[PATCH bpf-next v6 6/7] riscv, bpf: Mixing bpf2bpf and tailcalls

Pu Lehui pulehui at huaweicloud.com
Thu Jul 9 08:09:37 PDT 2026


On 2026/7/9 19:37, Björn Töpel wrote:
> Sorry for the delay here -- the bot had me thinking a bit.
> 
> On Wed, 8 Jul 2026 at 10:54, Pu Lehui <pulehui at huaweicloud.com> wrote:
> 
> ...
> 
>>> This assumes a fixed number of instructions before the tailcall entry
>>> point. When is_subprog is true, the rv_addi() instruction is not emitted,
>>> which means the tailcall entry point moves forward by 4 bytes relative to
>>> where RV_TAILCALL_OFFSET expects it to be.
>>>
>>> The tailcall entry is used in emit_bpf_tail_call() when calculating the
>>> jump target for the tail call. If RV_TAILCALL_OFFSET doesn't account for
>>> the conditional emission, could this cause the wrong entry point to be
>>> used when tail calling into subprograms?
>>
>> This is not an issue, subprog can not be the tailcall callee.
> 
> Say, that we have an entry function that does bpf_for_each_map_array()
> into a callback cb(). cb() is a subprogram, so no init of TCC. Now,
> cb() calls another subprogram that does a tailcall.
> 
> The callback to cb() is coming from the kernel, so a6 could have been
> clobbered, no? We're entering a subprogram coming from the C ABI. Now,
> if the callback calls a subprog that's tail-call reachable, the TCC
> can be garbage?

Sashiko reported the same issue yesterday. I verified that the verifier 
rejects cases where a tail call is invoked within a callback; 
specifically, while the callback's return value range is [0, 1], the 
simulation of the exit path in `check_helper_call` (handling the tail 
call helper) marks R0 as UNKNOWN, causing the verifier to reject it—so I 
didn't investigate further. However, I just verified that the verifier 
*does* accept the scenario where a callback calls a subprogram, and that 
subprogram subsequently calls a tail call. I believe this scenario ought 
to be rejected; perhaps some changes are needed in the verifier, 
otherwise tail calls on other architectures (like x86) would also be 
susceptible to infinite loop issues.

> 
> 
> Björn




More information about the linux-riscv mailing list