Re: [PATCH v2 3/6] powerpc64/bpf: Tailcall handling with trampolines

[PATCH v2 0/6] powerpc64/bpf: Support tailcalls with subprogs & BPF exceptions · <hidden> · 2026-01-14
[PATCH v2 1/6] powerpc64/bpf: Move tail_call_cnt to bottom of stack frame · <hidden> · 2026-01-14
Re: [PATCH v2 1/6] powerpc64/bpf: Move tail_call_cnt to bottom of stack frame · bot+bpf-ci@kernel.org · 2026-01-14
Re: [PATCH v2 1/6] powerpc64/bpf: Move tail_call_cnt to bottom of stack frame · "Christophe Leroy (CS GROUP)" <chleroy@kernel.org> · 2026-01-15
Re: [PATCH v2 1/6] powerpc64/bpf: Move tail_call_cnt to bottom of stack frame · Hari Bathini <hbathini@linux.ibm.com> · 2026-01-17
[PATCH v2 2/6] powerpc64/bpf: Support tailcalls with subprogs · <hidden> · 2026-01-14
Re: [PATCH v2 2/6] powerpc64/bpf: Support tailcalls with subprogs · "Christophe Leroy (CS GROUP)" <chleroy@kernel.org> · 2026-01-14
Re: [PATCH v2 2/6] powerpc64/bpf: Support tailcalls with subprogs · Hari Bathini <hbathini@linux.ibm.com> · 2026-01-17
[PATCH v2 3/6] powerpc64/bpf: Tailcall handling with trampolines · <hidden> · 2026-01-14
Re: [PATCH v2 3/6] powerpc64/bpf: Tailcall handling with trampolines · bot+bpf-ci@kernel.org · 2026-01-14
Re: [PATCH v2 3/6] powerpc64/bpf: Tailcall handling with trampolines · kernel test robot <hidden> · 2026-01-14
Re: [PATCH v2 3/6] powerpc64/bpf: Tailcall handling with trampolines · Hari Bathini <hbathini@linux.ibm.com> · 2026-01-17
Re: [PATCH v2 3/6] powerpc64/bpf: Tailcall handling with trampolines · Hari Bathini <hbathini@linux.ibm.com> · 2026-01-17
[PATCH v2 5/6] powerpc64/bpf: Support exceptions · <hidden> · 2026-01-14
Re: [PATCH v2 5/6] powerpc64/bpf: Support exceptions · Hari Bathini <hbathini@linux.ibm.com> · 2026-01-16
[PATCH v2 4/6] powerpc64/bpf: Add arch_bpf_stack_walk() for BPF JIT · <hidden> · 2026-01-14
Re: [PATCH v2 4/6] powerpc64/bpf: Add arch_bpf_stack_walk() for BPF JIT · "Christophe Leroy (CS GROUP)" <chleroy@kernel.org> · 2026-01-14
[PATCH v2 6/6] powerpc64/bpf: Additional NVR handling for bpf_throw · <hidden> · 2026-01-14
Re: [PATCH v2 6/6] powerpc64/bpf: Additional NVR handling for bpf_throw · bot+bpf-ci@kernel.org · 2026-01-14
Re: [PATCH v2 6/6] powerpc64/bpf: Additional NVR handling for bpf_throw · Hari Bathini <hbathini@linux.ibm.com> · 2026-01-17
Re: [PATCH v2 0/6] powerpc64/bpf: Support tailcalls with subprogs & BPF exceptions · "Christophe Leroy (CS GROUP)" <chleroy@kernel.org> · 2026-01-14

From: bot+bpf-ci@kernel.org
Date: 2026-01-14 12:25:20
Also in: bpf, linux-kselftest, lkml

diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c
index 069a8822c30d..e3088cf089d1 100644
--- a/arch/powerpc/net/bpf_jit_comp.c
+++ b/arch/powerpc/net/bpf_jit_comp.c

[ ... ]

+static void bpf_trampoline_setup_tail_call_info(u32 *image, struct codegen_context *ctx,
+					       int func_frame_offset,
+					       int bpf_dummy_frame_size, int r4_off)
+{
+	if (IS_ENABLED(CONFIG_PPC64)) {
+		/* See bpf_jit_stack_tailcallinfo_offset() */
+		int tailcallinfo_offset = BPF_PPC_TAILCALL;
+		/*
+		 * func_frame_offset =                                   ...(1)
+		 *     bpf_dummy_frame_size + trampoline_frame_size
+		 */
+		EMIT(PPC_RAW_LD(_R4, _R1, func_frame_offset));
+		EMIT(PPC_RAW_LD(_R3, _R4, -tailcallinfo_offset));

                              ^^^^

Should this LD instruction be an ADDI instead? Looking at the stack frame
setup, after the two STLU instructions in __arch_prepare_bpf_trampoline():

  STLU _R1, _R1, -bpf_dummy_frame_size  ->  stores original _R1 at dummy frame
  STLU _R1, _R1, -bpf_frame_size        ->  stores dummy frame ptr at tramp frame

From the trampoline frame, the back chain stored in the dummy frame at offset
bpf_frame_size points to the caller's frame. But func_frame_offset equals
(bpf_dummy_frame_size + bpf_frame_size), which points into the caller's frame
itself. Loading from that address returns the caller's back chain (pointing
to the grandparent frame), not a pointer to the caller's frame.

This appears to cause the subsequent load at [_R4 - 8] to read the grandparent's
tail_call_info rather than the caller's. Would loading from [_R1 + bpf_frame_size]
give the correct pointer to the caller's frame?

For comparison, the subprogram prologue in bpf_jit_build_prologue() uses
[_R1 + 0] to get the back chain pointing to its caller, which seems like
the right pattern.

+
+		/*
+		 * Setting the tail_call_info in trampoline's frame
+		 * depending on if previous frame had value or reference.
+		 */
+		EMIT(PPC_RAW_CMPLWI(_R3, MAX_TAIL_CALL_CNT));
+		PPC_COND_BRANCH(COND_GT, CTX_NIA(ctx) + 8);
+		EMIT(PPC_RAW_ADDI(_R3, _R4, bpf_jit_stack_tailcallinfo_offset(ctx)));

[ ... ]


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/20993216190

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help