On Wed, 2024-08-21 at 17:22 -0700, Alexei Starovoitov wrote:
[...]
> > + if (ops->gen_epilogue) {
> > + epilogue_cnt = ops->gen_epilogue(epilogue_buf, env->prog,
> > + -(subprogs[0].stack_depth + 8));
> > + if (epilogue_cnt >= ARRAY_SIZE(epilogue_buf)) {
> > + verbose(env, "bpf verifier is misconfigured\n");
> > + return -EINVAL;
> > + } else if (epilogue_cnt) {
> > + /* Save the ARG_PTR_TO_CTX for the epilogue to use */
> > + cnt = 0;
> > + subprogs[0].stack_depth += 8;
> > + insn_buf[cnt++] = BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_1,
> > + -subprogs[0].stack_depth);
> > + insn_buf[cnt++] = env->prog->insnsi[0];
> > + new_prog = bpf_patch_insn_data(env, 0, insn_buf, cnt);
> > + if (!new_prog)
> > + return -ENOMEM;
> > + env->prog = new_prog;
> > + delta += cnt - 1;
>
> I suspect this is buggy.
> See commit 5337ac4c9b80 ("bpf: Fix the corner case with may_goto and
> jump to the 1st insn.")
Actually, I was unable to figure out a counter example for this case,
patching math seems to be correct, jump targets are just moved down.
But let's see, maybe Martin can come up with something.
[...]
