[PATCH bpf-next 0/3] bpf: Enhance freplace compatibility

[PATCH bpf-next 0/3] bpf: Enhance freplace compatibility

[Leon Hwang]

The potential issue of kprobe_write_ctx+freplace was mentioned in
"bpf: Disallow !kprobe_write_ctx progs tail-calling kprobe_write_ctx progs" [1].

It is true issue, that the test in patch #3 verifies that kprobe_write_ctx=false
kprobe progs can be abused to modify struct pt_regs via kprobe_write_ctx=true
freplace progs.

When struct pt_regs is modified, bpf_prog_test_run_opts() gets -EFAULT instead
of 0.

test_kprobe_write_ctx:FAIL:bpf_prog_test_run_opts unexpected error: -14 (errno 14)

We will disallow freplace on kprobe programs with different kprobe_write_ctx
values.

However, xdp_has_frags does not cause such severe issue.

The issue of xdp_has_frags+freplace is that it is able to break the backwards
compatibility of XDP.

At the commit f45d5b6ce2e8 ("bpf: generalise tail call map compatibility check"),
the backwards compatibility was protected against tail calls, but it missed the
freplace case, which is also able to extend XDP progs. If xdp_has_frags=true
freplace progs are allowed to attach to xdp_has_frags=false XDP progs, the
backwards compatibility is broken.

We will disallow freplace on XDP programs with different xdp_has_frags values,
like the way in bpf_prog_map_compatible().

Links:
[1] https://lore.kernel.org/bpf/CAP01T74w4KVMn9bEwpQXrk+bqcUxzb6VW1SQ_QvNy0A4EY-9Jg@mail.gmail.com/

Leon Hwang (3):
  bpf: Disallow freplace on XDP with mismatched xdp_has_frags values
  bpf: Disallow freplace on kprobe with mismatched kprobe_write_ctx
    values
  selftests/bpf: Add tests to verify freplace compatibility

 kernel/bpf/verifier.c                         |  12 ++
 .../bpf/prog_tests/freplace_compatible.c      | 124 ++++++++++++++++++
 .../selftests/bpf/progs/freplace_compatible.c |  40 ++++++
 3 files changed, 176 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/freplace_compatible.c
 create mode 100644 tools/testing/selftests/bpf/progs/freplace_compatible.c

-- 
2.53.0

[PATCH bpf-next 1/3] bpf: Disallow freplace on XDP with mismatched xdp_has_frags values

[Leon Hwang]

xdp_has_frags was introduced by the commit
c2f2cdbeffda ("bpf: introduce BPF_F_XDP_HAS_FRAGS flag in prog_flags loading the ebpf program").

The commit f45d5b6ce2e8 ("bpf: generalise tail call map compatibility check")
was to ensure backwards compatibility against tail calls. However, it
missed that XDP progs can be extended by freplace progs, which could break
the backwards compatibility, e.g. xdp_has_frags=true freplace progs are
allowed to attach to xdp_has_frags=false XDP progs.

To avoid breaking the backwards compatibility via freplace, disallow
freplace on XDP programs with different xdp_has_frags values.

Cc: Toke Hoiland-Jorgensen <toke@redhat.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Lorenzo Bianconi <lorenzo@kernel.org>
Fixes: c2f2cdbeffda ("bpf: introduce BPF_F_XDP_HAS_FRAGS flag in prog_flags loading the ebpf program")
Signed-off-by: Leon Hwang <leon.hwang@linux.dev>
---
 kernel/bpf/verifier.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index cd008b146ee5..12330466d58b 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -25519,6 +25519,10 @@ static int check_attach_btf_id(struct bpf_verifier_env *env)
 		 */
 		env->ops = bpf_verifier_ops[tgt_prog->type];
 		prog->expected_attach_type = tgt_prog->expected_attach_type;
+		if (prog->aux->xdp_has_frags != tgt_prog->aux->xdp_has_frags) {
+			verbose(env, "Extension program cannot have different xdp_has_frags value with target prog\n");
+			return -EINVAL;
+		}
 	}
 
 	/* store info about the attachment target that will be used later */
-- 
2.53.0

Re: [PATCH bpf-next 1/3] bpf: Disallow freplace on XDP with mismatched xdp_has_frags values

[Toke Høiland-Jørgensen]

Leon Hwang <leon.hwang@linux.dev> writes:

> xdp_has_frags was introduced by the commit
> c2f2cdbeffda ("bpf: introduce BPF_F_XDP_HAS_FRAGS flag in prog_flags loading the ebpf program").
>
> The commit f45d5b6ce2e8 ("bpf: generalise tail call map compatibility check")
> was to ensure backwards compatibility against tail calls. However, it
> missed that XDP progs can be extended by freplace progs, which could break
> the backwards compatibility, e.g. xdp_has_frags=true freplace progs are
> allowed to attach to xdp_has_frags=false XDP progs.
>
> To avoid breaking the backwards compatibility via freplace, disallow
> freplace on XDP programs with different xdp_has_frags values.

The problem you describe is not actually a problem, though? A
frags-aware program can run on a non-frags interface just fine.

You're messing with long-standing behaviour (since 5.18!) to solve a
non-existent problem. In a way that completely breaks the frags handling
in libxdp[0]:

    Running tests from ./test-libxdp.sh
     [test_link_so]                PASS
     [test_link_a]                 PASS
     [test_old_dispatcher]         PASS
     [test_xdp_devbound]           PASS
     [test_xdp_frags]              FAIL
          Kernel supports XDP programs with frags
          check_load_frags:	FAILED
          check_load_nofrags_success:	PASSED
          check_load_nofrags_fail:	PASSED
          check_load_frags_multi:	FAILED
          check_load_mix_big:	FAILED
          check_load_mix_small:	FAILED
          Test test_xdp_frags exited with return code: 1


Please don't do that.

-Toke

[0] Run 'make test' here: https://github.com/xdp-project/xdp-tools

Re: [PATCH bpf-next 1/3] bpf: Disallow freplace on XDP with mismatched xdp_has_frags values

[Leon Hwang]

On 25/3/26 00:18, Toke Høiland-Jørgensen wrote:
> Leon Hwang <leon.hwang@linux.dev> writes:
> 
>> xdp_has_frags was introduced by the commit
>> c2f2cdbeffda ("bpf: introduce BPF_F_XDP_HAS_FRAGS flag in prog_flags loading the ebpf program").
>>
>> The commit f45d5b6ce2e8 ("bpf: generalise tail call map compatibility check")
>> was to ensure backwards compatibility against tail calls. However, it
>> missed that XDP progs can be extended by freplace progs, which could break
>> the backwards compatibility, e.g. xdp_has_frags=true freplace progs are
>> allowed to attach to xdp_has_frags=false XDP progs.
>>
>> To avoid breaking the backwards compatibility via freplace, disallow
>> freplace on XDP programs with different xdp_has_frags values.
> 
> The problem you describe is not actually a problem, though? A
> frags-aware program can run on a non-frags interface just fine.
> 
> You're messing with long-standing behaviour (since 5.18!) to solve a
> non-existent problem. In a way that completely breaks the frags handling
> in libxdp[0]:
> 
>     Running tests from ./test-libxdp.sh
>      [test_link_so]                PASS
>      [test_link_a]                 PASS
>      [test_old_dispatcher]         PASS
>      [test_xdp_devbound]           PASS
>      [test_xdp_frags]              FAIL
>           Kernel supports XDP programs with frags
>           check_load_frags:	FAILED
>           check_load_nofrags_success:	PASSED
>           check_load_nofrags_fail:	PASSED
>           check_load_frags_multi:	FAILED
>           check_load_mix_big:	FAILED
>           check_load_mix_small:	FAILED
>           Test test_xdp_frags exited with return code: 1
> 
> 
> Please don't do that.
> 
> -Toke
> 
> [0] Run 'make test' here: https://github.com/xdp-project/xdp-tools
> 

Indeed, it failed to 'make test'.

Will drop this patch in v2, as it wasn't an issue.

Thanks,
Leon

Re: [PATCH bpf-next 1/3] bpf: Disallow freplace on XDP with mismatched xdp_has_frags values

[Toke Høiland-Jørgensen]

Leon Hwang <leon.hwang@linux.dev> writes:

> On 25/3/26 00:18, Toke Høiland-Jørgensen wrote:
>> Leon Hwang <leon.hwang@linux.dev> writes:
>> 
>>> xdp_has_frags was introduced by the commit
>>> c2f2cdbeffda ("bpf: introduce BPF_F_XDP_HAS_FRAGS flag in prog_flags loading the ebpf program").
>>>
>>> The commit f45d5b6ce2e8 ("bpf: generalise tail call map compatibility check")
>>> was to ensure backwards compatibility against tail calls. However, it
>>> missed that XDP progs can be extended by freplace progs, which could break
>>> the backwards compatibility, e.g. xdp_has_frags=true freplace progs are
>>> allowed to attach to xdp_has_frags=false XDP progs.
>>>
>>> To avoid breaking the backwards compatibility via freplace, disallow
>>> freplace on XDP programs with different xdp_has_frags values.
>> 
>> The problem you describe is not actually a problem, though? A
>> frags-aware program can run on a non-frags interface just fine.
>> 
>> You're messing with long-standing behaviour (since 5.18!) to solve a
>> non-existent problem. In a way that completely breaks the frags handling
>> in libxdp[0]:
>> 
>>     Running tests from ./test-libxdp.sh
>>      [test_link_so]                PASS
>>      [test_link_a]                 PASS
>>      [test_old_dispatcher]         PASS
>>      [test_xdp_devbound]           PASS
>>      [test_xdp_frags]              FAIL
>>           Kernel supports XDP programs with frags
>>           check_load_frags:	FAILED
>>           check_load_nofrags_success:	PASSED
>>           check_load_nofrags_fail:	PASSED
>>           check_load_frags_multi:	FAILED
>>           check_load_mix_big:	FAILED
>>           check_load_mix_small:	FAILED
>>           Test test_xdp_frags exited with return code: 1
>> 
>> 
>> Please don't do that.
>> 
>> -Toke
>> 
>> [0] Run 'make test' here: https://github.com/xdp-project/xdp-tools
>> 
>
> Indeed, it failed to 'make test'.
>
> Will drop this patch in v2, as it wasn't an issue.

Great, thanks!

-Toke

Re: [PATCH bpf-next 1/3] bpf: Disallow freplace on XDP with mismatched xdp_has_frags values

[Jakub Kicinski]

On Tue, 24 Mar 2026 23:04:42 +0800 Leon Hwang wrote:
> The commit f45d5b6ce2e8 ("bpf: generalise tail call map compatibility check")
> was to ensure backwards compatibility against tail calls. However, it
> missed that XDP progs can be extended by freplace progs, which could break
> the backwards compatibility, e.g. xdp_has_frags=true freplace progs are
> allowed to attach to xdp_has_frags=false XDP progs.
> 
> To avoid breaking the backwards compatibility via freplace, disallow
> freplace on XDP programs with different xdp_has_frags values.

It may be worth adding a selftest to
tools/testing/selftests/drivers/net/xdp.py
which sets MTU to 9k, tries to attach a non-frag-capable prog
if that fails attaches a frag-capable prog and then checks if
replacing the capable prog with non-capable fails.
Drivers may be buggy in this regard.

Re: [PATCH bpf-next 1/3] bpf: Disallow freplace on XDP with mismatched xdp_has_frags values

[Leon Hwang]

On 27/3/26 03:42, Jakub Kicinski wrote:
> On Tue, 24 Mar 2026 23:04:42 +0800 Leon Hwang wrote:
>> The commit f45d5b6ce2e8 ("bpf: generalise tail call map compatibility check")
>> was to ensure backwards compatibility against tail calls. However, it
>> missed that XDP progs can be extended by freplace progs, which could break
>> the backwards compatibility, e.g. xdp_has_frags=true freplace progs are
>> allowed to attach to xdp_has_frags=false XDP progs.
>>
>> To avoid breaking the backwards compatibility via freplace, disallow
>> freplace on XDP programs with different xdp_has_frags values.
> 
> It may be worth adding a selftest to
> tools/testing/selftests/drivers/net/xdp.py
> which sets MTU to 9k, tries to attach a non-frag-capable prog
> if that fails attaches a frag-capable prog and then checks if
> replacing the capable prog with non-capable fails.
> Drivers may be buggy in this regard.

Do you mean adding these two tests to xdp.py?

1. Verify the failure of attaching non-frag-capable prog to mtu=9k
   driver.
2. Verify the failure of updating frag-capable prog with non-frag-
   capable prog via libbpf.c::bpf_link__update_program().

As for test #2, it may require a helper to attach prog then update prog
using libbpf's APIs.

Thanks,
Leon

Re: [PATCH bpf-next 1/3] bpf: Disallow freplace on XDP with mismatched xdp_has_frags values

[Jakub Kicinski]

On Fri, 27 Mar 2026 14:42:19 +0800 Leon Hwang wrote:
> > It may be worth adding a selftest to
> > tools/testing/selftests/drivers/net/xdp.py
> > which sets MTU to 9k, tries to attach a non-frag-capable prog
> > if that fails attaches a frag-capable prog and then checks if
> > replacing the capable prog with non-capable fails.
> > Drivers may be buggy in this regard.  
> 
> Do you mean adding these two tests to xdp.py?
> 
> 1. Verify the failure of attaching non-frag-capable prog to mtu=9k
>    driver.
> 2. Verify the failure of updating frag-capable prog with non-frag-
>    capable prog via libbpf.c::bpf_link__update_program().

Not directly via libbpf just ip -f link, it uses libbpf internally
but testing with  ip link is simpler. Also - there are already XDP
progs which return XDP_PASS in frag-capable and non-capable mode,
so just use those.

> As for test #2, it may require a helper to attach prog then update prog
> using libbpf's APIs.

See above.

Re: [PATCH bpf-next 1/3] bpf: Disallow freplace on XDP with mismatched xdp_has_frags values

[Leon Hwang]

On 28/3/26 08:12, Jakub Kicinski wrote:
> On Fri, 27 Mar 2026 14:42:19 +0800 Leon Hwang wrote:
>>> It may be worth adding a selftest to
>>> tools/testing/selftests/drivers/net/xdp.py
>>> which sets MTU to 9k, tries to attach a non-frag-capable prog
>>> if that fails attaches a frag-capable prog and then checks if
>>> replacing the capable prog with non-capable fails.
>>> Drivers may be buggy in this regard.  
>>
>> Do you mean adding these two tests to xdp.py?
>>
>> 1. Verify the failure of attaching non-frag-capable prog to mtu=9k
>>    driver.
>> 2. Verify the failure of updating frag-capable prog with non-frag-
>>    capable prog via libbpf.c::bpf_link__update_program().
> 
> Not directly via libbpf just ip -f link, it uses libbpf internally
> but testing with  ip link is simpler. Also - there are already XDP
> progs which return XDP_PASS in frag-capable and non-capable mode,
> so just use those.
> 

Yep, I see these XDP progs in xdp_dummy.bpf.c.

I think the option of ip cmd to update XDP prog is -force.

# ip l set dev eth0 mtu 9000
# ip l set dev eth0 xdpdrv obj xdp_dummy.bpf.o sec xdp.frags
# ip l
6: eth0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 9000 xdp qdisc mq
master bond0 state UP mode DEFAULT group default qlen 1000
    link/ether 3a:39:5f:35:17:6c brd ff:ff:ff:ff:ff:ff permaddr
e0:9d:73:c6:7a:d6
    prog/xdp id 72 name xdp_dummy_prog_ tag 614b434cd8324ecc jited
# ip -force l set dev eth0 xdpdrv obj xdp_dummy.bpf.o sec xdp.frags
# ip l
6: eth0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 9000 xdp qdisc mq
master bond0 state UP mode DEFAULT group default qlen 1000
    link/ether 3a:39:5f:35:17:6c brd ff:ff:ff:ff:ff:ff permaddr
e0:9d:73:c6:7a:d6
    prog/xdp id 76 name xdp_dummy_prog_ tag 614b434cd8324ecc jited
# ip l set dev eth0 mtu 1500 xdpdrv off

I'd like to post an RFC to net-next later.

Thanks,
Leon

[PATCH bpf-next 2/3] bpf: Disallow freplace on kprobe with mismatched kprobe_write_ctx values

[Leon Hwang]

uprobe programs are allowed to modify struct pt_regs.

Since the actual program type of uprobe is KPROBE, it can be abused to
modify struct pt_regs via kprobe+freplace when the kprobe attaches to
kernel functions.

For example,

SEC("?kprobe")
int kprobe(struct pt_regs *regs)
{
	return 0;
}

SEC("?freplace")
int freplace_kprobe(struct pt_regs *regs)
{
	regs->di = 0;
	return 0;
}

freplace_kprobe prog will attach to kprobe prog.
kprobe prog will attach to a kernel function.

Without this patch, when the kernel function runs, its first arg will
always be set as 0 via the freplace_kprobe prog.

To avoid the abuse of kprobe_write_ctx=true via kprobe+freplace, disallow
freplace on kprobe programs with mismatched kprobe_write_ctx values.

Fixes: 7384893d970e ("bpf: Allow uprobe program to change context registers")
Signed-off-by: Leon Hwang <leon.hwang@linux.dev>
---
 kernel/bpf/verifier.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 12330466d58b..f8257bae6081 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -6404,6 +6404,14 @@ static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off,
 		/* remember the offset of last byte accessed in ctx */
 		if (env->prog->aux->max_ctx_offset < off + size)
 			env->prog->aux->max_ctx_offset = off + size;
+		if (env->prog->type == BPF_PROG_TYPE_EXT) {
+			struct bpf_prog *dst_prog = env->prog->aux->dst_prog;
+
+			if (env->prog->aux->kprobe_write_ctx != dst_prog->aux->kprobe_write_ctx) {
+				verbose(env, "Extension program cannot have different kprobe_write_ctx value with target prog\n");
+				return -EINVAL;
+			}
+		}
 		return 0;
 	}
 
-- 
2.53.0

Re: [PATCH bpf-next 2/3] bpf: Disallow freplace on kprobe with mismatched kprobe_write_ctx values

[Jiri Olsa]

On Tue, Mar 24, 2026 at 11:04:43PM +0800, Leon Hwang wrote:
> uprobe programs are allowed to modify struct pt_regs.
> 
> Since the actual program type of uprobe is KPROBE, it can be abused to
> modify struct pt_regs via kprobe+freplace when the kprobe attaches to
> kernel functions.
> 
> For example,
> 
> SEC("?kprobe")
> int kprobe(struct pt_regs *regs)
> {
> 	return 0;
> }
> 
> SEC("?freplace")
> int freplace_kprobe(struct pt_regs *regs)
> {
> 	regs->di = 0;
> 	return 0;
> }
> 
> freplace_kprobe prog will attach to kprobe prog.
> kprobe prog will attach to a kernel function.
> 
> Without this patch, when the kernel function runs, its first arg will
> always be set as 0 via the freplace_kprobe prog.
> 
> To avoid the abuse of kprobe_write_ctx=true via kprobe+freplace, disallow
> freplace on kprobe programs with mismatched kprobe_write_ctx values.
> 
> Fixes: 7384893d970e ("bpf: Allow uprobe program to change context registers")
> Signed-off-by: Leon Hwang <leon.hwang@linux.dev>

hi,
so it's another issue in addition to that on with tail-calls [1]
do you plan to resend this fix as well?

thanks,
jirka


[1] https://lore.kernel.org/bpf/20260303150639.85007-4-leon.hwang@linux.dev/

> ---
>  kernel/bpf/verifier.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 12330466d58b..f8257bae6081 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -6404,6 +6404,14 @@ static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off,
>  		/* remember the offset of last byte accessed in ctx */
>  		if (env->prog->aux->max_ctx_offset < off + size)
>  			env->prog->aux->max_ctx_offset = off + size;
> +		if (env->prog->type == BPF_PROG_TYPE_EXT) {
> +			struct bpf_prog *dst_prog = env->prog->aux->dst_prog;
> +
> +			if (env->prog->aux->kprobe_write_ctx != dst_prog->aux->kprobe_write_ctx) {
> +				verbose(env, "Extension program cannot have different kprobe_write_ctx value with target prog\n");
> +				return -EINVAL;
> +			}
> +		}
>  		return 0;
>  	}
>  
> -- 
> 2.53.0
> 

Re: [PATCH bpf-next 2/3] bpf: Disallow freplace on kprobe with mismatched kprobe_write_ctx values

[Leon Hwang]

On 2026/3/25 20:51, Jiri Olsa wrote:
> On Tue, Mar 24, 2026 at 11:04:43PM +0800, Leon Hwang wrote:
>> uprobe programs are allowed to modify struct pt_regs.
>>
>> Since the actual program type of uprobe is KPROBE, it can be abused to
>> modify struct pt_regs via kprobe+freplace when the kprobe attaches to
>> kernel functions.
>>
>> For example,
>>
>> SEC("?kprobe")
>> int kprobe(struct pt_regs *regs)
>> {
>> 	return 0;
>> }
>>
>> SEC("?freplace")
>> int freplace_kprobe(struct pt_regs *regs)
>> {
>> 	regs->di = 0;
>> 	return 0;
>> }
>>
>> freplace_kprobe prog will attach to kprobe prog.
>> kprobe prog will attach to a kernel function.
>>
>> Without this patch, when the kernel function runs, its first arg will
>> always be set as 0 via the freplace_kprobe prog.
>>
>> To avoid the abuse of kprobe_write_ctx=true via kprobe+freplace, disallow
>> freplace on kprobe programs with mismatched kprobe_write_ctx values.
>>
>> Fixes: 7384893d970e ("bpf: Allow uprobe program to change context registers")
>> Signed-off-by: Leon Hwang <leon.hwang@linux.dev>
> 
> hi,
> so it's another issue in addition to that on with tail-calls [1]
> do you plan to resend this fix as well?
> 
> thanks,
> jirka
> 
> 
> [1] https://lore.kernel.org/bpf/20260303150639.85007-4-leon.hwang@linux.dev/
> 
Kumar will re-post it soon.

Thanks,
Leon

Re: [PATCH bpf-next 2/3] bpf: Disallow freplace on kprobe with mismatched kprobe_write_ctx values

[Jiri Olsa]

On Tue, Mar 24, 2026 at 11:04:43PM +0800, Leon Hwang wrote:
> uprobe programs are allowed to modify struct pt_regs.
> 
> Since the actual program type of uprobe is KPROBE, it can be abused to
> modify struct pt_regs via kprobe+freplace when the kprobe attaches to
> kernel functions.
> 
> For example,
> 
> SEC("?kprobe")
> int kprobe(struct pt_regs *regs)
> {
> 	return 0;
> }
> 
> SEC("?freplace")
> int freplace_kprobe(struct pt_regs *regs)
> {
> 	regs->di = 0;
> 	return 0;
> }
> 
> freplace_kprobe prog will attach to kprobe prog.
> kprobe prog will attach to a kernel function.
> 
> Without this patch, when the kernel function runs, its first arg will
> always be set as 0 via the freplace_kprobe prog.
> 
> To avoid the abuse of kprobe_write_ctx=true via kprobe+freplace, disallow
> freplace on kprobe programs with mismatched kprobe_write_ctx values.
> 
> Fixes: 7384893d970e ("bpf: Allow uprobe program to change context registers")
> Signed-off-by: Leon Hwang <leon.hwang@linux.dev>
> ---
>  kernel/bpf/verifier.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 12330466d58b..f8257bae6081 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -6404,6 +6404,14 @@ static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off,
>  		/* remember the offset of last byte accessed in ctx */
>  		if (env->prog->aux->max_ctx_offset < off + size)
>  			env->prog->aux->max_ctx_offset = off + size;
> +		if (env->prog->type == BPF_PROG_TYPE_EXT) {
> +			struct bpf_prog *dst_prog = env->prog->aux->dst_prog;
> +
> +			if (env->prog->aux->kprobe_write_ctx != dst_prog->aux->kprobe_write_ctx) {
> +				verbose(env, "Extension program cannot have different kprobe_write_ctx value with target prog\n");
> +				return -EINVAL;
> +			}
> +		}

would it be more clear to check this in bpf_check_attach_target,
instead of depending on actual write to context

jirka

Re: [PATCH bpf-next 2/3] bpf: Disallow freplace on kprobe with mismatched kprobe_write_ctx values

[Leon Hwang]

On 28/3/26 04:41, Jiri Olsa wrote:
> On Tue, Mar 24, 2026 at 11:04:43PM +0800, Leon Hwang wrote:
[...]
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -6404,6 +6404,14 @@ static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off,
>>  		/* remember the offset of last byte accessed in ctx */
>>  		if (env->prog->aux->max_ctx_offset < off + size)
>>  			env->prog->aux->max_ctx_offset = off + size;
>> +		if (env->prog->type == BPF_PROG_TYPE_EXT) {
>> +			struct bpf_prog *dst_prog = env->prog->aux->dst_prog;
>> +
>> +			if (env->prog->aux->kprobe_write_ctx != dst_prog->aux->kprobe_write_ctx) {
>> +				verbose(env, "Extension program cannot have different kprobe_write_ctx value with target prog\n");
>> +				return -EINVAL;
>> +			}
>> +		}
> 
> would it be more clear to check this in bpf_check_attach_target,
> instead of depending on actual write to context
> 

I've considered it.

But we can't, because bpf_check_attach_target is before check_ctx_access
at load time.

Besides, sashiko has pointed out that this check in check_ctx_access can
be bypassed when attaching to kprobe_write_ctx=false target [1].

So, I posted v2 to do the check in bpf_tracing_prog_attach at attach
time [2].

[1]
https://sashiko.dev/#/patchset/20260324150444.68166-1-leon.hwang%40linux.dev
[2] https://lore.kernel.org/bpf/20260326141718.17731-1-leon.hwang@linux.dev/

Thanks,
Leon

[PATCH bpf-next 3/3] selftests/bpf: Add tests to verify freplace compatibility

[Leon Hwang]

Add tests to verify the issues:

* xdp_has_frags: The backwards compatibility can be broken via freplace.
* kprobe_write_ctx: It can be abused to modify struct pt_regs of kernel
  functions via kprobe_write_ctx=true freplace progs.

Without the fixes, the issues are verified:

xdp_has_frags=true freplace prog is allowed to attach to
xdp_has_frags=false XDP prog.

kprobe_write_ctx=true freplace prog is allowed to attach to
kprobe_write_ctx=false kprobe prog. Then, the first arg of
bpf_fentry_test1 will be set as 0, and bpf_prog_test_run_opts() gets
-EFAULT instead of 0.

With the fixes, the issues are rejected by verifier:

 Extension program cannot have different xdp_has_frags value with target prog
 #134/1   freplace_compatible/xdp_has_frags:OK
 Extension program cannot have different kprobe_write_ctx value with target prog
 #134/2   freplace_compatible/kprobe_write_ctx:OK

Signed-off-by: Leon Hwang <leon.hwang@linux.dev>
---
 .../bpf/prog_tests/freplace_compatible.c      | 124 ++++++++++++++++++
 .../selftests/bpf/progs/freplace_compatible.c |  40 ++++++
 2 files changed, 164 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/freplace_compatible.c
 create mode 100644 tools/testing/selftests/bpf/progs/freplace_compatible.c

diff --git a/tools/testing/selftests/bpf/prog_tests/freplace_compatible.c b/tools/testing/selftests/bpf/prog_tests/freplace_compatible.c
new file mode 100644
index 000000000000..251e17ef4e52
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/freplace_compatible.c
@@ -0,0 +1,124 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <test_progs.h>
+#include "freplace_compatible.skel.h"
+
+static void test_xdp_has_frags(void)
+{
+	struct freplace_compatible *skel_xdp, *skel_ext = NULL;
+	struct bpf_program *prog_xdp, *prog_ext;
+	struct bpf_link *link = NULL;
+	char buff[128] = {};
+	int err, prog_fd;
+	__u32 flags;
+	LIBBPF_OPTS(bpf_test_run_opts, topts,
+		.data_in = buff,
+		.data_size_in = sizeof(buff),
+		.repeat = 1,
+	);
+
+	skel_xdp = freplace_compatible__open();
+	if (!ASSERT_OK_PTR(skel_xdp, "freplace_compatible__open xdp"))
+		return;
+
+	prog_xdp = skel_xdp->progs.xdp;
+	bpf_program__set_autoload(prog_xdp, true);
+
+	err = freplace_compatible__load(skel_xdp);
+	if (!ASSERT_OK(err, "freplace_compatible__load xdp"))
+		goto out;
+
+	skel_ext = freplace_compatible__open();
+	if (!ASSERT_OK_PTR(skel_ext, "freplace_compatible__open ext"))
+		goto out;
+
+	prog_ext = skel_ext->progs.freplace_xdp;
+	bpf_program__set_autoload(prog_ext, true);
+
+	flags = bpf_program__flags(prog_ext) | BPF_F_XDP_HAS_FRAGS;
+	bpf_program__set_flags(prog_ext, flags);
+
+	prog_fd = bpf_program__fd(prog_xdp);
+	bpf_program__set_attach_target(prog_ext, prog_fd, "xdp");
+
+	err = freplace_compatible__load(skel_ext);
+	ASSERT_ERR(err, "freplace_compatible__load ext");
+
+	link = bpf_program__attach_freplace(prog_ext, prog_fd, "xdp");
+	ASSERT_ERR_PTR(link, "bpf_program__attach_freplace");
+
+	err = bpf_prog_test_run_opts(prog_fd, &topts);
+	if (!ASSERT_OK(err, "bpf_prog_test_run_opts"))
+		goto out;
+
+	ASSERT_EQ(topts.retval, XDP_PASS, "xdp retval");
+
+out:
+	bpf_link__destroy(link);
+	freplace_compatible__destroy(skel_ext);
+	freplace_compatible__destroy(skel_xdp);
+}
+
+#ifdef __x86_64__
+static void test_kprobe_write_ctx(void)
+{
+	struct freplace_compatible *skel_kprobe, *skel_ext = NULL;
+	struct bpf_program *prog_kprobe, *prog_ext, *prog_fentry;
+	struct bpf_link *link_kprobe = NULL, *link_ext = NULL;
+	int err;
+	LIBBPF_OPTS(bpf_kprobe_opts, kprobe_opts);
+	LIBBPF_OPTS(bpf_test_run_opts, topts);
+
+	skel_kprobe = freplace_compatible__open();
+	if (!ASSERT_OK_PTR(skel_kprobe, "freplace_compatible__open kprobe"))
+		return;
+
+	prog_kprobe = skel_kprobe->progs.kprobe;
+	bpf_program__set_autoload(prog_kprobe, true);
+
+	prog_fentry = skel_kprobe->progs.fentry;
+	bpf_program__set_autoload(prog_fentry, true);
+
+	err = freplace_compatible__load(skel_kprobe);
+	if (!ASSERT_OK(err, "freplace_compatible__load kprobe"))
+		goto out;
+
+	skel_ext = freplace_compatible__open();
+	if (!ASSERT_OK_PTR(skel_ext, "freplace_compatible__open ext"))
+		goto out;
+
+	prog_ext = skel_ext->progs.freplace_kprobe;
+	bpf_program__set_autoload(prog_ext, true);
+
+	bpf_program__set_attach_target(prog_ext, bpf_program__fd(prog_kprobe), "kprobe");
+
+	err = freplace_compatible__load(skel_ext);
+	ASSERT_ERR(err, "freplace_compatible__load ext");
+
+	link_ext = bpf_program__attach_freplace(prog_ext, 0, NULL);
+	ASSERT_ERR_PTR(link_ext, "bpf_program__attach_freplace");
+
+	link_kprobe = bpf_program__attach_kprobe_opts(prog_kprobe, "bpf_fentry_test1",
+						      &kprobe_opts);
+	if (!ASSERT_OK_PTR(link_kprobe, "bpf_program__attach_kprobe_opts"))
+		goto out;
+
+	err = bpf_prog_test_run_opts(bpf_program__fd(prog_fentry), &topts);
+	ASSERT_OK(err, "bpf_prog_test_run_opts");
+
+out:
+	bpf_link__destroy(link_ext);
+	bpf_link__destroy(link_kprobe);
+	freplace_compatible__destroy(skel_ext);
+	freplace_compatible__destroy(skel_kprobe);
+}
+#endif
+
+void test_freplace_compatible(void)
+{
+	if (test__start_subtest("xdp_has_frags"))
+		test_xdp_has_frags();
+#ifdef __x86_64__
+	if (test__start_subtest("kprobe_write_ctx"))
+		test_kprobe_write_ctx();
+#endif
+}
diff --git a/tools/testing/selftests/bpf/progs/freplace_compatible.c b/tools/testing/selftests/bpf/progs/freplace_compatible.c
new file mode 100644
index 000000000000..f13b4878268b
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/freplace_compatible.c
@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <vmlinux.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+
+SEC("?xdp")
+int xdp(struct xdp_md *ctx)
+{
+	return XDP_PASS;
+}
+
+SEC("?freplace")
+int freplace_xdp(struct xdp_md *ctx)
+{
+	return 0xFF;
+}
+
+#if defined(__TARGET_ARCH_x86)
+SEC("?kprobe")
+int kprobe(struct pt_regs *regs)
+{
+	return 0;
+}
+
+SEC("?freplace")
+int freplace_kprobe(struct pt_regs *regs)
+{
+	regs->di = 0;
+	return 0;
+}
+
+SEC("?fentry/bpf_fentry_test1")
+int BPF_PROG(fentry)
+{
+	return 0;
+}
+#endif
+
+char _license[] SEC("license") = "GPL";
+
-- 
2.53.0