From: KaFai Wan <kafai.wan@linux.dev>
To: Leon Hwang <leon.hwang@linux.dev>, bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
John Fastabend <john.fastabend@gmail.com>,
Andrii Nakryiko <andrii@kernel.org>,
Eduard Zingerman <eddyz87@gmail.com>,
Kumar Kartikeya Dwivedi <memxor@gmail.com>,
Martin KaFai Lau <martin.lau@linux.dev>,
Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
Jiri Olsa <jolsa@kernel.org>,
Emil Tsalapatis <emil@etsalapatis.com>,
Andrew Morton <akpm@linux-foundation.org>,
Shuah Khan <shuah@kernel.org>,
Puranjay Mohan <puranjay@kernel.org>,
Anton Protopopov <a.s.protopopov@gmail.com>,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: Re: [RFC PATCH bpf 1/6] bpf: Disallow interpreter fallback for user BPF_ADDR_SPACE_CAST insn
Date: Tue, 30 Jun 2026 22:29:21 +0800
Message-ID: <e279c9a7ca6b16e52dc261560513b0eafdd70f87.camel@linux.dev>
In-Reply-To: <20260626154330.33619-2-leon.hwang@linux.dev>
On Fri, 2026-06-26 at 23:43 +0800, Leon Hwang wrote:
> The interpreter is unable to handle the user BPF_ADDR_SPACE_CAST insn,
> whose '->off' is 1:
>
> static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn)
> {
> ALU64_MOV_X:
> switch (OFF) {
> case 0:
> DST = SRC;
> break;
> case 8:
> DST = (s8) SRC;
> break;
> case 16:
> DST = (s16) SRC;
> break;
> case 32:
> DST = (s32) SRC;
> break;
> }
> CONT;
> }
>
> On the fallback path from JIT in __bpf_prog_select_runtime(), reject
> the insn to avoid being ignored by interpreter.
>
> Fixes: 142fd4d2dcf5 ("bpf: Add x86-64 JIT support for bpf_addr_space_cast instruction.")
> Signed-off-by: Leon Hwang <leon.hwang@linux.dev>
> ---
> kernel/bpf/core.c | 29 +++++++++++++++++++++++------
> 1 file changed, 23 insertions(+), 6 deletions(-)
>
> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
> index 0db6e55bad52..e92eb8b7f945 100644
> --- a/kernel/bpf/core.c
> +++ b/kernel/bpf/core.c
> @@ -2608,23 +2608,37 @@ static struct bpf_prog *bpf_prog_jit_compile(struct bpf_verifier_env *env,
> struc
> return prog;
> }
>
> +static bool bpf_insn_requires_jit(struct bpf_insn *insn)
> +{
> + if (insn_is_cast_user(insn))
> + return true;
> +
> + return false;
> +}
> +
> /* Fix up helper call offsets on JIT fallback path. */
> -static void bpf_fixup_fallback_helpers(struct bpf_verifier_env *env, struct bpf_prog *fp)
> +static int bpf_fixup_fallback_helpers(struct bpf_verifier_env *env, struct bpf_prog *fp)
> {
> struct bpf_insn *insn = fp->insnsi;
> const struct bpf_func_proto *fn;
> int i;
>
> - if (!env || !env->ops->get_func_proto)
> - return;
> + if (!env)
> + return 0;
>
> for (i = 0; i < fp->len; i++, insn++) {
> - if (bpf_helper_call(insn) && bpf_jit_inlines_helper_call(insn->imm)) {
> + if (env->ops->get_func_proto && bpf_helper_call(insn) &&
> + bpf_jit_inlines_helper_call(insn->imm)) {
> fn = env->ops->get_func_proto(insn->imm, env->prog);
> if (fn && fn->func)
> insn->imm = fn->func - __bpf_call_base;

It might be better to use the BPF_CALL_IMM macro.

	insn->imm = BPF_CALL_IMM(fn->func);

> }
> +
> + if (bpf_insn_requires_jit(insn))
> + return -EOPNOTSUPP;
> }
> +
> + return 0;
> }
>
> struct bpf_prog *__bpf_prog_select_runtime(struct bpf_verifier_env *env, struct bpf_prog *fp,
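
Review bot: The early `if (!env) return 0;` in bpf_fixup_fallback_helpers() now also skips the new bpf_insn_requires_jit() scan, although that check does not use env, so a fallback taken with a NULL env is never rejected. Consider running the loop unconditionally and folding the env test into the helper-fixup condition (`env && env->ops->get_func_proto && ...`). The function's comment and name also still describe only the helper offset fixup; it now returns -EOPNOTSUPP for JIT-only insns, which is worth stating in the comment or reflecting in the name.
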
> @@ -2663,8 +2677,11 @@ struct bpf_prog *__bpf_prog_select_runtime(struct bpf_verifier_env *env,
> struct
> return fp;
> }
>
> - if (!fp->jited)
> - bpf_fixup_fallback_helpers(env, fp);
> + if (!fp->jited) {
> + *err = bpf_fixup_fallback_helpers(env, fp);
> + if (*err)
> + return fp;
> + }
> } else {
> *err = bpf_prog_offload_compile(fp);
> if (*err)
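
Review bot: On the `!fp->jited` path the new `return fp` reports only -EOPNOTSUPP through `*err`, with nothing that tells the user which instruction blocked the interpreter fallback. When env is non-NULL, consider writing a verifier log line in bpf_fixup_fallback_helpers() that names the offending insn index, so this load failure can be told apart from other -EOPNOTSUPP sources.
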
--
Thanks,
KaFai
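
The silent no-op described in the quoted commit message, as an added userspace model; it is not kernel code and not part of the original message. The `model_*` names, the reduced instruction struct and the constructed sample program are assumptions made for illustration, and the cast-user test is simplified to the `->off == 1` condition the commit message names.

```c
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for struct bpf_insn: every insn here is a 64-bit MOV. */
struct model_insn {
	int16_t off;      /* 0/8/16/32 = plain or sign-extending MOV, 1 = user cast */
	uint8_t dst, src; /* register indexes */
};

#define MODEL_CAST_USER_OFF 1 /* the '->off' value named in the commit message */

/* Mirrors the quoted ALU64_MOV_X switch: no case for off == 1, no default. */
static void model_interp_mov(uint64_t *regs, const struct model_insn *insn)
{
	uint64_t src = regs[insn->src];
	switch (insn->off) {
	case 0:  regs[insn->dst] = src; break;
	case 8:  regs[insn->dst] = (uint64_t)(int64_t)(int8_t)src; break;
	case 16: regs[insn->dst] = (uint64_t)(int64_t)(int16_t)src; break;
	case 32: regs[insn->dst] = (uint64_t)(int64_t)(int32_t)src; break;
	}
}

/* Fallback-path scan in the spirit of the patch: refuse rather than run. */
static int model_check_fallback(const struct model_insn *prog, size_t len)
{
	for (size_t i = 0; i < len; i++)
		if (prog[i].off == MODEL_CAST_USER_OFF)
			return -EOPNOTSUPP;
	return 0;
}

/* Runs one insn (dst = r0, src = r1) and returns r0 afterwards. */
static uint64_t model_run_one(int16_t off, uint64_t src_val, uint64_t dst_stale)
{
	uint64_t regs[2] = { dst_stale, src_val };
	struct model_insn insn = { .off = off, .dst = 0, .src = 1 };
	model_interp_mov(regs, &insn);
	return regs[0];
}

int main(void)
{
	/* Constructed sample program: a plain MOV followed by a user cast. */
	struct model_insn prog[] = { { 0, 0, 1 }, { MODEL_CAST_USER_OFF, 0, 1 } };
	printf("off=1 leaves r0=%#llx, scan returns %d\n",
	       (unsigned long long)model_run_one(1, 0x1234, 0xdead), model_check_fallback(prog, 2));
	return 0;
}
```

With `off == 1` the destination register keeps its stale value and execution continues, which is why the check has to happen before the interpreter is selected rather than inside it.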