From: sashiko-bot@kernel.org
To: "Leon Hwang" <leon.hwang@linux.dev>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v2 2/3] bpf: Check tail zero of bpf_prog_info
Date: Thu, 04 Jun 2026 15:34:13 +0000
Message-ID: <20260604153414.17BF01F00893@smtp.kernel.org>
In-Reply-To: <20260604150505.99129-3-leon.hwang@linux.dev>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] ABI Breakage / UAPI Regression: Enforcing a zero-check on previously unchecked UAPI struct padding actively breaks backwards compatibility for existing userspace applications.
--

commit 5d5895c0d685510901c044426a4ec3d4faf9bea8
Author: Leon Hwang <leon.hwang@linux.dev>

bpf: Check tail zero of bpf_prog_info

This commit changes the size passed to bpf_check_uarg_tail_zero() from
sizeof(info) to offsetofend() to validate the padding bytes of struct
bpf_prog_info.

> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index 1007fb7c87e91..0c86a70d31c17 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -5115,10 +5115,11 @@ static int bpf_prog_get_info_by_fd(struct file *file,
> u32 info_len = attr->info.info_len;
> struct bpf_prog_kstats stats;
> char __user *uinsns;
> - u32 ulen;
> + u32 ulen, len;
> int err;
>
> - err = bpf_check_uarg_tail_zero(USER_BPFPTR(uinfo), sizeof(info), info_len);
> + len = offsetofend(struct bpf_prog_info, attach_btf_id);
> + err = bpf_check_uarg_tail_zero(USER_BPFPTR(uinfo), len, info_len);

[Severity: Critical]
Will this cause a regression for existing userspace programs?

Since struct bpf_prog_info has trailing padding due to alignment rules,
existing userspace programs allocating this struct on the stack might pass the
full sizeof(info) via info_len without explicitly zero-initializing the
trailing padding.

Previously, because expected_size was sizeof(info), the padding bytes were not
checked. With this change, bpf_check_uarg_tail_zero() will now check those
uninitialized padding bytes against zero.

If they contain stack garbage, the syscall will unexpectedly fail with -E2BIG.
Does this actively reject previously functioning userspace code?

> if (err)
> return err;
> info_len = min_t(u32, sizeof(info), info_len);
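
Review bot: the added line "len = offsetofend(struct bpf_prog_info, attach_btf_id);" hardcodes attach_btf_id as the last member of the struct, and nothing in the hunk records that dependency. If a member is later appended after attach_btf_id and this line is not updated, that member's bytes fall inside the range now checked for zero. Please add a comment above the assignment saying it must name the final member of struct bpf_prog_info, and consider a more descriptive name than "len", which sits next to "ulen" and "info_len" and is easy to confuse with them. The following "info_len = min_t(u32, sizeof(info), info_len);" still uses sizeof(info), so a short note on why the two sizes differ would also help readers.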
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260604150505.99129-1-leon.hwang@linux.dev?part=2
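
The padding effect described in the review above, as an added userspace example that is not part of the original message or of the kernel source. The struct demo_info, the helper names and the 0xAA fill are assumptions made for illustration; check_tail_zero() is a simplified model of the tail-zero rule, not the kernel's bpf_check_uarg_tail_zero().

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a UAPI struct, not the real bpf_prog_info:
 * the 8-byte-aligned member leaves 4 bytes of padding after last_id. */
struct demo_info {
	_Alignas(8) uint64_t a;
	uint32_t last_id;
};

#define offsetofend(T, m) (offsetof(T, m) + sizeof(((T *)0)->m))
#define FIELDS_END offsetofend(struct demo_info, last_id)

_Static_assert(sizeof(struct demo_info) > FIELDS_END, "need tail padding");

/* Simplified userspace model of the tail-zero rule discussed above:
 * every byte in [expected, actual) must be zero, else -E2BIG. */
static int check_tail_zero(const unsigned char *buf, size_t expected, size_t actual)
{
	for (size_t i = expected; i < actual; i++)
		if (buf[i])
			return -E2BIG;
	return 0;
}

/* Build a caller buffer and run the old (sizeof) or new (offsetofend) check.
 * zero_all=0: only the named fields are cleared, padding keeps 0xAA
 * (constructed stand-in for stack garbage). zero_all=1: whole struct memset. */
static int run_case(int zero_all, int use_new)
{
	unsigned char u[sizeof(struct demo_info)];
	size_t expected = use_new ? FIELDS_END : sizeof(struct demo_info);

	memset(u, 0xAA, sizeof(u));
	memset(u, 0, zero_all ? sizeof(u) : FIELDS_END);
	return check_tail_zero(u, expected, sizeof(u)); /* info_len == sizeof */
}

int main(void)
{
	printf("padding dirty, sizeof check:      %d\n", run_case(0, 0));
	printf("padding dirty, offsetofend check: %d\n", run_case(0, 1));
	printf("fully zeroed,  offsetofend check: %d\n", run_case(1, 1));
	return 0;
}
```

A caller that clears the whole struct with memset() before the call passes both forms of the check; only the caller that leaves the padding untouched sees the behaviour change.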
Thread overview: 9+ messages
2026-06-04 15:05 [PATCH bpf-next v2 0/3] bpf: Check tail zero of bpf_map_info and bpf_prog_info Leon Hwang
2026-06-04 15:05 ` [PATCH bpf-next v2 1/3] bpf: Check tail zero of bpf_map_info Leon Hwang
2026-06-04 15:45 ` bot+bpf-ci
2026-06-04 16:39 ` Alexei Starovoitov
2026-06-05 1:56 ` Leon Hwang
2026-06-04 15:05 ` [PATCH bpf-next v2 2/3] bpf: Check tail zero of bpf_prog_info Leon Hwang
2026-06-04 15:34 ` sashiko-bot [this message]
2026-06-04 15:45 ` bot+bpf-ci
2026-06-04 15:05 ` [PATCH bpf-next v2 3/3] selftests/bpf: Add tests to verify checking padding bytes for bpf_[map,prog]_info Leon Hwang