Re: [PATCH bpf-next 1/2] bpf: Pass the same orig_call value to trampoline functions

[Ilya Leoshkevich <iii@linux.ibm.com>]

On Wed, 2025-05-14 at 14:26 -0700, Martin KaFai Lau wrote:
> On 5/12/25 1:57 PM, Ilya Leoshkevich wrote:
> > There is currently some confusion in the s390x JIT regarding
> > whether
> > orig_call can be NULL and what that means. Originally the NULL
> > value
> > was used to distinguish the struct_ops case, but this was
> > superseded by
> > BPF_TRAMP_F_INDIRECT (see commit 0c970ed2f87c ("s390/bpf: Fix
> > indirect
> > trampoline generation").
> > 
> > The remaining reason to have this check is that NULL can actually
> > be
> > passed to the arch_bpf_trampoline_size() call - but not to the
> > respective arch_prepare_bpf_trampoline()! call - by
> > bpf_struct_ops_prepare_trampoline().
> > 
> > Remove this asymmetry by passing stub_func to both functions, so
> > that
> > JITs may rely on orig_call never being NULL.
> > 
> > Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
> > ---
> >   kernel/bpf/bpf_struct_ops.c | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/kernel/bpf/bpf_struct_ops.c
> > b/kernel/bpf/bpf_struct_ops.c
> > index db13ee70d94d..96113633e391 100644
> > --- a/kernel/bpf/bpf_struct_ops.c
> > +++ b/kernel/bpf/bpf_struct_ops.c
> > @@ -601,7 +601,7 @@ int bpf_struct_ops_prepare_trampoline(struct
> > bpf_tramp_links *tlinks,
> >   	if (model->ret_size > 0)
> >   		flags |= BPF_TRAMP_F_RET_FENTRY_RET;
> >   
> > -	size = arch_bpf_trampoline_size(model, flags, tlinks,
> > NULL);
> > +	size = arch_bpf_trampoline_size(model, flags, tlinks,
> > stub_func);
> 
> The change looks ok but not sure why it is needed.
> 
> I can see why stub_func is needed to generate the final image in 
> arch_prepare_bpf_trampoline() in x86. The
> "arch_bpf_trampoline_size()" here is 
> generating a temporary image, so NULL or not doesn't seem to matter.
> 
> Does the s390 jit need to use the actual stub_func address somewhere
> in the 
> temporary and/or final image?

Not right now, however, in the future I would like to check whether
orig_call points to a BPF prog. I have explained the rationale behind
this in the series description.

Purely practical issues aside, currently it's unclear what
orig_func == NULL means. It had meaning in the past, but not anymore.
I think it would be good to remove this uncertainty and state that
today orig_func is never NULL.

Furthermore, a hypothetical JIT may produce different instruction
sequences for loading certain constants. Suppose we wanted to load
the value of orig_call into a register. Then in the NULL case a JIT
could generate:

  xgr %r1,%r1

and in the non-NULL case:

  llihf %r1,<high>
  oilf %r1,<low>

As you mentioned, arch_bpf_trampoline_size() generates a temporary
image, and in this case it would have a different size. So this
asymmetry can be a potential footgun.