[PATCH bpf-next] bpf, arm32: Reject BPF_PSEUDO_CALL in the JIT

bot+bpf-ci at kernel.org bot+bpf-ci at kernel.org
Fri Apr 17 04:17:04 PDT 2026


> Fixes: 1c2a088a6626 ("bpf: x64: add JIT support for multi-function programs")

Is this the correct Fixes tag? That commit only modified x64 JIT code
and BPF core infrastructure for BPF-to-BPF calls - it never touched
arch/arm/net/bpf_jit_32.c.

The actual bug was introduced by commit 39c13c204bb1 ("arm: eBPF JIT
compiler") from August 2017, which added the ARM32 eBPF JIT with
BPF_CALL handling but failed to reject BPF_PSEUDO_CALL. The code has
been incorrectly computing function addresses as 'func = __bpf_call_base
+ imm' for BPF_PSEUDO_CALL since the ARM32 JIT was first introduced.

Suggested: Fixes: 39c13c204bb1 ("arm: eBPF JIT compiler")

> diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
> index deeb8f292454..91fef10e88bc 100644
> --- a/arch/arm/net/bpf_jit_32.c
> +++ b/arch/arm/net/bpf_jit_32.c
> @@ -2047,6 +2047,8 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx)
>  	/* function call */
>  	case BPF_JMP | BPF_CALL:
>  	{
> +		if (insn->src_reg == BPF_PSEUDO_CALL)
> +			goto notyet;
>  		const s8 *r0 = bpf2a32[BPF_REG_0];
>  		const s8 *r1 = bpf2a32[BPF_REG_1];
>  		const s8 *r2 = bpf2a32[BPF_REG_2];
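
Review bot: the new `if (insn->src_reg == BPF_PSEUDO_CALL)` check is placed ahead of the `const s8 *r0`, `*r1` and `*r2` declarations inside the `case BPF_JMP | BPF_CALL:` block, so a statement now precedes the block's declarations. Kernel style keeps declarations first, so move the check below the last local declaration in the block, or ahead of the opening brace. A one-line comment above the check saying why BPF-to-BPF calls are rejected here would also help, since the hunk itself gives no reason for the `goto notyet`.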


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/24561211195

