From: Ilya Leoshkevich <iii@linux.ibm.com>
To: stable@vger.kernel.org
Cc: Ilya Leoshkevich <iii@linux.ibm.com>,
Daniel Borkmann <daniel@iogearbox.net>
Subject: [PATCH 6.6.y 5/5] s390/bpf: Write back tail call counter for BPF_TRAMP_F_CALL_ORIG
Date: Thu, 16 Oct 2025 23:51:28 +0200 [thread overview]
Message-ID: <20251016215450.53494-6-iii@linux.ibm.com> (raw)
In-Reply-To: <20251016215450.53494-1-iii@linux.ibm.com>
commit bc3905a71f02511607d3ccf732360580209cac4c upstream.
The tailcall_bpf2bpf_hierarchy_fentry test hangs on s390. Its call
graph is as follows:
entry()
subprog_tail()
trampoline()
fentry()
the rest of subprog_tail() # via BPF_TRAMP_F_CALL_ORIG
return to entry()
The problem is that the rest of subprog_tail() increments the tail call
counter, but the trampoline discards the incremented value. This
results in an astronomically large number of tail calls.
Fix by making the trampoline write the incremented tail call counter
back.
Fixes: 528eb2cb87bc ("s390/bpf: Implement arch_prepare_bpf_trampoline()")
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20250813121016.163375-4-iii@linux.ibm.com
---
arch/s390/net/bpf_jit_comp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
index 15c6ab660a5ba..5a64d34a37482 100644
--- a/arch/s390/net/bpf_jit_comp.c
+++ b/arch/s390/net/bpf_jit_comp.c
@@ -2462,6 +2462,9 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im,
/* stg %r2,retval_off(%r15) */
EMIT6_DISP_LH(0xe3000000, 0x0024, REG_2, REG_0, REG_15,
tjit->retval_off);
+ /* mvc tccnt_off(%r15),tail_call_cnt(4,%r15) */
+ _EMIT6(0xd203f000 | tjit->tccnt_off,
+ 0xf000 | offsetof(struct prog_frame, tail_call_cnt));
im->ip_after_call = jit->prg_buf + jit->prg;
--
2.51.0
prev parent reply other threads:[~2025-10-16 21:55 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-16 21:51 [PATCH 6.6.y 0/5] s390/bpf: Tail call counter fixes Ilya Leoshkevich
2025-10-16 21:51 ` [PATCH 6.6.y 1/5] s390/bpf: Change seen_reg to a mask Ilya Leoshkevich
2025-10-16 21:51 ` [PATCH 6.6.y 2/5] s390/bpf: Centralize frame offset calculations Ilya Leoshkevich
2025-10-16 21:51 ` [PATCH 6.6.y 3/5] s390/bpf: Describe the frame using a struct instead of constants Ilya Leoshkevich
2025-10-16 21:51 ` [PATCH 6.6.y 4/5] s390/bpf: Write back tail call counter for BPF_PSEUDO_CALL Ilya Leoshkevich
2025-10-16 21:51 ` Ilya Leoshkevich [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251016215450.53494-6-iii@linux.ibm.com \
--to=iii@linux.ibm.com \
--cc=daniel@iogearbox.net \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox