[PATCHv3 perf/core 0/6] uprobe,bpf: Allow to change app registers from uprobe registers

[PATCHv3 perf/core 0/6] uprobe,bpf: Allow to change app registers from uprobe registers

[Jiri Olsa]

hi,
we recently had several requests for tetragon to be able to change
user application function return value or divert its execution through
instruction pointer change.

This patchset adds support for uprobe program to change app's registers
including instruction pointer.

v3 changes:
- deny attach of kprobe,multi with kprobe_write_ctx set [Alexei]
- added more tests for denied kprobe attachment

thanks,
jirka


---
Jiri Olsa (6):
      bpf: Allow uprobe program to change context registers
      uprobe: Do not emulate/sstep original instruction when ip is changed
      selftests/bpf: Add uprobe context registers changes test
      selftests/bpf: Add uprobe context ip register change test
      selftests/bpf: Add kprobe write ctx attach test
      selftests/bpf: Add kprobe multi write ctx attach test

 include/linux/bpf.h                                        |   1 +
 kernel/events/core.c                                       |   4 +++
 kernel/events/uprobes.c                                    |   7 +++++
 kernel/trace/bpf_trace.c                                   |   7 +++--
 tools/testing/selftests/bpf/prog_tests/attach_probe.c      |  28 +++++++++++++++++
 tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c |  27 ++++++++++++++++
 tools/testing/selftests/bpf/prog_tests/uprobe.c            | 156 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 tools/testing/selftests/bpf/progs/kprobe_write_ctx.c       |  22 +++++++++++++
 tools/testing/selftests/bpf/progs/test_uprobe.c            |  38 +++++++++++++++++++++++
 9 files changed, 287 insertions(+), 3 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/progs/kprobe_write_ctx.c

[PATCHv3 perf/core 1/6] bpf: Allow uprobe program to change context registers

[Jiri Olsa]

Currently uprobe (BPF_PROG_TYPE_KPROBE) program can't write to the
context registers data. While this makes sense for kprobe attachments,
for uprobe attachment it might make sense to be able to change user
space registers to alter application execution.

Since uprobe and kprobe programs share the same type (BPF_PROG_TYPE_KPROBE),
we can't deny write access to context during the program load. We need
to check on it during program attachment to see if it's going to be
kprobe or uprobe.

Storing the program's write attempt to context and checking on it
during the attachment.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
---
 include/linux/bpf.h      | 1 +
 kernel/events/core.c     | 4 ++++
 kernel/trace/bpf_trace.c | 7 +++++--
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index cc700925b802..404a30cde84e 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -1619,6 +1619,7 @@ struct bpf_prog_aux {
 	bool priv_stack_requested;
 	bool changes_pkt_data;
 	bool might_sleep;
+	bool kprobe_write_ctx;
 	u64 prog_array_member_cnt; /* counts how many times as member of prog_array */
 	struct mutex ext_mutex; /* mutex for is_extended and prog_array_member_cnt */
 	struct bpf_arena *arena;
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 28de3baff792..c3f37b266fc4 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -11238,6 +11238,10 @@ static int __perf_event_set_bpf_prog(struct perf_event *event,
 	if (prog->kprobe_override && !is_kprobe)
 		return -EINVAL;
 
+	/* Writing to context allowed only for uprobes. */
+	if (prog->aux->kprobe_write_ctx && !is_uprobe)
+		return -EINVAL;
+
 	if (is_tracepoint || is_syscall_tp) {
 		int off = trace_event_get_offsets(event->tp_event);
 
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 3ae52978cae6..dfb19e773afa 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -1521,8 +1521,6 @@ static bool kprobe_prog_is_valid_access(int off, int size, enum bpf_access_type
 {
 	if (off < 0 || off >= sizeof(struct pt_regs))
 		return false;
-	if (type != BPF_READ)
-		return false;
 	if (off % size != 0)
 		return false;
 	/*
@@ -1532,6 +1530,7 @@ static bool kprobe_prog_is_valid_access(int off, int size, enum bpf_access_type
 	if (off + size > sizeof(struct pt_regs))
 		return false;
 
+	prog->aux->kprobe_write_ctx |= type == BPF_WRITE;
 	return true;
 }
 
@@ -2913,6 +2912,10 @@ int bpf_kprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr
 	if (!is_kprobe_multi(prog))
 		return -EINVAL;
 
+	/* Writing to context is not allowed for kprobes. */
+	if (prog->aux->kprobe_write_ctx)
+		return -EINVAL;
+
 	flags = attr->link_create.kprobe_multi.flags;
 	if (flags & ~BPF_F_KPROBE_MULTI_RETURN)
 		return -EINVAL;
-- 
2.51.0

[PATCHv3 perf/core 2/6] uprobe: Do not emulate/sstep original instruction when ip is changed

[Jiri Olsa]

If uprobe handler changes instruction pointer we still execute single
step) or emulate the original instruction and increment the (new) ip
with its length.

This makes the new instruction pointer bogus and application will
likely crash on illegal instruction execution.

If user decided to take execution elsewhere, it makes little sense
to execute the original instruction, so let's skip it.

Acked-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
---
 kernel/events/uprobes.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index 996a81080d56..4f46018e507e 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -2768,6 +2768,13 @@ static void handle_swbp(struct pt_regs *regs)
 	/* Try to optimize after first hit. */
 	arch_uprobe_optimize(&uprobe->arch, bp_vaddr);
 
+	/*
+	 * If user decided to take execution elsewhere, it makes little sense
+	 * to execute the original instruction, so let's skip it.
+	 */
+	if (instruction_pointer(regs) != bp_vaddr)
+		goto out;
+
 	if (arch_uprobe_skip_sstep(&uprobe->arch, regs))
 		goto out;
 
-- 
2.51.0

[PATCHv3 perf/core 3/6] selftests/bpf: Add uprobe context registers changes test

[Jiri Olsa]

Adding test to check we can change common register values through
uprobe program.

It's x86_64 specific test.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
---
 .../testing/selftests/bpf/prog_tests/uprobe.c | 114 +++++++++++++++++-
 .../testing/selftests/bpf/progs/test_uprobe.c |  24 ++++
 2 files changed, 137 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/bpf/prog_tests/uprobe.c b/tools/testing/selftests/bpf/prog_tests/uprobe.c
index cf3e0e7a64fa..19dd900df188 100644
--- a/tools/testing/selftests/bpf/prog_tests/uprobe.c
+++ b/tools/testing/selftests/bpf/prog_tests/uprobe.c
@@ -2,6 +2,7 @@
 /* Copyright (c) 2023 Hengqi Chen */
 
 #include <test_progs.h>
+#include <asm/ptrace.h>
 #include "test_uprobe.skel.h"
 
 static FILE *urand_spawn(int *pid)
@@ -33,7 +34,7 @@ static int urand_trigger(FILE **urand_pipe)
 	return exit_code;
 }
 
-void test_uprobe(void)
+static void test_uprobe_attach(void)
 {
 	LIBBPF_OPTS(bpf_uprobe_opts, uprobe_opts);
 	struct test_uprobe *skel;
@@ -93,3 +94,114 @@ void test_uprobe(void)
 		pclose(urand_pipe);
 	test_uprobe__destroy(skel);
 }
+
+#ifdef __x86_64__
+__naked __maybe_unused unsigned long uprobe_regs_change_trigger(void)
+{
+	asm volatile (
+		"ret\n"
+	);
+}
+
+static __naked void uprobe_regs_change(struct pt_regs *before, struct pt_regs *after)
+{
+	asm volatile (
+		"movq %r11,  48(%rdi)\n"
+		"movq %r10,  56(%rdi)\n"
+		"movq  %r9,  64(%rdi)\n"
+		"movq  %r8,  72(%rdi)\n"
+		"movq %rax,  80(%rdi)\n"
+		"movq %rcx,  88(%rdi)\n"
+		"movq %rdx,  96(%rdi)\n"
+		"movq %rsi, 104(%rdi)\n"
+		"movq %rdi, 112(%rdi)\n"
+
+		/* save 2nd argument */
+		"pushq %rsi\n"
+		"call uprobe_regs_change_trigger\n"
+
+		/* save  return value and load 2nd argument pointer to rax */
+		"pushq %rax\n"
+		"movq 8(%rsp), %rax\n"
+
+		"movq %r11,  48(%rax)\n"
+		"movq %r10,  56(%rax)\n"
+		"movq  %r9,  64(%rax)\n"
+		"movq  %r8,  72(%rax)\n"
+		"movq %rcx,  88(%rax)\n"
+		"movq %rdx,  96(%rax)\n"
+		"movq %rsi, 104(%rax)\n"
+		"movq %rdi, 112(%rax)\n"
+
+		/* restore return value and 2nd argument */
+		"pop %rax\n"
+		"pop %rsi\n"
+
+		"movq %rax,  80(%rsi)\n"
+		"ret\n"
+	);
+}
+
+static void regs_common(void)
+{
+	struct pt_regs before = {}, after = {}, expected = {
+		.rax = 0xc0ffe,
+		.rcx = 0xbad,
+		.rdx = 0xdead,
+		.r8  = 0x8,
+		.r9  = 0x9,
+		.r10 = 0x10,
+		.r11 = 0x11,
+		.rdi = 0x12,
+		.rsi = 0x13,
+	};
+	LIBBPF_OPTS(bpf_uprobe_opts, uprobe_opts);
+	struct test_uprobe *skel;
+
+	skel = test_uprobe__open_and_load();
+	if (!ASSERT_OK_PTR(skel, "skel_open"))
+		return;
+
+	skel->bss->my_pid = getpid();
+	skel->bss->regs = expected;
+
+	uprobe_opts.func_name = "uprobe_regs_change_trigger";
+	skel->links.test_regs_change = bpf_program__attach_uprobe_opts(skel->progs.test_regs_change,
+							    -1,
+							    "/proc/self/exe",
+							    0 /* offset */,
+							    &uprobe_opts);
+	if (!ASSERT_OK_PTR(skel->links.test_regs_change, "bpf_program__attach_uprobe_opts"))
+		goto cleanup;
+
+	uprobe_regs_change(&before, &after);
+
+	ASSERT_EQ(after.rax, expected.rax, "ax");
+	ASSERT_EQ(after.rcx, expected.rcx, "cx");
+	ASSERT_EQ(after.rdx, expected.rdx, "dx");
+	ASSERT_EQ(after.r8,  expected.r8,  "r8");
+	ASSERT_EQ(after.r9,  expected.r9,  "r9");
+	ASSERT_EQ(after.r10, expected.r10, "r10");
+	ASSERT_EQ(after.r11, expected.r11, "r11");
+	ASSERT_EQ(after.rdi, expected.rdi, "rdi");
+	ASSERT_EQ(after.rsi, expected.rsi, "rsi");
+
+cleanup:
+	test_uprobe__destroy(skel);
+}
+
+static void test_uprobe_regs_change(void)
+{
+	if (test__start_subtest("regs_change_common"))
+		regs_common();
+}
+#else
+static void test_uprobe_regs_change(void) { }
+#endif
+
+void test_uprobe(void)
+{
+	if (test__start_subtest("attach"))
+		test_uprobe_attach();
+	test_uprobe_regs_change();
+}
diff --git a/tools/testing/selftests/bpf/progs/test_uprobe.c b/tools/testing/selftests/bpf/progs/test_uprobe.c
index 896c88a4960d..9437bd76a437 100644
--- a/tools/testing/selftests/bpf/progs/test_uprobe.c
+++ b/tools/testing/selftests/bpf/progs/test_uprobe.c
@@ -59,3 +59,27 @@ int BPF_UPROBE(test4)
 	test4_result = 1;
 	return 0;
 }
+
+#if defined(__TARGET_ARCH_x86)
+struct pt_regs regs;
+
+SEC("uprobe")
+int BPF_UPROBE(test_regs_change)
+{
+	pid_t pid = bpf_get_current_pid_tgid() >> 32;
+
+	if (pid != my_pid)
+		return 0;
+
+	ctx->ax  = regs.ax;
+	ctx->cx  = regs.cx;
+	ctx->dx  = regs.dx;
+	ctx->r8  = regs.r8;
+	ctx->r9  = regs.r9;
+	ctx->r10 = regs.r10;
+	ctx->r11 = regs.r11;
+	ctx->di  = regs.di;
+	ctx->si  = regs.si;
+	return 0;
+}
+#endif
-- 
2.51.0

[PATCHv3 perf/core 4/6] selftests/bpf: Add uprobe context ip register change test

[Jiri Olsa]

Adding test to check we can change the application execution
through instruction pointer change through uprobe program.

It's x86_64 specific test.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
---
 .../testing/selftests/bpf/prog_tests/uprobe.c | 42 +++++++++++++++++++
 .../testing/selftests/bpf/progs/test_uprobe.c | 14 +++++++
 2 files changed, 56 insertions(+)

diff --git a/tools/testing/selftests/bpf/prog_tests/uprobe.c b/tools/testing/selftests/bpf/prog_tests/uprobe.c
index 19dd900df188..86404476c1da 100644
--- a/tools/testing/selftests/bpf/prog_tests/uprobe.c
+++ b/tools/testing/selftests/bpf/prog_tests/uprobe.c
@@ -190,10 +190,52 @@ static void regs_common(void)
 	test_uprobe__destroy(skel);
 }
 
+static noinline unsigned long uprobe_regs_change_ip_1(void)
+{
+	return 0xc0ffee;
+}
+
+static noinline unsigned long uprobe_regs_change_ip_2(void)
+{
+	return 0xdeadbeef;
+}
+
+static void regs_ip(void)
+{
+	LIBBPF_OPTS(bpf_uprobe_opts, uprobe_opts);
+	struct test_uprobe *skel;
+	unsigned long ret;
+
+	skel = test_uprobe__open_and_load();
+	if (!ASSERT_OK_PTR(skel, "skel_open"))
+		return;
+
+	skel->bss->my_pid = getpid();
+	skel->bss->ip = (unsigned long) uprobe_regs_change_ip_2;
+
+	uprobe_opts.func_name = "uprobe_regs_change_ip_1";
+	skel->links.test_regs_change_ip = bpf_program__attach_uprobe_opts(
+						skel->progs.test_regs_change_ip,
+						-1,
+						"/proc/self/exe",
+						0 /* offset */,
+						&uprobe_opts);
+	if (!ASSERT_OK_PTR(skel->links.test_regs_change_ip, "bpf_program__attach_uprobe_opts"))
+		goto cleanup;
+
+	ret = uprobe_regs_change_ip_1();
+	ASSERT_EQ(ret, 0xdeadbeef, "ret");
+
+cleanup:
+	test_uprobe__destroy(skel);
+}
+
 static void test_uprobe_regs_change(void)
 {
 	if (test__start_subtest("regs_change_common"))
 		regs_common();
+	if (test__start_subtest("regs_change_ip"))
+		regs_ip();
 }
 #else
 static void test_uprobe_regs_change(void) { }
diff --git a/tools/testing/selftests/bpf/progs/test_uprobe.c b/tools/testing/selftests/bpf/progs/test_uprobe.c
index 9437bd76a437..12f4065fca20 100644
--- a/tools/testing/selftests/bpf/progs/test_uprobe.c
+++ b/tools/testing/selftests/bpf/progs/test_uprobe.c
@@ -82,4 +82,18 @@ int BPF_UPROBE(test_regs_change)
 	ctx->si  = regs.si;
 	return 0;
 }
+
+unsigned long ip;
+
+SEC("uprobe")
+int BPF_UPROBE(test_regs_change_ip)
+{
+	pid_t pid = bpf_get_current_pid_tgid() >> 32;
+
+	if (pid != my_pid)
+		return 0;
+
+	ctx->ip = ip;
+	return 0;
+}
 #endif
-- 
2.51.0

[PATCHv3 perf/core 5/6] selftests/bpf: Add kprobe write ctx attach test

[Jiri Olsa]

Adding test to check we can't attach standard kprobe program that
writes to the context.

It's x86_64 specific test.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
---
 .../selftests/bpf/prog_tests/attach_probe.c   | 28 +++++++++++++++++++
 .../selftests/bpf/progs/kprobe_write_ctx.c    | 15 ++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/progs/kprobe_write_ctx.c

diff --git a/tools/testing/selftests/bpf/prog_tests/attach_probe.c b/tools/testing/selftests/bpf/prog_tests/attach_probe.c
index cabc51c2ca6b..9e77e5da7097 100644
--- a/tools/testing/selftests/bpf/prog_tests/attach_probe.c
+++ b/tools/testing/selftests/bpf/prog_tests/attach_probe.c
@@ -3,6 +3,7 @@
 #include "test_attach_kprobe_sleepable.skel.h"
 #include "test_attach_probe_manual.skel.h"
 #include "test_attach_probe.skel.h"
+#include "kprobe_write_ctx.skel.h"
 
 /* this is how USDT semaphore is actually defined, except volatile modifier */
 volatile unsigned short uprobe_ref_ctr __attribute__((unused)) __attribute((section(".probes")));
@@ -201,6 +202,31 @@ static void test_attach_kprobe_long_event_name(void)
 	test_attach_probe_manual__destroy(skel);
 }
 
+#ifdef __x86_64__
+/* attach kprobe/kretprobe long event name testings */
+static void test_attach_kprobe_write_ctx(void)
+{
+	struct kprobe_write_ctx *skel = NULL;
+	struct bpf_link *link = NULL;
+
+	skel = kprobe_write_ctx__open_and_load();
+	if (!ASSERT_OK_PTR(skel, "kprobe_write_ctx__open_and_load"))
+		return;
+
+	link = bpf_program__attach_kprobe_opts(skel->progs.kprobe_write_ctx,
+					     "bpf_fentry_test1", NULL);
+	if (!ASSERT_ERR_PTR(link, "bpf_program__attach_kprobe_opts"))
+		bpf_link__destroy(link);
+
+	kprobe_write_ctx__destroy(skel);
+}
+#else
+static void test_attach_kprobe_write_ctx(void)
+{
+	test__skip();
+}
+#endif
+
 static void test_attach_probe_auto(struct test_attach_probe *skel)
 {
 	struct bpf_link *uprobe_err_link;
@@ -406,6 +432,8 @@ void test_attach_probe(void)
 		test_attach_uprobe_long_event_name();
 	if (test__start_subtest("kprobe-long_name"))
 		test_attach_kprobe_long_event_name();
+	if (test__start_subtest("kprobe-write-ctx"))
+		test_attach_kprobe_write_ctx();
 
 cleanup:
 	test_attach_probe__destroy(skel);
diff --git a/tools/testing/selftests/bpf/progs/kprobe_write_ctx.c b/tools/testing/selftests/bpf/progs/kprobe_write_ctx.c
new file mode 100644
index 000000000000..4621a5bef4e2
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/kprobe_write_ctx.c
@@ -0,0 +1,15 @@
+// SPDX-License-Identifier: GPL-2.0
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+
+char _license[] SEC("license") = "GPL";
+
+#if defined(__TARGET_ARCH_x86)
+SEC("kprobe")
+int kprobe_write_ctx(struct pt_regs *ctx)
+{
+	ctx->ax = 0;
+	return 0;
+}
+#endif
-- 
2.51.0

[PATCHv3 perf/core 6/6] selftests/bpf: Add kprobe multi write ctx attach test

[Jiri Olsa]

Adding test to check we can't attach kprobe multi program
that writes to the context.

It's x86_64 specific test.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
---
 .../bpf/prog_tests/kprobe_multi_test.c        | 27 +++++++++++++++++++
 .../selftests/bpf/progs/kprobe_write_ctx.c    |  7 +++++
 2 files changed, 34 insertions(+)

diff --git a/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c b/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c
index e19ef509ebf8..bc52389217e2 100644
--- a/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c
+++ b/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c
@@ -7,6 +7,7 @@
 #include "kprobe_multi_session.skel.h"
 #include "kprobe_multi_session_cookie.skel.h"
 #include "kprobe_multi_verifier.skel.h"
+#include "kprobe_write_ctx.skel.h"
 #include "bpf/libbpf_internal.h"
 #include "bpf/hashmap.h"
 
@@ -753,6 +754,30 @@ static void test_attach_override(void)
 	kprobe_multi_override__destroy(skel);
 }
 
+#ifdef __x86_64__
+static void test_attach_write_ctx(void)
+{
+	struct kprobe_write_ctx *skel = NULL;
+	struct bpf_link *link = NULL;
+
+	skel = kprobe_write_ctx__open_and_load();
+	if (!ASSERT_OK_PTR(skel, "kprobe_write_ctx__open_and_load"))
+		return;
+
+	link = bpf_program__attach_kprobe_opts(skel->progs.kprobe_multi_write_ctx,
+						     "bpf_fentry_test1", NULL);
+	if (!ASSERT_ERR_PTR(link, "bpf_program__attach_kprobe_opts"))
+		bpf_link__destroy(link);
+
+	kprobe_write_ctx__destroy(skel);
+}
+#else
+static void test_attach_write_ctx(void)
+{
+	test__skip();
+}
+#endif
+
 void serial_test_kprobe_multi_bench_attach(void)
 {
 	if (test__start_subtest("kernel"))
@@ -792,5 +817,7 @@ void test_kprobe_multi_test(void)
 		test_session_cookie_skel_api();
 	if (test__start_subtest("unique_match"))
 		test_unique_match();
+	if (test__start_subtest("attach_write_ctx"))
+		test_attach_write_ctx();
 	RUN_TESTS(kprobe_multi_verifier);
 }
diff --git a/tools/testing/selftests/bpf/progs/kprobe_write_ctx.c b/tools/testing/selftests/bpf/progs/kprobe_write_ctx.c
index 4621a5bef4e2..f77aef0474d3 100644
--- a/tools/testing/selftests/bpf/progs/kprobe_write_ctx.c
+++ b/tools/testing/selftests/bpf/progs/kprobe_write_ctx.c
@@ -12,4 +12,11 @@ int kprobe_write_ctx(struct pt_regs *ctx)
 	ctx->ax = 0;
 	return 0;
 }
+
+SEC("kprobe.multi")
+int kprobe_multi_write_ctx(struct pt_regs *ctx)
+{
+	ctx->ax = 0;
+	return 0;
+}
 #endif
-- 
2.51.0

Re: [PATCHv3 perf/core 0/6] uprobe,bpf: Allow to change app registers from uprobe registers

[Andrii Nakryiko]

On Tue, Sep 9, 2025 at 8:39 AM Jiri Olsa <jolsa@kernel.org> wrote:
>
> hi,
> we recently had several requests for tetragon to be able to change
> user application function return value or divert its execution through
> instruction pointer change.
>
> This patchset adds support for uprobe program to change app's registers
> including instruction pointer.
>
> v3 changes:
> - deny attach of kprobe,multi with kprobe_write_ctx set [Alexei]
> - added more tests for denied kprobe attachment
>
> thanks,
> jirka
>
>
> ---
> Jiri Olsa (6):
>       bpf: Allow uprobe program to change context registers
>       uprobe: Do not emulate/sstep original instruction when ip is changed
>       selftests/bpf: Add uprobe context registers changes test
>       selftests/bpf: Add uprobe context ip register change test
>       selftests/bpf: Add kprobe write ctx attach test
>       selftests/bpf: Add kprobe multi write ctx attach test
>

For the series:

Acked-by: Andrii Nakryiko <andrii@kernel.org>

Question is which tree will this go through? Most changes are in BPF,
so probably bpf-next, right?

>  include/linux/bpf.h                                        |   1 +
>  kernel/events/core.c                                       |   4 +++
>  kernel/events/uprobes.c                                    |   7 +++++
>  kernel/trace/bpf_trace.c                                   |   7 +++--
>  tools/testing/selftests/bpf/prog_tests/attach_probe.c      |  28 +++++++++++++++++
>  tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c |  27 ++++++++++++++++
>  tools/testing/selftests/bpf/prog_tests/uprobe.c            | 156 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
>  tools/testing/selftests/bpf/progs/kprobe_write_ctx.c       |  22 +++++++++++++
>  tools/testing/selftests/bpf/progs/test_uprobe.c            |  38 +++++++++++++++++++++++
>  9 files changed, 287 insertions(+), 3 deletions(-)
>  create mode 100644 tools/testing/selftests/bpf/progs/kprobe_write_ctx.c

Re: [PATCHv3 perf/core 1/6] bpf: Allow uprobe program to change context registers

[Andrii Nakryiko]

On Tue, Sep 9, 2025 at 8:39 AM Jiri Olsa <jolsa@kernel.org> wrote:
>
> Currently uprobe (BPF_PROG_TYPE_KPROBE) program can't write to the
> context registers data. While this makes sense for kprobe attachments,
> for uprobe attachment it might make sense to be able to change user
> space registers to alter application execution.
>
> Since uprobe and kprobe programs share the same type (BPF_PROG_TYPE_KPROBE),
> we can't deny write access to context during the program load. We need
> to check on it during program attachment to see if it's going to be
> kprobe or uprobe.
>
> Storing the program's write attempt to context and checking on it
> during the attachment.
>
> Signed-off-by: Jiri Olsa <jolsa@kernel.org>
> ---
>  include/linux/bpf.h      | 1 +
>  kernel/events/core.c     | 4 ++++
>  kernel/trace/bpf_trace.c | 7 +++++--
>  3 files changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index cc700925b802..404a30cde84e 100644
> --- a/include/linux/bpf.h
> +++ b/include/linux/bpf.h
> @@ -1619,6 +1619,7 @@ struct bpf_prog_aux {
>         bool priv_stack_requested;
>         bool changes_pkt_data;
>         bool might_sleep;
> +       bool kprobe_write_ctx;
>         u64 prog_array_member_cnt; /* counts how many times as member of prog_array */
>         struct mutex ext_mutex; /* mutex for is_extended and prog_array_member_cnt */
>         struct bpf_arena *arena;
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index 28de3baff792..c3f37b266fc4 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -11238,6 +11238,10 @@ static int __perf_event_set_bpf_prog(struct perf_event *event,
>         if (prog->kprobe_override && !is_kprobe)
>                 return -EINVAL;
>
> +       /* Writing to context allowed only for uprobes. */
> +       if (prog->aux->kprobe_write_ctx && !is_uprobe)
> +               return -EINVAL;
> +
>         if (is_tracepoint || is_syscall_tp) {
>                 int off = trace_event_get_offsets(event->tp_event);
>
> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> index 3ae52978cae6..dfb19e773afa 100644
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c
> @@ -1521,8 +1521,6 @@ static bool kprobe_prog_is_valid_access(int off, int size, enum bpf_access_type
>  {
>         if (off < 0 || off >= sizeof(struct pt_regs))
>                 return false;
> -       if (type != BPF_READ)
> -               return false;
>         if (off % size != 0)
>                 return false;
>         /*
> @@ -1532,6 +1530,7 @@ static bool kprobe_prog_is_valid_access(int off, int size, enum bpf_access_type
>         if (off + size > sizeof(struct pt_regs))
>                 return false;
>
> +       prog->aux->kprobe_write_ctx |= type == BPF_WRITE;

nit: minor preference for

if (type == BPF_WRITE)
    prog->aux->kprobe_write_ctx = true;


>         return true;
>  }
>
> @@ -2913,6 +2912,10 @@ int bpf_kprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr
>         if (!is_kprobe_multi(prog))
>                 return -EINVAL;
>
> +       /* Writing to context is not allowed for kprobes. */
> +       if (prog->aux->kprobe_write_ctx)
> +               return -EINVAL;
> +
>         flags = attr->link_create.kprobe_multi.flags;
>         if (flags & ~BPF_F_KPROBE_MULTI_RETURN)
>                 return -EINVAL;
> --
> 2.51.0
>

Re: [PATCHv3 perf/core 0/6] uprobe,bpf: Allow to change app registers from uprobe registers

[Ihor Solodrai]

On 9/9/25 9:41 AM, Andrii Nakryiko wrote:
> On Tue, Sep 9, 2025 at 8:39 AM Jiri Olsa <jolsa@kernel.org> wrote:
>>
>> hi,
>> we recently had several requests for tetragon to be able to change
>> user application function return value or divert its execution through
>> instruction pointer change.
>>
>> This patchset adds support for uprobe program to change app's registers
>> including instruction pointer.
>>
>> v3 changes:
>> - deny attach of kprobe,multi with kprobe_write_ctx set [Alexei]
>> - added more tests for denied kprobe attachment
>>
>> thanks,
>> jirka
>>
>>
>> ---
>> Jiri Olsa (6):
>>        bpf: Allow uprobe program to change context registers
>>        uprobe: Do not emulate/sstep original instruction when ip is changed
>>        selftests/bpf: Add uprobe context registers changes test
>>        selftests/bpf: Add uprobe context ip register change test
>>        selftests/bpf: Add kprobe write ctx attach test
>>        selftests/bpf: Add kprobe multi write ctx attach test
>>
> 
> For the series:
> 
> Acked-by: Andrii Nakryiko <andrii@kernel.org>
> 
> Question is which tree will this go through? Most changes are in BPF,
> so probably bpf-next, right?

Hi Jiri.

This series does not apply to current bpf-next, see below.

Could you please respin it with bpf-next tag?
E.g. "[PATCH v4 bpf-next 0/6] ..."

Thanks!

$ git log -1 --oneline
a578b54a8ad2 (HEAD -> master, origin/master, origin/HEAD, 
kernel-patches/bpf-next) Merge branch 
'bpf-report-arena-faults-to-bpf-streams'
$ b4 am 20250909123857.315599-1-jolsa@kernel.org
[...]
$ git am 
./v3_20250909_jolsa_uprobe_bpf_allow_to_change_app_registers_from_uprobe_registers.mbx
Applying: bpf: Allow uprobe program to change context registers
Applying: uprobe: Do not emulate/sstep original instruction when ip is 
changed
error: patch failed: kernel/events/uprobes.c:2768
error: kernel/events/uprobes.c: patch does not apply
Patch failed at 0002 uprobe: Do not emulate/sstep original instruction 
when ip is changed
[...]

> 
>>   include/linux/bpf.h                                        |   1 +
>>   kernel/events/core.c                                       |   4 +++
>>   kernel/events/uprobes.c                                    |   7 +++++
>>   kernel/trace/bpf_trace.c                                   |   7 +++--
>>   tools/testing/selftests/bpf/prog_tests/attach_probe.c      |  28 +++++++++++++++++
>>   tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c |  27 ++++++++++++++++
>>   tools/testing/selftests/bpf/prog_tests/uprobe.c            | 156 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
>>   tools/testing/selftests/bpf/progs/kprobe_write_ctx.c       |  22 +++++++++++++
>>   tools/testing/selftests/bpf/progs/test_uprobe.c            |  38 +++++++++++++++++++++++
>>   9 files changed, 287 insertions(+), 3 deletions(-)
>>   create mode 100644 tools/testing/selftests/bpf/progs/kprobe_write_ctx.c

Re: [PATCHv3 perf/core 0/6] uprobe,bpf: Allow to change app registers from uprobe registers

[Jiri Olsa]

On Fri, Sep 12, 2025 at 01:28:55PM -0700, Ihor Solodrai wrote:
> On 9/9/25 9:41 AM, Andrii Nakryiko wrote:
> > On Tue, Sep 9, 2025 at 8:39 AM Jiri Olsa <jolsa@kernel.org> wrote:
> > > 
> > > hi,
> > > we recently had several requests for tetragon to be able to change
> > > user application function return value or divert its execution through
> > > instruction pointer change.
> > > 
> > > This patchset adds support for uprobe program to change app's registers
> > > including instruction pointer.
> > > 
> > > v3 changes:
> > > - deny attach of kprobe,multi with kprobe_write_ctx set [Alexei]
> > > - added more tests for denied kprobe attachment
> > > 
> > > thanks,
> > > jirka
> > > 
> > > 
> > > ---
> > > Jiri Olsa (6):
> > >        bpf: Allow uprobe program to change context registers
> > >        uprobe: Do not emulate/sstep original instruction when ip is changed
> > >        selftests/bpf: Add uprobe context registers changes test
> > >        selftests/bpf: Add uprobe context ip register change test
> > >        selftests/bpf: Add kprobe write ctx attach test
> > >        selftests/bpf: Add kprobe multi write ctx attach test
> > > 
> > 
> > For the series:
> > 
> > Acked-by: Andrii Nakryiko <andrii@kernel.org>
> > 
> > Question is which tree will this go through? Most changes are in BPF,
> > so probably bpf-next, right?
> 
> Hi Jiri.
> 
> This series does not apply to current bpf-next, see below.
> 
> Could you please respin it with bpf-next tag?
> E.g. "[PATCH v4 bpf-next 0/6] ..."
> 

hi,
the uprobe change it needs to be on top of the optimized uprobes (tip/perf/core)
but the bpf selftests patches could be applied on bpf-next/master and disabled
in CI until tip/perf/core changes are merged in?

thanks,
jirka


> Thanks!
> 
> $ git log -1 --oneline
> a578b54a8ad2 (HEAD -> master, origin/master, origin/HEAD,
> kernel-patches/bpf-next) Merge branch
> 'bpf-report-arena-faults-to-bpf-streams'
> $ b4 am 20250909123857.315599-1-jolsa@kernel.org
> [...]
> $ git am ./v3_20250909_jolsa_uprobe_bpf_allow_to_change_app_registers_from_uprobe_registers.mbx
> Applying: bpf: Allow uprobe program to change context registers
> Applying: uprobe: Do not emulate/sstep original instruction when ip is
> changed
> error: patch failed: kernel/events/uprobes.c:2768
> error: kernel/events/uprobes.c: patch does not apply
> Patch failed at 0002 uprobe: Do not emulate/sstep original instruction when
> ip is changed
> [...]
> 
> > 
> > >   include/linux/bpf.h                                        |   1 +
> > >   kernel/events/core.c                                       |   4 +++
> > >   kernel/events/uprobes.c                                    |   7 +++++
> > >   kernel/trace/bpf_trace.c                                   |   7 +++--
> > >   tools/testing/selftests/bpf/prog_tests/attach_probe.c      |  28 +++++++++++++++++
> > >   tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c |  27 ++++++++++++++++
> > >   tools/testing/selftests/bpf/prog_tests/uprobe.c            | 156 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
> > >   tools/testing/selftests/bpf/progs/kprobe_write_ctx.c       |  22 +++++++++++++
> > >   tools/testing/selftests/bpf/progs/test_uprobe.c            |  38 +++++++++++++++++++++++
> > >   9 files changed, 287 insertions(+), 3 deletions(-)
> > >   create mode 100644 tools/testing/selftests/bpf/progs/kprobe_write_ctx.c
> 

Re: [PATCHv3 perf/core 0/6] uprobe,bpf: Allow to change app registers from uprobe registers

[Ihor Solodrai]

On 9/12/25 1:55 PM, Jiri Olsa wrote:
> On Fri, Sep 12, 2025 at 01:28:55PM -0700, Ihor Solodrai wrote:
>> On 9/9/25 9:41 AM, Andrii Nakryiko wrote:
>>> On Tue, Sep 9, 2025 at 8:39 AM Jiri Olsa <jolsa@kernel.org> wrote:
>>>>
>>>> hi,
>>>> we recently had several requests for tetragon to be able to change
>>>> user application function return value or divert its execution through
>>>> instruction pointer change.
>>>>
>>>> This patchset adds support for uprobe program to change app's registers
>>>> including instruction pointer.
>>>>
>>>> v3 changes:
>>>> - deny attach of kprobe,multi with kprobe_write_ctx set [Alexei]
>>>> - added more tests for denied kprobe attachment
>>>>
>>>> thanks,
>>>> jirka
>>>>
>>>>
>>>> ---
>>>> Jiri Olsa (6):
>>>>         bpf: Allow uprobe program to change context registers
>>>>         uprobe: Do not emulate/sstep original instruction when ip is changed
>>>>         selftests/bpf: Add uprobe context registers changes test
>>>>         selftests/bpf: Add uprobe context ip register change test
>>>>         selftests/bpf: Add kprobe write ctx attach test
>>>>         selftests/bpf: Add kprobe multi write ctx attach test
>>>>
>>>
>>> For the series:
>>>
>>> Acked-by: Andrii Nakryiko <andrii@kernel.org>
>>>
>>> Question is which tree will this go through? Most changes are in BPF,
>>> so probably bpf-next, right?
>>
>> Hi Jiri.
>>
>> This series does not apply to current bpf-next, see below.
>>
>> Could you please respin it with bpf-next tag?
>> E.g. "[PATCH v4 bpf-next 0/6] ..."
>>
> 
> hi,
> the uprobe change it needs to be on top of the optimized uprobes (tip/perf/core)
> but the bpf selftests patches could be applied on bpf-next/master and disabled
> in CI until tip/perf/core changes are merged in?

Currently the series isn't even picked up by CI properly because it
doesn't apply. It's not that the tests are failing.

If there is a dependency on external (to bpf-next) commit, we could
add it as a temporary CI patch or just wait for it to be merged in.

But if you can make this series applicable to bpf-next without
tip/perf/core changes, you can do that and add relevant tests to
`tools/testing/selftests/bpf/DENYLIST`. It's important to not forget
to remove them later though.

> 
> thanks,
> jirka
> 
> 
>> Thanks!
>>
>> $ git log -1 --oneline
>> a578b54a8ad2 (HEAD -> master, origin/master, origin/HEAD,
>> kernel-patches/bpf-next) Merge branch
>> 'bpf-report-arena-faults-to-bpf-streams'
>> $ b4 am 20250909123857.315599-1-jolsa@kernel.org
>> [...]
>> $ git am ./v3_20250909_jolsa_uprobe_bpf_allow_to_change_app_registers_from_uprobe_registers.mbx
>> Applying: bpf: Allow uprobe program to change context registers
>> Applying: uprobe: Do not emulate/sstep original instruction when ip is
>> changed
>> error: patch failed: kernel/events/uprobes.c:2768
>> error: kernel/events/uprobes.c: patch does not apply
>> Patch failed at 0002 uprobe: Do not emulate/sstep original instruction when
>> ip is changed
>> [...]
>>
>>>
>>>>    include/linux/bpf.h                                        |   1 +
>>>>    kernel/events/core.c                                       |   4 +++
>>>>    kernel/events/uprobes.c                                    |   7 +++++
>>>>    kernel/trace/bpf_trace.c                                   |   7 +++--
>>>>    tools/testing/selftests/bpf/prog_tests/attach_probe.c      |  28 +++++++++++++++++
>>>>    tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c |  27 ++++++++++++++++
>>>>    tools/testing/selftests/bpf/prog_tests/uprobe.c            | 156 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
>>>>    tools/testing/selftests/bpf/progs/kprobe_write_ctx.c       |  22 +++++++++++++
>>>>    tools/testing/selftests/bpf/progs/test_uprobe.c            |  38 +++++++++++++++++++++++
>>>>    9 files changed, 287 insertions(+), 3 deletions(-)
>>>>    create mode 100644 tools/testing/selftests/bpf/progs/kprobe_write_ctx.c
>>

Re: [PATCHv3 perf/core 0/6] uprobe,bpf: Allow to change app registers from uprobe registers

[Andrii Nakryiko]

On Fri, Sep 12, 2025 at 1:55 PM Jiri Olsa <olsajiri@gmail.com> wrote:
>
> On Fri, Sep 12, 2025 at 01:28:55PM -0700, Ihor Solodrai wrote:
> > On 9/9/25 9:41 AM, Andrii Nakryiko wrote:
> > > On Tue, Sep 9, 2025 at 8:39 AM Jiri Olsa <jolsa@kernel.org> wrote:
> > > >
> > > > hi,
> > > > we recently had several requests for tetragon to be able to change
> > > > user application function return value or divert its execution through
> > > > instruction pointer change.
> > > >
> > > > This patchset adds support for uprobe program to change app's registers
> > > > including instruction pointer.
> > > >
> > > > v3 changes:
> > > > - deny attach of kprobe,multi with kprobe_write_ctx set [Alexei]
> > > > - added more tests for denied kprobe attachment
> > > >
> > > > thanks,
> > > > jirka
> > > >
> > > >
> > > > ---
> > > > Jiri Olsa (6):
> > > >        bpf: Allow uprobe program to change context registers
> > > >        uprobe: Do not emulate/sstep original instruction when ip is changed
> > > >        selftests/bpf: Add uprobe context registers changes test
> > > >        selftests/bpf: Add uprobe context ip register change test
> > > >        selftests/bpf: Add kprobe write ctx attach test
> > > >        selftests/bpf: Add kprobe multi write ctx attach test
> > > >
> > >
> > > For the series:
> > >
> > > Acked-by: Andrii Nakryiko <andrii@kernel.org>
> > >
> > > Question is which tree will this go through? Most changes are in BPF,
> > > so probably bpf-next, right?
> >
> > Hi Jiri.
> >
> > This series does not apply to current bpf-next, see below.
> >
> > Could you please respin it with bpf-next tag?
> > E.g. "[PATCH v4 bpf-next 0/6] ..."
> >
>
> hi,
> the uprobe change it needs to be on top of the optimized uprobes (tip/perf/core)

Is this what you happened to base it on (and thus diff context has
that arch_uprobe_optimize), or those changes are needed for correct
functioning?

It seems like some conflict is inevitable, but on uprobe side it's two
lines of code that would need to be put after arch_uprobe_optimize
(instead of handler_chain), while on BPF side it's a bit more
invasive.

So unless tip/perf/core changes are mandatory for correct functioning,
I'd say let's rebase on top of bpf-next and handle that trivial merge
conflict during merge window?

> but the bpf selftests patches could be applied on bpf-next/master and disabled
> in CI until tip/perf/core changes are merged in?
>
> thanks,
> jirka
>
>
> > Thanks!
> >
> > $ git log -1 --oneline
> > a578b54a8ad2 (HEAD -> master, origin/master, origin/HEAD,
> > kernel-patches/bpf-next) Merge branch
> > 'bpf-report-arena-faults-to-bpf-streams'
> > $ b4 am 20250909123857.315599-1-jolsa@kernel.org
> > [...]
> > $ git am ./v3_20250909_jolsa_uprobe_bpf_allow_to_change_app_registers_from_uprobe_registers.mbx
> > Applying: bpf: Allow uprobe program to change context registers
> > Applying: uprobe: Do not emulate/sstep original instruction when ip is
> > changed
> > error: patch failed: kernel/events/uprobes.c:2768
> > error: kernel/events/uprobes.c: patch does not apply
> > Patch failed at 0002 uprobe: Do not emulate/sstep original instruction when
> > ip is changed
> > [...]
> >
> > >
> > > >   include/linux/bpf.h                                        |   1 +
> > > >   kernel/events/core.c                                       |   4 +++
> > > >   kernel/events/uprobes.c                                    |   7 +++++
> > > >   kernel/trace/bpf_trace.c                                   |   7 +++--
> > > >   tools/testing/selftests/bpf/prog_tests/attach_probe.c      |  28 +++++++++++++++++
> > > >   tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c |  27 ++++++++++++++++
> > > >   tools/testing/selftests/bpf/prog_tests/uprobe.c            | 156 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
> > > >   tools/testing/selftests/bpf/progs/kprobe_write_ctx.c       |  22 +++++++++++++
> > > >   tools/testing/selftests/bpf/progs/test_uprobe.c            |  38 +++++++++++++++++++++++
> > > >   9 files changed, 287 insertions(+), 3 deletions(-)
> > > >   create mode 100644 tools/testing/selftests/bpf/progs/kprobe_write_ctx.c
> >

Re: [PATCHv3 perf/core 0/6] uprobe,bpf: Allow to change app registers from uprobe registers

[Jiri Olsa]

On Mon, Sep 15, 2025 at 01:10:33PM -0700, Andrii Nakryiko wrote:
> On Fri, Sep 12, 2025 at 1:55 PM Jiri Olsa <olsajiri@gmail.com> wrote:
> >
> > On Fri, Sep 12, 2025 at 01:28:55PM -0700, Ihor Solodrai wrote:
> > > On 9/9/25 9:41 AM, Andrii Nakryiko wrote:
> > > > On Tue, Sep 9, 2025 at 8:39 AM Jiri Olsa <jolsa@kernel.org> wrote:
> > > > >
> > > > > hi,
> > > > > we recently had several requests for tetragon to be able to change
> > > > > user application function return value or divert its execution through
> > > > > instruction pointer change.
> > > > >
> > > > > This patchset adds support for uprobe program to change app's registers
> > > > > including instruction pointer.
> > > > >
> > > > > v3 changes:
> > > > > - deny attach of kprobe,multi with kprobe_write_ctx set [Alexei]
> > > > > - added more tests for denied kprobe attachment
> > > > >
> > > > > thanks,
> > > > > jirka
> > > > >
> > > > >
> > > > > ---
> > > > > Jiri Olsa (6):
> > > > >        bpf: Allow uprobe program to change context registers
> > > > >        uprobe: Do not emulate/sstep original instruction when ip is changed
> > > > >        selftests/bpf: Add uprobe context registers changes test
> > > > >        selftests/bpf: Add uprobe context ip register change test
> > > > >        selftests/bpf: Add kprobe write ctx attach test
> > > > >        selftests/bpf: Add kprobe multi write ctx attach test
> > > > >
> > > >
> > > > For the series:
> > > >
> > > > Acked-by: Andrii Nakryiko <andrii@kernel.org>
> > > >
> > > > Question is which tree will this go through? Most changes are in BPF,
> > > > so probably bpf-next, right?
> > >
> > > Hi Jiri.
> > >
> > > This series does not apply to current bpf-next, see below.
> > >
> > > Could you please respin it with bpf-next tag?
> > > E.g. "[PATCH v4 bpf-next 0/6] ..."
> > >
> >
> > hi,
> > the uprobe change it needs to be on top of the optimized uprobes (tip/perf/core)
> 
> Is this what you happened to base it on (and thus diff context has
> that arch_uprobe_optimize), or those changes are needed for correct
> functioning?

yes

> 
> It seems like some conflict is inevitable, but on uprobe side it's two
> lines of code that would need to be put after arch_uprobe_optimize
> (instead of handler_chain), while on BPF side it's a bit more
> invasive.
> 
> So unless tip/perf/core changes are mandatory for correct functioning,
> I'd say let's rebase on top of bpf-next and handle that trivial merge
> conflict during merge window?

ok, sounds good, will rebase/resend

thanks,
jirka

Re: [PATCHv3 perf/core 1/6] bpf: Allow uprobe program to change context registers

[Jiri Olsa]

On Tue, Sep 09, 2025 at 12:41:36PM -0400, Andrii Nakryiko wrote:
> On Tue, Sep 9, 2025 at 8:39 AM Jiri Olsa <jolsa@kernel.org> wrote:
> >
> > Currently uprobe (BPF_PROG_TYPE_KPROBE) program can't write to the
> > context registers data. While this makes sense for kprobe attachments,
> > for uprobe attachment it might make sense to be able to change user
> > space registers to alter application execution.
> >
> > Since uprobe and kprobe programs share the same type (BPF_PROG_TYPE_KPROBE),
> > we can't deny write access to context during the program load. We need
> > to check on it during program attachment to see if it's going to be
> > kprobe or uprobe.
> >
> > Storing the program's write attempt to context and checking on it
> > during the attachment.
> >
> > Signed-off-by: Jiri Olsa <jolsa@kernel.org>
> > ---
> >  include/linux/bpf.h      | 1 +
> >  kernel/events/core.c     | 4 ++++
> >  kernel/trace/bpf_trace.c | 7 +++++--
> >  3 files changed, 10 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> > index cc700925b802..404a30cde84e 100644
> > --- a/include/linux/bpf.h
> > +++ b/include/linux/bpf.h
> > @@ -1619,6 +1619,7 @@ struct bpf_prog_aux {
> >         bool priv_stack_requested;
> >         bool changes_pkt_data;
> >         bool might_sleep;
> > +       bool kprobe_write_ctx;
> >         u64 prog_array_member_cnt; /* counts how many times as member of prog_array */
> >         struct mutex ext_mutex; /* mutex for is_extended and prog_array_member_cnt */
> >         struct bpf_arena *arena;
> > diff --git a/kernel/events/core.c b/kernel/events/core.c
> > index 28de3baff792..c3f37b266fc4 100644
> > --- a/kernel/events/core.c
> > +++ b/kernel/events/core.c
> > @@ -11238,6 +11238,10 @@ static int __perf_event_set_bpf_prog(struct perf_event *event,
> >         if (prog->kprobe_override && !is_kprobe)
> >                 return -EINVAL;
> >
> > +       /* Writing to context allowed only for uprobes. */
> > +       if (prog->aux->kprobe_write_ctx && !is_uprobe)
> > +               return -EINVAL;
> > +
> >         if (is_tracepoint || is_syscall_tp) {
> >                 int off = trace_event_get_offsets(event->tp_event);
> >
> > diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> > index 3ae52978cae6..dfb19e773afa 100644
> > --- a/kernel/trace/bpf_trace.c
> > +++ b/kernel/trace/bpf_trace.c
> > @@ -1521,8 +1521,6 @@ static bool kprobe_prog_is_valid_access(int off, int size, enum bpf_access_type
> >  {
> >         if (off < 0 || off >= sizeof(struct pt_regs))
> >                 return false;
> > -       if (type != BPF_READ)
> > -               return false;
> >         if (off % size != 0)
> >                 return false;
> >         /*
> > @@ -1532,6 +1530,7 @@ static bool kprobe_prog_is_valid_access(int off, int size, enum bpf_access_type
> >         if (off + size > sizeof(struct pt_regs))
> >                 return false;
> >
> > +       prog->aux->kprobe_write_ctx |= type == BPF_WRITE;
> 
> nit: minor preference for
> 
> if (type == BPF_WRITE)
>     prog->aux->kprobe_write_ctx = true;

ok, will change

jirka

> 
> 
> >         return true;
> >  }
> >
> > @@ -2913,6 +2912,10 @@ int bpf_kprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr
> >         if (!is_kprobe_multi(prog))
> >                 return -EINVAL;
> >
> > +       /* Writing to context is not allowed for kprobes. */
> > +       if (prog->aux->kprobe_write_ctx)
> > +               return -EINVAL;
> > +
> >         flags = attr->link_create.kprobe_multi.flags;
> >         if (flags & ~BPF_F_KPROBE_MULTI_RETURN)
> >                 return -EINVAL;
> > --
> > 2.51.0
> >