Re: [PATCH bpf-next v4 17/25] bpf,x86: Implement JIT support for stack arguments

[Yonghong Song <yonghong.song@linux.dev>]

On 5/15/26 8:02 AM, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> - [Critical] When a BPF program with an exception boundary calls a function with more than 5 arguments, unwinding an exception via bpf_throw() restores callee-saved registers from the wrong stack offset, corrupting kernel registers.
> --
>
> commit 86dff956386bae1d3e030c84363f5b56f2e023a7
> Author: Yonghong Song <yonghong.song@linux.dev>
>
> bpf,x86: Implement JIT support for stack arguments
>
> This commit implements x86_64 JIT support for BPF functions and kfuncs with
> more than 5 arguments. The extra arguments are passed on the stack, maintaining
> compatibility with the x86-64 calling convention. It introduces logic to handle
> pushing outgoing arguments to the stack area below the callee-saved registers.
>
>> diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
>> index ea9e707e8abff..ceefefb4da217 100644
>> --- a/arch/x86/net/bpf_jit_comp.c
>> +++ b/arch/x86/net/bpf_jit_comp.c
> [ ... ]
>
>> @@ -1700,6 +1755,42 @@ static int do_jit(struct bpf_verifier_env *env, struct bpf_prog *bpf_prog, int *
>>   			push_r12(&prog);
>>   		push_callee_regs(&prog, callee_regs_used);
>>   	}
>> +
>> +	/* Compute callee-saved register area size. */
>> +	callee_saved_size = 0;
> [ ... ]
>
>> +	/*
>> +	 * Allocate outgoing stack arg area for args 7+ only.
>> +	 * Arg 6 goes into r9 register, not on stack.
>> +	 */
>> +	outgoing_rsp = out_stack_arg_cnt > 1 ? (out_stack_arg_cnt - 1) * 8 : 0;
>> +	emit_sub_rsp(&prog, outgoing_rsp);
> Does allocating the outgoing stack arguments area (outgoing_rsp) after pushing
> the callee-saved registers cause an issue when unwinding an exception via
> bpf_throw()?

Yes, this is indeed an issue, we need to restore 'rsp' between

         if (is_exception_cb) {
                 EMIT3(0x48, 0x89, 0xF4); /* mov rsp, rsi */
                 EMIT3(0x48, 0x89, 0xD5); /* mov rbp, rdx */

and

                 /* The main frame must have exception_boundary as true, so we
                  * first restore those callee-saved regs from stack, before
                  * reusing the stack frame.
                  */
                 pop_callee_regs(&prog, all_callee_regs_used);
                 pop_r12(&prog);
                 /* Reset the stack frame. */
                 EMIT3(0x48, 0x89, 0xEC); /* mov rsp, rbp */
	}

due to stack argument.

But I would like to know whether we want to support this
exception + stack_args combination or not.

>
> When bpf_throw() is called, the stack unwinder (arch_bpf_stack_walk()) captures
> the current stack pointer (sp) of the BPF frame, which points to the bottom of
> this outgoing_rsp area.
>
> bpf_throw() passes this shifted sp to the exception callback in the rsi
> register.
>
> The JIT-generated exception callback executes mov rsp, rsi followed by
> pop_callee_regs(). Because rsp is offset by outgoing_rsp bytes below the actual
> saved registers, the pop instructions will read from the outgoing arguments area
> instead of the saved registers.
>
> Could returning to the kernel with corrupted callee-saved registers cause
> unpredictable behavior or panics?
>