Re: [PATCH bpf-next v3 2/6] verifier: parse BTF type tags for function arguments

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Emil Tsalapatis" <emil@etsalapatis.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v3 2/6] verifier: parse BTF type tags for function arguments
Date: Tue, 02 Jun 2026 01:05:06 +0000	[thread overview]
Message-ID: <20260602010506.F2F3B1F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260602004120.17087-3-emil@etsalapatis.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] The `btf_scan_type_tags` function unconditionally rejects any `type_tag` other than "arena", breaking previously valid BPF programs.
--

commit 1b7f5032b014c339265f4b7f34961a16eb4c5894
Author: Emil Tsalapatis <emil@etsalapatis.com>

verifier: parse BTF type tags for function arguments

The BTF parsing logic for function arguments goes through
the arguments' decl tags, but does not go into their type
tags. Add type tag parsing for function arguments.

> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 17d4ab0a82068..c6a930aca67ec 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c

[ ... ]

> +static int btf_scan_type_tags(struct bpf_verifier_env *env,
> +			      const struct btf *btf, u32 type_id,
> +			      u32 *tags)
> +{
> +	const struct btf_type *t;
> +
> +	/* Find the first pointer type in the chain. */
> +	t = btf_type_skip_modifiers(btf, type_id, NULL);
> +	if (!t || !btf_type_is_ptr(t))
> +		return 0;
> +
> +	/* We got a pointer, get all associated type tags. */
> +	t = btf_type_by_id(btf, t->type);
> +	while (t && btf_type_is_type_tag(t)) {
> +		const char *tag = __btf_name_by_offset(btf, t->name_off);
> +
> +		if (strcmp(tag, "arena") == 0) {
> +			*tags |= ARG_TAG_ARENA;
> +		} else {
> +			bpf_log(&env->log, "function signature member has unsupported type tag '%s'\n",
> +				tag);
> +			return -EOPNOTSUPP;
> +		}

[Severity: Critical]
Will this unconditionally reject any type tags other than "arena", causing
previously valid BPF programs to fail verification?

Since tags like "user", "rcu", or "percpu" are commonly used in kernel
headers, and were previously skipped by btf_type_skip_modifiers(), returning
-EOPNOTSUPP here will propagate through btf_prepare_func_args() and abort
loading global subprograms that use these type tags.

Could this break backward compatibility for existing userspace programs?

> +
> +		t = btf_type_by_id(btf, t->type);
> +	}
> +
> +	return 0;
> +}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260602004120.17087-1-emil@etsalapatis.com?part=2

next prev parent reply	other threads:[~2026-06-02  1:05 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-02  0:41 [PATCH bpf-next v3 0/6] Minimize annotations for arena programs Emil Tsalapatis
2026-06-02  0:41 ` [PATCH bpf-next v3 1/6] selftests/bpf: libarena: Add "arena" BTF type tag to __arena qualifier Emil Tsalapatis
2026-06-02  0:41 ` [PATCH bpf-next v3 2/6] verifier: parse BTF type tags for function arguments Emil Tsalapatis
2026-06-02  1:05   ` sashiko-bot [this message]
2026-06-02  1:05     ` Emil Tsalapatis
2026-06-02  1:26   ` bot+bpf-ci
2026-06-02  0:41 ` [PATCH bpf-next v3 3/6] bpf: Allow subprogs to return arena pointers Emil Tsalapatis
2026-06-02  1:20   ` sashiko-bot
2026-06-02  0:41 ` [PATCH bpf-next v3 4/6] selftests/bpf: Remove __arg_arena from the codebase Emil Tsalapatis
2026-06-02  1:31   ` sashiko-bot
2026-06-02  0:41 ` [PATCH bpf-next v3 5/6] selftests/bpf: libarena: Directly return arena pointers from functions Emil Tsalapatis
2026-06-02  1:45   ` sashiko-bot
2026-06-02  0:41 ` [PATCH bpf-next v3 6/6] selftests/bpf: Add tests for the new type-tag based __arena identifier Emil Tsalapatis
2026-06-02  2:00 ` [PATCH bpf-next v3 0/6] Minimize annotations for arena programs patchwork-bot+netdevbpf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260602010506.F2F3B1F00893@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=emil@etsalapatis.com \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.