Date: Tue, 30 Jun 2026 18:21:22 +0000
From: Anton Protopopov
To: Nuoqi Gui
Cc: bpf@vger.kernel.org, John Fastabend, Kumar Kartikeya Dwivedi, Martin KaFai Lau, Song Liu, Yonghong Song, Jiri Olsa, Emil Tsalapatis, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Eduard Zingerman, Shuah Khan, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH bpf-next v3 0/2] bpf: Enforce gotox targets against subprog bounds
In-Reply-To: <20260628-f01-03-gotox-bpf-next-v3-0-b744432e1361@mails.tsinghua.edu.cn>

On 26/06/28 09:59PM, Nuoqi Gui wrote:
> For gotox, CFG construction models the indirect-jump target set in
> insn_aux_data->jt, while do_check() later follows targets from the runtime
> PTR_TO_INSN register's own INSN_ARRAY map. If the same gotox can be
> reached with PTR_TO_INSN values from different maps, do_check() can accept
> a target outside the calling subprog.

Can we use some human-readable description here? Please just explain
that maps considered during the config stage must be a super-set of
maps checked at runtime.

> The observed x86 JIT case can then enter another subprog without a matching
> BPF call frame and crash when the program is run.

Sorry, but why is the x86 still here?

>
> Fix this by rejecting gotox map targets outside the current gotox subprog.
> Add a regression test covering the two-map cross-subprog case.
>
> v1 -> v2:
> - Validate gotox runtime targets against the current subprog bounds instead
>   of scanning the CFG jump table.
> - Fix the selftest expected error from -EACCES to -EINVAL.
>
> v2 -> v3:
> - Drop the Validation section from the cover letter.
> - Clarify that the crash was observed through the x86 JIT path while the
>   verifier invariant is generic.
> - Simplify the cover letter and commit message.
> - Remove the unused skel argument from the raw-insn selftest.
> - Move the raw-insn selftest to the end of test_bpf_gotox().
>
> v1:
> https://lore.kernel.org/bpf/20260609-f01-03-gotox-bpf-next-v1-0-b441d63a1559@mails.tsinghua.edu.cn/
>
> v2:
> https://lore.kernel.org/bpf/20260613-f01-03-gotox-bpf-next-v2-send-v2-0-7c883b43f3c3@mails.tsinghua.edu.cn/
>
> Signed-off-by: Nuoqi Gui
> ---
> Nuoqi Gui (2):
>       bpf: Enforce gotox targets against subprog bounds
>       selftests/bpf: Add cross-subprog gotox target coverage
>
>  kernel/bpf/verifier.c                              | 19 ++++++
>  tools/testing/selftests/bpf/prog_tests/bpf_gotox.c | 73 ++++++++++++++++++++++
>  2 files changed, 92 insertions(+)
> ---
> base-commit: 7bfb93e3475be9de894f1cecd3a727d3e1649b03
> change-id: 20260628-f01-03-gotox-bpf-next-1a7af91d2c82
>
> Best regards,
> --
> Nuoqi Gui
>
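
As an added illustration (not code from the patch series or the kernel), here is a simplified userspace C model of the invariant discussed in this thread: when a gotox is followed through an INSN_ARRAY map, every target in that map must lie inside the subprog that contains the gotox. The struct and function names, the instruction layout and the map contents are constructed for the example, and checking all targets of the map (rather than only the one followed) is an assumption.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model; all names here are hypothetical, not the kernel's. */
struct subprog { uint32_t start, end; };   /* covers insns [start, end) */
struct insn_array { const uint32_t *targets; size_t cnt; }; /* models an INSN_ARRAY map */

/* Return the subprog that contains instruction index idx, or NULL. */
static const struct subprog *find_subprog(const struct subprog *sp, size_t n,
                                          uint32_t idx)
{
    for (size_t i = 0; i < n; i++)
        if (idx >= sp[i].start && idx < sp[i].end)
            return &sp[i];
    return NULL;
}

/* Check for a gotox at gotox_idx whose register points into map: reject
 * any target outside the subprog that holds the gotox. -EINVAL mirrors
 * the error code the changelog names for the selftest. */
static int check_gotox_targets(const struct subprog *sp, size_t n,
                               uint32_t gotox_idx, const struct insn_array *map)
{
    const struct subprog *cur = find_subprog(sp, n, gotox_idx);

    if (!cur)
        return -EINVAL;
    for (size_t i = 0; i < map->cnt; i++)
        if (map->targets[i] < cur->start || map->targets[i] >= cur->end)
            return -EINVAL;
    return 0;
}

/* Constructed layout: subprog 0 = insns [0,10), subprog 1 = insns [10,20). */
static const struct subprog PROGS[] = { { 0, 10 }, { 10, 20 } };
static const uint32_t MAP_A_T[] = { 3, 5, 7 };  /* all inside subprog 0 */
static const uint32_t MAP_B_T[] = { 4, 12 };    /* 12 lands in subprog 1 */
static const struct insn_array MAP_A = { MAP_A_T, 3 };
static const struct insn_array MAP_B = { MAP_B_T, 2 };

int main(void)
{
    /* The gotox at insn 8 sits in subprog 0 and is reachable with either map. */
    printf("map A: %d\n", check_gotox_targets(PROGS, 2, 8, &MAP_A));
    printf("map B: %d\n", check_gotox_targets(PROGS, 2, 8, &MAP_B));
    return 0;
}
```

In this model a jump table built only from map A would describe the gotox as staying in subprog 0, while a register pointing into map B carries a target in subprog 1; the bounds check rejects that second case regardless of which map the earlier stage looked at.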