BPF_PROG_LOAD can now provide log parameters through both union bpf_attr
and struct bpf_common_attr. Define clear conflict and precedence rules:
- if both are provided and log_buf/log_size/log_level match, use them;
- if only one side provides a log buffer, use that one;
- if both provide log buffers but differ, return -EINVAL.
Signed-off-by: Leon Hwang <leon.hwang@linux.dev>
---
include/linux/bpf_verifier.h | 3 ++-
kernel/bpf/log.c | 24 ++++++++++++++++++++++--
kernel/bpf/syscall.c | 3 ++-
3 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
index c805b85b6f7a..0d106fddbbc5 100644
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -638,7 +638,8 @@ struct bpf_log_attr {
};
int bpf_prog_load_log_attr_init(struct bpf_log_attr *attr_log, union bpf_attr *attr,
- bpfptr_t uattr, u32 size);
+ bpfptr_t uattr, u32 size, struct bpf_common_attr *attr_common,
+ bpfptr_t uattr_common, u32 size_common);
int bpf_log_attr_finalize(struct bpf_log_attr *attr, struct bpf_verifier_log *log);
#define BPF_MAX_SUBPROGS 256
diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c
index ff579fcba36f..345005ba98dd 100644
--- a/kernel/bpf/log.c
+++ b/kernel/bpf/log.c
@@ -873,10 +873,30 @@ static void bpf_log_attr_init(struct bpf_log_attr *attr_log, int offsetof_true_s
attr_log->uattr = uattr;
}
+static bool bpf_log_attrs_diff(struct bpf_common_attr *common, u64 log_buf, u32 log_size,
+ u32 log_level)
+{
+ return log_buf && common->log_buf && (log_buf != common->log_buf ||
+ log_size != common->log_size ||
+ log_level != common->log_level);
+}
+
int bpf_prog_load_log_attr_init(struct bpf_log_attr *attr_log, union bpf_attr *attr,
- bpfptr_t uattr, u32 size)
+ bpfptr_t uattr, u32 size, struct bpf_common_attr *attr_common,
+ bpfptr_t uattr_common, u32 size_common)
{
- bpf_log_attr_init(attr_log, offsetof(union bpf_attr, log_true_size), uattr, size);
+ if (bpf_log_attrs_diff(attr_common, attr->log_buf, attr->log_size, attr->log_level))
+ return -EINVAL;
+
+ if (!attr->log_buf && attr_common->log_buf) {
+ attr->log_buf = attr_common->log_buf;
+ attr->log_size = attr_common->log_size;
+ attr->log_level = attr_common->log_level;
+ bpf_log_attr_init(attr_log, offsetof(struct bpf_common_attr, log_true_size),
+ uattr_common, size_common);
+ } else {
+ bpf_log_attr_init(attr_log, offsetof(union bpf_attr, log_true_size), uattr, size);
+ }
return 0;
}
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index e81199361241..7125ea445c6c 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -6232,7 +6232,8 @@ static int __sys_bpf(enum bpf_cmd cmd, bpfptr_t uattr, unsigned int size,
err = map_freeze(&attr);
break;
case BPF_PROG_LOAD:
- err = bpf_prog_load_log_attr_init(&attr_log, &attr, uattr, size);
+ err = bpf_prog_load_log_attr_init(&attr_log, &attr, uattr, size, &attr_common,
+ uattr_common, size_common);
err = err ?: bpf_prog_load(&attr, uattr, &attr_log);
break;
case BPF_OBJ_PIN:
--
2.52.0On Mon, Feb 2, 2026 at 6:42 AM Leon Hwang <leon.hwang@linux.dev> wrote:
>
> BPF_PROG_LOAD can now provide log parameters through both union bpf_attr
> and struct bpf_common_attr. Define clear conflict and precedence rules:
>
> - if both are provided and log_buf/log_size/log_level match, use them;
> - if only one side provides a log buffer, use that one;
> - if both provide log buffers but differ, return -EINVAL.
>
> Signed-off-by: Leon Hwang <leon.hwang@linux.dev>
> ---
> include/linux/bpf_verifier.h | 3 ++-
> kernel/bpf/log.c | 24 ++++++++++++++++++++++--
> kernel/bpf/syscall.c | 3 ++-
> 3 files changed, 26 insertions(+), 4 deletions(-)
>
> diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
> index c805b85b6f7a..0d106fddbbc5 100644
> --- a/include/linux/bpf_verifier.h
> +++ b/include/linux/bpf_verifier.h
> @@ -638,7 +638,8 @@ struct bpf_log_attr {
> };
>
> int bpf_prog_load_log_attr_init(struct bpf_log_attr *attr_log, union bpf_attr *attr,
> - bpfptr_t uattr, u32 size);
> + bpfptr_t uattr, u32 size, struct bpf_common_attr *attr_common,
> + bpfptr_t uattr_common, u32 size_common);
> int bpf_log_attr_finalize(struct bpf_log_attr *attr, struct bpf_verifier_log *log);
>
> #define BPF_MAX_SUBPROGS 256
> diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c
> index ff579fcba36f..345005ba98dd 100644
> --- a/kernel/bpf/log.c
> +++ b/kernel/bpf/log.c
> @@ -873,10 +873,30 @@ static void bpf_log_attr_init(struct bpf_log_attr *attr_log, int offsetof_true_s
> attr_log->uattr = uattr;
> }
>
> +static bool bpf_log_attrs_diff(struct bpf_common_attr *common, u64 log_buf, u32 log_size,
> + u32 log_level)
> +{
> + return log_buf && common->log_buf && (log_buf != common->log_buf ||
> + log_size != common->log_size ||
> + log_level != common->log_level);
let's validate (unless we do this somewhere else) that if log_buf is
set, then log_size and log_level (? not sure, maybe zero is fine) are
set, or all three are not set. Same for common->log* fields...
> +}
> +
> int bpf_prog_load_log_attr_init(struct bpf_log_attr *attr_log, union bpf_attr *attr,
> - bpfptr_t uattr, u32 size)
> + bpfptr_t uattr, u32 size, struct bpf_common_attr *attr_common,
> + bpfptr_t uattr_common, u32 size_common)
> {
> - bpf_log_attr_init(attr_log, offsetof(union bpf_attr, log_true_size), uattr, size);
> + if (bpf_log_attrs_diff(attr_common, attr->log_buf, attr->log_size, attr->log_level))
> + return -EINVAL;
> +
> + if (!attr->log_buf && attr_common->log_buf) {
> + attr->log_buf = attr_common->log_buf;
> + attr->log_size = attr_common->log_size;
> + attr->log_level = attr_common->log_level;
why are we setting this? Do we still have code that can access
attr->log_buf even though we pass attr_log everywhere? If yes, should
we still have that "split brain" code?
If we don't have this assignment, then I think we don't need to have
bpf_prog_load-specific and btf_load-specific log_attr_init() helpers.
They can be unified into generic log_attr_init, where for
bpf_prog_load you'll pass offsetof(log_true_size) +
attr->log_{buf,size,level}, and for btf_load you'll pass different
offset of and btf-specific attr->btf_log*
This helper will just be making decision whether to use common_attr's
log fields or passed directly command-specific ones.
Or what am I missing?
> + bpf_log_attr_init(attr_log, offsetof(struct bpf_common_attr, log_true_size),
> + uattr_common, size_common);
> + } else {
> + bpf_log_attr_init(attr_log, offsetof(union bpf_attr, log_true_size), uattr, size);
> + }
> return 0;
> }
>
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index e81199361241..7125ea445c6c 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -6232,7 +6232,8 @@ static int __sys_bpf(enum bpf_cmd cmd, bpfptr_t uattr, unsigned int size,
> err = map_freeze(&attr);
> break;
> case BPF_PROG_LOAD:
> - err = bpf_prog_load_log_attr_init(&attr_log, &attr, uattr, size);
> + err = bpf_prog_load_log_attr_init(&attr_log, &attr, uattr, size, &attr_common,
> + uattr_common, size_common);
> err = err ?: bpf_prog_load(&attr, uattr, &attr_log);
> break;
> case BPF_OBJ_PIN:
> --
> 2.52.0
>
On 5/2/26 03:48, Andrii Nakryiko wrote:
> On Mon, Feb 2, 2026 at 6:42 AM Leon Hwang <leon.hwang@linux.dev> wrote:
>>
>> BPF_PROG_LOAD can now provide log parameters through both union bpf_attr
>> and struct bpf_common_attr. Define clear conflict and precedence rules:
>>
>> - if both are provided and log_buf/log_size/log_level match, use them;
>> - if only one side provides a log buffer, use that one;
>> - if both provide log buffers but differ, return -EINVAL.
>>
>> Signed-off-by: Leon Hwang <leon.hwang@linux.dev>
>> ---
>> include/linux/bpf_verifier.h | 3 ++-
>> kernel/bpf/log.c | 24 ++++++++++++++++++++++--
>> kernel/bpf/syscall.c | 3 ++-
>> 3 files changed, 26 insertions(+), 4 deletions(-)
>>
>> diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
>> index c805b85b6f7a..0d106fddbbc5 100644
>> --- a/include/linux/bpf_verifier.h
>> +++ b/include/linux/bpf_verifier.h
>> @@ -638,7 +638,8 @@ struct bpf_log_attr {
>> };
>>
>> int bpf_prog_load_log_attr_init(struct bpf_log_attr *attr_log, union bpf_attr *attr,
>> - bpfptr_t uattr, u32 size);
>> + bpfptr_t uattr, u32 size, struct bpf_common_attr *attr_common,
>> + bpfptr_t uattr_common, u32 size_common);
>> int bpf_log_attr_finalize(struct bpf_log_attr *attr, struct bpf_verifier_log *log);
>>
>> #define BPF_MAX_SUBPROGS 256
>> diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c
>> index ff579fcba36f..345005ba98dd 100644
>> --- a/kernel/bpf/log.c
>> +++ b/kernel/bpf/log.c
>> @@ -873,10 +873,30 @@ static void bpf_log_attr_init(struct bpf_log_attr *attr_log, int offsetof_true_s
>> attr_log->uattr = uattr;
>> }
>>
>> +static bool bpf_log_attrs_diff(struct bpf_common_attr *common, u64 log_buf, u32 log_size,
>> + u32 log_level)
>> +{
>> + return log_buf && common->log_buf && (log_buf != common->log_buf ||
>> + log_size != common->log_size ||
>> + log_level != common->log_level);
>
> let's validate (unless we do this somewhere else) that if log_buf is
> set, then log_size and log_level (? not sure, maybe zero is fine) are
> set, or all three are not set. Same for common->log* fields...
>
Ack.
Will validate 'log_buf && log_size && log_level' first.
>
>> +}
>> +
>> int bpf_prog_load_log_attr_init(struct bpf_log_attr *attr_log, union bpf_attr *attr,
>> - bpfptr_t uattr, u32 size)
>> + bpfptr_t uattr, u32 size, struct bpf_common_attr *attr_common,
>> + bpfptr_t uattr_common, u32 size_common)
>> {
>> - bpf_log_attr_init(attr_log, offsetof(union bpf_attr, log_true_size), uattr, size);
>> + if (bpf_log_attrs_diff(attr_common, attr->log_buf, attr->log_size, attr->log_level))
>> + return -EINVAL;
>> +
>> + if (!attr->log_buf && attr_common->log_buf) {
>> + attr->log_buf = attr_common->log_buf;
>> + attr->log_size = attr_common->log_size;
>> + attr->log_level = attr_common->log_level;
>
> why are we setting this? Do we still have code that can access
> attr->log_buf even though we pass attr_log everywhere? If yes, should
> we still have that "split brain" code?
>
'attr->log_buf' is accessed only in bpf_check().
> If we don't have this assignment, then I think we don't need to have
> bpf_prog_load-specific and btf_load-specific log_attr_init() helpers.
> They can be unified into generic log_attr_init, where for
> bpf_prog_load you'll pass offsetof(log_true_size) +
> attr->log_{buf,size,level}, and for btf_load you'll pass different
> offset of and btf-specific attr->btf_log*
>
> This helper will just be making decision whether to use common_attr's
> log fields or passed directly command-specific ones.
>
> Or what am I missing?
>
If the log attributes differ, where should the effective
log_* values be stored?
Should they live in struct bpf_common_attr, or should we extend
struct bpf_log_attr to carry them?
Note that in v8, Alexei suggested struct bpf_log_attr only needs
u32 offsetof_true_size;
bpfptr_t uattr;
so I’d like to clarify the intended direction here. Once that’s clear, a
single generic log_attr_init() should be sufficient to handle this.
Thanks,
Leon
>
>> + bpf_log_attr_init(attr_log, offsetof(struct bpf_common_attr, log_true_size),
>> + uattr_common, size_common);
>> + } else {
>> + bpf_log_attr_init(attr_log, offsetof(union bpf_attr, log_true_size), uattr, size);
>> + }
>> return 0;
>> }
>>
>> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
>> index e81199361241..7125ea445c6c 100644
>> --- a/kernel/bpf/syscall.c
>> +++ b/kernel/bpf/syscall.c
>> @@ -6232,7 +6232,8 @@ static int __sys_bpf(enum bpf_cmd cmd, bpfptr_t uattr, unsigned int size,
>> err = map_freeze(&attr);
>> break;
>> case BPF_PROG_LOAD:
>> - err = bpf_prog_load_log_attr_init(&attr_log, &attr, uattr, size);
>> + err = bpf_prog_load_log_attr_init(&attr_log, &attr, uattr, size, &attr_common,
>> + uattr_common, size_common);
>> err = err ?: bpf_prog_load(&attr, uattr, &attr_log);
>> break;
>> case BPF_OBJ_PIN:
>> --
>> 2.52.0
>>
On Wed, Feb 4, 2026 at 7:42 PM Leon Hwang <leon.hwang@linux.dev> wrote:
>
>
>
> On 5/2/26 03:48, Andrii Nakryiko wrote:
> > On Mon, Feb 2, 2026 at 6:42 AM Leon Hwang <leon.hwang@linux.dev> wrote:
> >>
> >> BPF_PROG_LOAD can now provide log parameters through both union bpf_attr
> >> and struct bpf_common_attr. Define clear conflict and precedence rules:
> >>
> >> - if both are provided and log_buf/log_size/log_level match, use them;
> >> - if only one side provides a log buffer, use that one;
> >> - if both provide log buffers but differ, return -EINVAL.
> >>
> >> Signed-off-by: Leon Hwang <leon.hwang@linux.dev>
> >> ---
> >> include/linux/bpf_verifier.h | 3 ++-
> >> kernel/bpf/log.c | 24 ++++++++++++++++++++++--
> >> kernel/bpf/syscall.c | 3 ++-
> >> 3 files changed, 26 insertions(+), 4 deletions(-)
> >>
> >> diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
> >> index c805b85b6f7a..0d106fddbbc5 100644
> >> --- a/include/linux/bpf_verifier.h
> >> +++ b/include/linux/bpf_verifier.h
> >> @@ -638,7 +638,8 @@ struct bpf_log_attr {
> >> };
> >>
> >> int bpf_prog_load_log_attr_init(struct bpf_log_attr *attr_log, union bpf_attr *attr,
> >> - bpfptr_t uattr, u32 size);
> >> + bpfptr_t uattr, u32 size, struct bpf_common_attr *attr_common,
> >> + bpfptr_t uattr_common, u32 size_common);
> >> int bpf_log_attr_finalize(struct bpf_log_attr *attr, struct bpf_verifier_log *log);
> >>
> >> #define BPF_MAX_SUBPROGS 256
> >> diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c
> >> index ff579fcba36f..345005ba98dd 100644
> >> --- a/kernel/bpf/log.c
> >> +++ b/kernel/bpf/log.c
> >> @@ -873,10 +873,30 @@ static void bpf_log_attr_init(struct bpf_log_attr *attr_log, int offsetof_true_s
> >> attr_log->uattr = uattr;
> >> }
> >>
> >> +static bool bpf_log_attrs_diff(struct bpf_common_attr *common, u64 log_buf, u32 log_size,
> >> + u32 log_level)
> >> +{
> >> + return log_buf && common->log_buf && (log_buf != common->log_buf ||
> >> + log_size != common->log_size ||
> >> + log_level != common->log_level);
> >
> > let's validate (unless we do this somewhere else) that if log_buf is
> > set, then log_size and log_level (? not sure, maybe zero is fine) are
> > set, or all three are not set. Same for common->log* fields...
> >
>
> Ack.
>
> Will validate 'log_buf && log_size && log_level' first.
>
> >
> >> +}
> >> +
> >> int bpf_prog_load_log_attr_init(struct bpf_log_attr *attr_log, union bpf_attr *attr,
> >> - bpfptr_t uattr, u32 size)
> >> + bpfptr_t uattr, u32 size, struct bpf_common_attr *attr_common,
> >> + bpfptr_t uattr_common, u32 size_common)
> >> {
> >> - bpf_log_attr_init(attr_log, offsetof(union bpf_attr, log_true_size), uattr, size);
> >> + if (bpf_log_attrs_diff(attr_common, attr->log_buf, attr->log_size, attr->log_level))
> >> + return -EINVAL;
> >> +
> >> + if (!attr->log_buf && attr_common->log_buf) {
> >> + attr->log_buf = attr_common->log_buf;
> >> + attr->log_size = attr_common->log_size;
> >> + attr->log_level = attr_common->log_level;
> >
> > why are we setting this? Do we still have code that can access
> > attr->log_buf even though we pass attr_log everywhere? If yes, should
> > we still have that "split brain" code?
> >
>
> 'attr->log_buf' is accessed only in bpf_check().
bpf_check should be changed then, see below
>
> > If we don't have this assignment, then I think we don't need to have
> > bpf_prog_load-specific and btf_load-specific log_attr_init() helpers.
> > They can be unified into generic log_attr_init, where for
> > bpf_prog_load you'll pass offsetof(log_true_size) +
> > attr->log_{buf,size,level}, and for btf_load you'll pass different
> > offset of and btf-specific attr->btf_log*
> >
> > This helper will just be making decision whether to use common_attr's
> > log fields or passed directly command-specific ones.
> >
> > Or what am I missing?
> >
>
> If the log attributes differ, where should the effective
> log_* values be stored?
>
> Should they live in struct bpf_common_attr, or should we extend
> struct bpf_log_attr to carry them?
>
> Note that in v8, Alexei suggested struct bpf_log_attr only needs
> u32 offsetof_true_size;
> bpfptr_t uattr;
>
> so I’d like to clarify the intended direction here. Once that’s clear, a
> single generic log_attr_init() should be sufficient to handle this.
>
The intended direction is to have log buf/size/level in one place
(after attr and common_attr validations), so we keep internal logic
simple. Let's put all of that and log_true_size **pointer** (we don't
have to much with offsetof, just calculate user addr for
log_true_size, which just might be NULL) into bpf_log_attrs and teach
all code to look and work *only* with that struct, ignoring anything
log related from attr.
> Thanks,
> Leon
>
> >
> >> + bpf_log_attr_init(attr_log, offsetof(struct bpf_common_attr, log_true_size),
> >> + uattr_common, size_common);
> >> + } else {
> >> + bpf_log_attr_init(attr_log, offsetof(union bpf_attr, log_true_size), uattr, size);
> >> + }
> >> return 0;
> >> }
> >>
> >> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> >> index e81199361241..7125ea445c6c 100644
> >> --- a/kernel/bpf/syscall.c
> >> +++ b/kernel/bpf/syscall.c
> >> @@ -6232,7 +6232,8 @@ static int __sys_bpf(enum bpf_cmd cmd, bpfptr_t uattr, unsigned int size,
> >> err = map_freeze(&attr);
> >> break;
> >> case BPF_PROG_LOAD:
> >> - err = bpf_prog_load_log_attr_init(&attr_log, &attr, uattr, size);
> >> + err = bpf_prog_load_log_attr_init(&attr_log, &attr, uattr, size, &attr_common,
> >> + uattr_common, size_common);
> >> err = err ?: bpf_prog_load(&attr, uattr, &attr_log);
> >> break;
> >> case BPF_OBJ_PIN:
> >> --
> >> 2.52.0
> >>
>
On 6/2/26 06:18, Andrii Nakryiko wrote:
> On Wed, Feb 4, 2026 at 7:42 PM Leon Hwang <leon.hwang@linux.dev> wrote:
[...]
>>>> +
>>>> + if (!attr->log_buf && attr_common->log_buf) {
>>>> + attr->log_buf = attr_common->log_buf;
>>>> + attr->log_size = attr_common->log_size;
>>>> + attr->log_level = attr_common->log_level;
>>>
>>> why are we setting this? Do we still have code that can access
>>> attr->log_buf even though we pass attr_log everywhere? If yes, should
>>> we still have that "split brain" code?
>>>
>>
>> 'attr->log_buf' is accessed only in bpf_check().
>
> bpf_check should be changed then, see below
>
>>
>>> If we don't have this assignment, then I think we don't need to have
>>> bpf_prog_load-specific and btf_load-specific log_attr_init() helpers.
>>> They can be unified into generic log_attr_init, where for
>>> bpf_prog_load you'll pass offsetof(log_true_size) +
>>> attr->log_{buf,size,level}, and for btf_load you'll pass different
>>> offset of and btf-specific attr->btf_log*
>>>
>>> This helper will just be making decision whether to use common_attr's
>>> log fields or passed directly command-specific ones.
>>>
>>> Or what am I missing?
>>>
>>
>> If the log attributes differ, where should the effective
>> log_* values be stored?
>>
>> Should they live in struct bpf_common_attr, or should we extend
>> struct bpf_log_attr to carry them?
>>
>> Note that in v8, Alexei suggested struct bpf_log_attr only needs
>> u32 offsetof_true_size;
>> bpfptr_t uattr;
>>
>> so I’d like to clarify the intended direction here. Once that’s clear, a
>> single generic log_attr_init() should be sufficient to handle this.
>>
>
> The intended direction is to have log buf/size/level in one place
> (after attr and common_attr validations), so we keep internal logic
> simple. Let's put all of that and log_true_size **pointer** (we don't
> have to much with offsetof, just calculate user addr for
> log_true_size, which just might be NULL) into bpf_log_attrs and teach
> all code to look and work *only* with that struct, ignoring anything
> log related from attr.
>
It’s clear now.
I’ll follow this direction in the next revision and consolidate all
log-related fields (including the log_true_size pointer) into
bpf_log_attr, so that internal code relies solely on that struct.
Thanks,
Leon
© 2016 - 2026 Red Hat, Inc.