)]}' { "log": [ { "commit": "e2e6a6ea2418e23d6afaf3c37e207f6ca85ba9d8", "tree": "c5802af061e4ae3e25cb25ebb3ccd53039b3dffa", "parents": [ "749b925802c2351ae7204e6960ca086e4c4e4fa7", "2cb27158adb38f1a78729e99f7469199d71c714a" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 15:01:57 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 15:30:51 2026 -0700" }, "message": "Merge branch \u0027bpf-static-stack-liveness-data-flow-analysis\u0027\n\nEduard Zingerman says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nbpf: static stack liveness data flow analysis\n\nThis patch set converts current dynamic stack slot liveness tracking\nmechanism to a static data flow analysis. The result is used during\nstate pruning (clean_verifier_state): to zero out dead stack slots,\nenabling more aggressive state equivalence and pruning. To improve\nanalysis precision live stack slot tracking is converted to 4-byte\ngranularity.\n\nThe key ideas and the bulk of the execution behind the series belong\nto Alexei Starovoitov. I contributed to patch set integration\nwith existing liveness tracking mechanism.\n\nDue to complexity of the changes the bisectability property of the\npatch set is not preserved. Some selftests may fail between\nintermediate patches of the series.\n\nAnalysis consists of two passes:\n- A forward fixed-point analysis that tracks which frame\u0027s FP each\n register value is derived from, and at what byte offset. This is\n needed because a callee can receive a pointer to its caller\u0027s stack\n frame (e.g. r1 \u003d fp-16 at the call site), then do *(u64 *)(r1 + 0)\n inside the callee - a cross-frame stack access that the callee\u0027s\n local liveness must attribute to the caller\u0027s stack.\n- A backward dataflow pass within each callee subprog that computes\n live_in \u003d (live_out \\ def) ∪ use for both local and non-local\n (ancestor) stack slots. The result of the analysis for callee is\n propagated up to the callsite.\n\nThe key idea making such analysis possible is that limited and\nconservative argument tracking pass is sufficient to recover most of\nthe offsets / stack pointer arguments.\n\nChangelog:\nv3 -\u003e v4:\n liveness.c:\n - fill_from_stack(): correct conservative stack mask for imprecise\n result, instead of picking frames from pointer register\n (Alexei, sashiko).\n - spill_to_stack(): join with existing values instead of\n overwriting when dst has multiple offsets (cnt \u003e 1) or imprecise\n offset (cnt \u003d\u003d 0) (Alexei, sashiko).\n - analyze_subprog(): big change, now each analyze_subprog() is\n called with a fresh func_instance, once read/write marks are\n collected the instance is joined with the one accumulated for\n (callsite, depth) and update_instance() is called.\n This handles several issues:\n - Avoids stale must_write marks when same func_instance is reused\n by analyze_subprog() several times.\n - Handles potential calls multiple calls for mark_stack_write()\n within single instruction.\n (Alexei, sashiko).\n - analyze_subprog(): added complexity limit to avoid exponential\n analysis time blowup for crafted programs with lots of nested\n function calls (Alexei, sashiko).\n - the patch \"bpf: record arg tracking results in bpf_liveness masks\"\n is reinstated, it was accidentally squashed during v1-\u003ev2\n transition.\n\n verifier.c:\n - clean_live_states() is replaced by a direct call to\n clean_verifier_state(), bpf_verifier_state-\u003ecleaned is dropped.\n\n verifier_live_stack.c:\n - added selftests for arg tracking changes.\n\nv2 -\u003e v3:\n liveness.c:\n - record_stack_access(): handle S64_MIN (unknown read) with\n imprecise offset. Test case can\u0027t be created with existing\n helpers/kfuncs (sashiko).\n - fmt_subprog(): handle NULL name (subprogs without BTF info).\n - print_instance(): use u64 for pos/insn_pos avoid truncation\n (bot+bpf-ci).\n - compute_subprog_args(): return error if\n \u0027env-\u003ecallsite_at_stack[idx] \u003d kvmalloc_objs(...)\u0027 fails\n (sashiko).\n - clear_overlapping_stack_slots(): avoid integer promoting\n issues by adding explicit (int) cast (sashiko).\n\n bpf_verifier.h, verifier.c, liveness.c:\n - Fixes in comments and commit messages (bot+bpf-ci).\n\nv1 -\u003e v2:\n liveness.c:\n - Removed func_instance-\u003ecallsites and replaced it with explicit\n spine passed through analys_subprog() calls (sashiko).\n - Fixed BPF_LOAD_ACQ handling in arg_track_xfer: don\u0027t clear dst\n register tracking (sashiko).\n - Various error threading nits highlighted by bots\n (sashiko, bot+bpf-ci).\n - Massaged fmt_spis_mask() to be more concise (Alexei)\n\n verifier.c:\n - Move subprog_info[i].name assignment from add_subprog_and_kfunc to\n check_btf_func (sashiko, bot+bpf-ci).\n - Fixed inverse usage of msb/lsb halves by patch\n \"bpf: make liveness.c track stack with 4-byte granularity\"\n (sashiko, bot+bpf-ci).\n\nv1: https://lore.kernel.org/bpf/20260408-patch-set-v1-0-1a666e860d42@gmail.com/\nv2: https://lore.kernel.org/bpf/20260409-patch-set-v2-0-651804512349@gmail.com/\nv3: https://lore.kernel.org/bpf/20260410-patch-set-v3-0-1f5826dc0ef2@gmail.com/\n\nVerification performance impact (negative % is good):\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d selftests: master vs patch-set \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nFile Program Insns (A) Insns (B) Insns (DIFF)\n----------------------- ------------- --------- --------- ---------------\nxdp_synproxy_kern.bpf.o syncookie_tc 20363 22910 +2547 (+12.51%)\nxdp_synproxy_kern.bpf.o syncookie_xdp 20450 23001 +2551 (+12.47%)\n\nTotal progs: 4490\nOld success: 2856\nNew success: 2856\ntotal_insns diff min: -80.26%\ntotal_insns diff max: 12.51%\n0 -\u003e value: 0\nvalue -\u003e 0: 0\ntotal_insns abs max old: 837,487\ntotal_insns abs max new: 837,487\n -85 .. -75 %: 1\n -50 .. -40 %: 1\n -35 .. -25 %: 1\n -20 .. -10 %: 5\n -10 .. 0 %: 18\n 0 .. 5 %: 4458\n 5 .. 15 %: 6\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d scx: master vs patch-set \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nFile Program Insns (A) Insns (B) Insns (DIFF)\n-------------- --------- --------- --------- --------------\nscx_qmap.bpf.o qmap_init 20230 19022 -1208 (-5.97%)\n\nTotal progs: 376\nOld success: 351\nNew success: 351\ntotal_insns diff min: -27.15%\ntotal_insns diff max: 0.50%\n0 -\u003e value: 0\nvalue -\u003e 0: 0\ntotal_insns abs max old: 236,251\ntotal_insns abs max new: 233,669\n -30 .. -20 %: 8\n -20 .. -10 %: 2\n -10 .. 0 %: 21\n 0 .. 5 %: 345\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d meta: master vs patch-set \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nFile Program Insns (A) Insns (B) Insns (DIFF)\n---------------------------------------------------------------------------- ----------------- --------- --------- -----------------\n...\nthird-party-scx-backports-scheds-rust-scx_layered-bpf_skel_genskel-bpf.bpf.o layered_dispatch 13944 13104 -840 (-6.02%)\nthird-party-scx-backports-scheds-rust-scx_layered-bpf_skel_genskel-bpf.bpf.o layered_dispatch 13944 13104 -840 (-6.02%)\nthird-party-scx-gefe21962f49a-__scx_layered_bpf_skel_genskel-bpf.bpf.o layered_dispatch 13825 12985 -840 (-6.08%)\nthird-party-scx-v1.0.16-__scx_lavd_bpf_skel_genskel-bpf.bpf.o lavd_enqueue 15501 13602 -1899 (-12.25%)\nthird-party-scx-v1.0.16-__scx_lavd_bpf_skel_genskel-bpf.bpf.o lavd_select_cpu 19814 16231 -3583 (-18.08%)\nthird-party-scx-v1.0.17-__scx_lavd_bpf_skel_genskel-bpf.bpf.o lavd_enqueue 15501 13602 -1899 (-12.25%)\nthird-party-scx-v1.0.17-__scx_lavd_bpf_skel_genskel-bpf.bpf.o lavd_select_cpu 19814 16231 -3583 (-18.08%)\nthird-party-scx-v1.0.17-__scx_layered_bpf_skel_genskel-bpf.bpf.o layered_dispatch 13976 13151 -825 (-5.90%)\nthird-party-scx-v1.0.18-__scx_lavd_bpf_skel_genskel-bpf.bpf.o lavd_dispatch 260628 237930 -22698 (-8.71%)\nthird-party-scx-v1.0.18-__scx_lavd_bpf_skel_genskel-bpf.bpf.o lavd_enqueue 13437 12225 -1212 (-9.02%)\nthird-party-scx-v1.0.18-__scx_lavd_bpf_skel_genskel-bpf.bpf.o lavd_select_cpu 17744 14730 -3014 (-16.99%)\nthird-party-scx-v1.0.19-10-6b1958477-__scx_lavd_bpf_skel_genskel-bpf.bpf.o lavd_cpu_offline 19676 18418 -1258 (-6.39%)\nthird-party-scx-v1.0.19-10-6b1958477-__scx_lavd_bpf_skel_genskel-bpf.bpf.o lavd_cpu_online 19674 18416 -1258 (-6.39%)\n...\n\nTotal progs: 1540\nOld success: 1492\nNew success: 1493\ntotal_insns diff min: -75.83%\ntotal_insns diff max: 73.60%\n0 -\u003e value: 0\nvalue -\u003e 0: 0\ntotal_insns abs max old: 434,763\ntotal_insns abs max new: 666,036\n -80 .. -70 %: 2\n -55 .. -50 %: 7\n -50 .. -45 %: 10\n -45 .. -35 %: 4\n -35 .. -25 %: 4\n -25 .. -20 %: 8\n -20 .. -15 %: 15\n -15 .. -10 %: 11\n -10 .. -5 %: 45\n -5 .. 0 %: 112\n 0 .. 5 %: 1316\n 5 .. 15 %: 2\n 15 .. 25 %: 1\n 25 .. 35 %: 1\n 55 .. 65 %: 1\n 70 .. 75 %: 1\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d cilium: master vs patch-set \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nFile Program Insns (A) Insns (B) Insns (DIFF)\n--------------- --------------------------------- --------- --------- ----------------\nbpf_host.o cil_host_policy 45801 32027 -13774 (-30.07%)\nbpf_host.o cil_to_netdev 100287 69042 -31245 (-31.16%)\nbpf_host.o tail_handle_ipv4_cont_from_host 60911 20962 -39949 (-65.59%)\nbpf_host.o tail_handle_ipv4_from_netdev 59735 33155 -26580 (-44.50%)\nbpf_host.o tail_handle_ipv6_cont_from_host 23529 17036 -6493 (-27.60%)\nbpf_host.o tail_handle_ipv6_from_host 11906 10303 -1603 (-13.46%)\nbpf_host.o tail_handle_ipv6_from_netdev 29778 23743 -6035 (-20.27%)\nbpf_host.o tail_handle_snat_fwd_ipv4 61616 67463 +5847 (+9.49%)\nbpf_host.o tail_handle_snat_fwd_ipv6 30802 22806 -7996 (-25.96%)\nbpf_host.o tail_ipv4_host_policy_ingress 20017 10528 -9489 (-47.40%)\nbpf_host.o tail_ipv6_host_policy_ingress 20693 17301 -3392 (-16.39%)\nbpf_host.o tail_nodeport_nat_egress_ipv4 16455 13684 -2771 (-16.84%)\nbpf_host.o tail_nodeport_nat_ingress_ipv4 36174 20080 -16094 (-44.49%)\nbpf_host.o tail_nodeport_nat_ingress_ipv6 48039 25779 -22260 (-46.34%)\nbpf_lxc.o tail_handle_ipv4 13765 10001 -3764 (-27.34%)\nbpf_lxc.o tail_handle_ipv4_cont 96891 68725 -28166 (-29.07%)\nbpf_lxc.o tail_handle_ipv6_cont 21809 17697 -4112 (-18.85%)\nbpf_lxc.o tail_ipv4_ct_egress 15949 17746 +1797 (+11.27%)\nbpf_lxc.o tail_nodeport_nat_egress_ipv4 16183 13432 -2751 (-17.00%)\nbpf_lxc.o tail_nodeport_nat_ingress_ipv4 18532 10697 -7835 (-42.28%)\nbpf_overlay.o tail_handle_inter_cluster_revsnat 15708 11099 -4609 (-29.34%)\nbpf_overlay.o tail_handle_ipv4 105672 76108 -29564 (-27.98%)\nbpf_overlay.o tail_handle_ipv6 15733 19944 +4211 (+26.77%)\nbpf_overlay.o tail_handle_snat_fwd_ipv4 19327 26468 +7141 (+36.95%)\nbpf_overlay.o tail_handle_snat_fwd_ipv6 20817 12556 -8261 (-39.68%)\nbpf_overlay.o tail_nodeport_nat_egress_ipv4 16175 12184 -3991 (-24.67%)\nbpf_overlay.o tail_nodeport_nat_ingress_ipv4 20760 11951 -8809 (-42.43%)\nbpf_wireguard.o tail_handle_ipv4 27466 28909 +1443 (+5.25%)\nbpf_wireguard.o tail_nodeport_nat_egress_ipv4 15937 12094 -3843 (-24.11%)\nbpf_wireguard.o tail_nodeport_nat_ingress_ipv4 20624 11993 -8631 (-41.85%)\nbpf_xdp.o tail_lb_ipv4 42673 60855 +18182 (+42.61%)\nbpf_xdp.o tail_lb_ipv6 87903 108585 +20682 (+23.53%)\nbpf_xdp.o tail_nodeport_nat_ingress_ipv4 28787 20991 -7796 (-27.08%)\nbpf_xdp.o tail_nodeport_nat_ingress_ipv6 207593 152012 -55581 (-26.77%)\n\nTotal progs: 134\nOld success: 134\nNew success: 134\ntotal_insns diff min: -65.59%\ntotal_insns diff max: 42.61%\n0 -\u003e value: 0\nvalue -\u003e 0: 0\ntotal_insns abs max old: 207,593\ntotal_insns abs max new: 152,012\n -70 .. -60 %: 1\n -50 .. -40 %: 7\n -40 .. -30 %: 9\n -30 .. -25 %: 9\n -25 .. -20 %: 12\n -20 .. -15 %: 7\n -15 .. -10 %: 14\n -10 .. -5 %: 6\n -5 .. 0 %: 16\n 0 .. 5 %: 42\n 5 .. 15 %: 5\n 15 .. 25 %: 2\n 25 .. 35 %: 2\n 35 .. 45 %: 2\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260410-patch-set-v4-0-5d4eecb343db@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "2cb27158adb38f1a78729e99f7469199d71c714a", "tree": "c5802af061e4ae3e25cb25ebb3ccd53039b3dffa", "parents": [ "27417e5eb9cd4151320866e0b2cca0c612f1cdf7" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 13:56:05 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 15:13:38 2026 -0700" }, "message": "bpf: poison dead stack slots\n\nAs a sanity check poison stack slots that stack liveness determined\nto be dead, so that any read from such slots will cause program rejection.\nIf stack liveness logic is incorrect the poison can cause\nvalid program to be rejected, but it also will prevent unsafe program\nto be accepted.\n\nAllow global subprogs \"read\" poisoned stack slots.\nThe static stack liveness determined that subprog doesn\u0027t read certain\nstack slots, but sizeof(arg_type) based global subprog validation\nisn\u0027t accurate enough to know which slots will actually be read by\nthe callee, so it needs to check full sizeof(arg_type) at the caller.\n\nSigned-off-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260410-patch-set-v4-14-5d4eecb343db@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "27417e5eb9cd4151320866e0b2cca0c612f1cdf7", "tree": "6b0c7bb4f9cf4d0a19c9f86629617bc15a9912bd", "parents": [ "957c30c06748ffe8ab20c242f1a5506447436d6e" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 13:56:04 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 15:13:38 2026 -0700" }, "message": "selftests/bpf: add new tests for static stack liveness analysis\n\nAdd a bunch of new tests to verify the static stack\nliveness analysis.\n\nSigned-off-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260410-patch-set-v4-13-5d4eecb343db@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "957c30c06748ffe8ab20c242f1a5506447436d6e", "tree": "2ff087a1c04eff4540a08f32c156051ac0ff46b3", "parents": [ "b42eb55f6ca29d9cc9d2239f8665cca5f16efecb" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 13:56:03 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 15:13:38 2026 -0700" }, "message": "selftests/bpf: adjust verifier_log buffers\n\nThe new liveness analysis in liveness.c adds verbose output at\nBPF_LOG_LEVEL2, making the verifier log for good_prog exceed the 1024-byte\nreference buffer. When the reference is truncated in fixed mode, the\nrolling mode captures the actual tail of the full log, which doesn\u0027t match\nthe truncated reference.\n\nThe fix is to increase the buffer sizes in the test.\n\nSigned-off-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260410-patch-set-v4-12-5d4eecb343db@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "b42eb55f6ca29d9cc9d2239f8665cca5f16efecb", "tree": "63540f836f8d1e5010322dc9c46e3913f80f027e", "parents": [ "2c167d91775b0928eba1d2b9b5483ede63ca7b2e" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 13:56:02 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 15:13:37 2026 -0700" }, "message": "selftests/bpf: update existing tests due to liveness changes\n\nThe verifier cleans all dead registers and stack slots in the current\nstate. Adjust expected output in tests or insert dummy stack/register\nreads. Also update verifier_live_stack tests to adhere to new logging\nscheme.\n\nSigned-off-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260410-patch-set-v4-11-5d4eecb343db@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "2c167d91775b0928eba1d2b9b5483ede63ca7b2e", "tree": "54837fd66693952938ddff677ab55d11b5241263", "parents": [ "6762e3a0bce5fce94bca3c34ff13cde6a07b87f3" ], "author": { "name": "Eduard Zingerman", "email": "eddyz87@gmail.com", "time": "Fri Apr 10 13:56:01 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 15:13:37 2026 -0700" }, "message": "bpf: change logging scheme for live stack analysis\n\nInstead of breadcrumbs like:\n\n (d2,cs15) frame 0 insn 18 +live -16\n (d2,cs15) frame 0 insn 17 +live -16\n\nPrint final accumulated stack use/def data per-func_instance\nper-instruction. printed func_instance\u0027s are ordered by callsite and\ndepth. For example:\n\n stack use/def subprog#0 shared_instance_must_write_overwrite (d0,cs0):\n 0: (b7) r1 \u003d 1\n 1: (7b) *(u64 *)(r10 -8) \u003d r1 ; def: fp0-8\n 2: (7b) *(u64 *)(r10 -16) \u003d r1 ; def: fp0-16\n 3: (bf) r1 \u003d r10\n 4: (07) r1 +\u003d -8\n 5: (bf) r2 \u003d r10\n 6: (07) r2 +\u003d -16\n 7: (85) call pc+7 ; use: fp0-8 fp0-16\n 8: (bf) r1 \u003d r10\n 9: (07) r1 +\u003d -16\n 10: (bf) r2 \u003d r10\n 11: (07) r2 +\u003d -8\n 12: (85) call pc+2 ; use: fp0-8 fp0-16\n 13: (b7) r0 \u003d 0\n 14: (95) exit\n stack use/def subprog#1 forwarding_rw (d1,cs7):\n 15: (85) call pc+1 ; use: fp0-8 fp0-16\n 16: (95) exit\n stack use/def subprog#1 forwarding_rw (d1,cs12):\n 15: (85) call pc+1 ; use: fp0-8 fp0-16\n 16: (95) exit\n stack use/def subprog#2 write_first_read_second (d2,cs15):\n 17: (7a) *(u64 *)(r1 +0) \u003d 42\n 18: (79) r0 \u003d *(u64 *)(r2 +0) ; use: fp0-8 fp0-16\n 19: (95) exit\n\nFor groups of three or more consecutive stack slots, abbreviate as\nfollows:\n\n 25: (85) call bpf_loop#181 ; use: fp2-8..-512 fp1-8..-512 fp0-8..-512\n\nSigned-off-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260410-patch-set-v4-10-5d4eecb343db@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "6762e3a0bce5fce94bca3c34ff13cde6a07b87f3", "tree": "56be6482916223b1bb74342ba08915f4b6e99e8a", "parents": [ "fed53dbcdb61b0fbb1cf1d5bbd68d10f97aec974" ], "author": { "name": "Eduard Zingerman", "email": "eddyz87@gmail.com", "time": "Fri Apr 10 13:56:00 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 15:13:20 2026 -0700" }, "message": "bpf: simplify liveness to use (callsite, depth) keyed func_instances\n\nRework func_instance identification and remove the dynamic liveness\nAPI, completing the transition to fully static stack liveness analysis.\n\nReplace callchain-based func_instance keys with (callsite, depth)\npairs. The full callchain (all ancestor callsites) is no longer part\nof the hash key; only the immediate callsite and the call depth\nmatter. This does not lose precision in practice and simplifies the\ndata structure significantly: struct callchain is removed entirely,\nfunc_instance stores just callsite, depth.\n\nDrop must_write_acc propagation. Previously, must_write marks were\naccumulated across successors and propagated to the caller via\npropagate_to_outer_instance(). Instead, callee entry liveness\n(live_before at subprog start) is pulled directly back to the\ncaller\u0027s callsite in analyze_subprog() after each callee returns.\n\nSince (callsite, depth) instances are shared across different call\nchains that invoke the same subprog at the same depth, must_write\nmarks from one call may be stale for another. To handle this,\nanalyze_subprog() records into a fresh_instance() when the instance\nwas already visited (must_write_initialized), then merge_instances()\ncombines the results: may_read is unioned, must_write is intersected.\nThis ensures only slots written on ALL paths through all call sites\nare marked as guaranteed writes.\nThis replaces commit_stack_write_marks() logic.\n\nSkip recursive descent into callees that receive no FP-derived\narguments (has_fp_args() check). This is needed because global\nsubprogram calls can push depth beyond MAX_CALL_FRAMES (max depth\nis 64 for global calls but only 8 frames are accommodated for FP\npassing). It also handles the case where a callback subprog cannot be\ndetermined by argument tracking: such callbacks will be processed by\nanalyze_subprog() at depth 0 independently.\n\nUpdate lookup_instance() (used by is_live_before queries) to search\nfor the func_instance with maximal depth at the corresponding\ncallsite, walking depth downward from frameno to 0. This accounts for\nthe fact that instance depth no longer corresponds 1:1 to\nbpf_verifier_state-\u003ecurframe, since skipped non-FP calls create gaps.\n\nRemove the dynamic public liveness API from verifier.c:\n - bpf_mark_stack_{read,write}(), bpf_reset/commit_stack_write_marks()\n - bpf_update_live_stack(), bpf_reset_live_stack_callchain()\n - All call sites in check_stack_{read,write}_fixed_off(),\n check_stack_range_initialized(), mark_stack_slot_obj_read(),\n mark/unmark_stack_slots_{dynptr,iter,irq_flag}()\n - The per-instruction write mark accumulation in do_check()\n - The bpf_update_live_stack() call in prepare_func_exit()\n\nmark_stack_read() and mark_stack_write() become static functions in\nliveness.c, called only from the static analysis pass. The\nfunc_instance-\u003eupdated and must_write_dropped flags are removed.\nRemove spis_single_slot(), spis_one_bit() helpers from bpf_verifier.h\nas they are no longer used.\n\nSigned-off-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nTested-by: Paul Chaignon \u003cpaul.chaignon@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260410-patch-set-v4-9-5d4eecb343db@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "fed53dbcdb61b0fbb1cf1d5bbd68d10f97aec974", "tree": "b1e670cd1d68c776cee3339f73f1975ed0c0f5fc", "parents": [ "bf0c571f7feb6fa05a512e2a5e50702501849d61" ], "author": { "name": "Eduard Zingerman", "email": "eddyz87@gmail.com", "time": "Fri Apr 10 13:55:59 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 15:06:14 2026 -0700" }, "message": "bpf: record arg tracking results in bpf_liveness masks\n\nAfter arg tracking reaches a fixed point, perform a single linear scan\nover the converged at_in[] state and translate each memory access into\nliveness read/write masks on the func_instance:\n\n- Load/store instructions: FP-derived pointer\u0027s frame and offset(s)\n are converted to half-slot masks targeting\n per_frame_masks-\u003e{may_read,must_write}\n\n- Helper/kfunc calls: record_call_access() queries\n bpf_helper_stack_access_bytes() / bpf_kfunc_stack_access_bytes()\n for each FP-derived argument to determine access size and direction.\n Unknown access size (S64_MIN) conservatively marks all slots from\n fp_off to fp+0 as read.\n\n- Imprecise pointers (frame \u003d\u003d ARG_IMPRECISE): conservatively mark\n all slots in every frame covered by the pointer\u0027s frame bitmask\n as fully read.\n\n- Static subprog calls with unresolved arguments: conservatively mark\n all frames as fully read.\n\nInstead of a call to clean_live_states(), start cleaning the current\nstate continuously as registers and stack become dead since the static\nanalysis provides complete liveness information. This makes\nclean_live_states() and bpf_verifier_state-\u003ecleaned unnecessary.\n\nSigned-off-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260410-patch-set-v4-8-5d4eecb343db@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "bf0c571f7feb6fa05a512e2a5e50702501849d61", "tree": "4b28e9e59142bebb7c6213d74ceae18f212e255a", "parents": [ "8d3219f64d98f4b6591063b15bfe102937b585be" ], "author": { "name": "Eduard Zingerman", "email": "eddyz87@gmail.com", "time": "Fri Apr 10 13:55:58 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 15:05:05 2026 -0700" }, "message": "bpf: introduce forward arg-tracking dataflow analysis\n\nThe analysis is a basis for static liveness tracking mechanism\nintroduced by the next two commits.\n\nA forward fixed-point analysis that tracks which frame\u0027s FP each\nregister value is derived from, and at what byte offset. This is\nneeded because a callee can receive a pointer to its caller\u0027s stack\nframe (e.g. r1 \u003d fp-16 at the call site), then do *(u64 *)(r1 + 0)\ninside the callee — a cross-frame stack access that the callee\u0027s local\nliveness must attribute to the caller\u0027s stack.\n\nEach register holds an arg_track value from a three-level lattice:\n- Precise {frame\u003dN, off\u003d[o1,o2,...]} — known frame index and\n up to 4 concrete byte offsets\n- Offset-imprecise {frame\u003dN, off_cnt\u003d0} — known frame, unknown offset\n- Fully-imprecise {frame\u003dARG_IMPRECISE, mask\u003dbitmask} — unknown frame,\n mask says which frames might be involved\n\nAt CFG merge points the lattice moves toward imprecision (same\nframe+offset stays precise, same frame different offsets merges offset\nsets or becomes offset-imprecise, different frames become\nfully-imprecise with OR\u0027d bitmask).\n\nThe analysis also tracks spills/fills to the callee\u0027s own stack\n(at_stack_in/out), so FP derived values spilled and reloaded.\n\nThis pass is run recursively per call site: when subprog A calls B\nwith specific FP-derived arguments, B is re-analyzed with those entry\nargs. The recursion follows analyze_subprog -\u003e compute_subprog_args -\u003e\n(for each call insn) -\u003e analyze_subprog. Subprogs that receive no\nFP-derived args are skipped during recursion and analyzed\nindependently at depth 0.\n\nSigned-off-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260410-patch-set-v4-7-5d4eecb343db@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "8d3219f64d98f4b6591063b15bfe102937b585be", "tree": "8f647790d005e33bd9d38a62ce1a7f7eba470bc5", "parents": [ "be23266b4a08540aa43d8503a2ea10247c8daebe" ], "author": { "name": "Eduard Zingerman", "email": "eddyz87@gmail.com", "time": "Fri Apr 10 13:55:57 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 15:05:03 2026 -0700" }, "message": "bpf: prepare liveness internal API for static analysis pass\n\nMove the `updated` check and reset from bpf_update_live_stack() into\nupdate_instance() itself, so callers outside the main loop can reuse\nit. Similarly, move write_insn_idx assignment out of\nreset_stack_write_marks() into its public caller, and thread insn_idx\nas a parameter to commit_stack_write_marks() instead of reading it\nfrom liveness-\u003ewrite_insn_idx. Drop the unused `env` parameter from\nalloc_frame_masks() and mark_stack_read().\n\nSigned-off-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260410-patch-set-v4-6-5d4eecb343db@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "be23266b4a08540aa43d8503a2ea10247c8daebe", "tree": "f4fb91695c70112f6cd236f609a48e619bfc283b", "parents": [ "7ca5f68cda073a6c4aa6135e98a27c7b2a731cdd" ], "author": { "name": "Eduard Zingerman", "email": "eddyz87@gmail.com", "time": "Fri Apr 10 13:55:56 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 15:04:59 2026 -0700" }, "message": "bpf: 4-byte precise clean_verifier_state\n\nMigrate clean_verifier_state() and its liveness queries from 8-byte\nSPI granularity to 4-byte half-slot granularity.\n\nIn __clean_func_state(), each SPI is cleaned in two independent\nhalves:\n - half_spi 2*i (lo): slot_type[0..3]\n - half_spi 2*i+1 (hi): slot_type[4..7]\n\nSlot types STACK_DYNPTR, STACK_ITER and STACK_IRQ_FLAG are never\ncleaned, as their slot type markers are required by\ndestroy_if_dynptr_stack_slot(), is_iter_reg_valid_uninit() and\nis_irq_flag_reg_valid_uninit() for correctness.\n\nWhen only the hi half is dead, spilled_ptr metadata is destroyed and\nthe lo half\u0027s STACK_SPILL bytes are downgraded to STACK_MISC or\nSTACK_ZERO. When only the lo half is dead, spilled_ptr is preserved\nbecause the hi half may still need it for state comparison.\n\nSigned-off-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260410-patch-set-v4-5-5d4eecb343db@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "7ca5f68cda073a6c4aa6135e98a27c7b2a731cdd", "tree": "e879d963ede17fce051ffc60ca99ec79dbbafd50", "parents": [ "2ad45b414b8779ba5c50f746fd767926cccde729" ], "author": { "name": "Eduard Zingerman", "email": "eddyz87@gmail.com", "time": "Fri Apr 10 13:55:55 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 15:04:56 2026 -0700" }, "message": "bpf: make liveness.c track stack with 4-byte granularity\n\nConvert liveness bitmask type from u64 to spis_t, doubling the number\nof trackable stack slots from 64 to 128 to support 4-byte granularity.\n\nEach 8-byte SPI now maps to two consecutive 4-byte sub-slots in the\nbitmask: spi*2 half and spi*2+1 half. In verifier.c,\ncheck_stack_write_fixed_off() now reports 4-byte aligned writes of\n4-byte writes as half-slot marks and 8-byte aligned 8-byte writes as\ntwo slots. Similar logic applied in check_stack_read_fixed_off().\n\nQueries (is_live_before) are not yet migrated to half-slot\ngranularity.\n\nSigned-off-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260410-patch-set-v4-4-5d4eecb343db@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "2ad45b414b8779ba5c50f746fd767926cccde729", "tree": "0889572d996f048ec51d828133080a60f582b41a", "parents": [ "cf3ee1ecf3466ddb978a58df9d5b638e7dff673d" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 13:55:54 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 15:04:51 2026 -0700" }, "message": "bpf: Add spis_*() helpers for 4-byte stack slot bitmasks\n\nAdd helper functions for manipulating u64[2] bitmasks that represent\n4-byte stack slot liveness. The 512-byte BPF stack is divided into\n128 4-byte slots, requiring 128 bits (two u64s) to track.\n\nThese will be used by the static stack liveness analysis in the\nnext commit.\n\nSigned-off-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260410-patch-set-v4-3-5d4eecb343db@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "cf3ee1ecf3466ddb978a58df9d5b638e7dff673d", "tree": "eaa351c104f50d22c9ea7c24eceff39eb7d2a0b5", "parents": [ "33dfc521c20d02375c8696dcace04037d2a865e6" ], "author": { "name": "Eduard Zingerman", "email": "eddyz87@gmail.com", "time": "Fri Apr 10 13:55:53 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 15:01:56 2026 -0700" }, "message": "bpf: save subprogram name in bpf_subprog_info\n\nSubprogram name can be computed from function info and BTF, but it is\nconvenient to have the name readily available for logging purposes.\nUpdate comment saying that bpf_subprog_info-\u003estart has to be the first\nfield, this is no longer true, relevant sites access .start field\nby it\u0027s name.\n\nSigned-off-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260410-patch-set-v4-2-5d4eecb343db@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "33dfc521c20d02375c8696dcace04037d2a865e6", "tree": "9a9faf01b9e533a504f6fd31ecb896539b4c4c66", "parents": [ "749b925802c2351ae7204e6960ca086e4c4e4fa7" ], "author": { "name": "Eduard Zingerman", "email": "eddyz87@gmail.com", "time": "Fri Apr 10 13:55:52 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 15:01:55 2026 -0700" }, "message": "bpf: share several utility functions as internal API\n\nNamely:\n- bpf_subprog_is_global\n- bpf_vlog_alignment\n\nAcked-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nSigned-off-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260410-patch-set-v4-1-5d4eecb343db@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "749b925802c2351ae7204e6960ca086e4c4e4fa7", "tree": "a1b5aa828eba7f5964aa1d0882d0e6fd0ec60ebc", "parents": [ "aacee214d57636fa1f63007c65f333b5ea75a7a0", "0e4dc6fbddb01b2ce0d0b4d67ad5f70e976bedcc" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 12:34:36 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 12:34:37 2026 -0700" }, "message": "Merge branch \u0027selftests-bpf-test-btf-sanitization\u0027\n\nAlan Maguire says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nselftests/bpf: Test BTF sanitization\n\nAllow simulation of missing BPF features through provision of\na synthetic feature cache set, and use this to simulate case\nwhere FEAT_BTF_LAYOUT is missing. Ensure sanitization leaves us\nwith expected BTF (layout info removed, layout header fields\nzeroed, strings data adjusted).\n\nSpecifying a feature cache with selected missing features will\nallow testing of other missing feature codepaths, but for now\nadd BTF layout sanitization test only.\n\nChanges since v2 [1]:\n\n- change zfree() to free() since we immediately assign the\n feat_cache (Jiri, patch 1)\n- \"goto out\" to avoid skeleton leak (Chengkaitao, patch 2)\n- just use kfree_skb__open() since we do not need to load\n skeleton\n\nChanges since v1 [2]:\n\n- renamed to bpf_object_set_feat_cache() (Andrii, patch 1)\n- remove __packed, relocate skeleton open/load, fix formatting\n issues (Andrii, patch 2)\n\n[1] https://lore.kernel.org/bpf/20260408105324.663280-1-alan.maguire@oracle.com/\n[2] https://lore.kernel.org/bpf/20260401164302.3844142-1-alan.maguire@oracle.com/\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260408165735.843763-1-alan.maguire@oracle.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "0e4dc6fbddb01b2ce0d0b4d67ad5f70e976bedcc", "tree": "a1b5aa828eba7f5964aa1d0882d0e6fd0ec60ebc", "parents": [ "7419fcadd1dcd5efb5771a2725f9a80dc90d9e5a" ], "author": { "name": "Alan Maguire", "email": "alan.maguire@oracle.com", "time": "Wed Apr 08 17:57:35 2026 +0100" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 12:34:36 2026 -0700" }, "message": "selftests/bpf: Add BTF sanitize test covering BTF layout\n\nAdd test that fakes up a feature cache of supported BPF\nfeatures to simulate an older kernel that does not support\nBTF layout information. Ensure that BTF is sanitized correctly\nto remove layout info between types and strings, and that all\noffsets and lengths are adjusted appropriately.\n\nSigned-off-by: Alan Maguire \u003calan.maguire@oracle.com\u003e\nLink: https://lore.kernel.org/r/20260408165735.843763-3-alan.maguire@oracle.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "7419fcadd1dcd5efb5771a2725f9a80dc90d9e5a", "tree": "a165ced8f0344efc8174470ab8a285dcdaa81253", "parents": [ "aacee214d57636fa1f63007c65f333b5ea75a7a0" ], "author": { "name": "Alan Maguire", "email": "alan.maguire@oracle.com", "time": "Wed Apr 08 17:57:34 2026 +0100" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 12:34:36 2026 -0700" }, "message": "libbpf: Allow use of feature cache for non-token cases\n\nAllow bpf object feat_cache assignment in BPF selftests\nto simulate missing features via inclusion of libbpf_internal.h\nand use of bpf_object_set_feat_cache() and bpf_object__sanitize_btf() to\ntest BTF sanitization for cases where missing features are simulated.\n\nSigned-off-by: Alan Maguire \u003calan.maguire@oracle.com\u003e\nLink: https://lore.kernel.org/r/20260408165735.843763-2-alan.maguire@oracle.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "aacee214d57636fa1f63007c65f333b5ea75a7a0", "tree": "bbd1b14a95f5ef566efaacebfb500daf3128d3af", "parents": [ "4406942e65ca128c56c67443832988873c21d2e9" ], "author": { "name": "Venkat Rao Bagalkote", "email": "venkat88@linux.ibm.com", "time": "Fri Apr 10 16:24:04 2026 +0530" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 12:32:53 2026 -0700" }, "message": "selftests/bpf: Remove test_access_variable_array\n\ntest_access_variable_array relied on accessing struct sched_domain::span\nto validate variable-length array handling via BTF. Recent scheduler\nrefactoring removed or hid this field, causing the test\nto fail to build.\n\nGiven that this test depends on internal scheduler structures that are\nsubject to refactoring, and equivalent variable-length array coverage\nalready exists via bpf_testmod-based tests, remove\ntest_access_variable_array entirely.\n\nLink: https://lore.kernel.org/all/177434340048.1647592.8586759362906719839.tip-bot2@tip-bot2/\n\nSigned-off-by: Venkat Rao Bagalkote \u003cvenkat88@linux.ibm.com\u003e\nTested-by: Naveen Kumar Thummalapenta \u003cnaveen66@linux.ibm.com\u003e\nLink: https://lore.kernel.org/r/20260410105404.91126-1-venkat88@linux.ibm.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "4406942e65ca128c56c67443832988873c21d2e9", "tree": "651caef99f01b8feaced9a46768c4a0618c2c791", "parents": [ "ae1a82e5112e568f66cbbf2a15ea103940138dee" ], "author": { "name": "Sechang Lim", "email": "rhkrqnwk98@gmail.com", "time": "Tue Apr 07 10:38:23 2026 +0000" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 12:10:06 2026 -0700" }, "message": "bpf: Fix RCU stall in bpf_fd_array_map_clear()\n\nAdd a missing cond_resched() in bpf_fd_array_map_clear() loop.\n\nFor PROG_ARRAY maps with many entries this loop calls\nprog_array_map_poke_run() per entry which can be expensive, and\nwithout yielding this can cause RCU stalls under load:\n\n rcu: Stack dump where RCU GP kthread last ran:\n CPU: 0 UID: 0 PID: 30932 Comm: kworker/0:2 Not tainted 6.14.0-13195-g967e8def1100 #2 PREEMPT(undef)\n Workqueue: events prog_array_map_clear_deferred\n RIP: 0010:write_comp_data+0x38/0x90 kernel/kcov.c:246\n Call Trace:\n \u003cTASK\u003e\n prog_array_map_poke_run+0x77/0x380 kernel/bpf/arraymap.c:1096\n __fd_array_map_delete_elem+0x197/0x310 kernel/bpf/arraymap.c:925\n bpf_fd_array_map_clear kernel/bpf/arraymap.c:1000 [inline]\n prog_array_map_clear_deferred+0x119/0x1b0 kernel/bpf/arraymap.c:1141\n process_one_work+0x898/0x19d0 kernel/workqueue.c:3238\n process_scheduled_works kernel/workqueue.c:3319 [inline]\n worker_thread+0x770/0x10b0 kernel/workqueue.c:3400\n kthread+0x465/0x880 kernel/kthread.c:464\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:153\n ret_from_fork_asm+0x19/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nReviewed-by: Sun Jian \u003csun.jian.kdev@gmail.com\u003e\nFixes: da765a2f5993 (\"bpf: Add poke dependency tracking for prog array maps\")\nSigned-off-by: Sechang Lim \u003crhkrqnwk98@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260407103823.3942156-1-rhkrqnwk98@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "ae1a82e5112e568f66cbbf2a15ea103940138dee", "tree": "b56b6ad62966a92ed2976ab04d50f345066190b6", "parents": [ "a0c584fc18056709c8e047a82a6045d6c209f4ce", "4cbee026db54cad39c39db4d356100cb133412b3" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 12:05:16 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 12:05:16 2026 -0700" }, "message": "Merge branch \u0027bpf-fix-and-improve-open-coded-task_vma-iterator\u0027\n\nPuranjay Mohan says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nbpf: fix and improve open-coded task_vma iterator\n\nChangelog:\nv5: https://lore.kernel.org/all/20260326151111.4002475-1-puranjay@kernel.org/\nChanges in v6:\n- Replace local_irq_disable() + get_task_mm() with spin_trylock() on\n alloc_lock to avoid a softirq deadlock: if the target task holds its\n alloc_lock and gets interrupted, a softirq BPF program iterating\n that task would deadlock on task_lock() (Gemini)\n- Gate on CONFIG_MMU in patch 1 so that the mmput() fallback in\n bpf_iter_mmput_async() cannot sleep in non-sleepable BPF context\n on NOMMU; patch 2 tightens this to CONFIG_PER_VMA_LOCK (Gemini)\n- Merge the split if (irq_work_busy) / if (!mmap_read_trylock())\n back into a single if statement in patch 1 (Andrii)\n- Flip comparison direction in bpf_iter_task_vma_find_next() so both\n the locked and unlocked VMA failure cases read consistently:\n end \u003c\u003d next_addr → PAGE_SIZE, else - use end (Andrii)\n- Add Acked-by from Andrii on patch 3\n\nv4: https://lore.kernel.org/all/20260316185736.649940-1-puranjay@kernel.org/\nChanges in v5:\n- Use get_task_mm() instead of a lockless task-\u003emm read followed by\n mmget_not_zero() to fix a use-after-free: mm_struct is not\n SLAB_TYPESAFE_BY_RCU, so the lockless pointer can go stale (AI)\n- Add a local bpf_iter_mmput_async() wrapper with #ifdef CONFIG_MMU\n to avoid modifying fork.c and sched/mm.h outside the BPF tree\n- Drop the fork.c and sched/mm.h changes that widened the\n mmput_async() #if guard\n- Disable IRQs around get_task_mm() to prevent raw tracepoint\n re-entrancy from deadlocking on task_lock()\n\nv3: https://lore.kernel.org/all/20260311225726.808332-1-puranjay@kernel.org/\nChanges in v4:\n- Disable task_vma iterator in irq_disabled() contexts to mitigate deadlocks (Alexei)\n- Use a helper function to reset the snapshot (Andrii)\n- Remove the redundant snap-\u003evm_mm \u003d kit-\u003edata-\u003emm; (Andrii)\n- Remove all irq_work deferral as the iterator will not work in\n irq_disabled() sections anymore and _new() will return -EBUSY early.\n\nv2: https://lore.kernel.org/all/20260309155506.23490-1-puranjay@kernel.org/\nChanges in v3:\n- Remove the rename patch 1 (Andrii)\n- Put the irq_work in the iter data, per-cpu slot is not needed (Andrii)\n- Remove the unnecessary !in_hardirq() in the deferral path (Alexei)\n- Use PAGE_SIZE advancement in case vma shrinks back to maintain the\n forward progress guarantee (AI)\n\nv1: https://lore.kernel.org/all/20260304142026.1443666-1-puranjay@kernel.org/\nChanges in v2:\n- Add a preparatory patch to rename mmap_unlock_irq_work to\n bpf_iter_mm_irq_work (Mykyta)\n- Fix bpf_iter_mmput() to also defer for IRQ disabled regions (Alexei)\n- Fix a build issue where mmpu_async() is not available without\n CONFIG_MMU (kernel test robot)\n- Reuse mmap_unlock_irq_work (after rename) for mmput (Mykyta)\n- Move vma lookup (retry block) to a separate function (Mykyta)\n\nThis series fixes the mm lifecycle handling in the open-coded task_vma\nBPF iterator and switches it from mmap_lock to per-VMA locking to reduce\ncontention. It then fixes a deadlock that is caused by holding locks\naccross the body of the iterator where faulting is allowed.\n\nPatch 1 fixes a use-after-free where task-\u003emm was read locklessly and\ncould be freed before the iterator used it. It uses a trylock on\nalloc_lock to safely read task-\u003emm and acquire an mm reference, and\ndisables the iterator in irq_disabled() contexts by returning -EBUSY\nfrom _new().\n\nPatch 2 switches from holding mmap_lock for the entire iteration to\nper-VMA locking via lock_vma_under_rcu(). This still doesn\u0027t fix the\ndeadlock problem because holding the per-vma lock for the whole\niteration can still cause lock ordering issues when a faultable helper\nis called in the body of the iterator.\n\nPatch 3 resolves the lock ordering problems caused by holding the\nper-VMA lock or the mmap_lock (not applicable after patch 2) across BPF\nprogram execution. It snapshots VMA fields under the lock, then drops\nthe lock before returning to the BPF program. File references are\nmanaged via get_file()/fput() across iterations.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260408154539.3832150-1-puranjay@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "4cbee026db54cad39c39db4d356100cb133412b3", "tree": "b56b6ad62966a92ed2976ab04d50f345066190b6", "parents": [ "bee9ef4a40a277bf401be43d39ba7f7f063cf39c" ], "author": { "name": "Puranjay Mohan", "email": "puranjay@kernel.org", "time": "Wed Apr 08 08:45:37 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 12:05:16 2026 -0700" }, "message": "bpf: return VMA snapshot from task_vma iterator\n\nHolding the per-VMA lock across the BPF program body creates a lock\nordering problem when helpers acquire locks that depend on mmap_lock:\n\n vm_lock -\u003e i_rwsem -\u003e mmap_lock -\u003e vm_lock\n\nSnapshot the VMA under the per-VMA lock in _next() via memcpy(), then\ndrop the lock before returning. The BPF program accesses only the\nsnapshot.\n\nThe verifier only trusts vm_mm and vm_file pointers (see\nBTF_TYPE_SAFE_TRUSTED_OR_NULL in verifier.c). vm_file is reference-\ncounted with get_file() under the lock and released via fput() on the\nnext iteration or in _destroy(). vm_mm is already correct because\nlock_vma_under_rcu() verifies vma-\u003evm_mm \u003d\u003d mm. All other pointers\nare left as-is by memcpy() since the verifier treats them as untrusted.\n\nFixes: 4ac454682158 (\"bpf: Introduce task_vma open-coded iterator kfuncs\")\nSigned-off-by: Puranjay Mohan \u003cpuranjay@kernel.org\u003e\nAcked-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\nAcked-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nLink: https://lore.kernel.org/r/20260408154539.3832150-4-puranjay@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "bee9ef4a40a277bf401be43d39ba7f7f063cf39c", "tree": "7b18af20121c31ba3b3266419454214e2ad9d6d0", "parents": [ "d8e27d2d22b6e2df3a0125b8c08e9aace38c954c" ], "author": { "name": "Puranjay Mohan", "email": "puranjay@kernel.org", "time": "Wed Apr 08 08:45:36 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 12:05:16 2026 -0700" }, "message": "bpf: switch task_vma iterator from mmap_lock to per-VMA locks\n\nThe open-coded task_vma iterator holds mmap_lock for the entire duration\nof iteration, increasing contention on this highly contended lock.\n\nSwitch to per-VMA locking. Find the next VMA via an RCU-protected maple\ntree walk and lock it with lock_vma_under_rcu(). lock_next_vma() is not\nused because its fallback takes mmap_read_lock(), and the iterator must\nwork in non-sleepable contexts.\n\nlock_vma_under_rcu() is a point lookup (mas_walk) that finds the VMA\ncontaining a given address but cannot iterate across gaps. An\nRCU-protected vma_next() walk (mas_find) first locates the next VMA\u0027s\nvm_start to pass to lock_vma_under_rcu().\n\nBetween the RCU walk and the lock, the VMA may be removed, shrunk, or\nwrite-locked. On failure, advance past it using vm_end from the RCU\nwalk. Because the VMA slab is SLAB_TYPESAFE_BY_RCU, vm_end may be\nstale; fall back to PAGE_SIZE advancement when it does not make forward\nprogress. Concurrent VMA insertions at addresses already passed by the\niterator are not detected.\n\nCONFIG_PER_VMA_LOCK is required; return -EOPNOTSUPP without it.\n\nSigned-off-by: Puranjay Mohan \u003cpuranjay@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260408154539.3832150-3-puranjay@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "d8e27d2d22b6e2df3a0125b8c08e9aace38c954c", "tree": "a49aa57d1c9d568201d277ec1abd950a6f3ac8e3", "parents": [ "a0c584fc18056709c8e047a82a6045d6c209f4ce" ], "author": { "name": "Puranjay Mohan", "email": "puranjay@kernel.org", "time": "Wed Apr 08 08:45:35 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 10 12:05:16 2026 -0700" }, "message": "bpf: fix mm lifecycle in open-coded task_vma iterator\n\nThe open-coded task_vma iterator reads task-\u003emm locklessly and acquires\nmmap_read_trylock() but never calls mmget(). If the task exits\nconcurrently, the mm_struct can be freed as it is not\nSLAB_TYPESAFE_BY_RCU, resulting in a use-after-free.\n\nSafely read task-\u003emm with a trylock on alloc_lock and acquire an mm\nreference. Drop the reference via bpf_iter_mmput_async() in _destroy()\nand error paths. bpf_iter_mmput_async() is a local wrapper around\nmmput_async() with a fallback to mmput() on !CONFIG_MMU.\n\nReject irqs-disabled contexts (including NMI) up front. Operations used\nby _next() and _destroy() (mmap_read_unlock, bpf_iter_mmput_async)\ntake spinlocks with IRQs disabled (pool-\u003elock, pi_lock). Running from\nNMI or from a tracepoint that fires with those locks held could\ndeadlock.\n\nA trylock on alloc_lock is used instead of the blocking task_lock()\n(get_task_mm) to avoid a deadlock when a softirq BPF program iterates\na task that already holds its alloc_lock on the same CPU.\n\nFixes: 4ac454682158 (\"bpf: Introduce task_vma open-coded iterator kfuncs\")\nSigned-off-by: Puranjay Mohan \u003cpuranjay@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260408154539.3832150-2-puranjay@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "a0c584fc18056709c8e047a82a6045d6c209f4ce", "tree": "a780e409a1b0a22c10f51f529e534ff5469b9d7d", "parents": [ "8697bdd67be87fc007c1ea2f98a59e29ae902170" ], "author": { "name": "Jiayuan Chen", "email": "jiayuan.chen@linux.dev", "time": "Thu Apr 09 10:37:32 2026 +0800" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 09 13:24:32 2026 -0700" }, "message": "bpf: Fix use-after-free in offloaded map/prog info fill\n\nWhen querying info for an offloaded BPF map or program,\nbpf_map_offload_info_fill_ns() and bpf_prog_offload_info_fill_ns()\nobtain the network namespace with get_net(dev_net(offmap-\u003enetdev)).\nHowever, the associated netdev\u0027s netns may be racing with teardown\nduring netns destruction. If the netns refcount has already reached 0,\nget_net() performs a refcount_t increment on 0, triggering:\n\n refcount_t: addition on 0; use-after-free.\n\nAlthough rtnl_lock and bpf_devs_lock ensure the netdev pointer remains\nvalid, they cannot prevent the netns refcount from reaching zero.\n\nFix this by using maybe_get_net() instead of get_net(). maybe_get_net()\nuses refcount_inc_not_zero() and returns NULL if the refcount is already\nzero, which causes ns_get_path_cb() to fail and the caller to return\n-ENOENT -- the correct behavior when the netns is being destroyed.\n\nFixes: 675fc275a3a2d (\"bpf: offload: report device information for offloaded programs\")\nFixes: 52775b33bb507 (\"bpf: offload: report device information about offloaded maps\")\nReported-by: Yinhao Hu \u003cdddddd@hust.edu.cn\u003e\nReported-by: Kaiyan Mei \u003cM202472210@hust.edu.cn\u003e\nReviewed-by: Dongliang Mu \u003cdzm91@hust.edu.cn\u003e\nCloses: https://lore.kernel.org/bpf/f0aa3678-79c9-47ae-9e8c-02a3d1df160a@hust.edu.cn/\nSigned-off-by: Jiayuan Chen \u003cjiayuan.chen@linux.dev\u003e\nAcked-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260409023733.168050-1-jiayuan.chen@linux.dev\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "8697bdd67be87fc007c1ea2f98a59e29ae902170", "tree": "b6115590a5a53980f738451f151f336de528781f", "parents": [ "9f118095dd341885dbc3f1cd6a028414da099aba" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Thu Apr 09 17:50:16 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 09 13:11:31 2026 -0700" }, "message": "selftests/bpf: Add test for stale pkt range after scalar arithmetic\n\nExtend the verifier_direct_packet_access BPF selftests to exercise the\nverifier code paths which ensure that the pkt range is cleared after\nadd/sub alu with a known scalar. The tests reject the invalid access.\n\n # LDLIBS\u003d-static PKG_CONFIG\u003d\u0027pkg-config --static\u0027 ./vmtest.sh -- ./test_progs -t verifier_direct\n [...]\n #592/35 verifier_direct_packet_access/direct packet access: pkt_range cleared after sub with known scalar:OK\n #592/36 verifier_direct_packet_access/direct packet access: pkt_range cleared after add with known scalar:OK\n #592/37 verifier_direct_packet_access/direct packet access: test3:OK\n #592/38 verifier_direct_packet_access/direct packet access: test3 @unpriv:OK\n #592/39 verifier_direct_packet_access/direct packet access: test34 (non-linear, cgroup_skb/ingress, too short eth):OK\n #592/40 verifier_direct_packet_access/direct packet access: test35 (non-linear, cgroup_skb/ingress, too short 1):OK\n #592/41 verifier_direct_packet_access/direct packet access: test36 (non-linear, cgroup_skb/ingress, long enough):OK\n #592 verifier_direct_packet_access:OK\n [...]\n Summary: 2/47 PASSED, 0 SKIPPED, 0 FAILED\n\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260409155016.536608-2-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "9f118095dd341885dbc3f1cd6a028414da099aba", "tree": "6afecdbc7c616ad74ac623771cb2421796b07a46", "parents": [ "e0fcb42bc6f41bab2895757d6610616b3820eff7" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Thu Apr 09 17:50:15 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 09 13:11:31 2026 -0700" }, "message": "bpf: Drop pkt_end markers on arithmetic to prevent is_pkt_ptr_branch_taken\n\nWhen a pkt pointer acquires AT_PKT_END or BEYOND_PKT_END range from\na comparison, and then, known-constant arithmetic is performed,\nadjust_ptr_min_max_vals() copies the stale range via dst_reg-\u003eraw \u003d\nptr_reg-\u003eraw without clearing the negative reg-\u003erange sentinel values.\n\nThis lets is_pkt_ptr_branch_taken() choose one branch direction and\nskip going through the other. Fix this by clearing negative pkt range\nvalues (that is, AT_PKT_END and BEYOND_PKT_END) after arithmetic on\npkt pointers. This ensures is_pkt_ptr_branch_taken() returns unknown\nand both branches are properly verified.\n\nFixes: 6d94e741a8ff (\"bpf: Support for pointers beyond pkt_end.\")\nReported-by: STAR Labs SG \u003cinfo@starlabs.sg\u003e\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260409155016.536608-1-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "e0fcb42bc6f41bab2895757d6610616b3820eff7", "tree": "ed0004e0056c51e8e3f6cc4a61191777d43427cf", "parents": [ "9dba0ae973e75051b63cbdd5b3532bb24aa63b3f" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Wed Apr 08 21:12:42 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Wed Apr 08 18:43:28 2026 -0700" }, "message": "selftests/bpf: Add tests for ld_{abs,ind} failure path in subprogs\n\nExtend the verifier_ld_ind BPF selftests with subprogs containing\nld_{abs,ind} and craft the test in a way where the invalid register\nread is rejected in the fixed case. Also add a success case each,\nand add additional coverage related to the BTF return type enforcement.\n\n # LDLIBS\u003d-static PKG_CONFIG\u003d\u0027pkg-config --static\u0027 ./vmtest.sh -- ./test_progs -t verifier_ld_ind\n [...]\n #611/1 verifier_ld_ind/ld_ind: check calling conv, r1:OK\n #611/2 verifier_ld_ind/ld_ind: check calling conv, r1 @unpriv:OK\n #611/3 verifier_ld_ind/ld_ind: check calling conv, r2:OK\n #611/4 verifier_ld_ind/ld_ind: check calling conv, r2 @unpriv:OK\n #611/5 verifier_ld_ind/ld_ind: check calling conv, r3:OK\n #611/6 verifier_ld_ind/ld_ind: check calling conv, r3 @unpriv:OK\n #611/7 verifier_ld_ind/ld_ind: check calling conv, r4:OK\n #611/8 verifier_ld_ind/ld_ind: check calling conv, r4 @unpriv:OK\n #611/9 verifier_ld_ind/ld_ind: check calling conv, r5:OK\n #611/10 verifier_ld_ind/ld_ind: check calling conv, r5 @unpriv:OK\n #611/11 verifier_ld_ind/ld_ind: check calling conv, r7:OK\n #611/12 verifier_ld_ind/ld_ind: check calling conv, r7 @unpriv:OK\n #611/13 verifier_ld_ind/ld_abs: subprog early exit on ld_abs failure:OK\n #611/14 verifier_ld_ind/ld_ind: subprog early exit on ld_ind failure:OK\n #611/15 verifier_ld_ind/ld_abs: subprog with both paths safe:OK\n #611/16 verifier_ld_ind/ld_ind: subprog with both paths safe:OK\n #611/17 verifier_ld_ind/ld_abs: reject void return subprog:OK\n #611/18 verifier_ld_ind/ld_ind: reject void return subprog:OK\n #611 verifier_ld_ind:OK\n Summary: 1/18 PASSED, 0 SKIPPED, 0 FAILED\n\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260408191242.526279-4-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "9dba0ae973e75051b63cbdd5b3532bb24aa63b3f", "tree": "ffd6fe3c142d5d1447102260bd39bceea183082a", "parents": [ "ee861486e377edc55361c08dcbceab3f6b6577bd" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Wed Apr 08 21:12:41 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Wed Apr 08 18:43:28 2026 -0700" }, "message": "bpf: Remove static qualifier from local subprog pointer\n\nThe local subprog pointer in create_jt() and visit_abnormal_return_insn()\nwas declared static.\n\nIt is unconditionally assigned via bpf_find_containing_subprog() before\nevery use. Thus, the static qualifier serves no purpose and rather creates\nconfusion. Just remove it.\n\nFixes: e40f5a6bf88a (\"bpf: correct stack liveness for tail calls\")\nFixes: 493d9e0d6083 (\"bpf, x86: add support for indirect jumps\")\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nAcked-by: Anton Protopopov \u003ca.s.protopopov@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260408191242.526279-3-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "ee861486e377edc55361c08dcbceab3f6b6577bd", "tree": "dd20440c32c8909b48d0b28c47854a8509663994", "parents": [ "6bd96e40f31dde8f8cd79772b4df0f171cf8a915" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Wed Apr 08 21:12:40 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Wed Apr 08 18:43:28 2026 -0700" }, "message": "bpf: Fix ld_{abs,ind} failure path analysis in subprogs\n\nUsage of ld_{abs,ind} instructions got extended into subprogs some time\nago via commit 09b28d76eac4 (\"bpf: Add abnormal return checks.\"). These\nare only allowed in subprograms when the latter are BTF annotated and\nhave scalar return types.\n\nThe code generator in bpf_gen_ld_abs() has an abnormal exit path (r0\u003d0 +\nexit) from legacy cBPF times. While the enforcement is on scalar return\ntypes, the verifier must also simulate the path of abnormal exit if the\npacket data load via ld_{abs,ind} failed.\n\nThis is currently not the case. Fix it by having the verifier simulate\nboth success and failure paths, and extend it in similar ways as we do\nfor tail calls. The success path (r0\u003dunknown, continue to next insn) is\npushed onto stack for later validation and the r0\u003d0 and return to the\ncaller is done on the fall-through side.\n\nFixes: 09b28d76eac4 (\"bpf: Add abnormal return checks.\")\nReported-by: STAR Labs SG \u003cinfo@starlabs.sg\u003e\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260408191242.526279-2-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "6bd96e40f31dde8f8cd79772b4df0f171cf8a915", "tree": "88647dba27bbfce6b9a248c3dacde39e0a2fab8f", "parents": [ "c7cab53f9d5273f0cf2a26bdf178c4e074bdfb50" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Wed Apr 08 21:12:39 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Wed Apr 08 18:43:28 2026 -0700" }, "message": "bpf: Propagate error from visit_tailcall_insn\n\nCommit e40f5a6bf88a (\"bpf: correct stack liveness for tail calls\") added\nvisit_tailcall_insn() but did not check its return value.\n\nFixes: e40f5a6bf88a (\"bpf: correct stack liveness for tail calls\")\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260408191242.526279-1-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "c7cab53f9d5273f0cf2a26bdf178c4e074bdfb50", "tree": "35bc78c048a8b305e7b8c5b8cd08e28d35d06f2b", "parents": [ "4f64d5b66418b7f5967b7f7614d6107bb1fba705" ], "author": { "name": "Varun R Mallya", "email": "varunrmallya@gmail.com", "time": "Thu Apr 09 00:31:37 2026 +0530" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Wed Apr 08 18:15:56 2026 -0700" }, "message": "selftests/bpf: Add test to ensure kprobe_multi is not sleepable\n\nAdd a selftest to ensure that kprobe_multi programs cannot be attached\nusing the BPF_F_SLEEPABLE flag. This test succeeds when the kernel\nrejects attachment of kprobe_multi when the BPF_F_SLEEPABLE flag is set.\n\nSuggested-by: Leon Hwang \u003cleon.hwang@linux.dev\u003e\nSigned-off-by: Varun R Mallya \u003cvarunrmallya@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260408190137.101418-3-varunrmallya@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "4f64d5b66418b7f5967b7f7614d6107bb1fba705", "tree": "73d7684cee8f222e1074bf01bb703b3deb857bf3", "parents": [ "fbb98834a9221de850a3b1afd78a25473685f9b5" ], "author": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Wed Apr 08 04:13:54 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Wed Apr 08 18:09:56 2026 -0700" }, "message": "bpf: Make find_linfo widely available\n\nMove find_linfo() as bpf_find_linfo() into core.c to allow for its use\nin the verifier in subsequent patches.\n\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nAcked-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nLink: https://lore.kernel.org/r/20260408021359.3786905-4-memxor@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "fbb98834a9221de850a3b1afd78a25473685f9b5", "tree": "2da5d45c45db5bb3330def1b4a528f25bcbfbf95", "parents": [ "5c662b1c1789f51f79ee9c648681abc8410dfa81" ], "author": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Wed Apr 08 04:13:53 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Wed Apr 08 18:09:56 2026 -0700" }, "message": "bpf: Extract bpf_get_linfo_file_line\n\nExtract bpf_get_linfo_file_line as its own function so that the logic to\nobtain the file, line, and line number for a given program can be shared\nin subsequent patches.\n\nReviewed-by: Puranjay Mohan \u003cpuranjay@kernel.org\u003e\nAcked-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260408021359.3786905-3-memxor@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "5c662b1c1789f51f79ee9c648681abc8410dfa81", "tree": "590e028c6fc8da35c26eb81087939bd7b79c4dda", "parents": [ "cac16ce1e3786bd98cec0c108e3bc06ed3d3c6a9", "4cfb09a38357dc1ae1082eb80aabd477d7c24b18" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Apr 07 18:20:49 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Apr 07 18:20:50 2026 -0700" }, "message": "Merge branch \u0027allow-referenced-dynptr-to-be-overwritten-when-siblings-exists\u0027\n\nAmery Hung says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nAllow referenced dynptr to be overwritten when siblings exists\n\nThe patchset conditionally allow a referenced dynptr to be overwritten\nwhen its siblings (original dynptr or dynptr clone) exist. Do it before\nthe verifier relation tracking refactor to mimimize verifier changes at\na time.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260406150548.1354271-1-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "4cfb09a38357dc1ae1082eb80aabd477d7c24b18", "tree": "590e028c6fc8da35c26eb81087939bd7b79c4dda", "parents": [ "017f5c4ef73c99ab4cdda3470a5310dc42094949" ], "author": { "name": "Amery Hung", "email": "ameryhung@gmail.com", "time": "Mon Apr 06 08:05:48 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Apr 07 18:20:49 2026 -0700" }, "message": "selftests/bpf: Test overwriting referenced dynptr\n\nTest overwriting referenced dynptr and clones to make sure it is only\nallow when there is at least one other dynptr with the same ref_obj_id.\nAlso make sure slice is still invalidated after the dynptr\u0027s stack slot\nis destroyed.\n\nSigned-off-by: Amery Hung \u003cameryhung@gmail.com\u003e\nAcked-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260406150548.1354271-3-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "017f5c4ef73c99ab4cdda3470a5310dc42094949", "tree": "ccd3f9ac463621b21abdca7288e21226af1ca461", "parents": [ "cac16ce1e3786bd98cec0c108e3bc06ed3d3c6a9" ], "author": { "name": "Amery Hung", "email": "ameryhung@gmail.com", "time": "Mon Apr 06 08:05:47 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Apr 07 18:20:49 2026 -0700" }, "message": "bpf: Allow overwriting referenced dynptr when refcnt \u003e 1\n\nThe verifier currently does not allow overwriting a referenced dynptr\u0027s\nstack slot to prevent resource leak. This is because referenced dynptr\nholds additional resources that requires calling specific helpers to\nrelease. This limitation can be relaxed when there are multiple copies\nof the same dynptr. Whether it is the orignial dynptr or one of its\nclones, as long as there exists at least one other dynptr with the same\nref_obj_id (to be used to release the reference), its stack slot should\nbe allowed to be overwritten.\n\nSuggested-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\nSigned-off-by: Amery Hung \u003cameryhung@gmail.com\u003e\nAcked-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260406150548.1354271-2-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "cac16ce1e3786bd98cec0c108e3bc06ed3d3c6a9", "tree": "d929cd8ca4e22ed43ee80c4236b5ea9fa5e8b8f4", "parents": [ "ed2eecdc0c6613353bc1565e900d2b23237713da" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Tue Apr 07 21:24:21 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Apr 07 18:15:43 2026 -0700" }, "message": "selftests/bpf: Add tests for stale delta leaking through id reassignment\n\nExtend the verifier_linked_scalars BPF selftest with a stale delta test\nsuch that the div-by-zero path is rejected in the fixed case.\n\n # LDLIBS\u003d-static PKG_CONFIG\u003d\u0027pkg-config --static\u0027 ./vmtest.sh -- ./test_progs -t verifier_linked_scalars\n [...]\n ./test_progs -t verifier_linked_scalars\n #612/1 verifier_linked_scalars/scalars: find linked scalars:OK\n #612/2 verifier_linked_scalars/sync_linked_regs_preserves_id:OK\n #612/3 verifier_linked_scalars/scalars_neg:OK\n #612/4 verifier_linked_scalars/scalars_neg_sub:OK\n #612/5 verifier_linked_scalars/scalars_neg_alu32_add:OK\n #612/6 verifier_linked_scalars/scalars_neg_alu32_sub:OK\n #612/7 verifier_linked_scalars/scalars_pos:OK\n #612/8 verifier_linked_scalars/scalars_sub_neg_imm:OK\n #612/9 verifier_linked_scalars/scalars_double_add:OK\n #612/10 verifier_linked_scalars/scalars_sync_delta_overflow:OK\n #612/11 verifier_linked_scalars/scalars_sync_delta_overflow_large_range:OK\n #612/12 verifier_linked_scalars/scalars_alu32_big_offset:OK\n #612/13 verifier_linked_scalars/scalars_alu32_basic:OK\n #612/14 verifier_linked_scalars/scalars_alu32_wrap:OK\n #612/15 verifier_linked_scalars/scalars_alu32_zext_linked_reg:OK\n #612/16 verifier_linked_scalars/scalars_alu32_alu64_cross_type:OK\n #612/17 verifier_linked_scalars/scalars_alu32_alu64_regsafe_pruning:OK\n #612/18 verifier_linked_scalars/alu32_negative_offset:OK\n #612/19 verifier_linked_scalars/spurious_precision_marks:OK\n #612/20 verifier_linked_scalars/scalars_self_add_clears_id:OK\n #612/21 verifier_linked_scalars/scalars_self_add_alu32_clears_id:OK\n #612/22 verifier_linked_scalars/scalars_stale_delta_from_cleared_id:OK\n #612/23 verifier_linked_scalars/scalars_stale_delta_from_cleared_id_alu32:OK\n #612 verifier_linked_scalars:OK\n Summary: 1/23 PASSED, 0 SKIPPED, 0 FAILED\n\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260407192421.508817-4-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "ed2eecdc0c6613353bc1565e900d2b23237713da", "tree": "fc5de694bd5541eaa58736340ded173e6a9e2c6f", "parents": [ "1b327732c84640c1e3da487eefe9d00cc9f2dd34" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Tue Apr 07 21:24:20 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Apr 07 18:15:43 2026 -0700" }, "message": "selftests/bpf: Add tests for delta tracking when src_reg \u003d\u003d dst_reg\n\nExtend the verifier_linked_scalars BPF selftest with a rX +\u003d rX test\nsuch that the div-by-zero path is rejected in the fixed case.\n\n # LDLIBS\u003d-static PKG_CONFIG\u003d\u0027pkg-config --static\u0027 ./vmtest.sh -- ./test_progs -t verifier_linked_scalars\n [...]\n ./test_progs -t verifier_linked_scalars\n #612/1 verifier_linked_scalars/scalars: find linked scalars:OK\n #612/2 verifier_linked_scalars/sync_linked_regs_preserves_id:OK\n #612/3 verifier_linked_scalars/scalars_neg:OK\n #612/4 verifier_linked_scalars/scalars_neg_sub:OK\n #612/5 verifier_linked_scalars/scalars_neg_alu32_add:OK\n #612/6 verifier_linked_scalars/scalars_neg_alu32_sub:OK\n #612/7 verifier_linked_scalars/scalars_pos:OK\n #612/8 verifier_linked_scalars/scalars_sub_neg_imm:OK\n #612/9 verifier_linked_scalars/scalars_double_add:OK\n #612/10 verifier_linked_scalars/scalars_sync_delta_overflow:OK\n #612/11 verifier_linked_scalars/scalars_sync_delta_overflow_large_range:OK\n #612/12 verifier_linked_scalars/scalars_alu32_big_offset:OK\n #612/13 verifier_linked_scalars/scalars_alu32_basic:OK\n #612/14 verifier_linked_scalars/scalars_alu32_wrap:OK\n #612/15 verifier_linked_scalars/scalars_alu32_zext_linked_reg:OK\n #612/16 verifier_linked_scalars/scalars_alu32_alu64_cross_type:OK\n #612/17 verifier_linked_scalars/scalars_alu32_alu64_regsafe_pruning:OK\n #612/18 verifier_linked_scalars/alu32_negative_offset:OK\n #612/19 verifier_linked_scalars/spurious_precision_marks:OK\n #612/20 verifier_linked_scalars/scalars_self_add_clears_id:OK\n #612/21 verifier_linked_scalars/scalars_self_add_alu32_clears_id:OK\n #612 verifier_linked_scalars:OK\n Summary: 1/21 PASSED, 0 SKIPPED, 0 FAILED\n\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260407192421.508817-3-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "1b327732c84640c1e3da487eefe9d00cc9f2dd34", "tree": "e0751559ee6248f6357376c7cd6b7c927eabb57c", "parents": [ "d7f14173c0d5866c3cae759dee560ad1bed10d2e" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Tue Apr 07 21:24:19 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Apr 07 18:15:42 2026 -0700" }, "message": "bpf: Clear delta when clearing reg id for non-{add,sub} ops\n\nWhen a non-{add,sub} alu op such as xor is performed on a scalar\nregister that previously had a BPF_ADD_CONST delta, the else path\nin adjust_reg_min_max_vals() only clears dst_reg-\u003eid but leaves\ndst_reg-\u003edelta unchanged.\n\nThis stale delta can propagate via assign_scalar_id_before_mov()\nwhen the register is later used in a mov. It gets a fresh id but\nkeeps the stale delta from the old (now-cleared) BPF_ADD_CONST.\nThis stale delta can later propagate leading to a verifier-vs-\nruntime value mismatch.\n\nThe clear_id label already correctly clears both delta and id.\nMake the else path consistent by also zeroing the delta when id\nis cleared. More generally, this introduces a helper clear_scalar_id()\nwhich internally takes care of zeroing. There are various other\nlocations in the verifier where only the id is cleared. By using\nthe helper we catch all current and future locations.\n\nFixes: 98d7ca374ba4 (\"bpf: Track delta between \"linked\" registers.\")\nReported-by: STAR Labs SG \u003cinfo@starlabs.sg\u003e\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260407192421.508817-2-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "d7f14173c0d5866c3cae759dee560ad1bed10d2e", "tree": "a54d03622c18a251e3459a71b1331d1153b2efdf", "parents": [ "656e835bb0f850bdb7a42bfb64a2495f4f4d2064" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Tue Apr 07 21:24:18 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Apr 07 18:15:42 2026 -0700" }, "message": "bpf: Fix linked reg delta tracking when src_reg \u003d\u003d dst_reg\n\nConsider the case of rX +\u003d rX where src_reg and dst_reg are pointers to\nthe same bpf_reg_state in adjust_reg_min_max_vals(). The latter first\nmodifies the dst_reg in-place, and later in the delta tracking, the\nsubsequent is_reg_const(src_reg)/reg_const_value(src_reg) reads the\npost-{add,sub} value instead of the original source.\n\nThis is problematic since it sets an incorrect delta, which sync_linked_regs()\nthen propagates to linked registers, thus creating a verifier-vs-runtime\nmismatch. Fix it by just skipping this corner case.\n\nFixes: 98d7ca374ba4 (\"bpf: Track delta between \"linked\" registers.\")\nReported-by: STAR Labs SG \u003cinfo@starlabs.sg\u003e\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260407192421.508817-1-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "656e835bb0f850bdb7a42bfb64a2495f4f4d2064", "tree": "f43e4965c0a9517498c8087a6851341aaf8d47e3", "parents": [ "a4985a1755ec9e5aa5cfb89468ba4b51546b5eeb", "cea4323f1cfe1d56dffcf98b5add1acd23aa91ed" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Apr 07 16:27:29 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Apr 07 16:28:13 2026 -0700" }, "message": "Merge branch \u0027tracing-fix-kprobe-attachment-when-module-shadows-vmlinux-symbol\u0027\n\nAndrey Grodzovsky says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\ntracing: Fix kprobe attachment when module shadows vmlinux symbol\n\nWhen a kernel module exports a symbol with the same name as an existing\nvmlinux symbol, kprobe attachment fails with -EADDRNOTAVAIL because\nnumber_of_same_symbols() counts matches across both vmlinux and all\nloaded modules, returning a count greater than 1.\n\nThis series takes a different approach from v1-v4, which implemented a\nlibbpf-side fallback parsing /proc/kallsyms and retrying with the\nabsolute address. That approach was rejected (Andrii Nakryiko, Ihor\nSolodrai) because ambiguous symbol resolution does not belong in libbpf.\n\nFollowing Ihor\u0027s suggestion, this series fixes the root cause in the\nkernel: when an unqualified symbol name is given and the symbol is found\nin vmlinux, prefer the vmlinux symbol and do not scan loaded modules.\nThis makes the skeleton auto-attach path work transparently with no\nlibbpf changes needed.\n\nPatch 1: Kernel fix - return vmlinux-only count from\n number_of_same_symbols() when the symbol is found in vmlinux,\n preventing module shadows from causing -EADDRNOTAVAIL.\nPatch 2: Selftests using bpf_fentry_shadow_test which exists in both\n vmlinux and bpf_testmod - tests unqualified (vmlinux) and\n MOD:SYM (module) attachment across all four attach modes, plus\n kprobe_multi with the duplicate symbol.\n\nChanges since v6 [1]:\n - Fix comment style: use /* on its own line instead of networking-style\n /* text on opener line (Alexei Starovoitov).\n\n[1] https://lore.kernel.org/bpf/20260407165145.1651061-1-andrey.grodzovsky@crowdstrike.com/\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260407203912.1787502-1-andrey.grodzovsky@crowdstrike.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "cea4323f1cfe1d56dffcf98b5add1acd23aa91ed", "tree": "f43e4965c0a9517498c8087a6851341aaf8d47e3", "parents": [ "1870ddcd94b061f54613b90d6300a350f29fc2f4" ], "author": { "name": "Andrey Grodzovsky", "email": "andrey.grodzovsky@crowdstrike.com", "time": "Tue Apr 07 16:39:12 2026 -0400" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Apr 07 16:28:12 2026 -0700" }, "message": "selftests/bpf: Add tests for kprobe attachment with duplicate symbols\n\nbpf_fentry_shadow_test exists in both vmlinux (net/bpf/test_run.c) and\nbpf_testmod (bpf_testmod.c), creating a duplicate symbol condition when\nbpf_testmod is loaded. Add subtests that verify kprobe behavior with\nthis duplicate symbol:\n\nIn attach_probe:\n- dup-sym-{default,legacy,perf,link}: unqualified attach succeeds\n across all four modes, preferring vmlinux over module shadow.\n- MOD:SYM qualification attaches to the module version.\n\nIn kprobe_multi_test:\n- dup_sym: kprobe_multi attach with kprobe and kretprobe succeeds.\n\nbpf_fentry_shadow_test is not invoked via test_run, so tests verify\nattach and detach succeed without triggering the probe.\n\nSigned-off-by: Andrey Grodzovsky \u003candrey.grodzovsky@crowdstrike.com\u003e\nLink: https://lore.kernel.org/r/20260407203912.1787502-3-andrey.grodzovsky@crowdstrike.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "1870ddcd94b061f54613b90d6300a350f29fc2f4", "tree": "695a335b8514544f6664a873ae57ccaf2f02ffb0", "parents": [ "a4985a1755ec9e5aa5cfb89468ba4b51546b5eeb" ], "author": { "name": "Andrey Grodzovsky", "email": "andrey.grodzovsky@crowdstrike.com", "time": "Tue Apr 07 16:39:11 2026 -0400" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Apr 07 16:27:52 2026 -0700" }, "message": "bpf: Prefer vmlinux symbols over module symbols for unqualified kprobes\n\nWhen an unqualified kprobe target exists in both vmlinux and a loaded\nmodule, number_of_same_symbols() returns a count greater than 1,\ncausing kprobe attachment to fail with -EADDRNOTAVAIL even though the\nvmlinux symbol is unambiguous.\n\nWhen no module qualifier is given and the symbol is found in vmlinux,\nreturn the vmlinux-only count without scanning loaded modules. This\npreserves the existing behavior for all other cases:\n- Symbol only in a module: vmlinux count is 0, falls through to module\n scan as before.\n- Symbol qualified with MOD:SYM: mod !\u003d NULL, unchanged path.\n- Symbol ambiguous within vmlinux itself: count \u003e 1 is returned as-is.\n\nFixes: 926fe783c8a6 (\"tracing/kprobes: Fix symbol counting logic by looking at modules as well\")\nFixes: 9d8616034f16 (\"tracing/kprobes: Add symbol counting check when module loads\")\nSuggested-by: Ihor Solodrai \u003cihor.solodrai@linux.dev\u003e\nAcked-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nAcked-by: Ihor Solodrai \u003cihor.solodrai@linux.dev\u003e\nSigned-off-by: Andrey Grodzovsky \u003candrey.grodzovsky@crowdstrike.com\u003e\nLink: https://lore.kernel.org/r/20260407203912.1787502-2-andrey.grodzovsky@crowdstrike.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "a4985a1755ec9e5aa5cfb89468ba4b51546b5eeb", "tree": "93b6e994639f1877730fe7e46b2bc4a0030477ac", "parents": [ "57b23c0f612dcfa1aae99c9422d6d36ced1670d4" ], "author": { "name": "Qi Tang", "email": "tpluszz77@gmail.com", "time": "Tue Apr 07 22:54:21 2026 +0800" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Apr 07 15:53:45 2026 -0700" }, "message": "selftests/bpf: add test for nullable PTR_TO_BUF access\n\nAdd iter_buf_null_fail with two tests and a test runner:\n - iter_buf_null_deref: verifier must reject direct dereference of\n ctx-\u003ekey (PTR_TO_BUF | PTR_MAYBE_NULL) without a null check\n - iter_buf_null_check_ok: verifier must accept dereference after\n an explicit null check\n\nAcked-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nReviewed-by: Amery Hung \u003cameryhung@gmail.com\u003e\nSigned-off-by: Qi Tang \u003ctpluszz77@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260407145421.4315-1-tpluszz77@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "57b23c0f612dcfa1aae99c9422d6d36ced1670d4", "tree": "da0dc70d4373e430095714eb14c2b6606e864d01", "parents": [ "a8aa306741cdeb7b1cb4832133390f9cd08ece14" ], "author": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Tue Apr 07 18:22:33 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Apr 07 12:24:49 2026 -0700" }, "message": "bpf: Retire rcu_trace_implies_rcu_gp()\n\nRCU Tasks Trace grace period implies RCU grace period, and this\nguarantee is expected to remain in the future. Only BPF is the user of\nthis predicate, hence retire the API and clean up all in-tree users.\n\nRCU Tasks Trace is now implemented on SRCU-fast and its grace period\nmechanism always has at least one call to synchronize_rcu() as it is\nrequired for SRCU-fast\u0027s correctness (it replaces the smp_mb() that\nSRCU-fast readers skip). So, RCU-tt GP will always imply RCU GP.\n\nReviewed-by: Puranjay Mohan \u003cpuranjay@kernel.org\u003e\nReviewed-by: Paul E. McKenney \u003cpaulmck@kernel.org\u003e\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260407162234.785270-1-memxor@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "a8aa306741cdeb7b1cb4832133390f9cd08ece14", "tree": "284141b16f103b27226bbfb261f87c604cb7d259", "parents": [ "1c22483a2c4bbf747787f328392ca3e68619c4dc" ], "author": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Tue Apr 07 16:56:06 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Apr 07 12:24:29 2026 -0700" }, "message": "selftests/bpf: Allow prog name matching for tests with __description\n\nFor tests that carry a __description tag, allow matching on both the\ndescription string and program name for convenience. Before this commit,\nthe description string must be spelt out to filter the tests.\n\nSuggested-by: Alexei Starovoitov \u003cast@kernel.org\u003e\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260407145606.3991770-1-memxor@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "1c22483a2c4bbf747787f328392ca3e68619c4dc", "tree": "e690a9200d52f5087851af6af58e262ec4485361", "parents": [ "beaf0e96b1da74549a6cabd040f9667d83b2e97e" ], "author": { "name": "Weiming Shi", "email": "bestswngs@gmail.com", "time": "Sun Apr 05 00:12:20 2026 +0800" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Apr 07 08:27:55 2026 -0700" }, "message": "bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()\n\nCO-RE accessor strings are colon-separated indices that describe a path\nfrom a root BTF type to a target field, e.g. \"0:1:2\" walks through\nnested struct members. bpf_core_parse_spec() parses each component with\nsscanf(\"%d\"), so negative values like -1 are silently accepted. The\nsubsequent bounds checks (access_idx \u003e\u003d btf_vlen(t)) only guard the\nupper bound and always pass for negative values because C integer\npromotion converts the __u16 btf_vlen result to int, making the\ncomparison (int)(-1) \u003e\u003d (int)(N) false for any positive N.\n\nWhen -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff,\nproducing an out-of-bounds read far past the members array. A crafted\nBPF program with a negative CO-RE accessor on any struct that exists in\nvmlinux BTF (e.g. task_struct) crashes the kernel deterministically\nduring BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF\u003dy\n(default on major distributions). The bug is reachable with CAP_BPF:\n\n BUG: unable to handle page fault for address: ffffed11818b6626\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n Oops: Oops: 0000 [#1] SMP KASAN NOPTI\n CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)\n RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)\n RAX: 00000000ffffffff\n Call Trace:\n \u003cTASK\u003e\n bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)\n bpf_core_apply (kernel/bpf/btf.c:9507)\n check_core_relo (kernel/bpf/verifier.c:19475)\n bpf_check (kernel/bpf/verifier.c:26031)\n bpf_prog_load (kernel/bpf/syscall.c:3089)\n __sys_bpf (kernel/bpf/syscall.c:6228)\n \u003c/TASK\u003e\n\nCO-RE accessor indices are inherently non-negative (struct member index,\narray element index, or enumerator index), so reject them immediately\nafter parsing.\n\nFixes: ddc7c3042614 (\"libbpf: implement BPF CO-RE offset relocation algorithm\")\nReported-by: Xiang Mei \u003cxmei5@asu.edu\u003e\nSigned-off-by: Weiming Shi \u003cbestswngs@gmail.com\u003e\nReviewed-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nAcked-by: Paul Chaignon \u003cpaul.chaignon@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260404161221.961828-2-bestswngs@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "beaf0e96b1da74549a6cabd040f9667d83b2e97e", "tree": "e0d4016e778622dce3b076a836c9d8322c67abd7", "parents": [ "8b648a517522e308e4378f012c4d352271e0cecf" ], "author": { "name": "Jiayuan Chen", "email": "jiayuan.chen@linux.dev", "time": "Tue Apr 07 20:23:33 2026 +0800" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Apr 07 07:57:07 2026 -0700" }, "message": "bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks\n\nbpf_lsm_task_to_inode() is called under rcu_read_lock() and\nbpf_lsm_inet_conn_established() is called from softirq context, so\nneither hook can be used by sleepable LSM programs.\n\nFixes: 423f16108c9d8 (\"bpf: Augment the set of sleepable LSM hooks\")\nReported-by: Quan Sun \u003c2022090917019@std.uestc.edu.cn\u003e\nReported-by: Yinhao Hu \u003cdddddd@hust.edu.cn\u003e\nReported-by: Kaiyan Mei \u003cM202472210@hust.edu.cn\u003e\nReported-by: Dongliang Mu \u003cdzm91@hust.edu.cn\u003e\nCloses: https://lore.kernel.org/bpf/3ab69731-24d1-431a-a351-452aafaaf2a5@std.uestc.edu.cn/T/#u\nSigned-off-by: Jiayuan Chen \u003cjiayuan.chen@linux.dev\u003e\nLink: https://lore.kernel.org/r/20260407122334.344072-1-jiayuan.chen@linux.dev\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "8b648a517522e308e4378f012c4d352271e0cecf", "tree": "ea18b9b17eefc24e23249a3061e1e2f36a3d7169", "parents": [ "18474aed5d0d382f8057ceed7811a735134d28b9", "1c2e217ad349d2af5c09f8e6e1c0561ad912477d" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Apr 06 18:38:33 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Apr 06 18:38:33 2026 -0700" }, "message": "Merge branch \u0027properly-load-values-from-insn_arays-with-non-zero-offsets\u0027\n\nAnton Protopopov says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nProperly load values from insn_arays with non-zero offsets\n\nThe PTR_TO_INSN is always loaded via BPF_LDX_MEM instruction.\nHowever, the verifier doesn\u0027t properly verify such loads when the\noffset is not zero. Fix this and extend selftests with more scenarios.\n\nv2 -\u003e v3:\n * Add a C-level selftest which triggers a load with nonzero offset (Alexei)\n * Rephrase commit messages a bit\n\nv2: https://lore.kernel.org/bpf/20260402184647.988132-1-a.s.protopopov@gmail.com/\n\nv1: https://lore.kernel.org/bpf/20260401161529.681755-1-a.s.protopopov@gmail.com\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260406160141.36943-1-a.s.protopopov@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "1c2e217ad349d2af5c09f8e6e1c0561ad912477d", "tree": "ea18b9b17eefc24e23249a3061e1e2f36a3d7169", "parents": [ "43cd9d9520e6622f6b9ffcd4f68e9d99225482b2" ], "author": { "name": "Anton Protopopov", "email": "a.s.protopopov@gmail.com", "time": "Mon Apr 06 16:01:41 2026 +0000" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Apr 06 18:38:32 2026 -0700" }, "message": "selftests/bpf: Add more tests for loading insn arrays with offsets\n\nA `gotox rX` instruction accepts only values of type PTR_TO_INSN.\nThe only way to create such a value is to load it from a map of\ntype insn_array:\n\n rX \u003d *(rY + offset) # rY was read from an insn_array\n ...\n gotox rX\n\nAdd instruction-level and C-level selftests to validate loads\nwith nonzero offsets.\n\nSigned-off-by: Anton Protopopov \u003ca.s.protopopov@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260406160141.36943-3-a.s.protopopov@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "43cd9d9520e6622f6b9ffcd4f68e9d99225482b2", "tree": "9d212d20117a87b400ee75139961f56810e1365f", "parents": [ "18474aed5d0d382f8057ceed7811a735134d28b9" ], "author": { "name": "Anton Protopopov", "email": "a.s.protopopov@gmail.com", "time": "Mon Apr 06 16:01:40 2026 +0000" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Apr 06 18:38:32 2026 -0700" }, "message": "bpf: Do not ignore offsets for loads from insn_arrays\n\nWhen a pointer to PTR_TO_INSN is dereferenced, the offset field\nof the BPF_LDX_MEM instruction can be nonzero. Patch the verifier\nto not ignore this field.\n\nReported-by: Jiyong Yang \u003cksur673@gmail.com\u003e\nFixes: 493d9e0d6083 (\"bpf, x86: add support for indirect jumps\")\nSigned-off-by: Anton Protopopov \u003ca.s.protopopov@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260406160141.36943-2-a.s.protopopov@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "18474aed5d0d382f8057ceed7811a735134d28b9", "tree": "f5a0f7f4b62ed80d12c3ce34bd5ce5d3f0a4845a", "parents": [ "42e33c9af49c5199504bbfb16f65756a90fe90bf" ], "author": { "name": "Gustavo A. R. Silva", "email": "gustavoars@kernel.org", "time": "Mon Mar 30 16:38:18 2026 -0600" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Apr 06 18:37:52 2026 -0700" }, "message": "bpf: Avoid -Wflex-array-members-not-at-end warnings\n\nApparently, struct bpf_empty_prog_array exists entirely to populate a\nsingle element of \"items\" in a global variable. \"null_prog\" is only\nused during the initializer.\n\nNone of this is needed; globals will be correctly sized with an array\ninitializer of a flexible-array member.\n\nSo, remove struct bpf_empty_prog_array and adjust the rest of the code,\naccordingly.\n\nWith these changes, fix the following warnings:\n\n./include/linux/bpf.h:2369:31: warning: structure containing a flexible\narray member is not at the end of another structure [-Wflex-array-member-not-at-end]\n\nSigned-off-by: Gustavo A. R. Silva \u003cgustavoars@kernel.org\u003e\nAcked-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nLink: https://lore.kernel.org/r/acr7Whmn0br3xeBP@kspp\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "42e33c9af49c5199504bbfb16f65756a90fe90bf", "tree": "3668614b371432e63b8f69cbd67d53a4f373acda", "parents": [ "a1aa9ef47c299c5bbc30594d3c2f0589edf908e6", "171580e432727a9e729f286075ee86070424f490" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Apr 06 15:27:27 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Apr 06 15:27:27 2026 -0700" }, "message": "Merge branch \u0027allow-variable-offsets-for-syscall-ptr_to_ctx\u0027\n\nKumar Kartikeya Dwivedi says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nAllow variable offsets for syscall PTR_TO_CTX\n\nEnable pointer modification with variable offsets accumulated in the\nregister for PTR_TO_CTX for syscall programs where it won\u0027t be\nrewritten, and the context is user-supplied and checked against the max\noffset. See patches for details. Fixed offset support landed in [0].\n\nBy combining this set with [0], examples like the one below should\nsucceed verification now.\n\n SEC(\"syscall\")\n int prog(void *ctx) {\n\tint *arr \u003d ctx;\n\tint i;\n\n\tbpf_for(i, 0, 100)\n\t\tarr[i] *\u003d i;\n\n\treturn 0;\n }\n\n [0]: https://lore.kernel.org/bpf/20260227005725.1247305-1-memxor@gmail.com\n\nChangelog:\n----------\nv4 -\u003e v5\nv4: https://lore.kernel.org/bpf/20260401122818.2240807-1-memxor@gmail.com\n\n * Use is_var_ctx_off_allowed() consistently.\n * Add acks. (Emil)\n\nv3 -\u003e v4\nv3: https://lore.kernel.org/bpf/20260318103526.2590079-1-memxor@gmail.com\n\n * Drop comment around describing choice of fixed or variable offsets. (Eduard)\n * Simplify offset adjustment for different cases. (Eduard)\n * Add PTR_TO_CTX case in __check_mem_access(). (Eduard)\n * Drop aligned access constraint from syscall_prog_is_valid_access().\n * Wrap naked checks for BPF_PROG_TYPE_SYSCALL in a utility function. (Eduard)\n * Split tests into separate clean up and addition patches. (Eduard)\n * Remove CAP_SYS_ADMIN changes. (Eduard)\n * Enable unaligned access to syscall ctx, add tests.\n * Add more tests for various corner cases.\n * Add acks. (Puranjay, Mykyta)\n\nv2 -\u003e v3\nv2: https://lore.kernel.org/bpf/20260318075133.1031781-1-memxor@gmail.com\n\n * Prevent arg_type for KF_ARG_PTR_TO_CTX from applying to other cases\n due to preceding fallthrough. (Gemini/Sashiko)\n\nv1 -\u003e v2\nv1: https://lore.kernel.org/bpf/20260317111850.2107846-2-memxor@gmail.com\n\n * Harden check_func_arg_reg_off check with ARG_PTR_TO_CTX.\n * Add tests for unmodified ctx into tail calls.\n * Squash unmodified ctx change into base commit.\n * Add Reviewed-by\u0027s from Emil.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260406194403.1649608-1-memxor@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "171580e432727a9e729f286075ee86070424f490", "tree": "3668614b371432e63b8f69cbd67d53a4f373acda", "parents": [ "0dca817f4dbd45aa82b5bffb3b380e5409addba8" ], "author": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Mon Apr 06 21:44:01 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Apr 06 15:27:27 2026 -0700" }, "message": "selftests/bpf: Add tests for syscall ctx accesses beyond U16_MAX\n\nEnsure we reject programs that access beyond the maximum syscall ctx\nsize, i.e. U16_MAX either through direct accesses or helpers/kfuncs.\n\nReviewed-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260406194403.1649608-8-memxor@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "0dca817f4dbd45aa82b5bffb3b380e5409addba8", "tree": "409d3675f00d10293da37ab0723ac7435d281ccf", "parents": [ "02c68b10d84f133b88ebf160de49cb3fa4290d97" ], "author": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Mon Apr 06 21:44:00 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Apr 06 15:27:27 2026 -0700" }, "message": "selftests/bpf: Add tests for unaligned syscall ctx accesses\n\nAdd coverage for unaligned access with fixed offsets and variable\noffsets, and through helpers or kfuncs.\n\nReviewed-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260406194403.1649608-7-memxor@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "02c68b10d84f133b88ebf160de49cb3fa4290d97", "tree": "1d8813f00ec42755baa695933b717ff95eb2c859", "parents": [ "5a34139b273272af2badcb695931493ed400befc" ], "author": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Mon Apr 06 21:43:59 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Apr 06 15:27:27 2026 -0700" }, "message": "selftests/bpf: Test modified syscall ctx for ARG_PTR_TO_CTX\n\nEnsure that global subprogs and tail calls can only accept an unmodified\nPTR_TO_CTX for syscall programs. For all other program types, fixed or\nvariable offsets on PTR_TO_CTX is rejected when passed into an argument\nof any call instruction type, through the unified logic of\ncheck_func_arg_reg_off.\n\nFinally, add a positive example of a case that should succeed with all\nour previous changes.\n\nReviewed-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nAcked-by: Puranjay Mohan \u003cpuranjay@kernel.org\u003e\nAcked-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260406194403.1649608-6-memxor@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "5a34139b273272af2badcb695931493ed400befc", "tree": "fff764672502d29a7dd4ded9c2f95f2e4f6d7d8e", "parents": [ "02f500ce0109ec553864507da685bd5fbc906e94" ], "author": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Mon Apr 06 21:43:58 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Apr 06 15:27:26 2026 -0700" }, "message": "selftests/bpf: Add syscall ctx variable offset tests\n\nAdd various tests to exercise fixed and variable offsets on PTR_TO_CTX\nfor syscall programs, and cover disallowed cases for other program types\nlacking convert_ctx_access callback. Load verifier_ctx with CAP_SYS_ADMIN\nso that kfunc related logic can be tested. While at it, convert assembly\ntests to C. Unfortunately, ctx_pointer_to_helper_2\u0027s unpriv case conflicts\nwith usage of kfuncs in the file and cannot be run.\n\nReviewed-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nAcked-by: Puranjay Mohan \u003cpuranjay@kernel.org\u003e\nAcked-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260406194403.1649608-5-memxor@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "02f500ce0109ec553864507da685bd5fbc906e94", "tree": "cae4a4d3d625a27fc5b3caa82a282a575b9b7038", "parents": [ "f25777056e24c5e724935b94a9a1aa16641be49a" ], "author": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Mon Apr 06 21:43:57 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Apr 06 15:27:26 2026 -0700" }, "message": "selftests/bpf: Convert ctx tests from ASM to C\n\nConvert existing tests from ASM to C, in prep for future changes to add\nmore comprehensive tests.\n\nReviewed-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260406194403.1649608-4-memxor@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "f25777056e24c5e724935b94a9a1aa16641be49a", "tree": "f8d4338451e8b734711587fe988b538932060b16", "parents": [ "ae5ef001aa981e7ee0993e51b642bb2179711c7a" ], "author": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Mon Apr 06 21:43:56 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Apr 06 15:27:26 2026 -0700" }, "message": "bpf: Enable unaligned accesses for syscall ctx\n\nDon\u0027t reject usage of fixed unaligned offsets for syscall ctx. Tests\nwill be added in later commits. Unaligned offsets already work for\nvariable offsets.\n\nReviewed-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260406194403.1649608-3-memxor@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "ae5ef001aa981e7ee0993e51b642bb2179711c7a", "tree": "4af7baf1b752d9ffc33d359d7bb358310f16a75f", "parents": [ "a1aa9ef47c299c5bbc30594d3c2f0589edf908e6" ], "author": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Mon Apr 06 21:43:55 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Mon Apr 06 15:27:26 2026 -0700" }, "message": "bpf: Support variable offsets for syscall PTR_TO_CTX\n\nAllow accessing PTR_TO_CTX with variable offsets in syscall programs.\nFixed offsets are already enabled for all program types that do not\nconvert their ctx accesses, since the changes we made in the commit\nde6c7d99f898 (\"bpf: Relax fixed offset check for PTR_TO_CTX\"). Note\nthat we also lift the restriction on passing syscall context into\nhelpers, which was not permitted before, and passing modified syscall\ncontext into kfuncs.\n\nThe structure of check_mem_access can be mostly shared and preserved,\nbut we must use check_mem_region_access to correctly verify access with\nvariable offsets.\n\nThe check made in check_helper_mem_access is hardened to only allow\nPTR_TO_CTX for syscall programs to be passed in as helper memory. This\nwas the original intention of the existing code anyway, and it makes\nlittle sense for other program types\u0027 context to be utilized as a memory\nbuffer. In case a convincing example presents itself in the future, this\ncheck can be relaxed further.\n\nWe also no longer use the last-byte access to simulate helper memory\naccess, but instead go through check_mem_region_access. Since this no\nlonger updates our max_ctx_offset, we must do so manually, to keep track\nof the maximum offset at which the program ctx may be accessed.\n\nTake care to ensure that when arg_type is ARG_PTR_TO_CTX, we do not\nrelax any fixed or variable offset constraints around PTR_TO_CTX even in\nsyscall programs, and require them to be passed unmodified. There are\nseveral reasons why this is necessary. First, if we pass a modified ctx,\nthen the global subprog\u0027s accesses will not update the max_ctx_offset to\nits true maximum offset, and can lead to out of bounds accesses. Second,\ntail called program (or extension program replacing global subprog) where\ntheir max_ctx_offset exceeds the program they are being called from can\nalso cause issues. For the latter, unmodified PTR_TO_CTX is the first\nrequirement for the fix, the second is ensuring max_ctx_offset \u003e\u003d the\nprogram they are being called from, which has to be a separate change\nnot made in this commit.\n\nAll in all, we can hint using arg_type when we expect ARG_PTR_TO_CTX and\nmake our relaxation around offsets conditional on it.\n\nDrop coverage of syscall tests from verifier_ctx.c temporarily for\nnegative cases until they are updated in subsequent commits.\n\nReviewed-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nAcked-by: Puranjay Mohan \u003cpuranjay@kernel.org\u003e\nAcked-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260406194403.1649608-2-memxor@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "a1aa9ef47c299c5bbc30594d3c2f0589edf908e6", "tree": "94029c8ea3d252368dada5123504fd5869f26688", "parents": [ "f254fb58dde38addca8f0767f92559120cfe54cf" ], "author": { "name": "MingTao Huang", "email": "mintaohuang@tencent.com", "time": "Thu Apr 02 20:18:50 2026 +0800" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Apr 05 18:48:09 2026 -0700" }, "message": "bpf: Fix stale offload-\u003eprog pointer after constant blinding\n\nWhen a dev-bound-only BPF program (BPF_F_XDP_DEV_BOUND_ONLY) undergoes\nJIT compilation with constant blinding enabled (bpf_jit_harden \u003e\u003d 2),\nbpf_jit_blind_constants() clones the program. The original prog is then\nfreed in bpf_jit_prog_release_other(), which updates aux-\u003eprog to point\nto the surviving clone, but fails to update offload-\u003eprog.\n\nThis leaves offload-\u003eprog pointing to the freed original program. When\nthe network namespace is subsequently destroyed, cleanup_net() triggers\nbpf_dev_bound_netdev_unregister(), which iterates ondev-\u003eprogs and calls\n__bpf_prog_offload_destroy(offload-\u003eprog). Accessing the freed prog\ncauses a page fault:\n\nBUG: unable to handle page fault for address: ffffc900085f1038\nWorkqueue: netns cleanup_net\nRIP: 0010:__bpf_prog_offload_destroy+0xc/0x80\nCall Trace:\n__bpf_offload_dev_netdev_unregister+0x257/0x350\nbpf_dev_bound_netdev_unregister+0x4a/0x90\nunregister_netdevice_many_notify+0x2a2/0x660\n...\ncleanup_net+0x21a/0x320\n\nThe test sequence that triggers this reliably is:\n\n1. Set net.core.bpf_jit_harden\u003d2 (echo 2 \u003e /proc/sys/net/core/bpf_jit_harden)\n2. Run xdp_metadata selftest, which creates a dev-bound-only XDP\n program on a veth inside a netns (./test_progs -t xdp_metadata)\n3. cleanup_net -\u003e page fault in __bpf_prog_offload_destroy\n\nDev-bound-only programs are unique in that they have an offload structure\nbut go through the normal JIT path instead of bpf_prog_offload_compile().\nThis means they are subject to constant blinding\u0027s prog clone-and-replace,\nwhile also having offload-\u003eprog that must stay in sync.\n\nFix this by updating offload-\u003eprog in bpf_jit_prog_release_other(),\nalongside the existing aux-\u003eprog update. Both are back-pointers to\nthe prog that must be kept in sync when the prog is replaced.\n\nFixes: 2b3486bc2d23 (\"bpf: Introduce device-bound XDP programs\")\nSigned-off-by: MingTao Huang \u003cmintaohuang@tencent.com\u003e\nLink: https://lore.kernel.org/r/tencent_BCF692F45859CCE6C22B7B0B64827947D406@qq.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "f254fb58dde38addca8f0767f92559120cfe54cf", "tree": "5923a0b5770f52d95c6f59a0179a3e6e4a526236", "parents": [ "c6095cb9684e278a59cb5a25deff6bfef9aecf27" ], "author": { "name": "Alexis Lothoré (eBPF Foundation)", "email": "alexis.lothore@bootlin.com", "time": "Fri Apr 03 09:52:06 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Apr 05 18:45:48 2026 -0700" }, "message": "selftests/bpf: remove unused toggle in tc_tunnel\n\ntc_tunnel test is based on a send_and_test_data function which takes a\nsubtest configuration, and a boolean indicating whether the connection\nis supposed to fail or not. This boolean is systematically passed to\ntrue, and is a remnant from the first (not integrated) attempts to\nconvert tc_tunnel to test_progs: those versions validated for\nexample that a connection properly fails when only one side of the\nconnection has tunneling enabled. This specific testing has not been\nintegrated because it involved large timeouts which increased quite a\nlot the test duration, for little added value.\n\nRemove the unused boolean from send_and_test_data to simplify the\ngeneric part of subtests.\n\nSigned-off-by: Alexis Lothoré (eBPF Foundation) \u003calexis.lothore@bootlin.com\u003e\nAcked-by: Paul Chaignon \u003cpaul.chaignon@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260403-tc_tunnel_cleanup-v1-1-4f1bb113d3ab@bootlin.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "c6095cb9684e278a59cb5a25deff6bfef9aecf27", "tree": "315465f33f330ac4aa8ef2009651b978dccbb505", "parents": [ "24dbbf8a2343d4063c370a1f25645eabc50d68c9", "262b857da6bee528420514690895ed7d2c65077e" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Apr 05 18:45:05 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Apr 05 18:45:06 2026 -0700" }, "message": "Merge branch \u0027bpf-fix-end-of-list-detection-in-cgroup_storage_get_next_key\u0027\n\nWeiming Shi says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nbpf: fix end-of-list detection in cgroup_storage_get_next_key()\n\nlist_next_entry() never returns NULL, so the NULL check in\ncgroup_storage_get_next_key() is dead code. When iterating past the last\nelement, the function reads storage-\u003ekey from a bogus pointer that aliases\ninternal map fields and copies the result to userspace.\n\nPatch 1 replaces the NULL check with list_entry_is_head() so the function\ncorrectly returns -ENOENT when there are no more entries.\n\nPatch 2 adds a selftest to cover this corner case, as suggested by Sun Jian\nand Paul Chaignon.\n\nv2:\n - Added selftest (Paul Chaignon)\n - Collected Reviewed-by and Acked-by tags\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260403132951.43533-1-bestswngs@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "262b857da6bee528420514690895ed7d2c65077e", "tree": "315465f33f330ac4aa8ef2009651b978dccbb505", "parents": [ "5828b9e5b272ecff7cf5d345128d3de7324117f7" ], "author": { "name": "Weiming Shi", "email": "bestswngs@gmail.com", "time": "Fri Apr 03 21:29:51 2026 +0800" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Apr 05 18:45:05 2026 -0700" }, "message": "selftests/bpf: add get_next_key boundary test for cgroup_storage\n\nVerify that bpf_map__get_next_key() correctly returns -ENOENT when\ncalled on the last (and only) key in a cgroup_storage map. Before the\nfix in the previous patch, this would succeed with bogus key data\ninstead of failing.\n\nSuggested-by: Paul Chaignon \u003cpaul.chaignon@gmail.com\u003e\nSigned-off-by: Weiming Shi \u003cbestswngs@gmail.com\u003e\nAcked-by: Paul Chaignon \u003cpaul.chaignon@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260403132951.43533-3-bestswngs@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "5828b9e5b272ecff7cf5d345128d3de7324117f7", "tree": "0d6e62cec79330d4ecb64cb21bd27a80733ed1d4", "parents": [ "24dbbf8a2343d4063c370a1f25645eabc50d68c9" ], "author": { "name": "Weiming Shi", "email": "bestswngs@gmail.com", "time": "Fri Apr 03 21:29:50 2026 +0800" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Apr 05 18:45:05 2026 -0700" }, "message": "bpf: fix end-of-list detection in cgroup_storage_get_next_key()\n\nlist_next_entry() never returns NULL -- when the current element is the\nlast entry it wraps to the list head via container_of(). The subsequent\nNULL check is therefore dead code and get_next_key() never returns\n-ENOENT for the last element, instead reading storage-\u003ekey from a bogus\npointer that aliases internal map fields and copying the result to\nuserspace.\n\nReplace it with list_entry_is_head() so the function correctly returns\n-ENOENT when there are no more entries.\n\nFixes: de9cbbaadba5 (\"bpf: introduce cgroup storage maps\")\nReported-by: Xiang Mei \u003cxmei5@asu.edu\u003e\nSigned-off-by: Weiming Shi \u003cbestswngs@gmail.com\u003e\nReviewed-by: Sun Jian \u003csun.jian.kdev@gmail.com\u003e\nAcked-by: Paul Chaignon \u003cpaul.chaignon@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260403132951.43533-2-bestswngs@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "24dbbf8a2343d4063c370a1f25645eabc50d68c9", "tree": "151644c9a12e571bd9257619b9cbd4fb1774506c", "parents": [ "6a14beefab457f267b8cedc6ac697a9562ec1244", "f64eb44ce9067d37e6334a940518dcf1254e83fe" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Apr 05 18:37:32 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Apr 05 18:37:41 2026 -0700" }, "message": "Merge branch \u0027bpf-fix-torn-writes-in-non-prealloc-htab-with-bpf_f_lock\u0027\n\nMykyta Yatsenko says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nbpf: Fix torn writes in non-prealloc htab with BPF_F_LOCK\n\nA torn write issue was reported in htab_map_update_elem() with\nBPF_F_LOCK on hash maps. The BPF_F_LOCK fast path performs\na lockless lookup and copies the value under the element\u0027s embedded\nspin_lock. A concurrent delete can free the element via\nbpf_mem_cache_free(), which allows immediate reuse. When\nalloc_htab_elem() recycles the same memory, it writes the value with\nplain copy_map_value() without taking the spin_lock, racing with the\nstale lock holder and producing torn writes.\n\nPatch 1 fixes alloc_htab_elem() to use copy_map_value_locked() when\nBPF_F_LOCK is set.\n\nPatch 2 adds a selftest that reliably detects the torn writes on an\nunpatched kernel.\n\nReported-by: Aaron Esau \u003caaron1esau@gmail.com\u003e\nSigned-off-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260401-bpf_map_torn_writes-v1-0-782d071c55e7@meta.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "f64eb44ce9067d37e6334a940518dcf1254e83fe", "tree": "151644c9a12e571bd9257619b9cbd4fb1774506c", "parents": [ "07738bc566c38e0a8c82084e962890d1d59715c8" ], "author": { "name": "Mykyta Yatsenko", "email": "yatsenko@meta.com", "time": "Wed Apr 01 06:50:37 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Apr 05 18:37:32 2026 -0700" }, "message": "selftests/bpf: Add torn write detection test for htab BPF_F_LOCK\n\nAdd a consistency subtest to htab_reuse that detects torn writes\ncaused by the BPF_F_LOCK lockless update racing with element\nreallocation in alloc_htab_elem().\n\nThe test uses three thread roles started simultaneously via a pipe:\n - locked updaters: BPF_F_LOCK|BPF_EXIST in-place updates\n - delete+update workers: delete then BPF_ANY|BPF_F_LOCK insert\n - locked readers: BPF_F_LOCK lookup checking value consistency\n\nSigned-off-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nLink: https://lore.kernel.org/r/20260401-bpf_map_torn_writes-v1-2-782d071c55e7@meta.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "07738bc566c38e0a8c82084e962890d1d59715c8", "tree": "2cf538b17ecb8f82466cf916be9fdb7b3eef782b", "parents": [ "6a14beefab457f267b8cedc6ac697a9562ec1244" ], "author": { "name": "Mykyta Yatsenko", "email": "yatsenko@meta.com", "time": "Wed Apr 01 06:50:36 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Apr 05 18:37:32 2026 -0700" }, "message": "bpf: Use copy_map_value_locked() in alloc_htab_elem() for BPF_F_LOCK\n\nWhen a BPF_F_LOCK update races with a concurrent delete, the freed\nelement can be immediately recycled by alloc_htab_elem(). The fast path\nin htab_map_update_elem() performs a lockless lookup and then calls\ncopy_map_value_locked() under the element\u0027s spin_lock. If\nalloc_htab_elem() recycles the same memory, it overwrites the value\nwith plain copy_map_value(), without taking the spin_lock, causing\ntorn writes.\n\nUse copy_map_value_locked() when BPF_F_LOCK is set so the new element\u0027s\nvalue is written under the embedded spin_lock, serializing against any\nstale lock holders.\n\nFixes: 96049f3afd50 (\"bpf: introduce BPF_F_LOCK flag\")\nReported-by: Aaron Esau \u003caaron1esau@gmail.com\u003e\nCloses: https://lore.kernel.org/all/CADucPGRvSRpkneb94dPP08YkOHgNgBnskTK6myUag_Mkjimihg@mail.gmail.com/\nSigned-off-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nLink: https://lore.kernel.org/r/20260401-bpf_map_torn_writes-v1-1-782d071c55e7@meta.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "6a14beefab457f267b8cedc6ac697a9562ec1244", "tree": "91b4f07c35046a6a73a53505555c2799beab5fcd", "parents": [ "891a05ccba927050cee17eb90c74692fe083ddaf", "1a1cadbd5d50b31ae1340c2a9938947719696ca0" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 03 08:33:48 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 03 08:34:47 2026 -0700" }, "message": "Merge branch \u0027bpf-prep-patches-for-static-stack-liveness\u0027\n\nAlexei Starovoitov says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nbpf: Prep patches for static stack liveness.\n\nv4-\u003ev5:\n- minor test fixup\n\nv3-\u003ev4:\n- fixed invalid recursion detection when calback is called multiple times\n\nv3: https://lore.kernel.org/bpf/20260402212856.86606-1-alexei.starovoitov@gmail.com/\n\nv2-\u003ev3:\n- added recursive call detection\n- fixed ubsan warning\n- removed double declaration in the header\n- added Acks\n\nv2: https://lore.kernel.org/bpf/20260402061744.10885-1-alexei.starovoitov@gmail.com/\n\nv1-\u003ev2:\n. fixed bugs spotted by Eduard, Mykyta, claude and gemini\n. fixed selftests that were failing in unpriv\n. gemini(sashiko) found several precision improvements in patch 6,\n but they made no difference in real programs.\n\nv1: https://lore.kernel.org/bpf/20260401021635.34636-1-alexei.starovoitov@gmail.com/\nFirst 6 prep patches for static stack liveness.\n\n. do src/dst_reg validation early and remove defensive checks\n\n. sort subprog in topo order. We wanted to do this long ago\n to process global subprogs this way and in other cases.\n\n. Add constant folding pass that computes map_ptr, subprog_idx,\n loads from readonly maps, and other constants that fit into 32-bit\n\n. Use these constants to eliminate dead code. Replace predicted\n conditional branches with \"jmp always\". That reduces JIT prog size.\n\n. Add two helpers that return access size from their arguments.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260403024422.87231-1-alexei.starovoitov@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "1a1cadbd5d50b31ae1340c2a9938947719696ca0", "tree": "91b4f07c35046a6a73a53505555c2799beab5fcd", "parents": [ "19dbb1347481105e8aabc7479af35c09a65333a9" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 02 19:44:21 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 03 08:34:44 2026 -0700" }, "message": "bpf: Add helper and kfunc stack access size resolution\n\nThe static stack liveness analysis needs to know how many bytes a\nhelper or kfunc accesses through a stack pointer argument, so it can\nprecisely mark the affected stack slots as stack \u0027def\u0027 or \u0027use\u0027.\n\nAdd bpf_helper_stack_access_bytes() and bpf_kfunc_stack_access_bytes()\nwhich resolve the access size for a given call argument.\n\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260403024422.87231-7-alexei.starovoitov@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "19dbb1347481105e8aabc7479af35c09a65333a9", "tree": "4eb498bd81ac829d8da02cc240cddfcb7dde2ae7", "parents": [ "f1606dd0ac49230f5a5fa1a279210fdf0249c20f" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 02 19:44:20 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 03 08:34:41 2026 -0700" }, "message": "bpf: Move verifier helpers to header\n\nMove several helpers to header as preparation for\nthe subsequent stack liveness patches.\n\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260403024422.87231-6-alexei.starovoitov@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "f1606dd0ac49230f5a5fa1a279210fdf0249c20f", "tree": "4544482bf2f4193f74df6b70ebec9d28a982c82d", "parents": [ "427c07ddb9e63dc96488bbf51bb196e7aca19825" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 02 19:44:19 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 03 08:34:36 2026 -0700" }, "message": "bpf: Add bpf_compute_const_regs() and bpf_prune_dead_branches() passes\n\nAdd two passes before the main verifier pass:\n\nbpf_compute_const_regs() is a forward dataflow analysis that tracks\nregister values in R0-R9 across the program using fixed-point\niteration in reverse postorder. Each register is tracked with\na six-state lattice:\n\n UNVISITED -\u003e CONST(val) / MAP_PTR(map_index) /\n MAP_VALUE(map_index, offset) / SUBPROG(num) -\u003e UNKNOWN\n\nAt merge points, if two paths produce the same state and value for\na register, it stays; otherwise it becomes UNKNOWN.\n\nThe analysis handles:\n - MOV, ADD, SUB, AND with immediate or register operands\n - LD_IMM64 for plain constants, map FDs, map values, and subprogs\n - LDX from read-only maps: constant-folds the load by reading the\n map value directly via bpf_map_direct_read()\n\nResults that fit in 32 bits are stored per-instruction in\ninsn_aux_data and bitmasks.\n\nbpf_prune_dead_branches() uses the computed constants to evaluate\nconditional branches. When both operands of a conditional jump are\nknown constants, the branch outcome is determined statically and the\ninstruction is rewritten to an unconditional jump.\nThe CFG postorder is then recomputed to reflect new control flow.\nThis eliminates dead edges so that subsequent liveness analysis\ndoesn\u0027t propagate through dead code.\n\nAlso add runtime sanity check to validate that precomputed\nconstants match the verifier\u0027s tracked state.\n\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260403024422.87231-5-alexei.starovoitov@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "427c07ddb9e63dc96488bbf51bb196e7aca19825", "tree": "0fe7786147d64fbff58d168d31809e721d25fd00", "parents": [ "e6898ec751e4d8577b210f8e816ea9f8c2a7158a" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 02 19:44:18 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 03 08:34:33 2026 -0700" }, "message": "selftests/bpf: Add tests for subprog topological ordering\n\nAdd few tests for topo sort:\n- linear chain: main -\u003e A -\u003e B\n- diamond: main -\u003e A, main -\u003e B, A -\u003e C, B -\u003e C\n- mixed global/static: main -\u003e global -\u003e static leaf\n- shared callee: main -\u003e leaf, main -\u003e global -\u003e leaf\n- duplicate calls: main calls same subprog twice\n- no calls: single subprog\n\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260403024422.87231-4-alexei.starovoitov@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "e6898ec751e4d8577b210f8e816ea9f8c2a7158a", "tree": "8b17f798fa4f8b5580436b6fc13943f0fb682af9", "parents": [ "503d21ef8eac1437d76919921115acf0aef328a0" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 02 19:44:17 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 03 08:34:30 2026 -0700" }, "message": "bpf: Sort subprogs in topological order after check_cfg()\n\nAdd a pass that sorts subprogs in topological order so that iterating\nsubprog_topo_order[] walks leaf subprogs first, then their callers.\nThis is computed as a DFS post-order traversal of the CFG.\n\nThe pass runs after check_cfg() to ensure the CFG has been validated\nbefore traversing and after postorder has been computed to avoid\nwalking dead code.\n\nReviewed-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260403024422.87231-3-alexei.starovoitov@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "503d21ef8eac1437d76919921115acf0aef328a0", "tree": "8ac31295349d7bf7592c289950deb1f37996fe40", "parents": [ "891a05ccba927050cee17eb90c74692fe083ddaf" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 02 19:44:16 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 03 08:34:26 2026 -0700" }, "message": "bpf: Do register range validation early\n\nInstead of checking src/dst range multiple times during\nthe main verifier pass do them once.\n\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260403024422.87231-2-alexei.starovoitov@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "891a05ccba927050cee17eb90c74692fe083ddaf", "tree": "0ca1e1ee18f52cfe550898a7b78ae3839d73e8bd", "parents": [ "6f6c794d0ff05dab1fa4677f39043de8a6a80da3", "d8a9a4b11a137909e306e50346148fc5c3b63f9d" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 03 08:12:58 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Apr 03 08:14:13 2026 -0700" }, "message": "Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf 7.0-rc6+\n\nCross-merge BPF and other fixes after downstream PR.\n\nMinor conflict in kernel/bpf/verifier.c\n\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "d8a9a4b11a137909e306e50346148fc5c3b63f9d", "tree": "5b02536cdfb8743d8642e43710f3de99a4bff213", "parents": [ "7b9e74c5a49e1331e03c8ae5f981067da4f33328", "78ec5bf2f589ec7fd8f169394bfeca541b077317" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Apr 02 21:04:28 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Apr 02 21:04:28 2026 -0700" }, "message": "Merge tag \u0027v7.0-rc6-smb3-client-fix\u0027 of git://git.samba.org/sfrench/cifs-2.6\n\nPull smb client fix from Steve French:\n\n - Fix potential out of bounds read in mount\n\n* tag \u0027v7.0-rc6-smb3-client-fix\u0027 of git://git.samba.org/sfrench/cifs-2.6:\n fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath\n" }, { "commit": "7b9e74c5a49e1331e03c8ae5f981067da4f33328", "tree": "8628e0e4cded0b478adbf9ab1908c559b12f8184", "parents": [ "5a9617dde77d0777b53f0af7dee58109650bda41", "e1b5687a862a43429f1d9f69065b3bbc7780a97a" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Apr 02 18:59:56 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Apr 02 18:59:56 2026 -0700" }, "message": "Merge tag \u0027bpf-fixes\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf\n\nPull bpf fixes from Alexei Starovoitov:\n\n - Fix register equivalence for pointers to packet (Alexei Starovoitov)\n\n - Fix incorrect pruning due to atomic fetch precision tracking (Daniel\n Borkmann)\n\n - Fix grace period wait for bpf_link-ed tracepoints (Kumar Kartikeya\n Dwivedi)\n\n - Fix use-after-free of sockmap\u0027s sk-\u003esk_socket (Kuniyuki Iwashima)\n\n - Reject direct access to nullable PTR_TO_BUF pointers (Qi Tang)\n\n - Reject sleepable kprobe_multi programs at attach time (Varun R\n Mallya)\n\n* tag \u0027bpf-fixes\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:\n selftests/bpf: Add more precision tracking tests for atomics\n bpf: Fix incorrect pruning due to atomic fetch precision tracking\n bpf: Reject sleepable kprobe_multi programs at attach time\n bpf: reject direct access to nullable PTR_TO_BUF pointers\n bpf: sockmap: Fix use-after-free of sk-\u003esk_socket in sk_psock_verdict_data_ready().\n bpf: Fix grace period wait for tracepoint bpf_link\n bpf: Fix regsafe() for pointers to packet\n" }, { "commit": "6f6c794d0ff05dab1fa4677f39043de8a6a80da3", "tree": "c3d3a2e0538b64a9ea27fcc87caac932aee713a7", "parents": [ "7e85ca02ef3aa2f37ce6dbba820f55b385330ce9", "7cbded6ed98f363cc7fa84304da1f03eefa03f67" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 02 18:23:25 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 02 18:23:26 2026 -0700" }, "message": "Merge branch \u0027fix-invariant-violations-and-improve-branch-detection\u0027\n\nPaul Chaignon says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nFix invariant violations and improve branch detection\n\nThis patchset fixes invariant violations on register bounds. These\ninvariant violations cause a warning and happen when reg_bounds_sync is\ntrying to refine register bounds while walking an impossible branch.\n\nThis patchset takes this situation as an opportunity to improve\nverification performance. That is, the verifier will use the invariant\nviolations as a signal that a branch cannot be taken and process it as\ndead code.\n\nThis patchset implements this approach and covers it in selftests with\na new invariant violation case. Some of the logic in reg_bounds_sync\nlikely acts as a duplicate with logic from is_scalar_branch_taken. This\npatchset does not attempt to remove superfluous logic from\nis_scalar_branch_taken and leaves it to a future patchset (ex. once\nsyzbot has confirmed that all invariant violations are fixed).\n\nIn the future, there is also a potential opportunity to simplify\nexisting logic by merging reg_bounds_sync and range_bounds_violation\n(have reg_bounds_sync error out on invariant violation). That is\nhowever not needed to fix invariant violation, which we focus on in\nthis patchset.\n\nChanges in v3:\n - Rename and refactor the helper functions checking for tnum-related\n invariant violations (Mykyta).\n - Small changes to comment style in verifier changes and new selftest\n (Mykyta).\n - Rebased.\nChanges in v2:\n - Moved tmp registers to env in preparatory commit (Eduard).\n - Updated reg_bounds_sync to bail out in case of ill-formed\n registers, thus avoiding one set of invariant violation checks in\n simulate_both_branches_taken (Eduard).\n - Drop the Fixes tag to avoid misleading backporters (Shung-Hsi).\n - Improve wording of commit descriptions (Shung-Hsi, Hari).\n - Fix error in code comments (AI bot).\n - Rebased.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/cover.1775142354.git.paul.chaignon@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "7cbded6ed98f363cc7fa84304da1f03eefa03f67", "tree": "c3d3a2e0538b64a9ea27fcc87caac932aee713a7", "parents": [ "2ba199067b89edcf4dcc760941b26753494eb668" ], "author": { "name": "Paul Chaignon", "email": "paul.chaignon@gmail.com", "time": "Thu Apr 02 17:12:48 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 02 18:23:25 2026 -0700" }, "message": "selftests/bpf: Remove invariant violation flags\n\nWith the changes to the verifier in previous commits, we\u0027re not\nexpecting any invariant violations anymore. We should therefore always\nenable BPF_F_TEST_REG_INVARIANTS to fail on invariant violations. Turns\nout that\u0027s already the case and we\u0027ve been explicitly setting this flag\nin selftests when it wasn\u0027t necessary. This commit removes those flags\nfrom selftests, which should hopefully make clearer that it\u0027s always\nenabled.\n\nSigned-off-by: Paul Chaignon \u003cpaul.chaignon@gmail.com\u003e\nAcked-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nLink: https://lore.kernel.org/r/9afce92510a7d44569dc3af63c9b8c608e69298a.1775142354.git.paul.chaignon@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "2ba199067b89edcf4dcc760941b26753494eb668", "tree": "f3ca787f8174dccfc92f98431d3fe733a5893901", "parents": [ "b254c6d816e53ca02856b6f46b4dc56caf6e7713" ], "author": { "name": "Paul Chaignon", "email": "paul.chaignon@gmail.com", "time": "Thu Apr 02 17:11:41 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 02 18:23:25 2026 -0700" }, "message": "selftests/bpf: Cover invariant violation case from syzbot\n\nThis patch adds a selftest for the change in the previous patch. The\nselftest is derived from a syzbot reproducer from [1] (among the 22\nreproducers on that page, only 4 still reproduced on latest bpf tree,\nall being small variants of the same invariant violation).\n\nThe test case failure without the previous patch is shown below.\n\n 0: R1\u003dctx() R10\u003dfp0\n 0: (85) call bpf_get_prandom_u32#7 ; R0\u003dscalar()\n 1: (bf) r5 \u003d r0 ; R0\u003dscalar(id\u003d1) R5\u003dscalar(id\u003d1)\n 2: (57) r5 \u0026\u003d -4 ; R5\u003dscalar(smax\u003d0x7ffffffffffffffc,umax\u003d0xfffffffffffffffc,smax32\u003d0x7ffffffc,umax32\u003d0xfffffffc,var_off\u003d(0x0; 0xfffffffffffffffc))\n 3: (bf) r7 \u003d r0 ; R0\u003dscalar(id\u003d1) R7\u003dscalar(id\u003d1)\n 4: (57) r7 \u0026\u003d 1 ; R7\u003dscalar(smin\u003dsmin32\u003d0,smax\u003dumax\u003dsmax32\u003dumax32\u003d1,var_off\u003d(0x0; 0x1))\n 5: (07) r7 +\u003d -43 ; R7\u003dscalar(smin\u003dsmin32\u003d-43,smax\u003dsmax32\u003d-42,umin\u003d0xffffffffffffffd5,umax\u003d0xffffffffffffffd6,umin32\u003d0xffffffd5,umax32\u003d0xffffffd6,var_off\u003d(0xffffffffffffffd4; 0x3))\n 6: (5e) if w5 !\u003d w7 goto pc+1\n verifier bug: REG INVARIANTS VIOLATION (false_reg1): range bounds violation u64\u003d[0xffffffd5, 0xffffffffffffffd4] s64\u003d[0x80000000ffffffd5, 0x7fffffffffffffd4] u32\u003d[0xffffffd5, 0xffffffd4] s32\u003d[0xffffffd5, 0xffffffd4] var_off\u003d(0xffffffd4, 0xffffffff00000000)\n\nR5 and R7 are prepared such that their tnums intersection results in a\nknown constant but that constant isn\u0027t within R7\u0027s u32 bounds.\nis_branch_taken isn\u0027t able to detect this case today, so the verifier\nwalks the impossible fallthrough branch. After regs_refine_cond_op and\nreg_bounds_sync refine R5 on the assumption that the branch is taken,\nthe impossibility becomes apparent and results in an invariant violation\nfor R5: umin32 is greater than umax32.\n\nThe previous patch fixes this by using regs_refine_cond_op and\nreg_bounds_sync in is_branch_taken to detect the impossible branch. The\nfallthrough branch is therefore correctly detected as dead code.\n\nLink: https://syzkaller.appspot.com/bug?extid\u003dc950cc277150935cc0b5 [1]\nSigned-off-by: Paul Chaignon \u003cpaul.chaignon@gmail.com\u003e\nAcked-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nLink: https://lore.kernel.org/r/b1e22233a3206ead522f02eda27b9c5c991a0de9.1775142354.git.paul.chaignon@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "b254c6d816e53ca02856b6f46b4dc56caf6e7713", "tree": "3967fbe2007f3351e89caa830d31e8edc42dcbb5", "parents": [ "a2a14e874b4e7ec4c4ef226f93edb94be687f7e6" ], "author": { "name": "Harishankar Vishwanathan", "email": "harishankar.vishwanathan@gmail.com", "time": "Thu Apr 02 17:10:43 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 02 18:23:25 2026 -0700" }, "message": "bpf: Simulate branches to prune based on range violations\n\nThis patch fixes the invariant violations that can happen after we\nrefine ranges \u0026 tnum based on an incorrectly-detected branch condition.\nFor example, the branch is always true, but we miss it in\nis_branch_taken; we then refine based on the branch being false and end\nup with incoherent ranges (e.g. umax \u003c umin).\n\nTo avoid this, we can simulate the refinement on both branches. More\nspecifically, this patch simulates both branches taken using\nregs_refine_cond_op and reg_bounds_sync. If the resulting register\nstates are ill-formed on one of the branches, is_branch_taken can mark\nthat branch as \"never taken\".\n\nOn a more formal note, we can deduce a branch is not taken when\nregs_refine_cond_op or reg_bounds_sync returns an ill-formed state\nbecause the branch operators are sound (verified with Agni [1]).\nSoundness means that the verifier is guaranteed to produce sound\noutputs on the taken branches. On the non-taken branch (explored\nbecause of imprecision in the bounds), the verifier is free to produce\nany output. We use ill-formedness as a signal that the branch is dead\nand prune that branch.\n\nThis patch moves the refinement logic for both branches from\nreg_set_min_max to their own function, simulate_both_branches_taken,\nwhich is called from is_scalar_branch_taken. As a result,\nreg_set_min_max now only runs sanity checks and has been renamed to\nreg_bounds_sanity_check_branches to reflect that.\n\nWe have had five patches fixing specific cases of invariant violations\nin the past, all added with selftests:\n- commit fbc7aef517d8 (\"bpf: Fix u32/s32 bounds when ranges cross\n min/max boundary\")\n- commit efc11a667878 (\"bpf: Improve bounds when tnum has a single\n possible value\")\n- commit f41345f47fb2 (\"bpf: Use tnums for JEQ/JNE is_branch_taken\n logic\")\n- commit 00bf8d0c6c9b (\"bpf: Improve bounds when s64 crosses sign\n boundary\")\n- commit 6279846b9b25 (\"bpf: Forget ranges when refining tnum after\n JSET\")\n\nTo confirm that this patch addresses all invariant violations, we have\nalso reverted those five commits and verified that their related\nselftests don\u0027t cause any invariant violation warnings anymore. Those\nselftests still fail but only because of misdetected branches or\nless-precise bounds than expected. This demonstrates that the current\npatch is enough to avoid the invariant violation warning AND that the\nprevious five patches are still useful to improve branch detection.\n\nIn addition to the selftests, this change was also tested with the\nCilium complexity test suite: all programs were successfully loaded and\nit didn\u0027t change the number of processed instructions.\n\nLink: https://github.com/bpfverif/agni [1]\nReported-by: syzbot+c950cc277150935cc0b5@syzkaller.appspotmail.com\nCloses: https://syzkaller.appspot.com/bug?extid\u003dc950cc277150935cc0b5\nCo-developed-by: Paul Chaignon \u003cpaul.chaignon@gmail.com\u003e\nSigned-off-by: Paul Chaignon \u003cpaul.chaignon@gmail.com\u003e\nCo-developed-by: Srinivas Narayana \u003csrinivas.narayana@rutgers.edu\u003e\nSigned-off-by: Srinivas Narayana \u003csrinivas.narayana@rutgers.edu\u003e\nCo-developed-by: Santosh Nagarakatte \u003csantosh.nagarakatte@rutgers.edu\u003e\nSigned-off-by: Santosh Nagarakatte \u003csantosh.nagarakatte@rutgers.edu\u003e\nSigned-off-by: Harishankar Vishwanathan \u003charishankar.vishwanathan@gmail.com\u003e\nAcked-by: Shung-Hsi Yu \u003cshung-hsi.yu@suse.com\u003e\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/a166b54a3cbbbdbcdf8a87f53045f1097176218b.1775142354.git.paul.chaignon@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "a2a14e874b4e7ec4c4ef226f93edb94be687f7e6", "tree": "8568cdad52ee8cff07499ae195ea00588bca06b2", "parents": [ "ec1d77cb0ee98249142dcd0376d76e7a48ba0b31" ], "author": { "name": "Harishankar Vishwanathan", "email": "harishankar.vishwanathan@gmail.com", "time": "Thu Apr 02 17:10:09 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 02 18:23:25 2026 -0700" }, "message": "bpf: Exit early if reg_bounds_sync gets invalid inputs\n\nIn the subsequent commit, to prune dead branches we will rely on\ndetecting ill-formed ranges using range_bounds_violations()\n(e.g., umin \u003e umax) after refining register bounds using\nregs_refine_cond_op().\n\nHowever, reg_bounds_sync() can sometimes \"repair\" ill-formed bounds,\npotentially masking a violation that was produced by\nregs_refine_cond_op().\n\nThis commit modifies reg_bounds_sync() to exit early if an invariant\nviolation is already present in the input.\n\nThis ensures ill-formed reg_states remain ill-formed after\nreg_bounds_sync(), allowing simulate_both_branches_taken() to correctly\nidentify dead branches with a single check to range_bounds_violation().\n\nSuggested-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nSigned-off-by: Harishankar Vishwanathan \u003charishankar.vishwanathan@gmail.com\u003e\nSigned-off-by: Paul Chaignon \u003cpaul.chaignon@gmail.com\u003e\nAcked-by: Shung-Hsi Yu \u003cshung-hsi.yu@suse.com\u003e\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/73127d628841c59cb7423d6bdcd204bf90bcdc80.1775142354.git.paul.chaignon@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "ec1d77cb0ee98249142dcd0376d76e7a48ba0b31", "tree": "e88ef247bab431205851192f7997616ac665467b", "parents": [ "a1311b94ef85c61b600a1ffd3b7b1ea169392115" ], "author": { "name": "Paul Chaignon", "email": "paul.chaignon@gmail.com", "time": "Thu Apr 02 17:09:15 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 02 18:23:25 2026 -0700" }, "message": "bpf: Use bpf_verifier_env buffers for reg_set_min_max\n\nIn a subsequent patch, the regs_refine_cond_op and reg_bounds_sync\nfunctions will be called in is_branch_taken instead of reg_set_min_max,\nto simulate each branch\u0027s outcome. Since they will run before we branch\nout, these two functions will need to work on temporary registers for\nthe two branches.\n\nThis refactoring patch prepares for that change, by introducing the\ntemporary registers on bpf_verifier_env and using them in\nreg_set_min_max.\n\nThis change also allows us to save one fake_reg slot as we don\u0027t need to\nallocate an additional temporary buffer in case of a BPF_K condition.\n\nFinally, you may notice that this patch removes the check for\n\"false_reg1 \u003d\u003d false_reg2\" in reg_set_min_max. That check was introduced\nin commit d43ad9da8052 (\"bpf: Skip bounds adjustment for conditional\njumps on same scalar register\") to avoid an invariant violation. Given\nthat \"env-\u003efalse_reg1 \u003d\u003d env-\u003efalse_reg2\" doesn\u0027t make sense and\ninvariant violations are addressed in a subsequent commit, this patch\njust removes the check.\n\nSuggested-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nCo-developed-by: Harishankar Vishwanathan \u003charishankar.vishwanathan@gmail.com\u003e\nSigned-off-by: Harishankar Vishwanathan \u003charishankar.vishwanathan@gmail.com\u003e\nSigned-off-by: Paul Chaignon \u003cpaul.chaignon@gmail.com\u003e\nAcked-by: Shung-Hsi Yu \u003cshung-hsi.yu@suse.com\u003e\nAcked-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/260b0270052944a420e1c56e6a92df4d43cadf03.1775142354.git.paul.chaignon@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "a1311b94ef85c61b600a1ffd3b7b1ea169392115", "tree": "4110b5e509e2b3e2d4f1f81d08ec94388357a13c", "parents": [ "7e85ca02ef3aa2f37ce6dbba820f55b385330ce9" ], "author": { "name": "Harishankar Vishwanathan", "email": "harishankar.vishwanathan@gmail.com", "time": "Thu Apr 02 17:08:19 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 02 18:23:24 2026 -0700" }, "message": "bpf: Refactor reg_bounds_sanity_check\n\nThis commit refactors reg_bounds_sanity_check to factor out the logic\nthat performs the sanity check from the logic that does the reporting.\n\nSigned-off-by: Harishankar Vishwanathan \u003charishankar.vishwanathan@gmail.com\u003e\nSigned-off-by: Paul Chaignon \u003cpaul.chaignon@gmail.com\u003e\nAcked-by: Shung-Hsi Yu \u003cshung-hsi.yu@suse.com\u003e\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/198ec3e69343e2c46dc9cbe2b1bc9be9ae2df5bd.1775142354.git.paul.chaignon@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "5a9617dde77d0777b53f0af7dee58109650bda41", "tree": "bcc15ea657e4506e7c7365ef9dd43983b60497be", "parents": [ "19abf08d5e66713e7e02a3e160f51647512c1302", "e02494114ebf7c8b42777c6cd6982f113bfdbec7" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Apr 02 17:29:48 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Apr 02 17:29:48 2026 -0700" }, "message": "Merge tag \u0027v7.0-p4\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6\n\nPull crypto fixes from Herbert Xu:\n\n - Add missing async markers to tegra\n\n - Fix long hmac key DMA handling in caam\n\n - Fix spurious ENOSPC errors in deflate\n\n - Fix SG chaining in af_alg\n\n - Do not use in-place process in algif_aead\n\n - Fix out-of-place destination overflow in authencesn\n\n* tag \u0027v7.0-p4\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:\n crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption\n crypto: algif_aead - Revert to operating out-of-place\n crypto: af-alg - fix NULL pointer dereference in scatterwalk\n crypto: deflate - fix spurious -ENOSPC\n crypto: caam - fix overflow on long hmac keys\n crypto: caam - fix DMA corruption on long hmac keys\n crypto: tegra - Add missing CRYPTO_ALG_ASYNC\n" }, { "commit": "7e85ca02ef3aa2f37ce6dbba820f55b385330ce9", "tree": "371e33ce55eb534b8d467ae5612c202e31608a0f", "parents": [ "e8aec1058ca598fe2013ef3489ae729a8070801b", "63f5156a9c3e85ecfcc0127df6069cd7baa7eeb0" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 02 15:11:08 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 02 15:11:16 2026 -0700" }, "message": "Merge branch \u0027task-local-data-bug-fixes-and-improvement\u0027\n\nAmery Hung says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nTask local data bug fixes and improvement\n\nThis patchset fixed three task local data bugs, improved the\nmemory allocation code, and dropped unnecessary TLD_READ_ONCE. Please\nfind the detail in each patch\u0027s commit msg.\n\nOne thing worth mentioning is that Patch 3 allows us to renable task\nlocal data selftests as the library now always calls aligned_alloc()\nwith size matching alignment under default configuration.\n\nv1 -\u003e v2\n - Fix potential memory leak\n - Drop TLD_READ_ONCE()\n Link: https://lore.kernel.org/bpf/20260326052437.590158-1-ameryhung@gmail.com/\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260331213555.1993883-1-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "63f5156a9c3e85ecfcc0127df6069cd7baa7eeb0", "tree": "371e33ce55eb534b8d467ae5612c202e31608a0f", "parents": [ "0b481a6915ed649f12ae0a9625206781bfdcc705" ], "author": { "name": "Amery Hung", "email": "ameryhung@gmail.com", "time": "Tue Mar 31 14:35:55 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 02 15:11:08 2026 -0700" }, "message": "selftests/bpf: Improve task local data documentation and fix potential memory leak\n\nIf TLD_FREE_DATA_ON_THREAD_EXIT is not enabled in a translation unit\nthat calls __tld_create_key() first, another translation unit that\nenables it will not get the auto cleanup feature as pthread key is only\ncreated once when allocation metadata. Fix it by always try to create\nthe pthread key when __tld_create_key() is called.\n\nAlso improve the documentation:\n- Discourage user from using different options in different translation\n units\n- Specify calling tld_free() before thread exit as undefined behavior\n\nSigned-off-by: Amery Hung \u003cameryhung@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260331213555.1993883-6-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "0b481a6915ed649f12ae0a9625206781bfdcc705", "tree": "56c11115e262ae1c237bdd0b0533994f35558bb7", "parents": [ "80aa8e9c64d0351f8bb215816e1b2277240c9e11" ], "author": { "name": "Amery Hung", "email": "ameryhung@gmail.com", "time": "Tue Mar 31 14:35:54 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 02 15:11:08 2026 -0700" }, "message": "selftests/bpf: Remove TLD_READ_ONCE() in the user space header\n\nTLD_READ_ONCE() is redundant as the only reference passed to it is\ndefined as _Atomic. The load is guaranteed to be atomic in C11 standard\n(6.2.6.1). Drop the macro.\n\nSigned-off-by: Amery Hung \u003cameryhung@gmail.com\u003e\nAcked-by: Sun Jian \u003csun.jian.kdev@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260331213555.1993883-5-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "80aa8e9c64d0351f8bb215816e1b2277240c9e11", "tree": "97add1f95976c1735a1b9e2c9317e9a67f57a339", "parents": [ "bb6d9f5cf1d407150658dc5c0dfa566ab2ec09ab" ], "author": { "name": "Amery Hung", "email": "ameryhung@gmail.com", "time": "Tue Mar 31 14:35:53 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 02 15:11:08 2026 -0700" }, "message": "selftests/bpf: Make sure TLD_DEFINE_KEY runs first\n\nWithout specifying constructor priority of the hidden constructor\nfunction defined by TLD_DEFINE_KEY, __tld_create_key(..., dyn_data \u003d\nfalse) may run after tld_get_data() called from other constructors.\nThreads calling tld_get_data() before __tld_create_key(..., dyn_data\n\u003d false) will not allocate enough memory for all TLDs and later result\nin OOB access. Therefore, set it to the lowest value available to\nusers. Note that lower means higher priority and 0-100 is reserved to\nthe compiler.\n\nAcked-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nSigned-off-by: Amery Hung \u003cameryhung@gmail.com\u003e\nAcked-by: Sun Jian \u003csun.jian.kdev@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260331213555.1993883-4-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "bb6d9f5cf1d407150658dc5c0dfa566ab2ec09ab", "tree": "129d0808cdd2724f3c6bd9269b84ea91faa918fd", "parents": [ "7c8ca532a7413b9ecf533d870641e9cff333d685" ], "author": { "name": "Amery Hung", "email": "ameryhung@gmail.com", "time": "Tue Mar 31 14:35:52 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 02 15:11:08 2026 -0700" }, "message": "selftests/bpf: Simplify task_local_data memory allocation\n\nSimplify data allocation by always using aligned_alloc() and passing\nsize_pot, size rounded up to the closest power of two to alignment.\n\nCurrently, aligned_alloc(page_size, size) is only intended to be used\nwith memory allocators that can fulfill the request without rounding\nsize up to page_size to conserve memory. This is enabled by defining\nTLD_DATA_USE_ALIGNED_ALLOC. The reason to align to page_size is due to\nthe limitation of UPTR where only a page can be pinned to the kernel.\nOtherwise, malloc(size * 2) is used to allocate memory for data.\n\nHowever, we don\u0027t need to call aligned_alloc(page_size, size) to get\na contiguous memory of size bytes within a page. aligned_alloc(size_pot,\n...) will also do the trick. Therefore, just use aligned_alloc(size_pot,\n...) universally.\n\nAs for the size argument, create a new option,\nTLD_DONT_ROUND_UP_DATA_SIZE, to specify not rounding up the size.\nThis preserves the current TLD_DATA_USE_ALIGNED_ALLOC behavior, allowing\nmemory allocators with low overhead aligned_alloc() to not waste memory.\nTo enable this, users need to make sure it is not an undefined behavior\nfor the memory allocator to have size not being an integral multiple of\nalignment.\n\nCompared to the current implementation, !TLD_DATA_USE_ALIGNED_ALLOC\nused to always waste size-byte of memory due to malloc(size * 2).\nNow the worst case becomes size - 1 and the best case is 0 when the size\nis already a power of two.\n\nSigned-off-by: Amery Hung \u003cameryhung@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260331213555.1993883-3-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "7c8ca532a7413b9ecf533d870641e9cff333d685", "tree": "842439fd609ce0d348f21de6bbad4d41fd00fe03", "parents": [ "e8aec1058ca598fe2013ef3489ae729a8070801b" ], "author": { "name": "Amery Hung", "email": "ameryhung@gmail.com", "time": "Tue Mar 31 14:35:51 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Thu Apr 02 15:11:08 2026 -0700" }, "message": "selftests/bpf: Fix task_local_data data allocation size\n\nCurrently, when allocating memory for data, size of tld_data_u-\u003estart\nis not taken into account. This may cause OOB access. Fixed it by adding\nthe non-flexible array part of tld_data_u.\n\nBesides, explicitly align tld_data_u-\u003edata to 8 bytes in case some\nfields are added before data in the future. It could break the\nassumption that every data field is 8 byte aligned and\nsizeof(tld_data_u) will no longer be equal to\noffsetof(struct tld_data_u, data), which we use interchangeably.\n\nSigned-off-by: Amery Hung \u003cameryhung@gmail.com\u003e\nAcked-by: Sun Jian \u003csun.jian.kdev@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260331213555.1993883-2-ameryhung@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "e8aec1058ca598fe2013ef3489ae729a8070801b", "tree": "db8aa70bb6ed814b79c44634c9caf018e8669a41", "parents": [ "1cc96e0e20489159398009d2f453e59c10e413c9", "9d77cefe8fcd4bd1c0bcfd4073fe6cd4325c8d9e" ], "author": { "name": "Andrii Nakryiko", "email": "andrii@kernel.org", "time": "Thu Apr 02 13:23:19 2026 -0700" }, "committer": { "name": "Andrii Nakryiko", "email": "andrii@kernel.org", "time": "Thu Apr 02 13:23:19 2026 -0700" }, "message": "Merge branch \u0027libbpf-clarify-raw-address-single-kprobe-attach-behavior\u0027\n\nHoyeon Lee says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nlibbpf: clarify raw-address single kprobe attach behavior\n\nToday libbpf documents single-kprobe attach through func_name, with an\noptional offset. For the PMU-based path, func_name \u003d NULL with an\nabsolute address in offset already works as well, but that is not\ndescribed in the API.\n\nThis patchset clarifies this behavior. First commit fixes kprobe\nand uprobe attach error handling to use direct error codes. Next adds\nkprobe API comments for the raw-address form and rejects it explicitly\nfor legacy tracefs/debugfs kprobes. Last adds PERF and LINK selftests\nfor the raw-address form, and checks that LEGACY rejects it.\n---\nChanges in v7:\n- Change selftest line wrapping and assertions\n\nChanges in v6:\n- Split the kprobe/uprobe direct error-code fix into a separate patch\n\nChanges in v5:\n- Add kprobe API docs, use -EOPNOTSUPP, and switch selftests to LIBBPF_OPTS\n\nChanges in v4:\n- Inline raw-address error formatting and remove the probe_target buffer\n\nChanges in v3:\n- Drop bpf_kprobe_opts.addr and reuse offset when func_name is NULL\n- Make legacy tracefs/debugfs kprobes reject the raw-address form\n- Update selftests to cover PERF/LINK raw-address attach and LEGACY reject\n\nChanges in v2:\n- Fix line wrapping and indentation\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260401143116.185049-1-hoyeon.lee@suse.com\nSigned-off-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\n" }, { "commit": "9d77cefe8fcd4bd1c0bcfd4073fe6cd4325c8d9e", "tree": "db8aa70bb6ed814b79c44634c9caf018e8669a41", "parents": [ "e1621c752865dcd682d9f52c3566ba3c6b9ee589" ], "author": { "name": "Hoyeon Lee", "email": "hoyeon.lee@suse.com", "time": "Wed Apr 01 23:29:31 2026 +0900" }, "committer": { "name": "Andrii Nakryiko", "email": "andrii@kernel.org", "time": "Thu Apr 02 13:23:19 2026 -0700" }, "message": "selftests/bpf: Add test for raw-address single kprobe attach\n\nCurrently, attach_probe covers manual single-kprobe attaches by\nfunc_name, but not the raw-address form that the PMU-based\nsingle-kprobe path can accept.\n\nThis commit adds PERF and LINK raw-address coverage. It resolves\nSYS_NANOSLEEP_KPROBE_NAME through kallsyms, passes the absolute address\nin bpf_kprobe_opts.offset with func_name \u003d NULL, and verifies that\nkprobe and kretprobe are still triggered. It also verifies that LEGACY\nrejects the same form.\n\nSigned-off-by: Hoyeon Lee \u003choyeon.lee@suse.com\u003e\nSigned-off-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\nAcked-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/bpf/20260401143116.185049-4-hoyeon.lee@suse.com\n" }, { "commit": "e1621c752865dcd682d9f52c3566ba3c6b9ee589", "tree": "79e58d5b851165f27415bd76596c56c08072a5ef", "parents": [ "f547cf79475fdfee39dcab07a2b381026427a0b3" ], "author": { "name": "Hoyeon Lee", "email": "hoyeon.lee@suse.com", "time": "Wed Apr 01 23:29:30 2026 +0900" }, "committer": { "name": "Andrii Nakryiko", "email": "andrii@kernel.org", "time": "Thu Apr 02 13:23:19 2026 -0700" }, "message": "libbpf: Clarify raw-address single kprobe attach behavior\n\nbpf_program__attach_kprobe_opts() documents single-kprobe attach\nthrough func_name, with an optional offset. For the PMU-based path,\nfunc_name \u003d NULL with an absolute address in offset already works as\nwell, but that is not described in the API.\n\nThis commit clarifies this existing non-legacy behavior. For PMU-based\nattach, callers can use func_name \u003d NULL with an absolute address in\noffset as the raw-address form. For legacy tracefs/debugfs kprobes,\nreject this form explicitly.\n\nSigned-off-by: Hoyeon Lee \u003choyeon.lee@suse.com\u003e\nSigned-off-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\nAcked-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/bpf/20260401143116.185049-3-hoyeon.lee@suse.com\n" }, { "commit": "f547cf79475fdfee39dcab07a2b381026427a0b3", "tree": "4760cd69b7a79c6ed7f03d243bd0247c899030a2", "parents": [ "1cc96e0e20489159398009d2f453e59c10e413c9" ], "author": { "name": "Hoyeon Lee", "email": "hoyeon.lee@suse.com", "time": "Wed Apr 01 23:29:29 2026 +0900" }, "committer": { "name": "Andrii Nakryiko", "email": "andrii@kernel.org", "time": "Thu Apr 02 13:23:19 2026 -0700" }, "message": "libbpf: Use direct error codes for kprobe/uprobe attach\n\nperf_event_open_probe() and perf_event_{k,u}probe_open_legacy() helpers\nare returning negative error codes directly on failure. This commit\nchanges bpf_program__attach_{k,u}probe_opts() to use those return\nvalues directly instead of re-reading possibly changed errno.\n\nSigned-off-by: Hoyeon Lee \u003choyeon.lee@suse.com\u003e\nSigned-off-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\nAcked-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/bpf/20260401143116.185049-2-hoyeon.lee@suse.com\n" }, { "commit": "1cc96e0e20489159398009d2f453e59c10e413c9", "tree": "6e083e459dcba0e3c7ec95ce58b6a6b6fbc81f6a", "parents": [ "e25cfbec08558e15fdf0f31f229b9f2a491e8288" ], "author": { "name": "Mykyta Yatsenko", "email": "yatsenko@meta.com", "time": "Wed Apr 01 16:16:40 2026 +0100" }, "committer": { "name": "Andrii Nakryiko", "email": "andrii@kernel.org", "time": "Thu Apr 02 13:02:46 2026 -0700" }, "message": "libbpf: Fix BTF handling in bpf_program__clone()\n\nAlign bpf_program__clone() with bpf_object_load_prog() by gating\nBTF func/line info on FEAT_BTF_FUNC kernel support, and resolve\ncaller-provided prog_btf_fd before checking obj-\u003ebtf so that callers\nwith their own BTF can use clone() even when the object has no BTF\nloaded.\n\nWhile at it, treat func_info and line_info fields as atomic groups\nto prevent mismatches between pointer and count from different sources.\n\nMove bpf_program__clone() to libbpf 1.8.\n\nFixes: 970bd2dced35 (\"libbpf: Introduce bpf_program__clone()\")\nSigned-off-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nSigned-off-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\nLink: https://lore.kernel.org/bpf/20260401151640.356419-1-mykyta.yatsenko5@gmail.com\n" }, { "commit": "19abf08d5e66713e7e02a3e160f51647512c1302", "tree": "163df8b11f8a6f30826d22cdf4e36bbfa152153a", "parents": [ "5619b098e2fbf3a23bf13d91897056a1fe238c6d", "fda9522ed6afaec45cabc198d8492270c394c7bc" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Apr 02 12:03:15 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Apr 02 12:03:15 2026 -0700" }, "message": "Merge tag \u0027v7.0-rc6-ksmbd-server-fix\u0027 of git://git.samba.org/ksmbd\n\nPull smb server fix from Steve French:\n\n - Fix out of bound write\n\n* tag \u0027v7.0-rc6-ksmbd-server-fix\u0027 of git://git.samba.org/ksmbd:\n ksmbd: fix OOB write in QUERY_INFO for compound requests\n" }, { "commit": "5619b098e2fbf3a23bf13d91897056a1fe238c6d", "tree": "1f807b9a0be31d90e9cb8eb082ead3424d3b05b4", "parents": [ "f8f5627a8aeab15183eef8930bf75ba88a51622f", "316fb1b3169efb081d2db910cbbfef445afa03b9" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Apr 02 10:31:30 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Apr 02 10:31:30 2026 -0700" }, "message": "Merge tag \u0027for-7.0-rc6-tag\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux\n\nPull btrfs fix from David Sterba:\n \"One more fix for a potential extent tree corruption due to an\n unexpected error value.\n\n When the search for an extent item failed, it under some circumstances\n was reported as a success to the caller\"\n\n* tag \u0027for-7.0-rc6-tag\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:\n btrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref()\n" } ], "next": "e1b5687a862a43429f1d9f69065b3bbc7780a97a" }