From: Zesen Liu
Date: Sat, 20 Dec 2025 19:35:04 +0800
Subject: [RFC PATCH bpf 1/2] bpf: Fix memory access tags in helper prototypes
Message-Id: <20251220-helper_proto-v1-1-2206e0d9422d@gmail.com>
References: <20251220-helper_proto-v1-0-2206e0d9422d@gmail.com>
In-Reply-To: <20251220-helper_proto-v1-0-2206e0d9422d@gmail.com>
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Matt Bobrowski, Steven Rostedt, Masami Hiramatsu, Mathieu Desnoyers, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Daniel Xu, Shuah Khan
Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, Zesen Liu, Shuran Liu, Peili Gao, Haoran Ni

After commit 37cce22dbd51 ("bpf: verifier: Refactor helper access type tracking"), the verifier started relying on the access type tags in helper function prototypes to perform memory access optimizations. Currently, several helper functions utilizing ARG_PTR_TO_MEM lack the corresponding MEM_RDONLY or MEM_WRITE tags.
This omission causes the verifier to incorrectly assume that the buffer contents are unchanged across the helper call. Consequently, the verifier may optimize away subsequent reads based on this wrong assumption, leading to correctness issues.

Similar issues were recently addressed for specific helpers in commit ac44dcc788b9 ("bpf: Fix verifier assumptions of bpf_d_path's output buffer") and commit 2eb7648558a7 ("bpf: Specify access type of bpf_sysctl_get_name args").

Fix these prototypes by adding the correct memory access tags.

Fixes: 37cce22dbd51 ("bpf: verifier: Refactor helper access type tracking")
Co-developed-by: Shuran Liu
Signed-off-by: Shuran Liu
Co-developed-by: Peili Gao
Signed-off-by: Peili Gao
Co-developed-by: Haoran Ni
Signed-off-by: Haoran Ni
Signed-off-by: Zesen Liu
--- kernel/bpf/helpers.c | 2 +- kernel/trace/bpf_trace.c | 6 +++--- net/core/filter.c | 8 ++++---- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c index db72b96f9c8c..f66284f8ec2c 100644 --- a/kernel/bpf/helpers.c +++ b/kernel/bpf/helpers.c @@ -1077,7 +1077,7 @@ const struct bpf_func_proto bpf_snprintf_proto =3D { .func =3D bpf_snprintf, .gpl_only =3D true, .ret_type =3D RET_INTEGER, - .arg1_type =3D ARG_PTR_TO_MEM_OR_NULL, + .arg1_type =3D ARG_PTR_TO_MEM_OR_NULL | MEM_WRITE, .arg2_type =3D ARG_CONST_SIZE_OR_ZERO, .arg3_type =3D ARG_PTR_TO_CONST_STR, .arg4_type =3D ARG_PTR_TO_MEM | PTR_MAYBE_NULL | MEM_RDONLY, diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index fe28d86f7c35..59c2394981c7 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -1022,7 +1022,7 @@ const struct bpf_func_proto bpf_snprintf_btf_proto = =3D { .func =3D bpf_snprintf_btf, .gpl_only =3D false, .ret_type =3D RET_INTEGER, - .arg1_type =3D ARG_PTR_TO_MEM, + .arg1_type =3D ARG_PTR_TO_MEM | MEM_WRITE, .arg2_type =3D ARG_CONST_SIZE, .arg3_type =3D ARG_PTR_TO_MEM | MEM_RDONLY, .arg4_type =3D ARG_CONST_SIZE, 
@@ -1526,7 +1526,7 @@ static const struct bpf_func_proto bpf_read_branch_re= cords_proto =3D { .gpl_only =3D true, .ret_type =3D RET_INTEGER, .arg1_type =3D ARG_PTR_TO_CTX, - .arg2_type =3D ARG_PTR_TO_MEM_OR_NULL, + .arg2_type =3D ARG_PTR_TO_MEM_OR_NULL | MEM_WRITE, .arg3_type =3D ARG_CONST_SIZE_OR_ZERO, .arg4_type =3D ARG_ANYTHING, }; @@ -1661,7 +1661,7 @@ static const struct bpf_func_proto bpf_get_stack_prot= o_raw_tp =3D { .gpl_only =3D true, .ret_type =3D RET_INTEGER, .arg1_type =3D ARG_PTR_TO_CTX, - .arg2_type =3D ARG_PTR_TO_MEM | MEM_RDONLY, + .arg2_type =3D ARG_PTR_TO_UNINIT_MEM, .arg3_type =3D ARG_CONST_SIZE_OR_ZERO, .arg4_type =3D ARG_ANYTHING, }; diff --git a/net/core/filter.c b/net/core/filter.c index 616e0520a0bb..6e07bb994aa7 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -6399,7 +6399,7 @@ static const struct bpf_func_proto bpf_xdp_fib_lookup= _proto =3D { .gpl_only =3D true, .ret_type =3D RET_INTEGER, .arg1_type =3D ARG_PTR_TO_CTX, - .arg2_type =3D ARG_PTR_TO_MEM, + .arg2_type =3D ARG_PTR_TO_MEM | MEM_WRITE, .arg3_type =3D ARG_CONST_SIZE, .arg4_type =3D ARG_ANYTHING, }; @@ -6454,7 +6454,7 @@ static const struct bpf_func_proto bpf_skb_fib_lookup= _proto =3D { .gpl_only =3D true, .ret_type =3D RET_INTEGER, .arg1_type =3D ARG_PTR_TO_CTX, - .arg2_type =3D ARG_PTR_TO_MEM, + .arg2_type =3D ARG_PTR_TO_MEM | MEM_WRITE, .arg3_type =3D ARG_CONST_SIZE, .arg4_type =3D ARG_ANYTHING, }; @@ -8010,7 +8010,7 @@ static const struct bpf_func_proto bpf_tcp_raw_gen_sy= ncookie_ipv4_proto =3D { .ret_type =3D RET_INTEGER, .arg1_type =3D ARG_PTR_TO_FIXED_SIZE_MEM, .arg1_size =3D sizeof(struct iphdr), - .arg2_type =3D ARG_PTR_TO_MEM, + .arg2_type =3D ARG_PTR_TO_MEM | MEM_RDONLY, .arg3_type =3D ARG_CONST_SIZE_OR_ZERO, }; =20 
@@ -8042,7 +8042,7 @@ static const struct bpf_func_proto bpf_tcp_raw_gen_sy= ncookie_ipv6_proto =3D { .ret_type =3D RET_INTEGER, .arg1_type =3D ARG_PTR_TO_FIXED_SIZE_MEM, .arg1_size =3D sizeof(struct ipv6hdr), - .arg2_type =3D ARG_PTR_TO_MEM, + .arg2_type =3D ARG_PTR_TO_MEM | MEM_RDONLY, .arg3_type =3D ARG_CONST_SIZE_OR_ZERO, }; =20 --=20 2.43.0
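Review bot: In the bpf_get_stack_proto_raw_tp hunk of kernel/trace/bpf_trace.c (patch 1/2), arg2 goes from `ARG_PTR_TO_MEM | MEM_RDONLY` to `ARG_PTR_TO_UNINIT_MEM`, a case the commit message does not cover: it speaks of prototypes that lack a tag, while this one carried the wrong tag on an output buffer. Every other output buffer in this patch becomes `ARG_PTR_TO_MEM | MEM_WRITE`, so please say in the changelog why this helper alone is switched to the uninitialized-memory type, or use `ARG_PTR_TO_MEM | MEM_WRITE` here for consistency.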
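Review bot: In the bpf_xdp_fib_lookup_proto and bpf_skb_fib_lookup_proto hunks of net/core/filter.c (patch 1/2), arg2 is tagged `MEM_WRITE` only, yet the fib lookup params buffer is filled in by the program before the call and updated by the helper on return. A sentence in the changelog confirming that `ARG_PTR_TO_MEM | MEM_WRITE` still requires the buffer to be initialized on entry would remove the doubt. Patch 2/2 tests only snprintf, snprintf_btf and get_stack, so these two prototypes and bpf_read_branch_records_proto change without a regression test.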
From: Zesen Liu
Date: Sat, 20 Dec 2025 19:35:05 +0800
Subject: [RFC PATCH bpf 2/2] selftests/bpf: add regression tests for snprintf and get_stack helpers
Message-Id: <20251220-helper_proto-v1-2-2206e0d9422d@gmail.com>
References: <20251220-helper_proto-v1-0-2206e0d9422d@gmail.com>
In-Reply-To: <20251220-helper_proto-v1-0-2206e0d9422d@gmail.com>

Add regression tests for bpf_snprintf(), bpf_snprintf_btf(), and bpf_get_stack() to cover incorrect verifier assumptions caused by incorrect function prototypes. These tests reproduce the scenario where the verifier previously incorrectly assumed that the destination buffer remained unwritten across the helper call.
The tests call these helpers and verify that subsequent reads see the updated data, ensuring that the verifier correctly marks the memory as clobbered and does not optimize away the reads based on stale assumptions.

Co-developed-by: Shuran Liu
Signed-off-by: Shuran Liu
Co-developed-by: Peili Gao
Signed-off-by: Peili Gao
Co-developed-by: Haoran Ni
Signed-off-by: Haoran Ni
Signed-off-by: Zesen Liu
--- tools/testing/selftests/bpf/prog_tests/get_stack_raw_tp.c | 15 +++++++++++= ++-- tools/testing/selftests/bpf/prog_tests/snprintf.c | 6 ++++++ tools/testing/selftests/bpf/prog_tests/snprintf_btf.c | 3 +++ tools/testing/selftests/bpf/progs/netif_receive_skb.c | 13 +++++++++++= +- tools/testing/selftests/bpf/progs/test_get_stack_rawtp.c | 11 ++++++++++- tools/testing/selftests/bpf/progs/test_snprintf.c | 12 ++++++++++++ 6 files changed, 56 insertions(+), 4 deletions(-) diff --git a/tools/testing/selftests/bpf/prog_tests/get_stack_raw_tp.c b/to= ols/testing/selftests/bpf/prog_tests/get_stack_raw_tp.c index 858e0575f502..7c2774b49138 100644 --- a/tools/testing/selftests/bpf/prog_tests/get_stack_raw_tp.c +++ b/tools/testing/selftests/bpf/prog_tests/get_stack_raw_tp.c @@ -87,13 +87,13 @@ void test_get_stack_raw_tp(void) const char *file =3D "./test_get_stack_rawtp.bpf.o"; const char *file_err =3D "./test_get_stack_rawtp_err.bpf.o"; const char *prog_name =3D "bpf_prog1"; - int i, err, prog_fd, exp_cnt =3D MAX_CNT_RAWTP; + int i, err, prog_fd, exp_cnt =3D MAX_CNT_RAWTP, key =3D 0, valid_top_stac= k =3D 0; struct perf_buffer *pb =3D NULL; struct bpf_link *link =3D NULL; struct timespec tv =3D {0, 10}; struct bpf_program *prog; struct bpf_object *obj; - struct bpf_map *map; + struct bpf_map *map, *bss_map; cpu_set_t cpu_set; =20 err =3D bpf_prog_test_load(file_err, BPF_PROG_TYPE_RAW_TRACEPOINT, &obj, = &prog_fd); 
@@ -135,6 +135,17 @@ void test_get_stack_raw_tp(void) for (i =3D 0; i < MAX_CNT_RAWTP; i++) nanosleep(&tv, NULL); =20 + bss_map =3D bpf_object__find_map_by_name(obj, ".bss"); + if (CHECK(!bss_map, "find .bss map", "not found\n")) + goto close_prog; + + err =3D bpf_map_lookup_elem(bpf_map__fd(bss_map), &key, &valid_top_stack); + if (CHECK(err, "lookup .bss", "err %d errno %d\n", err, errno)) + goto close_prog; + + if (!ASSERT_EQ(valid_top_stack, 1, "valid_top_stack")) + goto close_prog; + while (exp_cnt > 0) { err =3D perf_buffer__poll(pb, 100); if (err < 0 && CHECK(err < 0, "pb__poll", "err %d\n", err)) diff --git a/tools/testing/selftests/bpf/prog_tests/snprintf.c b/tools/test= ing/selftests/bpf/prog_tests/snprintf.c index 594441acb707..80d6f2655b5f 100644 --- a/tools/testing/selftests/bpf/prog_tests/snprintf.c +++ b/tools/testing/selftests/bpf/prog_tests/snprintf.c @@ -33,6 +33,9 @@ =20 #define EXP_NO_BUF_RET 29 =20 +#define EXP_STACK_OUT "stack_out" +#define EXP_STACK_RET sizeof(EXP_STACK_OUT) + static void test_snprintf_positive(void) { char exp_addr_out[] =3D EXP_ADDR_OUT; @@ -79,6 +82,9 @@ static void test_snprintf_positive(void) =20 ASSERT_EQ(skel->bss->nobuf_ret, EXP_NO_BUF_RET, "no_buf_ret"); =20 + ASSERT_EQ(skel->bss->stack_ret, EXP_STACK_RET, "stack_ret"); + ASSERT_STREQ(skel->bss->stack_out, EXP_STACK_OUT, "stack_out"); + cleanup: test_snprintf__destroy(skel); } diff --git a/tools/testing/selftests/bpf/prog_tests/snprintf_btf.c b/tools/= testing/selftests/bpf/prog_tests/snprintf_btf.c index dd41b826be30..a2e400a4880d 100644 --- a/tools/testing/selftests/bpf/prog_tests/snprintf_btf.c +++ b/tools/testing/selftests/bpf/prog_tests/snprintf_btf.c @@ -55,6 +55,9 @@ void serial_test_snprintf_btf(void) bss->ran_subtests)) goto cleanup; =20 + if (!ASSERT_EQ(bss->stack_out_test_passed, 1, "stack output test failed")) + goto cleanup; + cleanup: netif_receive_skb__destroy(skel); } 
diff --git a/tools/testing/selftests/bpf/progs/netif_receive_skb.c b/tools/= testing/selftests/bpf/progs/netif_receive_skb.c index 9e067dcbf607..f78d5f56f6c9 100644 --- a/tools/testing/selftests/bpf/progs/netif_receive_skb.c +++ b/tools/testing/selftests/bpf/progs/netif_receive_skb.c @@ -12,9 +12,11 @@ long ret =3D 0; int num_subtests =3D 0; int ran_subtests =3D 0; +int stack_out_test_passed =3D 0; bool skip =3D false; =20 -#define STRSIZE 2048 +#define STRSIZE 2048 +#define STACK_STRSIZE 64 #define EXPECTED_STRSIZE 256 =20 #if defined(bpf_target_s390) @@ -98,6 +100,7 @@ int BPF_PROG(trace_netif_receive_skb, struct sk_buff *sk= b) __u32 key =3D 0; int i, __ret; char *str; + char stack_out[STACK_STRSIZE] =3D { }; =20 #if __has_builtin(__builtin_btf_type_id) str =3D bpf_map_lookup_elem(&strdata, &key); @@ -124,6 +127,13 @@ int BPF_PROG(trace_netif_receive_skb, struct sk_buff *= skb) ret =3D -ERANGE; } =20 + /* Check when writing to a buffer on the stack */ + p.type_id =3D bpf_core_type_id_kernel(struct sk_buff); + p.ptr =3D skb; + ret =3D bpf_snprintf_btf(stack_out, STACK_STRSIZE, &p, sizeof(p), 0); + if (ret >=3D 0 && stack_out[0] !=3D '\0') + stack_out_test_passed =3D 1; + /* Verify type display for various types. */ =20 /* simple int */ @@ -242,6 +252,7 @@ int BPF_PROG(trace_netif_receive_skb, struct sk_buff *s= kb) TEST_BTF(str, struct bpf_insn, BTF_F_NONAME, "{1,0x2,0x3,4,5,}", {.code =3D 1, .dst_reg =3D 0x2, .src_reg =3D 0x3, .off =3D 4, .imm =3D 5,}); + #else skip =3D true; #endif diff --git a/tools/testing/selftests/bpf/progs/test_get_stack_rawtp.c b/too= ls/testing/selftests/bpf/progs/test_get_stack_rawtp.c index b6a6eb279e54..57723dc823a0 100644 --- a/tools/testing/selftests/bpf/progs/test_get_stack_rawtp.c +++ b/tools/testing/selftests/bpf/progs/test_get_stack_rawtp.c 
@@ -54,14 +54,17 @@ struct { __type(value, __u64[2 * MAX_STACK_RAWTP]); } rawdata_map SEC(".maps"); =20 +int valid_top_stack =3D 0; + SEC("raw_tracepoint/sys_enter") int bpf_prog1(void *ctx) { int max_len, max_buildid_len, total_size; struct stack_trace_t *data; - long usize, ksize; + long usize, ksize, top_usize; void *raw_data; __u32 key =3D 0; + __u64 top_user_stack =3D 0; =20 data =3D bpf_map_lookup_elem(&stackdata_map, &key); if (!data) @@ -88,6 +91,12 @@ int bpf_prog1(void *ctx) if (usize < 0) return 0; =20 + /* checks if the verifier correctly marks the stack variable as written. = */ + top_usize =3D bpf_get_stack(ctx, &top_user_stack, sizeof(__u64), + BPF_F_USER_STACK); + if (top_usize > 0 && top_user_stack !=3D 0) + valid_top_stack =3D 1; + ksize =3D bpf_get_stack(ctx, raw_data + usize, max_len - usize, 0); if (ksize < 0) return 0; diff --git a/tools/testing/selftests/bpf/progs/test_snprintf.c b/tools/test= ing/selftests/bpf/progs/test_snprintf.c index 8fda07544023..ce78fd7add03 100644 --- a/tools/testing/selftests/bpf/progs/test_snprintf.c +++ b/tools/testing/selftests/bpf/progs/test_snprintf.c @@ -32,6 +32,9 @@ long noarg_ret =3D 0; =20 long nobuf_ret =3D 0; =20 +char stack_out[64] =3D {}; +long stack_ret =3D 0; + extern const void schedule __ksym; =20 SEC("raw_tp/sys_enter") @@ -42,6 +45,7 @@ int handler(const void *ctx) const __u8 ex_ipv6[] =3D {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}; static const char str1[] =3D "str1"; static const char longstr[] =3D "longstr"; + char buf[64] =3D {}; =20 if ((int)bpf_get_current_pid_tgid() !=3D pid) return 0; 
@@ -71,6 +75,14 @@ int handler(const void *ctx) /* No buffer */ nobuf_ret =3D BPF_SNPRINTF(NULL, 0, "only interested in length %d", 60); =20 + /* Write to a buffer on the stack */ + stack_ret =3D BPF_SNPRINTF(buf, sizeof(buf), "stack_out"); + /* The condition is necessary to check if the verifier + * correctly marks the stack memory as written. + */ + if (buf[0] !=3D '\0') + __builtin_memcpy(stack_out, buf, 64); + return 0; } =20 --=20 2.43.0
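Review bot: In the @@ -135,6 +135,17 @@ hunk of prog_tests/get_stack_raw_tp.c (patch 2/2), `bpf_map_lookup_elem(bpf_map__fd(bss_map), &key, &valid_top_stack)` copies the whole .bss map value into a single int, which is only safe while valid_top_stack is the sole variable in the object's .bss. Size the destination from bpf_map__value_size(bss_map), or move the test to a skeleton and read skel->bss->valid_top_stack the way snprintf.c does. The added checks also mix the legacy CHECK() macro with ASSERT_EQ(); ASSERT_OK_PTR() and ASSERT_OK() would keep the additions in one style.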
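Review bot: In the @@ -124,6 +127,13 @@ hunk of progs/netif_receive_skb.c (patch 2/2), the new call assigns its result to the global `ret`, so a `ret = -ERANGE` set by the check just above is overwritten with the non-negative length returned here and the earlier failure is lost. Store the result in the local `__ret` instead, and set `ret` only when the stack-buffer call fails. The last hunk of this file (@@ -242,6 +252,7 @@) adds only a blank line before `#else` and can be dropped.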
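Review bot: In the @@ -88,6 +91,12 @@ hunk of progs/test_get_stack_rawtp.c (patch 2/2), valid_top_stack stays 0 both when the verifier drops the read of top_user_stack and when bpf_get_stack() itself returns an error or no frame, so a failing ASSERT_EQ(valid_top_stack, 1) does not say which happened. Exporting top_usize in a second global would let the userspace side report the helper's return value alongside the flag. The new comment should start with a capital letter ("Check that ...") to match the other comments added in this series.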
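Review bot: In the @@ -71,6 +75,14 @@ hunk of progs/test_snprintf.c (patch 2/2), `__builtin_memcpy(stack_out, buf, 64)` repeats the literal 64 used in the declarations of both `buf` and `stack_out`; use `sizeof(buf)` or a shared #define so the copy length cannot drift from the buffer sizes. The comment above the `if` could also name what would go wrong without the fix, namely that the verifier treats `buf[0]` as still zero and removes the copy.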