* [PATCH bpf-next v2 0/3] bpf: Show precise rejected function when attaching to __noreturn and deny list functions
@ 2025-07-14 12:04 KaFai Wan
2025-07-14 12:04 ` [PATCH bpf-next v2 1/3] bpf: Show precise rejected function when attaching fexit/fmod_ret to __noreturn functions KaFai Wan
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: KaFai Wan @ 2025-07-14 12:04 UTC (permalink / raw)
To: ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song,
yonghong.song, kpsingh, sdf, haoluo, jolsa, mykolal, shuah,
mannkafai, laoar.shao, linux-kernel, bpf, linux-kselftest,
leon.hwang
Show precise rejected function when attaching fexit/fmod_ret to __noreturn
functions.
Add log for attaching tracing programs to functions in deny list.
Add selftest for attaching tracing programs to functions in deny list.
changes:
v2:
- change verifier log message (Alexei)
- add missing Suggested-by
v1:
https://lore.kernel.org/all/20250710162717.3808020-1-mannkafai@gmail.com/
---
KaFai Wan (3):
bpf: Show precise rejected function when attaching fexit/fmod_ret to
__noreturn functions
bpf: Add log for attaching tracing programs to functions in deny list
selftests/bpf: Add selftest for attaching tracing programs to
functions in deny list
kernel/bpf/verifier.c | 5 ++++-
.../selftests/bpf/prog_tests/tracing_deny.c | 11 +++++++++++
.../testing/selftests/bpf/progs/fexit_noreturns.c | 2 +-
tools/testing/selftests/bpf/progs/tracing_deny.c | 15 +++++++++++++++
4 files changed, 31 insertions(+), 2 deletions(-)
create mode 100644 tools/testing/selftests/bpf/prog_tests/tracing_deny.c
create mode 100644 tools/testing/selftests/bpf/progs/tracing_deny.c
--
2.43.0
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH bpf-next v2 1/3] bpf: Show precise rejected function when attaching fexit/fmod_ret to __noreturn functions
2025-07-14 12:04 [PATCH bpf-next v2 0/3] bpf: Show precise rejected function when attaching to __noreturn and deny list functions KaFai Wan
@ 2025-07-14 12:04 ` KaFai Wan
2025-07-14 12:04 ` [PATCH bpf-next v2 2/3] bpf: Add log for attaching tracing programs to functions in deny list KaFai Wan
2025-07-14 12:04 ` [PATCH bpf-next v2 3/3] selftests/bpf: Add selftest " KaFai Wan
2 siblings, 0 replies; 6+ messages in thread
From: KaFai Wan @ 2025-07-14 12:04 UTC (permalink / raw)
To: ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song,
yonghong.song, kpsingh, sdf, haoluo, jolsa, mykolal, shuah,
mannkafai, laoar.shao, linux-kernel, bpf, linux-kselftest,
leon.hwang
With this change, we know the precise rejected function name when
attaching fexit/fmod_ret to __noreturn functions from log.
$ ./fexit
libbpf: prog 'fexit': BPF program load failed: -EINVAL
libbpf: prog 'fexit': -- BEGIN PROG LOAD LOG --
Attaching fexit/fmod_ret to __noreturn function 'do_exit' is rejected.
Suggested-by: Leon Hwang <leon.hwang@linux.dev>
Signed-off-by: KaFai Wan <mannkafai@gmail.com>
---
kernel/bpf/verifier.c | 3 ++-
tools/testing/selftests/bpf/progs/fexit_noreturns.c | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index e2fcea860755..00d287814f12 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -23946,7 +23946,8 @@ static int check_attach_btf_id(struct bpf_verifier_env *env)
} else if ((prog->expected_attach_type == BPF_TRACE_FEXIT ||
prog->expected_attach_type == BPF_MODIFY_RETURN) &&
btf_id_set_contains(&noreturn_deny, btf_id)) {
- verbose(env, "Attaching fexit/fmod_ret to __noreturn functions is rejected.\n");
+ verbose(env, "Attaching fexit/fmod_ret to __noreturn function '%s' is rejected.\n",
+ tgt_info.tgt_name);
return -EINVAL;
}
diff --git a/tools/testing/selftests/bpf/progs/fexit_noreturns.c b/tools/testing/selftests/bpf/progs/fexit_noreturns.c
index 54654539f550..b1c33d958ae2 100644
--- a/tools/testing/selftests/bpf/progs/fexit_noreturns.c
+++ b/tools/testing/selftests/bpf/progs/fexit_noreturns.c
@@ -8,7 +8,7 @@
char _license[] SEC("license") = "GPL";
SEC("fexit/do_exit")
-__failure __msg("Attaching fexit/fmod_ret to __noreturn functions is rejected.")
+__failure __msg("Attaching fexit/fmod_ret to __noreturn function 'do_exit' is rejected.")
int BPF_PROG(noreturns)
{
return 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH bpf-next v2 2/3] bpf: Add log for attaching tracing programs to functions in deny list
2025-07-14 12:04 [PATCH bpf-next v2 0/3] bpf: Show precise rejected function when attaching to __noreturn and deny list functions KaFai Wan
2025-07-14 12:04 ` [PATCH bpf-next v2 1/3] bpf: Show precise rejected function when attaching fexit/fmod_ret to __noreturn functions KaFai Wan
@ 2025-07-14 12:04 ` KaFai Wan
2025-07-14 12:04 ` [PATCH bpf-next v2 3/3] selftests/bpf: Add selftest " KaFai Wan
2 siblings, 0 replies; 6+ messages in thread
From: KaFai Wan @ 2025-07-14 12:04 UTC (permalink / raw)
To: ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song,
yonghong.song, kpsingh, sdf, haoluo, jolsa, mykolal, shuah,
mannkafai, laoar.shao, linux-kernel, bpf, linux-kselftest,
leon.hwang
Show the rejected function name when attaching tracing programs to
functions in deny list.
With this change, we know why tracing programs can't attach to functions
like migrate_disable() from log.
$ ./fentry
libbpf: prog 'migrate_disable': BPF program load failed: -EINVAL
libbpf: prog 'migrate_disable': -- BEGIN PROG LOAD LOG --
Attaching tracing programs to function 'migrate_disable' is rejected.
Suggested-by: Leon Hwang <leon.hwang@linux.dev>
Signed-off-by: KaFai Wan <mannkafai@gmail.com>
---
kernel/bpf/verifier.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 00d287814f12..c24c0d57e595 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -23942,6 +23942,8 @@ static int check_attach_btf_id(struct bpf_verifier_env *env)
return ret;
} else if (prog->type == BPF_PROG_TYPE_TRACING &&
btf_id_set_contains(&btf_id_deny, btf_id)) {
+ verbose(env, "Attaching tracing programs to function '%s' is rejected.\n",
+ tgt_info.tgt_name);
return -EINVAL;
} else if ((prog->expected_attach_type == BPF_TRACE_FEXIT ||
prog->expected_attach_type == BPF_MODIFY_RETURN) &&
--
2.43.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH bpf-next v2 3/3] selftests/bpf: Add selftest for attaching tracing programs to functions in deny list
2025-07-14 12:04 [PATCH bpf-next v2 0/3] bpf: Show precise rejected function when attaching to __noreturn and deny list functions KaFai Wan
2025-07-14 12:04 ` [PATCH bpf-next v2 1/3] bpf: Show precise rejected function when attaching fexit/fmod_ret to __noreturn functions KaFai Wan
2025-07-14 12:04 ` [PATCH bpf-next v2 2/3] bpf: Add log for attaching tracing programs to functions in deny list KaFai Wan
@ 2025-07-14 12:04 ` KaFai Wan
2025-07-17 1:37 ` Alexei Starovoitov
2 siblings, 1 reply; 6+ messages in thread
From: KaFai Wan @ 2025-07-14 12:04 UTC (permalink / raw)
To: ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song,
yonghong.song, kpsingh, sdf, haoluo, jolsa, mykolal, shuah,
mannkafai, laoar.shao, linux-kernel, bpf, linux-kselftest,
leon.hwang
The reuslt:
$ tools/testing/selftests/bpf/test_progs --name=tracing_deny
#467/1 tracing_deny/migrate_disable:OK
#467 tracing_deny:OK
Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED
Signed-off-by: KaFai Wan <mannkafai@gmail.com>
---
.../selftests/bpf/prog_tests/tracing_deny.c | 11 +++++++++++
tools/testing/selftests/bpf/progs/tracing_deny.c | 15 +++++++++++++++
2 files changed, 26 insertions(+)
create mode 100644 tools/testing/selftests/bpf/prog_tests/tracing_deny.c
create mode 100644 tools/testing/selftests/bpf/progs/tracing_deny.c
diff --git a/tools/testing/selftests/bpf/prog_tests/tracing_deny.c b/tools/testing/selftests/bpf/prog_tests/tracing_deny.c
new file mode 100644
index 000000000000..460c59a9667f
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/tracing_deny.c
@@ -0,0 +1,11 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <test_progs.h>
+#include "tracing_deny.skel.h"
+
+void test_tracing_deny(void)
+{
+ /* migrate_disable depends on CONFIG_SMP */
+ if (libbpf_find_vmlinux_btf_id("migrate_disable", BPF_TRACE_FENTRY) > 0)
+ RUN_TESTS(tracing_deny);
+}
diff --git a/tools/testing/selftests/bpf/progs/tracing_deny.c b/tools/testing/selftests/bpf/progs/tracing_deny.c
new file mode 100644
index 000000000000..98ef834f0b6d
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/tracing_deny.c
@@ -0,0 +1,15 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include "bpf_misc.h"
+
+char _license[] SEC("license") = "GPL";
+
+SEC("fentry/migrate_disable")
+__failure __msg("Attaching tracing programs to function 'migrate_disable' is rejected.")
+int BPF_PROG(migrate_disable)
+{
+ return 0;
+}
--
2.43.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH bpf-next v2 3/3] selftests/bpf: Add selftest for attaching tracing programs to functions in deny list
2025-07-14 12:04 ` [PATCH bpf-next v2 3/3] selftests/bpf: Add selftest " KaFai Wan
@ 2025-07-17 1:37 ` Alexei Starovoitov
2025-07-17 14:18 ` KaFai Wan
0 siblings, 1 reply; 6+ messages in thread
From: Alexei Starovoitov @ 2025-07-17 1:37 UTC (permalink / raw)
To: KaFai Wan
Cc: Alexei Starovoitov, Daniel Borkmann, John Fastabend,
Andrii Nakryiko, Martin KaFai Lau, Eduard, Song Liu,
Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
Mykola Lysenko, Shuah Khan, Yafang Shao, LKML, bpf,
open list:KERNEL SELFTEST FRAMEWORK, Leon Hwang
On Mon, Jul 14, 2025 at 5:04 AM KaFai Wan <mannkafai@gmail.com> wrote:
>
> The reuslt:
>
> $ tools/testing/selftests/bpf/test_progs --name=tracing_deny
> #467/1 tracing_deny/migrate_disable:OK
> #467 tracing_deny:OK
> Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED
>
> Signed-off-by: KaFai Wan <mannkafai@gmail.com>
> ---
> .../selftests/bpf/prog_tests/tracing_deny.c | 11 +++++++++++
> tools/testing/selftests/bpf/progs/tracing_deny.c | 15 +++++++++++++++
> 2 files changed, 26 insertions(+)
> create mode 100644 tools/testing/selftests/bpf/prog_tests/tracing_deny.c
> create mode 100644 tools/testing/selftests/bpf/progs/tracing_deny.c
>
> diff --git a/tools/testing/selftests/bpf/prog_tests/tracing_deny.c b/tools/testing/selftests/bpf/prog_tests/tracing_deny.c
> new file mode 100644
> index 000000000000..460c59a9667f
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/tracing_deny.c
> @@ -0,0 +1,11 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +#include <test_progs.h>
> +#include "tracing_deny.skel.h"
> +
> +void test_tracing_deny(void)
> +{
> + /* migrate_disable depends on CONFIG_SMP */
> + if (libbpf_find_vmlinux_btf_id("migrate_disable", BPF_TRACE_FENTRY) > 0)
> + RUN_TESTS(tracing_deny);
> +}
> diff --git a/tools/testing/selftests/bpf/progs/tracing_deny.c b/tools/testing/selftests/bpf/progs/tracing_deny.c
> new file mode 100644
> index 000000000000..98ef834f0b6d
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/progs/tracing_deny.c
> @@ -0,0 +1,15 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +#include <linux/bpf.h>
> +#include <bpf/bpf_helpers.h>
> +#include <bpf/bpf_tracing.h>
> +#include "bpf_misc.h"
> +
> +char _license[] SEC("license") = "GPL";
> +
> +SEC("fentry/migrate_disable")
> +__failure __msg("Attaching tracing programs to function 'migrate_disable' is rejected.")
> +int BPF_PROG(migrate_disable)
> +{
> + return 0;
> +}
Please roll these two tiny files into existing files in progs/ and prog_tests/
directories.
Every file takes time to compile 4 times, so let's avoid unnecessary overhead.
--
pw-bot: cr
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH bpf-next v2 3/3] selftests/bpf: Add selftest for attaching tracing programs to functions in deny list
2025-07-17 1:37 ` Alexei Starovoitov
@ 2025-07-17 14:18 ` KaFai Wan
0 siblings, 0 replies; 6+ messages in thread
From: KaFai Wan @ 2025-07-17 14:18 UTC (permalink / raw)
To: Alexei Starovoitov
Cc: Alexei Starovoitov, Daniel Borkmann, John Fastabend,
Andrii Nakryiko, Martin KaFai Lau, Eduard, Song Liu,
Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
Mykola Lysenko, Shuah Khan, Yafang Shao, LKML, bpf,
open list:KERNEL SELFTEST FRAMEWORK, Leon Hwang
On Wed, 2025-07-16 at 18:37 -0700, Alexei Starovoitov wrote:
> On Mon, Jul 14, 2025 at 5:04 AM KaFai Wan <mannkafai@gmail.com>
> wrote:
> >
> > The reuslt:
> >
> > $ tools/testing/selftests/bpf/test_progs --name=tracing_deny
> > #467/1 tracing_deny/migrate_disable:OK
> > #467 tracing_deny:OK
> > Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED
> >
> > Signed-off-by: KaFai Wan <mannkafai@gmail.com>
> > ---
> > .../selftests/bpf/prog_tests/tracing_deny.c | 11 +++++++++++
> > tools/testing/selftests/bpf/progs/tracing_deny.c | 15
> > +++++++++++++++
> > 2 files changed, 26 insertions(+)
> > create mode 100644
> > tools/testing/selftests/bpf/prog_tests/tracing_deny.c
> > create mode 100644
> > tools/testing/selftests/bpf/progs/tracing_deny.c
> >
> > diff --git a/tools/testing/selftests/bpf/prog_tests/tracing_deny.c
> > b/tools/testing/selftests/bpf/prog_tests/tracing_deny.c
> > new file mode 100644
> > index 000000000000..460c59a9667f
> > --- /dev/null
> > +++ b/tools/testing/selftests/bpf/prog_tests/tracing_deny.c
> > @@ -0,0 +1,11 @@
> > +// SPDX-License-Identifier: GPL-2.0
> > +
> > +#include <test_progs.h>
> > +#include "tracing_deny.skel.h"
> > +
> > +void test_tracing_deny(void)
> > +{
> > + /* migrate_disable depends on CONFIG_SMP */
> > + if (libbpf_find_vmlinux_btf_id("migrate_disable",
> > BPF_TRACE_FENTRY) > 0)
> > + RUN_TESTS(tracing_deny);
> > +}
> > diff --git a/tools/testing/selftests/bpf/progs/tracing_deny.c
> > b/tools/testing/selftests/bpf/progs/tracing_deny.c
> > new file mode 100644
> > index 000000000000..98ef834f0b6d
> > --- /dev/null
> > +++ b/tools/testing/selftests/bpf/progs/tracing_deny.c
> > @@ -0,0 +1,15 @@
> > +// SPDX-License-Identifier: GPL-2.0
> > +
> > +#include <linux/bpf.h>
> > +#include <bpf/bpf_helpers.h>
> > +#include <bpf/bpf_tracing.h>
> > +#include "bpf_misc.h"
> > +
> > +char _license[] SEC("license") = "GPL";
> > +
> > +SEC("fentry/migrate_disable")
> > +__failure __msg("Attaching tracing programs to function
> > 'migrate_disable' is rejected.")
> > +int BPF_PROG(migrate_disable)
> > +{
> > + return 0;
> > +}
>
> Please roll these two tiny files into existing files in progs/ and
> prog_tests/
> directories.
> Every file takes time to compile 4 times, so let's avoid unnecessary
> overhead.
>
Okay, will update it in v3.
> --
> pw-bot: cr
--
Thanks,
KaFai
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2025-07-17 14:18 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-07-14 12:04 [PATCH bpf-next v2 0/3] bpf: Show precise rejected function when attaching to __noreturn and deny list functions KaFai Wan
2025-07-14 12:04 ` [PATCH bpf-next v2 1/3] bpf: Show precise rejected function when attaching fexit/fmod_ret to __noreturn functions KaFai Wan
2025-07-14 12:04 ` [PATCH bpf-next v2 2/3] bpf: Add log for attaching tracing programs to functions in deny list KaFai Wan
2025-07-14 12:04 ` [PATCH bpf-next v2 3/3] selftests/bpf: Add selftest " KaFai Wan
2025-07-17 1:37 ` Alexei Starovoitov
2025-07-17 14:18 ` KaFai Wan
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).