From: Leon Hwang <leon.hwang@linux.dev>
To: bot+bpf-ci@kernel.org, bpf@vger.kernel.org
Cc: ast@kernel.org, andrii@kernel.org, daniel@iogearbox.net,
yonghong.song@linux.dev, song@kernel.org, eddyz87@gmail.com,
qmo@kernel.org, dxu@dxuuu.xyz, kernel-patches-bot@fb.com,
martin.lau@kernel.org, clm@meta.com, ihor.solodrai@linux.dev
Subject: Re: [PATCH bpf-next v4 2/8] bpf: Introduce global percpu data
Date: Tue, 14 Apr 2026 22:19:22 +0800 [thread overview]
Message-ID: <fef2c9a0-c609-49f4-a165-890aaecfbfd8@linux.dev> (raw)
In-Reply-To: <72dbcacc4cf2e76dc9de3c045e2fe1f3454d8880197b0db92c7d994ca82dcab0@mail.kernel.org>
On 2026/4/14 22:10, bot+bpf-ci@kernel.org wrote:
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index 1757c5720503..8ec24d63a2c4 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -6362,7 +6362,8 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
>> if (tnum_is_const(reg->var_off) &&
>> bpf_map_is_rdonly(map) &&
>> map->ops->map_direct_value_addr &&
>> - map->map_type != BPF_MAP_TYPE_INSN_ARRAY) {
>> + map->map_type != BPF_MAP_TYPE_INSN_ARRAY &&
>> + map->map_type != BPF_MAP_TYPE_PERCPU_ARRAY) {
>
> This correctly prevents constant folding of percpu array values in
> check_mem_access(). However, should the same exclusion also be
> added to const_reg_xfer() in kernel/bpf/const_fold.c?
>
> That function has a parallel constant folding path via
> bpf_map_direct_read() that only excludes BPF_MAP_TYPE_INSN_ARRAY:
>
> kernel/bpf/const_fold.c:const_reg_xfer() {
> ...
> case BPF_LDX:
> ...
> if (!bpf_map_is_rdonly(map) ||
> !map->ops->map_direct_value_addr ||
> map->map_type == BPF_MAP_TYPE_INSN_ARRAY ||
> off < 0 || off + size > map->value_size ||
> bpf_map_direct_read(map, off, size, &val, is_ldsx)) {
> *dst = unknown;
> break;
> }
> ...
> }
>
> Since percpu_array_map_ops now has map_direct_value_addr set,
> bpf_map_direct_read() would dereference the raw percpu base pointer
> directly, rather than the actual per-cpu address. For a frozen
> read-only percpu array, the constant-folded value could differ from
> what the program reads at runtime after the BPF_MOV64_PERCPU_REG
> fixup converts the address to the correct per-cpu copy.
>
> In the v3 series, bpf_map_direct_read() itself had a guard
> (map->map_type != BPF_MAP_TYPE_ARRAY), which protected all callers.
> The v4 moved this to caller-side checks but appears to have missed
> const_reg_xfer().
>
>
Correct.
Will add a guard in bpf_map_direct_read() in the next revision:
if (map->map_type == BPF_MAP_TYPE_PERCPU_ARRAY)
return -EINVAL;
Thanks,
Leon
next prev parent reply other threads:[~2026-04-14 14:19 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-14 13:24 [PATCH bpf-next v4 0/8] bpf: Introduce global percpu data Leon Hwang
2026-04-14 13:24 ` [PATCH bpf-next v4 1/8] bpf: Drop duplicate blank lines in verifier Leon Hwang
2026-04-14 13:24 ` [PATCH bpf-next v4 2/8] bpf: Introduce global percpu data Leon Hwang
2026-04-14 14:10 ` bot+bpf-ci
2026-04-14 14:19 ` Leon Hwang [this message]
2026-04-15 2:19 ` Alexei Starovoitov
2026-04-17 1:30 ` Leon Hwang
2026-04-17 15:48 ` Leon Hwang
2026-04-17 17:03 ` Alexei Starovoitov
2026-04-14 13:24 ` [PATCH bpf-next v4 3/8] libbpf: Probe percpu data feature Leon Hwang
2026-04-14 13:24 ` [PATCH bpf-next v4 4/8] libbpf: Add support for global percpu data Leon Hwang
2026-04-14 13:24 ` [PATCH bpf-next v4 5/8] bpf: Update per-CPU maps using BPF_F_ALL_CPUS flag Leon Hwang
2026-04-14 21:02 ` sashiko-bot
2026-04-17 1:54 ` Leon Hwang
2026-04-15 2:21 ` Alexei Starovoitov
2026-04-17 1:33 ` Leon Hwang
2026-04-17 16:07 ` Leon Hwang
2026-04-14 13:24 ` [PATCH bpf-next v4 6/8] bpftool: Generate skeleton for global percpu data Leon Hwang
2026-04-14 21:26 ` sashiko-bot
2026-04-17 2:01 ` Leon Hwang
2026-04-14 13:24 ` [PATCH bpf-next v4 7/8] selftests/bpf: Add tests to verify " Leon Hwang
2026-04-14 21:45 ` sashiko-bot
2026-04-17 2:06 ` Leon Hwang
2026-04-14 13:24 ` [PATCH bpf-next v4 8/8] selftests/bpf: Add a test to verify bpf_iter for " Leon Hwang
2026-04-14 22:08 ` sashiko-bot
2026-04-17 2:17 ` Leon Hwang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fef2c9a0-c609-49f4-a165-890aaecfbfd8@linux.dev \
--to=leon.hwang@linux.dev \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bot+bpf-ci@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=clm@meta.com \
--cc=daniel@iogearbox.net \
--cc=dxu@dxuuu.xyz \
--cc=eddyz87@gmail.com \
--cc=ihor.solodrai@linux.dev \
--cc=kernel-patches-bot@fb.com \
--cc=martin.lau@kernel.org \
--cc=qmo@kernel.org \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox