From: sashiko-bot@kernel.org
To: "Yuyang Huang" <yuyanghuang@google.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v2 2/2] selftests/bpf: add verification for BPF_PROG_QUERY attr size boundaries
Date: Sun, 31 May 2026 01:11:10 +0000
Message-ID: <20260531011110.F22BA1F00893@smtp.kernel.org>
In-Reply-To: <20260531004748.3567875-3-yuyanghuang@google.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] The selftest validates and enshrines an ABI-breaking kernel behavior where BPF_PROG_QUERY rejects valid queries from older user-space binaries with -EFAULT.
--

commit a51bd156081fb623564c01426a789df272b5e924
Author: Yuyang Huang <yuyanghuang@google.com>

selftests/bpf: add verification for BPF_PROG_QUERY attr size boundaries

This commit adds a selftest to verify that BPF_PROG_QUERY rejects queries
with a user-declared size below the size covering query.revision with
-EFAULT. It also ensures the query succeeds when given the full size.

> diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_attr_size.c b/tools/testing/selftests/bpf/prog_tests/bpf_attr_size.c
> new file mode 100644
> index 0000000000000..4fbe56cb29d4a
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/bpf_attr_size.c
> @@ -0,0 +1,65 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/* Copyright (c) 2026 Google LLC */
> +#include <linux/bpf.h>

[ ... ]

> +#define OLD_QUERY_SIZE		offsetofend(union bpf_attr, query.prog_cnt)
> +#define FULL_QUERY_SIZE		offsetofend(union bpf_attr, query.revision)
> +
> +static void test_query_size_boundaries(void)
> +{

[ ... ]

> +	memset(&attr, 0, sizeof(attr));
> +	attr.query.target_fd = cg_fd;
> +	attr.query.attach_type = BPF_CGROUP_INET_INGRESS;
> +
> +	err = syscall(__NR_bpf, BPF_PROG_QUERY, &attr, OLD_QUERY_SIZE);
> +	ASSERT_EQ(err, -1, "query_old_size_fails");
> +	ASSERT_EQ(errno, EFAULT, "query_old_size_efault");
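Review bot: the errno check in `ASSERT_EQ(errno, EFAULT, "query_old_size_efault")` is only meaningful when the preceding syscall actually returned -1; ASSERT_EQ records a failure without returning, so if `err` is 0 the second assertion reads a stale errno and reports a misleading value. Guard it, for example `if (!ASSERT_EQ(err, -1, "query_old_size_fails")) return;` before testing errno. Note also that `OLD_QUERY_SIZE` is defined as `offsetofend(union bpf_attr, query.prog_cnt)`, which is exactly the size a binary built against pre-revision headers passes, so this assertion documents that such callers now fail; a comment stating that this is intended (or a reference to the companion patch) would make the expectation explicit.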

[Severity: Critical]
Does this selftest validate an ABI-breaking kernel behavior where
BPF_PROG_QUERY rejects valid queries from older user-space binaries with
-EFAULT?

Older user-space applications (like an older bpftool) compiled with older
headers will supply a smaller bpf_attr size up to query.prog_cnt.
Previously, the kernel would accept this size, but this test now enforces
that the kernel rejects these historically valid queries unconditionally.

Should the kernel conditionally copy to query.revision only if the
user-provided size is large enough, rather than breaking backwards
compatibility for existing binaries?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260531004748.3567875-1-yuyanghuang@google.com?part=2
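Added example (not kernel code and not part of this patch): a small C model of the two behaviours the review contrasts, a size-gated writeback that stores query.revision only when the caller's declared size covers it, beside the strict rejection the quoted selftest asserts. struct query_attr, OFFSETOFEND, gated_prog_query, strict_prog_query and old_binary_result are constructed stand-ins; the struct is simplified and does not reproduce the real union bpf_attr layout.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the query member of union bpf_attr. Field
 * names follow the discussion; the layout is simplified, not the real
 * kernel header, and values are made up for the example. */
struct query_attr {
	uint32_t target_fd;
	uint32_t attach_type;
	uint64_t prog_ids;   /* user pointer in the real ABI */
	uint32_t prog_cnt;   /* last field an older binary knows about */
	uint64_t revision;   /* newer field the old binary never sized for */
};

/* offsetofend() as used by the quoted selftest, written out in plain C. */
#define OFFSETOFEND(type, member) \
	(offsetof(type, member) + sizeof(((type *)0)->member))
#define OLD_QUERY_SIZE  OFFSETOFEND(struct query_attr, prog_cnt)
#define FULL_QUERY_SIZE OFFSETOFEND(struct query_attr, revision)

/* Hypothetical handler in the style the review suggests: fields that fit
 * in the caller's declared size are written back, fields beyond it are
 * skipped, so a binary built against old headers keeps working. */
static int gated_prog_query(struct query_attr *uattr, size_t size,
			    uint32_t cnt, uint64_t rev)
{
	if (size < OLD_QUERY_SIZE)
		return -EINVAL;          /* cannot hold even the legacy fields */
	uattr->prog_cnt = cnt;
	if (size >= FULL_QUERY_SIZE)
		uattr->revision = rev;   /* only if the caller made room */
	return 0;
}

/* Hypothetical handler with the behaviour the quoted selftest asserts:
 * anything shorter than the full size is rejected outright. */
static int strict_prog_query(struct query_attr *uattr, size_t size,
			     uint32_t cnt, uint64_t rev)
{
	if (size < FULL_QUERY_SIZE)
		return -EFAULT;
	uattr->prog_cnt = cnt;
	uattr->revision = rev;
	return 0;
}

/* What an "old binary" declaring OLD_QUERY_SIZE observes from a handler:
 * 0 on success or the negative errno. */
static int old_binary_result(int (*query)(struct query_attr *, size_t,
					   uint32_t, uint64_t))
{
	struct query_attr attr = { .target_fd = 3, .attach_type = 1 };

	return query(&attr, OLD_QUERY_SIZE, 2, 9);
}
```

Under the gated model the old caller gets 0 with prog_cnt filled and revision untouched; under the strict model the same caller gets -EFAULT, which is the compatibility break the review describes.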
