From: Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
To: sashiko@lists.linux.dev, Alan Maguire <alan.maguire@oracle.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next 5/6] selftests/bpf: Test BTF sanitization rejection for invalid vlen
Date: Wed, 15 Apr 2026 17:03:17 +0100 [thread overview]
Message-ID: <235f4a5d-c5fc-4980-a075-284e966c4fc6@gmail.com> (raw)
In-Reply-To: <20260414222624.A722AC19425@smtp.kernel.org>
On 4/14/26 11:26 PM, sashiko-bot@kernel.org wrote:
> Sashiko AI review found 3 potential issue(s):
> - [Low] Leaking the BTF object on unexpected success of sanitization.
> - [Low] Lack of error checks for BTF construction calls.
> - [Low] Using `BTF_MAX_VLEN` as the `byte_sz` argument in `btf__add_datasec()`.
> --
>
> commit 9c5af444155b34aa840793bf185bc0c0aaa04f3f
> Author: Alan Maguire <alan.maguire@oracle.com>
>
> selftests/bpf: Test BTF sanitization rejection for invalid vlen
>
> This patch adds a selftest to verify that BTF objects with extended vlen
> are properly rejected by kernels that do not support the extended feature.
> It simulates the lack of support using the feature cache and checks if
> sanitization fails when the vlen limit is surpassed.
>
>> diff --git a/tools/testing/selftests/bpf/prog_tests/btf_sanitize.c b/tools/testing/selftests/bpf/prog_tests/btf_sanitize.c
>> index 652b51efafc27..f41cea5a769a2 100644
>> --- a/tools/testing/selftests/bpf/prog_tests/btf_sanitize.c
>> +++ b/tools/testing/selftests/bpf/prog_tests/btf_sanitize.c
> [ ... ]
>> @@ -95,3 +95,65 @@ void test_btf_sanitize_layout(void)
>> +static void test_btf_sanitize_extended(void)
>> +{
> [ ... ]
>> + btf = btf__new_empty();
>> + if (!ASSERT_OK_PTR(btf, "empty_btf"))
>> + goto out;
>> + btf__add_int(btf, "int", 4, BTF_INT_SIGNED);
>> + btf__add_var(btf, "var1", 0, 1);
>
> Are we missing error checks on these btf__add_*() calls?
>
> If any of these allocations silently fail, the test might proceed with an
> incomplete BTF object that hasn't actually surpassed the vlen limit. This
> would cause the subsequent bpf_object__sanitize_btf() call to unexpectedly
> succeed, failing the test for the wrong reason.
>
>> + btf__add_datasec(btf, "datasec1", BTF_MAX_VLEN);
>
> Is it intentional to use BTF_MAX_VLEN for the byte_sz argument here?
>
> BTF_MAX_VLEN is a bitmask representing the maximum number of items, not a byte
> size. Using a proper calculated byte size like 0x10000 * 4 might be clearer.
>
>> + for (i = 0; i <= 0xffff; i++)
>> + btf__add_datasec_var_info(btf, 2, i * 4, 4);
>> +
>> + /* Sanitization should fail here as vlen surpasses unextended limit. */
>> + sanitized = bpf_object__sanitize_btf(skel->obj, btf);
>> + if (!ASSERT_ERR_PTR(sanitized, "bpf_object__sanitize_btf_should_fail")) {
>> + sanitized = NULL;
>
> If the first bpf_object__sanitize_btf() call unexpectedly succeeds, sanitized
> will hold a valid pointer.
>
> Doesn't setting it to NULL before the goto out path leak the memory, since
> btf__free(sanitized) will be called with a NULL pointer at the end of the
> function?
>
This is no leak, but setting to NULL is not needed, because btf__free()
checks IS_ERR_OR_NULL(btf).
>> + goto out;
>> + }
>> + /* Now switch extended feature on and ensure success. */
>
next prev parent reply other threads:[~2026-04-15 16:03 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-14 19:50 [PATCH bpf-next 0/6] btf: Extend vlen, kind in struct btf_type Alan Maguire
2026-04-14 19:50 ` [PATCH bpf-next 1/6] bpf: Extend BTF UAPI vlen, kinds to use unused bits Alan Maguire
2026-04-14 20:42 ` bot+bpf-ci
2026-04-14 21:11 ` sashiko-bot
2026-04-15 15:48 ` Mykyta Yatsenko
2026-04-14 19:50 ` [PATCH bpf-next 2/6] libbpf: Adjust btf_vlen() to return a __u32 Alan Maguire
2026-04-14 21:39 ` sashiko-bot
2026-04-14 19:50 ` [PATCH bpf-next 3/6] libbpf: Add feature for kernel extended vlen/kind support Alan Maguire
2026-04-14 20:29 ` bot+bpf-ci
2026-04-14 21:58 ` sashiko-bot
2026-04-15 1:56 ` Alexei Starovoitov
2026-04-15 15:57 ` Mykyta Yatsenko
2026-04-16 8:57 ` Alan Maguire
2026-04-16 14:15 ` Alexei Starovoitov
2026-04-14 19:50 ` [PATCH bpf-next 4/6] bpftool: Support 24-bit vlen Alan Maguire
2026-04-14 22:12 ` sashiko-bot
2026-04-14 19:50 ` [PATCH bpf-next 5/6] selftests/bpf: Test BTF sanitization rejection for invalid vlen Alan Maguire
2026-04-14 22:26 ` sashiko-bot
2026-04-15 16:03 ` Mykyta Yatsenko [this message]
2026-04-14 19:50 ` [PATCH bpf-next 6/6] selftests/bpf: Fix up btf/invalid test for extended kind Alan Maguire
2026-04-14 22:32 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=235f4a5d-c5fc-4980-a075-284e966c4fc6@gmail.com \
--to=mykyta.yatsenko5@gmail.com \
--cc=alan.maguire@oracle.com \
--cc=bpf@vger.kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox