public inbox for netdev@vger.kernel.org
* [PATCH bpf-next 0/3] bpf: Enhance freplace compatibility
@ 2026-03-24 15:04 Leon Hwang
  2026-03-24 15:04 ` [PATCH bpf-next 1/3] bpf: Disallow freplace on XDP with mismatched xdp_has_frags values Leon Hwang
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Leon Hwang @ 2026-03-24 15:04 UTC (permalink / raw)
  To: bpf
  Cc: Alexei Starovoitov, Daniel Borkmann, John Fastabend,
	Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
	Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
	Shuah Khan, David S . Miller, Jakub Kicinski,
	Jesper Dangaard Brouer, Leon Hwang, Toke Hoiland-Jorgensen,
	Lorenzo Bianconi, linux-kernel, linux-kselftest, netdev,
	kernel-patches-bot

The potential issue of kprobe_write_ctx+freplace was mentioned in
"bpf: Disallow !kprobe_write_ctx progs tail-calling kprobe_write_ctx progs" [1].

It is a true issue: the test in patch #3 verifies that kprobe_write_ctx=false
kprobe progs can be abused to modify struct pt_regs via kprobe_write_ctx=true
freplace progs.

When struct pt_regs is modified, bpf_prog_test_run_opts() gets -EFAULT instead
of 0.

test_kprobe_write_ctx:FAIL:bpf_prog_test_run_opts unexpected error: -14 (errno 14)

We will disallow freplace on kprobe programs with different kprobe_write_ctx
values.

However, xdp_has_frags does not cause such a severe issue.

The issue of xdp_has_frags+freplace is that it is able to break the backwards
compatibility of XDP.

In commit f45d5b6ce2e8 ("bpf: generalise tail call map compatibility check"),
the backwards compatibility was protected against tail calls, but it missed the
freplace case, which is also able to extend XDP progs. If xdp_has_frags=true
freplace progs are allowed to attach to xdp_has_frags=false XDP progs, the
backwards compatibility is broken.

We will disallow freplace on XDP programs with different xdp_has_frags values,
like the way in bpf_prog_map_compatible().

Links:
[1] https://lore.kernel.org/bpf/CAP01T74w4KVMn9bEwpQXrk+bqcUxzb6VW1SQ_QvNy0A4EY-9Jg@mail.gmail.com/

Leon Hwang (3):
  bpf: Disallow freplace on XDP with mismatched xdp_has_frags values
  bpf: Disallow freplace on kprobe with mismatched kprobe_write_ctx
    values
  selftests/bpf: Add tests to verify freplace compatibility

 kernel/bpf/verifier.c                         |  12 ++
 .../bpf/prog_tests/freplace_compatible.c      | 124 ++++++++++++++++++
 .../selftests/bpf/progs/freplace_compatible.c |  40 ++++++
 3 files changed, 176 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/freplace_compatible.c
 create mode 100644 tools/testing/selftests/bpf/progs/freplace_compatible.c

-- 
2.53.0



* [PATCH bpf-next 1/3] bpf: Disallow freplace on XDP with mismatched xdp_has_frags values
  2026-03-24 15:04 [PATCH bpf-next 0/3] bpf: Enhance freplace compatibility Leon Hwang
@ 2026-03-24 15:04 ` Leon Hwang
  2026-03-24 16:18   ` Toke Høiland-Jørgensen
  2026-03-26 19:42   ` Jakub Kicinski
  2026-03-24 15:04 ` [PATCH bpf-next 2/3] bpf: Disallow freplace on kprobe with mismatched kprobe_write_ctx values Leon Hwang
  2026-03-24 15:04 ` [PATCH bpf-next 3/3] selftests/bpf: Add tests to verify freplace compatibility Leon Hwang
  2 siblings, 2 replies; 10+ messages in thread
From: Leon Hwang @ 2026-03-24 15:04 UTC (permalink / raw)
  To: bpf
  Cc: Alexei Starovoitov, Daniel Borkmann, John Fastabend,
	Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
	Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
	Shuah Khan, David S . Miller, Jakub Kicinski,
	Jesper Dangaard Brouer, Leon Hwang, Toke Hoiland-Jorgensen,
	Lorenzo Bianconi, linux-kernel, linux-kselftest, netdev,
	kernel-patches-bot

xdp_has_frags was introduced by the commit
c2f2cdbeffda ("bpf: introduce BPF_F_XDP_HAS_FRAGS flag in prog_flags loading the ebpf program").

The commit f45d5b6ce2e8 ("bpf: generalise tail call map compatibility check")
was to ensure backwards compatibility against tail calls. However, it
missed that XDP progs can be extended by freplace progs, which could break
the backwards compatibility, e.g. xdp_has_frags=true freplace progs are
allowed to attach to xdp_has_frags=false XDP progs.

To avoid breaking the backwards compatibility via freplace, disallow
freplace on XDP programs with different xdp_has_frags values.

Cc: Toke Hoiland-Jorgensen <toke@redhat.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Lorenzo Bianconi <lorenzo@kernel.org>
Fixes: c2f2cdbeffda ("bpf: introduce BPF_F_XDP_HAS_FRAGS flag in prog_flags loading the ebpf program")
Signed-off-by: Leon Hwang <leon.hwang@linux.dev>
---
 kernel/bpf/verifier.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index cd008b146ee5..12330466d58b 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -25519,6 +25519,10 @@ static int check_attach_btf_id(struct bpf_verifier_env *env)
 		 */
 		env->ops = bpf_verifier_ops[tgt_prog->type];
 		prog->expected_attach_type = tgt_prog->expected_attach_type;
+		if (prog->aux->xdp_has_frags != tgt_prog->aux->xdp_has_frags) {
+			verbose(env, "Extension program cannot have different xdp_has_frags value with target prog\n");
+			return -EINVAL;
+		}
 	}
 
 	/* store info about the attachment target that will be used later */
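Review bot: the added `!=` test in check_attach_btf_id() rejects a mismatch in either direction and is not limited to XDP targets, since nothing in these lines looks at tgt_prog->type, while the commit message only argues against an xdp_has_frags=true extension on an xdp_has_frags=false program. If a restriction is wanted at all, test only the direction that needs rejecting and guard it with a check that the target is an XDP program; Toke's reply in this thread reports that this change breaks the frags handling in libxdp (test_xdp_frags fails). The message would also read better as "different xdp_has_frags value from target prog".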
-- 
2.53.0



* [PATCH bpf-next 2/3] bpf: Disallow freplace on kprobe with mismatched kprobe_write_ctx values
  2026-03-24 15:04 [PATCH bpf-next 0/3] bpf: Enhance freplace compatibility Leon Hwang
  2026-03-24 15:04 ` [PATCH bpf-next 1/3] bpf: Disallow freplace on XDP with mismatched xdp_has_frags values Leon Hwang
@ 2026-03-24 15:04 ` Leon Hwang
  2026-03-25 12:51   ` Jiri Olsa
  2026-03-24 15:04 ` [PATCH bpf-next 3/3] selftests/bpf: Add tests to verify freplace compatibility Leon Hwang
  2 siblings, 1 reply; 10+ messages in thread
From: Leon Hwang @ 2026-03-24 15:04 UTC (permalink / raw)
  To: bpf
  Cc: Alexei Starovoitov, Daniel Borkmann, John Fastabend,
	Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
	Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
	Shuah Khan, David S . Miller, Jakub Kicinski,
	Jesper Dangaard Brouer, Leon Hwang, Toke Hoiland-Jorgensen,
	Lorenzo Bianconi, linux-kernel, linux-kselftest, netdev,
	kernel-patches-bot

uprobe programs are allowed to modify struct pt_regs.

Since the actual program type of uprobe is KPROBE, it can be abused to
modify struct pt_regs via kprobe+freplace when the kprobe attaches to
kernel functions.

For example,

SEC("?kprobe")
int kprobe(struct pt_regs *regs)
{
	return 0;
}

SEC("?freplace")
int freplace_kprobe(struct pt_regs *regs)
{
	regs->di = 0;
	return 0;
}

freplace_kprobe prog will attach to kprobe prog.
kprobe prog will attach to a kernel function.

Without this patch, when the kernel function runs, its first arg will
always be set as 0 via the freplace_kprobe prog.

To avoid the abuse of kprobe_write_ctx=true via kprobe+freplace, disallow
freplace on kprobe programs with mismatched kprobe_write_ctx values.

Fixes: 7384893d970e ("bpf: Allow uprobe program to change context registers")
Signed-off-by: Leon Hwang <leon.hwang@linux.dev>
---
 kernel/bpf/verifier.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 12330466d58b..f8257bae6081 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -6404,6 +6404,14 @@ static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off,
 		/* remember the offset of last byte accessed in ctx */
 		if (env->prog->aux->max_ctx_offset < off + size)
 			env->prog->aux->max_ctx_offset = off + size;
+		if (env->prog->type == BPF_PROG_TYPE_EXT) {
+			struct bpf_prog *dst_prog = env->prog->aux->dst_prog;
+
+			if (env->prog->aux->kprobe_write_ctx != dst_prog->aux->kprobe_write_ctx) {
+				verbose(env, "Extension program cannot have different kprobe_write_ctx value with target prog\n");
+				return -EINVAL;
+			}
+		}
 		return 0;
 	}
 
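Review bot: the new block in check_ctx_access() runs for every BPF_PROG_TYPE_EXT program on the ctx access success path, with no check that dst_prog is a kprobe program, and its `!=` also rejects an extension that does not write ctx when the target has kprobe_write_ctx set. The case the commit message describes is an extension with kprobe_write_ctx set replacing a target without it, so consider rejecting only that direction and only for kprobe targets, or state in the commit message why both directions must fail. dst_prog is dereferenced without a NULL check in the visible lines; a short comment saying why it is always set here would help, and "different kprobe_write_ctx value from target prog" reads better in the message.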
-- 
2.53.0



* [PATCH bpf-next 3/3] selftests/bpf: Add tests to verify freplace compatibility
  2026-03-24 15:04 [PATCH bpf-next 0/3] bpf: Enhance freplace compatibility Leon Hwang
  2026-03-24 15:04 ` [PATCH bpf-next 1/3] bpf: Disallow freplace on XDP with mismatched xdp_has_frags values Leon Hwang
  2026-03-24 15:04 ` [PATCH bpf-next 2/3] bpf: Disallow freplace on kprobe with mismatched kprobe_write_ctx values Leon Hwang
@ 2026-03-24 15:04 ` Leon Hwang
  2 siblings, 0 replies; 10+ messages in thread
From: Leon Hwang @ 2026-03-24 15:04 UTC (permalink / raw)
  To: bpf
  Cc: Alexei Starovoitov, Daniel Borkmann, John Fastabend,
	Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
	Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
	Shuah Khan, David S . Miller, Jakub Kicinski,
	Jesper Dangaard Brouer, Leon Hwang, Toke Hoiland-Jorgensen,
	Lorenzo Bianconi, linux-kernel, linux-kselftest, netdev,
	kernel-patches-bot

Add tests to verify the issues:

* xdp_has_frags: The backwards compatibility can be broken via freplace.
* kprobe_write_ctx: It can be abused to modify struct pt_regs of kernel
  functions via kprobe_write_ctx=true freplace progs.

Without the fixes, the issues are verified:

xdp_has_frags=true freplace prog is allowed to attach to
xdp_has_frags=false XDP prog.

kprobe_write_ctx=true freplace prog is allowed to attach to
kprobe_write_ctx=false kprobe prog. Then, the first arg of
bpf_fentry_test1 will be set as 0, and bpf_prog_test_run_opts() gets
-EFAULT instead of 0.

With the fixes, the issues are rejected by verifier:

 Extension program cannot have different xdp_has_frags value with target prog
 #134/1   freplace_compatible/xdp_has_frags:OK
 Extension program cannot have different kprobe_write_ctx value with target prog
 #134/2   freplace_compatible/kprobe_write_ctx:OK

Signed-off-by: Leon Hwang <leon.hwang@linux.dev>
---
 .../bpf/prog_tests/freplace_compatible.c      | 124 ++++++++++++++++++
 .../selftests/bpf/progs/freplace_compatible.c |  40 ++++++
 2 files changed, 164 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/freplace_compatible.c
 create mode 100644 tools/testing/selftests/bpf/progs/freplace_compatible.c

diff --git a/tools/testing/selftests/bpf/prog_tests/freplace_compatible.c b/tools/testing/selftests/bpf/prog_tests/freplace_compatible.c
new file mode 100644
index 000000000000..251e17ef4e52
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/freplace_compatible.c
@@ -0,0 +1,124 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <test_progs.h>
+#include "freplace_compatible.skel.h"
+
+static void test_xdp_has_frags(void)
+{
+	struct freplace_compatible *skel_xdp, *skel_ext = NULL;
+	struct bpf_program *prog_xdp, *prog_ext;
+	struct bpf_link *link = NULL;
+	char buff[128] = {};
+	int err, prog_fd;
+	__u32 flags;
+	LIBBPF_OPTS(bpf_test_run_opts, topts,
+		.data_in = buff,
+		.data_size_in = sizeof(buff),
+		.repeat = 1,
+	);
+
+	skel_xdp = freplace_compatible__open();
+	if (!ASSERT_OK_PTR(skel_xdp, "freplace_compatible__open xdp"))
+		return;
+
+	prog_xdp = skel_xdp->progs.xdp;
+	bpf_program__set_autoload(prog_xdp, true);
+
+	err = freplace_compatible__load(skel_xdp);
+	if (!ASSERT_OK(err, "freplace_compatible__load xdp"))
+		goto out;
+
+	skel_ext = freplace_compatible__open();
+	if (!ASSERT_OK_PTR(skel_ext, "freplace_compatible__open ext"))
+		goto out;
+
+	prog_ext = skel_ext->progs.freplace_xdp;
+	bpf_program__set_autoload(prog_ext, true);
+
+	flags = bpf_program__flags(prog_ext) | BPF_F_XDP_HAS_FRAGS;
+	bpf_program__set_flags(prog_ext, flags);
+
+	prog_fd = bpf_program__fd(prog_xdp);
+	bpf_program__set_attach_target(prog_ext, prog_fd, "xdp");
+
+	err = freplace_compatible__load(skel_ext);
+	ASSERT_ERR(err, "freplace_compatible__load ext");
+
+	link = bpf_program__attach_freplace(prog_ext, prog_fd, "xdp");
+	ASSERT_ERR_PTR(link, "bpf_program__attach_freplace");
+
+	err = bpf_prog_test_run_opts(prog_fd, &topts);
+	if (!ASSERT_OK(err, "bpf_prog_test_run_opts"))
+		goto out;
+
+	ASSERT_EQ(topts.retval, XDP_PASS, "xdp retval");
+
+out:
+	bpf_link__destroy(link);
+	freplace_compatible__destroy(skel_ext);
+	freplace_compatible__destroy(skel_xdp);
+}
+
+#ifdef __x86_64__
+static void test_kprobe_write_ctx(void)
+{
+	struct freplace_compatible *skel_kprobe, *skel_ext = NULL;
+	struct bpf_program *prog_kprobe, *prog_ext, *prog_fentry;
+	struct bpf_link *link_kprobe = NULL, *link_ext = NULL;
+	int err;
+	LIBBPF_OPTS(bpf_kprobe_opts, kprobe_opts);
+	LIBBPF_OPTS(bpf_test_run_opts, topts);
+
+	skel_kprobe = freplace_compatible__open();
+	if (!ASSERT_OK_PTR(skel_kprobe, "freplace_compatible__open kprobe"))
+		return;
+
+	prog_kprobe = skel_kprobe->progs.kprobe;
+	bpf_program__set_autoload(prog_kprobe, true);
+
+	prog_fentry = skel_kprobe->progs.fentry;
+	bpf_program__set_autoload(prog_fentry, true);
+
+	err = freplace_compatible__load(skel_kprobe);
+	if (!ASSERT_OK(err, "freplace_compatible__load kprobe"))
+		goto out;
+
+	skel_ext = freplace_compatible__open();
+	if (!ASSERT_OK_PTR(skel_ext, "freplace_compatible__open ext"))
+		goto out;
+
+	prog_ext = skel_ext->progs.freplace_kprobe;
+	bpf_program__set_autoload(prog_ext, true);
+
+	bpf_program__set_attach_target(prog_ext, bpf_program__fd(prog_kprobe), "kprobe");
+
+	err = freplace_compatible__load(skel_ext);
+	ASSERT_ERR(err, "freplace_compatible__load ext");
+
+	link_ext = bpf_program__attach_freplace(prog_ext, 0, NULL);
+	ASSERT_ERR_PTR(link_ext, "bpf_program__attach_freplace");
+
+	link_kprobe = bpf_program__attach_kprobe_opts(prog_kprobe, "bpf_fentry_test1",
+						      &kprobe_opts);
+	if (!ASSERT_OK_PTR(link_kprobe, "bpf_program__attach_kprobe_opts"))
+		goto out;
+
+	err = bpf_prog_test_run_opts(bpf_program__fd(prog_fentry), &topts);
+	ASSERT_OK(err, "bpf_prog_test_run_opts");
+
+out:
+	bpf_link__destroy(link_ext);
+	bpf_link__destroy(link_kprobe);
+	freplace_compatible__destroy(skel_ext);
+	freplace_compatible__destroy(skel_kprobe);
+}
+#endif
+
+void test_freplace_compatible(void)
+{
+	if (test__start_subtest("xdp_has_frags"))
+		test_xdp_has_frags();
+#ifdef __x86_64__
+	if (test__start_subtest("kprobe_write_ctx"))
+		test_kprobe_write_ctx();
+#endif
+}
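Review bot: in both subtests, ASSERT_ERR(err, "freplace_compatible__load ext") passes on any load failure, so the test does not show that the verifier rejected the program because of the flag mismatch. Capture the verifier log, for example with bpf_program__set_log_buf() on prog_ext before the load, and check it for the "Extension program cannot have different ..." message. The bpf_program__attach_freplace() call that follows is made on a program that has just failed to load, so ASSERT_ERR_PTR() there adds no coverage of the new checks; and the #ifdef __x86_64__ guard drops the kprobe_write_ctx subtest silently on other architectures, where test__skip() would make that visible.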
diff --git a/tools/testing/selftests/bpf/progs/freplace_compatible.c b/tools/testing/selftests/bpf/progs/freplace_compatible.c
new file mode 100644
index 000000000000..f13b4878268b
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/freplace_compatible.c
@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <vmlinux.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+
+SEC("?xdp")
+int xdp(struct xdp_md *ctx)
+{
+	return XDP_PASS;
+}
+
+SEC("?freplace")
+int freplace_xdp(struct xdp_md *ctx)
+{
+	return 0xFF;
+}
+
+#if defined(__TARGET_ARCH_x86)
+SEC("?kprobe")
+int kprobe(struct pt_regs *regs)
+{
+	return 0;
+}
+
+SEC("?freplace")
+int freplace_kprobe(struct pt_regs *regs)
+{
+	regs->di = 0;
+	return 0;
+}
+
+SEC("?fentry/bpf_fentry_test1")
+int BPF_PROG(fentry)
+{
+	return 0;
+}
+#endif
+
+char _license[] SEC("license") = "GPL";
+
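Review bot: freplace_xdp() returns the bare value 0xFF, which is only meaningful because the userspace test expects XDP_PASS from the unreplaced program; add a comment or a named constant saying it is a sentinel that must never show up in topts.retval. The kprobe section is guarded by __TARGET_ARCH_x86 here while the userspace side uses __x86_64__, so a comment tying the two guards together would help, and the blank line added at the end of the file after the license line should be dropped.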
-- 
2.53.0



* Re: [PATCH bpf-next 1/3] bpf: Disallow freplace on XDP with mismatched xdp_has_frags values
  2026-03-24 15:04 ` [PATCH bpf-next 1/3] bpf: Disallow freplace on XDP with mismatched xdp_has_frags values Leon Hwang
@ 2026-03-24 16:18   ` Toke Høiland-Jørgensen
  2026-03-25  1:42     ` Leon Hwang
  2026-03-26 19:42   ` Jakub Kicinski
  1 sibling, 1 reply; 10+ messages in thread
From: Toke Høiland-Jørgensen @ 2026-03-24 16:18 UTC (permalink / raw)
  To: Leon Hwang, bpf
  Cc: Alexei Starovoitov, Daniel Borkmann, John Fastabend,
	Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
	Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
	Shuah Khan, David S . Miller, Jakub Kicinski,
	Jesper Dangaard Brouer, Leon Hwang, Lorenzo Bianconi,
	linux-kernel, linux-kselftest, netdev, kernel-patches-bot

Leon Hwang <leon.hwang@linux.dev> writes:

> xdp_has_frags was introduced by the commit
> c2f2cdbeffda ("bpf: introduce BPF_F_XDP_HAS_FRAGS flag in prog_flags loading the ebpf program").
>
> The commit f45d5b6ce2e8 ("bpf: generalise tail call map compatibility check")
> was to ensure backwards compatibility against tail calls. However, it
> missed that XDP progs can be extended by freplace progs, which could break
> the backwards compatibility, e.g. xdp_has_frags=true freplace progs are
> allowed to attach to xdp_has_frags=false XDP progs.
>
> To avoid breaking the backwards compatibility via freplace, disallow
> freplace on XDP programs with different xdp_has_frags values.

The problem you describe is not actually a problem, though? A
frags-aware program can run on a non-frags interface just fine.

You're messing with long-standing behaviour (since 5.18!) to solve a
non-existent problem. In a way that completely breaks the frags handling
in libxdp[0]:

    Running tests from ./test-libxdp.sh
     [test_link_so]                PASS
     [test_link_a]                 PASS
     [test_old_dispatcher]         PASS
     [test_xdp_devbound]           PASS
     [test_xdp_frags]              FAIL
          Kernel supports XDP programs with frags
          check_load_frags:	FAILED
          check_load_nofrags_success:	PASSED
          check_load_nofrags_fail:	PASSED
          check_load_frags_multi:	FAILED
          check_load_mix_big:	FAILED
          check_load_mix_small:	FAILED
          Test test_xdp_frags exited with return code: 1


Please don't do that.

-Toke

[0] Run 'make test' here: https://github.com/xdp-project/xdp-tools



* Re: [PATCH bpf-next 1/3] bpf: Disallow freplace on XDP with mismatched xdp_has_frags values
  2026-03-24 16:18   ` Toke Høiland-Jørgensen
@ 2026-03-25  1:42     ` Leon Hwang
  2026-03-25 10:38       ` Toke Høiland-Jørgensen
  0 siblings, 1 reply; 10+ messages in thread
From: Leon Hwang @ 2026-03-25  1:42 UTC (permalink / raw)
  To: Toke Høiland-Jørgensen, bpf
  Cc: Alexei Starovoitov, Daniel Borkmann, John Fastabend,
	Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
	Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
	Shuah Khan, David S . Miller, Jakub Kicinski,
	Jesper Dangaard Brouer, Lorenzo Bianconi, linux-kernel,
	linux-kselftest, netdev, kernel-patches-bot

On 25/3/26 00:18, Toke Høiland-Jørgensen wrote:
> Leon Hwang <leon.hwang@linux.dev> writes:
> 
>> xdp_has_frags was introduced by the commit
>> c2f2cdbeffda ("bpf: introduce BPF_F_XDP_HAS_FRAGS flag in prog_flags loading the ebpf program").
>>
>> The commit f45d5b6ce2e8 ("bpf: generalise tail call map compatibility check")
>> was to ensure backwards compatibility against tail calls. However, it
>> missed that XDP progs can be extended by freplace progs, which could break
>> the backwards compatibility, e.g. xdp_has_frags=true freplace progs are
>> allowed to attach to xdp_has_frags=false XDP progs.
>>
>> To avoid breaking the backwards compatibility via freplace, disallow
>> freplace on XDP programs with different xdp_has_frags values.
> 
> The problem you describe is not actually a problem, though? A
> frags-aware program can run on a non-frags interface just fine.
> 
> You're messing with long-standing behaviour (since 5.18!) to solve a
> non-existent problem. In a way that completely breaks the frags handling
> in libxdp[0]:
> 
>     Running tests from ./test-libxdp.sh
>      [test_link_so]                PASS
>      [test_link_a]                 PASS
>      [test_old_dispatcher]         PASS
>      [test_xdp_devbound]           PASS
>      [test_xdp_frags]              FAIL
>           Kernel supports XDP programs with frags
>           check_load_frags:	FAILED
>           check_load_nofrags_success:	PASSED
>           check_load_nofrags_fail:	PASSED
>           check_load_frags_multi:	FAILED
>           check_load_mix_big:	FAILED
>           check_load_mix_small:	FAILED
>           Test test_xdp_frags exited with return code: 1
> 
> 
> Please don't do that.
> 
> -Toke
> 
> [0] Run 'make test' here: https://github.com/xdp-project/xdp-tools
> 

Indeed, it failed to 'make test'.

Will drop this patch in v2, as it wasn't an issue.

Thanks,
Leon



* Re: [PATCH bpf-next 1/3] bpf: Disallow freplace on XDP with mismatched xdp_has_frags values
  2026-03-25  1:42     ` Leon Hwang
@ 2026-03-25 10:38       ` Toke Høiland-Jørgensen
  0 siblings, 0 replies; 10+ messages in thread
From: Toke Høiland-Jørgensen @ 2026-03-25 10:38 UTC (permalink / raw)
  To: Leon Hwang, bpf
  Cc: Alexei Starovoitov, Daniel Borkmann, John Fastabend,
	Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
	Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
	Shuah Khan, David S . Miller, Jakub Kicinski,
	Jesper Dangaard Brouer, Lorenzo Bianconi, linux-kernel,
	linux-kselftest, netdev, kernel-patches-bot

Leon Hwang <leon.hwang@linux.dev> writes:

> On 25/3/26 00:18, Toke Høiland-Jørgensen wrote:
>> Leon Hwang <leon.hwang@linux.dev> writes:
>> 
>>> xdp_has_frags was introduced by the commit
>>> c2f2cdbeffda ("bpf: introduce BPF_F_XDP_HAS_FRAGS flag in prog_flags loading the ebpf program").
>>>
>>> The commit f45d5b6ce2e8 ("bpf: generalise tail call map compatibility check")
>>> was to ensure backwards compatibility against tail calls. However, it
>>> missed that XDP progs can be extended by freplace progs, which could break
>>> the backwards compatibility, e.g. xdp_has_frags=true freplace progs are
>>> allowed to attach to xdp_has_frags=false XDP progs.
>>>
>>> To avoid breaking the backwards compatibility via freplace, disallow
>>> freplace on XDP programs with different xdp_has_frags values.
>> 
>> The problem you describe is not actually a problem, though? A
>> frags-aware program can run on a non-frags interface just fine.
>> 
>> You're messing with long-standing behaviour (since 5.18!) to solve a
>> non-existent problem. In a way that completely breaks the frags handling
>> in libxdp[0]:
>> 
>>     Running tests from ./test-libxdp.sh
>>      [test_link_so]                PASS
>>      [test_link_a]                 PASS
>>      [test_old_dispatcher]         PASS
>>      [test_xdp_devbound]           PASS
>>      [test_xdp_frags]              FAIL
>>           Kernel supports XDP programs with frags
>>           check_load_frags:	FAILED
>>           check_load_nofrags_success:	PASSED
>>           check_load_nofrags_fail:	PASSED
>>           check_load_frags_multi:	FAILED
>>           check_load_mix_big:	FAILED
>>           check_load_mix_small:	FAILED
>>           Test test_xdp_frags exited with return code: 1
>> 
>> 
>> Please don't do that.
>> 
>> -Toke
>> 
>> [0] Run 'make test' here: https://github.com/xdp-project/xdp-tools
>> 
>
> Indeed, it failed to 'make test'.
>
> Will drop this patch in v2, as it wasn't an issue.

Great, thanks!

-Toke



* Re: [PATCH bpf-next 2/3] bpf: Disallow freplace on kprobe with mismatched kprobe_write_ctx values
  2026-03-24 15:04 ` [PATCH bpf-next 2/3] bpf: Disallow freplace on kprobe with mismatched kprobe_write_ctx values Leon Hwang
@ 2026-03-25 12:51   ` Jiri Olsa
  2026-03-25 13:54     ` Leon Hwang
  0 siblings, 1 reply; 10+ messages in thread
From: Jiri Olsa @ 2026-03-25 12:51 UTC (permalink / raw)
  To: Leon Hwang
  Cc: bpf, Alexei Starovoitov, Daniel Borkmann, John Fastabend,
	Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
	Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Shuah Khan,
	David S . Miller, Jakub Kicinski, Jesper Dangaard Brouer,
	Toke Hoiland-Jorgensen, Lorenzo Bianconi, linux-kernel,
	linux-kselftest, netdev, kernel-patches-bot

On Tue, Mar 24, 2026 at 11:04:43PM +0800, Leon Hwang wrote:
> uprobe programs are allowed to modify struct pt_regs.
> 
> Since the actual program type of uprobe is KPROBE, it can be abused to
> modify struct pt_regs via kprobe+freplace when the kprobe attaches to
> kernel functions.
> 
> For example,
> 
> SEC("?kprobe")
> int kprobe(struct pt_regs *regs)
> {
> 	return 0;
> }
> 
> SEC("?freplace")
> int freplace_kprobe(struct pt_regs *regs)
> {
> 	regs->di = 0;
> 	return 0;
> }
> 
> freplace_kprobe prog will attach to kprobe prog.
> kprobe prog will attach to a kernel function.
> 
> Without this patch, when the kernel function runs, its first arg will
> always be set as 0 via the freplace_kprobe prog.
> 
> To avoid the abuse of kprobe_write_ctx=true via kprobe+freplace, disallow
> freplace on kprobe programs with mismatched kprobe_write_ctx values.
> 
> Fixes: 7384893d970e ("bpf: Allow uprobe program to change context registers")
> Signed-off-by: Leon Hwang <leon.hwang@linux.dev>

hi,
so it's another issue in addition to that one with tail-calls [1]
do you plan to resend this fix as well?

thanks,
jirka


[1] https://lore.kernel.org/bpf/20260303150639.85007-4-leon.hwang@linux.dev/

> ---
>  kernel/bpf/verifier.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 12330466d58b..f8257bae6081 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -6404,6 +6404,14 @@ static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off,
>  		/* remember the offset of last byte accessed in ctx */
>  		if (env->prog->aux->max_ctx_offset < off + size)
>  			env->prog->aux->max_ctx_offset = off + size;
> +		if (env->prog->type == BPF_PROG_TYPE_EXT) {
> +			struct bpf_prog *dst_prog = env->prog->aux->dst_prog;
> +
> +			if (env->prog->aux->kprobe_write_ctx != dst_prog->aux->kprobe_write_ctx) {
> +				verbose(env, "Extension program cannot have different kprobe_write_ctx value with target prog\n");
> +				return -EINVAL;
> +			}
> +		}
>  		return 0;
>  	}
>  
> -- 
> 2.53.0
> 


* Re: [PATCH bpf-next 2/3] bpf: Disallow freplace on kprobe with mismatched kprobe_write_ctx values
  2026-03-25 12:51   ` Jiri Olsa
@ 2026-03-25 13:54     ` Leon Hwang
  0 siblings, 0 replies; 10+ messages in thread
From: Leon Hwang @ 2026-03-25 13:54 UTC (permalink / raw)
  To: Jiri Olsa, Kumar Kartikeya Dwivedi
  Cc: bpf, Alexei Starovoitov, Daniel Borkmann, John Fastabend,
	Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
	Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Shuah Khan,
	David S . Miller, Jakub Kicinski, Jesper Dangaard Brouer,
	Toke Hoiland-Jorgensen, Lorenzo Bianconi, linux-kernel,
	linux-kselftest, netdev, kernel-patches-bot

On 2026/3/25 20:51, Jiri Olsa wrote:
> On Tue, Mar 24, 2026 at 11:04:43PM +0800, Leon Hwang wrote:
>> uprobe programs are allowed to modify struct pt_regs.
>>
>> Since the actual program type of uprobe is KPROBE, it can be abused to
>> modify struct pt_regs via kprobe+freplace when the kprobe attaches to
>> kernel functions.
>>
>> For example,
>>
>> SEC("?kprobe")
>> int kprobe(struct pt_regs *regs)
>> {
>> 	return 0;
>> }
>>
>> SEC("?freplace")
>> int freplace_kprobe(struct pt_regs *regs)
>> {
>> 	regs->di = 0;
>> 	return 0;
>> }
>>
>> freplace_kprobe prog will attach to kprobe prog.
>> kprobe prog will attach to a kernel function.
>>
>> Without this patch, when the kernel function runs, its first arg will
>> always be set as 0 via the freplace_kprobe prog.
>>
>> To avoid the abuse of kprobe_write_ctx=true via kprobe+freplace, disallow
>> freplace on kprobe programs with mismatched kprobe_write_ctx values.
>>
>> Fixes: 7384893d970e ("bpf: Allow uprobe program to change context registers")
>> Signed-off-by: Leon Hwang <leon.hwang@linux.dev>
> 
> hi,
> so it's another issue in addition to that one with tail-calls [1]
> do you plan to resend this fix as well?
> 
> thanks,
> jirka
> 
> 
> [1] https://lore.kernel.org/bpf/20260303150639.85007-4-leon.hwang@linux.dev/
> 
Kumar will re-post it soon.

Thanks,
Leon



* Re: [PATCH bpf-next 1/3] bpf: Disallow freplace on XDP with mismatched xdp_has_frags values
  2026-03-24 15:04 ` [PATCH bpf-next 1/3] bpf: Disallow freplace on XDP with mismatched xdp_has_frags values Leon Hwang
  2026-03-24 16:18   ` Toke Høiland-Jørgensen
@ 2026-03-26 19:42   ` Jakub Kicinski
  1 sibling, 0 replies; 10+ messages in thread
From: Jakub Kicinski @ 2026-03-26 19:42 UTC (permalink / raw)
  To: Leon Hwang
  Cc: bpf, Alexei Starovoitov, Daniel Borkmann, John Fastabend,
	Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
	Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
	Shuah Khan, David S . Miller, Jesper Dangaard Brouer,
	Toke Hoiland-Jorgensen, Lorenzo Bianconi, linux-kernel,
	linux-kselftest, netdev, kernel-patches-bot

On Tue, 24 Mar 2026 23:04:42 +0800 Leon Hwang wrote:
> The commit f45d5b6ce2e8 ("bpf: generalise tail call map compatibility check")
> was to ensure backwards compatibility against tail calls. However, it
> missed that XDP progs can be extended by freplace progs, which could break
> the backwards compatibility, e.g. xdp_has_frags=true freplace progs are
> allowed to attach to xdp_has_frags=false XDP progs.
> 
> To avoid breaking the backwards compatibility via freplace, disallow
> freplace on XDP programs with different xdp_has_frags values.

It may be worth adding a selftest to
tools/testing/selftests/drivers/net/xdp.py
which sets MTU to 9k, tries to attach a non-frag-capable prog,
if that fails attaches a frag-capable prog, and then checks if
replacing the capable prog with non-capable fails.
Drivers may be buggy in this regard.
