Hello,

this series follows some discussions started in [1] around bpf
trampoline limitations on specific cases. When a trampoline is generated
for a target function involving many arguments, it has to properly find
and save the arguments that have been passed through the stack. While
this is doable with basic types (e.g. scalars), it brings more
uncertainty when dealing with specific types like structs (many ABIs
allow passing structures by value if they fit in a register or a pair of
registers). The issue is that those structures' layout and location on
the stack can be altered (i.e. with attributes, like packed or
aligned(x)), and this kind of alteration is not encoded in dwarf or BTF,
making the trampolines clueless about the needed adjustments. Rather
than trying to support this specific case, as agreed in [2], this series
aims to properly deny it.

It targets all the architectures currently implementing
arch_prepare_bpf_trampoline (except aarch64, since it has been handled
while adding the support for many args):
- x86
- s390
- riscv
- powerpc

A small validation function is added in the JIT compiler for each of
those architectures, ensuring that no argument passed on stack is a
struct. If so, the trampoline creation is cancelled. Any check on args
already implemented in a JIT comp has been moved into this new function.
On top of that, it updates the tracing_struct_many_args test, which now
merely checks that this case is indeed denied.

[1] https://lore.kernel.org/bpf/20250411-many_args_arm64-v1-0-0a32fe723...@bootlin.com/
[2] https://lore.kernel.org/bpf/caadnvqkr3ftnt1uqvrxbe0a2o37zyro2phqcohunw6pe5t2...@mail.gmail.com/

Signed-off-by: Alexis Lothoré (eBPF Foundation) <alexis.loth...@bootlin.com>
---
Alexis Lothoré (eBPF Foundation) (7):
      bpf/x86: use define for max regs count used for arguments
      bpf/x86: prevent trampoline attachment when args location on stack is uncertain
      bpf/riscv: prevent trampoline attachment when args location on stack is uncertain
      bpf/s390: prevent trampoline attachment when args location on stack is uncertain
      bpf/powerpc64: use define for max regs count used for arguments
      bpf/powerpc64: prevent trampoline attachment when args location on stack is uncertain
      selftests/bpf: ensure that functions passing structs on stack can not be hooked

 arch/powerpc/net/bpf_jit_comp.c                    | 38 ++++++++++--
 arch/riscv/net/bpf_jit_comp64.c                    | 26 +++++++-
 arch/s390/net/bpf_jit_comp.c                       | 33 ++++++++--
 arch/x86/net/bpf_jit_comp.c                        | 50 ++++++++++++----
 .../selftests/bpf/prog_tests/tracing_struct.c      | 37 +-----------
 .../selftests/bpf/progs/tracing_struct_many_args.c | 70 ----------------------
 .../testing/selftests/bpf/test_kmods/bpf_testmod.c | 43 ++-----------
 7 files changed, 129 insertions(+), 168 deletions(-)
---
base-commit: c4f4f8da70044d8b28fccf73016b4119f3e2fd50
change-id: 20250609-deny_trampoline_structs_on_stack-5bbc7bc20dd1

Best regards,
-- 
Alexis Lothoré, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
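
The kind of check the cover letter describes (refuse a target function when a struct argument would be passed on the stack), as an added example that is not code from this series or from the kernel. The function model, the flag and all names below are a simplified, hypothetical model, and the six-register limit assumes the x86-64 SysV ABI.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ARGS      12   /* assumed bound for this model */
#define MAX_ARG_REGS  6    /* x86-64 SysV integer argument registers */
#define REG_SIZE      8    /* bytes per argument register */
#define ARG_STRUCT    0x1  /* hypothetical flag: struct passed by value */

/* Hypothetical, simplified function model: per-argument size and flags. */
struct func_model {
    uint8_t nr_args;
    uint8_t arg_size[MAX_ARGS];
    uint8_t arg_flags[MAX_ARGS];
};

/* Returns false when any struct argument would be passed on the stack. */
bool args_location_certain(const struct func_model *m, unsigned max_regs)
{
    unsigned used = 0;

    for (unsigned i = 0; i < m->nr_args; i++) {
        unsigned need = (m->arg_size[i] + REG_SIZE - 1) / REG_SIZE;

        if (used + need <= max_regs) {
            used += need;          /* fits entirely in registers */
            continue;
        }
        /* Argument goes to the stack: only scalars are accepted there. */
        if (m->arg_flags[i] & ARG_STRUCT)
            return false;
    }
    return true;
}

/* Constructed sample models (sizes in bytes). */
const struct func_model seven_scalars    = { 7, {8,8,8,8,8,8,8},  {0} };
const struct func_model struct_in_regs   = { 5, {16,8,8,8,8},     {ARG_STRUCT} };
const struct func_model struct_on_stack  = { 7, {8,8,8,8,8,8,16}, {0,0,0,0,0,0,ARG_STRUCT} };
const struct func_model struct_straddles = { 6, {8,8,8,8,8,16},   {0,0,0,0,0,ARG_STRUCT} };

int main(void)
{
    printf("seven scalars:    %d\n", args_location_certain(&seven_scalars, MAX_ARG_REGS));
    printf("struct in regs:   %d\n", args_location_certain(&struct_in_regs, MAX_ARG_REGS));
    printf("struct on stack:  %d\n", args_location_certain(&struct_on_stack, MAX_ARG_REGS));
    printf("struct straddles: %d\n", args_location_certain(&struct_straddles, MAX_ARG_REGS));
    return 0;
}
```

The last sample covers the boundary case: a 16-byte struct that needs two registers when only one is left is passed on the stack, so it is rejected as well.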