public inbox for bpf@vger.kernel.org
From: sashiko-bot@kernel.org
To: "Yazhou Tang" <tangyazhou@zju.edu.cn>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v7 2/3] bpf: Fix s16 truncation for large bpf-to-bpf call offsets
Date: Tue, 21 Apr 2026 20:46:48 +0000
Message-ID: <20260421204648.B573FC2BCB0@smtp.kernel.org>
In-Reply-To: <20260421144504.823756-3-tangyazhou@zju.edu.cn>

Sashiko AI review found 1 potential issue(s):
- [Medium] bpftool's control-flow graph generator (cfg.c) was not updated to reflect the `insn->off` and `insn->imm` swap for BPF_PSEUDO_CALL, which will break visual dumps.
--

commit bbf026d16d77a3e1debc60ea3a7b2fef7d7def5e
Author: Yazhou Tang <tangyazhou518@outlook.com>

bpf: Fix s16 truncation for large bpf-to-bpf call offsets

This commit fixes an s16 truncation issue for large bpf-to-bpf call
offsets when JIT is disabled or falls back to the interpreter.
It does this by using the off field to store the interpreter function
index and the imm field to pass the original offset.
The related dumper code was also updated to adapt to this change.

> diff --git a/kernel/bpf/fixups.c b/kernel/bpf/fixups.c
> index 300e4e2519318..8947ef74f6a88 100644
> --- a/kernel/bpf/fixups.c
> +++ b/kernel/bpf/fixups.c
> @@ -1250,9 +1250,9 @@ static int jit_subprogs(struct bpf_verifier_env *env)
>  		}
>  		if (!bpf_pseudo_call(insn))
>  			continue;
> -		insn->off = env->insn_aux_data[i].call_imm;
> -		subprog = bpf_find_subprog(env, i + insn->off + 1);
> -		insn->imm = subprog;
> +		insn->imm = env->insn_aux_data[i].call_imm;
> +		subprog = bpf_find_subprog(env, i + insn->imm + 1);
> +		insn->off = subprog;
>  	}
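Review bot: the role inversion of insn->off and insn->imm is done here without a comment at the assignment site, yet the commit message itself says the dumper had to be adapted, which means other consumers of exported xlated instructions read off as the relative target. Add a comment above `insn->imm = env->insn_aux_data[i].call_imm;` stating that after jit_subprogs() off carries the subprog index and imm the original call offset, so that anyone touching a reader of these instructions (the in-kernel dumper, bpftool) sees the new contract at the point where it is established rather than having to infer it from the three swapped lines.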

Since insn->imm and insn->off are now swapped for exported translated
programs, should tools/bpf/bpftool/cfg.c also be updated?

It looks like cfg_partition_funcs() currently relies on cur->off to
calculate the target subprogram start when generating the control-flow
graph:

tools/bpf/bpftool/cfg.c:cfg_partition_funcs() {
	...
	for (; cur < end; cur++) {
		if (cur->code != (BPF_JMP | BPF_CALL))
			continue;
		if (cur->src_reg != BPF_PSEUDO_CALL)
			continue;
		func = cfg_append_func(cfg, cur + cur->off + 1);
		if (!func)
			return true;
	}
	...
}

Because cur->off now holds the subprogram index instead of the jump offset,
could this point to the wrong instruction and cause a corrupted graph or
out-of-bounds memory access during bpftool prog dump xlated visual?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260421144504.823756-1-tangyazhou@zju.edu.cn?part=2
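To make the field swap and the truncation it fixes concrete, here is an added C example written for this page; it is not code from the patch, the kernel or bpftool. It mirrors the instruction layout (assumed to follow struct bpf_insn in the UAPI header), encodes a pseudo call both the pre-patch way (offset in the s16 off field) and the post-patch way (offset in the s32 imm field), and resolves the call target the way cfg_partition_funcs() does, so the effect of a consumer still reading off can be observed. The function names encode_call_old, encode_call_new, pseudo_call_target, offset_survives and new_layout_target, and the sample offset 40000, are the example's own constructions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Local mirror of the instruction layout (assumption: field order and
 * widths follow struct bpf_insn in include/uapi/linux/bpf.h).
 */
struct bpf_insn {
	uint8_t code;
	uint8_t dst_reg:4;
	uint8_t src_reg:4;
	int16_t off;
	int32_t imm;
};

#define BPF_JMP		0x05
#define BPF_CALL	0x80
#define BPF_PSEUDO_CALL	1

/* Pre-patch encoding: the relative call offset lives in the s16 off field. */
static struct bpf_insn encode_call_old(int32_t call_imm, int subprog)
{
	struct bpf_insn insn = { .code = BPF_JMP | BPF_CALL, .src_reg = BPF_PSEUDO_CALL };

	insn.off = (int16_t)call_imm;	/* silently truncates once call_imm exceeds s16 range */
	insn.imm = subprog;
	return insn;
}

/* Post-patch encoding: subprog index in off, full s32 offset in imm. */
static struct bpf_insn encode_call_new(int32_t call_imm, int subprog)
{
	struct bpf_insn insn = { .code = BPF_JMP | BPF_CALL, .src_reg = BPF_PSEUDO_CALL };

	insn.imm = call_imm;
	insn.off = (int16_t)subprog;
	return insn;
}

/*
 * Consumer in the style of bpftool's cfg_partition_funcs(): resolves the
 * target index of a pseudo call sitting at position i. offset_in_imm selects
 * which field is treated as the relative offset. Returns false for non-calls.
 */
static bool pseudo_call_target(const struct bpf_insn *insn, size_t i,
			       bool offset_in_imm, size_t *target)
{
	int32_t rel;

	if (insn->code != (BPF_JMP | BPF_CALL) || insn->src_reg != BPF_PSEUDO_CALL)
		return false;
	rel = offset_in_imm ? insn->imm : insn->off;
	*target = i + rel + 1;
	return true;
}

/* True when call_imm survives a round trip through the chosen encoding. */
static bool offset_survives(int32_t call_imm, bool new_layout)
{
	struct bpf_insn insn = new_layout ? encode_call_new(call_imm, 1)
					  : encode_call_old(call_imm, 1);
	int32_t back = new_layout ? insn.imm : insn.off;

	return back == call_imm;
}

/* Target a consumer computes from a new-layout call at index i, reading the selected field. */
static size_t new_layout_target(int32_t call_imm, int subprog, size_t i, bool offset_in_imm)
{
	struct bpf_insn insn = encode_call_new(call_imm, subprog);
	size_t target = 0;

	pseudo_call_target(&insn, i, offset_in_imm, &target);
	return target;
}

int main(void)
{
	const int32_t big = 40000;	/* constructed: a call offset beyond the s16 maximum of 32767 */

	printf("old layout keeps offset %d: %s\n", big, offset_survives(big, false) ? "yes" : "no");
	printf("new layout keeps offset %d: %s\n", big, offset_survives(big, true) ? "yes" : "no");
	/* A reader that still takes off as the offset lands at i + subprog + 1 instead of the callee. */
	printf("reading off as offset -> target %zu\n", new_layout_target(big, 1, 10, false));
	printf("reading imm as offset -> target %zu\n", new_layout_target(big, 1, 10, true));
	return 0;
}
```

The two target values printed for the same instruction show the concern raised above: a consumer that keeps reading off from post-patch instructions resolves the call to the wrong instruction, and with a large enough program the resulting index can also fall outside the instruction array.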
