From: Leon Hwang
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan, Feng Yang, Leon Hwang, Menglong Dong, Puranjay Mohan, Björn Töpel, Pu Lehui, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, netdev@vger.kernel.org, kernel-patches-bot@fb.com
Subject: [PATCH bpf-next v2 1/6] bpf: Add fsession to verbose log in check_get_func_ip()
Date: Mon, 2 Mar 2026 23:03:37 +0800
Message-ID: <20260302150342.55709-2-leon.hwang@linux.dev>
In-Reply-To: <20260302150342.55709-1-leon.hwang@linux.dev>
References: <20260302150342.55709-1-leon.hwang@linux.dev>

Since bpf_get_func_ip() is supported for fsession, add fsession to the
verbose log message in check_get_func_ip().

No functional change intended.

Signed-off-by: Leon Hwang
---
 kernel/bpf/verifier.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index fc4ccd1de569..636836a315b7 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c 
@@ -11493,7 +11493,7 @@ static int check_get_func_ip(struct bpf_verifier_en= v *env) =20 if (type =3D=3D BPF_PROG_TYPE_TRACING) { if (!bpf_prog_has_trampoline(env->prog)) { - verbose(env, "func %s#%d supported only for fentry/fexit/fmod_ret progr= ams\n", + verbose(env, "func %s#%d supported only for fentry/fexit/fsession/fmod_= ret programs\n", func_id_name(func_id), func_id); return -ENOTSUPP; } --=20 2.52.0

From: Leon Hwang
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan, Feng Yang, Leon Hwang, Menglong Dong, Puranjay Mohan, Björn Töpel, Pu Lehui, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, netdev@vger.kernel.org, kernel-patches-bot@fb.com
Subject: [PATCH bpf-next v2 2/6] bpf: Factor out bpf_map_owner_[init,matches]() helpers
Date: Mon, 2 Mar 2026 23:03:38 +0800
Message-ID: <20260302150342.55709-3-leon.hwang@linux.dev>
In-Reply-To: <20260302150342.55709-1-leon.hwang@linux.dev>
References: <20260302150342.55709-1-leon.hwang@linux.dev>

When adding more attributes to validate in __bpf_prog_map_compatible(),
both the if and else code blocks become harder to read.

To improve readability, factor out bpf_map_owner_init() and
bpf_map_owner_matches() helpers.

No functional changes intended.

Signed-off-by: Leon Hwang
---
 kernel/bpf/core.c | 100 ++++++++++++++++++++++++++--------------------
 1 file changed, 57 insertions(+), 43 deletions(-)

diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index 229c74f3d6ae..b24a613d99f2 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c 
@@ -2380,14 +2380,66 @@ static unsigned int __bpf_prog_ret0_warn(const void= *ctx, return 0; } =20 +static void bpf_map_owner_init(struct bpf_map_owner *owner, const struct b= pf_prog *fp, + enum bpf_prog_type prog_type) +{ + struct bpf_prog_aux *aux =3D fp->aux; + enum bpf_cgroup_storage_type i; + + owner->type =3D prog_type; + owner->jited =3D fp->jited; + owner->xdp_has_frags =3D aux->xdp_has_frags; + owner->sleepable =3D fp->sleepable; + owner->expected_attach_type =3D fp->expected_attach_type; + owner->attach_func_proto =3D aux->attach_func_proto; + for_each_cgroup_storage_type(i) + owner->storage_cookie[i] =3D aux->cgroup_storage[i] ? + aux->cgroup_storage[i]->cookie : 0; +} + +static bool bpf_map_owner_matches(const struct bpf_map *map, const struct = bpf_prog *fp, + enum bpf_prog_type prog_type) +{ + struct bpf_map_owner *owner =3D map->owner; + struct bpf_prog_aux *aux =3D fp->aux; + enum bpf_cgroup_storage_type i; + u64 cookie; + + if (owner->type !=3D prog_type || + owner->jited !=3D fp->jited || + owner->xdp_has_frags !=3D aux->xdp_has_frags || + owner->sleepable !=3D fp->sleepable) + return false; + + if (map->map_type =3D=3D BPF_MAP_TYPE_PROG_ARRAY && + owner->expected_attach_type !=3D fp->expected_attach_type) + return false; + + for_each_cgroup_storage_type(i) { + cookie =3D aux->cgroup_storage[i] ? 
aux->cgroup_storage[i]->cookie : 0; + if (cookie && cookie !=3D owner->storage_cookie[i]) + return false; + } + + if (owner->attach_func_proto !=3D aux->attach_func_proto) { + switch (prog_type) { + case BPF_PROG_TYPE_TRACING: + case BPF_PROG_TYPE_LSM: + case BPF_PROG_TYPE_EXT: + case BPF_PROG_TYPE_STRUCT_OPS: + return false; + default: + break; + } + } + return true; +} + static bool __bpf_prog_map_compatible(struct bpf_map *map, const struct bpf_prog *fp) { enum bpf_prog_type prog_type =3D resolve_prog_type(fp); - struct bpf_prog_aux *aux =3D fp->aux; - enum bpf_cgroup_storage_type i; bool ret =3D false; - u64 cookie; =20 if (fp->kprobe_override) return ret; 
@@ -2398,48 +2450,10 @@ static bool __bpf_prog_map_compatible(struct bpf_ma= p *map, map->owner =3D bpf_map_owner_alloc(map); if (!map->owner) goto err; - map->owner->type =3D prog_type; - map->owner->jited =3D fp->jited; - map->owner->xdp_has_frags =3D aux->xdp_has_frags; - map->owner->sleepable =3D fp->sleepable; - map->owner->expected_attach_type =3D fp->expected_attach_type; - map->owner->attach_func_proto =3D aux->attach_func_proto; - for_each_cgroup_storage_type(i) { - map->owner->storage_cookie[i] =3D - aux->cgroup_storage[i] ? - aux->cgroup_storage[i]->cookie : 0; - } + bpf_map_owner_init(map->owner, fp, prog_type); ret =3D true; } else { - ret =3D map->owner->type =3D=3D prog_type && - map->owner->jited =3D=3D fp->jited && - map->owner->xdp_has_frags =3D=3D aux->xdp_has_frags && - map->owner->sleepable =3D=3D fp->sleepable; - if (ret && - map->map_type =3D=3D BPF_MAP_TYPE_PROG_ARRAY && - map->owner->expected_attach_type !=3D fp->expected_attach_type) - ret =3D false; - for_each_cgroup_storage_type(i) { - if (!ret) - break; - cookie =3D aux->cgroup_storage[i] ? 
- aux->cgroup_storage[i]->cookie : 0; - ret =3D map->owner->storage_cookie[i] =3D=3D cookie || - !cookie; - } - if (ret && - map->owner->attach_func_proto !=3D aux->attach_func_proto) { - switch (prog_type) { - case BPF_PROG_TYPE_TRACING: - case BPF_PROG_TYPE_LSM: - case BPF_PROG_TYPE_EXT: - case BPF_PROG_TYPE_STRUCT_OPS: - ret =3D false; - break; - default: - break; - } - } + ret =3D bpf_map_owner_matches(map, fp, prog_type); } err: spin_unlock(&map->owner_lock); --=20 2.52.0
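
Review bot: bpf_map_owner_init() and bpf_map_owner_matches(), added in the first kernel/bpf/core.c hunk, read and write map->owner without stating that the caller must hold map->owner_lock, which the visible caller __bpf_prog_map_compatible() releases at the err: label with spin_unlock(&map->owner_lock). Add lockdep_assert_held(&map->owner_lock) to bpf_map_owner_matches(), or a one-line comment above both helpers, so a later caller cannot use them unlocked. Minor style point in the same hunk: the for_each_cgroup_storage_type(i) body in bpf_map_owner_init() spans two lines and has lost the braces the original loop had.
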
From: Leon Hwang
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan, Feng Yang, Leon Hwang, Menglong Dong, Puranjay Mohan, Björn Töpel, Pu Lehui, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, netdev@vger.kernel.org, kernel-patches-bot@fb.com
Subject: [PATCH bpf-next v2 3/6] bpf: Disallow !kprobe_write_ctx progs tail-calling kprobe_write_ctx progs
Date: Mon, 2 Mar 2026 23:03:39 +0800
Message-ID: <20260302150342.55709-4-leon.hwang@linux.dev>
In-Reply-To: <20260302150342.55709-1-leon.hwang@linux.dev>
References: <20260302150342.55709-1-leon.hwang@linux.dev>

Uprobe programs that modify regs require different runtime assumptions
than those that do not. Mixing !kprobe_write_ctx progs with
kprobe_write_ctx progs via tail calls could break these assumptions.

To address this, reject the combination of !kprobe_write_ctx progs with
kprobe_write_ctx progs in bpf_map_owner_matches(), which prevents the
tail callee from modifying regs unexpectedly.

Also reject kprobe_write_ctx mismatches during initialization to
prevent bypassing the above restriction.

Without this check, the above restriction can be bypassed as follows.

    struct {
        __uint(type, BPF_MAP_TYPE_PROG_ARRAY);
        __uint(max_entries, 1);
        __uint(key_size, 4);
        __uint(value_size, 4);
    } jmp_table SEC(".maps");

    SEC("?kprobe")
    int prog_a(struct pt_regs *regs)
    {
        regs->ax = 0;
        bpf_tail_call_static(regs, &jmp_table, 0);
        return 0;
    }

    SEC("?kprobe")
    int prog_b(struct pt_regs *regs)
    {
        bpf_tail_call_static(regs, &jmp_table, 0);
        return 0;
    }

The jmp_table is shared between prog_a and prog_b.

* Load prog_a.
  At this point, owner->kprobe_write_ctx=true.
* Load prog_b.
  At this point, prog_b passes the compatibility check.
* Add prog_a to jmp_table.
* Attach prog_b to a kernel function.

When the kernel function runs, prog_a will unexpectedly modify regs.

Fixes: 7384893d970e ("bpf: Allow uprobe program to change context registers")
Signed-off-by: Leon Hwang
---
 include/linux/bpf.h | 7 ++++---
 kernel/bpf/core.c | 30 +++++++++++++++++++++++++-----
 2 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 05b34a6355b0..dbafed52b2ba 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -285,9 +285,10 @@ struct bpf_list_node_kern { */ struct bpf_map_owner { enum bpf_prog_type type; - bool jited; - bool xdp_has_frags; - bool sleepable; + u32 jited:1; + u32 xdp_has_frags:1; + u32 sleepable:1; + u32 kprobe_write_ctx:1; u64 storage_cookie[MAX_BPF_CGROUP_STORAGE_TYPE]; const struct btf_type *attach_func_proto; enum bpf_attach_type expected_attach_type; diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index b24a613d99f2..121a697d4da5 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -2390,6 +2390,7 @@ static void bpf_map_owner_init(struct bpf_map_owner *= owner, const struct bpf_pro owner->jited =3D fp->jited; owner->xdp_has_frags =3D aux->xdp_has_frags; owner->sleepable =3D fp->sleepable; + owner->kprobe_write_ctx =3D aux->kprobe_write_ctx; owner->expected_attach_type =3D fp->expected_attach_type; owner->attach_func_proto =3D aux->attach_func_proto; for_each_cgroup_storage_type(i) 
@@ -2397,8 +2398,14 @@ static void bpf_map_owner_init(struct bpf_map_owner = *owner, const struct bpf_pro aux->cgroup_storage[i]->cookie : 0; } =20 +enum bpf_map_owner_match_type { + BPF_MAP_OWNER_MATCH_FOR_INIT, + BPF_MAP_OWNER_MATCH_FOR_UPDATE, +}; + static bool bpf_map_owner_matches(const struct bpf_map *map, const struct = bpf_prog *fp, - enum bpf_prog_type prog_type) + enum bpf_prog_type prog_type, + enum bpf_map_owner_match_type match) { struct bpf_map_owner *owner =3D map->owner; struct bpf_prog_aux *aux =3D fp->aux; @@ -2411,6 +2418,18 @@ static bool bpf_map_owner_matches(const struct bpf_m= ap *map, const struct bpf_pr owner->sleepable !=3D fp->sleepable) return false; =20 + switch (match) { + case BPF_MAP_OWNER_MATCH_FOR_INIT: + if (owner->kprobe_write_ctx !=3D aux->kprobe_write_ctx) + return false; + break; + + case BPF_MAP_OWNER_MATCH_FOR_UPDATE: + if (!owner->kprobe_write_ctx && aux->kprobe_write_ctx) + return false; + break; + } + if (map->map_type =3D=3D BPF_MAP_TYPE_PROG_ARRAY && owner->expected_attach_type !=3D fp->expected_attach_type) return false; @@ -2436,7 +2455,8 @@ static bool bpf_map_owner_matches(const struct bpf_ma= p *map, const struct bpf_pr } =20 static bool __bpf_prog_map_compatible(struct bpf_map *map, - const struct bpf_prog *fp) + const struct bpf_prog *fp, + enum bpf_map_owner_match_type match) { enum bpf_prog_type prog_type =3D resolve_prog_type(fp); bool ret =3D false; @@ -2453,7 +2473,7 @@ static bool __bpf_prog_map_compatible(struct bpf_map = *map, bpf_map_owner_init(map->owner, fp, prog_type); ret =3D true; } else { - ret =3D bpf_map_owner_matches(map, fp, prog_type); + ret =3D bpf_map_owner_matches(map, fp, prog_type, match); } err: spin_unlock(&map->owner_lock); 
@@ -2470,7 +2490,7 @@ bool bpf_prog_map_compatible(struct bpf_map *map, con= st struct bpf_prog *fp) if (bpf_prog_is_dev_bound(fp->aux)) return false; =20 - return __bpf_prog_map_compatible(map, fp); + return __bpf_prog_map_compatible(map, fp, BPF_MAP_OWNER_MATCH_FOR_UPDATE); } =20 static int bpf_check_tail_call(const struct bpf_prog *fp) 
@@ -2485,7 +2505,7 @@ static int bpf_check_tail_call(const struct bpf_prog = *fp) if (!map_type_contains_progs(map)) continue; =20 - if (!__bpf_prog_map_compatible(map, fp)) { + if (!__bpf_prog_map_compatible(map, fp, BPF_MAP_OWNER_MATCH_FOR_INIT)) { ret =3D -EINVAL; goto out; } --=20 2.52.0
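
Review bot: the include/linux/bpf.h hunk converts the existing jited, xdp_has_frags and sleepable members of struct bpf_map_owner from bool to one-bit u32 bitfields, and the changelog does not mention it. Since this patch carries a Fixes: tag, either say in the changelog why the conversion is needed, or add kprobe_write_ctx as a plain bool here and do the bitfield conversion in a separate patch so the fix stays minimal.
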
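
Review bot: in bpf_map_owner_matches() the new switch (match) applies two different rules to kprobe_write_ctx, strict equality for BPF_MAP_OWNER_MATCH_FOR_INIT and only "!owner->kprobe_write_ctx && aux->kprobe_write_ctx" for BPF_MAP_OWNER_MATCH_FOR_UPDATE, and neither enum bpf_map_owner_match_type nor the switch carries a comment saying why. The reasoning lives only in the changelog; please put a short comment on the enum or above the switch explaining which direction of mismatch each case tolerates.
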
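
Review bot: BPF_MAP_OWNER_MATCH_FOR_INIT is a misleading name for what bpf_check_tail_call() passes. In __bpf_prog_map_compatible() the branch that actually initialises the owner calls bpf_map_owner_init() and never looks at match; bpf_map_owner_matches(map, fp, prog_type, match) only runs in the else branch, when an owner already exists. Naming the two values after their call sites (the check made from bpf_check_tail_call() versus the one made from bpf_prog_map_compatible()) would make both callers self-explanatory.
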
From: Leon Hwang
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan, Feng Yang, Leon Hwang, Menglong Dong, Puranjay Mohan, Björn Töpel, Pu Lehui, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, netdev@vger.kernel.org, kernel-patches-bot@fb.com
Subject: [PATCH bpf-next v2 4/6] bpf: Disallow !call_get_func_ip progs tail-calling call_get_func_ip progs
Date: Mon, 2 Mar 2026 23:03:40 +0800
Message-ID: <20260302150342.55709-5-leon.hwang@linux.dev>
In-Reply-To: <20260302150342.55709-1-leon.hwang@linux.dev>
References: <20260302150342.55709-1-leon.hwang@linux.dev>

Trampoline-based tracing programs that call bpf_get_func_ip() rely on
the func IP stored on the stack. Mixing !call_get_func_ip progs with
call_get_func_ip progs via tail calls could break this assumption.

To address this, reject the combination of !call_get_func_ip progs with
call_get_func_ip progs in bpf_map_owner_matches(), which prevents the
tail callee from getting a bogus func IP.

Also reject call_get_func_ip mismatches during initialization to
prevent bypassing the above restriction.

Without this check, the above restriction can be bypassed as follows.

    struct {
        __uint(type, BPF_MAP_TYPE_PROG_ARRAY);
        __uint(max_entries, 1);
        __uint(key_size, sizeof(__u32));
        __uint(value_size, sizeof(__u32));
    } jmp_table SEC(".maps");

    SEC("?fentry")
    int BPF_PROG(prog_a)
    {
        bpf_printk("FUNC IP: 0x%llx\n", bpf_get_func_ip(ctx));
        bpf_tail_call_static(ctx, &jmp_table, 0);
        return 0;
    }

    SEC("?fentry")
    int BPF_PROG(prog_b)
    {
        bpf_tail_call_static(ctx, &jmp_table, 0);
        return 0;
    }

The jmp_table is shared between prog_a and prog_b.

* Load prog_a first.
  At this point, owner->call_get_func_ip=true.
* Load prog_b next.
  At this point, prog_b passes the compatibility check.
* Add prog_a to jmp_table.
* Attach prog_b to a kernel function.

When the kernel function runs, prog_a will get a bogus func IP because
no func IP is prepared on the trampoline stack.

Fixes: 1e37392cccde ("bpf: Enable BPF_TRAMP_F_IP_ARG for trampolines with call_get_func_ip")
Signed-off-by: Leon Hwang
---
 include/linux/bpf.h | 1 +
 kernel/bpf/core.c | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/include/linux/bpf.h b/include/linux/bpf.h index dbafed52b2ba..fb978650b169 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -289,6 +289,7 @@ struct bpf_map_owner { u32 xdp_has_frags:1; u32 sleepable:1; u32 kprobe_write_ctx:1; + u32 call_get_func_ip:1; u64 storage_cookie[MAX_BPF_CGROUP_STORAGE_TYPE]; const struct btf_type *attach_func_proto; enum bpf_attach_type expected_attach_type; diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index 121a697d4da5..1b88878fe5c5 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -2391,6 +2391,7 @@ static void bpf_map_owner_init(struct bpf_map_owner *= owner, const struct bpf_pro owner->xdp_has_frags =3D aux->xdp_has_frags; owner->sleepable =3D fp->sleepable; owner->kprobe_write_ctx =3D aux->kprobe_write_ctx; + owner->call_get_func_ip =3D fp->call_get_func_ip; owner->expected_attach_type =3D fp->expected_attach_type; owner->attach_func_proto =3D aux->attach_func_proto; for_each_cgroup_storage_type(i) 
@@ -2422,11 +2423,17 @@ static bool bpf_map_owner_matches(const struct bpf_= map *map, const struct bpf_pr case BPF_MAP_OWNER_MATCH_FOR_INIT: if (owner->kprobe_write_ctx !=3D aux->kprobe_write_ctx) return false; + if (owner->call_get_func_ip !=3D fp->call_get_func_ip) + return false; break; =20 case BPF_MAP_OWNER_MATCH_FOR_UPDATE: if (!owner->kprobe_write_ctx && aux->kprobe_write_ctx) return false; + if (bpf_prog_has_trampoline(fp)) { + if (!owner->call_get_func_ip && fp->call_get_func_ip) + return false; + } break; } =20 --=20 2.52.0
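
Review bot: the two cases in bpf_map_owner_matches() are gated differently. The BPF_MAP_OWNER_MATCH_FOR_UPDATE check on call_get_func_ip is wrapped in bpf_prog_has_trampoline(fp), while the BPF_MAP_OWNER_MATCH_FOR_INIT comparison of owner->call_get_func_ip against fp->call_get_func_ip applies to every program type. The changelog motivates the restriction only for trampoline-based tracing programs, so as written the INIT case also refuses non-trampoline programs that share a prog array and differ in call_get_func_ip. Either gate the INIT comparison the same way or explain in the changelog why the stricter rule is wanted there. The nested if in the UPDATE case can also be folded into a single condition.
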
From: Leon Hwang
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan, Feng Yang, Leon Hwang, Menglong Dong, Puranjay Mohan, Björn Töpel, Pu Lehui, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, netdev@vger.kernel.org, kernel-patches-bot@fb.com
Subject: [PATCH bpf-next v2 5/6] bpf: Disallow !call_session_cookie progs tail-calling call_session_cookie progs
Date: Mon, 2 Mar 2026 23:03:41 +0800
Message-ID: <20260302150342.55709-6-leon.hwang@linux.dev>
In-Reply-To: <20260302150342.55709-1-leon.hwang@linux.dev>
References: <20260302150342.55709-1-leon.hwang@linux.dev>

Fsession progs that call bpf_session_cookie() kfunc depend on
consistent session metadata stored on the stack. Mixing
!call_session_cookie progs with call_session_cookie progs via tail
calls could break this assumption.

To address this, reject the combination of !call_session_cookie progs
with call_session_cookie progs in bpf_map_owner_matches(), which
prevents the tail callee from accessing a bogus session cookie.

Also reject call_session_cookie mismatches during initialization to
prevent bypassing the above restriction.

Without this check, the above restriction can be bypassed as follows.

    struct {
        __uint(type, BPF_MAP_TYPE_PROG_ARRAY);
        __uint(max_entries, 1);
        __uint(key_size, sizeof(__u32));
        __uint(value_size, sizeof(__u32));
    } jmp_table SEC(".maps");

    SEC("?fsession")
    int BPF_PROG(prog_a)
    {
        u64 *cookie = bpf_session_cookie(ctx);

        *cookie = 42;
        bpf_tail_call_static(ctx, &jmp_table, 0);
        return 0;
    }

    SEC("?fsession")
    int BPF_PROG(prog_b)
    {
        bpf_tail_call_static(ctx, &jmp_table, 0);
        return 0;
    }

The jmp_table is shared between prog_a and prog_b.

* Load prog_a first.
  At this point, owner->call_session_cookie=true.
* Load prog_b next.
  At this point, prog_b passes the compatibility check.
* Add prog_a to jmp_table.
* Attach prog_b to a kernel function.

When the kernel function runs, prog_a will get a u64 pointer to the
first arg slot on the trampoline stack, and will modify the arg via
this pointer.

Fixes: eeee4239dbb1 ("bpf: support fsession for bpf_session_cookie")
Signed-off-by: Leon Hwang
---
 include/linux/bpf.h | 1 +
 kernel/bpf/core.c | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/include/linux/bpf.h b/include/linux/bpf.h index fb978650b169..3931fdbca3a7 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -290,6 +290,7 @@ struct bpf_map_owner { u32 sleepable:1; u32 kprobe_write_ctx:1; u32 call_get_func_ip:1; + u32 call_session_cookie:1; u64 storage_cookie[MAX_BPF_CGROUP_STORAGE_TYPE]; const struct btf_type *attach_func_proto; enum bpf_attach_type expected_attach_type; diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index 1b88878fe5c5..03d2d8f244c8 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c 
@@ -2392,6 +2392,7 @@ static void bpf_map_owner_init(struct bpf_map_owner *= owner, const struct bpf_pro owner->sleepable =3D fp->sleepable; owner->kprobe_write_ctx =3D aux->kprobe_write_ctx; owner->call_get_func_ip =3D fp->call_get_func_ip; + owner->call_session_cookie =3D fp->call_session_cookie; owner->expected_attach_type =3D fp->expected_attach_type; owner->attach_func_proto =3D aux->attach_func_proto; for_each_cgroup_storage_type(i) @@ -2425,6 +2426,8 @@ static bool bpf_map_owner_matches(const struct bpf_ma= p *map, const struct bpf_pr return false; if (owner->call_get_func_ip !=3D fp->call_get_func_ip) return false; + if (owner->call_session_cookie !=3D fp->call_session_cookie) + return false; break; =20 case BPF_MAP_OWNER_MATCH_FOR_UPDATE: 
@@ -2433,6 +2436,8 @@ static bool bpf_map_owner_matches(const struct bpf_ma= p *map, const struct bpf_pr if (bpf_prog_has_trampoline(fp)) { if (!owner->call_get_func_ip && fp->call_get_func_ip) return false; + if (!owner->call_session_cookie && fp->call_session_cookie) + return false; } break; } --=20 2.52.0
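Review bot: In the BPF_MAP_OWNER_MATCH_FOR_UPDATE hunk of bpf_map_owner_matches() in kernel/bpf/core.c, the new check is one-directional (`!owner->call_session_cookie && fp->call_session_cookie`) and sits under `bpf_prog_has_trampoline(fp)`, while the load-time hunk above it uses a strict `!=`, and nothing in the code says why the two cases differ. A short comment above the update-time checks stating the rule (a prog that calls bpf_session_cookie() may only be inserted into a map whose owner also does) would document the intent and keep the next flag added here from copying the wrong form. The commit message also only walks through the load-order case, so a sentence on what the update-time check prevents would help reviewers of the Fixes: backport.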
From: Leon Hwang
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan, Feng Yang, Leon Hwang, Menglong Dong, Puranjay Mohan, Björn Töpel, Pu Lehui, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, netdev@vger.kernel.org, kernel-patches-bot@fb.com
Subject: [PATCH bpf-next v2 6/6] selftests/bpf: Add tests to verify prog_array map compatibility
Date: Mon, 2 Mar 2026 23:03:42 +0800
Message-ID: <20260302150342.55709-7-leon.hwang@linux.dev>
In-Reply-To: <20260302150342.55709-1-leon.hwang@linux.dev>
References: <20260302150342.55709-1-leon.hwang@linux.dev>

Add tests to verify the following tail call restrictions:

* !kprobe_write_ctx progs are not compatible with kprobe_write_ctx progs.
* !call_get_func_ip progs are not compatible with call_get_func_ip progs.
* !call_session_cookie progs are not compatible with call_session_cookie
  progs.

For kprobe_write_ctx, call_get_func_ip, and call_session_cookie, a
prog_array map cannot be shared between progs with different values.

Signed-off-by: Leon Hwang
--- .../selftests/bpf/prog_tests/tailcalls.c | 319 ++++++++++++++++++ .../bpf/progs/tailcall_map_compatible.c | 103 ++++++ 2 files changed, 422 insertions(+) create mode 100644 tools/testing/selftests/bpf/progs/tailcall_map_compatib= le.c diff --git a/tools/testing/selftests/bpf/prog_tests/tailcalls.c b/tools/tes= ting/selftests/bpf/prog_tests/tailcalls.c index 7d534fde0af9..1063e73ecffa 100644 --- a/tools/testing/selftests/bpf/prog_tests/tailcalls.c +++ b/tools/testing/selftests/bpf/prog_tests/tailcalls.c 
@@ -9,6 +9,7 @@ #include "tc_bpf2bpf.skel.h" #include "tailcall_fail.skel.h" #include "tailcall_sleepable.skel.h" +#include "tailcall_map_compatible.skel.h" =20 /* test_tailcall_1 checks basic functionality by patching multiple locatio= ns * in a single program for a single tail call slot with nop->jmp, jmp->nop 
@@ -1725,6 +1726,312 @@ static void test_tailcall_sleepable(void) tailcall_sleepable__destroy(skel); } =20 +#ifdef __x86_64__ +/* uprobe attach point */ +static noinline int trigger_uprobe_fn(int a) +{ + asm volatile ("" : "+r"(a)); + return a; +} + +static void test_map_compatible_update_kprobe_write_ctx(void) +{ + struct bpf_program *dummy, *kprobe, *fsession; + struct tailcall_map_compatible *skel; + struct bpf_link *link =3D NULL; + int err, prog_fd, key =3D 0; + struct bpf_map *map; + LIBBPF_OPTS(bpf_kprobe_opts, kprobe_opts); + LIBBPF_OPTS(bpf_uprobe_opts, uprobe_opts); + LIBBPF_OPTS(bpf_test_run_opts, topts); + + skel =3D tailcall_map_compatible__open(); + if (!ASSERT_OK_PTR(skel, "tailcall_map_compatible__open")) + return; + + dummy =3D skel->progs.dummy_kprobe; + bpf_program__set_autoload(dummy, true); + + kprobe =3D skel->progs.kprobe; + bpf_program__set_autoload(kprobe, true); + + fsession =3D skel->progs.fsession_tailcall; + bpf_program__set_autoload(fsession, true); + + skel->bss->data =3D 0xdeadbeef; + + err =3D tailcall_map_compatible__load(skel); + if (!ASSERT_OK(err, "tailcall_map_compatible__load")) + goto out; + + prog_fd =3D bpf_program__fd(kprobe); + map =3D skel->maps.prog_array_dummy; + err =3D bpf_map_update_elem(bpf_map__fd(map), &key, &prog_fd, BPF_ANY); + ASSERT_ERR(err, "bpf_map_update_elem kprobe"); + + skel->links.dummy_kprobe =3D bpf_program__attach_kprobe_opts(dummy, "bpf_= fentry_test1", + &kprobe_opts); + if (!ASSERT_OK_PTR(skel->links.dummy_kprobe, "bpf_program__attach_kprobe_= opts")) + goto out; + + skel->links.fsession_tailcall =3D bpf_program__attach_trace(fsession); + if (!ASSERT_OK_PTR(skel->links.fsession_tailcall, "bpf_program__attach_tr= ace")) + goto out; + + err =3D bpf_prog_test_run_opts(bpf_program__fd(fsession), &topts); + ASSERT_OK(err, "bpf_prog_test_run_opts fsession"); + + ASSERT_EQ(topts.retval, 0, "dummy retval"); + ASSERT_EQ(skel->bss->dummy_run, 1, "dummy_run"); + ASSERT_EQ(skel->bss->data, 0xdeadbeef, 
"data"); + + err =3D bpf_map_delete_elem(bpf_map__fd(map), &key); + ASSERT_TRUE(!err || err =3D=3D -ENOENT, "bpf_map_delete_elem"); + + uprobe_opts.func_name =3D "trigger_uprobe_fn"; + link =3D bpf_program__attach_uprobe_opts(kprobe, 0, "/proc/self/exe", 0, = &uprobe_opts); + if (!ASSERT_OK_PTR(link, "bpf_program__attach_uprobe_opts")) + goto out; + + prog_fd =3D bpf_program__fd(dummy); + map =3D skel->maps.prog_array_kprobe; + err =3D bpf_map_update_elem(bpf_map__fd(map), &key, &prog_fd, BPF_ANY); + ASSERT_OK(err, "bpf_map_update_elem dummy"); + + ASSERT_EQ(trigger_uprobe_fn(1), 0, "trigger_uprobe_fn retval"); /* modifi= ed by uprobe */ + + ASSERT_EQ(topts.retval, 0, "dummy retval"); + ASSERT_EQ(skel->bss->dummy_run, 2, "dummy_run"); + ASSERT_EQ(skel->bss->data, 0, "data"); + +out: + bpf_link__destroy(link); + tailcall_map_compatible__destroy(skel); +} +#else +static void test_map_compatible_update_kprobe_write_ctx(void) +{ + test__skip(); +} +#endif + +static void test_map_compatible_update_get_func_ip(void) +{ + struct tailcall_map_compatible *skel; + struct bpf_program *dummy, *fentry; + struct bpf_link *link =3D NULL; + int err, prog_fd, key =3D 0; + struct bpf_map *map; + __u64 func_ip; + LIBBPF_OPTS(bpf_test_run_opts, topts); + + skel =3D tailcall_map_compatible__open(); + if (!ASSERT_OK_PTR(skel, "tailcall_map_compatible__open")) + return; + + dummy =3D skel->progs.dummy_fentry; + bpf_program__set_autoload(dummy, true); + + fentry =3D skel->progs.fentry; + bpf_program__set_autoload(fentry, true); + + err =3D tailcall_map_compatible__load(skel); + if (!ASSERT_OK(err, "tailcall_map_compatible__load")) + goto out; + + link =3D bpf_program__attach_trace(fentry); + if (!ASSERT_OK_PTR(link, "bpf_program__attach_trace fentry")) + goto out; + + err =3D bpf_prog_test_run_opts(bpf_program__fd(fentry), &topts); + if (!ASSERT_OK(err, "bpf_prog_test_run_opts fentry")) + goto out; + + ASSERT_EQ(topts.retval, 0, "fentry retval"); + ASSERT_EQ(skel->bss->dummy_run, 0, 
"dummy_run"); + ASSERT_NEQ(skel->bss->data, 0, "data"); + func_ip =3D skel->bss->data; + + skel->bss->data =3D 0xdeadbeef; + + err =3D bpf_link__destroy(link); + link =3D NULL; + if (!ASSERT_OK(err, "bpf_link__destroy")) + goto out; + + prog_fd =3D bpf_program__fd(fentry); + map =3D skel->maps.prog_array_dummy; + err =3D bpf_map_update_elem(bpf_map__fd(map), &key, &prog_fd, BPF_ANY); + ASSERT_ERR(err, "bpf_map_update_elem fentry"); + + link =3D bpf_program__attach_trace(dummy); + if (!ASSERT_OK_PTR(link, "bpf_program__attach_trace dummy")) + goto out; + + err =3D bpf_prog_test_run_opts(bpf_program__fd(dummy), &topts); + if (!ASSERT_OK(err, "bpf_prog_test_run_opts dummy")) + goto out; + + ASSERT_EQ(topts.retval, 0, "dummy retval"); + ASSERT_EQ(skel->bss->dummy_run, 1, "dummy_run"); + ASSERT_EQ(skel->bss->data, 0xdeadbeef, "data"); + ASSERT_NEQ(skel->bss->data, func_ip, "data func_ip"); + + err =3D bpf_link__destroy(link); + link =3D NULL; + if (!ASSERT_OK(err, "bpf_link__destroy")) + goto out; + + err =3D bpf_map_delete_elem(bpf_map__fd(map), &key); + ASSERT_TRUE(!err || err =3D=3D -ENOENT, "bpf_map_delete_elem"); + + prog_fd =3D bpf_program__fd(dummy); + map =3D skel->maps.prog_array_tracing; + err =3D bpf_map_update_elem(bpf_map__fd(map), &key, &prog_fd, BPF_ANY); + ASSERT_OK(err, "bpf_map_update_elem dummy"); + + link =3D bpf_program__attach_trace(fentry); + if (!ASSERT_OK_PTR(link, "bpf_program__attach_trace fentry")) + goto out; + + err =3D bpf_prog_test_run_opts(bpf_program__fd(fentry), &topts); + if (!ASSERT_OK(err, "bpf_prog_test_run_opts fentry")) + goto out; + + ASSERT_EQ(topts.retval, 0, "fentry retval"); + ASSERT_EQ(skel->bss->dummy_run, 2, "dummy_run"); + ASSERT_EQ(skel->bss->data, func_ip, "data"); + +out: + bpf_link__destroy(link); + tailcall_map_compatible__destroy(skel); +} + +static void test_map_compatible_update_session_cookie(void) +{ + struct tailcall_map_compatible *skel; + struct bpf_program *dummy, *fsession; + struct bpf_link *link =3D 
NULL; + int err, prog_fd, key =3D 0; + struct bpf_map *map; + LIBBPF_OPTS(bpf_test_run_opts, topts); + + skel =3D tailcall_map_compatible__open(); + if (!ASSERT_OK_PTR(skel, "tailcall_map_compatible__open")) + return; + + dummy =3D skel->progs.dummy_fsession; + bpf_program__set_autoload(dummy, true); + + fsession =3D skel->progs.fsession_cookie; + bpf_program__set_autoload(fsession, true); + + skel->bss->data =3D 0xdeadbeef; + + err =3D tailcall_map_compatible__load(skel); + if (err =3D=3D -EOPNOTSUPP) { + test__skip(); + goto out; + } + if (!ASSERT_OK(err, "tailcall_map_compatible__load")) + goto out; + + prog_fd =3D bpf_program__fd(fsession); + map =3D skel->maps.prog_array_dummy; + err =3D bpf_map_update_elem(bpf_map__fd(map), &key, &prog_fd, BPF_ANY); + ASSERT_ERR(err, "bpf_map_update_elem fsession"); + + link =3D bpf_program__attach_trace(dummy); + if (!ASSERT_OK_PTR(link, "bpf_program__attach_trace dummy")) + goto out; + + err =3D bpf_prog_test_run_opts(bpf_program__fd(dummy), &topts); + ASSERT_OK(err, "bpf_prog_test_run_opts dummy"); + + ASSERT_EQ(topts.retval, 0, "dummy retval"); + ASSERT_EQ(skel->bss->dummy_run, 2, "dummy_run"); + ASSERT_EQ(skel->bss->data, 0xdeadbeef, "data"); + + err =3D bpf_link__destroy(link); + link =3D NULL; + if (!ASSERT_OK(err, "bpf_link__destroy")) + goto out; + + err =3D bpf_map_delete_elem(bpf_map__fd(map), &key); + ASSERT_TRUE(!err || err =3D=3D -ENOENT, "bpf_map_delete_elem"); + + prog_fd =3D bpf_program__fd(dummy); + map =3D skel->maps.prog_array_tracing; + err =3D bpf_map_update_elem(bpf_map__fd(map), &key, &prog_fd, BPF_ANY); + ASSERT_OK(err, "bpf_map_update_elem dummy"); + + link =3D bpf_program__attach_trace(fsession); + if (!ASSERT_OK_PTR(link, "bpf_program__attach_trace fsession")) + goto out; + + err =3D bpf_prog_test_run_opts(bpf_program__fd(fsession), &topts); + if (!ASSERT_OK(err, "bpf_prog_test_run_opts fsession")) + goto out; + + ASSERT_EQ(topts.retval, 0, "fsession retval"); + ASSERT_EQ(skel->bss->dummy_run, 4, 
"dummy_run"); + ASSERT_EQ(skel->bss->data, 0, "data"); + +out: + bpf_link__destroy(link); + tailcall_map_compatible__destroy(skel); +} + +static void test_map_compatible_init(const char *prog1, const char *prog2) +{ + struct tailcall_map_compatible *skel; + struct bpf_program *p1, *p2; + int err; + + skel =3D tailcall_map_compatible__open(); + if (!ASSERT_OK_PTR(skel, "tailcall_map_compatible__open")) + return; + + p1 =3D bpf_object__find_program_by_name(skel->obj, prog1); + if (!ASSERT_OK_PTR(p1, "bpf_object__find_program_by_name prog1")) + goto out; + bpf_program__set_autoload(p1, true); + + p2 =3D bpf_object__find_program_by_name(skel->obj, prog2); + if (!ASSERT_OK_PTR(p2, "bpf_object__find_program_by_name prog2")) + goto out; + bpf_program__set_autoload(p2, true); + + err =3D tailcall_map_compatible__load(skel); + if (err =3D=3D -EOPNOTSUPP) { + test__skip(); + goto out; + } + ASSERT_ERR(err, "tailcall_map_compatible__load"); + +out: + tailcall_map_compatible__destroy(skel); +} + +static void test_map_compatible_init_kprobe_write_ctx(void) +{ +#ifdef __x86_64__ + test_map_compatible_init("kprobe", "kprobe_tailcall"); +#else + test__skip(); +#endif +} + +static void test_map_compatible_init_call_get_func_ip(void) +{ + test_map_compatible_init("fentry", "fentry_tailcall"); +} + +static void test_map_compatible_init_call_session_cookie(void) +{ + test_map_compatible_init("fsession_cookie", "fsession_tailcall"); +} + void test_tailcalls(void) { if (test__start_subtest("tailcall_1")) 
@@ -1781,4 +2088,16 @@ void test_tailcalls(void) test_tailcall_failure(); if (test__start_subtest("tailcall_sleepable")) test_tailcall_sleepable(); + if (test__start_subtest("map_compatible/update/kprobe_write_ctx")) + test_map_compatible_update_kprobe_write_ctx(); + if (test__start_subtest("map_compatible/update/get_func_ip")) + test_map_compatible_update_get_func_ip(); + if (test__start_subtest("map_compatible/update/session_cookie")) + test_map_compatible_update_session_cookie(); + if (test__start_subtest("map_compatible/init/kprobe_write_ctx")) + test_map_compatible_init_kprobe_write_ctx(); + if (test__start_subtest("map_compatible/init/call_get_func_ip")) + test_map_compatible_init_call_get_func_ip(); + if (test__start_subtest("map_compatible/init/call_session_cookie")) + test_map_compatible_init_call_session_cookie(); } diff --git a/tools/testing/selftests/bpf/progs/tailcall_map_compatible.c b/= tools/testing/selftests/bpf/progs/tailcall_map_compatible.c new file mode 100644 index 000000000000..991b799c89ac --- /dev/null +++ b/tools/testing/selftests/bpf/progs/tailcall_map_compatible.c 
@@ -0,0 +1,103 @@ +// SPDX-License-Identifier: GPL-2.0 +#include +#include +#include + +char _license[] SEC("license") =3D "GPL"; + +int dummy_run; +u64 data; + +struct { + __uint(type, BPF_MAP_TYPE_PROG_ARRAY); + __uint(max_entries, 1); + __uint(key_size, sizeof(__u32)); + __uint(value_size, sizeof(__u32)); +} prog_array_dummy SEC(".maps"); + +#if defined(__TARGET_ARCH_x86) +SEC("?kprobe") +int dummy_kprobe(void *ctx) +{ + dummy_run++; + bpf_tail_call_static(ctx, &prog_array_dummy, 0); + return 0; +} + +struct { + __uint(type, BPF_MAP_TYPE_PROG_ARRAY); + __uint(max_entries, 1); + __uint(key_size, sizeof(__u32)); + __uint(value_size, sizeof(__u32)); +} prog_array_kprobe SEC(".maps"); + +SEC("?kprobe") +int kprobe(struct pt_regs *regs) +{ + data =3D regs->di =3D 0; + bpf_tail_call_static(regs, &prog_array_kprobe, 0); + return 0; +} + +SEC("?kprobe") +int kprobe_tailcall(struct pt_regs *regs) +{ + bpf_tail_call_static(regs, &prog_array_kprobe, 0); + return 0; +} +#endif + +SEC("?fentry/bpf_fentry_test1") +int dummy_fentry(void *ctx) +{ + dummy_run++; + bpf_tail_call_static(ctx, &prog_array_dummy, 0); + return 0; +} + +struct { + __uint(type, BPF_MAP_TYPE_PROG_ARRAY); + __uint(max_entries, 1); + __uint(key_size, sizeof(__u32)); + __uint(value_size, sizeof(__u32)); +} prog_array_tracing SEC(".maps"); + +SEC("?fentry/bpf_fentry_test1") +int BPF_PROG(fentry) +{ + data =3D bpf_get_func_ip(ctx); + bpf_tail_call_static(ctx, &prog_array_tracing, 0); + return 0; +} + +SEC("?fentry/bpf_fentry_test1") +int BPF_PROG(fentry_tailcall) +{ + bpf_tail_call_static(ctx, &prog_array_tracing, 0); + return 0; +} + +SEC("?fsession/bpf_fentry_test2") +int dummy_fsession(void *ctx) +{ + dummy_run++; + bpf_tail_call_static(ctx, &prog_array_dummy, 0); + return 0; +} + +SEC("?fsession/bpf_fentry_test2") +int BPF_PROG(fsession_cookie) +{ + u64 *cookie =3D bpf_session_cookie(ctx); + + data =3D *cookie =3D 0; + bpf_tail_call_static(ctx, &prog_array_tracing, 0); + return 0; +} + 
+SEC("?fsession/bpf_fentry_test2") +int BPF_PROG(fsession_tailcall) +{ + bpf_tail_call_static(ctx, &prog_array_tracing, 0); + return 0; +} --=20 2.52.0
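Review bot: In the large tailcalls.c hunk, test_map_compatible_init() ends with a bare `ASSERT_ERR(err, "tailcall_map_compatible__load")`, so any load failure passes the test, including an unrelated verifier rejection of either program; the same applies to the `ASSERT_ERR(err, "bpf_map_update_elem ...")` calls in the three update tests. Asserting the specific errno the compatibility check returns would tie the tests to the restriction they are named after. The expected `dummy_run` values of 2 and then 4 in test_map_compatible_update_session_cookie() also need a one-line comment saying why a single test run bumps the counter twice, since the kprobe and fentry variants expect 1 and 2.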
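Review bot: In the test_tailcalls() hunk, the subtest names are not consistent between the two groups: the update tests are registered as "map_compatible/update/get_func_ip" and "map_compatible/update/session_cookie", while the init tests use "map_compatible/init/call_get_func_ip" and "map_compatible/init/call_session_cookie". Using the same suffix in both groups (either with or without the `call_` prefix) would make subtest filtering by name predictable.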
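Review bot: In the new progs/tailcall_map_compatible.c, `prog_array_dummy` is referenced by three programs of different types (dummy_kprobe, dummy_fentry, dummy_fsession), which only works because every program is declared with a `?` section prefix and each test enables exactly one dummy before load. A comment at the map definition stating that at most one `dummy_*` program may be autoloaded per skeleton instance would stop a later test from enabling two of them and failing for a reason unrelated to the flags under test. The same comment could note that `dummy_run` and `data` are shared by all programs in the file.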