Re: [PATCH bpf-next v2 15/23] bpf,x86: Implement JIT support for stack arguments

[Yonghong Song <yonghong.song@linux.dev>]

On 5/7/26 12:26 AM, bot+bpf-ci@kernel.org wrote:
>> diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
>> index ea9e707e8abf..67c2f4a3b9cc 100644
>> --- a/arch/x86/net/bpf_jit_comp.c
>> +++ b/arch/x86/net/bpf_jit_comp.c
> [ ... ]
>
>> @@ -1664,16 +1692,45 @@ static int do_jit(struct bpf_verifier_env *env, struct bpf_prog *bpf_prog, int *
>>   	int i, excnt = 0;
>>   	int ilen, proglen = 0;
>>   	u8 *ip, *prog = temp;
>> +	u16 stack_arg_depth, incoming_stack_arg_depth, outgoing_stack_arg_depth; /* in bytes */
>> +	u16 outgoing_rsp;
>>   	u32 stack_depth;
>> +	int callee_saved_size;
>> +	s32 outgoing_arg_base;
>>   	int err;
>>
>>   	stack_depth = bpf_prog->aux->stack_depth;
>> +	stack_arg_depth = bpf_prog->aux->stack_arg_cnt * 8;
>> +	incoming_stack_arg_depth = bpf_prog->aux->incoming_stack_arg_cnt * 8;
>> +	outgoing_stack_arg_depth = stack_arg_depth - incoming_stack_arg_depth;
> Can this u16 subtraction underflow for leaf subprograms? When a leaf

The maximum number of stack arguments in 7. The total depth is 56,
so underflow is not possible.

> function receives stack arguments but makes no calls with stack arguments,
> incoming_stack_arg_depth would be non-zero (e.g., 16 bytes for 2 args),
> but stack_arg_depth would be zero since the verifier never updates it
> for functions that don't make calls.
>
> The subtraction would wrap around modulo 65536:
>    outgoing_stack_arg_depth = 0 - 16 = 0xFFF0 (about 65520 bytes)

This is fixed in this patch set. sub->stack_arg_cnt is set in
bpf_prepare_func_args(), which captures the number of incoming arg's.

>
> Later in do_jit():
>
>> @@ -1700,6 +1757,42 @@ static int do_jit(struct bpf_verifier_env *env, struct bpf_prog *bpf_prog, int *
>>   		push_r12(&prog);
>>   	push_callee_regs(&prog, callee_regs_used);
>>   }
>> +
>> +	/* Compute callee-saved register area size. */
> [ ... ]
>
>> +	/*
>> +	 * Allocate outgoing stack arg area for args 7+ only.
>> +	 * Arg 6 goes into r9 register, not on stack.
>> +	 */
>> +	outgoing_rsp = outgoing_stack_arg_depth > 8 ? outgoing_stack_arg_depth - 8 : 0;
>> +	emit_sub_rsp(&prog, outgoing_rsp);
> This would compute outgoing_rsp = 0xFFF0 - 8 = 0xFFE8 (about 65512 bytes),
> and emit_sub_rsp() would generate:
>    sub rsp, 0xFFE8
>
> allocating a 65 KB stack frame that overflows the kernel stack
> (THREAD_SIZE is only 16 KB on x86_64).
>
> This issue was identified by bot+bpf-ci@kernel.org in v1 (Fri, 24 Apr
> 2026 18:00:42 +0000) at
> https://lore.kernel.org/bpf/e1b7281b2a52b18ae2a9f7d41091994eec0bba81e96e64adbe4c072d915acfc2@mail.kernel.org/
>
> The author acknowledged this bug and promised to fix it with a selftest
> in the next revision, but the current code still contains the vulnerable
> subtraction without underflow protection.
>
>
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
>
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/25523765323