Message-ID: <CAADnVQL6PTN2PN9ngV2PSXb=csX1KX+D-BZGzDDNtvQvtGkSkA@mail.gmail.com>
Date: Tue, 30 Dec 2025 18:16:46 -0800
From: Alexei Starovoitov <alexei.starovoitov@...il.com>
To: Xu Kuohai <xukuohai@...weicloud.com>
Cc: bpf <bpf@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, 
	Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, 
	Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau <martin.lau@...ux.dev>, 
	Eduard Zingerman <eddyz87@...il.com>, Yonghong Song <yonghong.song@...ux.dev>, 
	Puranjay Mohan <puranjay@...nel.org>, Anton Protopopov <a.s.protopopov@...il.com>, 
	Catalin Marinas <catalin.marinas@....com>, Will Deacon <will@...nel.org>
Subject: Re: [PATCH bpf-next v3] bpf: arm64: Fix panic due to missing BTI at
 indirect jump targets

On Tue, Dec 30, 2025 at 6:05 PM Xu Kuohai <xukuohai@...weicloud.com> wrote:
>
> On 12/31/2025 2:20 AM, Alexei Starovoitov wrote:
> > On Fri, Dec 26, 2025 at 11:49 PM Xu Kuohai <xukuohai@...weicloud.com> wrote:
> >>
> >> From: Xu Kuohai <xukuohai@...wei.com>
> >>
> >> When BTI is enabled, the indirect jump selftest triggers BTI exception:
> >>
> >> Internal error: Oops - BTI: 0000000036000003 [#1]  SMP
> >> ...
> >> Call trace:
> >>   bpf_prog_2e5f1c71c13ac3e0_big_jump_table+0x54/0xf8 (P)
> >>   bpf_prog_run_pin_on_cpu+0x140/0x464
> >>   bpf_prog_test_run_syscall+0x274/0x3ac
> >>   bpf_prog_test_run+0x224/0x2b0
> >>   __sys_bpf+0x4cc/0x5c8
> >>   __arm64_sys_bpf+0x7c/0x94
> >>   invoke_syscall+0x78/0x20c
> >>   el0_svc_common+0x11c/0x1c0
> >>   do_el0_svc+0x48/0x58
> >>   el0_svc+0x54/0x19c
> >>   el0t_64_sync_handler+0x84/0x12c
> >>   el0t_64_sync+0x198/0x19c
> >>
> >> This happens because no BTI instruction is generated by the JIT for
> >> indirect jump targets.
> >>
> >> Fix it by emitting BTI instruction for every possible indirect jump
> >> targets when BTI is enabled. The targets are identified by traversing
> >> all instruction arrays of jump table type used by the BPF program,
> >> since indirect jump targets can only be read from instruction arrays
> >> of jump table type.
> >
> > earlier you said:
> >
> >> As Anton noted, even though jump tables are currently the only type
> >> of instruction array, users may still create insn_arrays that are not
> >> used as jump tables. In such cases, there is no need to emit BTIs.
> >
> > yes, but it's not worth it to make this micro optimization in JIT.
> > If it's in insn_array just emit BTI unconditionally.
> > No need to do this filtering.
> >
>
> Hmm, that is what the v1 version does. Please take a look. If it’s okay,
> I’ll resend a rebased version.
>
> v1: https://lore.kernel.org/bpf/20251127140318.3944249-1-xukuohai@huaweicloud.com/

I don't think you need bitmap and bpf_prog_collect_indirect_targets().
Just look up each insn in the insn_array one at a time.
It's slower, but array is sorted, so binary search should work.
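
The suggestion above (drop the bitmap, and for each instruction just look the index up in the sorted insn_array with a binary search) can be illustrated with a small stand-alone model. The following is an added example, not code from the patch, from the kernel's arm64 JIT, or from any participant in this thread; the array of target instruction indices is constructed, the function names (`is_indirect_target`, `plan_landing_pads`, and so on) are hypothetical, and the landing pad is recorded symbolically rather than as a real arm64 encoding. It adds the check a reviewer would want before trusting a binary search: the input must actually be sorted, otherwise the pass refuses to run rather than silently missing targets. Duplicate targets (two jump-table entries pointing at the same block) are included to show the lookup still works.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Per-instruction emission record: whether a BTI landing pad precedes the
 * instruction. Symbolic only; no real arm64 encoding is produced here. */
enum emit { EMIT_INSN = 0, EMIT_BTI_THEN_INSN = 1 };

/* Binary search is only correct on sorted input, so verify that first
 * instead of assuming the caller got it right. Duplicates are allowed. */
bool targets_sorted(const uint32_t *targets, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (targets[i - 1] > targets[i])
            return false;
    return true;
}

/* Membership test: is instruction index idx listed in the sorted array of
 * jump-table targets? O(log n) per query, no bitmap needed. */
bool is_indirect_target(const uint32_t *targets, size_t n, uint32_t idx)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (targets[mid] < idx)
            lo = mid + 1;
        else if (targets[mid] > idx)
            hi = mid;
        else
            return true;
    }
    return false;
}

/* Toy JIT pass (hypothetical): for each of prog_len instructions decide
 * whether a landing pad must be emitted before it. Returns the number of
 * pads planned, or -1 if the target array is not sorted. */
int plan_landing_pads(const uint32_t *targets, size_t n_targets,
                      uint32_t prog_len, bool bti_enabled, enum emit *out)
{
    if (!targets_sorted(targets, n_targets))
        return -1;
    int pads = 0;
    for (uint32_t i = 0; i < prog_len; i++) {
        bool pad = bti_enabled && is_indirect_target(targets, n_targets, i);
        out[i] = pad ? EMIT_BTI_THEN_INSN : EMIT_INSN;
        pads += pad ? 1 : 0;
    }
    return pads;
}

/* Constructed sample: a 24-instruction program whose jump table refers to
 * instructions 3, 7 (twice, from two table entries), 12 and 20. */
#define PROG_LEN 24
static const uint32_t sample_targets[] = { 3, 7, 7, 12, 20 };
#define N_SAMPLE (sizeof(sample_targets) / sizeof(sample_targets[0]))

/* Run the pass on the sample and report how many pads were planned. */
int sample_pad_count(bool bti_enabled)
{
    enum emit plan[PROG_LEN];
    return plan_landing_pads(sample_targets, N_SAMPLE, PROG_LEN, bti_enabled, plan);
}

/* Cross-check against a linear scan as the oracle: every listed target,
 * and only listed targets, received a landing pad. */
bool sample_plan_consistent(void)
{
    enum emit plan[PROG_LEN];
    if (plan_landing_pads(sample_targets, N_SAMPLE, PROG_LEN, true, plan) < 0)
        return false;
    for (uint32_t i = 0; i < PROG_LEN; i++) {
        bool listed = false;
        for (size_t k = 0; k < N_SAMPLE; k++)
            if (sample_targets[k] == i)
                listed = true;
        if (listed != (plan[i] == EMIT_BTI_THEN_INSN))
            return false;
    }
    return true;
}

/* The caveat in action: an unsorted array is rejected, not mis-searched. */
bool unsorted_input_rejected(void)
{
    const uint32_t bad[] = { 7, 3 };
    enum emit plan[8];
    return plan_landing_pads(bad, 2, 8, true, plan) == -1;
}

int main(void)
{
    enum emit plan[PROG_LEN];
    int pads = plan_landing_pads(sample_targets, N_SAMPLE, PROG_LEN, true, plan);
    printf("landing pads planned: %d\n", pads);
    for (uint32_t i = 0; i < PROG_LEN; i++)
        if (plan[i] == EMIT_BTI_THEN_INSN)
            printf("  insn %u: BTI landing pad\n", i);
    return 0;
}
```

With BTI disabled the pass plans nothing, which mirrors the "when BTI is enabled" condition in the patch description; with it enabled, the four distinct targets get a pad each even though one of them appears twice in the table.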
