From: Yonghong Song <yonghong.song@linux.dev>
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
kernel-team@fb.com, Martin KaFai Lau <martin.lau@kernel.org>
Subject: [PATCH bpf-next v5 0/3] bpf: Warn with __bpf_trap() kfunc maybe due to uninitialized variable
Date: Fri, 23 May 2025 13:53:16 -0700
Message-ID: <20250523205316.1291136-1-yonghong.song@linux.dev>

Marc Suñé (Isovalent, part of Cisco) reported an issue where an
uninitialized variable caused the generated bpf prog binary code to not
work as expected. The reproducer is in [1] where the flags
"-Wall -Werror" are enabled, but there is no warning as the compiler
takes advantage of the uninitialized variable to do aggressive optimization.
Such optimization results in a verification log:

  last insn is not an exit or jmp

The user still needs to take quite some time to figure out what is
the root cause.

To give a better hint to the user, the __bpf_trap() kfunc is introduced
in the kernel and the compiler ([2]) will encode __bpf_trap()
as needed. For example, the compiler may generate 'unreachable' IR
after doing optimization by taking advantage of an uninitialized variable,
and later the bpf backend will translate such 'unreachable' IR to
the __bpf_trap() func in the final binary. When the kernel detects
__bpf_trap(), it is able to issue a much better verifier log, e.g.

  unexpected __bpf_trap() due to uninitialized variable?

  [1] https://github.com/msune/clang_bpf/blob/main/Makefile#L3
  [2] https://github.com/llvm/llvm-project/pull/131731

Changelogs:
  v4 -> v5:
    - v4: https://lore.kernel.org/bpf/20250521032047.1015381-1-yonghong.song@linux.dev/
    - Change original kfunc bpf_unreachable() to __bpf_trap().
    - Better codes for function check_special_kfunc().
  v3 -> v4:
    - v3: https://lore.kernel.org/bpf/20250519203339.2060080-1-yonghong.song@linux.dev/
    - Remove special_kfunc_set in verifier.
  v2 -> v3:
    - v2: https://lore.kernel.org/bpf/CAADnVQL9A8vB-yRjnZn8bgMrfDSO17FFBtS_xOs5w-LSq+p74g@mail.gmail.com/
    - The newer llvm patch (above [2]) added 'exit' insn if the last insn
      in the function is bpf_unreachable(). This way, check_subprogs()
      handling is unnecessary and removed.
    - Remove the big C test (above [1]) and add a simple C test and three
      inline asm tests.
  v1 -> v2:
    - v1: https://lore.kernel.org/bpf/20250511182744.1806792-1-yonghong.song@linux.dev/
    - If bpf_unreachable() is hit during check_kfunc_call(), report the
      verification failure.
    - Add three inline asm test cases.

Yonghong Song (3):
  bpf: Remove special_kfunc_set from verifier
  bpf: Warn with __bpf_trap() kfunc maybe due to uninitialized variable
  selftests/bpf: Add unit tests with __bpf_trap() kfunc

 kernel/bpf/helpers.c                          |   5 +
 kernel/bpf/verifier.c                         | 379 +++++++++---------
 .../selftests/bpf/prog_tests/verifier.c       |   2 +
 .../selftests/bpf/progs/verifier_bpf_trap.c   |  71 ++++
 4 files changed, 260 insertions(+), 197 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/progs/verifier_bpf_trap.c

--
2.47.1
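
The two verifier outcomes named in the cover letter, as an added user-space model that is not code from this series or from the kernel: a structural end-of-program check, then detection of a kfunc call to __bpf_trap(). Assumptions: `TRAP_BTF_ID`, `check_prog()` and the three instruction streams are constructed for illustration, and the linear scan stands in for the verifier reaching the call in check_kfunc_call() on a walked path.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Opcode values as defined in the UAPI header linux/bpf.h. */
#define BPF_JMP   0x05
#define BPF_JMP32 0x06
#define BPF_JA    0x00
#define BPF_CALL  0x80
#define BPF_EXIT  0x90
#define BPF_PSEUDO_KFUNC_CALL 2
#define TRAP_BTF_ID 4242 /* constructed placeholder, not a real BTF id */

/* Field order of struct bpf_insn; regs = dst (low nibble) | src (high nibble). */
struct insn { uint8_t code; uint8_t regs; int16_t off; int32_t imm; };

enum verdict { V_OK, V_LAST_INSN, V_BPF_TRAP };
static const char *const verdict_log[] = {
    [V_OK] = "ok",
    [V_LAST_INSN] = "last insn is not an exit or jmp",
    [V_BPF_TRAP] = "unexpected __bpf_trap() due to uninitialized variable?",
};

/* Simplified model: end-of-program check first, then trap detection. */
enum verdict check_prog(const struct insn *p, size_t n)
{
    if (n == 0)
        return V_LAST_INSN;
    uint8_t last = p[n - 1].code;
    if (last != (BPF_JMP | BPF_EXIT) && last != (BPF_JMP | BPF_JA) &&
        last != (BPF_JMP32 | BPF_JA))
        return V_LAST_INSN;
    for (size_t i = 0; i < n; i++)
        if (p[i].code == (BPF_JMP | BPF_CALL) &&
            (p[i].regs >> 4) == BPF_PSEUDO_KFUNC_CALL && p[i].imm == TRAP_BTF_ID)
            return V_BPF_TRAP;
    return V_OK;
}

/* Constructed streams: body ends without exit; trap call then exit; r0 = 0 then exit. */
const struct insn fell_off_end[] = { { 0xb7, 0x01, 0, 1 } };
const struct insn with_trap[] = { { 0x85, 0x20, 0, TRAP_BTF_ID }, { 0x95, 0, 0, 0 } };
const struct insn well_formed[] = { { 0xb7, 0x00, 0, 0 }, { 0x95, 0, 0, 0 } };

int main(void)
{
    printf("%s\n", verdict_log[check_prog(fell_off_end, 1)]);
    printf("%s\n", verdict_log[check_prog(with_trap, 2)]);
    printf("%s\n", verdict_log[check_prog(well_formed, 2)]);
    return 0;
}
```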