Re: [PATCH] selftests/bpf: replace bpf_probe_read_kernel with direct access

[sashiko-bot@kernel.org]

Sashiko AI review found 2 potential issue(s):
- [Medium] BPF verifier will reject the program due to an out-of-bounds access on `SOCK_INODE(sk)->i_ino`.
- [Medium] BPF verifier will reject the program due to an invalid memory access when dereferencing `nlk->groups[0]`.
--

commit 9c46bc4644e11b2c3abf78e2ca55fa73028182f8
Author: Suchit Karunakaran <suchitkarunakaran@gmail.com>

selftests/bpf: replace bpf_probe_read_kernel with direct access

Use direct field access instead of bpf_probe_read_kernel() for
nlk->groups[0] and inode->i_ino, and clean up related code.

> diff --git a/tools/testing/selftests/bpf/progs/bpf_iter_netlink.c b/tools/testing/selftests/bpf/progs/bpf_iter_netlink.c
> index 00b2ceae81fb0..5930bf8899d21 100644
> --- a/tools/testing/selftests/bpf/progs/bpf_iter_netlink.c
> +++ b/tools/testing/selftests/bpf/progs/bpf_iter_netlink.c
> @@ -35,10 +34,7 @@ int dump_netlink(struct bpf_iter__netlink *ctx)
>  	if (!nlk->groups)  {
>  		group = 0;
>  	} else {
> -		/* FIXME: temporary use bpf_probe_read_kernel here, needs
> -		 * verifier support to do direct access.
> -		 */
> -		bpf_probe_read_kernel(&group, sizeof(group), &nlk->groups[0]);
> +		group = nlk->groups[0];

Does the verifier know the size of the memory pointed to by nlk->groups?

The groups field in struct netlink_sock is a pointer to a scalar
(unsigned long *). When the BPF program reads this pointer from the struct,
the verifier tracks it as a generic pointer with a known memory size of 0,
because BTF does not encode the size of the dynamically allocated array.

Will the direct array access nlk->groups[0] be rejected by the verifier's
bounds check?

>  	}
>  	BPF_SEQ_PRINTF(seq, "%-10u %08x %-8d %-8d %-5d %-8d ",
>  		       nlk->portid, (u32)group,
> @@ -50,12 +46,7 @@ int dump_netlink(struct bpf_iter__netlink *ctx)
>  	if (!sk) {
>  		ino = 0;
>  	} else {
> -		/* FIXME: container_of inside SOCK_INODE has a forced
> -		 * type conversion, and direct access cannot be used
> -		 * with current verifier.
> -		 */
> -		inode = SOCK_INODE(sk);
> -		bpf_probe_read_kernel(&ino, sizeof(ino), &inode->i_ino);
> +		ino = SOCK_INODE(sk)->i_ino;

Will the verifier reject this as an out-of-bounds access?

The SOCK_INODE macro relies on container_of to cast a struct socket pointer
to a struct socket_alloc. In BPF, standard C pointer arithmetic does not
implicitly update the BTF type tracked by the verifier.

The verifier will still track sk as a struct socket, but with an added
offset. Because vfs_inode sits after socket in struct socket_alloc,
accessing i_ino uses an offset that exceeds sizeof(struct socket).

Should this use bpf_core_cast(sk, struct socket_alloc) to update the
verifier's tracked BTF type instead?

>  	}
>  	BPF_SEQ_PRINTF(seq, "%-8u %-8lu\n", s->sk_drops.counter, ino);
>

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260422183757.15069-1-suchitkarunakaran@gmail.com?part=1