From: Leon Hwang <leon.hwang@linux.dev>
To: bot+bpf-ci@kernel.org, bpf@vger.kernel.org
Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
	martin.lau@linux.dev, eddyz87@gmail.com, song@kernel.org,
	yonghong.song@linux.dev, john.fastabend@gmail.com,
	kpsingh@kernel.org, sdf@fomichev.me, haoluo@google.com,
	jolsa@kernel.org, shuah@kernel.org, brauner@kernel.org,
	oleg@redhat.com, sforshee@kernel.org, yuichtsu@amazon.com,
	aalbersh@redhat.com, willemb@google.com,
	kerneljasonxing@gmail.com, paul.chaignon@gmail.com,
	yatsenko@meta.com, memxor@gmail.com, a.s.protopopov@gmail.com,
	ameryhung@gmail.com, rongtao@cestc.cn,
	linux-kernel@vger.kernel.org, linux-api@vger.kernel.org,
	linux-kselftest@vger.kernel.org, kernel-patches-bot@fb.com,
	martin.lau@kernel.org, clm@meta.com, ihor.solodrai@linux.dev
Subject: Re: [RESEND PATCH bpf-next v4 3/9] bpf: Refactor reporting log_true_size for prog_load
Date: Wed, 7 Jan 2026 13:52:48 +0800	[thread overview]
Message-ID: <372fbef8-6f47-4167-8568-eb39f9332d49@linux.dev> (raw)
In-Reply-To: <53542ad28c0d27ffcfcf9ea325fb6a77eeb3d569e17a6fad9d95685b5ea25467@mail.kernel.org>



On 7/1/26 01:44, bot+bpf-ci@kernel.org wrote:
>> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
>> index 8f464b847405..1739601fb7bd 100644
>> --- a/kernel/bpf/syscall.c
>> +++ b/kernel/bpf/syscall.c
> 
> [ ... ]
> 
>> @@ -6160,12 +6160,22 @@ static int prog_assoc_struct_ops(union bpf_attr *attr)
>>  	return ret;
>>  }
>>
>> +static int copy_prog_load_log_true_size(union bpf_attr *attr, bpfptr_t uattr, unsigned int size)
>> +{
>> +	if (size >= offsetofend(union bpf_attr, log_true_size) &&
>> +	    copy_to_bpfptr_offset(uattr, offsetof(union bpf_attr, log_true_size),
>> +				  &attr->log_true_size, sizeof(attr->log_true_size)))
>> +		return -EFAULT;
>> +
>> +	return 0;
>> +}
>> +
>>  static int __sys_bpf(enum bpf_cmd cmd, bpfptr_t uattr, unsigned int size,
>>  		     bpfptr_t uattr_common, unsigned int size_common)
>>  {
>>  	struct bpf_common_attr common_attrs;
>>  	union bpf_attr attr;
>> -	int err;
>> +	int err, ret;
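Review bot: copy_prog_load_log_true_size() writes attr->log_true_size back to userspace whenever the caller's attr is large enough, including when bpf_prog_load() failed before the verifier ever set the field; that only reports a sane value because the BPF_PROG_LOAD case zeroes attr.log_true_size first, so either do the zeroing inside this helper or state that contract in a comment above it. The helper only reads attr, so the parameter can be `const union bpf_attr *attr`.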
> 
> [ ... ]
> 
>> @@ -6215,7 +6225,10 @@ static int __sys_bpf(enum bpf_cmd cmd, bpfptr_t uattr, unsigned int size,
>>  		err = map_freeze(&attr);
>>  		break;
>>  	case BPF_PROG_LOAD:
>> -		err = bpf_prog_load(&attr, uattr, size);
>> +		attr.log_true_size = 0;
>> +		err = bpf_prog_load(&attr, uattr);
>> +		ret = copy_prog_load_log_true_size(&attr, uattr, size);
>> +		err = ret ? ret : err;
>                     ^^^^^^^^^^^^^^^^^^^^
> 
> If bpf_prog_load() succeeds, it returns a positive file descriptor.
> Then if copy_prog_load_log_true_size() fails with -EFAULT, this line
> overwrites err with -EFAULT, losing the FD value.
> 
> The BPF program has already been loaded and the FD allocated at this
> point. Since the FD is never returned to userspace, the program
> remains loaded but unreachable - could this leak the BPF program?
> 

Indeed, the normal FD could be leaked if 'ret == -EFAULT'.

I'll address it in the next revision.

Thanks,
Leon

> In the previous code, the copy_to_bpfptr_offset() happened inside
> bpf_check() before the program was fully committed:
> 
>     if (uattr_size >= offsetofend(...) &&
>         copy_to_bpfptr_offset(...)) {
>             ret = -EFAULT;
>             goto err_release_maps;
>         }
> 
> This goto caused bpf_check() to return an error, preventing the FD
> allocation in bpf_prog_load(). Moving the copy outside changes the
> semantics - the FD can now be allocated before a copy failure occurs.
> 
>> +		break;
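Review bot: `err = ret ? ret : err;` replaces a successfully returned fd with -EFAULT after bpf_prog_load() has already installed that fd in the task's table, so the program stays loaded with a descriptor nobody knows about; the removed path copied log_true_size from inside bpf_check(), before any fd existed. Either perform the copy before the fd is installed (keeping the old ordering), or when `ret` is nonzero and `err >= 0` release the fd before overwriting err. Also, `ret` is now declared for the whole of __sys_bpf() but used only in this case; consider scoping it to the case block.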
> 
> 
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
> 
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/20756616585



Thread overview: 17+ messages
2026-01-06 17:20 [RESEND PATCH bpf-next v4 0/9] bpf: Extend bpf syscall with common attributes support Leon Hwang
2026-01-06 17:20 ` [RESEND PATCH bpf-next v4 1/9] " Leon Hwang
2026-01-06 17:20 ` [RESEND PATCH bpf-next v4 2/9] libbpf: Add support for extended bpf syscall Leon Hwang
2026-01-06 17:20 ` [RESEND PATCH bpf-next v4 3/9] bpf: Refactor reporting log_true_size for prog_load Leon Hwang
2026-01-06 17:44   ` bot+bpf-ci
2026-01-07  5:52     ` Leon Hwang [this message]
2026-01-06 17:20 ` [RESEND PATCH bpf-next v4 4/9] bpf: Add common attr support " Leon Hwang
2026-01-06 17:20 ` [RESEND PATCH bpf-next v4 5/9] bpf: Refactor reporting btf_log_true_size for btf_load Leon Hwang
2026-01-06 17:20 ` [RESEND PATCH bpf-next v4 6/9] bpf: Add common attr support " Leon Hwang
2026-01-06 17:20 ` [RESEND PATCH bpf-next v4 7/9] bpf: Add common attr support for map_create Leon Hwang
2026-01-06 17:44   ` bot+bpf-ci
2026-01-07  5:56     ` Leon Hwang
2026-01-07  6:20       ` Alexei Starovoitov
2026-01-07  6:31         ` Leon Hwang
2026-01-09 21:08           ` Alexei Starovoitov
2026-01-06 17:20 ` [RESEND PATCH bpf-next v4 8/9] libbpf: " Leon Hwang
2026-01-06 17:20 ` [RESEND PATCH bpf-next v4 9/9] selftests/bpf: Add tests to verify map create failure log Leon Hwang
