+++ /dev/null
-From 882dd701c2d8315a4578bc4c9e860b155f90a8e2 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 13 Aug 2025 14:06:29 +0200
-Subject: s390/bpf: Write back tail call counter for BPF_PSEUDO_CALL
-
-From: Ilya Leoshkevich <iii@linux.ibm.com>
-
-[ Upstream commit c861a6b147137d10b5ff88a2c492ba376cd1b8b0 ]
-
-The tailcall_bpf2bpf_hierarchy_1 test hangs on s390. Its call graph is
-as follows:
-
- entry()
- subprog_tail()
- bpf_tail_call_static(0) -> entry + tail_call_start
- subprog_tail()
- bpf_tail_call_static(0) -> entry + tail_call_start
-
-entry() copies its tail call counter to the subprog_tail()'s frame,
-which then increments it. However, the incremented result is discarded,
-leading to an astronomically large number of tail calls.
-
-Fix by writing the incremented counter back to the entry()'s frame.
-
-Fixes: dd691e847d28 ("s390/bpf: Implement bpf_jit_supports_subprog_tailcalls()")
-Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-Link: https://lore.kernel.org/bpf/20250813121016.163375-3-iii@linux.ibm.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/s390/net/bpf_jit_comp.c | 23 ++++++++++++++++-------
- 1 file changed, 16 insertions(+), 7 deletions(-)
-
-diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
-index ead8d9ba9032c..a88d53fe87743 100644
---- a/arch/s390/net/bpf_jit_comp.c
-+++ b/arch/s390/net/bpf_jit_comp.c
-@@ -1775,13 +1775,6 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp,
- jit->seen |= SEEN_FUNC;
- /*
- * Copy the tail call counter to where the callee expects it.
-- *
-- * Note 1: The callee can increment the tail call counter, but
-- * we do not load it back, since the x86 JIT does not do this
-- * either.
-- *
-- * Note 2: We assume that the verifier does not let us call the
-- * main program, which clears the tail call counter on entry.
- */
- /* mvc STK_OFF_TCCNT(4,%r15),N(%r15) */
- _EMIT6(0xd203f000 | STK_OFF_TCCNT,
-@@ -1807,6 +1800,22 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp,
- call_r1(jit);
- /* lgr %b0,%r2: load return value into %b0 */
- EMIT4(0xb9040000, BPF_REG_0, REG_2);
-+
-+ /*
-+ * Copy the potentially updated tail call counter back.
-+ */
-+
-+ if (insn->src_reg == BPF_PSEUDO_CALL)
-+ /*
-+ * mvc frame_off+tail_call_cnt(%r15),
-+ * tail_call_cnt(4,%r15)
-+ */
-+ _EMIT6(0xd203f000 | (jit->frame_off +
-+ offsetof(struct prog_frame,
-+ tail_call_cnt)),
-+ 0xf000 | offsetof(struct prog_frame,
-+ tail_call_cnt));
-+
- break;
- }
- case BPF_JMP | BPF_TAIL_CALL: {
---
-2.51.0
-
+++ /dev/null
-From d40209feea67fcabbea45b180dc3afdba8ba225b Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 13 Aug 2025 14:06:30 +0200
-Subject: s390/bpf: Write back tail call counter for BPF_TRAMP_F_CALL_ORIG
-
-From: Ilya Leoshkevich <iii@linux.ibm.com>
-
-[ Upstream commit bc3905a71f02511607d3ccf732360580209cac4c ]
-
-The tailcall_bpf2bpf_hierarchy_fentry test hangs on s390. Its call
-graph is as follows:
-
- entry()
- subprog_tail()
- trampoline()
- fentry()
- the rest of subprog_tail() # via BPF_TRAMP_F_CALL_ORIG
- return to entry()
-
-The problem is that the rest of subprog_tail() increments the tail call
-counter, but the trampoline discards the incremented value. This
-results in an astronomically large number of tail calls.
-
-Fix by making the trampoline write the incremented tail call counter
-back.
-
-Fixes: 528eb2cb87bc ("s390/bpf: Implement arch_prepare_bpf_trampoline()")
-Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-Link: https://lore.kernel.org/bpf/20250813121016.163375-4-iii@linux.ibm.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/s390/net/bpf_jit_comp.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
-index a88d53fe87743..c15be6955cc7f 100644
---- a/arch/s390/net/bpf_jit_comp.c
-+++ b/arch/s390/net/bpf_jit_comp.c
-@@ -2808,6 +2808,9 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im,
- /* stg %r2,retval_off(%r15) */
- EMIT6_DISP_LH(0xe3000000, 0x0024, REG_2, REG_0, REG_15,
- tjit->retval_off);
-+ /* mvc tccnt_off(%r15),tail_call_cnt(4,%r15) */
-+ _EMIT6(0xd203f000 | tjit->tccnt_off,
-+ 0xf000 | offsetof(struct prog_frame, tail_call_cnt));
-
- im->ip_after_call = jit->prg_buf + jit->prg;
-
---
-2.51.0
-
libbpf-fix-reuse-of-devmap.patch
arm-dts-renesas-porter-fix-can-pin-group.patch
leds-flash-leds-qcom-flash-update-torch-current-clam.patch
-s390-bpf-write-back-tail-call-counter-for-bpf_pseudo.patch
-s390-bpf-write-back-tail-call-counter-for-bpf_tramp_.patch
cpufreq-scmi-account-for-malformed-dt-in-scmi_dev_us.patch
firmware-arm_scmi-mark-virtio-ready-before-registeri.patch
arm64-dts-imx93-kontron-fix-gpio-for-panel-regulator.patch
+++ /dev/null
-From 74dfe6acd15cd6587d1244674e9452bd495b55d8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 13 Aug 2025 14:06:29 +0200
-Subject: s390/bpf: Write back tail call counter for BPF_PSEUDO_CALL
-
-From: Ilya Leoshkevich <iii@linux.ibm.com>
-
-[ Upstream commit c861a6b147137d10b5ff88a2c492ba376cd1b8b0 ]
-
-The tailcall_bpf2bpf_hierarchy_1 test hangs on s390. Its call graph is
-as follows:
-
- entry()
- subprog_tail()
- bpf_tail_call_static(0) -> entry + tail_call_start
- subprog_tail()
- bpf_tail_call_static(0) -> entry + tail_call_start
-
-entry() copies its tail call counter to the subprog_tail()'s frame,
-which then increments it. However, the incremented result is discarded,
-leading to an astronomically large number of tail calls.
-
-Fix by writing the incremented counter back to the entry()'s frame.
-
-Fixes: dd691e847d28 ("s390/bpf: Implement bpf_jit_supports_subprog_tailcalls()")
-Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-Link: https://lore.kernel.org/bpf/20250813121016.163375-3-iii@linux.ibm.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/s390/net/bpf_jit_comp.c | 23 ++++++++++++++++-------
- 1 file changed, 16 insertions(+), 7 deletions(-)
-
-diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
-index 2d8facfd4e425..31a4bbd2e7dc4 100644
---- a/arch/s390/net/bpf_jit_comp.c
-+++ b/arch/s390/net/bpf_jit_comp.c
-@@ -1425,13 +1425,6 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp,
- jit->seen |= SEEN_FUNC;
- /*
- * Copy the tail call counter to where the callee expects it.
-- *
-- * Note 1: The callee can increment the tail call counter, but
-- * we do not load it back, since the x86 JIT does not do this
-- * either.
-- *
-- * Note 2: We assume that the verifier does not let us call the
-- * main program, which clears the tail call counter on entry.
- */
- /* mvc STK_OFF_TCCNT(4,%r15),N(%r15) */
- _EMIT6(0xd203f000 | STK_OFF_TCCNT,
-@@ -1457,6 +1450,22 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp,
- call_r1(jit);
- /* lgr %b0,%r2: load return value into %b0 */
- EMIT4(0xb9040000, BPF_REG_0, REG_2);
-+
-+ /*
-+ * Copy the potentially updated tail call counter back.
-+ */
-+
-+ if (insn->src_reg == BPF_PSEUDO_CALL)
-+ /*
-+ * mvc frame_off+tail_call_cnt(%r15),
-+ * tail_call_cnt(4,%r15)
-+ */
-+ _EMIT6(0xd203f000 | (jit->frame_off +
-+ offsetof(struct prog_frame,
-+ tail_call_cnt)),
-+ 0xf000 | offsetof(struct prog_frame,
-+ tail_call_cnt));
-+
- break;
- }
- case BPF_JMP | BPF_TAIL_CALL: {
---
-2.51.0
-
+++ /dev/null
-From 893445b9a191c634c2e59e7a3f7f182ea3e9076b Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 13 Aug 2025 14:06:30 +0200
-Subject: s390/bpf: Write back tail call counter for BPF_TRAMP_F_CALL_ORIG
-
-From: Ilya Leoshkevich <iii@linux.ibm.com>
-
-[ Upstream commit bc3905a71f02511607d3ccf732360580209cac4c ]
-
-The tailcall_bpf2bpf_hierarchy_fentry test hangs on s390. Its call
-graph is as follows:
-
- entry()
- subprog_tail()
- trampoline()
- fentry()
- the rest of subprog_tail() # via BPF_TRAMP_F_CALL_ORIG
- return to entry()
-
-The problem is that the rest of subprog_tail() increments the tail call
-counter, but the trampoline discards the incremented value. This
-results in an astronomically large number of tail calls.
-
-Fix by making the trampoline write the incremented tail call counter
-back.
-
-Fixes: 528eb2cb87bc ("s390/bpf: Implement arch_prepare_bpf_trampoline()")
-Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-Link: https://lore.kernel.org/bpf/20250813121016.163375-4-iii@linux.ibm.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/s390/net/bpf_jit_comp.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
-index 31a4bbd2e7dc4..fe0354ad3bb96 100644
---- a/arch/s390/net/bpf_jit_comp.c
-+++ b/arch/s390/net/bpf_jit_comp.c
-@@ -2442,6 +2442,9 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im,
- /* stg %r2,retval_off(%r15) */
- EMIT6_DISP_LH(0xe3000000, 0x0024, REG_2, REG_0, REG_15,
- tjit->retval_off);
-+ /* mvc tccnt_off(%r15),tail_call_cnt(4,%r15) */
-+ _EMIT6(0xd203f000 | tjit->tccnt_off,
-+ 0xf000 | offsetof(struct prog_frame, tail_call_cnt));
-
- im->ip_after_call = jit->prg_buf + jit->prg;
-
---
-2.51.0
-
libbpf-fix-reuse-of-devmap.patch
arm-dts-renesas-porter-fix-can-pin-group.patch
leds-flash-leds-qcom-flash-update-torch-current-clam.patch
-s390-bpf-write-back-tail-call-counter-for-bpf_pseudo.patch
-s390-bpf-write-back-tail-call-counter-for-bpf_tramp_.patch
cpufreq-scmi-account-for-malformed-dt-in-scmi_dev_us.patch
acpi-processor-idle-fix-memory-leak-when-register-cp.patch
soc-qcom-rpmh-rsc-unconditionally-clear-_trigger-bit.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
