From: sashiko-bot@kernel.org
To: "Pu Lehui" <pulehui@huaweicloud.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v4 2/6] riscv, bpf: Remove redundant ctx->offset initialization
Date: Mon, 29 Jun 2026 14:08:39 +0000 [thread overview]
Message-ID: <20260629140839.D2DE71F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260629140048.733346-3-pulehui@huaweicloud.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] Buffer Overflow / JIT Convergence Failure due to violated monotonic shrinking guarantee
--
commit 1c7e15d4942628f7431314e8bb5d6ca1fb3134f1
Author: Pu Lehui <pulehui@huawei.com>
riscv, bpf: Remove redundant ctx->offset initialization
This commit removes the loop initializing ctx->offset and prev_ninsns in
bpf_int_jit_compile, operating under the assumption that the implicit
zero-initialization is sufficient and the manual setup is redundant.
> diff --git a/arch/riscv/net/bpf_jit_core.c b/arch/riscv/net/bpf_jit_core.c
> --- a/arch/riscv/net/bpf_jit_core.c
> +++ b/arch/riscv/net/bpf_jit_core.c
> @@ -79,11 +79,6 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_verifier_env *env, struct bpf_pr
> if (build_body(ctx, extra_pass, NULL))
> goto out_offset;
>
> - for (i = 0; i < prog->len; i++) {
> - prev_ninsns += 32;
> - ctx->offset[i] = prev_ninsns;
> - }
> -
[Severity: Critical]
Could removing this worst-case initialization loop cause a regression by
breaking the monotonic shrinking guarantee of the JIT convergence algorithm?
When ctx->offset is simply zero-initialized, forward branches will initially
evaluate to a zero or negative distance in the first pass. This causes the
JIT to emit short branch instructions. As targets resolve to their actual
positive offsets in subsequent passes, these branch distances increase,
which forces the JIT to expand the branch instructions.
Can this lead to a situation where a branch expands while another shrinks
by the same amount, resulting in a net zero size change for that pass?
If the JIT falsely detects convergence because ctx->ninsns equals
prev_ninsns, it allocates a fixed-size executable buffer based on that
length. In the final emission pass, if internal offsets shift again and
cause a branch to expand unexpectedly, would this result in an out-of-bounds
write past the allocated buffer?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260629140048.733346-1-pulehui@huaweicloud.com?part=2
next prev parent reply other threads:[~2026-06-29 14:08 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 14:00 [PATCH bpf-next v4 0/6] Mixing bpf2bpf and tailcalls for RV64 Pu Lehui
2026-06-29 14:00 ` [PATCH bpf-next v4 1/6] bpf: Extract the is_struct_ops_tramp helper Pu Lehui
2026-06-29 14:00 ` [PATCH bpf-next v4 2/6] riscv, bpf: Remove redundant ctx->offset initialization Pu Lehui
2026-06-29 14:08 ` sashiko-bot [this message]
2026-06-29 14:00 ` [PATCH bpf-next v4 3/6] riscv, bpf: Using kvzalloc_objs to allocate cache buffer Pu Lehui
2026-06-29 14:00 ` [PATCH bpf-next v4 4/6] riscv, bpf: Add RV_TAILCALL_OFFSET macro to format tailcall offset Pu Lehui
2026-06-29 14:10 ` sashiko-bot
2026-06-29 14:00 ` [PATCH bpf-next v4 5/6] riscv, bpf: Mixing bpf2bpf and tailcalls Pu Lehui
2026-06-29 14:06 ` sashiko-bot
2026-06-29 14:00 ` [PATCH bpf-next v4 6/6] selftests/bpf: Remove tailcalls tests from DENYLIST.riscv64 Pu Lehui
2026-06-29 16:19 ` bot+bpf-ci
2026-06-29 14:21 ` [PATCH bpf-next v4 0/6] Mixing bpf2bpf and tailcalls for RV64 Björn Töpel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260629140839.D2DE71F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=pulehui@huaweicloud.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox