[PATCH bpf-next 1/2] bpf: Emit struct bpf_xdp_sock type in vmlinux BTF

[PATCH bpf-next 1/2] bpf: Emit struct bpf_xdp_sock type in vmlinux BTF

[Amery Hung]

Similar to other BPF UAPI struct, force emit BTF of struct bpf_xdp_sock
so that it is defined in vmlinux.h.

In a later patch, a selftest will use vmlinux.h to get the definition of
struct bpf_xdp_sock instead of bpf.h.

Signed-off-by: Amery Hung <ameryhung@gmail.com>
---
 net/core/filter.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/core/filter.c b/net/core/filter.c
index b20d59bb19b8..2af0a5f1d748 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -7439,6 +7439,8 @@ u32 bpf_xdp_sock_convert_ctx_access(enum bpf_access_type type,
 				      offsetof(struct xdp_sock, FIELD)); \
 	} while (0)
 
+	BTF_TYPE_EMIT(struct bpf_xdp_sock);
+
 	switch (si->off) {
 	case offsetof(struct bpf_xdp_sock, queue_id):
 		BPF_XDP_SOCK_GET(queue_id);
-- 
2.47.3

[PATCH bpf-next 2/2] selftests/bpf: Test changing packet data from global functions with a kfunc

[Amery Hung]

The verifier should invalidate all packet pointers after a packet data
changing kfunc is called. So, similar to commit 3f23ee5590d9
("selftests/bpf: test for changing packet data from global functions"),
test changing packet data from global functions to make sure packet
pointers are indeed invalidated.

Signed-off-by: Amery Hung <ameryhung@gmail.com>
---
 .../selftests/bpf/progs/verifier_sock.c       | 30 ++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/bpf/progs/verifier_sock.c b/tools/testing/selftests/bpf/progs/verifier_sock.c
index bf88c644eb30..0bed5715c9e1 100644
--- a/tools/testing/selftests/bpf/progs/verifier_sock.c
+++ b/tools/testing/selftests/bpf/progs/verifier_sock.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0
 /* Converted from tools/testing/selftests/bpf/verifier/sock.c */
 
-#include <linux/bpf.h>
+#include "vmlinux.h"
 #include <bpf/bpf_helpers.h>
 #include "bpf_misc.h"
 
@@ -1068,6 +1068,34 @@ int invalidate_pkt_pointers_from_global_func(struct __sk_buff *sk)
 	return TCX_PASS;
 }
 
+__noinline
+long xdp_pull_data2(struct xdp_md *x, __u32 len)
+{
+	return bpf_xdp_pull_data(x, len);
+}
+
+__noinline
+long xdp_pull_data1(struct xdp_md *x, __u32 len)
+{
+	return xdp_pull_data2(x, len);
+}
+
+/* global function calls bpf_xdp_pull_data(), which invalidates packet
+ * pointers established before global function call.
+ */
+SEC("xdp")
+__failure __msg("invalid mem access")
+int invalidate_xdp_pkt_pointers_from_global_func(struct xdp_md *x)
+{
+	int *p = (void *)(long)x->data;
+
+	if ((void *)(p + 1) > (void *)(long)x->data_end)
+		return TCX_DROP;
+	xdp_pull_data1(x, 0);
+	*p = 42; /* this is unsafe */
+	return TCX_PASS;
+}
+
 __noinline
 int tail_call(struct __sk_buff *sk)
 {
-- 
2.47.3

Re: [PATCH bpf-next 1/2] bpf: Emit struct bpf_xdp_sock type in vmlinux BTF

[patchwork-bot+netdevbpf]

Hello:

This series was applied to bpf/bpf-next.git (master)
by Martin KaFai Lau <martin.lau@kernel.org>:

On Thu, 25 Sep 2025 10:00:12 -0700 you wrote:
> Similar to other BPF UAPI struct, force emit BTF of struct bpf_xdp_sock
> so that it is defined in vmlinux.h.
> 
> In a later patch, a selftest will use vmlinux.h to get the definition of
> struct bpf_xdp_sock instead of bpf.h.
> 
> Signed-off-by: Amery Hung <ameryhung@gmail.com>
> 
> [...]

Here is the summary with links:
  - [bpf-next,1/2] bpf: Emit struct bpf_xdp_sock type in vmlinux BTF
    https://git.kernel.org/bpf/bpf-next/c/bc8712f2b525
  - [bpf-next,2/2] selftests/bpf: Test changing packet data from global functions with a kfunc
    https://git.kernel.org/bpf/bpf-next/c/9b5c111c3cd6

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

Re: [PATCH bpf-next 2/2] selftests/bpf: Test changing packet data from global functions with a kfunc

[Martin KaFai Lau]

On 9/25/25 10:00 AM, Amery Hung wrote:
> The verifier should invalidate all packet pointers after a packet data
> changing kfunc is called. So, similar to commit 3f23ee5590d9
> ("selftests/bpf: test for changing packet data from global functions"),
> test changing packet data from global functions to make sure packet
> pointers are indeed invalidated.

Applied. Thanks.

> +__noinline
> +long xdp_pull_data2(struct xdp_md *x, __u32 len)
> +{
> +	return bpf_xdp_pull_data(x, len);

This tested the mark_subprog_changes_pkt_data() in visit_insn().

afaik, it does not test the clear_all_pkt_pointers() in check_"k"func_call(). 
Unlike the existing "changes_data" helpers, it is the first kfunc doing it. 
Although we know that it should work after fixing the xdp_native.bpf.c :), it is 
still good to have a regression test for it. Probably another xdp prog in 
verifier_sock.c that does bpf_xdp_pull_data() in the main prog. Please follow up.


> +}
> +
> +__noinline
> +long xdp_pull_data1(struct xdp_md *x, __u32 len)
> +{
> +	return xdp_pull_data2(x, len);
> +}
> +
> +/* global function calls bpf_xdp_pull_data(), which invalidates packet
> + * pointers established before global function call.
> + */
> +SEC("xdp")
> +__failure __msg("invalid mem access")
> +int invalidate_xdp_pkt_pointers_from_global_func(struct xdp_md *x)
> +{
> +	int *p = (void *)(long)x->data;
> +
> +	if ((void *)(p + 1) > (void *)(long)x->data_end)
> +		return TCX_DROP;
> +	xdp_pull_data1(x, 0);
> +	*p = 42; /* this is unsafe */
> +	return TCX_PASS;

I fixed this to XDP_PASS as we discussed offline.

> +}
> +
>   __noinline
>   int tail_call(struct __sk_buff *sk)
>   {

Re: [PATCH bpf-next 2/2] selftests/bpf: Test changing packet data from global functions with a kfunc

[Amery Hung]

On Thu, Sep 25, 2025 at 2:58 PM Martin KaFai Lau <martin.lau@linux.dev> wrote:
>
> On 9/25/25 10:00 AM, Amery Hung wrote:
> > The verifier should invalidate all packet pointers after a packet data
> > changing kfunc is called. So, similar to commit 3f23ee5590d9
> > ("selftests/bpf: test for changing packet data from global functions"),
> > test changing packet data from global functions to make sure packet
> > pointers are indeed invalidated.
>
> Applied. Thanks.
>
> > +__noinline
> > +long xdp_pull_data2(struct xdp_md *x, __u32 len)
> > +{
> > +     return bpf_xdp_pull_data(x, len);
>
> This tested the mark_subprog_changes_pkt_data() in visit_insn().
>
> afaik, it does not test the clear_all_pkt_pointers() in check_"k"func_call().
> Unlike the existing "changes_data" helpers, it is the first kfunc doing it.
> Although we know that it should work after fixing the xdp_native.bpf.c :), it is
> still good to have a regression test for it. Probably another xdp prog in
> verifier_sock.c that does bpf_xdp_pull_data() in the main prog. Please follow up.
>

I will add another test in verifier_sock.c.

>
> > +}
> > +
> > +__noinline
> > +long xdp_pull_data1(struct xdp_md *x, __u32 len)
> > +{
> > +     return xdp_pull_data2(x, len);
> > +}
> > +
> > +/* global function calls bpf_xdp_pull_data(), which invalidates packet
> > + * pointers established before global function call.
> > + */
> > +SEC("xdp")
> > +__failure __msg("invalid mem access")
> > +int invalidate_xdp_pkt_pointers_from_global_func(struct xdp_md *x)
> > +{
> > +     int *p = (void *)(long)x->data;
> > +
> > +     if ((void *)(p + 1) > (void *)(long)x->data_end)
> > +             return TCX_DROP;
> > +     xdp_pull_data1(x, 0);
> > +     *p = 42; /* this is unsafe */
> > +     return TCX_PASS;
>
> I fixed this to XDP_PASS as we discussed offline.
>

Thank you!

> > +}
> > +
> >   __noinline
> >   int tail_call(struct __sk_buff *sk)
> >   {
>