1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index dbba2b8060176..18e673c0ac159 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -19774,6 +19774,9 @@ static int check_attach_btf_id(struct bpf_verifier_env *env)
     if (!tr)
         return -ENOMEM;

+   if (tgt_prog && tgt_prog->aux->tail_call_reachable)
+       tr->flags = BPF_TRAMP_F_TAIL_CALL_CTX;
+
     prog->aux->dst_trampoline = tr;
     return 0;
 }

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62

diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
index bcca1c9b9a027..2846c21d75bfa 100644
--- a/arch/x86/net/bpf_jit_comp.c
+++ b/arch/x86/net/bpf_jit_comp.c
@@ -1022,6 +1022,10 @@ static void emit_shiftx(u8 **pprog, u32 dst_reg, u8 src_reg, bool is64, u8 op)

 #define INSN_SZ_DIFF (((addrs[i] - addrs[i - 1]) - (prog - temp)))

+/* mov rax, qword ptr [rbp - rounded_stack_depth - 8] */
+#define RESTORE_TAIL_CALL_CNT(stack)               \
+   EMIT3_off32(0x48, 0x8B, 0x85, -round_up(stack, 8) - 8)
+
// ...
@@ -2404,6 +2406,7 @@ int arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *image, void *i
      *                     [ ...        ]
      *                     [ stack_arg2 ]
      * RBP - arg_stack_off [ stack_arg1 ]
+    * RSP                 [ tail_call_cnt ] BPF_TRAMP_F_TAIL_CALL_CTX
      */

     /* room for return value of orig_call or fentry prog */
@@ -2468,6 +2471,8 @@ int arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *image, void *i
     else
         /* sub rsp, stack_size */
         EMIT4(0x48, 0x83, 0xEC, stack_size);
+   if (flags & BPF_TRAMP_F_TAIL_CALL_CTX)
+       EMIT1(0x50);        /* push rax */
     /* mov QWORD PTR [rbp - rbx_off], rbx */
     emit_stx(&prog, BPF_DW, BPF_REG_FP, BPF_REG_6, -rbx_off);

@@ -2520,9 +2525,15 @@ int arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *image, void *i
         restore_regs(m, &prog, regs_off);
         save_args(m, &prog, arg_stack_off, true);

+       if (flags & BPF_TRAMP_F_TAIL_CALL_CTX)
+           /* Before calling the original function, restore the
+            * tail_call_cnt from stack to rax.
+            */
+           RESTORE_TAIL_CALL_CNT(stack_size);
+
         if (flags & BPF_TRAMP_F_ORIG_STACK) {
-           emit_ldx(&prog, BPF_DW, BPF_REG_0, BPF_REG_FP, 8);
-           EMIT2(0xff, 0xd0); /* call *rax */
+           emit_ldx(&prog, BPF_DW, BPF_REG_6, BPF_REG_FP, 8);
+           EMIT2(0xff, 0xd3); /* call *rbx */
         } else {
             /* call original function */
             if (emit_rsb_call(&prog, orig_call, prog)) {
@@ -2573,7 +2584,12 @@ int arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *image, void *i
             ret = -EINVAL;
             goto cleanup;
         }
-   }
+   } else if (flags & BPF_TRAMP_F_TAIL_CALL_CTX)
+       /* Before running the original function, restore the
+        * tail_call_cnt from stack to rax.
+        */
+       RESTORE_TAIL_CALL_CNT(stack_size);
+
     /* restore return value of orig_call or fentry prog back into RAX */
     if (save_ret)
         emit_ldx(&prog, BPF_DW, BPF_REG_0, BPF_REG_FP, -8);