From: Leon Hwang <leon.hwang@linux.dev>
To: bot+bpf-ci@kernel.org
Cc: Leon Hwang <leon.hwang@linux.dev>,
bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net,
john.fastabend@gmail.com, andrii@kernel.org,
martin.lau@linux.dev, eddyz87@gmail.com, song@kernel.org,
yonghong.song@linux.dev, kpsingh@kernel.org, sdf@fomichev.me,
haoluo@google.com, jolsa@kernel.org, shuah@kernel.org,
brauner@kernel.org, sforshee@kernel.org, yuichtsu@amazon.com,
aalbersh@redhat.com, willemb@google.com,
kerneljasonxing@gmail.com, chen.dylane@linux.dev,
yatsenko@meta.com, memxor@gmail.com, a.s.protopopov@gmail.com,
ameryhung@gmail.com, rongtao@cestc.cn,
linux-kernel@vger.kernel.org, linux-api@vger.kernel.org,
linux-kselftest@vger.kernel.org, kernel-patches-bot@fb.com,
martin.lau@kernel.org, clm@meta.com, ihor.solodrai@linux.dev
Subject: Re: [PATCH bpf-next v12 6/8] bpf: Add syscall common attributes support for map_create
Date: Wed, 22 Apr 2026 13:44:27 +0800
Message-ID: <20260422054429.389475-1-leon.hwang@linux.dev>
In-Reply-To: <caa1b9f532b97e8cbcf9b2c00fc5d39d038066d08993ab4c12bba5a6cf971528@mail.kernel.org>
On Mon, 20 Apr 2026 14:56:33 +0000 (UTC), bot+bpf-ci@kernel.org wrote:
>> diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
>> index dbe321aa8591..34500f81db6e 100644
>> --- a/include/linux/bpf_verifier.h
>> +++ b/include/linux/bpf_verifier.h
>> @@ -710,6 +710,9 @@ struct bpf_log_attr {
>> int bpf_log_attr_init(struct bpf_log_attr *log, u64 log_buf, u32 log_size, u32 log_level,
>> u32 offsetof_log_true_size, bpfptr_t uattr, struct bpf_common_attr *common,
>> bpfptr_t uattr_common, u32 size_common);
>> +struct bpf_verifier_log *bpf_log_attr_create_vlog(struct bpf_log_attr *attr_log,
>> + struct bpf_common_attr *common, bpfptr_t uattr,
>> + u32 size);
>> int bpf_log_attr_finalize(struct bpf_log_attr *attr, struct bpf_verifier_log *log);
>>
>> #define BPF_MAX_SUBPROGS 256
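Review bot: the new declaration names its first parameter `attr_log`, while the prototypes directly above and below it use `log` (bpf_log_attr_init) and `attr` (bpf_log_attr_finalize) for the same `struct bpf_log_attr *`, and its length parameter is `size` where bpf_log_attr_init uses `size_common`. Using one name per role across the three prototypes would make the header easier to follow. A short comment above the declaration saying what the returned `struct bpf_verifier_log *` is when no log buffer is supplied would also help callers.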
>> diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c
>> index dffe3a0180a7..5a977a52ef61 100644
>> --- a/kernel/bpf/log.c
>> +++ b/kernel/bpf/log.c
>> @@ -860,6 +860,36 @@ int bpf_log_attr_init(struct bpf_log_attr *log, u64 log_buf, u32 log_size, u32 l
>> return 0;
>> }
>>
>> +
NIT: should drop this dup blank line.
>> +struct bpf_verifier_log *bpf_log_attr_create_vlog(struct bpf_log_attr *attr_log,
>> + struct bpf_common_attr *common, bpfptr_t uattr,
>> + u32 size)
>> +{
>> + struct bpf_verifier_log *log;
>> + int err;
>> +
>> + memset(attr_log, 0, sizeof(*attr_log));
>> + attr_log->uattr = uattr;
>> + if (size >= offsetofend(struct bpf_common_attr, log_true_size))
>> + attr_log->offsetof_true_size = offsetof(struct bpf_common_attr, log_true_size);
>> +
>> + if (!common->log_buf)
>> + return NULL;
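Review bot: the `return NULL` taken on `!common->log_buf` makes NULL a non-error result of bpf_log_attr_create_vlog(), distinct from whatever the `int err` local reports further down, so callers must tell "no log requested" apart from failure. Please document that return contract above the function and confirm that code receiving the pointer tolerates NULL, for example when it is handed to bpf_log_attr_finalize(). If the early return is dropped as proposed later in this thread, the NULL case disappears and the comment can say so instead.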
>
> Does this skip validation that bpf_log_attr_init() performs?
>
> The sibling helper bpf_log_attr_init() validates struct bpf_common_attr
> fields via bpf_verifier_log_attr_valid() unconditionally:
>
> kernel/bpf/log.c:bpf_log_attr_init() {
> if (!bpf_verifier_log_attr_valid(common->log_level, ubuf_common, common->log_size) ||
> !bpf_verifier_log_attr_valid(log_level, ubuf, log_size))
> return -EINVAL;
> }
>
> This returns -EINVAL for combinations like (log_buf==0 && log_size!=0)
> or (log_buf==0 && log_level!=0), enforced by:
>
> kernel/bpf/log.c:bpf_verifier_log_attr_valid() {
> /* ubuf and len_total should both be specified (or not) together */
> if (!!log_buf != !!log_size)
> return false;
> if (log_buf && log_level == 0)
> return false;
> if (log_level & ~BPF_LOG_MASK)
> return false;
> if (log_size > UINT_MAX >> 2)
> return false;
> }
>
> When bpf_log_attr_create_vlog() returns early because common->log_buf == 0,
> these four checks are skipped entirely. When common->log_buf != 0, the
> checks run later via bpf_vlog_init().
>
> This creates an ABI validation inconsistency: BPF_PROG_LOAD and BPF_BTF_LOAD
> reject (log_buf==0 && log_size!=0) with -EINVAL, but BPF_MAP_CREATE
> silently accepts it. Userspace passing the same invalid attribute
> combination receives different results depending on the syscall command.
>
> Should bpf_log_attr_create_vlog() call
> bpf_verifier_log_attr_valid(common->log_level, u64_to_user_ptr(common->log_buf), common->log_size)
> before the early return, and return ERR_PTR(-EINVAL) on failure?
>
It was intentional.
Like the bpf_log(log, ...) use in this patch, if log_buf is not provided,
there's nowhere to store the log msg. Thereafter, no need to alloc the log
object.
It seems cheap to alloc the 1KiB+ log object. So it would be fine to drop
this early check, and let bpf_vlog_init() validate them instead.
Thanks,
Leon
>> +
[...]
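The validation gap discussed in this message, as an added example that is not part of the original thread or the kernel source: a userspace C model of the four quoted checks, comparing a path that validates unconditionally with one that returns early when log_buf is 0. The struct, the function names, the sample inputs and the MODEL_LOG_MASK value are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: placeholder mask; the thread does not show BPF_LOG_MASK's value. */
#define MODEL_LOG_MASK 0x7u
struct common_attr { uint64_t log_buf; uint32_t log_size; uint32_t log_level; };

/* The four checks as quoted from bpf_verifier_log_attr_valid(). */
static bool log_attr_valid(uint32_t level, uint64_t buf, uint32_t size)
{
	if (!!buf != !!size)         return false; /* both set, or neither */
	if (buf && level == 0)       return false;
	if (level & ~MODEL_LOG_MASK) return false;
	if (size > UINT_MAX >> 2)    return false;
	return true;
}

/* Validate unconditionally, as described for bpf_log_attr_init(). */
static int strict_path(const struct common_attr *c)
{
	return log_attr_valid(c->log_level, c->log_buf, c->log_size) ? 0 : -EINVAL;
}

/* Return before validating when log_buf is 0, as in the quoted v12 hunk. */
static int early_return_path(const struct common_attr *c)
{
	return c->log_buf ? strict_path(c) : 0;
}

/* Constructed inputs: {log_buf, log_size, log_level}. */
static const struct common_attr samples[] = {
	{ 0, 0, 0 },          /* no log requested */
	{ 0, 4096, 0 },       /* size without buffer */
	{ 0, 0, 0x100 },      /* level bits outside the placeholder mask */
	{ 0x1000, 4096, 1 },  /* well-formed request */
	{ 0x1000, 4096, 0 },  /* buffer with level 0 */
};
/* Number of constructed inputs on which the two paths disagree. */
static int count_divergent(void)
{
	int n = 0;
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		n += strict_path(&samples[i]) != early_return_path(&samples[i]);
	return n;
}

int main(void) { printf("divergent inputs: %d\n", count_divergent()); return 0; }
```

Every divergent input has log_buf == 0; once a buffer is supplied the two paths agree, which matches the message's statement that the checks then run later.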