From: sashiko-bot@kernel.org
To: "Suchit Karunakaran" <suchitkarunakaran@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH] selftests/bpf: replace bpf_probe_read_kernel with direct access
Date: Wed, 22 Apr 2026 22:05:27 +0000 [thread overview]
Message-ID: <20260422220527.C1FA4C19425@smtp.kernel.org> (raw)
In-Reply-To: <20260422183757.15069-1-suchitkarunakaran@gmail.com>
Sashiko AI review found 2 potential issue(s):
- [Medium] BPF verifier will reject the program due to an out-of-bounds access on `SOCK_INODE(sk)->i_ino`.
- [Medium] BPF verifier will reject the program due to an invalid memory access when dereferencing `nlk->groups[0]`.
--
commit 9c46bc4644e11b2c3abf78e2ca55fa73028182f8
Author: Suchit Karunakaran <suchitkarunakaran@gmail.com>
selftests/bpf: replace bpf_probe_read_kernel with direct access
Use direct field access instead of bpf_probe_read_kernel() for
nlk->groups[0] and inode->i_ino, and clean up related code.
> diff --git a/tools/testing/selftests/bpf/progs/bpf_iter_netlink.c b/tools/testing/selftests/bpf/progs/bpf_iter_netlink.c
> index 00b2ceae81fb0..5930bf8899d21 100644
> --- a/tools/testing/selftests/bpf/progs/bpf_iter_netlink.c
> +++ b/tools/testing/selftests/bpf/progs/bpf_iter_netlink.c
> @@ -35,10 +34,7 @@ int dump_netlink(struct bpf_iter__netlink *ctx)
> if (!nlk->groups) {
> group = 0;
> } else {
> - /* FIXME: temporary use bpf_probe_read_kernel here, needs
> - * verifier support to do direct access.
> - */
> - bpf_probe_read_kernel(&group, sizeof(group), &nlk->groups[0]);
> + group = nlk->groups[0];
Does the verifier know the size of the memory pointed to by nlk->groups?
The groups field in struct netlink_sock is a pointer to a scalar
(unsigned long *). When the BPF program reads this pointer from the struct,
the verifier tracks it as a generic pointer with a known memory size of 0,
because BTF does not encode the size of the dynamically allocated array.
Will the direct array access nlk->groups[0] be rejected by the verifier's
bounds check?
> }
> BPF_SEQ_PRINTF(seq, "%-10u %08x %-8d %-8d %-5d %-8d ",
> nlk->portid, (u32)group,
> @@ -50,12 +46,7 @@ int dump_netlink(struct bpf_iter__netlink *ctx)
> if (!sk) {
> ino = 0;
> } else {
> - /* FIXME: container_of inside SOCK_INODE has a forced
> - * type conversion, and direct access cannot be used
> - * with current verifier.
> - */
> - inode = SOCK_INODE(sk);
> - bpf_probe_read_kernel(&ino, sizeof(ino), &inode->i_ino);
> + ino = SOCK_INODE(sk)->i_ino;
Will the verifier reject this as an out-of-bounds access?
The SOCK_INODE macro relies on container_of to cast a struct socket pointer
to a struct socket_alloc. In BPF, standard C pointer arithmetic does not
implicitly update the BTF type tracked by the verifier.
The verifier will still track sk as a struct socket, but with an added
offset. Because vfs_inode sits after socket in struct socket_alloc,
accessing i_ino uses an offset that exceeds sizeof(struct socket).
Should this use bpf_core_cast(sk, struct socket_alloc) to update the
verifier's tracked BTF type instead?
> }
> BPF_SEQ_PRINTF(seq, "%-8u %-8lu\n", s->sk_drops.counter, ino);
>
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260422183757.15069-1-suchitkarunakaran@gmail.com?part=1
prev parent reply other threads:[~2026-04-22 22:05 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-22 18:37 [PATCH] selftests/bpf: replace bpf_probe_read_kernel with direct access Suchit Karunakaran
2026-04-22 21:21 ` Alexei Starovoitov
2026-04-23 6:56 ` Suchit Karunakaran
2026-04-22 22:05 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260422220527.C1FA4C19425@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=sashiko@lists.linux.dev \
--cc=suchitkarunakaran@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox