From: Leon Hwang <leon.hwang@linux.dev>
To: sashiko@lists.linux.dev
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v4 5/8] bpf: Update per-CPU maps using BPF_F_ALL_CPUS flag
Date: Fri, 17 Apr 2026 09:54:39 +0800 [thread overview]
Message-ID: <e9a504b8-e5c9-44b6-b614-916d5173038e@linux.dev> (raw)
In-Reply-To: <20260414210235.2262BC19425@smtp.kernel.org>
On 15/4/26 05:02, sashiko-bot@kernel.org wrote:
> Sashiko AI review found 1 potential issue(s):
[...]
>> + /*
>> + * When updating per-CPU maps via the lightweight skeleton
>> + * loader, use a single value slot across all CPUs. This avoids
>> + * two potential issues when updating on an M-CPU kernel with
>> + * N cached slots (N < M), especially when N is much smaller
>> + * than M:
>> + * 1) The update may trigger a page fault when copying data from
>> + * the last slot, as the read may go beyond the allocated
>> + * buffer.
>> + * 2) The update may copy unexpected data from slots [N, M-1].
>> + */
>> + if (bpfptr_is_kernel(uattr) && bpf_map_supports_cpu_flags(map->map_type) &&
>> + !(attr->flags & (BPF_F_CPU | BPF_F_ALL_CPUS)))
>> + attr->flags |= BPF_F_ALL_CPUS;
>
> Does this unintentionally break the bpf_sys_bpf() helper API for
> BPF_PROG_TYPE_SYSCALL programs?
>
> Because bpf_sys_bpf() also wraps the pointer with KERNEL_BPFPTR,
> bpfptr_is_kernel(uattr) will evaluate to true for any eBPF program calling it.
>
> Prior to this patch, a BPF_PROG_TYPE_SYSCALL program could legitimately
> update a per-CPU map with distinct values for each CPU by providing an array
> of num_possible_cpus() elements and omitting any CPU flags, which mirrors
> standard user-space API semantics.
>
> With this change, it appears the kernel silently overrides attr->flags by
> setting BPF_F_ALL_CPUS. This truncates the internal value_size calculation
> down to a single element (map->value_size), reads only the first element
> of the BPF program's provided buffer, and incorrectly replicates it across
> all CPUs.
>
> Should this workaround for the skeleton loader be constrained to
> bpftool gen skeleton instead of mutating the core syscall handler?
>
It was my intent. Even though BPF_PROG_TYPE_SYSCALL progs could be
broken, it should be fixed when verifying the oob issue is true for
SYSCALL progs.
This patch will be dropped from this series. And, a separate patch will
be posted if the oob issue is true.
Thanks,
Leon
next prev parent reply other threads:[~2026-04-17 1:54 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-14 13:24 [PATCH bpf-next v4 0/8] bpf: Introduce global percpu data Leon Hwang
2026-04-14 13:24 ` [PATCH bpf-next v4 1/8] bpf: Drop duplicate blank lines in verifier Leon Hwang
2026-04-14 13:24 ` [PATCH bpf-next v4 2/8] bpf: Introduce global percpu data Leon Hwang
2026-04-14 14:10 ` bot+bpf-ci
2026-04-14 14:19 ` Leon Hwang
2026-04-15 2:19 ` Alexei Starovoitov
2026-04-17 1:30 ` Leon Hwang
2026-04-17 15:48 ` Leon Hwang
2026-04-17 17:03 ` Alexei Starovoitov
2026-04-20 5:24 ` Leon Hwang
2026-04-20 14:58 ` Alexei Starovoitov
2026-04-21 1:42 ` Leon Hwang
2026-04-21 1:59 ` Alexei Starovoitov
2026-04-21 14:13 ` Leon Hwang
2026-04-21 14:35 ` Alexei Starovoitov
2026-04-22 5:22 ` Leon Hwang
2026-04-14 13:24 ` [PATCH bpf-next v4 3/8] libbpf: Probe percpu data feature Leon Hwang
2026-04-14 13:24 ` [PATCH bpf-next v4 4/8] libbpf: Add support for global percpu data Leon Hwang
2026-04-14 13:24 ` [PATCH bpf-next v4 5/8] bpf: Update per-CPU maps using BPF_F_ALL_CPUS flag Leon Hwang
2026-04-14 21:02 ` sashiko-bot
2026-04-17 1:54 ` Leon Hwang [this message]
2026-04-15 2:21 ` Alexei Starovoitov
2026-04-17 1:33 ` Leon Hwang
2026-04-17 16:07 ` Leon Hwang
2026-04-14 13:24 ` [PATCH bpf-next v4 6/8] bpftool: Generate skeleton for global percpu data Leon Hwang
2026-04-14 21:26 ` sashiko-bot
2026-04-17 2:01 ` Leon Hwang
2026-04-14 13:24 ` [PATCH bpf-next v4 7/8] selftests/bpf: Add tests to verify " Leon Hwang
2026-04-14 21:45 ` sashiko-bot
2026-04-17 2:06 ` Leon Hwang
2026-04-14 13:24 ` [PATCH bpf-next v4 8/8] selftests/bpf: Add a test to verify bpf_iter for " Leon Hwang
2026-04-14 22:08 ` sashiko-bot
2026-04-17 2:17 ` Leon Hwang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e9a504b8-e5c9-44b6-b614-916d5173038e@linux.dev \
--to=leon.hwang@linux.dev \
--cc=bpf@vger.kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.