Sashiko reported two potential issues about interpreter fallback [1] [2]. After verifying them with patch #7, I think they are real issues. With LLM assistance, I found that the interpreter does not support the internal BPF_PROBE_ATOMIC insn and the gotox insn (used for indirect jumps), either.

1) For the user BPF_ADDR_SPACE_CAST insn, the interpreter just ignores it.
2) For the arena ST/STX/LDX insns, the interpreter could hit the BUG_ON() in ___bpf_prog_run().
3) For the BPF_MOV64_PERCPU_REG insn, the interpreter could hit a page fault, due to loading memory from an invalid __percpu pointer.
4) For the internal BPF_PROBE_ATOMIC insn, the interpreter could hit the BUG_ON() in ___bpf_prog_run().
5) For the gotox insn used for indirect jumps, the interpreter could hit the BUG_ON() in ___bpf_prog_run(), too.

Reject these insns on the interpreter fallback path in __bpf_prog_select_runtime().

This series is built on "bpf: Fix unaligned interpreter panic on JIT fallback path" [3].

The patch #7 is also able to verify the issue of an un-JITed helper. However, the patch #7 aims to verify the issues. I think it is not proper to be applied to upstream, because it adds a stub 'bpf_jit_test_fail_task' to bpf_prog_jit_compile() for the tests. I'd like to drop the patch #7 in the next revision.

Link:
[1] https://lore.kernel.org/bpf/[email protected]/
[2] https://lore.kernel.org/bpf/[email protected]/
[3] https://lore.kernel.org/bpf/[email protected]/

Leon Hwang (6):
  bpf: Disallow interpreter fallback for user BPF_ADDR_SPACE_CAST insn
  bpf: Disallow interpreter fallback for arena insn
  bpf: Disallow interpreter fallback for BPF_MOV64_PERCPU_REG insn
  bpf: Disallow interpreter fallback for internal BPF_PROBE_ATOMIC insn
  bpf: Disallow interpreter fallback for gotox insn
  lib/test_bpf: Add interpreter-fallback tests

 include/linux/bpf.h                      |   1 +
 include/linux/filter.h                   |   4 +
 kernel/bpf/core.c                        |  69 +-
 lib/test_bpf.c                           | 800 ++++++++++++++++++++++-
 tools/lib/bpf/skel_internal.h            |   2 +
 tools/testing/selftests/bpf/test_kmod.sh |  39 +-
 6 files changed, 903 insertions(+), 12 deletions(-)

-- 
2.54.0
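As an added illustration (my own code, not the series' patches), the check below scans a program's insn array for the five insn kinds the cover letter lists and reports the first one the interpreter cannot execute, which is what a rejection in __bpf_prog_select_runtime() has to detect. The struct layout and opcode constants are copied from uapi/linux/bpf.h and include/linux/filter.h as I recall them, and the sample programs are constructed.

```c
#include <stdint.h>

struct bpf_insn {               /* same layout as uapi/linux/bpf.h */
	uint8_t code;
	uint8_t dst_reg:4;
	uint8_t src_reg:4;
	int16_t off;
	int32_t imm;
};

/* opcode fields and classes from uapi/linux/bpf.h */
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_SRC(c)   ((c) & 0x08)
#define BPF_MODE(c)  ((c) & 0xe0)
enum { BPF_LDX = 0x01, BPF_ST = 0x02, BPF_STX = 0x03, BPF_JMP = 0x05, BPF_ALU64 = 0x07,
       BPF_X = 0x08, BPF_JA = 0x00, BPF_MOV = 0xb0, BPF_EXIT = 0x90 };
/* kernel-internal encodings from include/linux/filter.h (assumed, as I recall them) */
#define BPF_PROBE_MEM32     0xa0  /* arena LDX/ST/STX after verifier rewrite */
#define BPF_PROBE_ATOMIC    0xe0  /* arena atomics after verifier rewrite */
#define BPF_ADDR_SPACE_CAST 1     /* .off of BPF_ALU64|BPF_MOV|BPF_X */
#define BPF_ADDR_PERCPU     (-1)  /* .off of BPF_MOV64_PERCPU_REG */

/* Return the index of the first insn the interpreter cannot run, or -1 if none. */
int first_interp_unsupported(const struct bpf_insn *insns, int len)
{
	for (int i = 0; i < len; i++) {
		uint8_t code = insns[i].code, cls = BPF_CLASS(code), mode = BPF_MODE(code);
		int mov64x = cls == BPF_ALU64 && BPF_OP(code) == BPF_MOV && BPF_SRC(code) == BPF_X;
		int memcls = cls == BPF_LDX || cls == BPF_ST || cls == BPF_STX;

		if (mov64x && insns[i].off == BPF_ADDR_SPACE_CAST) return i;   /* 1) addr_space_cast */
		if (mov64x && insns[i].off == BPF_ADDR_PERCPU) return i;       /* 3) percpu mov */
		if (memcls && (mode == BPF_PROBE_MEM32 || mode == BPF_PROBE_ATOMIC)) return i; /* 2) 4) */
		if (cls == BPF_JMP && BPF_OP(code) == BPF_JA && BPF_SRC(code) == BPF_X) return i; /* 5) gotox */
	}
	return -1;
}

/* Constructed samples: a plain "r0 = r1; exit" is fine; a cast at index 1 or a gotox at index 0 is not. */
static const struct bpf_insn ok_prog[] = {
	{ .code = BPF_ALU64 | BPF_MOV | BPF_X, .dst_reg = 0, .src_reg = 1 },
	{ .code = BPF_JMP | BPF_EXIT } };
static const struct bpf_insn cast_prog[] = {
	{ .code = BPF_ALU64 | BPF_MOV | BPF_X, .dst_reg = 0, .src_reg = 1 },
	{ .code = BPF_ALU64 | BPF_MOV | BPF_X, .dst_reg = 1, .src_reg = 1, .off = BPF_ADDR_SPACE_CAST, .imm = 1 },
	{ .code = BPF_JMP | BPF_EXIT } };
static const struct bpf_insn gotox_prog[] = {
	{ .code = BPF_JMP | BPF_JA | BPF_X, .dst_reg = 2 },
	{ .code = BPF_JMP | BPF_EXIT } };
```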

