From: Ilya Leoshkevich <iii@linux.ibm.com>
To: Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>
Cc: bpf@vger.kernel.org, Heiko Carstens <hca@linux.ibm.com>,
	Vasily Gorbik <gor@linux.ibm.com>,
	Alexander Gordeev <agordeev@linux.ibm.com>
Subject: Re: [PATCH bpf-next 1/2] s390/bpf: Write back the tail call counter for BPF_CALL
Date: Tue, 12 Aug 2025 18:00:26 +0200	[thread overview]
Message-ID: <c5ba6c4a7cd7cdbf869fc5ea88be1302018d7e21.camel@linux.ibm.com> (raw)
In-Reply-To: <20250812141217.144551-2-iii@linux.ibm.com>

On Tue, 2025-08-12 at 16:07 +0200, Ilya Leoshkevich wrote:
> The tailcall_bpf2bpf_hierarchy_1 test hangs on s390. Its call graph is
> as follows:
> 
>   entry()
>     subprog_tail()
>       bpf_tail_call_static(0) -> entry + tail_call_start
>     subprog_tail()
>       bpf_tail_call_static(0) -> entry + tail_call_start
> 
> entry() copies its tail call counter to the subprog_tail()'s frame,
> which then increments it. However, the incremented result is discarded,
> leading to an astronomically large number of tail calls.
> 
> Fix by writing the incremented counter back to the entry()'s frame.
> 
> Fixes: dd691e847d28 ("s390/bpf: Implement bpf_jit_supports_subprog_tailcalls()")
> Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
> ---
>  arch/s390/net/bpf_jit_comp.c | 20 +++++++++++++-------
>  1 file changed, 13 insertions(+), 7 deletions(-)
> 
> diff --git a/arch/s390/net/bpf_jit_comp.c
> b/arch/s390/net/bpf_jit_comp.c
> index bb17efe29d65..85695576df6c 100644
> --- a/arch/s390/net/bpf_jit_comp.c
> +++ b/arch/s390/net/bpf_jit_comp.c
> @@ -1790,16 +1790,11 @@ static noinline int bpf_jit_insn(struct
> bpf_jit *jit, struct bpf_prog *fp,
>  
>  		REG_SET_SEEN(BPF_REG_5);
>  		jit->seen |= SEEN_FUNC;
> +
>  		/*
>  		 * Copy the tail call counter to where the callee
> expects it.
> -		 *
> -		 * Note 1: The callee can increment the tail call
> counter, but
> -		 * we do not load it back, since the x86 JIT does
> not do this
> -		 * either.
> -		 *
> -		 * Note 2: We assume that the verifier does not let
> us call the
> -		 * main program, which clears the tail call counter
> on entry.
>  		 */
> +
>  		/* mvc
> tail_call_cnt(4,%r15),frame_off+tail_call_cnt(%r15) */
>  		_EMIT6(0xd203f000 | offsetof(struct prog_frame,
> tail_call_cnt),
>  		       0xf000 | (jit->frame_off +
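Review bot: deleting Note 2 drops an assumption that this patch does not lift. The write-back only makes the callee's increment visible to the caller; the main program still clears the tail call counter on entry, exactly as Note 2 describes, so the reliance on the verifier not letting a subprog call the main program is unchanged. Only Note 1 is obsoleted by the new write-back; keep Note 2's sentence (or fold it into the remaining comment). Minor: "Copy the tail call counter to where the callee expects it." now sits alone in a three-line block comment, followed by an empty `+` line and then the single-line mvc comment; a single-line `/* ... */` in the style of the mvc comment would read tighter.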
> @@ -1825,6 +1820,17 @@ static noinline int bpf_jit_insn(struct
> bpf_jit *jit, struct bpf_prog *fp,
>  		call_r1(jit);
>  		/* lgr %b0,%r2: load return value into %b0 */
>  		EMIT4(0xb9040000, BPF_REG_0, REG_2);
> +
> +		/*
> +		 * Copy the potentially updated tail call counter
> back.
> +		 */
> +
> +		/* mvc
> frame_off+tail_call_cnt(%r15),tail_call_cnt(4,%r15) */
> +		_EMIT6(0xd203f000 | (jit->frame_off +
> +				     offsetof(struct prog_frame,
> +					      tail_call_cnt)),
> +		       0xf000 | offsetof(struct prog_frame,
> tail_call_cnt));
> +
>  		break;
>  	}
>  	case BPF_JMP | BPF_TAIL_CALL: {
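Review bot: the second mvc runs after every BPF_JMP | BPF_CALL, not only after bpf2bpf (BPF_PSEUDO_CALL) calls. A helper or kfunc is unaware of the tail call counter convention and does not maintain tail_call_cnt in its frame, so copying that slot back replaces the caller's counter with whatever the callee happened to leave there, and a small stray value re-arms the tail call limit. Gate the write-back on the call being a BPF_PSEUDO_CALL, as the reply below already concludes for v2, and cover it with a test that mixes a helper call and a tail call in the same program. Minor: the three-line block comment for one sentence plus the surrounding empty `+` lines could be collapsed to a single-line comment, matching the mvc comment directly under it.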

Hmm, we need to do this only for BPF_PSEUDO_CALLs, otherwise a helper
or a kfunc, which is unaware of the tail call counter convention, will
clobber it with something random, potentially causing a kernel stack
overflow.

I will send a v2 and also provide a test that catches this issue.
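The following C program is an added model of the counter convention this thread is about; it is not the JIT's code and not part of the thread. It encodes the frame rule the patch relies on: a BPF_CALL copies the caller's tail_call_cnt into the callee's prog_frame, and a tail call taken inside a subprog replaces that subprog, so the target runs on the subprog's prog_frame and, when it finishes, control returns to the instruction after the BPF_CALL in the caller. The kernel limit MAX_TAIL_CALL_CNT = 33 is taken from include/linux/bpf.h; the policy names (WB_NONE, WB_ALL_CALLS, WB_PSEUDO_CALL), the simulation struct and the helper's scratch value are constructed for this example. It reproduces the hang without write-back, the expected 34 runs of entry() with write-back after bpf2bpf calls, and the clobbering the reply warns about when the write-back is applied after a helper call as well.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model (not the JIT's code) of the s390 tail call counter convention:
 * each program has a prog_frame holding a tail_call_cnt slot. A BPF_CALL
 * copies the caller's counter into the callee's prog_frame (first mvc in
 * the patch); the fix copies it back after the callee returns (second mvc).
 * A tail call taken inside a subprog replaces that subprog: the target runs
 * on the subprog's prog_frame and returns to the subprog's caller.
 */
#define MAX_TAIL_CALL_CNT 33	/* kernel limit from include/linux/bpf.h */

enum write_back_policy {
	WB_NONE,	/* before the patch: the callee's increment is lost */
	WB_ALL_CALLS,	/* patch as posted: write back after every BPF_CALL */
	WB_PSEUDO_CALL,	/* v2 intent: write back only after bpf2bpf calls */
};

struct sim {
	enum write_back_policy policy;
	unsigned long entries;	/* how many times entry() ran */
	unsigned long budget;	/* give up and flag a runaway at this point */
	bool runaway;
};

static void entry_from_tail_call_start(struct sim *s, uint32_t *cnt);

/* subprog_tail(): bpf_tail_call_static(0), whose target is entry(). */
static void subprog_tail(struct sim *s, uint32_t *cnt)
{
	if (*cnt >= MAX_TAIL_CALL_CNT)
		return;		/* limit reached: the tail call falls through */
	(*cnt)++;		/* incremented in the subprog's own prog_frame */
	entry_from_tail_call_start(s, cnt);	/* target inherits this frame */
}

/* BPF_JMP | BPF_CALL of a subprog (BPF_PSEUDO_CALL). */
static void call_subprog_tail(struct sim *s, uint32_t *caller_cnt)
{
	uint32_t callee_cnt = *caller_cnt;	/* mvc: caller frame -> callee frame */

	subprog_tail(s, &callee_cnt);
	if (s->policy != WB_NONE)
		*caller_cnt = callee_cnt;	/* mvc: callee frame -> caller frame */
}

/* entry() from tail_call_start on: the counter init (xc) is skipped here. */
static void entry_from_tail_call_start(struct sim *s, uint32_t *cnt)
{
	if (s->runaway)
		return;
	if (++s->entries > s->budget) {
		s->runaway = true;
		return;
	}
	call_subprog_tail(s, cnt);
	call_subprog_tail(s, cnt);
}

/* Run entry() from the kernel; returns how often it ran, or -1 on runaway. */
static long count_entry_runs(enum write_back_policy policy, unsigned long budget)
{
	struct sim s = { .policy = policy, .budget = budget };
	uint32_t cnt = 0;	/* xc: the main program clears its counter on entry */

	entry_from_tail_call_start(&s, &cnt);
	return s.runaway ? -1 : (long)s.entries;
}

/*
 * The concern raised in the reply: a helper or kfunc knows nothing about
 * the convention, so whatever it leaves in that slot is arbitrary.
 * 'scratch' is a constructed stand-in for that arbitrary value.
 */
static uint32_t counter_after_helper_call(enum write_back_policy policy,
					  uint32_t cnt, uint32_t scratch)
{
	uint32_t callee_slot = cnt;	/* mvc: caller frame -> callee frame */

	callee_slot = scratch;		/* the helper reuses the slot as scratch */
	if (policy == WB_ALL_CALLS)
		cnt = callee_slot;	/* unconditional write-back clobbers cnt */
	return cnt;
}

int main(void)
{
	printf("no write-back: entry ran %ld times (-1 = runaway)\n",
	       count_entry_runs(WB_NONE, 1000000));
	printf("write-back after bpf2bpf calls: entry ran %ld times\n",
	       count_entry_runs(WB_PSEUDO_CALL, 1000000));
	printf("counter 20 after a helper call, write-back for all calls: %u\n",
	       counter_after_helper_call(WB_ALL_CALLS, 20, 0));
	printf("counter 20 after a helper call, write-back for subprogs only: %u\n",
	       counter_after_helper_call(WB_PSEUDO_CALL, 20, 0));
	return 0;
}
```

Without write-back, an entry() running with counter k re-enters itself twice with k+1, so the number of runs grows as 2^(34-k), which is the "astronomically large number of tail calls" from the commit message; with write-back the second call sees the exhausted counter and the hierarchy settles at 34 runs. The helper case shows why the v2 must restrict the write-back to BPF_PSEUDO_CALL: a scratch value of 0 left by a helper would silently re-arm the limit.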
