BPF List
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
Cc: bpf@vger.kernel.org
Subject: Re: [RFC PATCH 3/4] tracing: Add disable_bpf trace option to ignore eBPF for fetchargs
Date: Wed, 01 Jul 2026 14:02:47 +0000	[thread overview]
Message-ID: <20260701140248.5EB4A1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <178291355107.1566898.16400808380207816368.stgit@devnote2>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

New issues:
- [Medium] The `disable_bpf` trace option is improperly exposed to instance directories and non-BPF builds, creating a dead configuration knob that silently ignores user input.

Pre-existing issues:
- [High] The `IS_ERR()` check on the return value of `bpf_prog_select_runtime()` is broken, leading to a silent failure and an uninitialized memory leak to user-space.
- [High] An early `BPF_EXIT_INSN()` generated for memory fetch failures aborts the entire probe fetch program, leaking uninitialized memory for all subsequent arguments.
--

commit 87050ba78ea1f240fee455c53d7eb225ed51e533
Author: Masami Hiramatsu (Google) <mhiramat@kernel.org>

tracing: Add disable_bpf trace option to ignore eBPF for fetchargs
    
Add a trace option "disable_bpf" to disable BPF execution for fetchargs,
forcing the execution to fallback to the interpreter loop. This is useful
for evaluating BPF compilation performance impact.

> diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
> index 80fe152af1dd8..bf83680e0ba70 100644
> --- a/kernel/trace/trace.h
> +++ b/kernel/trace/trace.h
> @@ -1503,6 +1503,7 @@ extern int trace_get_user(struct trace_parser *parser, const char __user *ubuf,
>  		C(PAUSE_ON_TRACE,	"pause-on-trace"),	\
>  		C(HASH_PTR,		"hash-ptr"),	/* Print hashed pointer */ \
>  		C(BITMASK_LIST,		"bitmask-list"),	\
> +		C(DISABLE_BPF,		"disable_bpf"),		\

[Severity: Medium]
Does this option need an #ifdef CONFIG_BPF_SYSCALL wrapper? It appears this
unconditionally adds the flag, making it visible even on kernels built without
BPF support.

Additionally, since trace_probe_bpf_disabled() strictly checks
global_trace.trace_flags, toggling this option inside a local trace instance
directory won't have any effect. Should this be added to
TOP_LEVEL_TRACE_FLAGS in kernel/trace/trace.c to restrict it to the global
instance?

>  		FUNCTION_FLAGS					\
>  		FGRAPH_FLAGS					\
>  		STACK_FLAGS					\

[ ... ]


This isn't a bug introduced by this patch, but I noticed a couple of problems
in the previous patch of this series in kernel/trace/trace_probe.c.

[Severity: High]
This is a pre-existing issue, but in trace_probe_compile_bpf(),
bpf_prog_select_runtime() returns errors via its err pointer argument and
always returns a valid program pointer (or the original one), not an ERR_PTR:

    prog = bpf_prog_select_runtime(prog, &err);
    if (IS_ERR(prog))
        goto out;

Because IS_ERR(prog) is always false, won't this silently attach a dummy
program (__bpf_prog_ret0_warn) to the trace probe on JIT failure? This dummy
program immediately returns 0 without fetching arguments. Since
trace_event_buffer_reserve() doesn't zero-initialize the raw ring buffer space,
does this result in leaking uninitialized memory to user-space?


[Severity: High]
This isn't a bug introduced by this patch, but also in
trace_probe_compile_bpf(), when compiling memory fetch instructions:

    insns[i++] = BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1);
    insns[i++] = BPF_EXIT_INSN();

If copy_from_kernel_nofault() returns a negative error (e.g., from an invalid
pointer), doesn't this early exit terminate the entire BPF fetch program? Since
it stops processing any subsequent arguments, and trace_event_buffer_reserve()
doesn't zero-initialize the buffer, could this leak stale kernel ring buffer
memory to user space for all subsequent un-fetched arguments?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/178291352217.1566898.14481561093843379745.stgit@devnote2?part=3

  reply	other threads:[~2026-07-01 14:02 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-01 13:45 [RFC PATCH 0/4] tracing/probes: Optimize fetcharg with BPF Masami Hiramatsu (Google)
2026-07-01 13:45 ` [RFC PATCH 1/4] tools/tracing: Add fetcharg performance micro-benchmark Masami Hiramatsu (Google)
2026-07-01 13:53   ` sashiko-bot
2026-07-01 13:45 ` [RFC PATCH 2/4] tracing/probes: Compile all fetchargs into a single BPF program per event Masami Hiramatsu (Google)
2026-07-01 14:06   ` sashiko-bot
2026-07-01 18:41   ` Alexei Starovoitov
2026-07-01 18:47     ` Steven Rostedt
2026-07-01 18:53       ` Alexei Starovoitov
2026-07-01 22:40     ` Masami Hiramatsu
2026-07-02  0:01       ` Alexei Starovoitov
2026-07-02  1:01         ` Masami Hiramatsu
2026-07-02 14:04         ` Steven Rostedt
2026-07-01 13:45 ` [RFC PATCH 3/4] tracing: Add disable_bpf trace option to ignore eBPF for fetchargs Masami Hiramatsu (Google)
2026-07-01 14:02   ` sashiko-bot [this message]
2026-07-01 13:46 ` [RFC PATCH 4/4] selftests/ftrace: Add a test for eBPF compiled fetchargs Masami Hiramatsu (Google)
2026-07-01 13:53   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260701140248.5EB4A1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox