Re: [PATCH bpf-next v1] bpf: Fix unaligned interpreter panic on JIT fallback path

[Tiezhu Yang]

On 2026/6/11 下午3:37, Leon Hwang wrote:
> On 11/6/26 15:00, Tiezhu Yang wrote:
> [...]
> >   
> > +/*
> > + * Rewrite the helper call offset for inlined helpers when fallback to
> > + * the interpreter happens due to JIT compilation failure or JIT disabled.
> > + */
> > +static void bpf_fixup_fallback_inline_helpers(struct bpf_verifier_env *env, struct bpf_prog *fp)
> > +{
> > +	struct bpf_insn *insn = fp->insnsi;
> > +	const struct bpf_func_proto *fn;
> > +	int i;
> > +
> > +	if (!env || !env->ops->get_func_proto)
> > +		return;
> > +
> > +	for (i = 0; i < fp->len; i++, insn++) {
> > +		if (insn->code == (BPF_JMP | BPF_CALL) && insn->src_reg == 0) {
> > +			if (bpf_jit_inlines_helper_call(insn->imm)) {
> > +				fn = env->ops->get_func_proto(insn->imm, fp);
> > +				if (fn && fn->func)
> > +					insn->imm = fn->func - __bpf_call_base;
>
> Might have pointer-to-integer warning?

Thanks for the review!

I followed the existing implementation patterns in bpf_do_misc_fixups(),
where it explicitly assigns the delta directly without an explicit cast:

  insn->imm = fn->func - __bpf_call_base;

Keeping it this way ensures maximum consistency with the native code
style in the BPF subsystem, and it does not trigger pointer-to-integer
conversion warnings during my compilation tests.

> > +			}
> > +		}
> > +	}
> > +}
> > +
> >   struct bpf_prog *__bpf_prog_select_runtime(struct bpf_verifier_env *env, struct bpf_prog *fp,
> >   					   int *err)
> >   {
> > @@ -2639,6 +2663,15 @@ struct bpf_prog *__bpf_prog_select_runtime(struct bpf_verifier_env *env, struct
> >   
> >   		fp = bpf_prog_jit_compile(env, fp);
> >   		bpf_prog_jit_attempt_done(fp);
> > +
> > +		/*
> > +		 * If JIT compilation failed or is disabled (!fp->jited), we are
> > +		 * about to fall back to the interpreter path. Fix up the call
> > +		 * offsets to prevent unaligned memory access panic.
> > +		 */
> > +		if (!fp->jited)
> > +			bpf_fixup_fallback_inline_helpers(env, fp);
> > +
>
> Better to move it after (!fp->jited && jit_needed)?

This is a very sharp catch!

Moving it after (!fp->jited && jit_needed) avoids redundant instruction
traversal on mandatory JIT failure paths. I will update the placement
in the next vision.

Thanks,
Tiezhu