_jt_map(__u32 max_entries)
>  			      key_size, value_size, max_entries, NULL);
>  }
>  
> +static int create_jt_map_with_target(__u32 target)
> +{
> +	struct bpf_insn_array_value val = { .orig_off = target };
> +	__u32 key = 0;
> +	int map_fd;
> +
> +	map_fd = create_jt_map(1);
> +	if (!ASSERT_GE(map_fd, 0, "create_jt_map"))
> +		return -1;
> +
> +	if (!ASSERT_EQ(bpf_map_update_elem(map_fd, &key, &val, 0),
> +		       0, "bpf_map_update_elem")) {
> +		close(map_fd);
> +		return -1;
> +	}
> +
> +	if (!ASSERT_EQ(bpf_map_freeze(map_fd), 0, "bpf_map_freeze")) {
> +		close(map_fd);
> +		return -1;
> +	}
> +
> +	return map_fd;
> +}
> +
>  static int prog_load(struct bpf_insn *insns, __u32 insn_cnt)
>  {
>  	return bpf_prog_load(BPF_PROG_TYPE_RAW_TRACEPOINT, NULL, "GPL", insns, insn_cnt, NULL);
> @@ -393,6 +417,52 @@ reject_offsets(struct bpf_insn *insns, __u32 insn_cnt, int off1, int off2, int o
>  		close(prog_fd);
>  }
>  
> +static void
> +check_cross_subprog_gotox_target(void)
> +{
> +	struct bpf_insn insns[] = {
> +		/* main subprog [0,14) */
> +		BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
> +		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_CALL, 0, 12),
> +		BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, 0),
> +		BPF_JMP_IMM(BPF_JEQ, BPF_REG_7, 0, 4),
> +		BPF_LD_IMM64_RAW(BPF_REG_2, BPF_PSEUDO_MAP_VALUE, 0),
> +		BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, 0),
> +		BPF_JMP_A(3),
> +		BPF_LD_IMM64_RAW(BPF_REG_2, BPF_PSEUDO_MAP_VALUE, 0),
> +		BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, 0),
> +		BPF_RAW_INSN(BPF_JMP | BPF_JA | BPF_X, BPF_REG_2, 0, 0, 0),
> +		BPF_MOV64_IMM(BPF_REG_0, 1),
> +		BPF_EXIT_INSN(),
> +
> +		/* static subprog [14,16) */
> +		BPF_MOV64_IMM(BPF_REG_0, 42),
> +		BPF_EXIT_INSN(),
> +	};
> +	int good_fd, bad_fd, prog_fd;
> +
> +	good_fd = create_jt_map_with_target(12);
> +	if (!ASSERT_GE(good_fd, 0, "create_good_jt_map"))
> +		return;
> +
> +	bad_fd = create_jt_map_with_target(14);
> +	if (!ASSERT_GE(bad_fd, 0, "create_bad_jt_map")) {
> +		close(good_fd);
> +		return;
> +	}
> +
> +	insns[4].imm = bad_fd;
> +	insns[8].imm = good_fd;
> +
> +	prog_fd = bpf_prog_load(BPF_PROG_TYPE_SOCKET_FILTER, NULL, "GPL",
> +				insns, ARRAY_SIZE(insns), NULL);
> +	if (!ASSERT_EQ(prog_fd, -EINVAL, "cross_subprog_gotox_prog_load"))
> +		close(prog_fd);
> +
> +	close(bad_fd);
> +	close(good_fd);
> +}
> +
>  /*
>   * Verify a bit more complex programs which include indirect jumps
>   * and with jump tables loaded with a non-zero offset
> @@ -541,5 +611,8 @@ void test_bpf_gotox(void)
>  	if (test__start_subtest("check-ldimm64-off-gotox-llvm"))
>  		__subtest(skel, check_ldimm64_off_gotox_llvm);
>  
> +	if (test__start_subtest("check-cross-subprog-gotox-target"))
> +		check_cross_subprog_gotox_target();
> +
>  	bpf_gotox__destroy(skel);
>  }

LGTM now. Please add another selftest as was mentioned in the main patch.

Also, v3 lost the ack from Yonghong Song for this patch.

> -- 
> 2.34.1
> 
