@kernel-patches-daemon-bpf-rc
Pull request for series with
subject: bpf: verifier: initialize imm in kfunc_tab in add_kfunc_call()
version: 2
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1022898

@kernel-patches-daemon-bpf-rc

Upstream branch: 3249e8a
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1022898
version: 2

@kernel-patches-daemon-bpf-rc

Upstream branch: f1d8c65
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1022898
version: 2

@kernel-patches-daemon-bpf-rc

Upstream branch: 93ce3be
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1022898
version: 2

@kernel-patches-daemon-bpf-rc

Upstream branch: c1da3df
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1022898
version: 2

@kernel-patches-daemon-bpf-rc

Upstream branch: fea3f5e
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1022898
version: 2

@kernel-patches-daemon-bpf-rc

Upstream branch: 63066b7
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1022898
version: 2

@kernel-patches-daemon-bpf-rc

Upstream branch: c133390
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1022898
version: 2

@kernel-patches-daemon-bpf-rc

Upstream branch: ef2c0b2
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1022898
version: 2

Metadata about a kfunc call is added to the kfunc_tab in
add_kfunc_call() but the call instruction itself could get removed by
opt_remove_dead_code() later if it is not reachable.

If the call instruction is removed, specialize_kfunc() is never called
for it and the desc->imm in the kfunc_tab is never initialized for this
kfunc call. In this case, sort_kfunc_descs_by_imm_off(env->prog); in
do_misc_fixups() doesn't sort the table correctly.
This is a problem for s390 as its JIT uses this table to find the
addresses for kfuncs, and if this table is not sorted properly, the JIT can
fail to find addresses for valid kfunc calls.

This was exposed by:

commit d869d56 ("bpf: verifier: refactor kfunc specialization")

as before this commit, desc->imm was initialised in add_kfunc_call().

Initialize desc->imm in add_kfunc_call(); it will be overwritten with the new
imm in specialize_kfunc() if the instruction is not removed.

Signed-off-by: Puranjay Mohan <[email protected]>
Acked-by: Kumar Kartikeya Dwivedi <[email protected]>
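The ordering failure the commit message describes, as an added stand-alone user-space model (this is not code from the series or from the kernel verifier). It assumes a far-call JIT, where a descriptor's imm is the kfunc's BTF id rather than a relative offset, so that a table sorted by (imm, offset) is only in (func_id, offset) order when every imm was actually set; the struct and the two comparators mirror the shape of the verifier's descriptor and its sort/lookup comparators but are reconstructed here, and the three-call program (two calls in dead code, one reachable) is constructed for the example.

```c
/* Added example, not kernel code: model of the kfunc_tab sort/lookup
 * mismatch when an unreachable kfunc call's desc->imm is never set. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct kfunc_desc {
	uint32_t func_id;   /* BTF id of the kfunc */
	uint16_t offset;    /* BTF fd index for module kfuncs */
	int32_t imm;        /* value the JIT sees in insn->imm */
	unsigned long addr; /* address the JIT emits the call to */
};

#define MAX_DESCS 8
struct kfunc_tab {
	struct kfunc_desc descs[MAX_DESCS];
	size_t nr_descs;
};

/* Sort key used by the fixup pass: (imm, offset). */
static int cmp_by_imm_off(const void *a, const void *b)
{
	const struct kfunc_desc *d0 = a, *d1 = b;

	if (d0->imm != d1->imm)
		return d0->imm < d1->imm ? -1 : 1;
	if (d0->offset != d1->offset)
		return d0->offset < d1->offset ? -1 : 1;
	return 0;
}

/* Lookup key a far-call JIT uses to resolve a kfunc: (func_id, offset). */
static int cmp_by_id_off(const void *a, const void *b)
{
	const struct kfunc_desc *d0 = a, *d1 = b;

	if (d0->func_id != d1->func_id)
		return d0->func_id < d1->func_id ? -1 : 1;
	if (d0->offset != d1->offset)
		return d0->offset < d1->offset ? -1 : 1;
	return 0;
}

/* Model of add_kfunc_call(). With init_imm == false the entry keeps
 * imm == 0 from the zeroed table, the behaviour the patch fixes. */
static void add_kfunc_call(struct kfunc_tab *tab, uint32_t func_id,
			   uint16_t offset, unsigned long addr, bool init_imm)
{
	struct kfunc_desc *d = &tab->descs[tab->nr_descs++];

	d->func_id = func_id;
	d->offset = offset;
	d->addr = addr;
	/* Assumption: far-call JIT, so imm is the func_id itself. */
	d->imm = init_imm ? (int32_t)func_id : 0;
}

/* Model of specialize_kfunc(): runs only for calls that survived
 * dead-code removal. */
static void specialize_kfunc(struct kfunc_desc *d)
{
	d->imm = (int32_t)d->func_id;
}

/* JIT-side lookup: bsearch by (func_id, offset) over a table that was
 * sorted by (imm, offset). Returns the address, 0 if not found. */
static unsigned long get_kfunc_addr(const struct kfunc_tab *tab,
				    uint32_t func_id, uint16_t offset)
{
	struct kfunc_desc key = { .func_id = func_id, .offset = offset };
	const struct kfunc_desc *res;

	res = bsearch(&key, tab->descs, tab->nr_descs,
		      sizeof(tab->descs[0]), cmp_by_id_off);
	return res ? res->addr : 0;
}

/* Constructed program: three kfunc calls; only the call to func_id 50 is
 * reachable, the calls to 100 and 200 sit in dead code and are removed
 * before specialize_kfunc() runs. Returns the address resolved for the
 * reachable call, 0 meaning the JIT could not find it. */
unsigned long resolve_reachable_call(bool fix_applied)
{
	struct kfunc_tab tab;

	memset(&tab, 0, sizeof(tab)); /* like kzalloc */
	add_kfunc_call(&tab, 100, 0, 0x1000, fix_applied);
	add_kfunc_call(&tab, 200, 0, 0x2000, fix_applied);
	add_kfunc_call(&tab, 50, 0, 0x3000, fix_applied);

	specialize_kfunc(&tab.descs[2]); /* only the reachable call */

	/* do_misc_fixups(): sort by (imm, offset) */
	qsort(tab.descs, tab.nr_descs, sizeof(tab.descs[0]), cmp_by_imm_off);

	return get_kfunc_addr(&tab, 50, 0);
}

int main(void)
{
	printf("without fix: addr for func_id 50 = 0x%lx\n",
	       resolve_reachable_call(false));
	printf("with fix:    addr for func_id 50 = 0x%lx\n",
	       resolve_reachable_call(true));
	return 0;
}
```

Without the fix the two dead-code entries keep imm == 0 and sort ahead of the live entry, so the table reads (100, 200, 50) by func_id; the binary search for 50 probes index 1, then index 0, and gives up, which is the "fail to find addresses for valid kfunc calls" case the commit message describes. With imm initialized at add time the table sorts to (50, 100, 200) and the lookup succeeds. Note that a single misplaced entry does not always trip the search; it takes two or more unreachable calls, or a particular placement, for the probe sequence to land on a misordered slot.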
@kernel-patches-daemon-bpf-rc

Upstream branch: a4d31f4
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1022898
version: 2

@kernel-patches-daemon-bpf-rc

Upstream branch: 4f7bc83
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1022898
version: 2

Pull request is NOT updated. Failed to apply https://patchwork.kernel.org/project/netdevbpf/list/?series=1022898
error message:

Cmd('git') failed due to: exit code(128)
  cmdline: git am --3way
  stdout: 'Applying: bpf: verifier: initialize imm in kfunc_tab in add_kfunc_call()
Using index info to reconstruct a base tree...
M	kernel/bpf/verifier.c
Falling back to patching base and 3-way merge...
Auto-merging kernel/bpf/verifier.c
CONFLICT (content): Merge conflict in kernel/bpf/verifier.c
Patch failed at 0001 bpf: verifier: initialize imm in kfunc_tab in add_kfunc_call()'
  stderr: 'error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"'

conflict:

diff --cc kernel/bpf/verifier.c
index 098dd7f21c89,31136f9c418b..000000000000
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@@ -22381,6 -22363,17 +22393,20 @@@ static int specialize_kfunc(struct bpf_
  		if (!env->insn_aux_data[insn_idx].non_sleepable)
  			addr = (unsigned long)bpf_dynptr_from_file_sleepable;
  	}
++<<<<<<< HEAD
++=======
+ 
+ set_imm:
+ 	if (!bpf_jit_supports_far_kfunc_call()) {
+ 		call_imm = BPF_CALL_IMM(addr);
+ 		/* Check whether the relative offset overflows desc->imm */
+ 		if ((unsigned long)(s32)call_imm != call_imm) {
+ 			verbose(env, "address of kernel func_id %u is out of range\n", func_id);
+ 			return -EINVAL;
+ 		}
+ 		desc->imm = call_imm;
+ 	}
++>>>>>>> bpf: verifier: initialize imm in kfunc_tab in add_kfunc_call()
  	desc->addr = addr;
  	return 0;
  }
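Review bot: the conflict is a context mismatch at the tail of specialize_kfunc() rather than two competing edits: between the closing brace of the `non_sleepable` branch and `desc->addr = addr;`, the HEAD side is empty, while the patch side carries a `set_imm:` label and the block that computes `call_imm = BPF_CALL_IMM(addr)`, rejects it when `(unsigned long)(s32)call_imm != call_imm`, and stores it in desc->imm. The `@@@` header's line numbers (22381 / 22363 / 22393) confirm the function has moved between the two bases. v2 needs a rebase onto the daemon's current upstream branch (4f7bc83 per the preceding comment); when redoing it, locate where desc->imm is assigned on that tree so that the initialization added to add_kfunc_call() remains only the fallback for calls removed by opt_remove_dead_code(), and so that the s32 range check stays on the path that sets imm for the calls that are kept.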
