This removes the following warning issued by checkpatch
WARNING: suspect code indent for conditional statements (8, 8)
+ } else
+ if (display->regwidth == 8 && display->buswidth == 9 && par->spi) {
Signed-off-by: Luis Gerhorst
Acked-by: Jonny Schaefer
Acked
The Linux kernel coding style states that braces should only be used
when necessary.
This fixes the checkpatch warning
WARNING: line over 80 characters
+ } else if (display->regwidth == 8 && display->buswidth == 9 &&
par->spi) {
introduced by patch #1.
Sig
Signed-off-by: Luis Gerhorst
Acked-by: Jonny Schaefer
Acked-by: Alexander Wuerstlein
---
drivers/staging/fbtft/fbtft-core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/fbtft/fbtft-core.c
b/drivers/staging/fbtft/fbtft-core.c
index 34b1c81..566f89c
Eduard Zingerman writes:
> I think it would be good to have some tests checking that nospec
> instructions are inserted in expected locations.
> Could you please take look at use of __xlated tag in e.g.
> tools/testing/selftests/bpf/progs/verifier_sdiv.c ?
That looks very promising, I will look i
Eduard Zingerman writes:
> Could you please point me to a location, where exact error code
> returned by updated push_stack() matters?
> I checked push_stack() callgraph (in the attachment), but can't find
> anything.
Only with the final patch 11 ("bpf: Fall back to nospec for spec path
verifica
Alexei Starovoitov writes:
> On Thu, Mar 13, 2025 at 10:57 AM Luis Gerhorst wrote:
>> With increased limits this allows applying mitigations to large BPF
>> progs such as the Parca Continuous Profiler's prog. However, this
>> requires a jump-seq limit of 256k. In an
Eduard Zingerman writes:
> On Thu, 2025-03-13 at 18:21 +0100, Luis Gerhorst wrote:
>> +err = do_check_insn(env, insn, pop_log, &do_print_state, regs,
>> state,
>> +&prev_insn_idx);
>
> - `regs` remains declared in
Kumar Kartikeya Dwivedi writes:
> Back when all of this surfaced, compiler folks came up with another
> solution, to rely on Intel's guarantee that conditional moves are not
> predicted.
>
> if (condition) {
>mask = !condition ? 0UL : ~0UL; // CMOVcc
>ptr &= mask;
>x = *ptr;
> }
>
> I
alternative would be -EFAULT, which is
also returned for some of the other cases where push_stack() fails, but
this is more frequently used for verifier-internal bugs.
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c
to include v1 barrier
- discuss potential security (archs that do not impl. BPF nospec) and
performance (only PowerPC) regressions
- Link to RFC:
https://lore.kernel.org/bpf/20250224203619.594724-1-luis.gerho...@fau.de/
Luis Gerhorst (11):
selftests/bpf: Fix caps for __xlated/jited_
seems
that this change does not interfere with libbpf.
[1]
https://lore.kernel.org/all/785b4531ce3b44a84059a4feb4ba458c68fce719.ca...@gmail.com/
Signed-off-by: Luis Gerhorst
Reviewed-by: Eduard Zingerman
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c
This prevents us from trying to recover from these on speculative paths
in the future.
Signed-off-by: Luis Gerhorst
Reviewed-by: Eduard Zingerman
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 6 +++---
1 file changed, 3 insertions(+), 3
unexpected
conflicts between the insns when combined like this. Individual v1/v4
barriers were already emitted elsewhere.
[1]
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=29b74545531f6afbee9fc38c267524326dbfbedf
("MIPS: Add speculation_barrier support")
[2] https://githu
ec_v1() and _v4() according to
commit a6f6a95f2580 ("LoongArch, bpf: Fix jit to skip speculation
barrier opcode"). This is omitted here as I am unable to do any testing
for LoongArch.
Signed-off-by: Luis Gerhorst
Cc: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
arch/arm64/ne
check whether a
speculation barrier was inserted in the correct location.
Signed-off-by: Luis Gerhorst
Fixes: 9c9f73391310 ("selftests/bpf: allow checking xlated programs in
verifier_* tests")
Fixes: 7d743e4c759c ("selftests/bpf: __jited test tag to check disassembly
after jit"
do_print_state = " with "*do_print_state = "
[1]
https://lore.kernel.org/all/293dbe3950a782b8eb3b87b71d7a967e120191fd.ca...@gmail.com/
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 426 +++
/overwrites pointers on the BPF stack,
they are already a problem for fixed-offset stack accesses and should be
subject to Spectre v4 sanitization.
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 24
1 file
This is made to clarify that this flag will cause a nospec to be added
after this insn and can therefore be relied upon to reduce speculative
path analysis.
Signed-off-by: Luis Gerhorst
Cc: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
include/linux/bpf_verifier.h | 2 +-
kernel
F")
[2] https://arxiv.org/pdf/2405.00078 ("VeriFence: Lightweight and
Precise Spectre Defenses for Untrusted Linux Kernel Extensions")
[3]
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/runtime-speculative-
This is based on the gadget from the description of commit 9183671af6db
("bpf: Fix leakage under speculation on mispredicted branches").
Signed-off-by: Luis Gerhorst
---
.../selftests/bpf/progs/verifier_unpriv.c | 57 +++
1 file changed, 57 insertions(+)
diff --g
Eduard Zingerman writes:
> On Thu, 2025-05-01 at 09:35 +0200, Luis Gerhorst wrote:
>
>> +dst_reg_type = cur_regs(env)[insn->dst_reg].type;
>
> Implicitly relying on `insn == &env->prog->insnsi[env->cur_idx]`
> is weird. Still think that `
kernel test robot writes:
> All errors (new ones prefixed by >>):
>
>arch/powerpc/net/bpf_jit_comp64.c: In function 'bpf_jit_build_body':
>>> arch/powerpc/net/bpf_jit_comp64.c:814:4: error: a label can only be part of
>>> a statement and a declaration is not a statement
> 814 |bool
kernel test robot writes:
> All warnings (new ones prefixed by >>):
>
>>> kernel/bpf/core.c:3037:13: warning: no previous prototype for
>>> 'bpf_jit_bypass_spec_v1' [-Wmissing-prototypes]
> 3037 | bool __weak bpf_jit_bypass_spec_v1(void)
> | ^~
>>> ke
l security (archs that do not impl. BPF nospec) and
performance (only PowerPC) regressions
- Link to RFC:
https://lore.kernel.org/bpf/20250224203619.594724-1-luis.gerho...@fau.de/
Luis Gerhorst (11):
selftests/bpf: Fix caps for __xlated/jited_unpriv
bpf: Move insn if/else into do_check_insn()
bpf: Ret
do_print_state = " with "*do_print_state = "
[1]
https://lore.kernel.org/all/293dbe3950a782b8eb3b87b71d7a967e120191fd.ca...@gmail.com/
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 425 +++
On 24/02/2025 21:47, Luis Gerhorst wrote:
> + } else if (error_recoverable_with_nospec(err) &&
> state->speculative)
> {
> + WARN_ON_ONCE(env->bypass_spec_v1);
> + WARN_ON_ONCE(env->cur_state != state);
> +
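Review bot: the two WARN_ON_ONCE() calls in the `else if (error_recoverable_with_nospec(err) && state->speculative)` branch assert verifier-internal invariants (bypass_spec_v1 is not set, and cur_state is the state being checked) but record nothing in the verifier log, so a failing program gives the user no hint of what went wrong; the verifier_bug_if() helper that a later revision of this series switches to would keep the warning and also report it through the verifier log.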
back to nospec directly for the remaining sanitization errs even if
we are not on a speculative path.
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 85 ++-
.../selftests/bpf/progs
ate = " with "*do_print_state = "
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 426 ++
1 file changed, 224 insertions(+), 202 deletions(-)
diff --git a/kern
Mark these cases as non-recoverable to later prevent them from being
caught when they occur during speculative path verification.
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 36
This prevents us from trying to recover from these on speculative paths
in the future.
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf
F nospec) and
performance (only PowerPC) regressions
RFC: https://lore.kernel.org/bpf/20250224203619.594724-1-luis.gerho...@fau.de/
Luis Gerhorst (11):
bpf: Move insn if/else into do_check_insn()
bpf: Return -EFAULT on misconfigurations
bpf: Return -EFAULT on internal errors
bpf, arm64, pow
unexpected
conflicts between the insns when combined like this. Individual v1/v4
barriers were already emitted elsewhere.
[1]
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=29b74545531f6afbee9fc38c267524326dbfbedf
("MIPS: Add speculation_barrier support")
[2] https://github.com/kerne
efenses for Untrusted Linux Kernel Extensions")
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
include/linux/bpf_verifier.h | 1 +
kernel/bpf/verifier.c | 68 +--
.../selftests/bpf/prog
Insert a nospec before the access to prevent it from ever using an index
that is subject to speculative scalar-confusion.
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 24
1 file changed, 12
Main reason is, that it will later allow us to fall back to a nospec for
certain errors in push_stack().
This changes the sanitization-case to returning -ENOMEM. However, this
is more fitting as -EFAULT would indicate a verifier-internal bug.
Signed-off-by: Luis Gerhorst
Acked-by: Henriette
")
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 14 ++
1 file changed, 14 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 03af82f52a02..49c7e2608ccd 100644
--- a/kernel
, that it requires us to introduce an output parameter for
the state.
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 71 +--
1 file changed, 42 insertions(+), 29 deletions(-)
diff
, the same principle
should apply to smaller programs therefore include it even if the limit
stays at 8k for now. Most programs in "VeriFence: Lightweight and
Precise Spectre Defenses for Untrusted Linux Kernel
Extensions" (https://arxiv.org/pdf/2405.00078) only require a limit of
32k.
Sign
-access from using the result of the alu op speculatively. Therefore,
insert a nospec after the alu insn.
The latter requires us to modify the nospec_result patching code to work
not only for write-type insns.
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan
nospec should be inserted (as comment) and modify the error message if
the nospec is able to mitigate a problem that previously shadowed
another problem.
Briefly went through all the occurrences of EPERM, EINVAL, and EACCESS
in the verifier in order to validate that catching them like this makes
sense.
Insert a nospec before the access to prevent it from ever using an index
that is subject to speculative scalar-confusion.
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 15 ---
1 file changed, 8 insertions
complexity
of Spectre v1 verification.
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
arch/arm64/net/bpf_jit_comp.c | 10 +-
include/linux/bpf.h | 14 +-
include/linux/bpf_verifier.h | 2 +-
kernel/bpf/verifier.c
h "*do_print_state = ",
and "goto process_bpf_exit" / fallthrough with "return process_bpf_exit()".
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 528 +++-
Mark these cases as non-recoverable, even when they only occur during
speculative path verification.
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 37 +++--
1 file changed, 19
ually emit arm64 barrier
* fix unexpected_load_success from test_progs for "bpf: Fall back to nospec for
sanitization-failures"
* use bpf-next as base commit
Luis Gerhorst (9):
bpf/arm64: Unset bypass_spec_v4() instead of ignoring BPF_NOSPEC
bpf: Refactor do_check() if/else into do_check_insn()
Kumar Kartikeya Dwivedi writes:
(including relevant part from other message)
> On Thu, 1 May 2025 at 04:00, Luis Gerhorst wrote:
>
>> +static bool error_recoverable_with_nospec(int err)
>> +{
>> + /* Should only return true for non-fatal errors that are allowe
noble-ppc64el.tar.zst \
-- ./test_progs -t verifier_array_access
Does not include a DENYLIST or support for KVM for now.
[1] https://github.com/libbpf/ci
Signed-off-by: Luis Gerhorst
---
tools/testing/selftests/bpf/config.ppc64el | 93 ++
tools/testing/selftests/bpf/vmte
64: emit speculation barrier
- powerpc: change nospec to include v1 barrier
- discuss potential security (archs that do not impl. BPF nospec) and
performance (only PowerPC) regressions
- Link to RFC:
https://lore.kernel.org/bpf/20250224203619.594724-1-luis.gerho...@fau.de/
Luis Gerhor
seems
that this change does not interfere with libbpf.
[1]
https://lore.kernel.org/all/785b4531ce3b44a84059a4feb4ba458c68fce719.ca...@gmail.com/
Signed-off-by: Luis Gerhorst
Reviewed-by: Eduard Zingerman
Acked-by: Kumar Kartikeya Dwivedi
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan St
This prevents us from trying to recover from these on speculative paths
in the future.
Signed-off-by: Luis Gerhorst
Reviewed-by: Eduard Zingerman
Acked-by: Kumar Kartikeya Dwivedi
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 6 +++---
1 file
Kumar Kartikeya Dwivedi writes:
> Hmm, while reading related code, I noticed that sanitize_check_bounds
> returns 0 in case the type is not map_value or stack.
> It seems like it should be returning an error, cannot check right now
> but I'm pretty sure these are not the two pointer types unprivi
* "goto process_bpf_exit_full" with "return process_bpf_exit_full()"
* "do_print_state = " with "*do_print_state = "
[1]
https://lore.kernel.org/all/293dbe3950a782b8eb3b87b71d7a967e120191fd.ca...@gmail.com/
Signed-off-by: Luis Gerhorst
Acked-by: Kumar Kartikeya Dwivedi
ec_v1() and _v4() according to
commit a6f6a95f2580 ("LoongArch, bpf: Fix jit to skip speculation
barrier opcode"). This is omitted here as I am unable to do any testing
for LoongArch.
Hari's ack concerns the PowerPC part only.
Signed-off-by: Luis Gerhorst
Acked-by: Hari Bathini
Cc: Henrie
e are no unexpected
conflicts between the insns when combined like this. Individual v1/v4
barriers were already emitted elsewhere.
Hari's ack is for the PowerPC changes only.
[1]
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=29b74545531f6afbee9fc38c267524326dbfbedf
("MIPS: Add sp
This is made to clarify that this flag will cause a nospec to be added
after this insn and can therefore be relied upon to reduce speculative
path analysis.
Signed-off-by: Luis Gerhorst
Acked-by: Kumar Kartikeya Dwivedi
Cc: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
include
9.2.1 of Book
III")
[8]
https://www.amd.com/content/dam/amd/en/documents/processor-tech-docs/programmer-references/40332.pdf
("AMD64 Architecture Programmer’s Manual Volumes 1–5 - Revision 4.08
- April 2024 - 7.6.4 Serializing Instructions")
Signe
This is based on the gadget from the description of commit 9183671af6db
("bpf: Fix leakage under speculation on mispredicted branches").
Signed-off-by: Luis Gerhorst
Acked-by: Kumar Kartikeya Dwivedi
---
.../selftests/bpf/progs/verifier_unpriv.c | 57 +++
1 file c
alternative would be -EFAULT, which is
also returned for some of the other cases where push_stack() fails, but
this is more frequently used for verifier-internal bugs.
Signed-off-by: Luis Gerhorst
Acked-by: Kumar Kartikeya Dwivedi
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
to check instruction is BPF_JMP[32] as suggested by
Eduard
- RFC: https://lore.kernel.org/bpf/8734bmoemx....@fau.de/
Luis Gerhorst (2):
bpf: Fix aux usage after do_check_insn()
selftests/bpf: Add Spectre v4 tests
kernel/bpf/verifier.c | 19 ++-
tools/testing/selfte
+dc27c5fb8388e38d2...@syzkaller.appspotmail.com
Link: https://lore.kernel.org/bpf/685b3c1b.050a0220.2303ee.0010@google.com/
Link:
https://lore.kernel.org/bpf/4266fd5de04092aa4971cbef14f1b4b96961f432.ca...@gmail.com/
Suggested-by: Eduard Zingerman
Signed-off-by: Luis Gerhorst
---
kernel/b
nospec_result is only
used after insns that increment insn_idx by 1 (i.e., stack writes).
[1]
https://lore.kernel.org/bpf/4266fd5de04092aa4971cbef14f1b4b96961f432.ca...@gmail.com/
[2] https://lore.kernel.org/bpf/685b3c1b.050a0220.2303ee.0010@google.com/
Signed-off-by: Luis Gerhorst
Eduard Zingerman writes:
> On Sat, 2025-06-28 at 16:50 +0200, Luis Gerhorst wrote:
>
> [...]
>
>> @@ -19955,11 +19960,11 @@ static int do_check(struct bpf_verifier_env *env)
>> /* Prevent this speculative path from ever reaching the
>>
o be seen from the -O0 call graph for push_jmp_history()
[1].
[1]
https://sys.cs.fau.de/extern/person/gerhorst/25-06_d69baf_push_jmp_history_O0_callgraph.png
Signed-off-by: Luis Gerhorst
---
kernel/bpf/verifier.c | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/k
Change WARN_ON_ONCE() to verifier_bug_if() as suggested by Alexei
- Change assertion to check instruction is BPF_JMP[32] as suggested by
Eduard
- RFC: https://lore.kernel.org/bpf/8734bmoemx....@fau.de/
Luis Gerhorst (3):
bpf: Update env->prev_insn_idx after do_check_insn()
bpf: Fix au
Paul Chaignon
Reported-by: Eduard Zingerman
Reported-by: syzbot+dc27c5fb8388e38d2...@syzkaller.appspotmail.com
Link: https://lore.kernel.org/bpf/685b3c1b.050a0220.2303ee.0010@google.com/
Link:
https://lore.kernel.org/bpf/4266fd5de04092aa4971cbef14f1b4b96961f432.ca...@gmail.com/
Signed-off-by:
ernel.org/bpf/8734bmoemx....@fau.de/
Luis Gerhorst (3):
bpf: Update env->prev_insn_idx after do_check_insn()
bpf: Fix aux usage after do_check_insn()
selftests/bpf: Add Spectre v4 tests
kernel/bpf/verifier.c | 30 ++--
tools/testing/selftests/bpf/progs/bpf_misc.h | 4
o be seen from the -O0 call graph for push_jmp_history()
[1].
[1]
https://sys.cs.fau.de/extern/person/gerhorst/25-06_d69baf_push_jmp_history_O0_callgraph.png
Signed-off-by: Luis Gerhorst
---
kernel/bpf/verifier.c | 10 +-
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/k
83 matches