From: sashiko-bot@kernel.org
To: adubey@linux.ibm.com
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v4 5/5] selftest/bpf: Add tailcall verifier selftest for powerpc64
Date: Sun, 17 May 2026 19:14:50 +0000 [thread overview]
Message-ID: <20260517191450.85AE6C2BCB8@smtp.kernel.org> (raw)
In-Reply-To: <20260517214043.12975-6-adubey@linux.ibm.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] This problem wasn't introduced by this patch, but the selftest enforces the use of a 32-bit comparison (`cmplwi`) for distinguishing 64-bit pointers from scalar values, codifying a tail-call limit bypass vulnerability.
- [Medium] The expected powerpc64 JIT disassembly hardcodes config-dependent instructions and offsets, causing test failures on kernels with `CONFIG_PPC_KERNEL_PCREL` enabled.
--
commit 9136278f4ffaab3858500dc94c8a08d981e53500
Author: Abhishek Dubey <adubey@linux.ibm.com>
selftest/bpf: Add tailcall verifier selftest for powerpc64
This commit adds a verifier tailcall test case specifically for the powerpc64
architecture. It verifies the JIT compiler's code generation for BPF tail
calls by matching expected instructions.
> diff --git a/tools/testing/selftests/bpf/progs/verifier_tailcall_jit.c b/tools/testing/selftests/bpf/progs/verifier_tailcall_jit.c
> index 8d60c634a114f..17475ecb3207a 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_tailcall_jit.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_tailcall_jit.c
> @@ -90,6 +90,75 @@ __jited(" popq %rax")
> __jited(" jmp {{.*}}") /* jump to tail call tgt */
> __jited("L0: leave")
> __jited(" {{(retq|jmp 0x)}}") /* return or jump to rethunk */
> +__arch_powerpc64
> +/* program entry for main(), regular function prologue */
> +__jited(" nop")
> +__jited(" ld 2, 16(13)")
Are we sure this load is always emitted?
On modern PowerPC configurations where CONFIG_PPC_KERNEL_PCREL is enabled,
the TOC load might be omitted by the JIT compiler.
Could this use wildcards to prevent test failures on kernels with PC-relative
addressing enabled?
[ ... ]
> +/* tail call prologue for subprogram */
> +__jited(" ld 10, 0(1)")
> +__jited(" ld 9, -8(10)")
> +__jited(" cmplwi 9, 33")
This isn't a bug introduced by this patch, but does the use of cmplwi here
codify a vulnerability in the JIT compiler?
Since tail_call_info can contain either a scalar counter value or a 64-bit
pointer to the counter, using a 32-bit compare (cmplwi) only checks the lower
32 bits.
If a 64-bit pointer's lower 32 bits happen to be <= 33 (for example, a stack
pointer near a 4GB boundary), it might incorrectly bypass the tail call limit
and cause an infinite loop leading to a CPU hard lockup.
Should the JIT (and this selftest) be using cmpldi instead to properly handle
the 64-bit comparison?
[ ... ]
> +/* bpf_tail_call implementation */
> +__jited(" ld 9, -8(1)")
> +__jited(" cmplwi 9, 33")
> +__jited(" bf {{.*}}, {{.*}}")
> +__jited(" ld 9, 0(9)")
> +__jited(" cmplwi 9, 33")
(Same question here regarding the use of cmplwi instead of cmpldi)
[ ... ]
> +__jited(" ld 10, {{.*}}(10)")
> +__jited(" cmpldi 10, 0")
> +__jited(" bt {{.*}}, {{.*}}")
> +__jited(" ld 10, {{.*}}(10)")
> +__jited(" addi 10, 10, 16")
Does this instruction offset also depend on the kernel configuration?
It looks like the prologue size calculation that produces this offset depends
on !IS_ENABLED(CONFIG_PPC_KERNEL_PCREL).
Could this fail on configurations where PC-relative addressing is enabled, and
would wildcards be more appropriate here as well?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260517214043.12975-1-adubey@linux.ibm.com?part=5
next prev parent reply other threads:[~2026-05-17 19:14 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-17 21:40 [PATCH v4 0/5] powerpc/bpf: Add support for verifier selftest adubey
2026-05-17 21:40 ` [PATCH v4 1/5] powerpc/bpf: fix alignment of long branch trampoline address adubey
2026-05-17 18:02 ` sashiko-bot
2026-05-17 18:30 ` bot+bpf-ci
2026-05-18 7:18 ` Hari Bathini
2026-05-17 21:40 ` [PATCH v4 2/5] powerpc/bpf: Move out dummy_tramp_addr after Long branch stub adubey
2026-05-17 18:23 ` sashiko-bot
2026-05-17 18:30 ` bot+bpf-ci
2026-05-18 7:25 ` Hari Bathini
2026-05-18 7:53 ` Hari Bathini
2026-05-17 21:40 ` [PATCH v4 3/5] selftest/bpf: Fixing powerpc JIT disassembly failure adubey
2026-05-17 18:18 ` bot+bpf-ci
2026-05-17 18:38 ` sashiko-bot
2026-05-17 21:40 ` [PATCH v4 4/5] selftest/bpf: Enable verifier selftest for powerpc64 adubey
2026-05-17 18:18 ` bot+bpf-ci
2026-05-17 21:40 ` [PATCH v4 5/5] selftest/bpf: Add tailcall " adubey
2026-05-17 19:14 ` sashiko-bot [this message]
2026-05-18 11:44 ` [PATCH v4 0/5] powerpc/bpf: Add support for verifier selftest Christophe Leroy (CS GROUP)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260517191450.85AE6C2BCB8@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=adubey@linux.ibm.com \
--cc=bpf@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.