From: Menglong Dong <menglong.dong@linux.dev>
To: Menglong Dong <menglong8.dong@gmail.com>,
schwab@linux-m68k.org, Pu Lehui <pulehui@huawei.com>,
andrii@kernel.org
Cc: ast@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev,
eddyz87@gmail.com, song@kernel.org, yonghong.song@linux.dev,
john.fastabend@gmail.com, kpsingh@kernel.org, sdf@fomichev.me,
haoluo@google.com, jolsa@kernel.org, bjorn@kernel.org,
puranjay@kernel.org, pjw@kernel.org, palmer@dabbelt.com,
aou@eecs.berkeley.edu, alex@ghiti.fr, bpf@vger.kernel.org,
linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH bpf v2] riscv, bpf: fix incorrect usage of BPF_TRAMP_F_ORIG_STACK
Date: Sat, 20 Dec 2025 15:33:58 +0800 [thread overview]
Message-ID: <8619181.T7Z3S40VBb@7950hx> (raw)
In-Reply-To: <33977244-1266-4590-af38-e3be3e46d7f4@huawei.com>
On 2025/12/20 10:59, Pu Lehui wrote:
>
> On 2025/12/19 22:29, Menglong Dong wrote:
> > The usage of BPF_TRAMP_F_ORIG_STACK in __arch_prepare_bpf_trampoline() is
> > wrong, and it should be BPF_TRAMP_F_CALL_ORIG, which caused crash as
> > Andreas reported:
> >
> > Insufficient stack space to handle exception!
> > Task stack: [0xff20000000010000..0xff20000000014000]
> > Overflow stack: [0xff600000ffdad070..0xff600000ffdae070]
> > CPU: 1 UID: 0 PID: 1 Comm: systemd Not tainted 6.18.0-rc5+ #15 PREEMPT(voluntary)
> > Hardware name: riscv-virtio qemu/qemu, BIOS 2025.10 10/01/2025
> > epc : copy_from_kernel_nofault+0xa/0x198
> > ra : bpf_probe_read_kernel+0x20/0x60
> > epc : ffffffff802b732a ra : ffffffff801e6070 sp : ff2000000000ffe0
> > gp : ffffffff82262ed0 tp : 0000000000000000 t0 : ffffffff80022320
> > t1 : ffffffff801e6056 t2 : 0000000000000000 s0 : ff20000000010040
> > s1 : 0000000000000008 a0 : ff20000000010050 a1 : ff60000083b3d320
> > a2 : 0000000000000008 a3 : 0000000000000097 a4 : 0000000000000000
> > a5 : 0000000000000000 a6 : 0000000000000021 a7 : 0000000000000003
> > s2 : ff20000000010050 s3 : ff6000008459fc18 s4 : ff60000083b3d340
> > s5 : ff20000000010060 s6 : 0000000000000000 s7 : ff20000000013aa8
> > s8 : 0000000000000000 s9 : 0000000000008000 s10: 000000000058dcb0
> > s11: 000000000058dca7 t3 : 000000006925116d t4 : ff6000008090f026
> > t5 : 00007fff9b0cbaa8 t6 : 0000000000000016
> > status: 0000000200000120 badaddr: 0000000000000000 cause: 8000000000000005
> > Kernel panic - not syncing: Kernel stack overflow
> > CPU: 1 UID: 0 PID: 1 Comm: systemd Not tainted 6.18.0-rc5+ #15 PREEMPT(voluntary)
> > Hardware name: riscv-virtio qemu/qemu, BIOS 2025.10 10/01/2025
> > Call Trace:
> > [<ffffffff8001a1f8>] dump_backtrace+0x28/0x38
> > [<ffffffff80002502>] show_stack+0x3a/0x50
> > [<ffffffff800122be>] dump_stack_lvl+0x56/0x80
> > [<ffffffff80012300>] dump_stack+0x18/0x22
> > [<ffffffff80002abe>] vpanic+0xf6/0x328
> > [<ffffffff80002d2e>] panic+0x3e/0x40
> > [<ffffffff80019ef0>] handle_bad_stack+0x98/0xa0
> > [<ffffffff801e6070>] bpf_probe_read_kernel+0x20/0x60
> >
> > Just fix it.
> >
> > Fixes: 47c9214dcbea ("bpf: fix the usage of BPF_TRAMP_F_SKIP_FRAME")
> > Reported-by: Andreas Schwab <schwab@linux-m68k.org>
> > Closes: https://lore.kernel.org/bpf/874ipnkfvt.fsf@igel.home/
> > Signed-off-by: Menglong Dong <dongml2@chinatelecom.cn>
> > ---
> > v2:
> > - merge the code
> > ---
> > arch/riscv/net/bpf_jit_comp64.c | 6 ++----
> > 1 file changed, 2 insertions(+), 4 deletions(-)
> >
> > diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c
> > index 5f9457e910e8..37888abee70c 100644
> > --- a/arch/riscv/net/bpf_jit_comp64.c
> > +++ b/arch/riscv/net/bpf_jit_comp64.c
> > @@ -1133,10 +1133,6 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im,
> >
> > store_args(nr_arg_slots, args_off, ctx);
> >
> > - /* skip to actual body of traced function */
> > - if (flags & BPF_TRAMP_F_ORIG_STACK)
>
> Oh, how did this weird flags get in here...
It's my fault. I wanted to use BPF_TRAMP_F_CALL_ORIG here, and
a copy-paste mistake happen. They look a little similar :(
>
> > - orig_call += RV_FENTRY_NINSNS * 4;
> > -
> > if (flags & BPF_TRAMP_F_CALL_ORIG) {
> > emit_imm(RV_REG_A0, ctx->insns ? (const s64)im : RV_MAX_COUNT_IMM, ctx);
> > ret = emit_call((const u64)__bpf_tramp_enter, true, ctx);
> > @@ -1171,6 +1167,8 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im,
> > }
> >
> > if (flags & BPF_TRAMP_F_CALL_ORIG) {
> > + /* skip to actual body of traced function */
> > + orig_call += RV_FENTRY_NINSNS * 4;
>
>
> LGTM, let's revert it.
>
> Reviewed-by: Pu Lehui <pulehui@huawei.com>
>
> > restore_args(min_t(int, nr_arg_slots, RV_MAX_REG_ARGS), args_off, ctx);
> > restore_stack_args(nr_arg_slots - RV_MAX_REG_ARGS, args_off, stk_arg_off, ctx);
> > ret = emit_call((const u64)orig_call, true, ctx);
Andreas suggested that we remove the variable "orig_call" and use
"func_addr + RV_FENTRY_NINSNS * 4" directly here. But I saw the V2
is already applied. Hmm...I think it doesn't matter.
Thanks!
Menglong Dong
>
>
WARNING: multiple messages have this Message-ID (diff)
From: Menglong Dong <menglong.dong@linux.dev>
To: Menglong Dong <menglong8.dong@gmail.com>,
schwab@linux-m68k.org, Pu Lehui <pulehui@huawei.com>,
andrii@kernel.org
Cc: ast@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev,
eddyz87@gmail.com, song@kernel.org, yonghong.song@linux.dev,
john.fastabend@gmail.com, kpsingh@kernel.org, sdf@fomichev.me,
haoluo@google.com, jolsa@kernel.org, bjorn@kernel.org,
puranjay@kernel.org, pjw@kernel.org, palmer@dabbelt.com,
aou@eecs.berkeley.edu, alex@ghiti.fr, bpf@vger.kernel.org,
linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH bpf v2] riscv, bpf: fix incorrect usage of BPF_TRAMP_F_ORIG_STACK
Date: Sat, 20 Dec 2025 15:33:58 +0800 [thread overview]
Message-ID: <8619181.T7Z3S40VBb@7950hx> (raw)
In-Reply-To: <33977244-1266-4590-af38-e3be3e46d7f4@huawei.com>
On 2025/12/20 10:59, Pu Lehui wrote:
>
> On 2025/12/19 22:29, Menglong Dong wrote:
> > The usage of BPF_TRAMP_F_ORIG_STACK in __arch_prepare_bpf_trampoline() is
> > wrong, and it should be BPF_TRAMP_F_CALL_ORIG, which caused crash as
> > Andreas reported:
> >
> > Insufficient stack space to handle exception!
> > Task stack: [0xff20000000010000..0xff20000000014000]
> > Overflow stack: [0xff600000ffdad070..0xff600000ffdae070]
> > CPU: 1 UID: 0 PID: 1 Comm: systemd Not tainted 6.18.0-rc5+ #15 PREEMPT(voluntary)
> > Hardware name: riscv-virtio qemu/qemu, BIOS 2025.10 10/01/2025
> > epc : copy_from_kernel_nofault+0xa/0x198
> > ra : bpf_probe_read_kernel+0x20/0x60
> > epc : ffffffff802b732a ra : ffffffff801e6070 sp : ff2000000000ffe0
> > gp : ffffffff82262ed0 tp : 0000000000000000 t0 : ffffffff80022320
> > t1 : ffffffff801e6056 t2 : 0000000000000000 s0 : ff20000000010040
> > s1 : 0000000000000008 a0 : ff20000000010050 a1 : ff60000083b3d320
> > a2 : 0000000000000008 a3 : 0000000000000097 a4 : 0000000000000000
> > a5 : 0000000000000000 a6 : 0000000000000021 a7 : 0000000000000003
> > s2 : ff20000000010050 s3 : ff6000008459fc18 s4 : ff60000083b3d340
> > s5 : ff20000000010060 s6 : 0000000000000000 s7 : ff20000000013aa8
> > s8 : 0000000000000000 s9 : 0000000000008000 s10: 000000000058dcb0
> > s11: 000000000058dca7 t3 : 000000006925116d t4 : ff6000008090f026
> > t5 : 00007fff9b0cbaa8 t6 : 0000000000000016
> > status: 0000000200000120 badaddr: 0000000000000000 cause: 8000000000000005
> > Kernel panic - not syncing: Kernel stack overflow
> > CPU: 1 UID: 0 PID: 1 Comm: systemd Not tainted 6.18.0-rc5+ #15 PREEMPT(voluntary)
> > Hardware name: riscv-virtio qemu/qemu, BIOS 2025.10 10/01/2025
> > Call Trace:
> > [<ffffffff8001a1f8>] dump_backtrace+0x28/0x38
> > [<ffffffff80002502>] show_stack+0x3a/0x50
> > [<ffffffff800122be>] dump_stack_lvl+0x56/0x80
> > [<ffffffff80012300>] dump_stack+0x18/0x22
> > [<ffffffff80002abe>] vpanic+0xf6/0x328
> > [<ffffffff80002d2e>] panic+0x3e/0x40
> > [<ffffffff80019ef0>] handle_bad_stack+0x98/0xa0
> > [<ffffffff801e6070>] bpf_probe_read_kernel+0x20/0x60
> >
> > Just fix it.
> >
> > Fixes: 47c9214dcbea ("bpf: fix the usage of BPF_TRAMP_F_SKIP_FRAME")
> > Reported-by: Andreas Schwab <schwab@linux-m68k.org>
> > Closes: https://lore.kernel.org/bpf/874ipnkfvt.fsf@igel.home/
> > Signed-off-by: Menglong Dong <dongml2@chinatelecom.cn>
> > ---
> > v2:
> > - merge the code
> > ---
> > arch/riscv/net/bpf_jit_comp64.c | 6 ++----
> > 1 file changed, 2 insertions(+), 4 deletions(-)
> >
> > diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c
> > index 5f9457e910e8..37888abee70c 100644
> > --- a/arch/riscv/net/bpf_jit_comp64.c
> > +++ b/arch/riscv/net/bpf_jit_comp64.c
> > @@ -1133,10 +1133,6 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im,
> >
> > store_args(nr_arg_slots, args_off, ctx);
> >
> > - /* skip to actual body of traced function */
> > - if (flags & BPF_TRAMP_F_ORIG_STACK)
>
> Oh, how did this weird flags get in here...
It's my fault. I wanted to use BPF_TRAMP_F_CALL_ORIG here, and
a copy-paste mistake happen. They look a little similar :(
>
> > - orig_call += RV_FENTRY_NINSNS * 4;
> > -
> > if (flags & BPF_TRAMP_F_CALL_ORIG) {
> > emit_imm(RV_REG_A0, ctx->insns ? (const s64)im : RV_MAX_COUNT_IMM, ctx);
> > ret = emit_call((const u64)__bpf_tramp_enter, true, ctx);
> > @@ -1171,6 +1167,8 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im,
> > }
> >
> > if (flags & BPF_TRAMP_F_CALL_ORIG) {
> > + /* skip to actual body of traced function */
> > + orig_call += RV_FENTRY_NINSNS * 4;
>
>
> LGTM, let's revert it.
>
> Reviewed-by: Pu Lehui <pulehui@huawei.com>
>
> > restore_args(min_t(int, nr_arg_slots, RV_MAX_REG_ARGS), args_off, ctx);
> > restore_stack_args(nr_arg_slots - RV_MAX_REG_ARGS, args_off, stk_arg_off, ctx);
> > ret = emit_call((const u64)orig_call, true, ctx);
Andreas suggested that we remove the variable "orig_call" and use
"func_addr + RV_FENTRY_NINSNS * 4" directly here. But I saw the V2
is already applied. Hmm...I think it doesn't matter.
Thanks!
Menglong Dong
>
>
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
next prev parent reply other threads:[~2025-12-20 7:34 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-19 14:29 [PATCH bpf v2] riscv, bpf: fix incorrect usage of BPF_TRAMP_F_ORIG_STACK Menglong Dong
2025-12-19 14:29 ` Menglong Dong
2025-12-19 20:10 ` patchwork-bot+netdevbpf
2025-12-19 20:10 ` patchwork-bot+netdevbpf
2025-12-20 2:59 ` Pu Lehui
2025-12-20 2:59 ` Pu Lehui
2025-12-20 7:33 ` Menglong Dong [this message]
2025-12-20 7:33 ` Menglong Dong
2025-12-20 8:12 ` Pu Lehui
2025-12-20 8:12 ` Pu Lehui
2026-01-12 10:47 ` Andreas Schwab
2026-01-12 10:47 ` Andreas Schwab
[not found] ` <6964d168.050a0220.57989.2241SMTPIN_ADDED_BROKEN@mx.google.com>
2026-01-12 17:01 ` Alexei Starovoitov
2026-01-12 17:01 ` Alexei Starovoitov
2026-01-26 4:21 ` patchwork-bot+linux-riscv
2026-01-26 4:21 ` patchwork-bot+linux-riscv
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8619181.T7Z3S40VBb@7950hx \
--to=menglong.dong@linux.dev \
--cc=alex@ghiti.fr \
--cc=andrii@kernel.org \
--cc=aou@eecs.berkeley.edu \
--cc=ast@kernel.org \
--cc=bjorn@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=martin.lau@linux.dev \
--cc=menglong8.dong@gmail.com \
--cc=palmer@dabbelt.com \
--cc=pjw@kernel.org \
--cc=pulehui@huawei.com \
--cc=puranjay@kernel.org \
--cc=schwab@linux-m68k.org \
--cc=sdf@fomichev.me \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.