Re: [PATCH v2 3/6] powerpc64/bpf: Tailcall handling with trampolines

Wed, 14 Jan 2026 04:29:32 -0800 

> diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c
> index 069a8822c30d..e3088cf089d1 100644
> --- a/arch/powerpc/net/bpf_jit_comp.c
> +++ b/arch/powerpc/net/bpf_jit_comp.c

[ ... ]

> +static void bpf_trampoline_setup_tail_call_info(u32 *image, struct 
> codegen_context *ctx,
> +                                            int func_frame_offset,
> +                                            int bpf_dummy_frame_size, int 
> r4_off)
> +{
> +     if (IS_ENABLED(CONFIG_PPC64)) {
> +             /* See bpf_jit_stack_tailcallinfo_offset() */
> +             int tailcallinfo_offset = BPF_PPC_TAILCALL;
> +             /*
> +              * func_frame_offset =                                   ...(1)
> +              *     bpf_dummy_frame_size + trampoline_frame_size
> +              */
> +             EMIT(PPC_RAW_LD(_R4, _R1, func_frame_offset));
> +             EMIT(PPC_RAW_LD(_R3, _R4, -tailcallinfo_offset));
                              ^^^^

Should this LD instruction be an ADDI instead? Looking at the stack frame
setup, after the two STLU instructions in __arch_prepare_bpf_trampoline():

  STLU _R1, _R1, -bpf_dummy_frame_size  ->  stores original _R1 at dummy frame
  STLU _R1, _R1, -bpf_frame_size        ->  stores dummy frame ptr at tramp 
frame

>From the trampoline frame, the back chain stored in the dummy frame at offset
bpf_frame_size points to the caller's frame. But func_frame_offset equals
(bpf_dummy_frame_size + bpf_frame_size), which points into the caller's frame
itself. Loading from that address returns the caller's back chain (pointing
to the grandparent frame), not a pointer to the caller's frame.

This appears to cause the subsequent load at [_R4 - 8] to read the grandparent's
tail_call_info rather than the caller's. Would loading from [_R1 + 
bpf_frame_size]
give the correct pointer to the caller's frame?

For comparison, the subprogram prologue in bpf_jit_build_prologue() uses
[_R1 + 0] to get the back chain pointing to its caller, which seems like
the right pattern.

> +
> +             /*
> +              * Setting the tail_call_info in trampoline's frame
> +              * depending on if previous frame had value or reference.
> +              */
> +             EMIT(PPC_RAW_CMPLWI(_R3, MAX_TAIL_CALL_CNT));
> +             PPC_COND_BRANCH(COND_GT, CTX_NIA(ctx) + 8);
> +             EMIT(PPC_RAW_ADDI(_R3, _R4, 
> bpf_jit_stack_tailcallinfo_offset(ctx)));

[ ... ]


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/20993216190

Reply via email to