From: sashiko-bot@kernel.org
To: "Xu Kuohai" <xukuohai@huaweicloud.com>
Cc: bpf@vger.kernel.org
Subject: Re: [RFC PATCH bpf-next 04/12] bpf: Create insn_array map for bpf SDT probe
Date: Sat, 27 Jun 2026 15:18:38 +0000 [thread overview]
Message-ID: <20260627151839.F2DA71F000E9@smtp.kernel.org> (raw)
In-Reply-To: <809bd2ae46a0505a1f8fdaeacb4e1db489bfa641.1782571533.git.xukuohai@huawei.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] Size of struct bpf_insn_array_value changes, breaking UAPI backwards compatibility for BPF_MAP_TYPE_INSN_ARRAY map creation.
- [High] SDT probes in shared subprograms are dropped for all but the first main program that absorbs the subprogram.
- [High] Incorrect instruction offset calculation for SDT probes located in subprograms, leading to offset corruption and verifier rejection.
--
commit 4c79777e0549d710e07ecb99bf27d3c4bb18d256
Author: Xu Kuohai <xukuohai@huawei.com>
bpf: Create insn_array map for bpf SDT probe
Create one BPF_MAP_TYPE_INSN_ARRAY map per program from the parsed
SDT entries. Each map is tagged with BPF_F_INSN_ARRAY_SDT and
populated with the instruction offset, argument count, and per-argument
registers.
> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> --- a/include/uapi/linux/bpf.h
> +++ b/include/uapi/linux/bpf.h
[ ... ]
> @@ -7732,7 +7739,9 @@ struct bpf_insn_array_value {
> __u32 orig_off;
> __u32 xlated_off;
> __u32 jitted_off;
> - __u32 :32;
> + __u8 nargs; /* argument count (0..5) */
> + __u8 arg_reg[5]; /* BPF register for each argument */
> + __u8 pad[2];
> };
[Severity: High]
Does this struct size change break UAPI backwards compatibility?
Because insn_array_alloc_check() unconditionally enforces a strict size check:
kernel/bpf/bpf_insn_array.c:insn_array_alloc_check() {
u32 value_size = sizeof(struct bpf_insn_array_value);
if (attr->max_entries == 0 || attr->key_size != 4 ||
attr->value_size != value_size ||
attr->map_flags & ~BPF_F_INSN_ARRAY_SDT)
return -EINVAL;
}
Older userspace binaries calling bpf_map_create() with the old value_size
will be rejected with -EINVAL.
> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> --- a/tools/lib/bpf/libbpf.c
> +++ b/tools/lib/bpf/libbpf.c
[ ... ]
> @@ -6686,6 +6692,131 @@ static int create_jt_map(struct bpf_object *obj, struct bpf_program *prog, struc
> return err;
> }
>
> +static int bpf_object__resolve_sdt_progs(struct bpf_object *obj)
> +{
> + int i, j;
> + struct bpf_light_subprog *sp;
> +
> + for (i = 0; i < obj->sdt_entry_cnt; i++) {
> + struct sdt_entry *e = &obj->sdt_entries[i];
> + struct bpf_program *prog, *subprog;
> +
> + prog = find_prog_by_sec_insn(obj, e->sec_idx, e->insn_idx);
[ ... ]
> + /* resolve subprog probe in the main prog that absorbed the subprog */
> + if (prog_is_subprog(obj, prog) && prog->absorbed_by != -1) {
> + subprog = prog;
> + prog = &obj->programs[prog->absorbed_by];
[Severity: High]
Does this logic drop SDT probes in shared subprograms for all but the first
main program that absorbed it?
By resolving the shared SDT entry exclusively to the main program indicated
by prog->absorbed_by, any tracing tools relying on SDT probes in this
subprogram will silently miss executions when the subprogram is executed
through alternate main programs.
> + for (j = 0; j < prog->subprog_cnt; j++) {
> + sp = &prog->subprogs[j];
> + if (sp->sec_insn_off == subprog->sec_insn_off) {
> + e->insn_idx = sp->sub_insn_off +
> + (e->insn_idx - sp->sec_insn_off);
> + break;
> + }
> + }
[ ... ]
> +static int bpf_object__create_sdt_maps(struct bpf_object *obj)
> +{
[ ... ]
> + /* create insn_array maps per program and populate entries */
> + for (i = 0; i < obj->sdt_entry_cnt; i++) {
> + __u32 key;
> + struct sdt_entry *e = &obj->sdt_entries[i];
> + __u32 sdt_cnt = prog_sdt[e->prog_idx].sdt_cnt;
> +
> + if (!sdt_cnt)
> + continue;
> +
> + prog = &obj->programs[e->prog_idx];
[ ... ]
> + key = prog_sdt[e->prog_idx].next_key++;
> +
> + memset(&val, 0, sizeof(val));
> + val.nargs = e->nargs;
> + val.orig_off = e->insn_idx - prog->sec_insn_off;
[Severity: High]
Can this offset calculation lead to verifier rejection later?
Earlier in bpf_object__resolve_sdt_progs(), e->insn_idx is updated to a 0-based
local offset relative to the main program.
Here in bpf_object__create_sdt_maps(), subtracting prog->sec_insn_off again
from an already localized offset will cause an integer underflow or offset
corruption if the main program's section offset is greater than 0. This will
cause the verifier to reject the BPF object.
> + memcpy(val.arg_reg, e->arg_reg, sizeof(val.arg_reg));
> +
> + err = bpf_map_update_elem(prog->sdt_map_fd, &key, &val, 0);
> + if (err)
> + goto out_free;
> + }
--
Sashiko AI review · https://sashiko.dev/#/patchset/cover.1782571533.git.xukuohai@huawei.com?part=4
next prev parent reply other threads:[~2026-06-27 15:18 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-27 22:51 [RFC PATCH bpf-next 00/12] bpf: Introduce static-defined tracing probe for BPF Xu Kuohai
2026-06-27 20:51 ` [syzbot ci] " syzbot ci
2026-06-27 22:51 ` [RFC PATCH bpf-next 01/12] libbpf: Prepare bpf SDT probe section for the linker Xu Kuohai
2026-06-27 17:05 ` sashiko-bot
2026-06-27 22:51 ` [RFC PATCH bpf-next 02/12] libbpf: Introduce bpf SDT probe macros Xu Kuohai
2026-06-27 15:01 ` sashiko-bot
2026-06-27 22:51 ` [RFC PATCH bpf-next 03/12] libbpf: Add bpf_sdt_notes section parser Xu Kuohai
2026-06-27 15:03 ` sashiko-bot
2026-06-27 22:51 ` [RFC PATCH bpf-next 04/12] bpf: Create insn_array map for bpf SDT probe Xu Kuohai
2026-06-27 15:18 ` sashiko-bot [this message]
2026-06-27 15:34 ` bot+bpf-ci
2026-06-27 22:51 ` [RFC PATCH bpf-next 05/12] bpf: Collect SDT probe BTF IDs from BTF decl tags Xu Kuohai
2026-06-27 15:20 ` sashiko-bot
2026-06-27 15:34 ` bot+bpf-ci
2026-06-27 22:51 ` [RFC PATCH bpf-next 06/12] bpf: Add type check for SDT probe site Xu Kuohai
2026-06-27 15:04 ` sashiko-bot
2026-06-27 15:22 ` bot+bpf-ci
2026-06-27 22:51 ` [RFC PATCH bpf-next 07/12] bpf: Record probe name in SDT map Xu Kuohai
2026-06-27 15:06 ` sashiko-bot
2026-06-27 22:51 ` [RFC PATCH bpf-next 08/12] libbpf: Add libbpf support to load SDT observer program Xu Kuohai
2026-06-27 15:12 ` sashiko-bot
2026-06-27 22:51 ` [RFC PATCH bpf-next 09/12] bpf: Add kernel " Xu Kuohai
2026-06-27 15:12 ` sashiko-bot
2026-06-27 15:22 ` bot+bpf-ci
2026-06-27 22:51 ` [RFC PATCH bpf-next 10/12] bpf: Support attach and detach for " Xu Kuohai
2026-06-27 17:12 ` sashiko-bot
2026-06-27 22:51 ` [RFC PATCH bpf-next 11/12] bpf, x86: Add JIT support SDT for probe Xu Kuohai
2026-06-27 15:13 ` sashiko-bot
2026-06-27 15:22 ` bot+bpf-ci
2026-06-27 22:51 ` [RFC PATCH bpf-next 12/12] selftests/bpf: Add tests for bpf SDT probe Xu Kuohai
2026-06-27 15:25 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260627151839.F2DA71F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=xukuohai@huaweicloud.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.