)]}' { "log": [ { "commit": "30dee2c176e7954f63d1fa3e52d172f30beb9bfb", "tree": "62d762df6071e1a9b365d49b8904f71348b80c87", "parents": [ "10627ddc0167aab5c1c390a10ef461e9937aba08" ], "author": { "name": "Lin Ma", "email": "malin89@huawei.com", "time": "Wed Jun 10 12:55:39 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Wed Jun 10 16:16:46 2026 -0700" }, "message": "selftests/bpf: Cover tail-call cgroup storage prog-array checks\n\nAdd tail-call selftests for prog-array ownership when cgroup storage\nis in use. Verify that loading succeeds when callers and callees reuse\nthe owner\u0027s cgroup storage map, and that loading fails for a different\nstorage map and for the A(storage) -\u003e B(no storage) -\u003e C(storage)\nbridge case addressed in the previous commit.\n\nAlso verify that a storage-less leaf program which cannot perform tail\ncalls itself is still allowed to join a storage-owned prog array, while\na storage-less tail-caller is rejected also at map update time.\n\n # LDLIBS\u003d-static PKG_CONFIG\u003d\u0027pkg-config --static\u0027 ./vmtest.sh -- ./test_progs -t tailcalls\n [...]\n #475/25 tailcalls/tailcall_freplace:OK\n #475/26 tailcalls/tailcall_bpf2bpf_freplace:OK\n #475/27 tailcalls/tailcall_failure:OK\n #475/28 tailcalls/reject_tail_call_spin_lock:OK\n #475/29 tailcalls/reject_tail_call_rcu_lock:OK\n #475/30 tailcalls/reject_tail_call_preempt_lock:OK\n #475/31 tailcalls/reject_tail_call_ref:OK\n #475/32 tailcalls/tailcall_sleepable:OK\n #475/33 tailcalls/tailcall_cgrp_storage:OK\n #475/34 tailcalls/tailcall_cgrp_storage_diff_storage:OK\n #475/35 tailcalls/tailcall_cgrp_storage_no_storage:OK\n #475/36 tailcalls/tailcall_cgrp_storage_no_storage_leaf:OK\n #475/37 tailcalls/tailcall_cgrp_storage_no_storage_bridge:OK\n #475 tailcalls:OK\n Summary: 1/37 PASSED, 0 SKIPPED, 0 FAILED\n\nSigned-off-by: Lin Ma \u003cmalin89@huawei.com\u003e\nSigned-off-by: Rongzhen Cui \u003ccuirongzhen@huawei.com\u003e\nSigned-off-by: Jingguo Tan \u003ctanjingguo@huawei.com\u003e\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nAcked-by: Yonghong Song \u003cyonghong.song@linux.dev\u003e\nLink: https://lore.kernel.org/r/20260610105539.705887-2-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "10627ddc0167aab5c1c390a10ef461e9937aba08", "tree": "5f8819af0af1878d52fa5ee9b4d19c21f362c28f", "parents": [ "2e8ad1ff712d2a397e407c9fde60901f68d077dc" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Wed Jun 10 12:55:38 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Wed Jun 10 16:16:46 2026 -0700" }, "message": "bpf: Tighten cgroup storage cookie checks for prog arrays\n\nThe fix in commit abad3d0bad72 (\"bpf: Fix oob access in cgroup local\nstorage\") is still incomplete. The prog-array compatibility check\ntreats a program with no cgroup storage as compatible with any stored\nstorage cookie. This allows a storage-less program to bridge a tail\ncall chain between an entry program and a storage-using callee even\nthough cgroup local storage at runtime still follows the caller\u0027s\ncontext, that is, A -\u003e B(no storage) -\u003e C(storage) path.\n\nRequiring exact cookie equality would break the legitimate case of a\nstorage-less leaf program being tail called from a storage-using one.\nInstead, only accept a zero storage cookie if the program cannot\nperform tail calls itself. This keeps A -\u003e B(no storage) working\nwhile rejecting the A -\u003e B(no storage) -\u003e C(storage) bridge.\n\nFixes: abad3d0bad72 (\"bpf: Fix oob access in cgroup local storage\")\nReported-by: Lin Ma \u003cmalin89@huawei.com\u003e\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nAcked-by: Yonghong Song \u003cyonghong.song@linux.dev\u003e\nLink: https://lore.kernel.org/r/20260610105539.705887-1-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "2e8ad1ff712d2a397e407c9fde60901f68d077dc", "tree": "ff1ce1687a39ff3c89df123ab089f9eb42aabede", "parents": [ "1fed2e47fac582e824f77f68722a8a13820e58e2" ], "author": { "name": "Yonghong Song", "email": "yonghong.song@linux.dev", "time": "Tue Jun 09 22:18:31 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Wed Jun 10 08:02:29 2026 -0700" }, "message": "selftests/bpf: Fix bpf_iter/task_vma test\n\nFor selftest bpf_iter/task_vma, I got a failure like below on my qemu run:\n\ntest_task_vma_common:FAIL:compare_output unexpected compare_output:\n actual\n \u0027561593546000-561593585000r--p0000000000:241256579534/root/devshare/bpf-next/tools/testing/selftests/bpf/test_progs\u0027\n !\u003d expected\n \u0027561593546000-561593585000r--p0000000000:245551546830/root/devshare/bpf-next/tools/testing/selftests/bpf/test_progs\u0027\n\nFurther debugging found out file-\u003ef_inode-\u003ei_ino value may exceed 32bit,\ne.g., i_ino \u003d 0x14c2eae35, but the format string is \u0027%u\u0027. This caused\ninode mismatch between bpf iter and proc result.\n\nFix the issue by using format string \u0027%llu\u0027 to accommodate 64bit i_ino.\n\nFixes: e8168840e16c (\"selftests/bpf: Add test for bpf_iter_task_vma\")\nSigned-off-by: Yonghong Song \u003cyonghong.song@linux.dev\u003e\nAcked-by: Leon Hwang \u003cleon.hwang@linux.dev\u003e\nLink: https://lore.kernel.org/r/20260610051831.1346659-1-yonghong.song@linux.dev\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "1fed2e47fac582e824f77f68722a8a13820e58e2", "tree": "703f21d578314c1ee115b1c9a44ee754bdbd90cf", "parents": [ "140fa23df957b51385aa847986d44ad7f59b0563", "2e7c6cb4d8437a2fe7cd95aac7ca53d7eb05e9f4" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 09 21:23:12 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 09 21:23:12 2026 -0700" }, "message": "Merge branch \u0027fix-kptr-dtor-deadlock\u0027\n\nKumar Kartikeya Dwivedi says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nFix kptr dtor deadlock\n\nReferenced kptr destruction can run from tracing/NMI contexts through\nbpf_obj_drop() and map value update/delete paths, reaching NMI-unsafe\nspecial field teardown and deadlocks. Justin reported the issue and\niterated on fixes in [0]-[2], and also confirmed the bpf_obj_drop()\nreproducer in [3].\n\nThis series rejects unsafe obj drops from non-iterator tracing programs,\nlimits map value recycle to NMI-safe field cancellation, and adds\nfocused selftests for the obj_drop(), NMI delete, and recycle teardown\ncases.\n\nSee patches for details.\n\n [0]: https://lore.kernel.org/bpf/20260505150851.3090688-1-utilityemal77@gmail.com\n [1]: https://lore.kernel.org/bpf/20260507175453.1140400-1-utilityemal77@gmail.com\n [2]: https://lore.kernel.org/bpf/20260519011450.1144935-1-utilityemal77@gmail.com\n [3]: https://lore.kernel.org/bpf/agyG3eQwgmoJwmj2@suesslenovo\n\nChangelog:\n----------\nv2 -\u003e v3\nv2: https://lore.kernel.org/bpf/20260609093719.2858096-1-memxor@gmail.com\n\n * Replace bpf_obj_cancel_fields() to use bpf_map_free_internal_structs(). (Mykyta)\n * Fix CI failures.\n\nv1 -\u003e v2\nv1: https://lore.kernel.org/bpf/20260608144841.1732406-1-memxor@gmail.com\n\n * Drop is_tracing_prog_type() fix due to compat breakage, revisit separately.\n * Rework bpf_obj_drop() fix to additionally reject non-iter tracing progs.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260609202548.3571690-1-memxor@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "2e7c6cb4d8437a2fe7cd95aac7ca53d7eb05e9f4", "tree": "703f21d578314c1ee115b1c9a44ee754bdbd90cf", "parents": [ "4b84518137ce841eca2acae83096adb829dad05c" ], "author": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Tue Jun 09 22:25:46 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 09 21:23:11 2026 -0700" }, "message": "selftests/bpf: Exercise kptr map update lifetime\n\nAdd focused map_kptr coverage for BPF-side map updates that touch values\ncontaining referenced kptrs.\n\nThe new syscall programs stash the testmod refcounted object in an array\nmap, a preallocated hash map, and a no-prealloc hash map, then update the\nsame map from BPF. The refcount must remain elevated after the update,\nwhile the userspace runner destroys the skeleton and reuses the existing\nrefcount wait to confirm map teardown releases the kptr.\n\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260609202548.3571690-5-memxor@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "4b84518137ce841eca2acae83096adb829dad05c", "tree": "66cae2d20b32e94f2d0f80c5f19a1c8bc6a81aad", "parents": [ "a3a81d247651218e47153f2d2afd7aee236726fd" ], "author": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Tue Jun 09 22:25:45 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 09 21:23:11 2026 -0700" }, "message": "selftests/bpf: Exercise unsafe obj drops from tracing progs\n\nAdd task_kfunc failure cases for bpf_obj_drop() on local objects with\nreferenced kptr fields from tracing and NMI tracing programs. These programs\nmust be rejected because dropping the object would run full special-field\ndestruction synchronously in an unsafe context.\n\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260609202548.3571690-4-memxor@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "a3a81d247651218e47153f2d2afd7aee236726fd", "tree": "243bddd5e5085f96f65fdd1a596f0773b75f6928", "parents": [ "94c8d1c21be40a845357854f98ec07e21bb14bc9" ], "author": { "name": "Justin Suess", "email": "utilityemal77@gmail.com", "time": "Tue Jun 09 22:25:44 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 09 21:23:11 2026 -0700" }, "message": "bpf: Cancel special fields on map value recycle\n\nMap update and delete paths currently call bpf_obj_free_fields() when a\nvalue is being replaced or recycled. That makes field destruction depend\non the context of the update/delete operation. For tracing programs this\ncan include NMI context, where referenced kptr destructors, uptr\nunpinning, and graph root destruction are not generally safe.\n\nIntroduce bpf_obj_cancel_fields() for the reusable-value path. It only\nperforms NMI-safe cleanup for timer, workqueue, and task_work fields.\nFields that need full destruction are left attached to the recycled value\nand are destroyed by the final cleanup path instead.\n\nSwitch array and hashtab update/delete/recycle paths to this cancel\nhelper. Keep bpf_obj_free_fields() for final map destruction and for\nbpf_mem_alloc destructors. Preallocated hashtabs do not have allocator\ndestructors, so teardown continues to walk the normal and extra elements\nand fully destroy their fields.\n\nThis deliberately relaxes the eager-free semantics of map update/delete\nfor special fields. Programs that relied on a recycled map slot becoming\nempty immediately after update/delete were relying on behavior that\ncannot be implemented safely from every BPF execution context without\noffloading arbitrary destructors.\n\nThere is a chance this change breaks programs making assumptions\nregarding the eager freeing of fields. If so, we can relax semantics to\ncancellation only when irqs_disabled() is true in the future. However,\ntheoretically, map values that get reused eagerly already have weaker\nguarantees as parallel users can recreate freed fields before the new\nelement becomes visible again.\n\nFixes: 14a324f6a67e (\"bpf: Wire up freeing of referenced kptr\")\nSigned-off-by: Justin Suess \u003cutilityemal77@gmail.com\u003e\nCo-developed-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260609202548.3571690-3-memxor@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "94c8d1c21be40a845357854f98ec07e21bb14bc9", "tree": "84799a5d311006ec5b0f2ce7fdc3586e63104892", "parents": [ "140fa23df957b51385aa847986d44ad7f59b0563" ], "author": { "name": "Justin Suess", "email": "utilityemal77@gmail.com", "time": "Tue Jun 09 22:25:43 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 09 21:23:11 2026 -0700" }, "message": "bpf: Reject bpf_obj_drop() from tracing progs\n\nbpf_obj_drop() runs bpf_obj_free_fields() synchronously for\nprogram-allocated objects. When such an object contains NMI unsafe\nfields, tracing programs that can run from arbitrary instrumented\ncontext can reach that destruction from unsafe contexts, including NMI.\n\nNMI is likely one instance of this problem, and other instances would\ninclude possible unsafe reentrancy. Deferring bpf_obj_drop() is not\nappealing either: it would add delayed-free machinery to a release\noperation that otherwise has straightforward synchronous ownership\nsemantics.\n\nReject bpf_obj_drop() and bpf_percpu_obj_drop() from tracing programs\nthat may run from unsafe contexts unless every field in the object\u0027s BTF\nrecord is explicitly NMI safe. Do not reject sleepable\nBPF_PROG_TYPE_TRACING programs, since they are not the arbitrary/NMI\ncontexts that motivate the restriction.\n\nNote that while bpf_rb_root and bpf_list_head would be NMI safe on their\nown to free, the objects recursively held by them may not be; be\nconservative and just mark them as not NMI safe for now.\n\nUse a whitelist for the NMI-safe field set instead of listing only known\nNMI unsafe fields. Locks, async fields, unreferenced kptrs, and\nrefcounts are known to be NMI safe because their destruction is either a\nno-op, simple state reset, or async cancellation. Referenced kptrs,\npercpu referenced kptrs, uptrs, graph roots, graph nodes, and any future\nfield type are rejected until audited for arbitrary tracing and NMI\ncontexts. This is less susceptible to future changes in fields that were\npreviously safe by exclusion, and to new fields being added without\nupdating this check.\n\nConvert the existing recursive local-object drop success case to a\nsyscall program in the same commit, since this verifier change makes the\nold tracing program form invalid. The test still exercises\nbpf_obj_drop() releasing a referenced task kptr from a safe program\ntype.\n\nFixes: ac9f06050a35 (\"bpf: Introduce bpf_obj_drop\")\nSigned-off-by: Justin Suess \u003cutilityemal77@gmail.com\u003e\nCo-developed-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260609202548.3571690-2-memxor@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "140fa23df957b51385aa847986d44ad7f59b0563", "tree": "92fe3028f6b1cadfd44baef9aca8602f9436c6a1", "parents": [ "c15261b1bba0bb7921552cdd86c8b0202697a8f9", "e775c522a455b97db7e0a466c400f74672990bad" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 09 21:21:15 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 09 21:21:16 2026 -0700" }, "message": "Merge branch \u0027selftests-bpf-fix-tests-for-llvm23-true-signature\u0027\n\nYonghong Song says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nselftests/bpf: Fix tests for llvm23 true signature\n\nLLVM23 ([1]) records the \u0027true\u0027 function signature in BTF, i.e. the\nsignature inferred after optimization rather than the one written in C.\nThis caused two kinds of selftest failures (see below).\n\nCase 1: keep int return type for tailcall subprogs\n\nThe verifier requires any subprog that issues a bpf_tail_call to return\nan \u0027int\u0027 (see check_btf_func() in kernel/bpf/check_btf.c, which rejects\nit with \"tail_call is only allowed in functions that return \u0027int\u0027\").\n\nSeveral tailcall subprogs do \u0027return 0\u0027 (or another constant) whose\nresult no caller uses. With llvm23 the compiler folds the constant and,\nsince the return value is dead, optimizes the subprog to effectively\nreturn \u0027void\u0027 and records \u0027void\u0027 in BTF, so the program fails to load.\n\nUse barrier_var() and __sink() to prevent returned value from being\noptimized.\n\nCase 2: adjust tracing prog ctx layout for the true signature\n\ntest_pkt_access_subprog2() has an unused argument that llvm optimizes\naway. Before llvm23 the BTF signature did not match the optimized\nassembly, so the verifier fell back to MAX_BPF_FUNC_REG_ARGS (5) u64\narguments and the fexit return value sat after args[5]. With llvm23 the\ntrue signature has a single argument, so the return value moves to the\nslot after args[1]. Select the matching ctx struct based on __clang_major__\nso the test works with both old and new llvm.\n\n [1] https://github.com/llvm/llvm-project/pull/198426\n\nChangelogs:\n v1 -\u003e v2:\n - v1: https://lore.kernel.org/bpf/20260609163947.1717694-1-yonghong.song@linux.dev/\n - Do not use bpf array map or bpf global var. Use __sink() instead.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260609233402.2711071-1-yonghong.song@linux.dev\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "e775c522a455b97db7e0a466c400f74672990bad", "tree": "92fe3028f6b1cadfd44baef9aca8602f9436c6a1", "parents": [ "be1d838b88e445fa6edfb9f98af1603cbf2ee94d" ], "author": { "name": "Yonghong Song", "email": "yonghong.song@linux.dev", "time": "Tue Jun 09 16:34:12 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 09 21:21:15 2026 -0700" }, "message": "selftests/bpf: Adjust fexit_bpf2bpf ctx layout for llvm23 true signature\n\ntest_pkt_access_subprog2() is defined in C as\n\n int test_pkt_access_subprog2(int val, volatile struct __sk_buff *skb)\n\nbut llvm optimizes away the unused \u0027int val\u0027 argument. Before llvm23 the\nBTF signature did not match the optimized assembly, so the verifier set\nattach_func_proto to NULL and fell back to MAX_BPF_FUNC_REG_ARGS (5) u64\narguments (see btf_ctx_access()). The fexit ctx struct therefore placed\nthe return value after args[5].\n\nWith llvm23 the \u0027true\u0027 signature\n\n int test_pkt_access_subprog2(volatile struct __sk_buff *skb)\n\nis recorded in BTF, so nr_args becomes 1 and the return value moves to\nthe slot right after args[1]. Select the matching args_subprog2 layout\nbased on __clang_major__ so the test works with both old and new llvm.\n\nSigned-off-by: Yonghong Song \u003cyonghong.song@linux.dev\u003e\nLink: https://lore.kernel.org/r/20260609233412.2712178-1-yonghong.song@linux.dev\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "be1d838b88e445fa6edfb9f98af1603cbf2ee94d", "tree": "12c097f7391d6456343e8beb18a093eae32d2802", "parents": [ "c15261b1bba0bb7921552cdd86c8b0202697a8f9" ], "author": { "name": "Yonghong Song", "email": "yonghong.song@linux.dev", "time": "Tue Jun 09 16:34:07 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 09 21:21:15 2026 -0700" }, "message": "selftests/bpf: Keep int return type for tailcall subprogs\n\nLLVM23 ([1]) supports \u0027true\u0027 function signature in BTF. The return type\nof the caller of a tailcall must be an \u0027int\u0027. Otherwise, verification will\nfail (see check_btf_func() in check_btf.c). So with llvm23, it is possible\nthat the compiler may change the caller\u0027s return type from \u0027int\u0027 to \u0027void\u0027.\nTo prevent this, barrier_var() and __sink() are used to avoid returning\na constant prone to be optimized.\n\n [1] https://github.com/llvm/llvm-project/pull/198426\n\nSigned-off-by: Yonghong Song \u003cyonghong.song@linux.dev\u003e\nLink: https://lore.kernel.org/r/20260609233407.2711577-1-yonghong.song@linux.dev\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "c15261b1bba0bb7921552cdd86c8b0202697a8f9", "tree": "cad9bd402c5aabd40da9f53a135e14077ffe4e24", "parents": [ "68f4e480b089abae26fbab0c38c3df3cbac3d79d", "a3d76e27bbbf91d1025ce99eb55068ae0aa14322" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 09 12:42:04 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 09 12:42:50 2026 -0700" }, "message": "Merge branch \u0027bpf-lpm_trie-allow-sleepable-bpf-programs-to-use-lpm-tries\u0027\n\nVlad Poenaru says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nbpf, lpm_trie: Allow sleepable BPF programs to use LPM tries\n\ntrie_lookup_elem() annotates its rcu_dereference_check() walks with only\nrcu_read_lock_bh_held(), so a sleepable BPF program that touches an LPM\ntrie (e.g. a sleepable LSM hook calling bpf_map_lookup_elem()) trips a\n\"suspicious RCU usage\" lockdep splat on debug kernels: it holds only\nrcu_read_lock_trace(), which that annotation does not accept.\n\nPatch 1 relaxes the rcu_dereference annotations in the trie walks so they\nno longer trip lockdep from the Tasks Trace context, including the\ntrie_update_elem()/trie_delete_elem() writer walks (protected by\ntrie-\u003elock). Patch 2 adds BPF_MAP_TYPE_LPM_TRIE to the verifier\u0027s\nsleepable map whitelist so sleepable programs can reference an LPM trie\ndirectly, not just as the inner map of a map-of-maps. LPM trie nodes are\nreclaimed via bpf_mem_cache_free_rcu(), which chains a regular RCU grace\nperiod into a Tasks Trace grace period before freeing -- the same\ndiscipline BPF_MAP_TYPE_HASH relies on for sleepable access.\n\nChanges since v1:\n- Split into a 2-patch series.\n- Patch 1 now also converts the trie_update_elem()/trie_delete_elem()\n walks from rcu_dereference() to rcu_dereference_protected(*p, 1),\n addressing review feedback that v1 only fixed the lookup path and left\n the same splat on the writer paths.\n- New patch 2 adds the verifier whitelist entry so the fix is actually\n reachable for directly-referenced LPM tries.\n- Retitled v1 (\"Allow lookups from sleepable BPF programs\").\n\nv1: https://lore.kernel.org/all/20260529174233.2954240-1-vlad.wing@gmail.com/\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260609135558.193287-1-vlad.wing@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "a3d76e27bbbf91d1025ce99eb55068ae0aa14322", "tree": "cad9bd402c5aabd40da9f53a135e14077ffe4e24", "parents": [ "2f884d371fafea137afea504d49ee4a7c8d7985b" ], "author": { "name": "Vlad Poenaru", "email": "vlad.wing@gmail.com", "time": "Tue Jun 09 06:55:58 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 09 12:42:38 2026 -0700" }, "message": "bpf: Allow sleepable programs to use LPM trie maps directly\n\nThe previous change relaxed the rcu_dereference annotations in\nlpm_trie.c so the trie walks no longer trip lockdep when reached from a\nsleepable BPF program holding only rcu_read_lock_trace(). By itself\nthat only helps tries reached as the inner map of a map-of-maps, or\nfrom the classic-RCU syscall path: a sleepable program that references\nan LPM trie directly is still rejected at load time by\ncheck_map_prog_compatibility(), whose sleepable whitelist omits\nBPF_MAP_TYPE_LPM_TRIE:\n\n Sleepable programs can only use array, hash, ringbuf and local storage maps\n\nLPM trie nodes are allocated from a bpf_mem_alloc (trie-\u003ema) and freed\nwith bpf_mem_cache_free_rcu(), which chains a regular RCU grace period\ninto a Tasks Trace grace period before the node -- and the value\nembedded in it that trie_lookup_elem() returns to the program -- is\nreleased. That is the same reclaim discipline BPF_MAP_TYPE_HASH relies\non for sleepable access, so a value handed to a sleepable reader cannot\nbe freed while the program is still running under rcu_read_lock_trace().\nThe writer paths take trie-\u003elock across the walk and never relied on the\nRCU read-side lock to keep nodes alive.\n\nAdd BPF_MAP_TYPE_LPM_TRIE to the sleepable map whitelist so these\nprograms can use LPM tries directly.\n\nSigned-off-by: Vlad Poenaru \u003cvlad.wing@gmail.com\u003e\nReviewed-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nLink: https://lore.kernel.org/r/20260609135558.193287-3-vlad.wing@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "2f884d371fafea137afea504d49ee4a7c8d7985b", "tree": "bf0f9e20560b63318afea05520f39a805120e622", "parents": [ "68f4e480b089abae26fbab0c38c3df3cbac3d79d" ], "author": { "name": "Vlad Poenaru", "email": "vlad.wing@gmail.com", "time": "Tue Jun 09 06:55:57 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 09 12:42:22 2026 -0700" }, "message": "bpf: Allow LPM map access from sleepable BPF programs\n\ntrie_lookup_elem() annotates its rcu_dereference_check() walks with\nonly rcu_read_lock_bh_held(). Because rcu_dereference_check(p, c)\nresolves to \"c || rcu_read_lock_held()\", this passes for XDP/NAPI and\nclassic RCU readers but fails for sleepable BPF programs, which enter\nvia __bpf_prog_enter_sleepable() and hold only rcu_read_lock_trace().\n\ntrie_update_elem() and trie_delete_elem() have the same problem in a\ndifferent form: they walk the trie with plain rcu_dereference(), which\nasserts rcu_read_lock_held() unconditionally. Both are reachable from\nsleepable BPF programs via the bpf_map_update_elem / bpf_map_delete_elem\nhelpers, and from the syscall path under classic rcu_read_lock(). In\nthe writer paths the trie is actually protected by trie-\u003elock (an\nrqspinlock taken across the walk); we never relied on the RCU read-side\nlock to keep nodes alive there.\n\nA sleepable LSM hook that ends up touching an LPM trie therefore\ntriggers lockdep on debug kernels:\n\n \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n WARNING: suspicious RCU usage\n 7.1.0-... Tainted: G E\n -----------------------------\n kernel/bpf/lpm_trie.c:249 suspicious rcu_dereference_check() usage!\n 1 lock held by net_tests/540:\n #0: (rcu_tasks_trace_srcu_struct){....}-{0:0},\n at: __bpf_prog_enter_sleepable+0x26/0x280\n Call Trace:\n dump_stack_lvl\n lockdep_rcu_suspicious\n trie_lookup_elem\n bpf_prog_..._enforce_security_socket_connect\n bpf_trampoline_...\n security_socket_connect\n __sys_connect\n do_syscall_64\n\nThis is lockdep-only -- no UAF, since Tasks Trace RCU does serialize\nagainst the trie\u0027s reclaim path -- but it spams the console once per\ndistinct callsite on every debug kernel running a sleepable BPF LSM\nthat touches an LPM trie, which is increasingly common.\n\nFor the lookup path, switch the rcu_dereference_check() annotation\nfrom rcu_read_lock_bh_held() to bpf_rcu_lock_held(), which accepts all\nthree contexts (classic, BH, Tasks Trace). Other map types already\nfollow this convention.\n\nFor trie_update_elem() and trie_delete_elem(), annotate the walks as\nrcu_dereference_protected(*p, 1) -- matching trie_free() in the same\nfile -- since trie-\u003elock is held across the walk. rqspinlock has no\nlockdep_map, so the predicate degenerates to \u00271\u0027 rather than\nlockdep_is_held(\u0026trie-\u003elock); the protection is real but not\nmachine-verifiable. trie_get_next_key() also uses bare\nrcu_dereference() but is reachable only from the BPF syscall, which\nholds classic rcu_read_lock() before dispatching, so it is left\nuntouched.\n\nFixes: 694cea395fde (\"bpf: Allow RCU-protected lookups to happen from bh context\")\nCc: stable@vger.kernel.org\nSigned-off-by: Vlad Poenaru \u003cvlad.wing@gmail.com\u003e\nReviewed-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nLink: https://lore.kernel.org/r/20260609135558.193287-2-vlad.wing@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "68f4e480b089abae26fbab0c38c3df3cbac3d79d", "tree": "89f8b04561da336612c7355884e8a8ba77c05cf3", "parents": [ "f1a660bbd12dd855fce6cf13f144008c4e45e7c7" ], "author": { "name": "Emil Tsalapatis", "email": "emil@etsalapatis.com", "time": "Tue Jun 09 02:36:30 2026 -0400" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Tue Jun 09 11:10:25 2026 -0700" }, "message": "selftests/bpf: Avoid spurious spmc parallel selftest errors in libarena\n\nThe libarena parallel spmc selftest is nondeterministic by design.\nAs a result it depends up to a point on the relative timing between the\nproducer and consumer threads. This introduces the possibility for two\nkinds of spurious failures that this patch addresses.\n\n1) Spurious timeouts. The test proceeds in phases, and threads use a\n common counter as a barrier to avoid proceeding to the next phase\n until all threads are ready to do so. If a thread takes too long to\n reach the barrier, the already waiting threads may time out.\n\n Increase the current timeout. The timeout\u0027s value is a balance\n between the maximum amount of time spent on the test and the\n possibility of spurious failures. Right now the timeout is too short.\n Err on the side of caution and significantly increase it to avoid\n spurious failures.\n\n2) Spurious resize failures. Some selftests require the spmc queue to\n resize itself. This in turn requires for the producer side to be\n materially faster than the consumer side so that the queue gets full\n enough for a resize. However, in the benchmark the spmc queue\u0027s producer\n is outnumbered 3:1. To offset it we add busy waits for consume\n queues. However, we still see occasional failures due to the queue\n never resizing.\n\n Minimize the possibility for this in two ways: First, remove one of\n the consumers. The 2 consumers still exercise the \"race between\n consumers\" scenario. Second, increase the busy wait duration to\n decrease the rate by which the consumers act on the queue.\n\n While at it, also replace a stray invalid error value \"153\" with EINVAL.\n\nFixes: 42998f819256 (\"selftests/bpf: libarena: parallel test harness and spmc parallel selftest\")\nReported-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\nSigned-off-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nLink: https://lore.kernel.org/r/20260609063630.10245-1-emil@etsalapatis.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "f1a660bbd12dd855fce6cf13f144008c4e45e7c7", "tree": "2a62aaa899e85eae3f0d567e73ed73ceee025105", "parents": [ "dd0f9684d2f7d3f99aee63f5fa80562f2207b964", "af8c3f170f7314d316023efc0ae670384e220b09" ], "author": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Tue Jun 09 17:39:46 2026 +0200" }, "committer": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Tue Jun 09 17:39:47 2026 +0200" }, "message": "Merge branch \u0027bpf-enforce-btf-pointer-write-checks-for-global-args\u0027\n\nNuoqi Gui says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nbpf: Enforce BTF pointer write checks for global args\n\ncheck_mem_reg() verifies both read and write access when a caller passes\nmemory into a global subprogram. For PTR_TO_BTF_ID callers,\ncheck_helper_mem_access() currently always checks the access as BPF_READ.\n\nThat lets a tracing program pass a task_struct field pointer to a global\nsubprogram argument typed as writable memory. The direct field store is rejected\nwith \"only read is supported\", but the callee is validated with a generic\nwritable PTR_TO_MEM argument and can store through it.\n\nForward the requested access type into the PTR_TO_BTF_ID helper-access path and\nadd verifier coverage for the global-subprogram argument case.\n\nValidation (tested on bpf-next 8496d9020ff3):\n\n Without this series:\n direct BTF field store rejected with \"only read is supported\";\n global-subprogram candidate loaded, attached, and runtime-confirmed.\n\n With this series applied:\n direct BTF field store rejected with \"only read is supported\";\n global-subprogram candidate rejected with \"only read is supported\".\n\nSigned-off-by: Nuoqi Gui \u003cgnq25@mails.tsinghua.edu.cn\u003e\n---\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260609-f01-04-btf-writable-arg-v1-0-f449cd970669@mails.tsinghua.edu.cn\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\n" }, { "commit": "af8c3f170f7314d316023efc0ae670384e220b09", "tree": "2a62aaa899e85eae3f0d567e73ed73ceee025105", "parents": [ "fa75b7c85b0d2b6ab1c3ee0f06d35e2b98078c45" ], "author": { "name": "Nuoqi Gui", "email": "gnq25@mails.tsinghua.edu.cn", "time": "Tue Jun 09 22:43:51 2026 +0800" }, "committer": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Tue Jun 09 17:39:46 2026 +0200" }, "message": "selftests/bpf: Cover writable BTF field global subprog args\n\nAdd a verifier test for passing a BTF-backed task_struct field pointer to a\nglobal subprogram argument typed as writable memory.\n\nThe direct field store is already rejected.\nThe global subprogram path should be rejected too.\nThe callee must not lose the BTF pointer\u0027s read-only provenance.\nIt must not validate the argument as ordinary writable memory.\n\nSigned-off-by: Nuoqi Gui \u003cgnq25@mails.tsinghua.edu.cn\u003e\nLink: https://lore.kernel.org/bpf/20260609-f01-04-btf-writable-arg-v1-2-f449cd970669@mails.tsinghua.edu.cn\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\n" }, { "commit": "fa75b7c85b0d2b6ab1c3ee0f06d35e2b98078c45", "tree": "aadba537053403a1e02e2003d3ff9d8a01b3a78b", "parents": [ "dd0f9684d2f7d3f99aee63f5fa80562f2207b964" ], "author": { "name": "Nuoqi Gui", "email": "gnq25@mails.tsinghua.edu.cn", "time": "Tue Jun 09 22:43:50 2026 +0800" }, "committer": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Tue Jun 09 17:39:46 2026 +0200" }, "message": "bpf: Enforce write checks for BTF pointer helper access\n\ncheck_mem_reg() verifies both read and write access for global subprogram\nmemory arguments. When the caller register is PTR_TO_BTF_ID,\ncheck_helper_mem_access() currently forwards the access to\ncheck_ptr_to_btf_access() as BPF_READ regardless of the requested access\ntype.\n\nThis lets a BTF-backed kernel object field pointer pass the caller-side\nwritable memory check for a global subprogram argument. The callee is then\nvalidated with a generic writable PTR_TO_MEM argument and can store through\nit, even though an equivalent direct BTF field store is rejected with \"only\nread is supported\".\n\nForward the requested access type to check_ptr_to_btf_access().\nThis enforces existing BTF write restrictions for global subprogram memory\narguments as well.\n\nFixes: 3e30be4288b3 (\"bpf: Allow helpers access trusted PTR_TO_BTF_ID.\")\nSigned-off-by: Nuoqi Gui \u003cgnq25@mails.tsinghua.edu.cn\u003e\nLink: https://lore.kernel.org/bpf/20260609-f01-04-btf-writable-arg-v1-1-f449cd970669@mails.tsinghua.edu.cn\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\n" }, { "commit": "dd0f9684d2f7d3f99aee63f5fa80562f2207b964", "tree": "effd2772ec1a6ec1755abddc12c304ccbf3b191c", "parents": [ "b9452b594fd3aecbfd4aa0a6a1f741330a37dab7" ], "author": { "name": "Paul Moses", "email": "p@1g4.org", "time": "Tue Jun 09 05:08:54 2026 -0500" }, "committer": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Tue Jun 09 17:00:05 2026 +0200" }, "message": "selftests/bpf: Add BTF repeated field count overflow test\n\nAdd a raw BTF test that exercises repeated special-field expansion with a\nlarge array count. The compact element layout keeps the array byte size\nrepresentable while the repeated field count overflows the old u32 capacity\ncalculation in btf_repeat_fields().\n\nSigned-off-by: Paul Moses \u003cp@1g4.org\u003e\nLink: https://lore.kernel.org/bpf/SzebdWqm2zREZBf8Tc5Kc-JDWbh9nBztnk4PUu5kRSD1OOdr_ESVTt__2Hd3-lClr47jIjJCXfOH0RHsMpjjpEUh_R2v30nh3T1IXNT6Pbo\u003d@1g4.org\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\n" }, { "commit": "b9452b594fd3aecbfd4aa0a6a1f741330a37dab7", "tree": "236c6d571232b4827fa125455ba591be747f6387", "parents": [ "50dff00615522f3ec03449680ca23beb4cfc549c" ], "author": { "name": "Paul Moses", "email": "p@1g4.org", "time": "Fri Jun 05 23:43:09 2026 +0000" }, "committer": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Tue Jun 09 10:28:39 2026 +0200" }, "message": "bpf: Validate BTF repeated field counts before expansion\n\nbtf_parse_struct_metas() walks user-supplied BTF during BPF_BTF_LOAD,\nand btf_repeat_fields() expands repeatable fields from array elements\ninto the fixed BTF_FIELDS_MAX scratch array used by btf_parse_fields().\n\nThe remaining-capacity check performs the expanded field count calculation\nin u32. A malformed BTF can wrap that calculation, causing the check to\npass even when the expanded field count exceeds the scratch array\ncapacity. The following memcpy() can then write past the end of the\narray.\n\nUse checked addition and multiplication before copying repeated fields\nand reject impossible counts.\n\nFixes: 797d73ee232d (\"bpf: Check the remaining info_cnt before repeating btf fields\")\nCc: stable@vger.kernel.org\nSigned-off-by: Paul Moses \u003cp@1g4.org\u003e\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/bpf/20260605234301.1109063-1-p@1g4.org\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\n" }, { "commit": "50dff00615522f3ec03449680ca23beb4cfc549c", "tree": "aca2e2dfce3776afdcb5d65796a70b9891f4efe9", "parents": [ "af5cb68eed4030823c0940ad4b7e3d3b6a316b45" ], "author": { "name": "Sechang Lim", "email": "rhkrqnwk98@gmail.com", "time": "Mon Jun 08 05:00:00 2026 +0000" }, "committer": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Mon Jun 08 13:33:55 2026 +0200" }, "message": "bpf: Fix NULL pointer dereference in bpf_task_from_vpid()\n\nbpf_task_from_vpid() looks up a task in the pid namespace of the\ncurrent task, via find_task_by_vpid():\n\n find_task_by_vpid(vpid)\n find_task_by_pid_ns(vpid, task_active_pid_ns(current))\n find_pid_ns(nr, ns) -\u003e idr_find(\u0026ns-\u003eidr, nr)\n\ncgroup_skb programs run in softirq, which may interrupt a task that is\nitself in do_exit(). Once that task has passed\nexit_notify() -\u003e release_task() -\u003e __unhash_process(), its thread_pid is\ncleared, so task_active_pid_ns(current) returns NULL and find_pid_ns()\ndereferences \u0026NULL-\u003eidr:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000050\n RIP: 0010:idr_find+0x11/0x30 lib/idr.c:176\n Call Trace:\n \u003cIRQ\u003e\n find_pid_ns kernel/pid.c:370 [inline]\n find_task_by_pid_ns+0x3b/0xe0 kernel/pid.c:485\n bpf_task_from_vpid+0x5b/0x200 kernel/bpf/helpers.c:2916\n bpf_prog_run_array_cg+0x17e/0x530 kernel/bpf/cgroup.c:81\n __cgroup_bpf_run_filter_skb+0x12b/0x250 kernel/bpf/cgroup.c:1612\n sk_filter_trim_cap+0x1dc/0x4c0 net/core/filter.c:148\n tcp_v4_rcv+0x18d1/0x2200 net/ipv4/tcp_ipv4.c:2223\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n do_exit+0xa63/0x1270 kernel/exit.c:1010\n get_signal+0x141c/0x1530 kernel/signal.c:3037\n\nBail out when current has no pid namespace.\n\nFixes: 675c3596ff32 (\"bpf: Add bpf_task_from_vpid() kfunc\")\nSigned-off-by: Sechang Lim \u003crhkrqnwk98@gmail.com\u003e\nAcked-by: Leon Hwang \u003cleon.hwang@linux.dev\u003e\nLink: https://lore.kernel.org/bpf/20260608050001.2545245-1-rhkrqnwk98@gmail.com\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\n" }, { "commit": "af5cb68eed4030823c0940ad4b7e3d3b6a316b45", "tree": "61437a4d0d18b726a6ec2239c43feebf4762e005", "parents": [ "71385b78dbc290328e3b04ebd9b27786642afaca", "a3847994b4d20c0701ccc54fe110920ea78e73dc" ], "author": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Mon Jun 08 13:31:52 2026 +0200" }, "committer": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Mon Jun 08 13:33:17 2026 +0200" }, "message": "Merge branch \u0027keep-dynamic-inner-array-lookups-nullable\u0027\n\nNuoqi Gui says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nKeep dynamic inner array lookups nullable\n\nAn ARRAY_OF_MAPS can use an array created with BPF_F_INNER_MAP as its\ninner map template. The flag allows a concrete inner array with a\ndifferent max_entries value to replace the template.\n\nThe verifier currently uses the template\u0027s max_entries to elide\nnullness for a constant-key lookup through the inner map pointer. At\nruntime, the lookup uses the concrete inner array\u0027s max_entries instead.\nThe verifier can therefore accept an unchecked dereference even though\nthe runtime helper returns NULL.\n\nPatch 1 keeps lookups through BPF_F_INNER_MAP array templates nullable.\nPatch 2 adds a verifier regression test for the unchecked dereference.\n\nBefore the fix, the regression program is accepted and the runtime\nreproducer triggers a NULL dereference. With the fix, both programs are\nrejected with an invalid map_value_or_null access.\n\nTested by compiling kernel/bpf/verifier.o and\nverifier_map_in_map.bpf.o, and by running the regression program and\nruntime reproducer in QEMU before and after the fix.\n\nSigned-off-by: Nuoqi Gui \u003cgnq25@mails.tsinghua.edu.cn\u003e\nAcked-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\n---\nv1-\u003ev2:\n- Update the can_elide_value_nullness() comment to match the changed\n parameter (const struct bpf_map *map).\n\nv1: https://patch.msgid.link/20260604151153.2488051-1-gnq25@mails.tsinghua.edu.cn\n\nTo: Alexei Starovoitov \u003cast@kernel.org\u003e\nTo: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nTo: Andrii Nakryiko \u003candrii@kernel.org\u003e\nCc: Daniel Xu \u003cdxu@dxuuu.xyz\u003e\nCc: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nCc: John Fastabend \u003cjohn.fastabend@gmail.com\u003e\nCc: Martin KaFai Lau \u003cmartin.lau@linux.dev\u003e\nCc: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nCc: Song Liu \u003csong@kernel.org\u003e\nCc: Yonghong Song \u003cyonghong.song@linux.dev\u003e\nCc: Jiri Olsa \u003cjolsa@kernel.org\u003e\nCc: Shuah Khan \u003cshuah@kernel.org\u003e\nCc: Ihor Solodrai \u003cisolodrai@meta.com\u003e\nCc: bpf@vger.kernel.org\nCc: linux-kernel@vger.kernel.org\nCc: linux-kselftest@vger.kernel.org\n\n---\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260607-f01-v2-v2-0-da48453146e8@mails.tsinghua.edu.cn\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\n" }, { "commit": "a3847994b4d20c0701ccc54fe110920ea78e73dc", "tree": "61437a4d0d18b726a6ec2239c43feebf4762e005", "parents": [ "53040a81ae57cdca8af8ac36fe4e661730cf7c6b" ], "author": { "name": "Nuoqi Gui", "email": "gnq25@mails.tsinghua.edu.cn", "time": "Sun Jun 07 21:24:14 2026 +0800" }, "committer": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Mon Jun 08 13:33:10 2026 +0200" }, "message": "selftests/bpf: Cover dynamic inner array lookup nullability\n\nAdd a verifier regression test that looks up a constant key through a\ndynamic inner array template and dereferences the result without a NULL\ncheck.\n\nThe verifier must reject the program because BPF_F_INNER_MAP allows the\nconcrete runtime array to have fewer entries than the template.\n\nSigned-off-by: Nuoqi Gui \u003cgnq25@mails.tsinghua.edu.cn\u003e\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nAcked-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/bpf/20260607-f01-v2-v2-2-da48453146e8@mails.tsinghua.edu.cn\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\n" }, { "commit": "53040a81ae57cdca8af8ac36fe4e661730cf7c6b", "tree": "f3f92cb0731f565923b00a940f83132c79a815e0", "parents": [ "71385b78dbc290328e3b04ebd9b27786642afaca" ], "author": { "name": "Nuoqi Gui", "email": "gnq25@mails.tsinghua.edu.cn", "time": "Sun Jun 07 21:24:13 2026 +0800" }, "committer": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Mon Jun 08 13:32:52 2026 +0200" }, "message": "bpf: Keep dynamic inner array lookups nullable\n\nAn ARRAY_OF_MAPS can use an array created with BPF_F_INNER_MAP as its\ninner map template. A concrete inner array with a different max_entries\nvalue can then replace the template.\n\nAfter a successful outer map lookup, the verifier represents the\nresulting map pointer using the inner map template. Const-key lookup\nnullness elision consequently uses the template max_entries even though\nthe runtime helper uses the concrete inner map max_entries.\n\nDo not elide lookup result nullness for maps marked with BPF_F_INNER_MAP,\nbecause the template max_entries does not prove that the key is in bounds\nfor the concrete runtime map.\n\nFixes: d2102f2f5d75 (\"bpf: verifier: Support eliding map lookup nullness\")\nSigned-off-by: Nuoqi Gui \u003cgnq25@mails.tsinghua.edu.cn\u003e\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nAcked-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nCc: stable@vger.kernel.org\nLink: https://lore.kernel.org/bpf/20260607-f01-v2-v2-1-da48453146e8@mails.tsinghua.edu.cn\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\n" }, { "commit": "71385b78dbc290328e3b04ebd9b27786642afaca", "tree": "6d5729e1a44a9b8427202db74a145016eace4831", "parents": [ "63a6f3bc62308a491c63d0de1c537d7c9bc60859" ], "author": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Sun Jun 07 21:25:47 2026 -1000" }, "committer": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Mon Jun 08 13:30:01 2026 +0200" }, "message": "arm64: mm: Complete the PTE store in ptep_try_set()\n\nptep_try_set() installs a kernel PTE with try_cmpxchg() but, unlike\n__set_pte(), skips the barriers that arm64 requires after writing a valid\nkernel PTE. Without them a subsequent access can fault instead of seeing\nthe new mapping.\n\nIssue them with emit_pte_barriers() rather than __set_pte_complete().\nptep_try_set() must finish the store before it returns, but\n__set_pte_complete() would defer the barriers when the calling context is in\nlazy MMU mode.\n\nv2: Emit the barriers directly instead of __set_pte_complete(). (Catalin)\n\nFixes: 258df8fce42f (\"mm: Add ptep_try_set() for lockless empty-slot installs\")\nSuggested-by: Catalin Marinas \u003ccatalin.marinas@arm.com\u003e\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nReviewed-by: Catalin Marinas \u003ccatalin.marinas@arm.com\u003e\nLink: https://lore.kernel.org/all/aiRFcz78QTZdIHHB@arm.com/\nLink: https://lore.kernel.org/bpf/7f5f7c94601312c1a401fb18998291cc@kernel.org\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\n" }, { "commit": "63a6f3bc62308a491c63d0de1c537d7c9bc60859", "tree": "1e06bc2ffa13d72ff5eef491068daf7d9eb868b8", "parents": [ "1444ee886e6fedf20b9c5bc74a273c6b7d100fdc", "6e1e4a9d60edb0e12d373fb6f2b55d90d20a363b" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 18:46:13 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 18:46:20 2026 -0700" }, "message": "Merge branch \u0027bpf-fix-lru-nmi-tracepoint-re-entry-deadlock\u0027\n\nMykyta Yatsenko says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nbpf: Fix LRU NMI/tracepoint re-entry deadlock\n\nThis series fixes AA-deadlocks where NMI and tracepoint BPF programs\nre-enter the per-CPU or global LRU lock already held on the same CPU\n(syzbot c69a0a2c816716f1e0d5, 18b26edb69b2e19f3b33).\n\nPatch 1 converts every LRU lock site to rqspinlock_t\nand adds explicit recovery for some failures so no node leaks.\n\nPatch 2 refreshes Documentation/bpf/map_lru_hash_update.dot to show\nthe new rqspinlock failure exits and recovery routes.\n\nPatch 3 introduces a stress test.\n\nSigned-off-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\n---\nChanges in v3:\n- Removed RFC tag\n- Link to v2: https://patch.msgid.link/20260603-lru_map_spin-v2-0-7060cfb6cdac@meta.com\n\nChanges in v2:\n- Patch 1: __bpf_lru_node_move_in() now clears pending_free only when\n moving to the FREE list.\n- Patch 3: address sashiko\u0027s feedback.\n- Link to v1: https://patch.msgid.link/20260528-lru_map_spin-v1-0-4f52223170cf@meta.com\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260607-lru_map_spin-v3-0-bcd9332e911b@meta.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "6e1e4a9d60edb0e12d373fb6f2b55d90d20a363b", "tree": "1e06bc2ffa13d72ff5eef491068daf7d9eb868b8", "parents": [ "8f6802d26d96ef424fc9fc9e2e68c43b6cf0fa59" ], "author": { "name": "Mykyta Yatsenko", "email": "yatsenko@meta.com", "time": "Sun Jun 07 13:30:43 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 18:46:13 2026 -0700" }, "message": "selftests/bpf: Stress LRU rqspinlock recovery paths\n\nIntroduces stress test for bpf_lru_list that exercises\nlock-failures and orphan-recovery, added by the LRU rqspinlock\nconversion.\n\nRuns three subtests: common LRU, per-CPU LRU lists (BPF_F_NO_COMMON_LRU),\nand per-CPU LRU map. Each pins one userspace hammer per CPU and attaches\nthe perf_event NMI BPF prog (update+delete mix) on every online CPU.\nPre-fix, lockdep fires the \"INITIAL USE -\u003e IN-NMI\" splat during stress.\n\nAfter stress test, drain_then_verify_capacity() drains every key\nand refills the lru map.\nA stranded node on any CPU\u0027s pool would have forced eviction of\na just-inserted key on that CPU, surfacing here as a missing lookup.\n\nMarked serial_ because per-CPU pinning and high-rate HW perf events\nwould perturb parallel tests.\n\nSigned-off-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nLink: https://lore.kernel.org/r/20260607-lru_map_spin-v3-3-bcd9332e911b@meta.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "8f6802d26d96ef424fc9fc9e2e68c43b6cf0fa59", "tree": "fa50e90ddc7f99ff0d3debfc58b13f78c842a8e1", "parents": [ "89edbdfc5d0308cef57b71359331de5c4ddbf763" ], "author": { "name": "Mykyta Yatsenko", "email": "yatsenko@meta.com", "time": "Sun Jun 07 13:30:42 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 18:46:13 2026 -0700" }, "message": "Documentation/bpf: Refresh map_lru_hash_update.dot for rqspinlock\n\nReflect the rqspinlock conversion and orphan-recovery paths added in\nthe previous commit:\n\n - All LRU locks are rqspinlock_t; any acquire can fail (AA or\n timeout). A shared \"rqspinlock acquire failed\" terminal collapses\n to the existing -ENOMEM exit. Dashed arrows from each acquire site\n mark the failure paths.\n\n - The per-CPU local freelist is now lockless (free_llist).\n\n - Post-steal: re-acquiring loc_l-\u003elock to insert the stolen node\n into the local pending list can fail; on failure the node is\n published to free_llist instead of being orphaned, and the call\n returns -ENOMEM.\n\n - Steal-loop victim lock failure is silent: skip the victim and try\n the next CPU.\n\nSigned-off-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nLink: https://lore.kernel.org/r/20260607-lru_map_spin-v3-2-bcd9332e911b@meta.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "89edbdfc5d0308cef57b71359331de5c4ddbf763", "tree": "ecfc5f0f51192bb2207adaa249723b527a154be6", "parents": [ "1444ee886e6fedf20b9c5bc74a273c6b7d100fdc" ], "author": { "name": "Mykyta Yatsenko", "email": "yatsenko@meta.com", "time": "Sun Jun 07 13:30:41 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 18:46:13 2026 -0700" }, "message": "bpf: Fix NMI/tracepoint re-entry deadlock on lru locks\n\nNMI and tracepoint BPF programs can re-enter the per-CPU or global\nLRU lock that bpf_lru_pop_free()/push_free() already hold on the\nsame CPU, AA-deadlocking. Lockdep reports \"inconsistent\n{INITIAL USE} -\u003e {IN-NMI}\" on \u0026l-\u003elock (syzbot c69a0a2c816716f1e0d5)\nand \"possible recursive locking detected\" on \u0026loc_l-\u003elock (syzbot\n18b26edb69b2e19f3b33).\n\nPrior trylock and rqspinlock based fixes (see links) were nacked\nbecause compromised on reliability.\n\nThis patch converts every LRU lock site to rqspinlock_t and adds a\nrecovery path for some failure windows to avoid node leaks.\n\nFailure recovery:\n\n - *_pop_free top-level: return NULL; prealloc_lru_pop() already\n treats that as no-free-element (-ENOMEM).\n\n - Cross-CPU steal: skip the victim\u0027s locked loc_l, try next CPU.\n\n - Post-steal local lock fail: publish stolen node to lockless\n per-CPU free_llist; next pop on this CPU picks it up.\n\n - push_free fail: mark node pending_free\u003d1. __local_list_flush(),\n __local_list_pop_pending() reclaim the node from pending_list.\n __bpf_lru_list_shrink_inactive() reclaims the node from inactive\n list. Nodes from active list are reclaimed by __bpf_lru_list_shrink()\n or after __bpf_lru_list_rotate_active() demotes it to the inactive.\n\nFixes: 3a08c2fd7634 (\"bpf: LRU List\")\nReported-by: syzbot+c69a0a2c816716f1e0d5@syzkaller.appspotmail.com\nCloses: https://syzkaller.appspot.com/bug?extid\u003dc69a0a2c816716f1e0d5\nReported-by: syzbot+18b26edb69b2e19f3b33@syzkaller.appspotmail.com\nCloses: https://syzkaller.appspot.com/bug?extid\u003d18b26edb69b2e19f3b33\nLink: https://lore.kernel.org/bpf/CAPPBnEYO4R+m+SpVc2gNj_x31R6fo1uJvj2bK2YS1P09GWT6kQ@mail.gmail.com/\nLink: https://lore.kernel.org/bpf/CAPPBnEZmFA3ab8Uc\u003dPEm0bdojZy\u003d7T_F5_+eyZSHyZR3MBG4Vw@mail.gmail.com/\nLink: https://lore.kernel.org/bpf/20251030030010.95352-1-dongml2@chinatelecom.cn/\nLink: https://lore.kernel.org/bpf/20260119142120.28170-1-leon.hwang@linux.dev/\nSigned-off-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nLink: https://lore.kernel.org/r/20260607-lru_map_spin-v3-1-bcd9332e911b@meta.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "1444ee886e6fedf20b9c5bc74a273c6b7d100fdc", "tree": "ea4266cf4f09bbc002e340137c650871afa29b8a", "parents": [ "c49f336dbcf30ff8622d3725c54fe1c90e8ccd9c" ], "author": { "name": "Mykyta Yatsenko", "email": "yatsenko@meta.com", "time": "Sat Jun 06 10:30:32 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 12:36:13 2026 -0700" }, "message": "rhashtable: Fix rhashtable_next_key() build warnings\n\nrhashtable.o builds with warnings as rhashtable_next_key() kdoc\nfrom lib/rhashtable.c does not have the arguments descriptions.\n\nMove rhashtable_next_key() kdoc from header to c file, matching\nother functions.\n\nMove rhashtable_next_key() next to the other forward declarations\nin the header file.\n\nReported-by: kernel test robot \u003clkp@intel.com\u003e\nCloses: https://lore.kernel.org/oe-kbuild-all/202606061925.WI4bYI8k-lkp@intel.com/\nFixes: 8f4fa9f89b72 (\"rhashtable: Add rhashtable_next_key() API\")\nSigned-off-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nLink: https://lore.kernel.org/r/20260606-rhash_fixes_1-v1-1-932ab036e6bc@meta.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "c49f336dbcf30ff8622d3725c54fe1c90e8ccd9c", "tree": "32c71ce153aaeecfe26cadafdf9592a396af93d4", "parents": [ "5b038319be442c620f774e6fc9e9283deeca1c75", "b349efe49a123f032e54d7e894d708ea5daa10d2" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:03 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 11:03:05 2026 -0700" }, "message": "Merge branch \u0027bpf-tracing_multi-link\u0027\n\nJiri Olsa says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nbpf: tracing_multi link\n\nAdd tracing_multi link support that allows fast attachment\nof tracing program to many functions.\n\nRFC: https://lore.kernel.org/bpf/20260203093819.2105105-1-jolsa@kernel.org/\nv1: https://lore.kernel.org/bpf/20260220100649.628307-1-jolsa@kernel.org/\nv2: https://lore.kernel.org/bpf/20260304222141.497203-1-jolsa@kernel.org/\nv3: https://lore.kernel.org/bpf/20260316075138.465430-1-jolsa@kernel.org/\nv4: https://lore.kernel.org/bpf/20260324081846.2334094-1-jolsa@kernel.org/\nv5: https://lore.kernel.org/bpf/20260417192502.194548-1-jolsa@kernel.org/\nv6: https://lore.kernel.org/bpf/20260527113951.46265-1-jolsa@kernel.org/\nv7: https://lore.kernel.org/bpf/20260603110554.29590-1-jolsa@kernel.org/\n\nv8 changes:\n- add back the btf_is_union check to btf_get_type_size [sashiko]\n\nv7 changes:\n- added ftrace_hash_count stub for !CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS cade [sashiko]\n- selftests fixes [sashiko]\n- use hash_ptr in select_trampoline_lock [sashiko]\n- changed the check duplicate logic in check_dup_ids [sashiko]\n- use sort_r_nonatomic in check_dup_ids [sashiko]\n- added BPF_TRACE_FSESSION_MULTI to can_be_sleepable,\n plus added testcase for sleepable fsession\n- make bpf_tracing_multi_opts pointer fields as const\n- add ___migrate_enable to trace_blacklist\n\nv6 changes:\n- move ftrace_hash_count declaration under CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS [sashiko]\n- fix ftrace_hash_remove check/deref [sashiko]\n- disable context access for multi programs by using stub function with no arguments\n for verification [sashiko]\n- add __used for bpf_multi_func, and removed arguments, we do not allow direct access [sashiko]\n- rebased on latest loongarch changes, fix ppc build\n- guard update_ftrace_direct_del with ftrace_hash_count on rollback [sashiko]\n- fix noreturn attachment condition in bpf_check_attach_btf_id_multi [sashiko]\n- fail early on multiple same IDs provided by user [sashiko]\n- fix selftests error paths [sashiko]\n- add MAX_RESOLVE_DEPTH check to btf_get_type_size [sashiko]\n- use btf__pointer_size [sashiko]\n- fixed compilation on powerpc [sashiko]\n- added verifier fails selftest\n- after discussing with Song, it was determined that cleaning up FTRACE_OPS_CMD_DISABLE_SHARE_IPMODIFY_PEER\n is not strictly necessary — keeping the trampoline in the ipmodify_enabled state is acceptable.\n The race condition this introduces remains unlikely, so the concern raised in [1] will not be\n addressed at this time.\n [1] https://lore.kernel.org/bpf/aec7bAbGlnEo3R1g@krava/\n\nv5 changes:\n- add dedicated hashes used for detach, so there\u0027s no need to allocate\n them on detach [sashiko]\n- safely release old trampoline images [sashiko]\n- add cond_resched() to couple of loops [sashiko]\n- validate attr-\u003elink_create.target_fd [sashiko]\n- allow only bpf_get_func_ret() for return value retrieval [sashiko]\n- do not allow attachment of fexit/fsession_multi for noreturn functions [sashiko]\n- fixed double free/close in libbpf btf cleanup, in separate patch [sashiko]\n- make btf_type_is_traceable_func closer to btf_distill_func_proto [sashiko]\n- add prog-\u003eattach_btf_obj_fd check to collect_func_ids_by_glob,\n to check we don\u0027t load module programs for kernel [sashiko]\n- make sure program is loaded in bpf_program__attach_tracing_multi [sashiko]\n- several selftests fixes [sashiko]\n- add attach_type to fdinfo output [Leon Hwang]\n- selftests cleanup fixes [Leon Hwang]\n\nv4 changes:\n- unlink rollback fix (added ftrace_hash_count) [bot]\n- use const for some bpf_link_create_opts tracing_multi members [bot]\n- adding missing comment for lockdep keys [bot]\n- selftest error path fixes (leaks) and other assorted test fixes [Leon Hwang]\n- several compile fixes wrt CONFIG_BPF_SYSCALL and CONFIG_BPF_JIT [kernel test robot]\n- make ftrace_hash_clear global, because it\u0027s needed in rollback\n\nv3 changes:\n- fix module parsing [Leon Hwang]\n- use function traceable check from libbpf [Leon Hwang]\n- use ptr_to_u64 and fix/updated few comments [ci]\n- display cookies as decimal numbers [ci]\n- added link_create.flags check [ci]\n- fix error path in bpf_trampoline_multi_detach [ci]\n- make fentry/fexit.multi not extendable [ci]\n- add missing OPTS_VALID to bpf_program__attach_tracing_multi [ci]\n\nv2 changes:\n- allocate data.unreg in bpf_trampoline_multi_attach for rollback path [ci]\n and fixed link count setup in rollback path [ci]\n- several small assorted fixes [ci]\n- added loongarch and powerpc changes for struct bpf_tramp_node change\n- added support to attach functions from modules\n- added tests for sleepable programs\n- added rollback tests\n\nv1 changes:\n- added ftrace_hash_count as wrapper for hash_count [Steven]\n- added trampoline mutex pool [Andrii]\n- reworked \u0027struct bpf_tramp_node\u0027 separatoin [Andrii]\n - the \u0027struct bpf_tramp_node\u0027 now holds pointer to bpf_link,\n which is similar to what we do for uprobe_multi;\n I understand it\u0027s not a fundamental change compared to previous\n version which used bpf_prog pointer instead, but I don\u0027t see better\n way of doing this.. I\u0027m happy to discuss this further if there\u0027s\n better idea\n- reworked \u0027struct bpf_fsession_link\u0027 based on bpf_tramp_node\n- made btf__find_by_glob_kind function internal helper [Andrii]\n- many small assorted fixes [Andrii,CI]\n- added session support [Leon Hwang]\n- added cookies support\n- added more tests\n\nNote I plan to send linkinfo support separately, the patchset is big enough.\n\nthanks,\njirka\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260606123955.345967-1-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "b349efe49a123f032e54d7e894d708ea5daa10d2", "tree": "32c71ce153aaeecfe26cadafdf9592a396af93d4", "parents": [ "4db8f60b6baf64f4f405bc8eb92a36315b353481" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:54 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 11:03:05 2026 -0700" }, "message": "selftests/bpf: Add tracing multi attach rollback tests\n\nAdding tests for the rollback code when the tracing_multi\nlink won\u0027t get attached, covering 2 reasons:\n\n - wrong btf id passed by user, where all previously allocated\n trampolines will be released\n - trampoline for requested function is fully attached (has already\n maximum programs attached) and the link fails, the rollback code\n needs to release all previously link-ed trampolines and release\n them\n\nWe need the bpf_fentry_test* unattached for the tests to pass,\nso the rollback tests are serial.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-30-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "4db8f60b6baf64f4f405bc8eb92a36315b353481", "tree": "ac9973f0ec59be94f0a25438e5736451c3bdf768", "parents": [ "443c91d08c4bf48caeab6243edaca4e987573d8a" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:53 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 11:02:04 2026 -0700" }, "message": "selftests/bpf: Add tracing multi attach benchmark test\n\nAdding benchmark test that attaches to (almost) all allowed tracing\nfunctions and display attach/detach times.\n\n # ./test_progs -t tracing_multi_bench_attach -v\n bpf_testmod.ko is already unloaded.\n Loading bpf_testmod.ko...\n Successfully loaded bpf_testmod.ko.\n serial_test_tracing_multi_bench_attach:PASS:btf__load_vmlinux_btf 0 nsec\n serial_test_tracing_multi_bench_attach:PASS:tracing_multi_bench__open_and_load 0 nsec\n serial_test_tracing_multi_bench_attach:PASS:get_syms 0 nsec\n serial_test_tracing_multi_bench_attach:PASS:bpf_program__attach_tracing_multi 0 nsec\n serial_test_tracing_multi_bench_attach: found 51186 functions\n serial_test_tracing_multi_bench_attach: attached in 1.295s\n serial_test_tracing_multi_bench_attach: detached in 0.243s\n #507 tracing_multi_bench_attach:OK\n Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED\n Successfully unloaded bpf_testmod.ko.\n\nExporting skip_entry as is_unsafe_function and using it in the test.\n\nAlso updating trace_blacklist with ___migrate_enable to be in sync\nwith kernel functions deny list.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-29-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "443c91d08c4bf48caeab6243edaca4e987573d8a", "tree": "6f6202270087e05c866f9faaa5347180fe7176aa", "parents": [ "1fd8328549979d96540252fa826481df93885a5a" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:52 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:03 2026 -0700" }, "message": "selftests/bpf: Add tracing multi verifier fails test\n\nAdding tests for verifier fails on tracing multi programs.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-28-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "1fd8328549979d96540252fa826481df93885a5a", "tree": "1af1c95233f7a262072040433d8eb08d6283a526", "parents": [ "69f25d4b0c17cc947ce26391cac0015182b07dc0" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:51 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:03 2026 -0700" }, "message": "selftests/bpf: Add tracing multi attach fails test\n\nAdding tests for attach fails on tracing multi link.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-27-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "69f25d4b0c17cc947ce26391cac0015182b07dc0", "tree": "a8bb799f72cdbc307efc38150be959ae2af7eedb", "parents": [ "1b938f42f5fa1789d0dcc2b9aa6262edba3a7f51" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:50 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:03 2026 -0700" }, "message": "selftests/bpf: Add tracing multi session test\n\nAdding tests for tracing multi link session.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-26-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "1b938f42f5fa1789d0dcc2b9aa6262edba3a7f51", "tree": "dea839de1c07231d1717272d6c77e6db14d1ebbc", "parents": [ "4309f580a0a6608bd0c0fe090ef5283173ff4f1a" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:49 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:02 2026 -0700" }, "message": "selftests/bpf: Add tracing multi cookies test\n\nAdding tests for using cookies on tracing multi link.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-25-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "4309f580a0a6608bd0c0fe090ef5283173ff4f1a", "tree": "6e74597ef62f157b634abf64c11c7f0c1a40042a", "parents": [ "2863f074f146adf7f63bd567de05ae03fad64a01" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:48 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:02 2026 -0700" }, "message": "selftests/bpf: Add tracing multi intersect tests\n\nAdding tracing multi tests for intersecting attached functions.\n\nUsing bits from (from 1 to 16 values) to specify (up to 4) attached\nprograms, and randomly choosing bpf_fentry_test* functions they are\nattached to.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-24-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "2863f074f146adf7f63bd567de05ae03fad64a01", "tree": "2dd06fd18ce6ab5f6102b9a589de0aee0bd98cb8", "parents": [ "2922dd58413cd9a7d9cbe029e7d60f3bc432c553" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:47 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:02 2026 -0700" }, "message": "selftests/bpf: Add tracing multi skel/pattern/ids module attach tests\n\nAdding tests for tracing_multi link attachment via all possible\nlibbpf apis - skeleton, function pattern and btf ids on top of\nbpf_testmod kernel module.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-23-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "2922dd58413cd9a7d9cbe029e7d60f3bc432c553", "tree": "7e46d7384efb924d6ac34ba7773d0296940adf49", "parents": [ "f2aa370dfe571abf51631c1ac27bb58d5d0e3466" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:46 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:02 2026 -0700" }, "message": "selftests/bpf: Add tracing multi skel/pattern/ids attach tests\n\nAdding tests for tracing_multi link attachment via all possible\nlibbpf apis - skeleton, function pattern and btf ids.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-22-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "f2aa370dfe571abf51631c1ac27bb58d5d0e3466", "tree": "7ea5f15ff121dc70224bc455ed484f59f01c2e4f", "parents": [ "616a93b473a6ab33494db27057f8a413f375ac4f" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:45 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:02 2026 -0700" }, "message": "libbpf: Add support to create tracing multi link\n\nAdding bpf_program__attach_tracing_multi function for attaching\ntracing program to multiple functions.\n\n struct bpf_link *\n bpf_program__attach_tracing_multi(const struct bpf_program *prog,\n const char *pattern,\n const struct bpf_tracing_multi_opts *opts);\n\nUser can specify functions to attach with \u0027pattern\u0027 argument that\nallows wildcards (*?\u0027 supported) or provide BTF ids of functions\nin array directly via opts argument. These options are mutually\nexclusive.\n\nWhen using BTF ids, user can also provide cookie value for each\nprovided id/function, that can be retrieved later in bpf program\nwith bpf_get_attach_cookie helper. Each cookie value is paired with\nprovided BTF id with the same array index.\n\nAdding support to auto attach programs with following sections:\n\n fsession.multi/\u003cpattern\u003e\n fsession.multi.s/\u003cpattern\u003e\n fentry.multi/\u003cpattern\u003e\n fexit.multi/\u003cpattern\u003e\n fentry.multi.s/\u003cpattern\u003e\n fexit.multi.s/\u003cpattern\u003e\n\nThe provided \u003cpattern\u003e is used as \u0027pattern\u0027 argument in\nbpf_program__attach_kprobe_multi_opts function.\n\nThe \u003cpattern\u003e allows to specify optional kernel module name with\nfollowing syntax:\n\n \u003cmodule\u003e:\u003cfunction_pattern\u003e\n\nIn order to attach tracing_multi link to a module functions:\n- program must be loaded with \u0027module\u0027 btf fd\n (in attr::attach_btf_obj_fd)\n- bpf_program__attach_tracing_multi must either have\n pattern with module spec or BTF ids from the module\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-21-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "616a93b473a6ab33494db27057f8a413f375ac4f", "tree": "bfa6d52861fc3247f0edf89846a6182d5b696c4e", "parents": [ "630e85a9f0056a7534601ed1ec2532d6ac85b7d7" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:44 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:02 2026 -0700" }, "message": "libbpf: Add btf_type_is_traceable_func function\n\nAdding btf_type_is_traceable_func function to perform same checks\nas the kernel\u0027s btf_distill_func_proto function to prevent attachment\non some of the functions.\n\nExporting the function via libbpf_internal.h because it will be used\nby benchmark test in following changes.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-20-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "630e85a9f0056a7534601ed1ec2532d6ac85b7d7", "tree": "75d3e530785fb452cf9eadfbe64138878b462b5b", "parents": [ "fe9c8cb2b52b455149d363bbca0fc3648ba0cea6" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:43 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:02 2026 -0700" }, "message": "libbpf: Add bpf_link_create support for tracing_multi link\n\nAdding bpf_link_create support for tracing_multi link with\nnew tracing_multi record in struct bpf_link_create_opts.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-19-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "fe9c8cb2b52b455149d363bbca0fc3648ba0cea6", "tree": "32c2fd007a622d7ca86fe229697005015385a91e", "parents": [ "8abecdafd57553c053bb68db47ed32a54972d5f4" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:42 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:02 2026 -0700" }, "message": "libbpf: Add bpf_object_cleanup_btf function\n\nAdding bpf_object_cleanup_btf function to cleanup btf objects.\nIt will be used in following changes.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-18-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "8abecdafd57553c053bb68db47ed32a54972d5f4", "tree": "22babda10d23566392d13b4d2bde8697b862556e", "parents": [ "ba042ed6446fc524c1d804227765b45616f9cba3" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:41 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:02 2026 -0700" }, "message": "bpf: Add support for tracing_multi link fdinfo\n\nAdding tracing_multi link fdinfo support with following output:\n\npos: 0\nflags: 02000000\nmnt_id: 19\nino: 3087\nlink_type: tracing_multi\nlink_id: 9\nprog_tag: 599ba0e317244f86\nprog_id: 94\nattach_type: 59\ncnt: 10\nobj-id btf-id cookie func\n1 91593 8 bpf_fentry_test1+0x4/0x10\n1 91595 9 bpf_fentry_test2+0x4/0x10\n1 91596 7 bpf_fentry_test3+0x4/0x20\n1 91597 5 bpf_fentry_test4+0x4/0x20\n1 91598 4 bpf_fentry_test5+0x4/0x20\n1 91599 2 bpf_fentry_test6+0x4/0x20\n1 91600 3 bpf_fentry_test7+0x4/0x10\n1 91601 1 bpf_fentry_test8+0x4/0x10\n1 91602 10 bpf_fentry_test9+0x4/0x10\n1 91594 6 bpf_fentry_test10+0x4/0x10\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-17-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "ba042ed6446fc524c1d804227765b45616f9cba3", "tree": "0bd500b29f204abb300a5a061ffaca3c84038732", "parents": [ "46b42af27d40021a97c147d23de8cb29eb5020df" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:40 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:01 2026 -0700" }, "message": "bpf: Add support for tracing_multi link session\n\nAdding support to use session attachment with tracing_multi link.\n\nAdding new BPF_TRACE_FSESSION_MULTI program attach type, that follows\nthe BPF_TRACE_FSESSION behaviour but on the tracing_multi link.\n\nSuch program is called on entry and exit of the attached function\nand allows to pass cookie value from entry to exit execution.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-16-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "46b42af27d40021a97c147d23de8cb29eb5020df", "tree": "9a230aa73f01f5e5919632beb76ac70e003b86a7", "parents": [ "c1d32dea5d4694c1a6c14d1d1c3192d0e18ffc7b" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:39 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:01 2026 -0700" }, "message": "bpf: Add support for tracing_multi link cookies\n\nAdd support to specify cookies for tracing_multi link.\n\nCookies are provided in array where each value is paired with provided\nBTF ID value with the same array index.\n\nSuch cookie can be retrieved by bpf program with bpf_get_attach_cookie\nhelper call.\n\nWe need to sort cookies array together with ids array in check_dup_ids,\nto keep the id-\u003ecookie relation.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-15-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "c1d32dea5d4694c1a6c14d1d1c3192d0e18ffc7b", "tree": "ce3deb1d130e13e5ff067b72451975140b63e41e", "parents": [ "aef4dfa790b22d8052cfb78044eadbe03c876c39" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:38 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:01 2026 -0700" }, "message": "bpf: Add support for tracing multi link\n\nAdding new link to allow to attach program to multiple function\nBTF IDs. The link is represented by struct bpf_tracing_multi_link.\n\nTo configure the link, new fields are added to bpf_attr::link_create\nto pass array of BTF IDs;\n\n struct {\n __aligned_u64 ids;\n __u32 cnt;\n } tracing_multi;\n\nEach BTF ID represents function (BTF_KIND_FUNC) that the link will\nattach bpf program to.\n\nWe use previously added bpf_trampoline_multi_attach/detach functions\nto attach/detach the link.\n\nThe linkinfo/fdinfo callbacks will be implemented in following changes.\n\nNote this is supported only for archs (x86_64) with ftrace direct and\nhave single ops support.\n\n CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS \u0026\u0026\n CONFIG_HAVE_SINGLE_FTRACE_DIRECT_OPS\n\nNote using sort_r (instead of plain sort) in check_dup_ids, because we\nwill use the swap callback in following changes.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-14-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "aef4dfa790b22d8052cfb78044eadbe03c876c39", "tree": "6fbaa1b10f87119bd82947549d566e7f9b9d2b5a", "parents": [ "bd06659d3b8abe7a79ae473209ee89bf3a23af36" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:37 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:01 2026 -0700" }, "message": "bpf: Add bpf_trampoline_multi_attach/detach functions\n\nAdding bpf_trampoline_multi_attach/detach functions that allows to\nattach/detach tracing program to multiple functions/trampolines.\n\nThe attachment is defined with bpf_program and array of BTF ids of\nfunctions to attach the bpf program to.\n\nAdding bpf_tracing_multi_link object that holds all the attached\ntrampolines and is initialized in attach and used in detach.\n\nThe attachment allocates or uses currently existing trampoline\nfor each function to attach and links it with the bpf program.\n\nThe attach works as follows:\n- we get all the needed trampolines\n- lock them and add the bpf program to each (__bpf_trampoline_link_prog)\n- the trampoline_multi_ops passed in __bpf_trampoline_link_prog gathers\n ftrace_hash (ip -\u003e trampoline) objects\n- we call update_ftrace_direct_add/mod to update needed locations\n- we unlock all the trampolines\n\nThe detach works as follows:\n- we lock all the needed trampolines\n- remove the program from each (__bpf_trampoline_unlink_prog)\n- the trampoline_multi_ops passed in __bpf_trampoline_unlink_prog gathers\n ftrace_hash (ip -\u003e trampoline) objects\n- we call update_ftrace_direct_del/mod to update needed locations\n- we unlock and put all the trampolines\n\nWe store the old image/flags in the trampoline before the update\nand use it in case we need to rollback the attachment.\n\nWe keep the ftrace_hash objects allocated during attach in the link\nso they can be used for detach as well.\n\nAdding trampoline_(un)lock_all functions to (un)lock all trampolines\nto gate the tracing_multi attachment.\n\nNote this is supported only for archs (x86_64) with ftrace direct and\nhave single ops support.\n\n CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS \u0026\u0026\n CONFIG_HAVE_SINGLE_FTRACE_DIRECT_OPS\n\nIt also needs CONFIG_BPF_SYSCALL enabled.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-13-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "bd06659d3b8abe7a79ae473209ee89bf3a23af36", "tree": "4ae2e1d611172591bb2f835e2b420bf5d4c85300", "parents": [ "d14e6b4346bf397eca7cb5f4b7b0b8054be632d8" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:36 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:01 2026 -0700" }, "message": "bpf: Move sleepable verification code to btf_id_allow_sleepable\n\nMove sleepable verification code to btf_id_allow_sleepable function.\nIt will be used in following changes.\n\nAdding code to retrieve type\u0027s name instead of passing it from\nbpf_check_attach_target function, because this function will be\ncalled from another place in following changes and it\u0027s easier\nto retrieve the name directly in here.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-12-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "d14e6b4346bf397eca7cb5f4b7b0b8054be632d8", "tree": "d545fcaa1bf11283dffb30c3398690f9e8009515", "parents": [ "880db5d4abb29e931d82b9feefb4382f76fcf9e5" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:35 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:01 2026 -0700" }, "message": "bpf: Add multi tracing attach types\n\nAdding new program attach types multi tracing attachment:\n BPF_TRACE_FENTRY_MULTI\n BPF_TRACE_FEXIT_MULTI\n\nand their base support in verifier code.\n\nPrograms with such attach type will use specific link attachment\ninterface coming in following changes.\n\nThis was suggested by Andrii some (long) time ago and turned out\nto be easier than having special program flag for that.\n\nBpf programs with such types have \u0027bpf_multi_func\u0027 function set as\ntheir attach_btf_id and keep module reference when it\u0027s specified\nby attach_prog_fd.\n\nThey are also accepted as sleepable programs during verification,\nand the real validation for specific BTF_IDs/functions will happen\nduring the multi link attachment in following changes.\n\nSuggested-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-11-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "880db5d4abb29e931d82b9feefb4382f76fcf9e5", "tree": "3c66ca3227205c37653614f62043616bdca40dd2", "parents": [ "65499074efaf574fef6365ac63b785a3ec98913d" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:34 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:01 2026 -0700" }, "message": "bpf: Factor fsession link to use struct bpf_tramp_node\n\nNow that we split trampoline attachment object (bpf_tramp_node) from\nthe link object (bpf_tramp_link) we can use bpf_tramp_node as fsession\u0027s\nfexit attachment object and get rid of the bpf_fsession_link object.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-10-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "65499074efaf574fef6365ac63b785a3ec98913d", "tree": "33e0f0d71621d011f6d97ff69fec4a479829a07a", "parents": [ "e6cc9ed677e622265bbd015892be58a1eece6238" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:33 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:01 2026 -0700" }, "message": "bpf: Add struct bpf_tramp_node object\n\nAdding struct bpf_tramp_node to decouple the link out of the trampoline\nattachment info.\n\nAt the moment the object for attaching bpf program to the trampoline is\n\u0027struct bpf_tramp_link\u0027:\n\n struct bpf_tramp_link {\n struct bpf_link link;\n struct hlist_node tramp_hlist;\n u64 cookie;\n }\n\nThe link holds the bpf_prog pointer and forces one link - one program\nbinding logic. In following changes we want to attach program to multiple\ntrampolines but we want to keep just one bpf_link object.\n\nSplitting struct bpf_tramp_link into:\n\n struct bpf_tramp_link {\n struct bpf_link link;\n struct bpf_tramp_node node;\n };\n\n struct bpf_tramp_node {\n struct bpf_link *link;\n struct hlist_node tramp_hlist;\n u64 cookie;\n };\n\nThe \u0027struct bpf_tramp_link\u0027 defines standard single trampoline link\nand \u0027struct bpf_tramp_node\u0027 is the attachment trampoline object with\npointer to the bpf_link object.\n\nThis will allow us to define link for multiple trampolines, like:\n\n struct bpf_tracing_multi_link {\n struct bpf_link link;\n ...\n int nodes_cnt;\n struct bpf_tracing_multi_node nodes[] __counted_by(nodes_cnt);\n };\n\nCc: Hengqi Chen \u003chengqi.chen@gmail.com\u003e\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-9-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "e6cc9ed677e622265bbd015892be58a1eece6238", "tree": "43f8f483d809be0496bf5995b1307357aeadbd4e", "parents": [ "bf4bc3e11c4195123055780b84dccfb8d2569535" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:32 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:00 2026 -0700" }, "message": "bpf: Add bpf_trampoline_add/remove_prog functions\n\nSeparate bpf_trampoline_add/remove_prog functions from\n__bpf_trampoline_link/unlink functions to be able to add/remove\ntrampoline programs without the image being updated in following\nchanges. No functional change is intended.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-8-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "bf4bc3e11c4195123055780b84dccfb8d2569535", "tree": "1d940d9f333e9aa2871f6697781f3408f63dd3b8", "parents": [ "8a35e8db740f96ec17b85db5a0f83c028c707a3e" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:31 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:00 2026 -0700" }, "message": "bpf: Move trampoline image setup into bpf_trampoline_ops callbacks\n\nMoving trampoline image setup into bpf_trampoline_ops callbacks,\nso we can have different image handling for multi attachment which\nis coming in following changes.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-7-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "8a35e8db740f96ec17b85db5a0f83c028c707a3e", "tree": "b6aa497fdda171aad043bcc596fcbfbef29d55bc", "parents": [ "e6abd4cd157bf63cd89c74f8f10abae76e7b0359" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:30 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:00 2026 -0700" }, "message": "bpf: Add struct bpf_trampoline_ops object\n\nIn following changes we will need to override ftrace direct attachment\nbehaviour. In order to do that we are adding struct bpf_trampoline_ops\nobject that defines callbacks for ftrace direct attachment:\n\n register_fentry\n unregister_fentry\n modify_fentry\n\nThe new struct bpf_trampoline_ops object is passed as an argument to\n__bpf_trampoline_link/unlink_prog functions.\n\nAt the moment the default trampoline_ops is set to the current ftrace\ndirect attachment functions, so there\u0027s no functional change for the\ncurrent code.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-6-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "e6abd4cd157bf63cd89c74f8f10abae76e7b0359", "tree": "713a31474337249d88b1cb4b86d11598ecc77613", "parents": [ "2cd298c106e00ba1d8799b022594f131703f32fa" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:29 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:00 2026 -0700" }, "message": "bpf: Use mutex lock pool for bpf trampolines\n\nAdding mutex lock pool that replaces bpf trampolines mutex.\n\nFor tracing_multi link coming in following changes we need to lock all\nthe involved trampolines during the attachment. This could mean thousands\nof mutex locks, which is not convenient.\n\nAs suggested by Andrii we can replace bpf trampolines mutex with mutex\npool, where each trampoline is hash-ed to one of the locks from the pool.\n\nIt\u0027s better to lock all the pool mutexes (32 at the moment) than\nthousands of them.\n\nThere is 48 (MAX_LOCK_DEPTH) lock limit allowed to be simultaneously\nheld by task, so we need to keep 32 mutexes (5 bits) in the pool, so\nwhen we lock them all in following changes the lockdep won\u0027t scream.\n\nRemoving the mutex_is_locked in bpf_trampoline_put, because we removed\nthe mutex from bpf_trampoline.\n\nSuggested-by: Andrii Nakryiko \u003candrii@kernel.org\u003e\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-5-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "2cd298c106e00ba1d8799b022594f131703f32fa", "tree": "b3e9eddd023494379d0640ed0b79b56127ac496d", "parents": [ "af7c32365090a1a8ff981f85d7c24b344a2eaa75" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:28 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:00 2026 -0700" }, "message": "ftrace: Add add_ftrace_hash_entry function\n\nRenaming __add_hash_entry to add_ftrace_hash_entry and making it global,\nit will be used in following changes outside ftrace.c object.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-4-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "af7c32365090a1a8ff981f85d7c24b344a2eaa75", "tree": "78c851767f75e21609d56cc61cfffd76e0852e64", "parents": [ "e57f13eaab259ece7c9e8d81ba2c40c4f057ca2c" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:27 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:00 2026 -0700" }, "message": "ftrace: Add ftrace_hash_remove function\n\nAdding ftrace_hash_remove function that removes all entries\nfrom struct ftrace_hash object without freeing them.\n\nIt will be used in following changes where entries are allocated\nas part of another structure and are free-ed separately.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-3-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "e57f13eaab259ece7c9e8d81ba2c40c4f057ca2c", "tree": "0dfa171f80a6af04752a8ee2b17d4623dad274ac", "parents": [ "5b038319be442c620f774e6fc9e9283deeca1c75" ], "author": { "name": "Jiri Olsa", "email": "jolsa@kernel.org", "time": "Sat Jun 06 14:39:26 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sun Jun 07 10:03:00 2026 -0700" }, "message": "ftrace: Add ftrace_hash_count function\n\nAdding external ftrace_hash_count function so we could get hash\ncount outside of ftrace object.\n\nSigned-off-by: Jiri Olsa \u003cjolsa@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260606123955.345967-2-jolsa@kernel.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "5b038319be442c620f774e6fc9e9283deeca1c75", "tree": "7c70fe174cf6329ee8ce42f2b6b65ecec1583272", "parents": [ "f6cd665c10f1577eca9eef643c9d10ec0435fd61" ], "author": { "name": "David Windsor", "email": "dwindsor@gmail.com", "time": "Fri Jun 05 10:57:07 2026 -0400" }, "committer": { "name": "Kumar Kartikeya Dwivedi", "email": "memxor@gmail.com", "time": "Sun Jun 07 10:14:22 2026 +0200" }, "message": "bpf: Reject sleepable BPF_LSM_CGROUP programs at load time\n\nThe cgroup shim runs under rcu_read_lock_dont_migrate(), so we should\nnot attach any sleepable BPF programs there. Add support to the verifier\nto explicitly reject attempts to load sleepable BPF programs destined\nfor LSM cgroup attachment.\n\nWithout this, we get the following splat from a BPF_LSM_CGROUP\nprogram marked BPF_F_SLEEPABLE attached to file_open when it calls\nbpf_get_dentry_xattr():\n\n BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1567\n in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 34317, name: load\n preempt_count: 0, expected: 0\n RCU nest depth: 2, expected: 0\n Call Trace:\n down_read+0x76/0x480\n ext4_xattr_get+0x11f/0x700\n __vfs_getxattr+0xf0/0x150\n bpf_get_dentry_xattr+0xbb/0xf0\n bpf_prog_e76a298dac9218c6_test_open+0x6a/0x85\n __cgroup_bpf_run_lsm_current+0x326/0x840\n bpf_trampoline_6442534646+0x62/0x14d\n security_file_open+0x34/0x60\n do_dentry_open+0x340/0x1260\n vfs_open+0x7a/0x440\n path_openat+0x1bac/0x30a0\n\nlibbpf provides a .s named section variant for every sleepable\nprogram type except lsm_cgroup, reflecting that per-cgroup LSM programs\nare intended to only run in a non-sleepable context.\n\nThe above splat was obtained by bypassing libbpf by using bpf(2)\ndirectly.\n\nFixes: 69fd337a975c (\"bpf: per-cgroup lsm flavor\")\nSigned-off-by: David Windsor \u003cdwindsor@gmail.com\u003e\nAcked-by: Yonghong Song \u003cyonghong.song@linux.dev\u003e\nAcked-by: Song Liu \u003csong@kernel.org\u003e\nLink: https://lore.kernel.org/bpf/20260605145707.608579-1-dwindsor@gmail.com\nSigned-off-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\n" }, { "commit": "f6cd665c10f1577eca9eef643c9d10ec0435fd61", "tree": "3a23faf49bfbf0af449081a92e80ff62b969d68c", "parents": [ "8ddce416797b7454ba1df855821b02c6e43b5a0e", "3ce6b42458f0e2176350fccf86b954d322591ff7" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sat Jun 06 16:44:47 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sat Jun 06 16:49:04 2026 -0700" }, "message": "Merge branch \u0027bpf-verifier-fix-ptr_to_flow_keys-constant-offset-oob\u0027\n\nNuoqi Gui says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nbpf, verifier: fix PTR_TO_FLOW_KEYS constant-offset OOB\n\nA constant offset added to a PTR_TO_FLOW_KEYS register lands in\nreg-\u003evar_off, but check_flow_keys_access() bounds-checks only insn-\u003eoff\nand never folds reg-\u003evar_off.value. A BPF_PROG_TYPE_FLOW_DISSECTOR\nprogram can therefore do \"flow_keys +\u003d 0x1000; *(flow_keys + 0)\" and have\nit accepted, then read/write kernel stack past struct bpf_flow_keys at\nruntime. Patch 1 folds reg-\u003evar_off.value into the offset (and rejects\nnon-constant offsets), mirroring check_ctx_access(); patch 2 adds verifier\nselftests.\n\nThis is a regression introduced in the 7.1 development cycle by commit\n022ac0750883 (\"bpf: use reg-\u003evar_off instead of reg-\u003eoff for pointers\"),\nwhich moved the constant offset from reg-\u003eoff (folded generically before\n022ac0750883) into reg-\u003evar_off without updating the flow_keys path. No\nreleased kernel is affected: v7.0.x rejects the program above, and the bug\nreproduces only on v7.1-rc1..rc5, so no stable backport is needed.\n\nIt was first reported privately to security@kernel.org; per their guidance\nit is handled in the open as a normal regression fix. Found by manual\nverifier audit and confirmed dynamically in a disposable QEMU/KVM guest:\nthe load above is accepted, a runtime read leaked a kernel-stack pointer\n0x1000 past bpf_flow_keys, and a runtime write of a marker faulted the\nguest in net_rx_action.\n\nAn alternative -- forbidding pointer arithmetic on PTR_TO_FLOW_KEYS\noutright by dropping \"if (known) break;\" in adjust_ptr_min_max_vals() --\nwas rejected because v7.0.x accepted (and correctly bounds-checked)\nconstant arithmetic on the keys pointer; restoring the fold preserves that\nbehaviour while closing the divergence.\n\nSigned-off-by: Nuoqi Gui \u003cgnq25@mails.tsinghua.edu.cn\u003e\n---\nv2 -\u003e v3:\n - Pass existing reg/argno context into check_flow_keys_access(), avoiding\n a stale regno reference in check_mem_access().\n - Add a variable-offset selftest using bpf_get_prandom_u32().\n\nv1 -\u003e v2:\n - Target bpf-next instead of bpf (per reviewer feedback).\n - Base-commit updated to bpf-next/master.\n\nv2: https://lore.kernel.org/bpf/20260604180730.2518088-1-gnq25@mails.tsinghua.edu.cn/\nv1: https://lore.kernel.org/bpf/20260604150755.2487555-1-gnq25@mails.tsinghua.edu.cn/\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260606-c3-01-v3-v3-0-97c51f592f15@mails.tsinghua.edu.cn\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "3ce6b42458f0e2176350fccf86b954d322591ff7", "tree": "3a23faf49bfbf0af449081a92e80ff62b969d68c", "parents": [ "37363191cbe8f83586ad6a818460d010070ead00" ], "author": { "name": "Nuoqi Gui", "email": "gnq25@mails.tsinghua.edu.cn", "time": "Sat Jun 06 18:50:38 2026 +0800" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sat Jun 06 16:46:53 2026 -0700" }, "message": "selftests/bpf: add tests for PTR_TO_FLOW_KEYS offset bounds\n\nAdd verifier tests covering pointer arithmetic on a PTR_TO_FLOW_KEYS\nregister. This covers the bpf-next regression where an out-of-bounds\nconstant offset introduced as flow_keys +\u003d K and then dereferenced at\ninsn-\u003eoff 0 was accepted, while the equivalent flow_keys + K direct offset\nwas rejected.\n\nThe tests check that in-bounds constant arithmetic on the keys pointer is\nstill accepted, out-of-bounds constant arithmetic is rejected for both read\nand write, and a truly varying offset from bpf_get_prandom_u32() remains\nrejected by the existing PTR_TO_FLOW_KEYS pointer arithmetic rules.\n\nSigned-off-by: Nuoqi Gui \u003cgnq25@mails.tsinghua.edu.cn\u003e\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260606-c3-01-v3-v3-2-97c51f592f15@mails.tsinghua.edu.cn\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "37363191cbe8f83586ad6a818460d010070ead00", "tree": "56ab69d8bdedde389739ab2e1b4829622f4c9a67", "parents": [ "8ddce416797b7454ba1df855821b02c6e43b5a0e" ], "author": { "name": "Nuoqi Gui", "email": "gnq25@mails.tsinghua.edu.cn", "time": "Sat Jun 06 18:50:37 2026 +0800" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Sat Jun 06 16:45:25 2026 -0700" }, "message": "bpf: Fold reg-\u003evar_off into PTR_TO_FLOW_KEYS bounds check\n\nConstant pointer arithmetic on a PTR_TO_FLOW_KEYS register lands the\nconstant in reg-\u003evar_off (e.g. flow_keys(imm\u003d4096)), but the\nPTR_TO_FLOW_KEYS path in check_mem_access() passes only insn-\u003eoff to\ncheck_flow_keys_access() and never folds reg-\u003evar_off.value. The\nverifier therefore accepts an access that, at runtime, dereferences past\nstruct bpf_flow_keys -- a verifier/runtime divergence that yields an\nout-of-bounds read and write of kernel stack memory.\n\nCommit 022ac0750883 (\"bpf: use reg-\u003evar_off instead of reg-\u003eoff for\npointers\") removed the generic \"off +\u003d reg-\u003eoff\" that check_mem_access()\napplied before the per-type dispatch and replaced it with per-path\nfolding of reg-\u003evar_off.value (for example the ctx path now folds the\nregister offset via check_ctx_access()). The PTR_TO_FLOW_KEYS path was\nnot given the equivalent fold, so a constant offset that used to be\nfolded and rejected is now silently accepted:\n\n before 022ac0750883: the offset stays in reg-\u003eoff and is folded\n generically, so the access is checked with off\u003d4096 and rejected.\n after 022ac0750883: the offset lands in reg-\u003evar_off, the flow_keys\n path checks off\u003d0 and accepts; at runtime the access dereferences\n base + 0x1000.\n\nFor a BPF_PROG_TYPE_FLOW_DISSECTOR program the following is accepted:\n\n r2 \u003d *(u64 *)(r1 + 144) ; R2\u003dflow_keys (PTR_TO_FLOW_KEYS)\n r2 +\u003d 0x1000 ; R2\u003dflow_keys(imm\u003d4096), accepted\n r0 \u003d *(u64 *)(r2 + 0) ; accepted, var_off.value\u003d0x1000 ignored\n\nwhile the equivalent insn-\u003eoff form\n\n r0 \u003d *(u64 *)(r2 + 0x1000)\n\nhas the same effective offset but is correctly rejected with\n\"invalid access to flow keys off\u003d4096 size\u003d8\", which isolates the defect\nto the missing var_off fold. Once attached as a flow dissector, the\naccepted program reads kernel stack past struct bpf_flow_keys (a\nkernel-stack / KASLR information leak) and can likewise write past it,\ncorrupting kernel memory.\n\nFix it by folding reg-\u003evar_off.value into the offset before the bounds\ncheck and rejecting non-constant offsets, mirroring the other pointer\ntypes (e.g. check_ctx_access()).\n\nFixes: 022ac0750883 (\"bpf: use reg-\u003evar_off instead of reg-\u003eoff for pointers\")\nSigned-off-by: Nuoqi Gui \u003cgnq25@mails.tsinghua.edu.cn\u003e\nAcked-by: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260606-c3-01-v3-v3-1-97c51f592f15@mails.tsinghua.edu.cn\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "8ddce416797b7454ba1df855821b02c6e43b5a0e", "tree": "3276339832c9aa8f0735a189dbd936907962cd2f", "parents": [ "63a673e8a4112af267106264f50584947786845a" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Fri Jun 05 23:35:18 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 20:33:48 2026 -0700" }, "message": "selftests/bpf: Inspect the signature verdict exposed to BPF LSM\n\nAdd a minimal BPF LSM program on lsm/bpf_prog_load that, for loads on\nthe monitored thread, reads back prog-\u003eaux-\u003esig.{verdict,keyring_type,\nkeyring_serial}, and a signed_loader subtest that drives the same\ngen_loader loader through the hook twice: i) /unsigned/ where the LSM\nmust observe UNSIGNED, no keyring and serial 0; ii) /signed/ where the\nvery same insns signed against the session keyring must be observed as\nVERIFIED with a user keyring, and the recorded keyring_serial must be\nequal to the resolved session keyring serial. Loading (not running) the\nloader is sufficient since the verdict is attached at load time.\n\n # LDLIBS\u003d-static PKG_CONFIG\u003d\u0027pkg-config --static\u0027 ./vmtest.sh -- ./test_progs -t signed_loader\n [ 1.970530] clocksource: Switched to clocksource tsc\n #405/1 signed_loader/metadata_check_shape:OK\n #405/2 signed_loader/metadata_match:OK\n #405/3 signed_loader/metadata_sha_mismatch:OK\n #405/4 signed_loader/metadata_not_exclusive:OK\n #405/5 signed_loader/metadata_hash_not_computed:OK\n #405/6 signed_loader/signature_enforced:OK\n #405/7 signed_loader/signature_too_large:OK\n #405/8 signed_loader/signature_bad_keyring:OK\n #405/9 signed_loader/metadata_ctx_max_entries_ignored:OK\n #405/10 signed_loader/metadata_ctx_initial_value_ignored:OK\n #405/11 signed_loader/signature_authenticates_insns:OK\n #405/12 signed_loader/hash_requires_frozen:OK\n #405/13 signed_loader/no_update_after_freeze:OK\n #405/14 signed_loader/freeze_writable_mmap:OK\n #405/15 signed_loader/no_writable_mmap_frozen:OK\n #405/16 signed_loader/map_hash_matches_libbpf:OK\n #405/17 signed_loader/map_hash_multi_element:OK\n #405/18 signed_loader/map_hash_bad_size:OK\n #405/19 signed_loader/map_hash_unsupported_type:OK\n #405/20 signed_loader/lsm_signature_verdict:OK\n #405 signed_loader:OK\n Summary: 1/20 PASSED, 0 SKIPPED, 0 FAILED\n\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260605213518.544262-2-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "63a673e8a4112af267106264f50584947786845a", "tree": "8c931de054805a3f1baa3d347bb2e8eec52f3a77", "parents": [ "ba033497f16c24be2f8ee8c162895d686885f66f" ], "author": { "name": "KP Singh", "email": "kpsingh@kernel.org", "time": "Fri Jun 05 23:35:17 2026 +0200" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 20:33:48 2026 -0700" }, "message": "bpf: Expose signature verdict via bpf_prog_aux\n\nBPF_PROG_LOAD verifies the loader signature but does not record the\noutcome on the BPF program. [BPF] LSMs and audit can read attr-\u003esignature\nand attr-\u003ekeyring_id to infer \"was this signed, and if so, against which\nkeyring\".\n\nAdd prog-\u003eaux-\u003esig (verdict + keyring_{type,serial}), populated by\nbpf_prog_load before the LSM hook. keyring_type classifies the keyring\nthe load referenced (builtin, secondary, platform or user), while\nkeyring_serial records the serial of the keyring the signature was\nactually validated against. System keyrings carry a pseudo key pointer\nwith no user-visible serial and are reported as 0, as are unsigned loads.\nFailed verifications reject the load before the hook runs, so it observes\nonly either UNSIGNED or VERIFIED.\n\nSigned-off-by: KP Singh \u003ckpsingh@kernel.org\u003e\nCo-developed-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/r/20260605213518.544262-1-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "ba033497f16c24be2f8ee8c162895d686885f66f", "tree": "e55dce36f23886ec2c1fdbd5036489234dc14191", "parents": [ "d5e5745f8a1dfd0d026fe36eb1265268bce4988c", "42998f819256ef272b6a445310e2b64a3729a139" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 20:32:21 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 20:32:22 2026 -0700" }, "message": "Merge branch \u0027selftests-bpf-libarena-add-initial-data-structures\u0027\n\nEmil Tsalapatis says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nselftests/bpf: libarena: Add initial data structures\n\nAdd two new data structures to libarena. These data structures initially\nresided in the sched-ext repo (https://github.com/sched-ext/scx) and\nhave been adapted to the internal libarena build system. The data\nstructures are:\n\n- Red black tree: Fundamental tree data structure that can also serve\n as a base for more domain-specific data structures.\n\n- Lev-Chase deque: Queue data structure that allows efficient work\n stealing, useful in scheduling scenarios.\n\nThe data structures are accompanied by selftests that are automatically\ndiscovered by the existing libarena test_progs selftest and incorporated\nin the CI.\n\nCHANGELOG\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nv3 -\u003e v4 (https://lore.kernel.org/bpf/20260604235016.20856-1-emil@etsalapatis.com/)\n- Turn off load_acquire/store_relesase - dependent selftests for s390 (CI)\n- Various style/non-functional nits (AI)\n\nv2 -\u003e v3 (https://lore.kernel.org/bpf/20260603182727.3922-1-emil@etsalapatis.com/)\n\n- Add workaround to handle LLVM 21 and GCC 15 assignment-to-memset promotions\n that are causing verification failures for arena programs (CI)\n- Incorporate Sashiko feedback for cleanup edge cases (Sashiko)\n- Simplify some of the ordering semantics in spmc\n\nv1 -\u003e v2 (https://lore.kernel.org/bpf/20260511214100.9487-1-emil@etsalapatis.com/):\n\n- Rename tests from st_ to test_ (Alexei)\n- Removed the freelist caches from the rbtrees, previously used to defer freeing (Alexei)\n- Moved the type and function definitions to use the __arena identifier\n- Removed the typecasts during function return and directly return __arena\n pointers (Alexei)\n- Renamed queues to spmc queues to abstract away the algorithm (Alexei)\n- Adjusted the memory barriers in the spmc queue\n- Added multithreaded testing harness for libarena programs (Alexei)\n- Added parallel selftest for queues (Alexei)\n- Split least upper bound and exact find operations back into separate\n functions to prevent RB_DUPLICATE-related bug (AI)\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260605222020.5231-1-emil@etsalapatis.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "42998f819256ef272b6a445310e2b64a3729a139", "tree": "e55dce36f23886ec2c1fdbd5036489234dc14191", "parents": [ "57c6ace8395d53b9bae6fb21e0bd3f536342c16e" ], "author": { "name": "Emil Tsalapatis", "email": "emil@etsalapatis.com", "time": "Fri Jun 05 18:20:20 2026 -0400" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 20:32:21 2026 -0700" }, "message": "selftests/bpf: libarena: parallel test harness and spmc parallel selftest\n\nAdd a parallel test for the SPMC Lev-Chase workstealing queue. The queue\nis built to be wait-free even when there are multiple consumers, and\nthe parallel selftest provides a signal on whether the queue behaves\ncorrectly when stress tested.\n\nTo support the test, this patch includes a test harness for parallel\nselftests. The spmc selftest acts as an example of the naming and other\nconventions expected by the harness.\n\nSigned-off-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nLink: https://lore.kernel.org/r/20260605222020.5231-4-emil@etsalapatis.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "57c6ace8395d53b9bae6fb21e0bd3f536342c16e", "tree": "cbc1deadd64f7d3b35ad58f1bc94d957aa2cc117", "parents": [ "6c3e8a4d476521bc33362e90b2569548f1adb7a4" ], "author": { "name": "Emil Tsalapatis", "email": "emil@etsalapatis.com", "time": "Fri Jun 05 18:20:19 2026 -0400" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 20:32:21 2026 -0700" }, "message": "selftests/bpf: libarena: Add spmc queue data structure\n\nExpand libarena with a single producer multiple consumer deque data\nstructure. This is a single producer, multiple consumer lockless structure\nthat permits efficient work stealing. The structure is a Lev-Chase queue,\nso it is lock-free and wait-free.\n\nThe data structure exposes three main calls. two of them are available to\nthe thread owning the queue and one available to all threads in the program:\n\nspmc_owner_push(): Push an item to the top of the queue.\nspmc_owner_pop(): Pop an item from the top of the queue.\nspmc_steal(): Steal a thread from the bottom of the queue from\nany thread.\n\nNote that the queue is not really FIFO for all consumers, since\nnon-owners of the queue can only work steal from the bottom.\n\nSigned-off-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nLink: https://lore.kernel.org/r/20260605222020.5231-3-emil@etsalapatis.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "6c3e8a4d476521bc33362e90b2569548f1adb7a4", "tree": "742d28e4627ffaef5aea571edbc2dba01929e399", "parents": [ "d5e5745f8a1dfd0d026fe36eb1265268bce4988c" ], "author": { "name": "Emil Tsalapatis", "email": "emil@etsalapatis.com", "time": "Fri Jun 05 18:20:18 2026 -0400" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 20:32:21 2026 -0700" }, "message": "selftests/bpf: libarena: Add rbtree data structure\n\nAdd a native red-black tree data structure to libarena.\nThe data structure supports multiple APIs (key-value based,\nnode based) with which users can query and modify it. The\ntree uses the libarena memory allocator to manage its data.\n\nSigned-off-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nLink: https://lore.kernel.org/r/20260605222020.5231-2-emil@etsalapatis.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "d5e5745f8a1dfd0d026fe36eb1265268bce4988c", "tree": "a7a53370d23dfc5bc45f26d018cdd89ac9b94883", "parents": [ "39a23eee83f694da1e35a33e12c1fd0930330fd6" ], "author": { "name": "Sean Young", "email": "sean@mess.org", "time": "Fri Jun 05 16:14:16 2026 +0100" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:56:57 2026 -0700" }, "message": "selftests/bpf: Fix test_lirc test\n\nSince commit 68a99f6a0ebf (\"media: lirc: report ir receiver overflow\"),\nthe rc-loopback driver does not accept edges over 50ms, as these are\nnever seen in real life ir protocols. Fix this.\n\nSigned-off-by: Sean Young \u003csean@mess.org\u003e\nLink: https://lore.kernel.org/r/20260605151417.777614-1-sean@mess.org\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "39a23eee83f694da1e35a33e12c1fd0930330fd6", "tree": "a7e7709358cfe4e0dd3fc97d8aadfcc40aeb3e71", "parents": [ "b403670b828a757e8122ea9be6607dae6fba1263", "7913cdb54ee3271f608ad518bf8e75ad72cc3a3d" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:55:43 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:55:44 2026 -0700" }, "message": "Merge branch \u0027add-validation-for-bpf_set_retval-helper\u0027\n\nXu Kuohai says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nAdd validation for bpf_set_retval helper\n\nFrom: Xu Kuohai \u003cxukuohai@huawei.com\u003e\n\nThe bpf_set_retval() helper is used by cgroup BPF programs to set the\nreturn value of the kernel hook. The argument type for this helper is\nARG_ANYTHING. This allows setting a positive value, which no cgroup\nhook expects and can cause issues, such as the kernel panic reported\nin [1].\n\nThis series adds validation for the argument of the bpf_set_retval()\nhelper.\n\nFor BPF_LSM_CGROUP, the same validation as BPF_LSM_MAC is enforced,\ni.e. validate the argument against the LSM hook specific range, which\nis returned by bpf_lsm_get_retval_range().\n\nFor all other cgroup program types, restrict the argument to\n[-MAX_ERRNO, 0], which matches the kernel convention of 0 for success\nand negative errno for error.\n\nBPF_CGROUP_GETSOCKOPT is an exception from this restriction, since valid\ngetsockopt implementations may return positive values (e.g. optlen), as\nallowed by commit c4dcfdd406aa (\"bpf: Move getsockopt retval to struct\nbpf_cg_run_ctx\").\n\n[1] https://lore.kernel.org/all/567d3206-74a5-44e5-99c6-779c425f399e@std.uestc.edu.cn\n\nv5:\n- Use resolve_prog_type(env-\u003eprog) instead of env-\u003eprog-\u003etype for prog type checks\n- Target bpf-next tree\n\nv4: https://lore.kernel.org/bpf/20260604130458.617765-1-xukuohai@huaweicloud.com\n- Remove the return value limit for BPF_CGROUP_GETSOCKOPT type\n- Refine the range of return value of bpf_get_retval helper\n\nv3: https://lore.kernel.org/bpf/20260530101239.590395-1-xukuohai@huaweicloud.com/\n- Mark R1 as precise to prevent validation bypass via branch pruning (sashiko)\n\nv2: https://lore.kernel.org/bpf/20260530055557.549474-1-xukuohai@huaweicloud.com/\n- Extend validation from LSM cgroup BPF type to all cgroup BPF types (sashiko)\n\nv1: https://lore.kernel.org/bpf/20260523085806.417723-1-xukuohai@huaweicloud.com/\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260605140243.664590-1-xukuohai@huaweicloud.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "7913cdb54ee3271f608ad518bf8e75ad72cc3a3d", "tree": "a7e7709358cfe4e0dd3fc97d8aadfcc40aeb3e71", "parents": [ "b1f7f67b74c2e29e9c83f7952290a3c7f156bf9a" ], "author": { "name": "Xu Kuohai", "email": "xukuohai@huawei.com", "time": "Fri Jun 05 14:02:43 2026 +0000" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:55:43 2026 -0700" }, "message": "selftests/bpf: Add tests for bpf_set_retval validation\n\nAdd verifier tests to validate bpf_set_retval argument for cgroup\nprogram types.\n\nReviewed-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e #v1\nSigned-off-by: Xu Kuohai \u003cxukuohai@huawei.com\u003e\nLink: https://lore.kernel.org/r/20260605140243.664590-4-xukuohai@huaweicloud.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "b1f7f67b74c2e29e9c83f7952290a3c7f156bf9a", "tree": "1c47e774e78eb3b572e5488e83f1000ed5825148", "parents": [ "6fa2839893e3db43566e623f12805daeca64d9c4" ], "author": { "name": "Xu Kuohai", "email": "xukuohai@huawei.com", "time": "Fri Jun 05 14:02:42 2026 +0000" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:55:43 2026 -0700" }, "message": "bpf: Add validation for bpf_set_retval argument\n\nThe bpf_set_retval() helper is used by cgroup BPF programs to set the\nreturn value of the target hook. The argument type for this helper is\nARG_ANYTHING. This allows setting a positive value, which no cgroup\nhook expects and can cause issues, such as:\n\n- BPF_LSM_CGROUP: a positive value from bpf_lsm_socket_create bypasses\n the err \u003c 0 check in __sock_create(), leaving the socket object\n unallocated. The positive return value is then propagated to the\n syscall entry __sys_socket(), which also bypasses the IS_ERR() guard\n and ultimately causes a NULL pointer dereference.\n\n- BPF_CGROUP_DEVICE: a positive value can be returned through cgroup\n device bpf prog -\u003e devcgroup_check_permission() -\u003e bdev_permission()\n -\u003e bdev_file_open_by_dev(), where ERR_PTR(positive) produces a pointer\n that IS_ERR() does not catch, leading to a wild pointer dereference.\n\n- BPF_CGROUP_SOCK: a positive value can be returned through cgroup sock\n bpf prog -\u003e __cgroup_bpf_run_filter_sk() -\u003e inet_create() -\u003e\n __sock_create(), where inet_create() frees the newly allocated sk\n via sk_common_release() and sets sock-\u003esk \u003d NULL on the non-zero\n return, but __sock_create() only checks err \u003c 0 for cleanup, so a\n positive retval bypasses cleanup and returns a socket with NULL sk\n to userspace, triggering a NULL pointer dereference on subsequent\n socket operations.\n\n- BPF_CGROUP_SYSCTL: a positive value can be returned through the cgroup\n bpf prog -\u003e __cgroup_bpf_run_filter_sysctl() -\u003e proc_sys_call_handler(),\n where a non-zero return bypasses the normal sysctl proc_handler and is\n returned directly to userspace as return value of read() or write()\n syscall.\n\nSo add validation for the argument of the bpf_set_retval() helper.\n\nFor BPF_LSM_CGROUP, enforce the LSM hook specific range returned by\nbpf_lsm_get_retval_range().\n\nFor all other cgroup program types, restrict the argument to\n[-MAX_ERRNO, 0], which matches the kernel convention of 0 for success\nand negative errno for error.\n\nBPF_CGROUP_GETSOCKOPT is an exception, since valid getsockopt\nimplementations may return positive values, as allowed by commit\nc4dcfdd406aa (\"bpf: Move getsockopt retval to struct bpf_cg_run_ctx\").\n\nAlso refine the return value range of bpf_get_retval() so that\nvalues returned by bpf_get_retval() can be passed directly to\nbpf_set_retval() without extra manual bounds checking.\n\nFixes: b44123b4a3dc (\"bpf: Add cgroup helpers bpf_{get,set}_retval to get/set syscall return value\")\nFixes: 69fd337a975c (\"bpf: per-cgroup lsm flavor\")\nReported-by: Quan Sun \u003c2022090917019@std.uestc.edu.cn\u003e\nCloses: https://lore.kernel.org/all/567d3206-74a5-44e5-99c6-779c425f399e@std.uestc.edu.cn\nSigned-off-by: Xu Kuohai \u003cxukuohai@huawei.com\u003e\nLink: https://lore.kernel.org/r/20260605140243.664590-3-xukuohai@huaweicloud.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "6fa2839893e3db43566e623f12805daeca64d9c4", "tree": "7cd5e41ad8779b8d4b72ce8bc5e719e225cdc7ca", "parents": [ "b403670b828a757e8122ea9be6607dae6fba1263" ], "author": { "name": "Xu Kuohai", "email": "xukuohai@huawei.com", "time": "Fri Jun 05 14:02:41 2026 +0000" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:55:43 2026 -0700" }, "message": "selftests/bpf: Restrict bpf_set_retval argument in sk_bypass_prot_mem\n\nTest sk_bypass_prot_mem passes an unchecked value as argument to helper\nbpf_set_retval(). The argument can be outside the valid range enforced\nby the strict retval validation added in the next patch.\n\nRestrict the argument to -EFAULT when it is outside the valid range, so\nthe test will not be rejected by the verifier when retval validation\nis enforced.\n\nSigned-off-by: Xu Kuohai \u003cxukuohai@huawei.com\u003e\nLink: https://lore.kernel.org/r/20260605140243.664590-2-xukuohai@huaweicloud.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "b403670b828a757e8122ea9be6607dae6fba1263", "tree": "8e4d6d03ca4516422b0b05508e1f031ee82af96f", "parents": [ "f091801c85a5991cb4acacfb5b15daa265b674dd", "2566c3b24219c5b30e35205cba029ff34ff7c78b" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:54:35 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:54:36 2026 -0700" }, "message": "Merge branch \u0027bpf-fix-sysctl-new-value-handling-in-__cgroup_bpf_run_filter_sysctl\u0027\n\nDawei Feng says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nbpf: fix sysctl new-value handling in __cgroup_bpf_run_filter_sysctl\n\nThis series fixes three bugs in the sysctl write-buffer replacement path\nof __cgroup_bpf_run_filter_sysctl(). It resolves a kvzalloc()/kfree()\nmismatch, adds a missing NUL terminator to the replacement string, and\nupdates a stale return value check to safely restore the replacement\nfunctionality.\n\nPatch Summary:\n- patch 1 NUL-terminates the replaced sysctl value\n- patch 2 uses kvfree() for the replaced sysctl write buffer\n- patch 3 restores sysctl new-value replacement\n\nChangelog:\nv2 -\u003e v3:\n- reordered patches 1 and 2\n- added the missing Reviewed-by/Acked-by tags to patches 2 and 3\n- fixed the incorrect Fixes tag in patch 3\n- simplified the dynamic test logs in patch 1 and 2, and updated\n titles\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260603105317.944304-1-dawei.feng@seu.edu.cn\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "2566c3b24219c5b30e35205cba029ff34ff7c78b", "tree": "8e4d6d03ca4516422b0b05508e1f031ee82af96f", "parents": [ "4c21b5927d4364bfe7365f2700da5fea0ed0d004" ], "author": { "name": "Dawei Feng", "email": "dawei.feng@seu.edu.cn", "time": "Wed Jun 03 18:53:17 2026 +0800" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:54:35 2026 -0700" }, "message": "bpf: Restore sysctl new-value from 1 to 0\n\nCommit 4e63acdff864 (\"bpf: Introduce bpf_sysctl_{get,set}_new_value\nhelpers\") changed the success return value to 0, but failed to update the\ncorresponding check in __cgroup_bpf_run_filter_sysctl(). Since\nbpf_prog_run_array_cg() now returns 0 on success, the legacy ret \u003d\u003d 1\ncondition is never satisfied. As a result, the modified value is ignored,\nand bpf_sysctl_set_new_value() fails to replace the write buffer.\n\nFix this by checking for a return value of 0 instead, so cgroup/sysctl\nprograms can correctly replace the pending sysctl buffer.\n\nThis bug was discovered during a manual code review. Tested via a\ncgroup/sysctl BPF reproducer overriding writes to a target sysctl.\nPre-fix, bpf_sysctl_set_new_value(\"foo\") was silently ignored: the write\nreturned 8192 and the value remained \"600\". Post-fix, the BPF replacement\nbuffer properly propagates: the write returns 3 and the value updates to\n\"foo\".\n\nFixes: f10d05966196 (\"bpf: Make BPF_PROG_RUN_ARRAY return -err instead of allow boolean\")\nCc: stable@vger.kernel.org\n\nAcked-by: Yonghong Song \u003cyonghong.song@linux.dev\u003e\nSigned-off-by: Zilin Guan \u003czilin@seu.edu.cn\u003e\nSigned-off-by: Dawei Feng \u003cdawei.feng@seu.edu.cn\u003e\nReviewed-by: Jiayuan Chen \u003cjiayuan.chen@linux.dev\u003e\nAcked-by: Xu Kuohai \u003cxukuohai@huawei.com\u003e\nLink: https://lore.kernel.org/r/20260603105317.944304-4-dawei.feng@seu.edu.cn\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "4c21b5927d4364bfe7365f2700da5fea0ed0d004", "tree": "295a1e57b5fcfef84cdc3617ce29da5c8cce7d7e", "parents": [ "a66e3b5bacf38d6ab29fa05a9754f7a114485605" ], "author": { "name": "Dawei Feng", "email": "dawei.feng@seu.edu.cn", "time": "Wed Jun 03 18:53:16 2026 +0800" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:54:35 2026 -0700" }, "message": "bpf: use kvfree() for replaced sysctl write buffer\n\nproc_sys_call_handler() allocates its temporary sysctl buffer with\nkvzalloc() and passes it to __cgroup_bpf_run_filter_sysctl(). Since\nkvzalloc() may fall back to vmalloc() for large allocations, freeing\nthat buffer with kfree() is wrong and can corrupt memory.\n\nUse kvfree() to safely handle both kmalloc and kvzalloc()/vmalloc\nallocations.\n\nThe bug was first flagged by an experimental analysis tool we are\ndeveloping for kernel memory-management bugs while analyzing\nv6.13-rc1. The tool is still under development and is not yet publicly\navailable. Manual inspection confirms that the bug is still\npresent in v7.1-rc5.\n\nReproduced the bug based on v7.1-rc4 in a QEMU x86_64 guest booted with\nKASAN and CONFIG_FAILSLAB enabled. To exercise the replacement path, the\ntest tree also included the accompanying fix for the stale ret \u003d\u003d 1\ncheck in __cgroup_bpf_run_filter_sysctl(). The reproducer confines\nfailslab injections to the proc_sys_call_handler() range, uses\nstacktrace-depth\u003d32, and injects fail-nth\u003d1 while writing 8191 bytes to\n/proc/sys/kernel/domainname from a task in the target cgroup. Under\nthat setup, fail-nth\u003d1 triggered the fault:\n\n BUG: unable to handle page fault for address: ffffeb0200024d48\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 SMP KASAN NOPTI\n CPU: 2 UID: 0 PID: 209 Comm: repro_proc_sys_ Not tainted 7.1.0-rc4-00686-g97625979a5d4 PREEMPT(lazy)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\n RIP: 0010:kfree+0x6e/0x510\n ...\n Call Trace:\n \u003cTASK\u003e\n ? __cgroup_bpf_run_filter_sysctl+0x626/0xc30\n __cgroup_bpf_run_filter_sysctl+0x74d/0xc30\n ? __pfx___cgroup_bpf_run_filter_sysctl+0x10/0x10\n ? srso_return_thunk+0x5/0x5f\n ? __kvmalloc_node_noprof+0x345/0x870\n ? proc_sys_call_handler+0x250/0x480\n ? srso_return_thunk+0x5/0x5f\n proc_sys_call_handler+0x3a2/0x480\n ? __pfx_proc_sys_call_handler+0x10/0x10\n ? srso_return_thunk+0x5/0x5f\n ? selinux_file_permission+0x39f/0x500\n ? srso_return_thunk+0x5/0x5f\n ? lock_is_held_type+0x9e/0x120\n vfs_write+0x98e/0x1000\n ...\n \u003c/TASK\u003e\n\nWith this fix applied on top of the same test setup, rerunning the\nreproducer with fail-nth\u003d1 yields no corresponding Oops reports.\n\nFixes: 4508943794ef (\"proc: use kvzalloc for our kernel buffer\")\nCc: stable@vger.kernel.org\n\nReviewed-by: Emil Tsalapatis \u003cemil@etsalapatis.com\u003e\nReviewed-by: Jiayuan Chen \u003cjiayuan.chen@linux.dev\u003e\nAcked-by: Yonghong Song \u003cyonghong.song@linux.dev\u003e\nSigned-off-by: Zilin Guan \u003czilin@seu.edu.cn\u003e\nSigned-off-by: Dawei Feng \u003cdawei.feng@seu.edu.cn\u003e\nLink: https://lore.kernel.org/r/20260603105317.944304-3-dawei.feng@seu.edu.cn\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "a66e3b5bacf38d6ab29fa05a9754f7a114485605", "tree": "d1a7ee56a9940149f8f3ed70d0359f662723d727", "parents": [ "f091801c85a5991cb4acacfb5b15daa265b674dd" ], "author": { "name": "Dawei Feng", "email": "dawei.feng@seu.edu.cn", "time": "Wed Jun 03 18:53:15 2026 +0800" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:54:35 2026 -0700" }, "message": "bpf: NUL-terminate replaced sysctl value\n\nWhen writing to sysctls, proc_sys_call_handler() guarantees that the\nbuffer passed to proc handlers is NUL-terminated. If\nbpf_sysctl_set_new_value() replaces the pending sysctl value, it can\nhand a replacement buffer directly to proc handlers. However, the\nhelper currently copies only buf_len bytes into that buffer without\nappending a NUL terminator, leaving downstream parsers vulnerable to\nout-of-bounds access.\n\nFix this by appending a \u0027\\0\u0027 after the replaced value to restore the\nexpected sysctl semantics. Since the helper already rejects buf_len\ngreater than PAGE_SIZE - 1, there is always room for the extra byte.\n\nReproduced in a QEMU x86_64 guest booted with KASAN while exercising\nthe sysctl replacement path with a cgroup/sysctl BPF program. The\nreproducer targets `/proc/sys/net/core/flow_limit_cpu_bitmap`, fills\nthe original user write buffer with non-zero bytes, and overrides the\nsysctl value so the replacement buffer lacks a terminating NUL. Under\nthat setup, the pre-fix kernel reported:\n\n BUG: KASAN: slab-out-of-bounds in strnchrnul+0x72/0x90\n Read of size 1 at addr ffff88800de57000 by task repro_patch3/66\n CPU: 0 UID: 0 PID: 66 Comm: repro_patch3 Not tainted 7.1.0-rc3-00269-g8370ca1f87cc #6 PREEMPT(lazy)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x68/0xa0\n print_report+0xcb/0x5e0\n ? __virt_addr_valid+0x21d/0x3f0\n ? strnchrnul+0x72/0x90\n ? strnchrnul+0x72/0x90\n kasan_report+0xca/0x100\n ? strnchrnul+0x72/0x90\n strnchrnul+0x72/0x90\n bitmap_parse+0x37/0x2e0\n flow_limit_cpu_sysctl+0xc6/0x840\n ? __pfx_flow_limit_cpu_sysctl+0x10/0x10\n ? __kvmalloc_node_noprof+0x5ba/0x870\n proc_sys_call_handler+0x31d/0x480\n ? __pfx_proc_sys_call_handler+0x10/0x10\n ? selinux_file_permission+0x39f/0x500\n ? lock_is_held_type+0x9e/0x120\n vfs_write+0x98e/0x1000\n ...\n \u003c/TASK\u003e\n The buggy address is located 0 bytes to the right of\n allocated 4096-byte region [ffff88800de56000, ffff88800de57000)\nWith this fix applied, rerunning the same sysctl-targeted path yields\nno corresponding KASAN reports.\n\nSigned-off-by: Zilin Guan \u003czilin@seu.edu.cn\u003e\nSigned-off-by: Dawei Feng \u003cdawei.feng@seu.edu.cn\u003e\nAcked-by: Yonghong Song \u003cyonghong.song@linux.dev\u003e\nLink: https://lore.kernel.org/r/20260603105317.944304-2-dawei.feng@seu.edu.cn\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "f091801c85a5991cb4acacfb5b15daa265b674dd", "tree": "cb52c1a1b1dee121775e00f179e1be8ec24adc72", "parents": [ "b9845290525cf19d29f3a0d06ae3feb923f60e4c", "5477d55f351fea3eeb2c5c77a9224eed0fd4d6a9" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:28:29 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:28:29 2026 -0700" }, "message": "Merge branch \u0027bpf-update-transport_header-when-encapsulating-udp-tunnel-in-lwt\u0027\n\nLeon Hwang says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nbpf: Update transport_header when encapsulating UDP tunnel in lwt\n\nCurrently, bpf_lwt_push_ip_encap() does not update skb-\u003etransport_header.\nWhen a driver, e.g. ice, reuses the stale skb-\u003etransport_header to\noffload checksum computation to NIC hardware, VxLAN packets encapsulated\nby bpf_lwt_push_encap() helper may be dropped due to incorrect checksum.\n\nUpdate skb-\u003etransport_header in bpf_lwt_push_ip_encap() whenever the\nencapsulated packet uses UDP, so checksum offload works correctly.\n\nChanges:\nv3 -\u003e v4:\n* Address comments from Emil:\n * Make the logic of skb_set_transport_header() clearer in patch #1.\n * Fold the code of fexit_lwt_push_ip_encap() into test_lwt_ip_encap.c in\n patch #2.\n * Resolve assorted issues of test in patch #2.\n* v3: https://lore.kernel.org/bpf/20260601150203.20352-1-leon.hwang@linux.dev/\n\nv2 -\u003e v3:\n* Drop patch #1 and #2 of v2 that aim to resolve potential issues\n reported by sashiko (per Alexei).\n* Check target IP version and UDP tunnel in test (per sashiko).\n* v2: https://lore.kernel.org/bpf/20260529151351.69911-1-leon.hwang@linux.dev/\n\nv1 -\u003e v2:\n* Address sashiko\u0027s reviews:\n * Fix TOCTOU issue in lwt to avoid changing hdr after checks.\n * Add check iph-\u003eihl \u003c 5 in lwt to avoid infinite-loop in MIPS driver.\n * Update comment style in selftests with BPF comment style.\n* v1: https://lore.kernel.org/bpf/20260525142650.2569-1-leon.hwang@linux.dev/\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260602150931.49629-1-leon.hwang@linux.dev\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "5477d55f351fea3eeb2c5c77a9224eed0fd4d6a9", "tree": "cb52c1a1b1dee121775e00f179e1be8ec24adc72", "parents": [ "82d7d0adbc678064543e9d254864f6b4ea4a388c" ], "author": { "name": "Leon Hwang", "email": "leon.hwang@linux.dev", "time": "Tue Jun 02 23:09:31 2026 +0800" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:28:29 2026 -0700" }, "message": "selftests/bpf: Add tests to verify the fix of encapsulating VxLAN in lwt\n\nAdd two tests to verify the transport header of skb has been set when\nencapsulate VxLAN using bpf_lwt_push_encap() helper.\n\n1. VxLAN over IPv4.\n2. VxLAN over IPv6.\n\nWithout the fix, the tests would fail:\n\n lwt_ip_encap_vxlan:FAIL:transport_hdr offset unexpected transport_hdr offset: actual 70 !\u003d expected 20\n #208 lwt_ip_encap_vxlan_ipv4:FAIL\n lwt_ip_encap_vxlan:FAIL:transport_hdr offset unexpected transport_hdr offset: actual 110 !\u003d expected 40\n #209 lwt_ip_encap_vxlan_ipv6:FAIL\n\nThe unexpected offsets are: outer encap headers\n(IPv4: iphdr+udp+vxlan+eth \u003d 50 bytes, IPv6: ipv6hdr+udp+vxlan+eth \u003d 70 bytes)\nplus the inner IP header (20 or 40 bytes), because without the fix\ntransport_header still points at the inner transport layer instead of the\nouter UDP header.\n\nAssisted-by: Claude:claude-sonnet-4-6\nCc: Leon Hwang \u003cleon.huangfu@shopee.com\u003e\nSigned-off-by: Leon Hwang \u003cleon.hwang@linux.dev\u003e\nLink: https://lore.kernel.org/r/20260602150931.49629-3-leon.hwang@linux.dev\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "82d7d0adbc678064543e9d254864f6b4ea4a388c", "tree": "5420abdf68d3ab937442faa379038a55299d20fc", "parents": [ "b9845290525cf19d29f3a0d06ae3feb923f60e4c" ], "author": { "name": "Leon Hwang", "email": "leon.hwang@linux.dev", "time": "Tue Jun 02 23:09:30 2026 +0800" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:28:28 2026 -0700" }, "message": "bpf: Update transport_header when encapsulating UDP tunnel in lwt\n\nCurrently, bpf_lwt_push_ip_encap() does not update skb-\u003etransport_header.\nWhen a driver, e.g. ice, reuses the stale skb-\u003etransport_header to\noffload checksum computation to NIC hardware, VxLAN packets encapsulated\nby bpf_lwt_push_encap() helper may be dropped due to incorrect checksum.\n\nUpdate skb-\u003etransport_header in bpf_lwt_push_ip_encap() whenever the\nencapsulated packet uses UDP, so checksum offload works correctly.\n\nFixes: 52f278774e79 (\"bpf: implement BPF_LWT_ENCAP_IP mode in bpf_lwt_push_encap\")\nCc: Leon Hwang \u003cleon.huangfu@shopee.com\u003e\nSigned-off-by: Leon Hwang \u003cleon.hwang@linux.dev\u003e\nLink: https://lore.kernel.org/r/20260602150931.49629-2-leon.hwang@linux.dev\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "b9845290525cf19d29f3a0d06ae3feb923f60e4c", "tree": "10d38a84624b2a60caa3d05cc9f32b41bc18428d", "parents": [ "a1f1acf6a1491394d57e9635e47ccfcf8381f265", "6d13ddb1d46525931d2324d9358721eb3c495d72" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:26:18 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:26:18 2026 -0700" }, "message": "Merge branch \u0027risc-v-jit-support-for-bpf_get_current_task-_btf\u0027\n\nVarun R Mallya says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nRISC-V JIT support for bpf_get_current_task/_btf\n\nThese two patches add support for the bpf_get_current_task and\nbpf_get_current_task_btf kfuncs in RISC-V JIT and add a selftest.\n\nThe first patch adds support for cpu and feature detection on\nthe JIT disassembly helper function as RISC-V JITed code was not\nbeing disassembled using `LLVMCreateDisasm` as it was missing the\n\"+c\" CPU feature and JITed code contained RISC-V Compressed (C)\nExtension. This patch generalizes that to detect CPU features and\nenables testing on more RISC-V JIT work ahead.\n\nThe second patch, which actually adds this support has been benchmarked\non QEMU RISC-V and shows significant improvements.\nIt was benchmarked using a simple loop inside a bpf program that ran\nbpf_get_current_task() and execution time was measured. It used\nbpf_prog_test_run_opts() to repeatedly trigger the BPF program. The loop\nran in 1 second intervals and it kept firing bpf_prog_test_run_opts() as\nfast as possible until a second had elapsed and then reported statistics.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260602205847.102825-1-varunrmallya@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "6d13ddb1d46525931d2324d9358721eb3c495d72", "tree": "10d38a84624b2a60caa3d05cc9f32b41bc18428d", "parents": [ "557d0cc3f2520feba45360beeafb93203b3230e0" ], "author": { "name": "Varun R Mallya", "email": "varunrmallya@gmail.com", "time": "Wed Jun 03 02:28:47 2026 +0530" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:26:18 2026 -0700" }, "message": "bpf, riscv: inline bpf_get_current_task() and bpf_get_current_task_btf()\n\nOn RISC-V, the current task pointer is stored in the thread pointer\nregister (tp). Emit a single `mv a5, tp` instead of a full helper\ncall for BPF_FUNC_get_current_task and BPF_FUNC_get_current_task_btf.\n\nRegister bpf_jit_inlines_helper_call() entries for both helpers so the\nverifier treats them as inlined, and add the expected `mv a5, tp`\nannotation to the riscv64 selftests.\n\nThe following show changes before and after this patch.\n\nBefore patch:\n\n auipc t1,0x817a # load upper PC-relative address\n jalr -2004(t1) # call bpf_get_current_task helper\n mv a5,a0 # move return value to BPF_REG_0\n\nAfter patch:\n\n mv a5,tp # directly: a5 \u003d current (tp \u003d thread pointer)\n\nBenchmark (bpf_prog_test_run wrapping bpf_get_current_task in loop,\nbatch\u003d100, 10s, QEMU RISC-V):\n\n | runs/sec | helper-calls/sec | ns/call\n -------------+-----------+------------------+---------\n Before patch | 173,490 | 17,349,090 | 57\n After patch | 320,497 | 32,049,780 | 31\n -------------+-----------+------------------+---------\n Improvement | +84.7% | +84.7% | -45.6%\n\nSigned-off-by: Varun R Mallya \u003cvarunrmallya@gmail.com\u003e\nAcked-by: Björn Töpel \u003cbjorn@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260602205847.102825-3-varunrmallya@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "557d0cc3f2520feba45360beeafb93203b3230e0", "tree": "4369cded9381a48947d7a4400f4f4ee9f19c4358", "parents": [ "a1f1acf6a1491394d57e9635e47ccfcf8381f265" ], "author": { "name": "Varun R Mallya", "email": "varunrmallya@gmail.com", "time": "Wed Jun 03 02:28:46 2026 +0530" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:26:18 2026 -0700" }, "message": "selftests/bpf: use host CPU features in JIT disassembler\n\nPass the host CPU name and feature string to\nLLVMCreateDisasmCPUFeatures() instead of using LLVMCreateDisasm(), so\nthe disassembler correctly decodes CPU-specific instructions and\nextensions such as RISC-V compressed and vector instructions.\n\nSigned-off-by: Varun R Mallya \u003cvarunrmallya@gmail.com\u003e\nReviewed-by: Björn Töpel \u003cbjorn@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260602205847.102825-2-varunrmallya@gmail.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "a1f1acf6a1491394d57e9635e47ccfcf8381f265", "tree": "6c596237f76f8a3736224db46042116625d29665", "parents": [ "bbb5e2e31a5476d376ce1d0004c6168585fe1a7f", "d47e67a487bfb6952a7831a6b36b7a90534c6044" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:21:24 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:21:24 2026 -0700" }, "message": "Merge branch \u0027bpf-check-tail-zero-of-bpf_map_info-and-bpf_prog_info\u0027\n\nLeon Hwang says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nbpf: Check tail zero of bpf_map_info and bpf_prog_info\n\nCheck the tail bytes of bpf_map_info and bpf_prog_info due to padding\nwhen getting map info and prog info via BPF_OBJ_GET_INFO_BY_FD, which\nwas discussed in the thread\n\"bpf: Check tail zero of bpf_common_attr using offsetofend\" [1].\n\nLinks:\n[1] https://lore.kernel.org/bpf/20260518145446.6794-2-leon.hwang@linux.dev/\n\nChanges:\nv2 -\u003e v3:\n* Add \"__u32 :32\" to bpf_map_info and bpf_prog_info (per Alexei).\n* v2: https://lore.kernel.org/bpf/20260604150505.99129-1-leon.hwang@linux.dev/\n\nv1 -\u003e v2:\n* Collect Acked-by tags from Mykyta, thanks.\n* Update Fixes tag in patch #2 (per bot+bpf-ci)\n* v1: https://lore.kernel.org/bpf/20260603144518.67065-1-leon.hwang@linux.dev/\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260605155249.20772-1-leon.hwang@linux.dev\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "d47e67a487bfb6952a7831a6b36b7a90534c6044", "tree": "6c596237f76f8a3736224db46042116625d29665", "parents": [ "786be2b05980a5828e67fc564ad7517e2adbe9bd" ], "author": { "name": "Leon Hwang", "email": "leon.hwang@linux.dev", "time": "Fri Jun 05 23:52:49 2026 +0800" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:21:24 2026 -0700" }, "message": "selftests/bpf: Add tests to verify checking padding bytes for bpf_[map,prog]_info\n\nAdd two tests to verify that the tail padding 4 bytes of struct\nbpf_map_info and bpf_prog_info are checked in syscall.c using\nbpf_check_uarg_tail_zero().\n\nSigned-off-by: Leon Hwang \u003cleon.hwang@linux.dev\u003e\nLink: https://lore.kernel.org/r/20260605155249.20772-4-leon.hwang@linux.dev\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "786be2b05980a5828e67fc564ad7517e2adbe9bd", "tree": "c8e6011301957af4f246a977d940a6f3bd8df2ce", "parents": [ "e2a49fdb1beed150125b4104c90eb2a96ec7f63a" ], "author": { "name": "Leon Hwang", "email": "leon.hwang@linux.dev", "time": "Fri Jun 05 23:52:48 2026 +0800" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:21:24 2026 -0700" }, "message": "bpf: Check tail zero of bpf_prog_info\n\nSince there\u0027re 4 bytes padding at the end of struct bpf_prog_info, they\nwon\u0027t be checked by bpf_check_uarg_tail_zero().\n\npahole -C bpf_prog_info ./vmlinux\nstruct bpf_prog_info {\n\t...\n\t__u32 attach_btf_obj_id; /* 220 4 */\n\t__u32 attach_btf_id; /* 224 4 */\n\n\t/* size: 232, cachelines: 4, members: 38 */\n\t/* sum members: 224 */\n\t/* sum bitfield members: 1 bits, bit holes: 1, sum bit holes: 31 bits */\n\t/* padding: 4 */\n\t/* forced alignments: 9 */\n\t/* last cacheline: 40 bytes */\n} __attribute__((__aligned__(8)));\n\nIf a future kernel extension adds a new 4-byte field, older userspace\nprograms allocating this structure on the stack might inadvertently pass\nuninitialized stack garbage into the new field, permanently breaking\nbackward compatibility. -- sashiko [1]\n\nFix it by changing sizeof(info) to\noffsetofend(struct bpf_prog_info, attach_btf_id).\n\nAnd, add \"__u32 :32\" to the tail of struct bpf_prog_info.\n\n[1] https://lore.kernel.org/bpf/20260513224823.6494FC19425@smtp.kernel.org/\n\nFixes: aba64c7da983 (\"bpf: Add verified_insns to bpf_prog_info and fdinfo\")\nAcked-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nSigned-off-by: Leon Hwang \u003cleon.hwang@linux.dev\u003e\nLink: https://lore.kernel.org/r/20260605155249.20772-3-leon.hwang@linux.dev\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "e2a49fdb1beed150125b4104c90eb2a96ec7f63a", "tree": "81cd63b4a46259e013b857436bb5847c77b39399", "parents": [ "bbb5e2e31a5476d376ce1d0004c6168585fe1a7f" ], "author": { "name": "Leon Hwang", "email": "leon.hwang@linux.dev", "time": "Fri Jun 05 23:52:47 2026 +0800" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 15:21:24 2026 -0700" }, "message": "bpf: Check tail zero of bpf_map_info\n\nSince there\u0027re 4 bytes padding at the end of struct bpf_map_info, they\nwon\u0027t be checked by bpf_check_uarg_tail_zero().\n\npahole -C bpf_map_info ./vmlinux\nstruct bpf_map_info {\n\t...\n\t__u64 hash __attribute__((__aligned__(8))); /* 88 8 */\n\t__u32 hash_size; /* 96 4 */\n\n\t/* size: 104, cachelines: 2, members: 18 */\n\t/* padding: 4 */\n\t/* forced alignments: 1 */\n\t/* last cacheline: 40 bytes */\n} __attribute__((__aligned__(8)));\n\nIf a future kernel extension adds a new 4-byte field, older userspace\nprograms allocating this structure on the stack might inadvertently pass\nuninitialized stack garbage into the new field, permanently breaking\nbackward compatibility. -- sashiko [1]\n\nFix it by changing sizeof(info) to\noffsetofend(struct bpf_map_info, hash_size).\n\nAnd, add \"__u32 :32\" to the tail of struct bpf_map_info.\n\n[1] https://lore.kernel.org/bpf/20260513224823.6494FC19425@smtp.kernel.org/\n\nFixes: ea2e6467ac36 (\"bpf: Return hashes of maps in BPF_OBJ_GET_INFO_BY_FD\")\nAcked-by: Mykyta Yatsenko \u003cyatsenko@meta.com\u003e\nSigned-off-by: Leon Hwang \u003cleon.hwang@linux.dev\u003e\nLink: https://lore.kernel.org/r/20260605155249.20772-2-leon.hwang@linux.dev\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "bbb5e2e31a5476d376ce1d0004c6168585fe1a7f", "tree": "e43740b986b92b289c5c2eec2d847b3b4530b0a3", "parents": [ "4a7910ee060d8ce55612f5b3cc267f3a265a3cec", "3ca6543464f8f396eee018399b5e266196b0a9a7" ], "author": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 14:20:58 2026 -0700" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 14:21:18 2026 -0700" }, "message": "Merge branch \u0027selftests-bpf-tolerate-partial-builds-across-kernel-configs\u0027\n\nRicardo B. Marliere says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nselftests/bpf: Tolerate partial builds across kernel configs\n\nCurrently the BPF selftests can only be built by using the minimum kernel\nconfiguration defined in tools/testing/selftests/bpf/config*. This poses a\nproblem in distribution kernels that may have some of the flags disabled or\nset as module. For example, we have been running the tests regularly in\nopenSUSE Tumbleweed [1] [2] but to work around this fact we created a\nspecial package [3] that build the tests against an auxiliary vmlinux with\nthe BPF Kconfig. We keep a list of known issues that may happen due to,\namongst other things, configuration mismatches [4] [5].\n\nThe maintenance of this package is far from ideal, especially for\nenterprise kernels. The goal of this series is to enable the common usecase\nof running the following in any system:\n\n```sh\nmake -C tools/testing/selftests install \\\n SKIP_TARGETS\u003d \\\n TARGETS\u003dbpf \\\n BPF_STRICT_BUILD\u003d0 \\\n O\u003d/lib/modules/$(uname -r)/build\n```\n\nAs an example, the following script targeting a minimal config can be used\nfor testing:\n\n```sh\nmake defconfig\nscripts/config --file .config \\\n --enable DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT \\\n --enable DEBUG_INFO_BTF \\\n --enable BPF_SYSCALL \\\n --enable BPF_JIT\nmake olddefconfig\nmake -j$(nproc)\nmake -j$(nproc) -C tools/testing/selftests install \\\n SKIP_TARGETS\u003d \\\n TARGETS\u003dbpf \\\n BPF_STRICT_BUILD\u003d0\n```\n\nThis produces a test_progs binary with 592 subtests, against the total of\n727. Many of them will still fail or be skipped at runtime due to lack of\nsymbols, but at least there will be a clear way of building the tests.\n\n[1]: https://openqa.opensuse.org/tests/5811715\n[2]: https://openqa.opensuse.org/tests/5811730\n[3]: https://src.opensuse.org/rmarliere/kselftests\n[4]: https://github.com/openSUSE/kernel-qe/blob/main/kselftests_known_issues.yaml\n[5]: https://openqa.opensuse.org/tests/5811730/logfile?filename\u003drun_kselftests-config_mismatches.txt\n---\nChanges in v12:\n- Rebase from 11 to 8 commits: split the test_kmods KDIR patch into a\n pure KDIR fix (no PERMISSIVE) and a separate tolerance patch; squash\n the BPF_STRICT_BUILD toggle with its first PERMISSIVE user; squash\n the four test_progs partial-build patches into one; move the install\n fix to immediately follow the first PERMISSIVE user\n- Link to v11: https://patch.msgid.link/20260430-selftests-bpf_misconfig-v11-0-e11f7a8c4fdc@suse.com\n\nChanges in v11:\n- Gate the BTFIDS pretty-print on $(filter 1,$(V)) so V\u003d0 and V\u003d2 still\n print the marker; only V\u003d1 suppresses it (patch 6)\n- Use asm volatile (\"\") in the uprobe_multi_func_{1,2,3} weak stubs to\n match the strong definitions in prog_tests/uprobe_multi_test.c\n (patch 10)\n- Link to v10: https://patch.msgid.link/20260430-selftests-bpf_misconfig-v10-0-cd302a31af16@suse.com\n\nChanges in v10:\n- Drop $(wildcard $^) from the bench link recipe so cc fails cleanly on\n the first missing input and the || fallback emits one SKIP-LINK line\n instead of a wall of undefined-reference errors; also makes make -n\n accurate (patch 9)\n- Include \u003calloca.h\u003e in testing_helpers.c for alloca() (patch 10)\n- Link to v9: https://patch.msgid.link/20260429-selftests-bpf_misconfig-v9-0-c311f06b4791@suse.com\n\nChanges in v9:\n- Also pass KBUILD_OUTPUT\u003d$(KMOD_O_VALID) when invoking kbuild so an\n inherited command-line KBUILD_OUTPUT cannot disagree with O\u003d (patch 2)\n- Note BPFOBJ remains a normal prereq intentionally (patch 5)\n- Sub-shell isolate cd/CC and use $@ for $(RM); gate the BTFIDS\n pretty-print on $(V) so verbose mode does not double-print (patch 6)\n- Restrict permissive compile-failure tolerance and partial-link to\n test_progs%; runners with strong cross-object references (test_maps)\n keep strict semantics (patches 6 and 8)\n- Link to v8: https://patch.msgid.link/20260428-selftests-bpf_misconfig-v8-0-bf02cf97dbcb@suse.com\n\nChanges in v8:\n- In permissive mode, keep source changes to already-built tests\n triggering relinks, while using recipe-time $(wildcard ...) to pick\n up fresh .test.o files without duplicate linker inputs (patch 8)\n- Resolve relative O\u003d/KBUILD_OUTPUT before recursing into test_kmods,\n and only treat it as a kernel build dir when it contains\n Module.symvers (patch 2)\n- Note in the commit message that PERMISSIVE-mode bisecting here needs\n the next two patches (patch 6)\n- Clarify in the commit message that order-only skeleton prereqs do not\n break the new-skel-via-local-header case (patch 5)\n- Exclude not-built tests from the success count so summary and JSON\n report them only as skipped (patch 7)\n- Tighten commit messages for accuracy and clarity\n- Link to v7: https://patch.msgid.link/20260416-selftests-bpf_misconfig-v7-0-a078e18012e4@suse.com\n\nChanges in v7:\n- Use $(abspath) for KMOD_O so relative O\u003d paths resolve correctly\n when make -C changes directory (patch 2)\n- Guard make clean against missing KDIR unconditionally; there is\n nothing to clean when kernel headers are absent (patch 2)\n- Drop explicit $(TRUNNER_TEST_OBJS) from linker filter in strict mode;\n $^ already contains them as normal prerequisites (patch 8)\n- Link to v6: https://patch.msgid.link/20260416-selftests-bpf_misconfig-v6-0-7efeab504af1@suse.com\n\nChanges in v6:\n- Add --ignore-missing-args to -extras rsync so out-of-tree permissive\n builds do not abort when .ko files are absent (patch 2)\n- Use $(abspath) for KMOD_O so relative O\u003d paths resolve correctly\n when make -C changes directory (patch 2)\n- Guard make clean against missing KDIR unconditionally so cleaning\n does not abort when kernel headers are absent (patch 2)\n- Remove stale skeleton headers in early-exit paths when .bpf.o is\n missing on incremental builds (patch 3)\n- Fix strict-mode skeleton rules: use \u0026\u0026 before temp file cleanup so\n bpftool failures are not masked by rm -f exit code (patch 3)\n- Track test filter selection separately from not_built so -t/-n flags\n are respected for unbuilt tests (patch 7)\n- Make TRUNNER_TEST_OBJS order-only only in permissive mode, preserving\n incremental relinking in strict builds (patch 8)\n- Drop explicit $(TRUNNER_TEST_OBJS) from linker filter in strict mode;\n they are already in $^ as normal prerequisites (patch 8)\n- Reorder: move skip-unbuilt-tests patch before partial-linking patch\n for bisectability\n- Link to v5: https://patch.msgid.link/20260415-selftests-bpf_misconfig-v5-0-03d0a52a898a@suse.com\n\nChanges in v5:\n- Add BPF_STRICT_BUILD toggle as patch 1 so every subsequent patch\n gates tolerance behind PERMISSIVE from the start, making the series\n bisectable with strict-by-default at every point\n- Fix O\u003d commit message; make parent cp conditional (patch 2)\n- Tolerate linked skeleton failures (patch 3)\n- Skip feature detection for emit_tests (patch 4)\n- Clarify bench is all-or-nothing in commit message (patch 8)\n- Move stack_mprotect() to testing_helpers.c, drop weak stubs (patch 9)\n- Report not-built tests as \"SKIP (not built)\" in output (patch 10)\n- Drop overly broad 2\u003e/dev/null || true from install rsync; rely solely\n on --ignore-missing-args which already handles absent files (patch 11)\n- Link to v4: https://patch.msgid.link/20260406-selftests-bpf_misconfig-v4-0-9914f50efdf7@suse.com\n\nChanges in v4:\n- Drop the test_kmods kselftest module flow patch: lib.mk gen_mods_dir\n invokes $(MAKE) -C $(TEST_GEN_MODS_DIR) without forwarding\n RESOLVE_BTFIDS, breaking ASAN and GCC BPF CI builds (Makefile.modfinal\n cannot find resolve_btfids in the kbuild output tree)\n- Link to v3:\n https://patch.msgid.link/20260406-selftests-bpf_misconfig-v3-0-587a1114263c@suse.com\n\nChanges in v3:\n- Split test_kmods patch into two: fix KDIR handling (O\u003d passthrough,\n EXTRA_CFLAGS/EXTRA_LDFLAGS clearing) and wire into lib.mk via\n TEST_GEN_MODS_DIR\n- Pass O\u003d through to the kernel module build so artifacts land in the\n output tree, not the source tree\n- Clear EXTRA_CFLAGS and EXTRA_LDFLAGS when invoking the kernel build to\n prevent host flags (e.g. -static) leaking into module compilation\n- Replace the bespoke test_kmods pattern rule with lib.mk module\n infrastructure (TEST_GEN_MODS_DIR); lib.mk now drives build and clean\n lifecycle\n- Make the .ko copy step resilient: emit SKIP instead of failing when a\n module is absent\n- Expand the uprobe weak stub comment in bpf_cookie.c to explain why\n noinline is required\n- Link to v2:\n https://patch.msgid.link/20260403-selftests-bpf_misconfig-v2-0-f06700380a9d@suse.com\n\nChanges in v2:\n- Skip test_kmods build/clean when KDIR directory does not exist\n- Use `Module.symvers` instead of `.config` for in-tree detection\n- Fix skeleton order-only prereqs commit message\n- Guard BTFIDS step when .test.o is absent\n- Add `__weak stack_mprotect()` stubs in `bpf_cookie.c` and `iters.c`\n- Link to v1:\n https://patch.msgid.link/20260401-selftests-bpf_misconfig-v1-0-3ae42c0af76f@suse.com\n\nAssisted-by: {codex,claude}\nTested-by: Alan Maguire \u003calan.maguire@oracle.com\u003e\nSigned-off-by: Ricardo B. Marliere \u003crbm@suse.com\u003e\n\n---\nRicardo B. Marlière (11):\n selftests/bpf: Add BPF_STRICT_BUILD toggle\n selftests/bpf: Fix test_kmods KDIR to honor O\u003d and distro kernels\n selftests/bpf: Tolerate BPF and skeleton generation failures\n selftests/bpf: Avoid rebuilds when running emit_tests\n selftests/bpf: Make skeleton headers order-only prerequisites of .test.d\n selftests/bpf: Tolerate test file compilation failures\n selftests/bpf: Skip tests whose objects were not built\n selftests/bpf: Allow test_progs to link with a partial object set\n selftests/bpf: Tolerate benchmark build failures\n selftests/bpf: Provide weak definitions for cross-test functions\n selftests/bpf: Tolerate missing files during install\n\n tools/testing/selftests/bpf/Makefile | 177 ++++++++++++++-------\n .../testing/selftests/bpf/prog_tests/bpf_cookie.c | 17 +-\n tools/testing/selftests/bpf/prog_tests/iters.c | 2 -\n tools/testing/selftests/bpf/prog_tests/test_lsm.c | 22 ---\n tools/testing/selftests/bpf/test_kmods/Makefile | 30 +++-\n tools/testing/selftests/bpf/test_progs.c | 53 +++++-\n tools/testing/selftests/bpf/test_progs.h | 1 +\n tools/testing/selftests/bpf/testing_helpers.c | 18 +++\n tools/testing/selftests/bpf/testing_helpers.h | 1 +\n 9 files changed, 226 insertions(+), 95 deletions(-)\n---\nbase-commit: b93c55b4932dd7e32dca8cf34a3443cc87a02906\nchange-id: 20260401-selftests-bpf_misconfig-4c33ef5c56da\n\nBest regards,\n--\nRicardo B. Marlière \u003crbm@suse.com\u003e\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260602-selftests-bpf_misconfig-v12-0-27f898b3ba26@suse.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "3ca6543464f8f396eee018399b5e266196b0a9a7", "tree": "e43740b986b92b289c5c2eec2d847b3b4530b0a3", "parents": [ "b85e63cb65f96df373b034cc347b0e18231cb0d5" ], "author": { "name": "Ricardo B. Marlière", "email": "rbm@suse.com", "time": "Tue Jun 02 10:03:00 2026 -0300" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 14:20:58 2026 -0700" }, "message": "selftests/bpf: Tolerate missing files during install\n\nWith partial builds, some TEST_GEN_FILES entries can be absent at install\ntime. rsync treats missing source arguments as fatal and aborts kselftest\ninstallation.\n\nOverride INSTALL_SINGLE_RULE in selftests/bpf to use --ignore-missing-args,\nwhile keeping the existing bpf-specific INSTALL_RULE extension logic. Also\nadd --ignore-missing-args to the TEST_INST_SUBDIRS rsync loop so that\nsubdirectories with no .bpf.o files (e.g. when a test runner flavor was\nskipped) do not abort installation.\n\nNote that the INSTALL_SINGLE_RULE override applies globally to all file\ncategories including static source files (TEST_PROGS, TEST_FILES). These\nare version-controlled and should always be present, so the practical risk\nis negligible.\n\nSigned-off-by: Ricardo B. Marlière \u003crbm@suse.com\u003e\nLink: https://lore.kernel.org/r/20260602-selftests-bpf_misconfig-v12-11-27f898b3ba26@suse.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "b85e63cb65f96df373b034cc347b0e18231cb0d5", "tree": "c0af6c40693995892eeb35f0539093a0084baa87", "parents": [ "f813a4d6877e9197f6e85120c144738e3c1c3b80" ], "author": { "name": "Ricardo B. Marlière", "email": "rbm@suse.com", "time": "Tue Jun 02 10:02:59 2026 -0300" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 14:20:58 2026 -0700" }, "message": "selftests/bpf: Provide weak definitions for cross-test functions\n\nSome test files reference functions defined in other translation units that\nmay not be compiled when skeletons are missing. Replace forward\ndeclarations of uprobe_multi_func_{1,2,3}() with weak no-op stubs so the\nlinker resolves them regardless of which objects are present.\n\nThe stub bodies are `asm volatile (\"\")` rather than empty, matching the\nshape of the strong definitions in prog_tests/uprobe_multi_test.c. This\nkeeps the weak and strong sides on the same footing for the optimiser\n(noinline + asm-barrier), which is the form upstream already relies on\nfor these functions.\n\nMove stack_mprotect() from test_lsm.c into testing_helpers.c so it is\nalways available. The previous weak-stub approach returned 0, which would\ncause callers expecting -1/EPERM to fail their assertions\ndeterministically. Having the real implementation in a shared utility\navoids this problem entirely.\n\nInclude \u003calloca.h\u003e for alloca() so the build does not rely on glibc\u0027s\nimplicit declaration via \u003cstdlib.h\u003e.\n\nSigned-off-by: Ricardo B. Marlière \u003crbm@suse.com\u003e\nLink: https://lore.kernel.org/r/20260602-selftests-bpf_misconfig-v12-10-27f898b3ba26@suse.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "f813a4d6877e9197f6e85120c144738e3c1c3b80", "tree": "90d9ef9c9a770dd6e8adcf126268115a51f2debd", "parents": [ "af490669fd339988765d87de9dd1b25e62ec64cf" ], "author": { "name": "Ricardo B. Marlière", "email": "rbm@suse.com", "time": "Tue Jun 02 10:02:58 2026 -0300" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 14:20:58 2026 -0700" }, "message": "selftests/bpf: Tolerate benchmark build failures\n\nBenchmark objects depend on skeletons that may be missing when some BPF\nprograms fail to build. In that case, benchmark object compilation or final\nbench linking should not abort the full selftests/bpf build.\n\nKeep both steps non-fatal, emit SKIP-BENCH or SKIP-LINK, and remove failed\noutputs so stale objects or binaries are not reused by later incremental\nbuilds. Note that because bench.c statically references every benchmark via\nextern symbols, partial linking is not possible: if any single benchmark\nobject fails, the entire bench binary is skipped. This is by design -- the\nerror handler catches all compilation failures including genuine ones, but\nthose are caught by full-config CI runs.\n\nSigned-off-by: Ricardo B. Marlière \u003crbm@suse.com\u003e\nLink: https://lore.kernel.org/r/20260602-selftests-bpf_misconfig-v12-9-27f898b3ba26@suse.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "af490669fd339988765d87de9dd1b25e62ec64cf", "tree": "3adde52aa55d4a917c42208d6c1d51853f50291c", "parents": [ "aeb73a9f301de4f0df7c858ea465a7a9f5d09fd7" ], "author": { "name": "Ricardo B. Marlière", "email": "rbm@suse.com", "time": "Tue Jun 02 10:02:57 2026 -0300" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 14:20:58 2026 -0700" }, "message": "selftests/bpf: Allow test_progs to link with a partial object set\n\nWhen individual test files are skipped due to compilation failures, their\n.test.o files are absent. The linker step currently lists all expected\n.test.o files as explicit prerequisites, so make considers any missing one\nan error.\n\nIn permissive mode, declare the test objects that already exist on disk\n(via parse-time $(wildcard ...)) as normal prerequisites of the binary so\nthat modifications to a test source still trigger a relink, and keep the\nfull TRUNNER_TEST_OBJS list as order-only prerequisites so that initial\nfresh builds still produce them and missing objects do not abort the link.\nThe recipe filter is split per mode: in permissive mode it combines a\nrecipe-time $(wildcard ...) (which catches objects freshly produced via\nthe order-only path on a fresh build) with $(filter-out\n$(TRUNNER_TEST_OBJS),$^) (which keeps the non-test inputs from $^ but\ndrops the parse-time wildcard duplicates). This avoids passing the same\n.test.o twice to the linker while still presenting test objects before\nlibbpf.a so that GNU ld, which scans static archives left-to-right, pulls\nin archive members referenced exclusively by test objects (e.g.\nring_buffer__new from ringbuf.c). In default (strict) mode the recipe\nremains the simple $(filter %.a %.o,$^) since TRUNNER_TEST_OBJS is part\nof $^ exactly once.\n\nGate the partial-link behavior on $(if $(filter test_progs%,$1),...) so\nit only applies to test_progs and its flavors. test_maps and similar\nrunners using strong cross-object references would link-fail with a\npartial set and intentionally retain strict link semantics.\n\nNote: adding a brand-new test_*.c file in permissive mode requires\nremoving the binary (or a clean rebuild) before the new test is linked\nin, because the parse-time $(wildcard ...) is evaluated when the Makefile\nis read and will not yet see the new .test.o. This is acceptable since\npermissive mode targets tolerant CI builds rather than incremental\ndevelopment.\n\nSigned-off-by: Ricardo B. Marlière \u003crbm@suse.com\u003e\nLink: https://lore.kernel.org/r/20260602-selftests-bpf_misconfig-v12-8-27f898b3ba26@suse.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "aeb73a9f301de4f0df7c858ea465a7a9f5d09fd7", "tree": "73f69eae633cc83849f5b5c273e498f829dbb783", "parents": [ "9c4de137a9a5280c95515e83e97838826603ea93" ], "author": { "name": "Ricardo B. Marlière", "email": "rbm@suse.com", "time": "Tue Jun 02 10:02:56 2026 -0300" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 14:20:58 2026 -0700" }, "message": "selftests/bpf: Skip tests whose objects were not built\n\nWhen both run_test and run_serial_test are NULL (because the corresponding\n.test.o was not compiled), mark the test as not built instead of fatally\naborting.\n\nReport these tests as \"SKIP (not built)\" in per-test output and include\nthem in the skip count so they remain visible in CI results and JSON\noutput. The summary line shows the not-built count when nonzero:\n\n Summary: 50/55 PASSED, 5 SKIPPED (3 not built), 0 FAILED\n\nTests filtered out by -t/-n remain invisible as before; only genuinely\nunbuilt tests are surfaced.\n\nSigned-off-by: Ricardo B. Marlière \u003crbm@suse.com\u003e\nLink: https://lore.kernel.org/r/20260602-selftests-bpf_misconfig-v12-7-27f898b3ba26@suse.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "9c4de137a9a5280c95515e83e97838826603ea93", "tree": "e0a79f83c241307408145e91ca2b540b455fef75", "parents": [ "5498e47741c8a742f730bf9996234bdae1c08ccc" ], "author": { "name": "Ricardo B. Marlière", "email": "rbm@suse.com", "time": "Tue Jun 02 10:02:55 2026 -0300" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 14:20:58 2026 -0700" }, "message": "selftests/bpf: Tolerate test file compilation failures\n\nIndividual test files may fail to compile when headers or kernel features\nrequired by that test are absent. Currently this aborts the entire build.\n\nMake the per-test compilation non-fatal: remove the output object on\nfailure and print a SKIP-TEST marker to stderr. Guard the BTFIDS\npost-processing step so it is skipped when the object file is absent. The\nlinker step will later ignore absent objects, allowing the remaining tests\nto build and run.\n\nGroup cd and CC in a sub-shell so a cd failure cannot leak into the\nerror-handling branch and operate in the original working directory; use\n$@ (absolute path) for $(RM) so it cannot match an unrelated file there.\n\nReplace the $(call msg,...) in the BTFIDS block with a plain printf\n(the msg macro expands to @printf, which is a make-recipe construct and\nis invalid inside a shell if-then-fi body) and gate the printf on\n$(filter 1,$(V)) so verbose mode (V\u003d1) does not double-print the line\nthat the recipe shell already echoes; non-verbose modes (V unset, V\u003d0,\nV\u003d2, ...) still print the BTFIDS marker, matching the convention of the\nshared msg macro.\n\nRestrict tolerance to test_progs and its flavors via an inlined\n$(if $(filter test_progs%,$1),$(if $(PERMISSIVE),...)) check: runners\nwith strong cross-object references (e.g. test_maps) would link-fail\nwith a partial object set, so they keep strict semantics even when\nBPF_STRICT_BUILD\u003d0. The check is inlined rather than stored in a helper\nvariable so $1 is substituted at $(call) time and the per-runner result\nis baked into each recipe.\n\nNote on bisectability: this change is gated entirely behind PERMISSIVE\nfor test_progs%, so default builds (BPF_STRICT_BUILD!\u003d0) compile and\nrun identically at every commit in the series. Bisecting in PERMISSIVE\nmode at this commit still requires the next two patches (\"selftests/bpf:\nSkip tests whose objects were not built\" and \"selftests/bpf: Allow\ntest_progs to link with a partial object set\") to avoid the linker\nrejecting missing objects and the runtime aborting on NULL function\npointers.\n\nSigned-off-by: Ricardo B. Marlière \u003crbm@suse.com\u003e\nLink: https://lore.kernel.org/r/20260602-selftests-bpf_misconfig-v12-6-27f898b3ba26@suse.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "5498e47741c8a742f730bf9996234bdae1c08ccc", "tree": "e61516074b63f2153a636b5a47f2f1939246c8ab", "parents": [ "a97bfc9aae076f49f0bcad713bde02b87553b995" ], "author": { "name": "Ricardo B. Marlière", "email": "rbm@suse.com", "time": "Tue Jun 02 10:02:54 2026 -0300" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 14:20:58 2026 -0700" }, "message": "selftests/bpf: Make skeleton headers order-only prerequisites of .test.d\n\nThe .test.d dependency files are generated by the C preprocessor and list\nthe headers each test file actually #includes. Skeleton headers appear in\nthose generated lists, so the .test.o -\u003e .skel.h dependency is already\ntracked by the .d file content.\n\nMaking skeletons order-only prerequisites of .test.d means that a missing\nor skipped skeleton does not prevent .test.d generation, and regenerating a\nskeleton does not force .test.d to be recreated. This avoids unnecessary\nrecompilation and, more importantly, avoids build errors when a skeleton\nwas intentionally skipped due to a BPF compilation failure.\n\n$$(BPFOBJ) is intentionally kept as a normal prerequisite: a libbpf\nrebuild legitimately invalidates .test.d, since libbpf header changes\ncan affect the headers .test.o sees. Only the skeleton headers are\nmoved to order-only.\n\nNote that adding a new BPF skeleton via a modified existing local header\nstill works correctly: GNU make builds order-only prerequisites that do\nnot exist (the order-only qualifier only suppresses timestamp-driven\nrebuilds, not existence-driven builds), so a brand-new .skel.h listed in\nTRUNNER_BPF_SKELS is generated even when .test.d is otherwise up to date.\nThe modified local header invalidates .test.o through the previously\nincluded .d content, forcing a recompile that regenerates .test.d with\nthe new .skel.h dependency captured by gcc -MMD.\n\nSigned-off-by: Ricardo B. Marlière \u003crbm@suse.com\u003e\nLink: https://lore.kernel.org/r/20260602-selftests-bpf_misconfig-v12-5-27f898b3ba26@suse.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "a97bfc9aae076f49f0bcad713bde02b87553b995", "tree": "474ea8de8f4123ef8db2c942d3ba07ea1a6740ed", "parents": [ "c476bdf27657c6ea4a447c18de169c7bdcdd419d" ], "author": { "name": "Ricardo B. Marlière", "email": "rbm@suse.com", "time": "Tue Jun 02 10:02:53 2026 -0300" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 14:20:58 2026 -0700" }, "message": "selftests/bpf: Avoid rebuilds when running emit_tests\n\nemit_tests is used while installing selftests to generate the kselftest\nlist. Pulling in .d files for this goal can trigger BPF rebuild rules and\nmix build output into list generation.\n\nSkip dependency file inclusion for emit_tests, like clean goals, so list\ngeneration stays side-effect free. Also add emit_tests to\nNON_CHECK_FEAT_TARGETS so that feature detection is skipped; without this,\nMakefile.feature\u0027s $(info) output leaks into stdout and corrupts the test\nlist captured by the top-level selftests Makefile.\n\nSigned-off-by: Ricardo B. Marlière \u003crbm@suse.com\u003e\nLink: https://lore.kernel.org/r/20260602-selftests-bpf_misconfig-v12-4-27f898b3ba26@suse.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "c476bdf27657c6ea4a447c18de169c7bdcdd419d", "tree": "f46ed7d26dfa8a2fbbff5b316fe2743f48727503", "parents": [ "9779193e871b144e34ec4a3e50109b3778a51a69" ], "author": { "name": "Ricardo B. Marlière", "email": "rbm@suse.com", "time": "Tue Jun 02 10:02:52 2026 -0300" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 14:20:58 2026 -0700" }, "message": "selftests/bpf: Tolerate BPF and skeleton generation failures\n\nSome BPF programs cannot be built on distro kernels because required BTF\ntypes or features are missing. A single failure currently aborts the\nselftests/bpf build.\n\nMake BPF object and skeleton generation best effort in permissive mode:\nemit SKIP-BPF or SKIP-SKEL to stderr, remove failed outputs so downstream\nrules can detect absence, and continue with remaining tests. Apply the same\ntolerance to linked skeletons (TRUNNER_BPF_SKELS_LINKED), which depend on\nmultiple .bpf.o files and abort the build when any dependency is missing.\n\nNote that progress messages (GEN-SKEL, LINK-BPF) are also redirected to\nstderr as a side effect of rewriting the recipes into single-shell\npipelines; the $(call msg,...) macro is a make-recipe construct that cannot\nbe used inside an \u0026\u0026-chained shell command sequence.\n\nSigned-off-by: Ricardo B. Marlière \u003crbm@suse.com\u003e\nLink: https://lore.kernel.org/r/20260602-selftests-bpf_misconfig-v12-3-27f898b3ba26@suse.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" }, { "commit": "9779193e871b144e34ec4a3e50109b3778a51a69", "tree": "4c2d8cec76768fe7c65f29b6497c7cb10326febb", "parents": [ "a6850fa388f6f6ff365b3b72cb71e6d9a8a614ed" ], "author": { "name": "Ricardo B. Marlière", "email": "rbm@suse.com", "time": "Tue Jun 02 10:02:51 2026 -0300" }, "committer": { "name": "Alexei Starovoitov", "email": "ast@kernel.org", "time": "Fri Jun 05 14:20:57 2026 -0700" }, "message": "selftests/bpf: Fix test_kmods KDIR to honor O\u003d and distro kernels\n\ntest_kmods/Makefile always pointed KDIR at the kernel source tree root,\nignoring O\u003d and KBUILD_OUTPUT. On distro kernels where the source tree has\nnot been built, the Makefile had no fallback and would fail\nunconditionally.\n\nWhen O\u003d or KBUILD_OUTPUT is set and points at a prepared kernel build\ndirectory (one containing Module.symvers), pass it through so kbuild can\nlocate the correct build infrastructure (scripts, Kconfig, etc.). Note\nthat the module artifacts themselves still land in the M\u003d directory,\nwhich is test_kmods/; O\u003d only controls where kbuild finds its build\ninfrastructure. Fall back to /lib/modules/$(uname -r)/build when neither\nan explicit valid build directory nor an in-tree Module.symvers is\npresent.\n\nA selftests-only O\u003d value (one that does not contain Module.symvers, e.g.\na private output directory) is intentionally not treated as a kernel\nbuild directory. Without this guard, a user invoking\n\"make -C tools/testing/selftests/bpf O\u003d/tmp/out\" would have test_kmods\ntry to use /tmp/out as the kernel build dir and fail.\n\nThe parent bpf/Makefile resolves O\u003d and KBUILD_OUTPUT to absolute paths\nbefore invoking the test_kmods sub-make. Without this, $(abspath ...)\ninside test_kmods/Makefile would resolve relative paths against the\nsub-make\u0027s CWD (test_kmods/) rather than the user\u0027s invocation directory.\n\nWhen O\u003d is passed to kbuild, also pass KBUILD_OUTPUT\u003d$(KMOD_O_VALID)\nexplicitly. The parent invocation lifts KBUILD_OUTPUT into MAKEFLAGS as\na command-line variable, which would otherwise suppress kbuild\u0027s own\n\"KBUILD_OUTPUT :\u003d $(O)\" assignment and cause it to use the inherited\nKBUILD_OUTPUT instead of the validated O\u003d.\n\nGuard both all and clean against a missing KDIR so the step is silently\nskipped rather than fatal. Make the parent Makefile\u0027s cp conditional so it\ndoes not abort when modules were not built.\n\nSigned-off-by: Ricardo B. Marlière \u003crbm@suse.com\u003e\nLink: https://lore.kernel.org/r/20260602-selftests-bpf_misconfig-v12-2-27f898b3ba26@suse.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\n" } ], "next": "a6850fa388f6f6ff365b3b72cb71e6d9a8a614ed" }