[PATCH bpf-next v3 2/3] bpf, riscv: add fsession support for trampolines

bot+bpf-ci at kernel.org bot+bpf-ci at kernel.org
Fri Feb 6 04:51:36 PST 2026 

> diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c
> --- a/arch/riscv/net/bpf_jit_comp64.c
> +++ b/arch/riscv/net/bpf_jit_comp64.c

[ ... ]

> +static int invoke_bpf(struct bpf_tramp_links *tl, int args_off, int retval_off,
> +		      int run_ctx_off, int func_meta_off, bool save_ret, u64 func_meta,
> +		      int cookie_off, struct rv_jit_context *ctx)
> +{
> +	int i, cur_cookie = (cookie_off - args_off) / 8;
> +
> +	for (i = 0; i < tl->nr_links; i++) {
> +		int err;
> +
> +		if (bpf_prog_calls_session_cookie(&tl->links[i])) {
                                                ^^^^^^^^^^^^^^

Should this be tl->links[i] instead of &tl->links[i]?

The function bpf_prog_calls_session_cookie() expects a struct bpf_tramp_link
pointer, but tl->links is an array of pointers, so tl->links[i] is already
a struct bpf_tramp_link pointer. The extra & passes a pointer-to-pointer.

For comparison, arm64 uses:

    if (bpf_prog_calls_session_cookie(fentry->links[i]))

And include/linux/bpf.h uses:

    if (bpf_prog_calls_session_cookie(fentries.links[i]))

Both without the &.

> +			u64 meta = func_meta | ((u64)cur_cookie << BPF_TRAMP_COOKIE_INDEX_SHIFT);
> +
> +			emit_store_stack_imm64(RV_REG_T1, -func_meta_off, meta, ctx);
> +			cur_cookie--;
> +		}
> +		err = invoke_bpf_prog(tl->links[i], args_off, retval_off, run_ctx_off,
> +				      save_ret, ctx);

Note that invoke_bpf_prog() correctly uses tl->links[i] without the &.


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21750727924

AI-authorship-score: low
AI-authorship-explanation: The code follows kernel conventions and has been reviewed by maintainers with acked-by tags, indicating human authorship.
issues-found: 1
issue-severity-score: high
issue-severity-explanation: Wrong pointer type passed to bpf_prog_calls_session_cookie() will cause undefined behavior when accessing session cookie state, breaking fsession functionality on RISC-V.

More information about the linux-riscv mailing list