* [RFC PATCH bpf-next 0/2] bpf: Fix updating attached freplace to PROG_ARRAY map
@ 2024-06-02 12:24 Leon Hwang
2024-06-02 12:24 ` [RFC PATCH bpf-next 1/2] " Leon Hwang
2024-06-02 12:24 ` [RFC PATCH bpf-next 2/2] selftests/bpf: Add testcase for updating attached freplace prog " Leon Hwang
From: Leon Hwang @ 2024-06-02 12:24 UTC
To: bpf; +Cc: ast, daniel, andrii, toke, hffilwlqm

When I try to run selftests to confirm that I fixed the tailcall hierarchy
issue[0], it hits a kernel NULL pointer dereference BUG.

[309049.036402] BUG: kernel NULL pointer dereference, address: 0000000000000004
[309049.036419] #PF: supervisor read access in kernel mode
[309049.036426] #PF: error_code(0x0000) - not-present page
[309049.036432] PGD 0 P4D 0
[309049.036437] Oops: 0000 [#1] PREEMPT SMP NOPTI
[309049.036444] CPU: 2 PID: 788148 Comm: test_progs Not tainted 6.8.0-31-generic #31-Ubuntu
[309049.036465] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023
[309049.036477] RIP: 0010:bpf_prog_map_compatible+0x2a/0x140
[309049.036488] Code: 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 49 89 fe 41 55 41 54 53 44 8b 6e 04 48 89 f3 41 83 fd 1c 75 0c 48 8b 46 38 48 8b 40 70 <44> 8b 68 04 f6 43 03 01 75 1c 48 8b 43 38 44 0f b6 a0 89 00 00 00
[309049.036505] RSP: 0018:ffffb2e080fd7ce0 EFLAGS: 00010246
[309049.036513] RAX: 0000000000000000 RBX: ffffb2e0807c1000 RCX: 0000000000000000
[309049.036521] RDX: 0000000000000000 RSI: ffffb2e0807c1000 RDI: ffff990290259e00
[309049.036528] RBP: ffffb2e080fd7d08 R08: 0000000000000000 R09: 0000000000000000
[309049.036536] R10: 0000000000000000 R11: 0000000000000000 R12: ffff990290259e00
[309049.036543] R13: 000000000000001c R14: ffff990290259e00 R15: ffff99028e29c400
[309049.036551] FS: 00007b82cbc28140(0000) GS:ffff9903b3f00000(0000) knlGS:0000000000000000
[309049.036559] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[309049.036566] CR2: 0000000000000004 CR3: 0000000101286002 CR4: 00000000003706f0
[309049.036573] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[309049.036581] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[309049.036588] Call Trace:
[309049.036592] <TASK>
[309049.036597] ? show_regs+0x6d/0x80
[309049.036604] ? __die+0x24/0x80
[309049.036619] ? page_fault_oops+0x99/0x1b0
[309049.036628] ? do_user_addr_fault+0x2ee/0x6b0
[309049.036634] ? exc_page_fault+0x83/0x1b0
[309049.036641] ? asm_exc_page_fault+0x27/0x30
[309049.036649] ? bpf_prog_map_compatible+0x2a/0x140
[309049.036656] prog_fd_array_get_ptr+0x2c/0x70
[309049.036664] bpf_fd_array_map_update_elem+0x37/0x130
[309049.036671] bpf_map_update_value+0x1d3/0x260
[309049.036677] map_update_elem+0x1fa/0x360
[309049.036683] __sys_bpf+0x54c/0xa10
[309049.036689] __x64_sys_bpf+0x1a/0x30
[309049.036694] x64_sys_call+0x1936/0x25c0
[309049.036700] do_syscall_64+0x7f/0x180
[309049.036706] ? do_syscall_64+0x8c/0x180
[309049.036712] ? do_syscall_64+0x8c/0x180
[309049.036717] ? irqentry_exit+0x43/0x50
[309049.036723] ? common_interrupt+0x54/0xb0
[309049.036729] entry_SYSCALL_64_after_hwframe+0x73/0x7b

It is caused by these two commits:

- commit 1c123c567fb1 ("bpf: Resolve fext program type when checking map compatibility")
- commit 3aac1ead5eb6 ("bpf: Move prog->aux->linked_prog and trampoline into bpf_link on attach")

After freplace attachment, 'prog->aux->dst_prog' is set to NULL. Then,
when updating the freplace prog to a PROG_ARRAY map, 'resolve_prog_type()'
resolves the freplace prog type by 'prog->aux->dst_prog->type'. Finally, the
BUG hits.

This patchset resolves the freplace prog type by
'prog->aux->saved_dst_prog_type' to avoid the BUG.

However, it does not resolve this issue thoroughly, because the prog type
of a freplace prog is not stable, as a freplace prog can attach to different
types of prog.

So, I raise an RFC PATCH to discuss how to resolve it thoroughly.

Links:
[0] https://lore.kernel.org/bpf/6203dd01-789d-f02c-5293-def4c1b18aef@gmail.com/
Leon Hwang (2):
bpf: Fix updating attached freplace to PROG_ARRAY map
selftests/bpf: Add testcase for updating attached freplace prog to
PROG_ARRAY map
include/linux/bpf_verifier.h | 2 +-
.../selftests/bpf/prog_tests/tailcalls.c | 82 +++++++++++++++++++
.../selftests/bpf/progs/tailcall_freplace.c | 34 ++++++++
.../testing/selftests/bpf/progs/tc_bpf2bpf.c | 21 +++++
4 files changed, 138 insertions(+), 1 deletion(-)
create mode 100644 tools/testing/selftests/bpf/progs/tailcall_freplace.c
create mode 100644 tools/testing/selftests/bpf/progs/tc_bpf2bpf.c
base-commit: c939103fc8ef1df0984b8665f157ff88e51373fe
--
2.44.0
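
A user-space C model of the failure described in the cover letter above, added here as an illustration; it is not code from the patchset or the kernel. The struct layouts are simplified, the `model_*` helpers are hypothetical, and it assumes the saved target type is recorded when the freplace prog is loaded.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space model of the fields named in the thread.
 * Not kernel code: layouts and the model_* helpers are illustrative. */
enum prog_type { PROG_TYPE_SCHED_CLS = 3, PROG_TYPE_EXT = 28 /* 0x1c, cf. R13 */ };

struct prog;

struct prog_aux {
	struct prog *dst_prog;              /* attach target; NULL after attach */
	enum prog_type saved_dst_prog_type; /* assumption: recorded at load */
};

struct prog {
	unsigned short pages;
	unsigned short flags;
	enum prog_type type;                /* offset 4, cf. fault address 0x4 */
	struct prog_aux *aux;
};

/* Load a freplace prog against a target (assumed to save the target type). */
static void model_load_freplace(struct prog *ext, struct prog_aux *aux,
				struct prog *target)
{
	ext->pages = 0;
	ext->flags = 0;
	ext->type = PROG_TYPE_EXT;
	ext->aux = aux;
	aux->dst_prog = target;
	aux->saved_dst_prog_type = target->type;
}

/* Attach: per the thread, dst_prog is set to NULL at this point. */
static void model_attach_freplace(struct prog *ext)
{
	ext->aux->dst_prog = NULL;
}

/* Pre-patch logic. Returns false at the point where the kernel would read
 * through a NULL dst_prog, instead of performing that read. */
static bool resolve_prog_type_old(const struct prog *p, enum prog_type *out)
{
	if (p->type != PROG_TYPE_EXT) {
		*out = p->type;
		return true;
	}
	if (!p->aux->dst_prog)
		return false;
	*out = p->aux->dst_prog->type;
	return true;
}

/* Logic after patch 1/2: no pointer chase through dst_prog. */
static enum prog_type resolve_prog_type_new(const struct prog *p)
{
	return p->type == PROG_TYPE_EXT ? p->aux->saved_dst_prog_type : p->type;
}

/* Address that a read of dst_prog->type hits when dst_prog is NULL. */
static size_t model_fault_address(void)
{
	return offsetof(struct prog, type);
}

int main(void)
{
	struct prog target = { .type = PROG_TYPE_SCHED_CLS };
	struct prog ext;
	struct prog_aux aux;
	enum prog_type t = PROG_TYPE_EXT;

	model_load_freplace(&ext, &aux, &target);
	printf("loaded:   old ok=%d\n", resolve_prog_type_old(&ext, &t));
	model_attach_freplace(&ext);
	printf("attached: old ok=%d (would fault at 0x%zx)\n",
	       resolve_prog_type_old(&ext, &t), model_fault_address());
	printf("attached: new type=%d\n", resolve_prog_type_new(&ext));
	return 0;
}
```

The modelled fault address lines up with `CR2: 0000000000000004` in the oops, and `R13: 000000000000001c` is the EXT program type already read from `prog->type` before the faulting load.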

* [RFC PATCH bpf-next 1/2] bpf: Fix updating attached freplace to PROG_ARRAY map
From: Leon Hwang @ 2024-06-02 12:24 UTC
To: bpf; +Cc: ast, daniel, andrii, toke, hffilwlqm

Since commit 1c123c567fb138eb ("bpf: Resolve fext program type when
checking map compatibility"), freplace prog can be used as tail-callee.

However, when freplace prog has been attached and then updates to
PROG_ARRAY map, it will panic, because the updating checks prog type of
freplace prog by 'prog->aux->dst_prog->type' and 'prog->aux->dst_prog' of
freplace prog is NULL.

[309049.036402] BUG: kernel NULL pointer dereference, address: 0000000000000004
[309049.036419] #PF: supervisor read access in kernel mode
[309049.036426] #PF: error_code(0x0000) - not-present page
[309049.036432] PGD 0 P4D 0
[309049.036437] Oops: 0000 [#1] PREEMPT SMP NOPTI
[309049.036444] CPU: 2 PID: 788148 Comm: test_progs Not tainted 6.8.0-31-generic #31-Ubuntu
[309049.036465] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023
[309049.036477] RIP: 0010:bpf_prog_map_compatible+0x2a/0x140
[309049.036488] Code: 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 49 89 fe 41 55 41 54 53 44 8b 6e 04 48 89 f3 41 83 fd 1c 75 0c 48 8b 46 38 48 8b 40 70 <44> 8b 68 04 f6 43 03 01 75 1c 48 8b 43 38 44 0f b6 a0 89 00 00 00
[309049.036505] RSP: 0018:ffffb2e080fd7ce0 EFLAGS: 00010246
[309049.036513] RAX: 0000000000000000 RBX: ffffb2e0807c1000 RCX: 0000000000000000
[309049.036521] RDX: 0000000000000000 RSI: ffffb2e0807c1000 RDI: ffff990290259e00
[309049.036528] RBP: ffffb2e080fd7d08 R08: 0000000000000000 R09: 0000000000000000
[309049.036536] R10: 0000000000000000 R11: 0000000000000000 R12: ffff990290259e00
[309049.036543] R13: 000000000000001c R14: ffff990290259e00 R15: ffff99028e29c400
[309049.036551] FS: 00007b82cbc28140(0000) GS:ffff9903b3f00000(0000) knlGS:0000000000000000
[309049.036559] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[309049.036566] CR2: 0000000000000004 CR3: 0000000101286002 CR4: 00000000003706f0
[309049.036573] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[309049.036581] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[309049.036588] Call Trace:
[309049.036592] <TASK>
[309049.036597] ? show_regs+0x6d/0x80
[309049.036604] ? __die+0x24/0x80
[309049.036619] ? page_fault_oops+0x99/0x1b0
[309049.036628] ? do_user_addr_fault+0x2ee/0x6b0
[309049.036634] ? exc_page_fault+0x83/0x1b0
[309049.036641] ? asm_exc_page_fault+0x27/0x30
[309049.036649] ? bpf_prog_map_compatible+0x2a/0x140
[309049.036656] prog_fd_array_get_ptr+0x2c/0x70
[309049.036664] bpf_fd_array_map_update_elem+0x37/0x130
[309049.036671] bpf_map_update_value+0x1d3/0x260
[309049.036677] map_update_elem+0x1fa/0x360
[309049.036683] __sys_bpf+0x54c/0xa10
[309049.036689] __x64_sys_bpf+0x1a/0x30
[309049.036694] x64_sys_call+0x1936/0x25c0
[309049.036700] do_syscall_64+0x7f/0x180
[309049.036706] ? do_syscall_64+0x8c/0x180
[309049.036712] ? do_syscall_64+0x8c/0x180
[309049.036717] ? irqentry_exit+0x43/0x50
[309049.036723] ? common_interrupt+0x54/0xb0
[309049.036729] entry_SYSCALL_64_after_hwframe+0x73/0x7b

Why is 'prog->aux->dst_prog' of freplace prog NULL? It is caused by commit 3aac1ead5eb6
("bpf: Move prog->aux->linked_prog and trampoline into bpf_link on attach").

As 'prog->aux->dst_prog' of freplace prog is set to NULL on attach,
freplace prog does not have a stable prog type. But updating
freplace prog to PROG_ARRAY map requires checking prog type. They
conflict in theory.

This patch is unable to resolve this issue thoroughly. It resolves prog
type of freplace prog by 'prog->aux->saved_dst_prog_type' to avoid panic.

Fixes: 1c123c567fb1 ("bpf: Resolve fext program type when checking map compatibility")
Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>
---
 include/linux/bpf_verifier.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
index 50aa87f8d77ff..b648a96ca310b 100644
--- a/include/linux/bpf_verifier.h +++ b/include/linux/bpf_verifier.h @@ -845,7 +845,7 @@ static inline u32 type_flag(u32 type) static inline enum bpf_prog_type resolve_prog_type(const struct bpf_prog *prog) { return prog->type == BPF_PROG_TYPE_EXT ? - prog->aux->dst_prog->type : prog->type; + prog->aux->saved_dst_prog_type : prog->type; } static inline bool bpf_prog_check_recur(const struct bpf_prog *prog) -- 2.44.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
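
Review bot: resolve_prog_type() now trusts prog->aux->saved_dst_prog_type for every BPF_PROG_TYPE_EXT prog, but nothing in the hunk documents when that field is written or why it remains valid once attach has cleared dst_prog. Please add a comment above the helper stating that invariant. The commit message itself says a freplace prog has no stable type after attach, so it would also help to state what keeps a PROG_ARRAY entry consistent if the saved type stops matching the prog's current target, given that the check in the trace runs at map update time. The cover letter names two commits as the cause while only one carries a Fixes: tag; say why the second is left out.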
* Re: [RFC PATCH bpf-next 1/2] bpf: Fix updating attached freplace to PROG_ARRAY map 2024-06-02 12:24 ` [RFC PATCH bpf-next 1/2] " Leon Hwang @ 2024-07-22 14:43 ` Leon Hwang 2024-07-22 23:53 ` Alexei Starovoitov 0 siblings, 1 reply; 5+ messages in thread 
From: Leon Hwang @ 2024-07-22 14:43 UTC (permalink / raw) To: bpf; +Cc: ast, daniel, andrii, toke On 2024/6/2 20:24, Leon Hwang wrote: > Since commit 1c123c567fb138eb ("bpf: Resolve fext program type when > checking map compatibility"), freplace prog can be used as tail-callee. > > However, when freplace prog has been attached and then updates to > PROG_ARRAY map, it will panic, because the updating checks prog type of > freplace prog by 'prog->aux->dst_prog->type' and 'prog->aux->dst_prog' of > freplace prog is NULL. > > [309049.036402] BUG: kernel NULL pointer dereference, address: 0000000000000004 > [309049.036419] #PF: supervisor read access in kernel mode > [309049.036426] #PF: error_code(0x0000) - not-present page > [309049.036432] PGD 0 P4D 0 > [309049.036437] Oops: 0000 [#1] PREEMPT SMP NOPTI > [309049.036444] CPU: 2 PID: 788148 Comm: test_progs Not tainted 6.8.0-31-generic #31-Ubuntu > [309049.036465] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023 > [309049.036477] RIP: 0010:bpf_prog_map_compatible+0x2a/0x140 > [309049.036488] Code: 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 49 89 fe 41 55 41 54 53 44 8b 6e 04 48 89 f3 41 83 fd 1c 75 0c 48 8b 46 38 48 8b 40 70 <44> 8b 68 04 f6 43 03 01 75 1c 48 8b 43 38 44 0f b6 a0 89 00 00 00 > [309049.036505] RSP: 0018:ffffb2e080fd7ce0 EFLAGS: 00010246 > [309049.036513] RAX: 0000000000000000 RBX: ffffb2e0807c1000 RCX: 0000000000000000 > [309049.036521] RDX: 0000000000000000 RSI: ffffb2e0807c1000 RDI: ffff990290259e00 > [309049.036528] RBP: ffffb2e080fd7d08 R08: 0000000000000000 R09: 0000000000000000 > [309049.036536] R10: 0000000000000000 R11: 0000000000000000 R12: ffff990290259e00 > [309049.036543] R13: 000000000000001c R14: ffff990290259e00 R15: ffff99028e29c400 > [309049.036551] FS: 00007b82cbc28140(0000) GS:ffff9903b3f00000(0000) knlGS:0000000000000000 > [309049.036559] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [309049.036566] CR2: 
0000000000000004 CR3: 0000000101286002 CR4: 00000000003706f0 > [309049.036573] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > [309049.036581] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > [309049.036588] Call Trace: > [309049.036592] <TASK> > [309049.036597] ? show_regs+0x6d/0x80 > [309049.036604] ? __die+0x24/0x80 > [309049.036619] ? page_fault_oops+0x99/0x1b0 > [309049.036628] ? do_user_addr_fault+0x2ee/0x6b0 > [309049.036634] ? exc_page_fault+0x83/0x1b0 > [309049.036641] ? asm_exc_page_fault+0x27/0x30 > [309049.036649] ? bpf_prog_map_compatible+0x2a/0x140 > [309049.036656] prog_fd_array_get_ptr+0x2c/0x70 > [309049.036664] bpf_fd_array_map_update_elem+0x37/0x130 > [309049.036671] bpf_map_update_value+0x1d3/0x260 > [309049.036677] map_update_elem+0x1fa/0x360 > [309049.036683] __sys_bpf+0x54c/0xa10 > [309049.036689] __x64_sys_bpf+0x1a/0x30 > [309049.036694] x64_sys_call+0x1936/0x25c0 > [309049.036700] do_syscall_64+0x7f/0x180 > [309049.036706] ? do_syscall_64+0x8c/0x180 > [309049.036712] ? do_syscall_64+0x8c/0x180 > [309049.036717] ? irqentry_exit+0x43/0x50 > [309049.036723] ? common_interrupt+0x54/0xb0 > [309049.036729] entry_SYSCALL_64_after_hwframe+0x73/0x7b > > Why 'prog->aux->dst_prog' of freplace prog is NULL? It causes by commit 3aac1ead5eb6 > ("bpf: Move prog->aux->linked_prog and trampoline into bpf_link on attach"). > > As 'prog->aux->dst_prog' of freplace prog is set as NULL when attach, > freplace prog does not have stable prog type. But when to update > freplace prog to PROG_ARRAY map, it requires checking prog type. They are > conflict in theory. > > This patch is unable to resolve this issue thoroughly. It resolves prog > type of freplace prog by 'prog->aux->saved_dst_prog_type' to avoid panic. > > Fixes: 1c123c567fb1 ("bpf: Resolve fext program type when checking map compatibility") 
> Signed-off-by: Leon Hwang <hffilwlqm@gmail.com> > --- > include/linux/bpf_verifier.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h > index 50aa87f8d77ff..b648a96ca310b 100644 > --- a/include/linux/bpf_verifier.h > +++ b/include/linux/bpf_verifier.h 
> @@ -845,7 +845,7 @@ static inline u32 type_flag(u32 type) > static inline enum bpf_prog_type resolve_prog_type(const struct bpf_prog *prog) > { > return prog->type == BPF_PROG_TYPE_EXT ? > - prog->aux->dst_prog->type : prog->type; > + prog->aux->saved_dst_prog_type : prog->type; > } > > static inline bool bpf_prog_check_recur(const struct bpf_prog *prog) Hi, If no better idea to discuss, I'll respin the PATCH. And then, I'm planning to fix another tailcall issue caused by 1c123c567fb1 ("bpf: Resolve fext program type when checking map compatibility"), which is able to produce panic: [ 15.310490] BUG: TASK stack guard page was hit at (____ptrval____) (stack is (____ptrval____)..(____ptrval____)) [ 15.310490] Oops: stack guard page: 0000 [#1] PREEMPT SMP NOPTI [ 15.310490] CPU: 1 PID: 89 Comm: test_progs Tainted: G OE 6.10.0-rc6-g026dcdae8d3e-dirty #72 [ 15.310490] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 15.310490] RIP: 0010:bpf_prog_3a140cef239a4b4f_subprog_tail+0x14/0x53 [ 15.310490] Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 0f 1f 00 55 48 89 e5 f3 0f 1e fa <50> 50 53 41 55 48 89 fb 49 bd 00 2a 46 82 98 9c ff ff 48 89 df 4c [ 15.310490] RSP: 0018:ffffb500c0aa0000 EFLAGS: 00000202 [ 15.310490] RAX: ffffb500c0aa0028 RBX: ffff9c98808b7e00 RCX: 0000000000008cb5 [ 15.310490] RDX: 0000000000000000 RSI: ffff9c9882462a00 RDI: ffff9c98808b7e00 [ 15.310490] RBP: ffffb500c0aa0000 R08: 0000000000000000 R09: 0000000000000000 [ 15.310490] R10: 0000000000000001 R11: 0000000000000000 R12: ffffb500c01af000 [ 15.310490] R13: ffffb500c01cd000 R14: 0000000000000000 R15: 0000000000000000 [ 15.310490] FS: 00007f133b665140(0000) GS:ffff9c98bbd00000(0000) knlGS:0000000000000000 [ 15.310490] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 15.310490] CR2: ffffb500c0a9fff8 CR3: 0000000102478000 CR4: 00000000000006f0 [ 15.310490] Call Trace: [ 15.310490] <#DF> [ 15.310490] 
? die+0x36/0x90 [ 15.310490] ? handle_stack_overflow+0x4d/0x60 [ 15.310490] ? exc_double_fault+0x117/0x1a0 [ 15.310490] ? asm_exc_double_fault+0x23/0x30 [ 15.310490] ? bpf_prog_3a140cef239a4b4f_subprog_tail+0x14/0x53 [ 15.310490] </#DF> [ 15.310490] <TASK> [ 15.310490] bpf_prog_85781a698094722f_entry+0x4c/0x64 [ 15.310490] bpf_prog_1c515f389a9059b4_entry2+0x19/0x1b [ 15.310490] ... [ 15.310490] bpf_prog_85781a698094722f_entry+0x4c/0x64 [ 15.310490] bpf_prog_1c515f389a9059b4_entry2+0x19/0x1b [ 15.310490] bpf_test_run+0x210/0x370 [ 15.310490] ? bpf_test_run+0x128/0x370 [ 15.310490] bpf_prog_test_run_skb+0x388/0x7a0 [ 15.310490] __sys_bpf+0xdbf/0x2c40 [ 15.310490] ? clockevents_program_event+0x52/0xf0 [ 15.310490] ? lock_release+0xbf/0x290 [ 15.310490] __x64_sys_bpf+0x1e/0x30 [ 15.310490] do_syscall_64+0x68/0x140 [ 15.310490] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 15.310490] RIP: 0033:0x7f133b52725d [ 15.310490] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8b bb 0d 00 f7 d8 64 89 01 48 [ 15.310490] RSP: 002b:00007ffddbc10258 EFLAGS: 00000206 ORIG_RAX: 0000000000000141 [ 15.310490] RAX: ffffffffffffffda RBX: 00007ffddbc10828 RCX: 00007f133b52725d [ 15.310490] RDX: 0000000000000050 RSI: 00007ffddbc102a0 RDI: 000000000000000a [ 15.310490] RBP: 00007ffddbc10270 R08: 0000000000000000 R09: 00007ffddbc102a0 [ 15.310490] R10: 0000000000000064 R11: 0000000000000206 R12: 0000000000000004 [ 15.310490] R13: 0000000000000000 R14: 0000558ec4c24890 R15: 00007f133b6ed000 [ 15.310490] </TASK> [ 15.310490] Modules linked in: bpf_testmod(OE) [ 15.310490] ---[ end trace 0000000000000000 ]--- [ 15.310490] RIP: 0010:bpf_prog_3a140cef239a4b4f_subprog_tail+0x14/0x53 [ 15.310490] Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 0f 1f 00 55 48 89 e5 f3 0f 1e fa <50> 50 53 41 55 48 89 fb 49 bd 00 2a 46 82 98 9c ff ff 
48 89 df 4c [ 15.310490] RSP: 0018:ffffb500c0aa0000 EFLAGS: 00000202 [ 15.310490] RAX: ffffb500c0aa0028 RBX: ffff9c98808b7e00 RCX: 0000000000008cb5 [ 15.310490] RDX: 0000000000000000 RSI: ffff9c9882462a00 RDI: ffff9c98808b7e00 [ 15.310490] RBP: ffffb500c0aa0000 R08: 0000000000000000 R09: 0000000000000000 [ 15.310490] R10: 0000000000000001 R11: 0000000000000000 R12: ffffb500c01af000 [ 15.310490] R13: ffffb500c01cd000 R14: 0000000000000000 R15: 0000000000000000 [ 15.310490] FS: 00007f133b665140(0000) GS:ffff9c98bbd00000(0000) knlGS:0000000000000000 [ 15.310490] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 15.310490] CR2: ffffb500c0a9fff8 CR3: 0000000102478000 CR4: 00000000000006f0 [ 15.310490] Kernel panic - not syncing: Fatal exception in interrupt [ 15.310490] Kernel Offset: 0x30000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) Thanks, Leon ^ permalink raw reply [flat|nested] 5+ messages in thread

* Re: [RFC PATCH bpf-next 1/2] bpf: Fix updating attached freplace to PROG_ARRAY map
From: Alexei Starovoitov @ 2024-07-22 23:53 UTC
To: Leon Hwang
Cc: bpf, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Toke Høiland-Jørgensen

On Mon, Jul 22, 2024 at 7:43 AM Leon Hwang <hffilwlqm@gmail.com> wrote:
>
> Hi,
>
> If no better idea to discuss, I'll respin the PATCH.
>
> And then, I'm planning to fix another tailcall issue caused by
> 1c123c567fb1 ("bpf: Resolve fext program type when checking map
> compatibility"), which is able to produce panic:

Pls go ahead. Don't delay.

* [RFC PATCH bpf-next 2/2] selftests/bpf: Add testcase for updating attached freplace prog to PROG_ARRAY map 2024-06-02 12:24 [RFC PATCH bpf-next 0/2] bpf: Fix updating attached freplace to PROG_ARRAY map Leon Hwang 2024-06-02 12:24 ` [RFC PATCH bpf-next 1/2] " Leon Hwang @ 2024-06-02 12:24 ` Leon Hwang 1 sibling, 0 replies; 5+ messages in thread From: Leon Hwang @ 2024-06-02 12:24 UTC (permalink / raw) To: bpf; +Cc: ast, daniel, andrii, toke, hffilwlqm Add a selftest to confirm the issue, panic when update attached freplace prog to PROG_ARRAY map, has been fixed. cd tools/testing/selftests/bpf; ./test_progs -t tailcall 324/18 tailcalls/tailcall_freplace:OK 324 tailcalls:OK Summary: 1/18 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Leon Hwang <hffilwlqm@gmail.com> --- .../selftests/bpf/prog_tests/tailcalls.c | 82 +++++++++++++++++++ .../selftests/bpf/progs/tailcall_freplace.c | 34 ++++++++ .../testing/selftests/bpf/progs/tc_bpf2bpf.c | 21 +++++ 3 files changed, 137 insertions(+) create mode 100644 tools/testing/selftests/bpf/progs/tailcall_freplace.c create mode 100644 tools/testing/selftests/bpf/progs/tc_bpf2bpf.c diff --git a/tools/testing/selftests/bpf/prog_tests/tailcalls.c b/tools/testing/selftests/bpf/prog_tests/tailcalls.c index 59993fc9c0d7e..d0c6f0d2a4233 100644 --- a/tools/testing/selftests/bpf/prog_tests/tailcalls.c +++ b/tools/testing/selftests/bpf/prog_tests/tailcalls.c @@ -3,6 +3,8 @@ #include <test_progs.h> #include <network_helpers.h> #include "tailcall_poke.skel.h" +#include "tailcall_freplace.skel.h" +#include "tc_bpf2bpf.skel.h" /* test_tailcall_1 checks basic functionality by patching multiple locations 
@@ -1187,6 +1189,84 @@ static void test_tailcall_poke(void) tailcall_poke__destroy(call); } +static void test_tailcall_freplace(void) +{ + struct tailcall_freplace *skel = NULL; + struct tc_bpf2bpf *tgt_skel = NULL; + struct bpf_link *freplace = NULL; + struct bpf_map *data_map; + int prog_fd, data_fd; + char buff[128] = {}; + __u32 key = 0; + int err, val; + + LIBBPF_OPTS(bpf_test_run_opts, topts, + .data_in = buff, + .data_size_in = sizeof(buff), + .repeat = 1, + ); + + skel = tailcall_freplace__open(); + if (!ASSERT_OK_PTR(skel, "open skel")) + goto out; + + tgt_skel = tc_bpf2bpf__open_and_load(); + if (!ASSERT_OK_PTR(tgt_skel, "open tgt_skel")) + goto out; + + err = bpf_program__set_attach_target(skel->progs.entry, + bpf_program__fd(tgt_skel->progs.entry), + "subprog"); + if (!ASSERT_OK(err, "set_attach_target")) + goto out; + + err = tailcall_freplace__load(skel); + if (!ASSERT_OK(err, "load skel")) + goto out; + + freplace = bpf_program__attach_freplace(skel->progs.entry, + bpf_program__fd(tgt_skel->progs.entry), + "subprog"); + if (!ASSERT_OK_PTR(freplace, "attatch_freplace")) + goto out; + + prog_fd = bpf_program__fd(skel->progs.entry); + if (!ASSERT_GE(prog_fd, 0, "prog_fd")) + goto out; + + err = bpf_map_update_elem(bpf_map__fd(skel->maps.jmp_table), &key, + &prog_fd, BPF_ANY); + if (!ASSERT_OK(err, "update jmp_table")) + goto out; + + prog_fd = bpf_program__fd(tgt_skel->progs.entry); + if (!ASSERT_GE(prog_fd, 0, "prog_fd")) + goto out; + + err = bpf_prog_test_run_opts(prog_fd, &topts); + ASSERT_OK(err, "test_run"); + ASSERT_EQ(topts.retval, 1, "test_run retval"); + + data_map = bpf_object__find_map_by_name(skel->obj, ".bss"); + if (!ASSERT_FALSE(!data_map || !bpf_map__is_internal(data_map), + "find .bss map")) + goto out; + + data_fd = bpf_map__fd(data_map); + if (!ASSERT_GE(data_fd, 0, ".bss map_fd")) + goto out; + + key = 0; + err = bpf_map_lookup_elem(data_fd, &key, &val); + ASSERT_OK(err, "tailcall count"); + ASSERT_EQ(val, 34, "tailcall count"); + 
+out: + bpf_link__destroy(freplace); + tc_bpf2bpf__destroy(tgt_skel); + tailcall_freplace__destroy(skel); +} + void test_tailcalls(void) { if (test__start_subtest("tailcall_1")) @@ -1223,4 +1303,6 @@ void test_tailcalls(void) test_tailcall_bpf2bpf_fentry_entry(); if (test__start_subtest("tailcall_poke")) test_tailcall_poke(); + if (test__start_subtest("tailcall_freplace")) + test_tailcall_freplace(); } diff --git a/tools/testing/selftests/bpf/progs/tailcall_freplace.c b/tools/testing/selftests/bpf/progs/tailcall_freplace.c new file mode 100644 index 0000000000000..fe25343e9d2fa --- /dev/null +++ b/tools/testing/selftests/bpf/progs/tailcall_freplace.c @@ -0,0 +1,34 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include <linux/bpf.h> +#include <bpf/bpf_helpers.h> +#include "bpf_legacy.h" + +struct { + __uint(type, BPF_MAP_TYPE_PROG_ARRAY); + __uint(max_entries, 1); + __uint(key_size, sizeof(__u32)); + __uint(value_size, sizeof(__u32)); +} jmp_table SEC(".maps"); + +int count = 0; + +__noinline int +subprog(struct __sk_buff *skb) +{ + volatile int ret = 1; + + count++; + + bpf_tail_call_static(skb, &jmp_table, 0); + + return ret; +} + +SEC("freplace") +int entry(struct __sk_buff *skb) +{ + return subprog(skb); +} + +char __license[] SEC("license") = "GPL"; diff --git a/tools/testing/selftests/bpf/progs/tc_bpf2bpf.c b/tools/testing/selftests/bpf/progs/tc_bpf2bpf.c new file mode 100644 index 0000000000000..54abda6c3246e --- /dev/null +++ b/tools/testing/selftests/bpf/progs/tc_bpf2bpf.c @@ -0,0 +1,21 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include <linux/bpf.h> +#include <bpf/bpf_helpers.h> +#include "bpf_legacy.h" + +__noinline int +subprog(struct __sk_buff *skb) +{ + volatile int ret = 1; + + return ret; +} + +SEC("tc") +int entry(struct __sk_buff *skb) +{ + return subprog(skb); +} + +char __license[] SEC("license") = "GPL"; -- 2.44.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
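
Review bot: the expected value in `ASSERT_EQ(val, 34, "tailcall count")` in test_tailcall_freplace() is an unexplained magic number; add a comment saying how 34 is derived, or build it from a named constant, so the test does not go stale silently. In the same function `val` is declared without an initialiser and is still compared when bpf_map_lookup_elem() fails, so initialise it or bail out on error. The assertion label "attatch_freplace" is misspelled, and the labels "prog_fd" and "tailcall count" are each used for two different assertions, which makes a failure ambiguous in the test log.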
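
Review bot: in progs/tailcall_freplace.c, subprog() tail-calls jmp_table slot 0, which the test fills with this same freplace prog, so the program re-enters itself until the tail call stops succeeding, and nothing in the file says that this is intentional. A short comment on `bpf_tail_call_static(skb, &jmp_table, 0);` stating that the self-reference is deliberate and that `count` records the number of entries would make the program readable without the prog_tests side. Also, is `#include "bpf_legacy.h"` needed? Nothing visible in either new progs file appears to use it.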