On Wed, Aug 20, 2025 at 11:37 PM Huacai Chen <chenhuacai@xxxxxxxxxx> wrote:
>
> Hi, Hengqi,
>
> On Wed, Aug 20, 2025 at 8:06 PM Hengqi Chen <hengqi.chen@xxxxxxxxx> wrote:
> >
> > The ns_bpf_qdisc selftest triggers a kernel panic:
> >
> > [ 2738.595309] CPU 0 Unable to handle kernel paging request at virtual address 0000000000741d58, era == 90000000851b5ac0, ra == 90000000851b5aa4
> > [ 2738.596716] Oops[#1]:
> > [ 2738.596980] CPU: 0 UID: 0 PID: 449 Comm: test_progs Tainted: G OE 6.16.0+ #3 PREEMPT(full)
> > [ 2738.597184] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
> > [ 2738.597265] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022
> > [ 2738.597386] pc 90000000851b5ac0 ra 90000000851b5aa4 tp 90000001076b8000 sp 90000001076bb600
> > [ 2738.597484] a0 0000000000741ce8 a1 0000000000000001 a2 90000001076bb5c0 a3 0000000000000008
> > [ 2738.597577] a4 90000001004c4620 a5 9000000100741ce8 a6 0000000000000000 a7 0100000000000000
> > [ 2738.597682] t0 0000000000000010 t1 0000000000000000 t2 9000000104d24d30 t3 0000000000000001
> > [ 2738.597835] t4 4f2317da8a7e08c4 t5 fffffefffc002f00 t6 90000001004c4620 t7 ffffffffc61c5b3d
> > [ 2738.597997] t8 0000000000000000 u0 0000000000000001 s9 0000000000000050 s0 90000001075bc800
> > [ 2738.598097] s1 0000000000000040 s2 900000010597c400 s3 0000000000000008 s4 90000001075bc880
> > [ 2738.598196] s5 90000001075bc8f0 s6 0000000000000000 s7 0000000000741ce8 s8 0000000000000000
> > [ 2738.598313] ra: 90000000851b5aa4 __qdisc_run+0xac/0x8d8
> > [ 2738.598553] ERA: 90000000851b5ac0 __qdisc_run+0xc8/0x8d8
> > [ 2738.598629] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
> > [ 2738.598991] PRMD: 00000004 (PPLV0 +PIE -PWE)
> > [ 2738.599065] EUEN: 00000007 (+FPE +SXE +ASXE -BTE)
> > [ 2738.599160] ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)
> > [ 2738.599278] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)
> > [ 2738.599364] BADV: 0000000000741d58
> > [ 2738.599429] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)
> > [ 2738.599513] Modules linked in: bpf_testmod(OE) [last unloaded: bpf_testmod(OE)]
> > [ 2738.599724] Process test_progs (pid: 449, threadinfo=000000009af02b3a, task=00000000e9ba4956)
> > [ 2738.599916] Stack : 0000000000000000 90000001075bc8ac 90000000869524a8 9000000100741ce8
> > [ 2738.600065] 90000001075bc800 9000000100415300 90000001075bc8ac 0000000000000000
> > [ 2738.600170] 900000010597c400 900000008694a000 0000000000000000 9000000105b59000
> > [ 2738.600278] 90000001075bc800 9000000100741ce8 0000000000000050 900000008513000c
> > [ 2738.600381] 9000000086936000 0000000100094d4c fffffff400676208 0000000000000000
> > [ 2738.600482] 9000000105b59000 900000008694a000 9000000086bf0dc0 9000000105b59000
> > [ 2738.600585] 9000000086bf0d68 9000000085147010 90000001075be788 0000000000000000
> > [ 2738.600690] 9000000086bf0f98 0000000000000001 0000000000000010 9000000006015840
> > [ 2738.600795] 0000000000000000 9000000086be6c40 0000000000000000 0000000000000000
> > [ 2738.600901] 0000000000000000 4f2317da8a7e08c4 0000000000000101 4f2317da8a7e08c4
> > [ 2738.601007] ...
> > [ 2738.601062] Call Trace:
> > [ 2738.601135] [<90000000851b5ac0>] __qdisc_run+0xc8/0x8d8
> > [ 2738.601396] [<9000000085130008>] __dev_queue_xmit+0x578/0x10f0
> > [ 2738.601482] [<90000000853701c0>] ip6_finish_output2+0x2f0/0x950
> > [ 2738.601568] [<9000000085374bc8>] ip6_finish_output+0x2b8/0x448
> > [ 2738.601646] [<9000000085370b24>] ip6_xmit+0x304/0x858
> > [ 2738.601711] [<90000000853c4438>] inet6_csk_xmit+0x100/0x170
> > [ 2738.601784] [<90000000852b32f0>] __tcp_transmit_skb+0x490/0xdd0
> > [ 2738.601863] [<90000000852b47fc>] tcp_connect+0xbcc/0x1168
> > [ 2738.601934] [<90000000853b9088>] tcp_v6_connect+0x580/0x8a0
> > [ 2738.602019] [<90000000852e7738>] __inet_stream_connect+0x170/0x480
> > [ 2738.602103] [<90000000852e7a98>] inet_stream_connect+0x50/0x88
> > [ 2738.602175] [<90000000850f2814>] __sys_connect+0xe4/0x110
> > [ 2738.602244] [<90000000850f2858>] sys_connect+0x18/0x28
> > [ 2738.602320] [<9000000085520c94>] do_syscall+0x94/0x1a0
> > [ 2738.602399] [<9000000083df1fb8>] handle_syscall+0xb8/0x158
> > [ 2738.602502]
> > [ 2738.602546] Code: 4001ad80 2400873f 2400832d <240073cc> 001137ff 001133ff 6407b41f 001503cc 0280041d
> > [ 2738.602724]
> > [ 2738.602916] ---[ end trace 0000000000000000 ]---
> It is enough to end up here, and please remove the timestamp.
OK.
>
> > [ 2738.603210] Kernel panic - not syncing: Fatal exception in interrupt
> > [ 2738.603548] Kernel relocated by 0x83bb0000
> > [ 2738.603622] .text @ 0x9000000083db0000
> > [ 2738.603699] .data @ 0x9000000085690000
> > [ 2738.603753] .bss @ 0x9000000087491e00
> > [ 2738.603900] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
> >
> > The bpf_fifo_dequeue prog returns a skb which is a pointer.
> > The pointer is treated as a 32bit value and sign extend to
> > 64bit in epilogue. This behavior is right for most bpf prog
> > types but wrong for struct ops which requires LoongArch ABI.
> >
> > So let's sign extend struct ops return values according to
> > the return value spec in function model.
> >
> > Fixes: 6abf17d690d8 ("LoongArch: BPF: Add struct ops support for trampoline")
> > Signed-off-by: Hengqi Chen <hengqi.chen@xxxxxxxxx>
> > ---
> > arch/loongarch/net/bpf_jit.c | 47 ++++++++++++++++++++++++++++++------
> > 1 file changed, 40 insertions(+), 7 deletions(-)
> >
> > diff --git a/arch/loongarch/net/bpf_jit.c b/arch/loongarch/net/bpf_jit.c
> > index abfdb6bb5c38..4077565c9934 100644
> > --- a/arch/loongarch/net/bpf_jit.c
> > +++ b/arch/loongarch/net/bpf_jit.c
> > @@ -1361,7 +1361,8 @@ static void restore_args(struct jit_ctx *ctx, int nargs, int args_off)
> > }
> >
> > static int invoke_bpf_prog(struct jit_ctx *ctx, struct bpf_tramp_link *l,
> > - int args_off, int retval_off, int run_ctx_off, bool save_ret)
> > + const struct btf_func_model *m, int args_off,
> > + int retval_off, int run_ctx_off, bool save_ret)
> > {
> > int ret;
> > u32 *branch;
> > @@ -1425,13 +1426,14 @@ static int invoke_bpf_prog(struct jit_ctx *ctx, struct bpf_tramp_link *l,
> > }
> >
> > static void invoke_bpf_mod_ret(struct jit_ctx *ctx, struct bpf_tramp_links *tl,
> > - int args_off, int retval_off, int run_ctx_off, u32 **branches)
> > + const struct btf_func_model *m, int args_off,
> > + int retval_off, int run_ctx_off, u32 **branches)
> > {
> > int i;
> >
> > emit_insn(ctx, std, LOONGARCH_GPR_ZERO, LOONGARCH_GPR_FP, -retval_off);
> > for (i = 0; i < tl->nr_links; i++) {
> > - invoke_bpf_prog(ctx, tl->links[i], args_off, retval_off, run_ctx_off, true);
> > + invoke_bpf_prog(ctx, tl->links[i], m, args_off, retval_off, run_ctx_off, true);
> > emit_insn(ctx, ldd, LOONGARCH_GPR_T1, LOONGARCH_GPR_FP, -retval_off);
> > branches[i] = (u32 *)ctx->image + ctx->idx;
> > emit_insn(ctx, nop);
> > @@ -1448,6 +1450,30 @@ void arch_free_bpf_trampoline(void *image, unsigned int size)
> > bpf_prog_pack_free(image, size);
> > }
> >
> > +/*
> > + * Sign-extend the register if necessary
> > + */
> > +static int sign_extend(struct jit_ctx *ctx, int r, u8 size)
> > +{
> > + switch (size) {
> > + case 1:
> > + emit_insn(ctx, sllid, r, r, 56);
> > + emit_insn(ctx, sraid, r, r, 56);
> > + return 0;
> > + case 2:
> > + emit_insn(ctx, sllid, r, r, 48);
> > + emit_insn(ctx, sraid, r, r, 48);
> > + return 0;
> > + case 4:
> > + emit_insn(ctx, addiw, r, r, 0);
> > + return 0;
> > + case 8:
> > + return 0;
> > + default:
> > + return -1;
> > + }
> > +}
> Is it possible to rewrite like this?
I guess no. This is a precaution. There are return values like
int128_t or struct.
BTF_FMODEL_STRUCT_ARG is an example.
>
> +static void sign_extend(struct jit_ctx *ctx, int r, u8 size)
> +{
> + switch (size) {
> + case 1:
> + emit_insn(ctx, sllid, r, r, 56);
> + emit_insn(ctx, sraid, r, r, 56);
> + break;
> + case 2:
> + emit_insn(ctx, sllid, r, r, 48);
> + emit_insn(ctx, sraid, r, r, 48);
> + break;
> + case 4:
> + emit_insn(ctx, addiw, r, r, 0);
> + break;
> + case 8:
> + default:
> + break;
> + }
> +}
>
> Huacai
>
> > +
> > static int __arch_prepare_bpf_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
> > const struct btf_func_model *m, struct bpf_tramp_links *tlinks,
> > void *func_addr, u32 flags)
> > @@ -1602,8 +1628,8 @@ static int __arch_prepare_bpf_trampoline(struct jit_ctx *ctx, struct bpf_tramp_i
> > }
> >
> > for (i = 0; i < fentry->nr_links; i++) {
> > - ret = invoke_bpf_prog(ctx, fentry->links[i], args_off, retval_off,
> > - run_ctx_off, flags & BPF_TRAMP_F_RET_FENTRY_RET);
> > + ret = invoke_bpf_prog(ctx, fentry->links[i], m, args_off, retval_off,
> > + run_ctx_off, flags & BPF_TRAMP_F_RET_FENTRY_RET);
> > if (ret)
> > return ret;
> > }
> > @@ -1612,7 +1638,7 @@ static int __arch_prepare_bpf_trampoline(struct jit_ctx *ctx, struct bpf_tramp_i
> > if (!branches)
> > return -ENOMEM;
> >
> > - invoke_bpf_mod_ret(ctx, fmod_ret, args_off, retval_off, run_ctx_off, branches);
> > + invoke_bpf_mod_ret(ctx, fmod_ret, m, args_off, retval_off, run_ctx_off, branches);
> > }
> >
> > if (flags & BPF_TRAMP_F_CALL_ORIG) {
> > @@ -1638,7 +1664,8 @@ static int __arch_prepare_bpf_trampoline(struct jit_ctx *ctx, struct bpf_tramp_i
> > }
> >
> > for (i = 0; i < fexit->nr_links; i++) {
> > - ret = invoke_bpf_prog(ctx, fexit->links[i], args_off, retval_off, run_ctx_off, false);
> > + ret = invoke_bpf_prog(ctx, fexit->links[i], m, args_off,
> > + retval_off, run_ctx_off, false);
> > if (ret)
> > goto out;
> > }
> > @@ -1657,6 +1684,12 @@ static int __arch_prepare_bpf_trampoline(struct jit_ctx *ctx, struct bpf_tramp_i
> > if (save_ret) {
> > emit_insn(ctx, ldd, LOONGARCH_GPR_A0, LOONGARCH_GPR_FP, -retval_off);
> > emit_insn(ctx, ldd, regmap[BPF_REG_0], LOONGARCH_GPR_FP, -(retval_off - 8));
> > + if (is_struct_ops) {
> > + move_reg(ctx, LOONGARCH_GPR_A0, regmap[BPF_REG_0]);
> > + ret = sign_extend(ctx, LOONGARCH_GPR_A0, m->ret_size);
> > + if (ret)
> > + goto out;
> > + }
> > }
> >
> > emit_insn(ctx, ldd, LOONGARCH_GPR_S1, LOONGARCH_GPR_FP, -sreg_off);
> > --
> > 2.43.5
> >
> >
