Re: [RFC PATCH bpf-next 11/12] bpf, x86: Add JIT support SDT for probe

From: bot+bpf-ci

Date: Sat Jun 27 2026 - 11:23:01 EST


> diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
> index 054e043ffcd2..262f1bd74d53 100644
> --- a/arch/x86/net/bpf_jit_comp.c
> +++ b/arch/x86/net/bpf_jit_comp.c
> @@ -2797,6 +2797,16 @@ st: insn_off = insn->off;
> }
>
> if (!jmp_offset) {
> + int index = bpf_prog->aux->subprog_start + i - 1;
> +
> + /*
> + * Emit a 5-byte NOP for SDT probe site, so it can be patched to
> + * a CALL instruction when observer program is attached.
> + */
> + if (env->insn_aux_data[index].sdt_entry) {
> + emit_nops(&prog, X86_PATCH_SIZE);
> + break;
> + }
> /*
> * If jmp_padding is enabled, the extra nops will
> * be inserted. Otherwise, optimize out nop jumps.
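Review bot: `env->insn_aux_data[index].sdt_entry` is dereferenced without checking that `env` is non-NULL, and `int index = bpf_prog->aux->subprog_start + i - 1;` evaluates to -1 when `i == 0` and `subprog_start == 0`, so the lookup can read before the start of `insn_aux_data[]`. Guard both before the lookup, for example `if (env && index >= 0 && env->insn_aux_data[index].sdt_entry)`, so that callers that JIT without a verifier env fall through to the existing nop-jump handling below.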

Can this dereference env when it's NULL? The do_jit() function can be
invoked with env == NULL. The call path from bpf_prog_select_runtime() in
kernel/bpf/core.c goes through __bpf_prog_select_runtime(NULL, fp, err)
to bpf_prog_jit_compile(NULL, prog) and ultimately to
bpf_int_jit_compile(NULL, prog) -> do_jit(NULL, prog, ...) in
arch/x86/net/bpf_jit_comp.c.

This path is used by classic-BPF socket filters (net/core/filter.c in
bpf_prog_create), seccomp, and other internally-built programs that are
JITed without running the verifier. The code at line 2806 sits inside
the generic BPF_JMP|BPF_JA / BPF_JMP32|BPF_JA handling, reached whenever
a jump resolves to zero displacement (jmp_offset == 0):

net/core/filter.c:bpf_prog_create() {
...
fp = bpf_prog_alloc(bpf_prog_size(new_len), 0);
...
old_prog = bpf_migrate_filter(old_prog);
...
*pfp = bpf_prog_select_runtime(fp, &err);
...
}

kernel/bpf/core.c:bpf_prog_select_runtime() {
struct bpf_prog *err;
err = __bpf_prog_select_runtime(NULL, fp, err);
...
}

cBPF->eBPF conversion emits BPF_JMP|BPF_JA instructions (net/core/filter.c),
so a program reaching do_jit with env==NULL can hit this branch and crash
the kernel.

The same function guards other env accesses against NULL: bpf_out_stack_arg_cnt(env, ...)
at line 1703 returns 0 if !env, and bpf_insn_is_indirect_target(env, ...) at line 1830
returns false if !env (kernel/bpf/core.c).

Also, when i==0 and subprog_start==0 for the main program, index becomes -1,
which is an out-of-bounds access into insn_aux_data[].

[ ... ]


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/28292842584
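As an added illustration of the two guards the review asks for, here is a small user-space model of the decision taken at the `jmp_offset == 0` site in the hunk. It is not kernel code and is not part of the bot's reply or the patch: the struct layouts, `sdt_nop_bytes()` and `demo_checks()` are constructed here, while `X86_PATCH_SIZE`, `subprog_start`, `insn_aux_data` and `sdt_entry` are names taken from the hunk. The point it shows is that the NOP decision must return "no probe site" both when no verifier env exists (`env == NULL`, the classic-BPF and seccomp path described above) and when the computed index falls outside the aux array (`i == 0` with `subprog_start == 0`).

```c
/* Constructed user-space model of the SDT probe-site check; not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define X86_PATCH_SIZE 5   /* size of the patchable NOP/CALL, as in the hunk */

/* Minimal stand-ins for the kernel structures touched by the hunk. */
struct insn_aux { bool sdt_entry; };
struct verifier_env { struct insn_aux *insn_aux_data; int insn_cnt; };
struct prog_aux { int subprog_start; };

/*
 * Guarded form of the hunk's check. Returns the number of NOP bytes to emit
 * for an SDT probe site, or 0 when the site is not a probe, when the JIT was
 * invoked without a verifier env (env == NULL), or when the aux index would
 * be out of range (i == 0 with subprog_start == 0 yields index -1).
 */
static int sdt_nop_bytes(const struct verifier_env *env,
                         const struct prog_aux *aux, int i)
{
    if (!env)                         /* JITed without the verifier */
        return 0;

    int index = aux->subprog_start + i - 1;
    if (index < 0 || index >= env->insn_cnt)   /* reject -1 and overruns */
        return 0;

    return env->insn_aux_data[index].sdt_entry ? X86_PATCH_SIZE : 0;
}

/* Runs the scenarios from the review on constructed data; returns how many
 * behave as expected (6 when all guards hold). */
static int demo_checks(void)
{
    /* Constructed aux data: instructions 1 and 3 are SDT probe sites. */
    struct insn_aux aux_data[4] = { {false}, {true}, {false}, {true} };
    struct verifier_env env = { aux_data, 4 };
    struct prog_aux main_prog = { .subprog_start = 0 };
    struct prog_aux subprog = { .subprog_start = 2 };
    int ok = 0;

    ok += sdt_nop_bytes(NULL, &main_prog, 1) == 0;              /* env == NULL: no dereference */
    ok += sdt_nop_bytes(&env, &main_prog, 0) == 0;              /* index -1 rejected */
    ok += sdt_nop_bytes(&env, &main_prog, 2) == X86_PATCH_SIZE; /* index 1 is a probe site */
    ok += sdt_nop_bytes(&env, &subprog, 2) == X86_PATCH_SIZE;   /* index 3 is a probe site */
    ok += sdt_nop_bytes(&env, &subprog, 1) == 0;                /* index 2 is not a probe site */
    ok += sdt_nop_bytes(&env, &subprog, 3) == 0;                /* index 4 is past the array */
    return ok;
}

int main(void)
{
    printf("%d of 6 guard checks behaved as expected\n", demo_checks());
    return 0;
}
```

The unguarded form from the hunk would dereference `env` in the first scenario and read `insn_aux_data[-1]` in the second; both are exactly the paths the reply traces from bpf_prog_select_runtime().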