Re: [RFC PATCH bpf 0/6] bpf: Disallow interpreter fallback for interpreter-unsupported insns
From: Leon Hwang
Date: Fri Jun 26 2026 - 12:28:32 EST
On 2026/6/26 23:43, Leon Hwang wrote:
> Sashiko reported two potential issues about interpreter fallback [1]
> [2].
>
> After verifying them by patch #7, I think they are real issues. With
Sorry, it should be the patch #6.
> LLM assistance, the interpreter does not support the internal
> BPF_PROBE_ATOMIC insn and the gotox insn (used for indirect jumps),
> either.
>
> 1) the user BPF_ADDR_SPACE_CAST insn
> the interpreter just ignores it.
>
> 2) the arena ST/STX/LDX insn
> the interpreter could hit the BUG_ON() in ___bpf_prog_run().
>
> 3) the BPF_MOV64_PERCPU_REG insn
> the interpreter could hit page fault, due to loading memory from
> invalid __percpu pointer.
>
> 4) the internal BPF_PROBE_ATOMIC insn
> the interpreter could hit the BUG_ON() in ___bpf_prog_run().
>
> 5) the gotox insn used for indirect jumps
> the interpreter could hit the BUG_ON() in ___bpf_prog_run(), too.
>
> Reject these insns on interpreter fallback path in
> __bpf_prog_select_runtime().
>
> This series is built on
> "bpf: Fix unaligned interpreter panic on JIT fallback path" [3]. The
> patch #7 is also able to verify the issue of un-JITed helper.
^ patch #6
>
> However, the patch #7 aims to verify the issues. I think it is not
^ patch #6
> proper to be applied to upstream, because it adds a stub
> 'bpf_jit_test_fail_task' to bpf_prog_jit_compile() for the tests.
>
> I'd like to drop the patch #7 in the next revision.
^ patch #6
Thanks,
Leon
>
> Link:
> [1] https://lore.kernel.org/bpf/20260608151347.2C77D1F00893@xxxxxxxxxxxxxxx/
> [2] https://lore.kernel.org/bpf/20260622150759.EC9071F000E9@xxxxxxxxxxxxxxx/
> [3] https://lore.kernel.org/bpf/20260615025316.24429-1-yangtiezhu@xxxxxxxxxxx/
>
> Leon Hwang (6):
> bpf: Disallow interpreter fallback for user BPF_ADDR_SPACE_CAST insn
> bpf: Disallow interpreter fallback for arena insn
> bpf: Disallow interpreter fallback for BPF_MOV64_PERCPU_REG insn
> bpf: Disallow interpreter fallback for internal BPF_PROBE_ATOMIC insn
> bpf: Disallow interpreter fallback for gotox insn
> lib/test_bpf: Add interpreter-fallback tests
>
> include/linux/bpf.h | 1 +
> include/linux/filter.h | 4 +
> kernel/bpf/core.c | 69 +-
> lib/test_bpf.c | 800 ++++++++++++++++++++++-
> tools/lib/bpf/skel_internal.h | 2 +
> tools/testing/selftests/bpf/test_kmod.sh | 39 +-
> 6 files changed, 903 insertions(+), 12 deletions(-)
>
> --
> 2.54.0
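
The five instruction kinds listed in the cover letter, modelled as a userspace scan. This is an added example, not code from the patch series or from kernel/bpf/core.c. It assumes the opcode values currently found in include/linux/filter.h and the uapi BPF headers, matches any BPF_ADDR_SPACE_CAST mov rather than only the user cast, and the names `struct insn`, `classify` and `first_unsupported` are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* BPF ISA opcode fields (values as in uapi/linux/bpf_common.h and bpf.h). */
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_MODE(c)  ((c) & 0xe0)
enum { BPF_LDX = 0x01, BPF_ST = 0x02, BPF_STX = 0x03, BPF_JMP = 0x05,
       BPF_ALU64 = 0x07, BPF_X = 0x08, BPF_JA = 0x00, BPF_MOV = 0xb0 };
/* Kernel-internal encodings (assumed to match include/linux/filter.h). */
enum { BPF_PROBE_MEM32 = 0xa0, BPF_PROBE_ATOMIC = 0xe0,
       BPF_ADDR_SPACE_CAST = 1, BPF_ADDR_PERCPU = -1 };

/* Simplified stand-in for struct bpf_insn: regs packs dst_reg and src_reg. */
struct insn { uint8_t code; uint8_t regs; int16_t off; int32_t imm; };
enum reason { OK, ADDR_SPACE_CAST, ARENA_MEM, PERCPU_MOV, PROBE_ATOMIC, GOTOX };

/* Map one insn to the cover-letter item (1-5) it falls under, or OK. */
static enum reason classify(const struct insn *i)
{
    uint8_t cls = BPF_CLASS(i->code), mode = BPF_MODE(i->code);
    if (i->code == (BPF_ALU64 | BPF_MOV | BPF_X)) {
        if (i->off == BPF_ADDR_SPACE_CAST) return ADDR_SPACE_CAST;
        if (i->off == BPF_ADDR_PERCPU) return PERCPU_MOV;
    }
    if (i->code == (BPF_JMP | BPF_JA | BPF_X)) return GOTOX;
    if (cls == BPF_STX && mode == BPF_PROBE_ATOMIC) return PROBE_ATOMIC;
    if ((cls == BPF_LDX || cls == BPF_ST || cls == BPF_STX) &&
        mode == BPF_PROBE_MEM32)
        return ARENA_MEM;
    return OK;
}

/* Index of the first insn the interpreter cannot run, or -1 if none. */
static int first_unsupported(const struct insn *p, size_t n, enum reason *why)
{
    *why = OK;
    for (size_t k = 0; k < n; k++)
        if ((*why = classify(&p[k])) != OK)
            return (int)k;
    return -1;
}

int main(void)
{
    /* Constructed sample: mov r0,r1; arena LDX (PROBE_MEM32|DW); exit. */
    struct insn prog[] = { {0xbf, 0x10, 0, 0}, {0xb9, 0x10, 8, 0}, {0x95, 0, 0, 0} };
    enum reason why;
    int idx = first_unsupported(prog, 3, &why);
    printf("first unsupported insn: %d (reason %d)\n", idx, (int)why);
    return 0;
}
```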