emit ENDBR/BTI instructions for indirect jump targets #11380
kernel-patches-daemon-bpf[bot] wants to merge 5 commits into bpf-next_base from
Upstream branch: ca0f39a
AI reviewed your patch. Please fix the bug or email reply why it's not a bug. In-Reply-To-Subject:
Forwarding comment 4048736540 via email
During the JIT stage, constants blinding rewrites instructions but only rewrites the private instruction copy of the JITed subprog, leaving the global instructions and insn_aux_data unchanged. This causes a mismatch between subprog instructions and the global state, making it difficult to look up the global insn_aux_data in the JIT.

To avoid this mismatch, and given that all arch-specific JITs already support constants blinding, move it to the generic verifier code, and switch to rewriting the global env->insnsi with the global states adjusted, as other rewrites in the verifier do. This removes the constants blinding calls in each JIT, which are largely duplicated code across architectures.

Since constants blinding is only required for JIT, and there are two entry functions for JIT, jit_subprogs() and bpf_prog_select_runtime(), move the constants blinding invocation into the two functions.

If constants blinding fails, or if it succeeds but the subsequent JIT compilation fails, the kernel falls back to running the BPF program with the interpreter. To ensure a correct rollback, the program cloning before instruction rewriting in the constants blinding is preserved. During the blinding process, only the cloned instructions are patched, leaving the original program untouched.

Since bpf_patch_insn_data() is chosen for the constants blinding in the verifier path, and it adjusts the global auxiliary data in the verifier state, a key question is whether this auxiliary data should be restored when JIT fails. Besides instructions, bpf_patch_insn_data() adjusts env->insn_aux_data, env->subprog_info, prog->aux->poke_tab and env->insn_array_maps. env->insn_aux_data and env->subprog_info are no longer used after JIT failure and are freed at the end of bpf_check(). prog->aux->poke_tab is only used by JIT. And when the JIT fails, programs using insn_array would be rejected by the bpf_insn_array_ready() function since no JITed addresses are available. This means env->insn_array_maps is only useful for JIT. Therefore, none of the adjusted auxiliary data needs to be restored.

For classic BPF programs, constants blinding works as before since it is still invoked from bpf_prog_select_runtime().

Reviewed-by: Anton Protopopov <[email protected]>
Signed-off-by: Xu Kuohai <[email protected]>
Reviewed-by: Hari Bathini <[email protected]>
Reviewed-by: Pu Lehui <[email protected]> # riscv
Upstream branch: bb41fce
Pass bpf_verifier_env to bpf_int_jit_compile(). The follow-up patch will use env->insn_aux_data in the JIT stage to detect indirect jump targets.

Since bpf_prog_select_runtime() can be called by cbpf and lib/test_bpf.c code without the verifier, introduce the helper __bpf_prog_select_runtime() to accept the env parameter. Remove the call to bpf_prog_select_runtime() in bpf_prog_load(), and switch to calling __bpf_prog_select_runtime() in the verifier, with the env variable passed. The original bpf_prog_select_runtime() is preserved for cbpf and lib/test_bpf.c, where env is NULL.

Now all constants blinding calls are moved into the verifier, except the cbpf and lib/test_bpf.c cases. The instruction arrays are adjusted by the bpf_patch_insn_data() function for normal cases, so there is no need to call adjust_insn_arrays() in bpf_jit_blind_constants(). Remove it.

Reviewed-by: Anton Protopopov <[email protected]>
Signed-off-by: Xu Kuohai <[email protected]>
Introduce the helper bpf_insn_is_indirect_target to check whether a BPF instruction is an indirect jump target.

Since the verifier knows which instructions are indirect jump targets, add a new flag indirect_target to struct bpf_insn_aux_data to mark them. The verifier sets this flag when verifying an indirect jump target instruction, and the helper checks the flag to determine whether an instruction is an indirect jump target.

Reviewed-by: Anton Protopopov <[email protected]>
Signed-off-by: Xu Kuohai <[email protected]>
On CPUs that support CET/IBT, the indirect jump selftest triggers a kernel panic because the indirect jump targets lack ENDBR instructions. To fix it, emit an ENDBR instruction at each indirect jump target.

Since the ENDBR instruction shifts the position of the original jited instructions, fix the instruction address calculation wherever the addresses are used.

For reference, below is a sample panic log.

  Missing ENDBR: bpf_prog_2e5f1c71c13ac3e0_big_jump_table+0x97/0xe1
  ------------[ cut here ]------------
  kernel BUG at arch/x86/kernel/cet.c:133!
  Oops: invalid opcode: 0000 [#1] SMP NOPTI
  ...
   ? 0xffffffffc00fb258
   ? bpf_prog_2e5f1c71c13ac3e0_big_jump_table+0x97/0xe1
   bpf_prog_test_run_syscall+0x110/0x2f0
   ? fdget+0xba/0xe0
   __sys_bpf+0xe4b/0x2590
   ? __kmalloc_node_track_caller_noprof+0x1c7/0x680
   ? bpf_prog_test_run_syscall+0x215/0x2f0
   __x64_sys_bpf+0x21/0x30
   do_syscall_64+0x85/0x620
   ? bpf_prog_test_run_syscall+0x1e2/0x2f0

Fixes: 493d9e0 ("bpf, x86: add support for indirect jumps")
Reviewed-by: Anton Protopopov <[email protected]>
Signed-off-by: Xu Kuohai <[email protected]>
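As an added illustration, not kernel code and not part of this series, a small C model of the bookkeeping the x86 commit above describes and the flag the previous commit introduces: the verifier-set per-insn flag decides where a landing pad goes, each pad shifts every later address by four bytes, and the recorded entry address of a target must point at the ENDBR itself, which is the property IBT enforces. The arm64 BTI fix is the same bookkeeping with a different landing-pad instruction. The names (struct aux, jit_emit, targets_have_endbr), the fixed body sizes and the sample layout are all constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed model, not kernel code: each "BPF insn" JITs to a fixed body
 * size; an insn flagged as an indirect jump target gets a 4-byte ENDBR64
 * (f3 0f 1e fa) in front, and addrs[] must record the ENDBR as its entry. */
#define MAX_INSNS 8
#define IMG_SIZE  128
static const uint8_t ENDBR64[4] = { 0xf3, 0x0f, 0x1e, 0xfa };
struct aux { bool indirect_target; };      /* stand-in for bpf_insn_aux_data */
struct jit {
	uint8_t img[IMG_SIZE];
	size_t  len;
	size_t  addrs[MAX_INSNS + 1];      /* addrs[i]: offset of insn i; addrs[n]: end */
};
/* Analogue of bpf_insn_is_indirect_target(): read the verifier-set flag. */
static bool is_indirect_target(const struct aux *aux, int idx) { return aux[idx].indirect_target; }
/* Lay out n insns; sizes[i] is the JITed body size of insn i. Returns image size. */
static size_t jit_emit(struct jit *j, const struct aux *aux, const uint8_t *sizes, int n)
{
	j->len = 0;
	for (int i = 0; i < n; i++) {
		j->addrs[i] = j->len;              /* entry point, recorded before any pad */
		if (is_indirect_target(aux, i)) {
			memcpy(j->img + j->len, ENDBR64, sizeof(ENDBR64));
			j->len += sizeof(ENDBR64);  /* every later insn shifts by 4 bytes */
		}
		memset(j->img + j->len, 0x90, sizes[i]);   /* body stand-in: NOPs */
		j->len += sizes[i];
	}
	j->addrs[n] = j->len;
	return j->len;
}
/* The check IBT performs in hardware: every indirect-branch destination
 * (here, every jump-table entry addrs[i]) must begin with ENDBR. */
static bool targets_have_endbr(const struct jit *j, const struct aux *aux, int n)
{
	for (int i = 0; i < n; i++)
		if (is_indirect_target(aux, i) &&
		    memcmp(j->img + j->addrs[i], ENDBR64, sizeof(ENDBR64)) != 0)
			return false;
	return true;
}
/* Constructed sample: four insns, insns 1 and 3 are jump-table targets.
 * Layout: 0..5 body0 | 5 ENDBR, 9..12 body1 | 12..19 body2 | 19 ENDBR, 23..25 body3 */
static const struct aux SAMPLE_AUX[4]   = { {false}, {true}, {false}, {true} };
static const uint8_t    SAMPLE_SIZES[4] = { 5, 3, 7, 2 };
static struct jit g_jit;
```

Recording addrs[i] after the pad instead of before it reproduces the failure in the log above: the jump table would land four bytes past the ENDBR and the CPU would fault with "Missing ENDBR".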
On CPUs that support BTI, the indirect jump selftest triggers a kernel panic because there are no BTI instructions at the indirect jump targets. Fix it by emitting a BTI instruction for each indirect jump target.

For reference, below is a sample panic log.

  Internal error: Oops - BTI: 0000000036000003 [#1] SMP
  ...
  Call trace:
   bpf_prog_2e5f1c71c13ac3e0_big_jump_table+0x54/0xf8 (P)
   bpf_prog_run_pin_on_cpu+0x140/0x468
   bpf_prog_test_run_syscall+0x280/0x3b8
   bpf_prog_test_run+0x22c/0x2c0

Fixes: f4a66cf ("bpf: arm64: Add support for indirect jumps")
Reviewed-by: Anton Protopopov <[email protected]>
Signed-off-by: Xu Kuohai <[email protected]>
Pull request for series with
subject: emit ENDBR/BTI instructions for indirect jump targets
version: 9
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1065775