Jakub Kicinski <jakub.kicinski@xxxxxxxxxxxxx> writes: > On Sat, 05 Oct 2019 12:29:14 +0200, Toke Høiland-Jørgensen wrote: >> >> +static int bpf_inject_chain_calls(struct bpf_verifier_env *env) >> >> +{ >> >> + struct bpf_prog *prog = env->prog; >> >> + struct bpf_insn *insn = prog->insnsi; >> >> + int i, cnt, delta = 0, ret = -ENOMEM; >> >> + const int insn_cnt = prog->len; >> >> + struct bpf_array *prog_array; >> >> + struct bpf_prog *new_prog; >> >> + size_t array_size; >> >> + >> >> + struct bpf_insn call_next[] = { >> >> + BPF_LD_IMM64(BPF_REG_2, 0), >> >> + /* Save real return value for later */ >> >> + BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), >> >> + /* First try tail call with index ret+1 */ >> >> + BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), >> > >> > Don't we need to check against the max here, and spectre-proofing >> > here? >> >> No, I don't think so. This is just setting up the arguments for the >> BPF_TAIL_CALL instruction below. The JIT will do its thing with that and >> emit the range check and the retpoline stuff... > > Sorry, wrong CPU bug, I meant Meltdown :) > > https://elixir.bootlin.com/linux/v5.4-rc1/source/kernel/bpf/verifier.c#L9029 Ah, right. Well, it only adds those extra instructions if bpf_map_ptr_unpriv() returns true. So I figured that since we're injecting a pointer here that is not from a userspace map, it was not needed. Though I must admit I didn't look too closely at exactly which conditions would make bpf_map_ptr_unpriv() return true... :) -Toke