From: Yonghong Song <yonghong.song@linux.dev>
To: sashiko@lists.linux.dev
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v2 11/23] bpf: Prepare architecture JIT support for stack arguments
Date: Sun, 10 May 2026 10:05:31 -0700 [thread overview]
Message-ID: <a4851c0b-d735-4bde-a09c-74de9aec11a0@linux.dev> (raw)
In-Reply-To: <20260509021940.680C0C2BCB0@smtp.kernel.org>
On 5/9/26 4:19 AM, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
> - [Critical] Static functions with more than 5 parameters are not actually rejected when the JIT does not support stack arguments. This bypasses verifier stack initialization checks and allows the program to run, leading to arbitrary kernel memory access at runtime.
> - [Low] The patch returns the kernel-internal error code -ENOTSUPP instead of the standard -EOPNOTSUPP, causing generic 'Unknown error 524' messages in user-space.
> --
>
> commit e571d76e56fcb6ad5c6cc343d3221d66e6aec024
> Author: Yonghong Song <yonghong.song@linux.dev>
>
> bpf: Prepare architecture JIT support for stack arguments
>
> This commit introduces a weak function bpf_jit_supports_stack_args() to allow
> architectures to indicate support for BPF stack arguments. It also updates
> the BTF preparation code to reject functions with more than 5 arguments if
> the JIT does not support stack arguments.
>
>> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
>> index ec3fb8c8f4eef..bf83b737d55cb 100644
>> --- a/kernel/bpf/btf.c
>> +++ b/kernel/bpf/btf.c
> [ ... ]
>> @@ -7886,8 +7886,14 @@ int btf_prepare_func_args(struct bpf_verifier_env *env, int subprog)
>> MAX_BPF_FUNC_ARGS, tname, nargs);
>> return -EFAULT;
>> }
>> - if (nargs > MAX_BPF_FUNC_REG_ARGS)
>> + if (nargs > MAX_BPF_FUNC_REG_ARGS) {
>> + if (!bpf_jit_supports_stack_args()) {
>> + bpf_log(log, "JIT does not support function %s() with %d args\n",
>> + tname, nargs);
>> + return -ENOTSUPP;
> Should this return -EOPNOTSUPP instead of -ENOTSUPP?
>
> -ENOTSUPP is a kernel-internal error code (524). If this error bubbles up
> to user-space (for example, when loading a global BPF program), it might
> result in a confusing "Unknown error 524" message rather than a standard
> error.
>
> Also, does returning an error here actually reject static functions with
> more than 5 arguments?
>
> Looking at the code just above this diff, sub->arg_cnt is set to nargs
> before the check:
>
> kernel/bpf/btf.c:btf_prepare_func_args() {
> ...
> sub->arg_cnt = nargs;
> ...
> if (nargs > MAX_BPF_FUNC_REG_ARGS) {
> if (!bpf_jit_supports_stack_args()) {
> ...
> return -ENOTSUPP;
> }
> ...
> }
>
> If this returns -ENOTSUPP, it propagates to btf_check_subprog_call(),
> which returns the error. However, check_func_call() ignores non-EFAULT
> errors for static functions:
>
> kernel/bpf/verifier.c:check_func_call() {
> ...
> err = btf_check_subprog_call(env, subprog, caller, ...);
> if (err == -EFAULT)
> return err;
> ...
> }
>
> Since the error is ignored, verification continues without rejecting the
> program. Because the error was returned early, btf_check_func_arg_match()
> skips check_outgoing_stack_args(), meaning the caller is never forced to
> properly initialize the stack slots according to BTF types.
I will use -EFAULT error code, so the prog with potential stack arguments
will be rejected due to -EFAULT. This applies to below analysis where
they will not really work as -EFAULT will prevent that.
>
> Since sub->arg_cnt was already set to nargs, bpf_in_stack_arg_cnt() will
> calculate that the function takes stack arguments. If the caller manually
> initializes the stack argument slots by writing to r11, the verifier tracks
> the register types and might accept the program.
>
> At runtime, since the JIT does not support stack arguments, BPF_REG_PARAMS
> (r11) is likely missing from the JIT's register translation maps.
> Uninitialized entries default to 0, which often maps to the return value
> register (like rax on x86 or x0 on arm64).
>
> Could this cause reads or writes against r11 + offset to be translated
> into memory operations against rax/x0 + offset? Since the return register
> is easily controllable by the BPF program, might this allow arbitrary
> kernel memory reads and writes?
>
>> + }
>> sub->stack_arg_cnt = nargs - MAX_BPF_FUNC_REG_ARGS;
>> + }
>>
>> if (is_global && nargs > MAX_BPF_FUNC_REG_ARGS) {
>> bpf_log(log, "global function %s has %d > %d args, stack args not supported\n",
next prev parent reply other threads:[~2026-05-10 17:05 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-07 21:29 [PATCH bpf-next v2 00/23] bpf: Support stack arguments for BPF functions and kfuncs Yonghong Song
2026-05-07 21:29 ` [PATCH bpf-next v2 01/23] bpf: Convert bpf_get_spilled_reg macro to static inline function Yonghong Song
2026-05-07 21:29 ` [PATCH bpf-next v2 02/23] bpf: Remove copy_register_state wrapper function Yonghong Song
2026-05-07 21:29 ` [PATCH bpf-next v2 03/23] bpf: Add helper functions for r11-based stack argument insns Yonghong Song
2026-05-07 21:30 ` [PATCH bpf-next v2 04/23] bpf: Set sub->arg_cnt earlier in btf_prepare_func_args() Yonghong Song
2026-05-07 22:11 ` bot+bpf-ci
2026-05-09 13:05 ` Yonghong Song
2026-05-07 21:30 ` [PATCH bpf-next v2 05/23] bpf: Support stack arguments for bpf functions Yonghong Song
2026-05-07 22:26 ` bot+bpf-ci
2026-05-09 12:52 ` Yonghong Song
2026-05-08 18:00 ` Alexei Starovoitov
2026-05-09 12:55 ` Yonghong Song
2026-05-07 21:30 ` [PATCH bpf-next v2 06/23] bpf: Refactor jmp history to use dedicated spi/frame fields Yonghong Song
2026-05-07 21:30 ` [PATCH bpf-next v2 07/23] bpf: Add precision marking and backtracking for stack argument slots Yonghong Song
2026-05-07 22:11 ` bot+bpf-ci
2026-05-09 13:08 ` Yonghong Song
2026-05-09 4:05 ` sashiko-bot
2026-05-10 16:41 ` Yonghong Song
2026-05-07 21:30 ` [PATCH bpf-next v2 08/23] bpf: Refactor record_call_access() to extract per-arg logic Yonghong Song
2026-05-07 21:30 ` [PATCH bpf-next v2 09/23] bpf: Extend liveness analysis to track stack argument slots Yonghong Song
2026-05-07 22:11 ` bot+bpf-ci
2026-05-09 13:29 ` Yonghong Song
2026-05-09 0:59 ` sashiko-bot
2026-05-10 16:47 ` Yonghong Song
2026-05-07 21:30 ` [PATCH bpf-next v2 10/23] bpf: Reject stack arguments in non-JITed programs Yonghong Song
2026-05-07 22:11 ` bot+bpf-ci
2026-05-09 2:10 ` sashiko-bot
2026-05-10 16:59 ` Yonghong Song
2026-05-07 21:30 ` [PATCH bpf-next v2 11/23] bpf: Prepare architecture JIT support for stack arguments Yonghong Song
2026-05-09 2:19 ` sashiko-bot
2026-05-10 17:05 ` Yonghong Song [this message]
2026-05-07 21:30 ` [PATCH bpf-next v2 12/23] bpf: Enable r11 based insns Yonghong Song
2026-05-09 2:59 ` sashiko-bot
2026-05-10 17:11 ` Yonghong Song
2026-05-07 21:30 ` [PATCH bpf-next v2 13/23] bpf: Support stack arguments for kfunc calls Yonghong Song
2026-05-07 21:30 ` [PATCH bpf-next v2 14/23] bpf: Reject stack arguments if tail call reachable Yonghong Song
2026-05-07 22:11 ` bot+bpf-ci
2026-05-09 1:42 ` sashiko-bot
2026-05-10 17:15 ` Yonghong Song
2026-05-07 21:30 ` [PATCH bpf-next v2 15/23] bpf,x86: Implement JIT support for stack arguments Yonghong Song
2026-05-07 22:26 ` bot+bpf-ci
2026-05-10 17:21 ` Yonghong Song
2026-05-09 2:21 ` sashiko-bot
2026-05-10 17:22 ` Yonghong Song
2026-05-07 21:31 ` [PATCH bpf-next v2 16/23] selftests/bpf: Add tests for BPF function " Yonghong Song
2026-05-07 21:31 ` [PATCH bpf-next v2 17/23] selftests/bpf: Add tests for stack argument validation Yonghong Song
2026-05-09 1:30 ` sashiko-bot
2026-05-10 17:23 ` Yonghong Song
2026-05-07 21:31 ` [PATCH bpf-next v2 18/23] selftests/bpf: Add BTF fixup for __naked subprog parameter names Yonghong Song
2026-05-09 1:40 ` sashiko-bot
2026-05-10 17:24 ` Yonghong Song
2026-05-07 21:31 ` [PATCH bpf-next v2 19/23] selftests/bpf: Add verifier tests for stack argument validation Yonghong Song
2026-05-07 22:11 ` bot+bpf-ci
2026-05-10 17:27 ` Yonghong Song
2026-05-09 1:38 ` sashiko-bot
2026-05-10 17:27 ` Yonghong Song
2026-05-07 21:31 ` [PATCH bpf-next v2 20/23] selftests/bpf: Add precision backtracking test for stack arguments Yonghong Song
2026-05-09 1:52 ` sashiko-bot
2026-05-10 17:31 ` Yonghong Song
2026-05-07 21:31 ` [PATCH bpf-next v2 21/23] bpf, arm64: Map BPF_REG_0 to x8 instead of x7 Yonghong Song
2026-05-08 18:01 ` Alexei Starovoitov
2026-05-09 13:44 ` Yonghong Song
2026-05-07 21:32 ` [PATCH bpf-next v2 22/23] bpf, arm64: Add JIT support for stack arguments Yonghong Song
2026-05-09 2:15 ` sashiko-bot
2026-05-10 17:32 ` Yonghong Song
2026-05-07 21:32 ` [PATCH bpf-next v2 23/23] selftests/bpf: Enable stack argument tests for arm64 Yonghong Song
2026-05-08 18:06 ` [PATCH bpf-next v2 00/23] bpf: Support stack arguments for BPF functions and kfuncs Alexei Starovoitov
2026-05-09 13:43 ` Yonghong Song
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a4851c0b-d735-4bde-a09c-74de9aec11a0@linux.dev \
--to=yonghong.song@linux.dev \
--cc=bpf@vger.kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox