[PATCH bpf-next v1 0/2] BPF Streams - Fixes

[PATCH bpf-next v1 0/2] BPF Streams - Fixes

[Kumar Kartikeya Dwivedi]

This set contains some fixes for recently reported issues for BPF
streams. Please check individual patches for details.

Kumar Kartikeya Dwivedi (2):
  bpf: Fix bounds for bpf_prog_get_file_line linfo loop
  bpf: Fix improper int-to-ptr cast in dump_stack_cb

 kernel/bpf/core.c   | 4 +++-
 kernel/bpf/stream.c | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)


base-commit: 03fe01ddd1d8be7799419ea5e5f228a0186ae8c2
-- 
2.47.1

[PATCH bpf-next v1 1/2] bpf: Fix bounds for bpf_prog_get_file_line linfo loop

[Kumar Kartikeya Dwivedi]

We may overrun the bounds because linfo and jited_linfo are already
advanced to prog->aux->linfo_idx, hence we must only iterate the
remaining elements until we reach prog->aux->nr_linfo. Adjust the
nr_linfo calculation to fix this. Reported in [0].

  [0]: https://lore.kernel.org/bpf/f3527af3b0620ce36e299e97e7532d2555018de2.camel@gmail.com

Reported-by: Eduard Zingerman <eddyz87@gmail.com>
Fixes: 0e521efaf363 ("bpf: Add function to extract program source info")
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
---
 kernel/bpf/core.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index fe8a53f3c5bc..61613785bdd0 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -3244,6 +3244,7 @@ int bpf_prog_get_file_line(struct bpf_prog *prog, unsigned long ip, const char *
 	struct bpf_line_info *linfo;
 	void **jited_linfo;
 	struct btf *btf;
+	int nr_linfo;
 
 	btf = prog->aux->btf;
 	linfo = prog->aux->linfo;
@@ -3258,8 +3259,9 @@ int bpf_prog_get_file_line(struct bpf_prog *prog, unsigned long ip, const char *
 
 	insn_start = linfo[0].insn_off;
 	insn_end = insn_start + len;
+	nr_linfo = prog->aux->nr_linfo - prog->aux->linfo_idx;
 
-	for (int i = 0; i < prog->aux->nr_linfo &&
+	for (int i = 0; i < nr_linfo &&
 	     linfo[i].insn_off >= insn_start && linfo[i].insn_off < insn_end; i++) {
 		if (jited_linfo[i] >= (void *)ip)
 			break;
-- 
2.47.1

[PATCH bpf-next v1 2/2] bpf: Fix improper int-to-ptr cast in dump_stack_cb

[Kumar Kartikeya Dwivedi]

On 32-bit platforms, we'll try to convert a u64 directly to a pointer
type which is 32-bit, which causes the compiler to complain about cast
from an integer of a different size to a pointer type. Cast to long
before casting to the pointer type to match the pointer width.

Reported-by: kernelci.org bot <bot@kernelci.org>
Reported-by: Randy Dunlap <rdunlap@infradead.org>
Fixes: d7c431cafcb4 ("bpf: Add dump_stack() analogue to print to BPF stderr")
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
---
 kernel/bpf/stream.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/stream.c b/kernel/bpf/stream.c
index 8c842f845245..ab592db4a4bf 100644
--- a/kernel/bpf/stream.c
+++ b/kernel/bpf/stream.c
@@ -498,11 +498,11 @@ static bool dump_stack_cb(void *cookie, u64 ip, u64 sp, u64 bp)
 		if (ret < 0)
 			goto end;
 		ctxp->err = bpf_stream_stage_printk(ctxp->ss, "%pS\n  %s @ %s:%d\n",
-						    (void *)ip, line, file, num);
+						    (void *)(long)ip, line, file, num);
 		return !ctxp->err;
 	}
 end:
-	ctxp->err = bpf_stream_stage_printk(ctxp->ss, "%pS\n", (void *)ip);
+	ctxp->err = bpf_stream_stage_printk(ctxp->ss, "%pS\n", (void *)(long)ip);
 	return !ctxp->err;
 }
 
-- 
2.47.1

Re: [PATCH bpf-next v1 2/2] bpf: Fix improper int-to-ptr cast in dump_stack_cb

[Randy Dunlap]

On 7/4/25 10:30 PM, Kumar Kartikeya Dwivedi wrote:
> On 32-bit platforms, we'll try to convert a u64 directly to a pointer
> type which is 32-bit, which causes the compiler to complain about cast
> from an integer of a different size to a pointer type. Cast to long
> before casting to the pointer type to match the pointer width.
> 
> Reported-by: kernelci.org bot <bot@kernelci.org>
> Reported-by: Randy Dunlap <rdunlap@infradead.org>
> Fixes: d7c431cafcb4 ("bpf: Add dump_stack() analogue to print to BPF stderr")
> Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>

Acked-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>

Thanks.

> ---
>  kernel/bpf/stream.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/kernel/bpf/stream.c b/kernel/bpf/stream.c
> index 8c842f845245..ab592db4a4bf 100644
> --- a/kernel/bpf/stream.c
> +++ b/kernel/bpf/stream.c
> @@ -498,11 +498,11 @@ static bool dump_stack_cb(void *cookie, u64 ip, u64 sp, u64 bp)
>  		if (ret < 0)
>  			goto end;
>  		ctxp->err = bpf_stream_stage_printk(ctxp->ss, "%pS\n  %s @ %s:%d\n",
> -						    (void *)ip, line, file, num);
> +						    (void *)(long)ip, line, file, num);
>  		return !ctxp->err;
>  	}
>  end:
> -	ctxp->err = bpf_stream_stage_printk(ctxp->ss, "%pS\n", (void *)ip);
> +	ctxp->err = bpf_stream_stage_printk(ctxp->ss, "%pS\n", (void *)(long)ip);
>  	return !ctxp->err;
>  }
>  

-- 
~Randy

Re: [PATCH bpf-next v1 1/2] bpf: Fix bounds for bpf_prog_get_file_line linfo loop

[Eduard Zingerman]

On Fri, 2025-07-04 at 22:30 -0700, Kumar Kartikeya Dwivedi wrote:
> We may overrun the bounds because linfo and jited_linfo are already
> advanced to prog->aux->linfo_idx, hence we must only iterate the
> remaining elements until we reach prog->aux->nr_linfo. Adjust the
> nr_linfo calculation to fix this. Reported in [0].
> 
>   [0]: https://lore.kernel.org/bpf/f3527af3b0620ce36e299e97e7532d2555018de2.camel@gmail.com
> 
> Reported-by: Eduard Zingerman <eddyz87@gmail.com>
> Fixes: 0e521efaf363 ("bpf: Add function to extract program source info")
> Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
> ---

Acked-by: Eduard Zingerman <eddyz87@gmail.com>

Nit: It would be nice to extend progs/stream.c, so that e.g.
     cond_break exhaustion is reported from a subprogram.
     I checked it locally and everything works as expected.

Re: [PATCH bpf-next v1 0/2] BPF Streams - Fixes

[patchwork-bot+netdevbpf]

Hello:

This series was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Fri,  4 Jul 2025 22:30:33 -0700 you wrote:
> This set contains some fixes for recently reported issues for BPF
> streams. Please check individual patches for details.
> 
> Kumar Kartikeya Dwivedi (2):
>   bpf: Fix bounds for bpf_prog_get_file_line linfo loop
>   bpf: Fix improper int-to-ptr cast in dump_stack_cb
> 
> [...]

Here is the summary with links:
  - [bpf-next,v1,1/2] bpf: Fix bounds for bpf_prog_get_file_line linfo loop
    https://git.kernel.org/bpf/bpf-next/c/116c8f474722
  - [bpf-next,v1,2/2] bpf: Fix improper int-to-ptr cast in dump_stack_cb
    https://git.kernel.org/bpf/bpf-next/c/bfa2bb9abd99

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html