Re: XDP BPF JIT memory leak on armv7
From: Daniel Borkmann
Date: Fri Apr 17 2026 - 07:26:50 EST
On 4/17/26 11:56 AM, Puranjay Mohan wrote:
On 2026-04-16 16:36, Daniel Borkmann wrote:
I don't have access to arm32, but it looks like it's completely missing the
ability to do BPF to BPF calls.. you would need something like the below
(uncompiled / untested).
Applying your patch to latest master leads to a paging error [1] and
segmentation fault in xdp_program__attach when I run
./xdp_pass_user -d lo
I think the problem is that BPF to BPF calls are not supported but the
JIT doesn't reject them as well, so the best way to fix this would be
to do:
diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
index deeb8f292454..91fef10e88bc 100644
--- a/arch/arm/net/bpf_jit_32.c
+++ b/arch/arm/net/bpf_jit_32.c
@@ -2047,6 +2047,8 @@ static int build_insn(const struct bpf_insn
*insn, struct jit_ctx *ctx)
/* function call */
case BPF_JMP | BPF_CALL:
{
+ if (insn->src_reg == BPF_PSEUDO_CALL)
+ goto notyet;
const s8 *r0 = bpf2a32[BPF_REG_0];
const s8 *r1 = bpf2a32[BPF_REG_1];
const s8 *r2 = bpf2a32[BPF_REG_2];
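Review bot: the new `if (insn->src_reg == BPF_PSEUDO_CALL)` check is placed ahead of the `const s8 *r0`, `r1` and `r2` declarations inside the `BPF_JMP | BPF_CALL` block, so a statement now precedes declarations in that scope; moving the check below the declarations keeps the block declarations-first. A one-line comment above the check stating that BPF to BPF calls are not supported by this JIT would also document why the `goto notyet` bailout is there.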
This will cause the memory to be freed properly.
This works for me and resolves the issue.
Tested-by: Jonas Rebmann <jre@xxxxxxxxxxxxxx>
Thanks for testing, let me send the patch to the list.
Sounds good, I think it might also be worth checking the other
JITs which are not mainstream to see if they have the extra
pass and, if not, then adding a similar not-yet bailout to them.
Cheers,
Daniel