From: sashiko-bot@kernel.org
To: "Daniel Borkmann" <daniel@iogearbox.net>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v5 3/8] libbpf: Drop in-loader metadata check for load-time verification
Date: Tue, 07 Jul 2026 19:52:57 +0000 [thread overview]
Message-ID: <20260707195258.0F0681F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260707193104.350066-4-daniel@iogearbox.net>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] Removal of the 'excl' field from 'struct bpf_map' and the new requirement for 'fd_array_cnt > 0' on signed programs breaks backward compatibility with statically compiled userspace binaries containing BPF light skeletons generated by older versions of bpftool.
--
--- Patch [3]: [PATCH bpf-next v5 3/8] libbpf: Drop in-loader metadata check for load-time verification ---
commit 71f58a2f5fe9ee159ac24a6b1705395d7bc4519c
Author: Daniel Borkmann <daniel@iogearbox.net>
libbpf: Drop in-loader metadata check for load-time verification
The kernel now verifies the metadata at BPF_PROG_LOAD time by folding
the frozen contents of the loader's exclusive fd_array maps into the
signature, so the loader no longer checks anything itself. Generated
loaders thus carry no verification logic of their own anymore. The struct
bpf_map layout BUILD_BUG_ON()s on the kernel side are removed as well.
> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index adf53f7edf287..c1a98fa367381 100644
> --- a/include/linux/bpf.h
> +++ b/include/linux/bpf.h
> @@ -299,7 +299,6 @@ struct bpf_map_owner {
>
> struct bpf_map {
> u8 sha[SHA256_DIGEST_SIZE];
> - u32 excl;
> const struct bpf_map_ops *ops;
> struct bpf_map *inner_map_meta;
[Severity: Critical]
Does removing the excl field break backward compatibility with older
userspace binaries that contain statically compiled BPF light skeletons?
Older skeletons generated by bpftool (with gen_hash=true) include a BPF loader
that hardcodes a 4-byte read at offset 32 of struct bpf_map to verify the
signature by reading the excl field:
emit_signature_match()
...
emit(gen, BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, SHA256_DIGEST_LENGTH));
With the excl field removed, this offset now points to the 8-byte ops pointer
(on 64-bit platforms).
Will the BPF verifier's btf_struct_access() reject partial reads of pointers
and return -EACCES?
On 32-bit architectures, could this result in a pointer-to-scalar comparison
failing verification?
Will this cause existing, statically compiled binaries to unconditionally
fail to load on the new kernel?
[ ... ]
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index e898fad01aafe..358f2b0ce2bd3 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -1598,13 +1598,6 @@ static int map_create_alloc(union bpf_attr *attr, bpfptr_t uattr, struct bpf_ver
> err = -EFAULT;
> goto free_map;
> }
> -
> - /* See libbpf: emit_signature_match() */
> - BUILD_BUG_ON(offsetof(struct bpf_map, excl) != SHA256_DIGEST_SIZE);
[Severity: Critical]
Is it safe to remove this ABI contract guarantee?
Older generated loaders depend on this exact layout to successfully load.
[ ... ]
> diff --git a/tools/lib/bpf/skel_internal.h b/tools/lib/bpf/skel_internal.h
> index 74503d358bc8a..53fee53d36d51 100644
> --- a/tools/lib/bpf/skel_internal.h
> +++ b/tools/lib/bpf/skel_internal.h
[ ... ]
> @@ -400,6 +371,8 @@ static inline int bpf_load_and_run(struct bpf_load_and_run_opts *opts)
> #ifndef __KERNEL__
> attr.signature = (long) opts->signature;
> attr.signature_size = opts->signature_sz;
> + if (opts->signature)
> + attr.fd_array_cnt = 1;
[Severity: Critical]
Can relying on fd_array_cnt break old skeleton loaders?
The verifier in kernel/bpf/verifier.c:fd_array_get_map_idx() explicitly rejects
signed BPF programs that do not set fd_array_cnt:
if (env->signature) {
verbose(env, "signed program must bind maps via a continuous fd_array (fd_array_cnt)\n");
return -EACCES;
}
Since older bpftool-generated user-space stubs did not set fd_array_cnt,
will this cause all existing signed skeletons to fail to load on the new kernel?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260707193104.350066-1-daniel@iogearbox.net?part=3
next prev parent reply other threads:[~2026-07-07 19:52 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-07 19:30 [PATCH bpf-next v5 0/8] Verify BPF signed loader at load time Daniel Borkmann
2026-07-07 19:30 ` [PATCH bpf-next v5 1/8] bpf: Resolve and cache fd_array objects " Daniel Borkmann
2026-07-07 19:30 ` [PATCH bpf-next v5 2/8] bpf: Verify signed loader metadata " Daniel Borkmann
2026-07-07 19:55 ` sashiko-bot
2026-07-07 20:31 ` Daniel Borkmann
2026-07-07 19:30 ` [PATCH bpf-next v5 3/8] libbpf: Drop in-loader metadata check for load-time verification Daniel Borkmann
2026-07-07 19:52 ` sashiko-bot [this message]
2026-07-07 20:08 ` Daniel Borkmann
2026-07-07 19:31 ` [PATCH bpf-next v5 4/8] bpftool: Check EVP_Digest when computing excl_prog_hash Daniel Borkmann
2026-07-07 19:31 ` [PATCH bpf-next v5 5/8] bpftool: Cover loader metadata with the program signature Daniel Borkmann
2026-07-07 19:31 ` [PATCH bpf-next v5 6/8] selftests/bpf: Adjust bpf_map layout in verifier_map_ptr Daniel Borkmann
2026-07-07 19:50 ` sashiko-bot
2026-07-07 20:06 ` Daniel Borkmann
2026-07-07 19:31 ` [PATCH bpf-next v5 7/8] selftests/bpf: Verify load-time signed loader metadata Daniel Borkmann
2026-07-07 19:31 ` [PATCH bpf-next v5 8/8] Documentation/bpf: Add BPF signing and enforcement doc Daniel Borkmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260707195258.0F0681F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox