summaryrefslogtreecommitdiff
path: root/tools/testing/selftests/bpf/progs
AgeCommit message (Collapse)Author
12 hoursMerge branch 'master' of ↵Mark Brown
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git
12 hoursMerge branch 'for-next' of ↵Mark Brown
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git
15 hoursMerge branch 'vfs.all' of ↵Mark Brown
https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git # Conflicts: # fs/bpf_fs_kfuncs.c # tools/testing/selftests/filesystems/.gitignore # tools/testing/selftests/filesystems/Makefile
33 hoursselftests/bpf: Verify load-time signed loader metadataDaniel Borkmann
The signed gen_loader no longer checks its metadata map from within BPF; the kernel does it at BPF_PROG_LOAD by folding the loader's frozen exclusive fd_array maps into the signature. Exercise that path end to end. Extend with more test cases (e.g. map-less program, asserting the LSM admission hook observes BPF_SIG_UNSIGNED and BPF_SIG_VERIFIED), and retire the subtests that asserted the old in-loader check, which no longer exists. # LDLIBS=-static PKG_CONFIG='pkg-config --static' ./vmtest.sh -- ./test_progs -t signed_loader [...] #412/1 signed_loader/loadtime_no_map:OK #412/2 signed_loader/loadtime_with_map:OK #412/3 signed_loader/metadata_match:OK #412/4 signed_loader/signature_enforced:OK #412/5 signed_loader/signed_nonexcl_fd_array_rejected:OK #412/6 signed_loader/signed_unfrozen_fd_array_rejected:OK #412/7 signed_loader/signed_nonarray_fd_array_rejected:OK #412/8 signed_loader/signed_btf_fd_array_rejected:OK #412/9 signed_loader/signed_module_kfunc_rejected:OK #412/10 signed_loader/signature_failure_logs:OK #412/11 signed_loader/signature_too_large:OK #412/12 signed_loader/signature_zero_size:OK #412/13 signed_loader/signature_bad_keyring:OK #412/14 signed_loader/metadata_ctx_max_entries_ignored:OK #412/15 signed_loader/metadata_ctx_initial_value_ignored:OK #412/16 signed_loader/signature_authenticates_insns:OK #412/17 signed_loader/signature_authenticates_metadata:OK #412/18 signed_loader/hash_requires_frozen:OK #412/19 signed_loader/no_update_after_freeze:OK #412/20 signed_loader/freeze_writable_mmap:OK #412/21 signed_loader/no_writable_mmap_frozen:OK #412/22 signed_loader/map_hash_matches_libbpf:OK #412/23 signed_loader/map_hash_multi_element:OK #412/24 signed_loader/map_hash_bad_size:OK #412/25 signed_loader/map_hash_unsupported_type:OK #412/26 signed_loader/lsm_signature_verdict:OK #412/27 signed_loader/signed_no_fd_array:OK #412/28 signed_loader/signed_map_by_fd_rejected:OK #412/29 signed_loader/signed_sparse_fd_array_rejected:OK #412 signed_loader:OK Summary: 1/29 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/bpf/20260708075343.358712-8-daniel@iogearbox.net Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
33 hoursselftests/bpf: Adjust bpf_map layout in verifier_map_ptrDaniel Borkmann
With write-only excl member removed from struct bpf_map, ops moves to offset 32 and inner_map_meta to offset 40. Update the expected verifier message for the former and retarget the latter at the sha byte array, so the beyond-member-end rejection path stays covered: # LDLIBS=-static PKG_CONFIG='pkg-config --static' ./vmtest.sh -- ./test_progs -t verifier_map_ptr [...] #619/5 verifier_map_ptr/bpf_map_ptr: read non-existent field rejected:OK #619/6 verifier_map_ptr/bpf_map_ptr: read non-existent field rejected @unpriv:OK #619/7 verifier_map_ptr/bpf_map_ptr: read beyond sha field rejected:OK #619/8 verifier_map_ptr/bpf_map_ptr: read beyond sha field rejected @unpriv:OK #619/9 verifier_map_ptr/bpf_map_ptr: read ops field accepted:OK #619/10 verifier_map_ptr/bpf_map_ptr: read ops field accepted @unpriv:OK [...] #620 verifier_map_ptr_mixing:OK Summary: 2/20 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/bpf/20260708075343.358712-7-daniel@iogearbox.net Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
42 hoursMerge branch 'perf/core' into perf/merge, to ease CI testingIngo Molnar
Signed-off-by: Ingo Molnar <mingo@kernel.org>
43 hoursselftests/bpf: Add untrusted BTF write regressionKumar Kartikeya Dwivedi
Add a TCP congestion-control struct_ops load test for a write through a BTF pointer produced by bpf_rdonly_cast(). The test expects the verifier to reject the program before the TCP CA btf_struct_access callback can whitelist the tcp_sock field write. Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Signed-off-by: Eduard Zingerman <eddyz87@gmail.com> Reviewed-by: Amery Hung <ameryhung@gmail.com> Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
2 daysselftests/bpf: Test cases for missing spill typesEduard Zingerman
A few selftests checking that the verifier represents spills for the following pointer types w/o losing precision: - PTR_TO_INSN - PTR_TO_TP_BUFFER - CONST_PTR_TO_DYNPTR Signed-off-by: Eduard Zingerman <eddyz87@gmail.com> Link: https://lore.kernel.org/bpf/20260707-missing-spillable-types-v1-2-44a92121dc41@gmail.com Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
2 daysselftests/bpf: Drop tc/xdp/flow_dissector/socket_filter sockmap mutation testsSechang Lim
tc, xdp, socket_filter and flow_dissector programs can no longer update or delete a sockmap. Adjust the tests: - verifier_sockmap_mutate: the tc, xdp, socket_filter and flow_dissector cases now expect __failure with "cannot update sockmap in this context". - sockmap_basic: drop "sockmap update" / "sockhash update", which load a SEC("tc") program that copies a sock between maps. - fexit_bpf2bpf: drop "func_sockmap_update", whose freplace program updates a sockmap in the tc cls_redirect context. Remove the now-unused test_sockmap_update.c and freplace_cls_redirect.c. Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/bpf/20260630145410.3648099-3-rhkrqnwk98@gmail.com Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
2 daysselftests/bpf: Add test for bpf_get_smp_processor_idMaxim Khmelevskii
Add a test which checks on each CPU that the bpf_get_smp_processor_id BPF helper is returning the correct CPU number. Signed-off-by: Maxim Khmelevskii <max@linux.ibm.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com> Link: https://lore.kernel.org/bpf/20260703125648.919196-6-max@linux.ibm.com Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
2 daysselftests/bpf: Cover MEM_ALLOC access past object boundsYiyang Chen
Add a linked_list negative loader case for a program-BTF type whose last member is a zero-length flexible array. The program writes through the first flexible-array element of an object allocated by bpf_obj_new(). The verifier should reject the access when the BTF walk reaches beyond the static size of the allocated object. Signed-off-by: Yiyang Chen <chenyy23@mails.tsinghua.edu.cn> Acked-by: Eduard Zingerman <eddyz87@gmail.com> Link: https://lore.kernel.org/bpf/e36fd5d2f4047809f0e5da46a7077083297e64db.1782807039.git.chenyy23@mails.tsinghua.edu.cn Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
6 daysselftests/bpf: Add tests for uprobe nop10 red zone clobberingAndrii Nakryiko
The uprobe nop5 optimization used to replace a 5-byte NOP with a 5-byte CALL to a trampoline. The CALL pushes a return address onto the stack at [rsp-8], clobbering whatever was stored there. On x86-64, the red zone is the 128 bytes below rsp that user code may use for temporary storage without adjusting rsp. Compilers can place USDT argument operands there, generating specs like "8@-8(%rbp)" when rbp == rsp. With the CALL-based optimization, the return address overwrites that argument before the BPF-side USDT argument fetch runs. Add two tests for this case. The uprobe_syscall subtest stores known values at -8(%rsp), -16(%rsp), and -24(%rsp), executes an optimized nop10 uprobe, and verifies the red-zone data is still intact. The USDT subtest triggers a probe in a function where the compiler places three USDT operands in the red zone and verifies that all 10 optimized invocations deliver the expected argument values to BPF. On an unfixed kernel, the first hit goes through the INT3 path and later hits use the optimized CALL path, so the red-zone checks fail after optimization. [ updates to use nop10 ] Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Signed-off-by: Jiri Olsa <jolsa@kernel.org> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Signed-off-by: Ingo Molnar <mingo@kernel.org> Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com> Link: https://patch.msgid.link/20260703114917.238144-13-jolsa@kernel.org
6 daysMerge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf 7.2-rc2Daniel Borkmann
Cross-merge BPF and other fixes after downstream PR. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
7 daysMerge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpfLinus Torvalds
Pull BPF fixes from Daniel Borkmann: - Initialize task local storage before fork bails out to free the task (Jann Horn) - Fix insn_aux_data leak on verifier error path (KaFai Wan) - Reject BPF inode storage map creation when BPF LSM is uninitialized (Matt Bobrowski) - Mask pseudo pointer values in verifier logs when pointer leaks are not allowed (Nuoqi Gui) - Harden BPF JIT against spraying via IBPB flush (Pawan Gupta) - Reject a skb-modifying SK_SKB stream parser since the latter is only meant to measure the next message (Sechang Lim) - Fix bpf_refcount_acquire to reject refcounted allocation arguments with a non-zero fixed offset (Yiyang Chen) * tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf: bpf: Prefer dirty packs for eBPF allocations bpf: Prefer packs that won't trigger an IBPB flush on allocation bpf: Skip redundant IBPB in pack allocator bpf: Restrict JIT predictor flush to cBPF x86/bugs: Enable IBPB flush on BPF JIT allocation bpf: Support for hardening against JIT spraying bpf: Reject BPF_MAP_TYPE_INODE_STORAGE creation if BPF LSM is uninitialized bpf,fork: wipe ->bpf_storage before bailouts that access it bpf: Fix insn_aux_data leak on verifier err_free_env path selftests/bpf: Cover pseudo-BTF ksym log masking bpf: Mask pseudo pointer values in verifier logs selftests/bpf: Cover refcount acquire node offsets bpf: Reject offset refcount acquire arguments selftests/bpf: test rejection of a packet-modifying SK_SKB stream parser bpf, sockmap: reject a packet-modifying SK_SKB stream parser selftests/bpf: don't modify the skb in the strparser parser prog
8 daysselftests/bpf: Fix test_maps sockmap failureJiayuan Chen
test_maps fails in the sockmap test because sockmap_verdict_prog.c drops the packet when the first 8 bytes are not directly accessible: if (data + 8 > data_end) return SK_DROP; The blamed commit removed bpf_skb_pull_data() from the stream parser program so that the parser no longer modifies the skb. That was needed, but it also removed an implicit side effect: bpf_skb_pull_data() linearized enough of the skb for later direct packet access. In this test, the send side goes through the sockmap SK_MSG path. The skb can have skb->len == 20 while its linear area is empty, so the verdict program sees data == data_end and drops the packet even though the payload length is sufficient. Keep the parser read-only, and pull the first 8 bytes in the verdict program before reading or writing them. Reload data/data_end after bpf_skb_pull_data() as required. Fixes: 22a0cc10dacb ("selftests/bpf: don't modify the skb in the strparser parser prog") Reported-by: Ihor Solodrai <ihor.solodrai@linux.dev> Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20260701071501.39628-1-jiayuan.chen@linux.dev Closes: https://lore.kernel.org/bpf/e3a91acd-2b4d-4e93-a3bb-a0e9ee5ede0f@linux.dev/
8 daysselftests/bpf: Mask socket type flags in mptcpify progGuillaume Maudoux
The mptcpify BPF prog upgrades eligible TCP sockets to MPTCP, but only when the socket type is exactly SOCK_STREAM. Its update_socket_protocol() hook runs on the raw type from userspace, before the socket core masks it with SOCK_TYPE_MASK, so the type may still carry SOCK_CLOEXEC or SOCK_NONBLOCK in its upper bits and the equality check fails. As a result, a socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0) -- what common libraries do by default -- is silently left as plain TCP. This was hit in practice with curl. Since mptcpify.c is referenced as example code for enabling MPTCP transparently, the same mistake is likely to be copied into real deployments where it fails the same way and is hard to diagnose. Mask the type before comparing, mirroring the socket core. Extend the test to also create the server with SOCK_CLOEXEC set; the same masking is applied to start_server_addr() so a flagged type still listens. Fixes: ddba122428a7 ("selftests/bpf: Add mptcpify test") Signed-off-by: Guillaume Maudoux <layus.on@gmail.com> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Link: https://lore.kernel.org/bpf/20260630095723.564392-1-layus.on@gmail.com
8 daysselftests/bpf: Add tracing_multi link info testsJiri Olsa
Adding tracing_multi link info tests that follow the kprobe_multi and uprobe_multi tests logic. Assisted-by: Codex:GPT-5 Signed-off-by: Jiri Olsa <jolsa@kernel.org> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20260629212208.895962-3-jolsa@kernel.org
8 daysselftests/bpf: Verify no non-zeroed kernel heap memory exposureLeon Hwang
When lookup element from those per-CPU maps, which have special field in their values and their value size is not equal to roundup(value_sz, 8), the padding size of temporary non-zeroed kernel heap memory allocated by kvmalloc should not be exposed to user space. Without the fix: test_map_uninit_mem_exposure:FAIL:zeroed tail bytes unexpected memory mismatch actual: 2B 2B 2B 2B expected: 00 00 00 00 Assisted-by: Codex:gpt-5.5 Signed-off-by: Leon Hwang <leon.hwang@linux.dev> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20260624155115.85196-3-leon.hwang@linux.dev
11 daysselftests/bpf: Add test for bpf_sock_read_xattr() kfuncChristian Brauner
Add a selftest that loads the kfunc in sleepable and non-sleepable lsm/socket_connect programs and checks that a value set via fsetxattr() on a socket is read back. Link: https://patch.msgid.link/20260617-work-bpf-sock-xattr-v1-2-a1276f7c9da3@kernel.org Reviewed-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
13 daysMerge tag 'loongarch-7.2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson Pull LoongArch updates from Huacai Chen: - Add THREAD_INFO_IN_TASK implementation - Add build salt to the vDSO - Add some BPF JIT inline helpers - Update DTS for I2C clocks and clock-frequency - Some bug fixes and other small changes * tag 'loongarch-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson: selftests/bpf: Test jited inline of bpf_get_smp_processor_id() for LoongArch selftests/bpf: Test jited inline of bpf_get_current_task() for LoongArch selftests/bpf: Add __arch_loongarch to limit test cases for LoongArch selftests/bpf: Add get_preempt_count() support for LoongArch LoongArch: dts: Add i2c clocks and clock-frequency properties to LS2K2000 LoongArch: dts: Add i2c clocks and clock-frequency properties to LS2K1000 LoongArch: dts: Add i2c clocks and clock-frequency properties to LS2K0500 LoongArch: BPF: Inline bpf_get_smp_processor_id() helper LoongArch: BPF: Inline bpf_get_current_task/_btf() helpers LoongArch: BPF: Fix off-by-one error in tail call LoongArch: BPF: Fix outdated tail call comments LoongArch: Add build salt to the vDSO LoongArch: Fix nr passing in set_direct_map_valid_noflush() LoongArch: Fix missing dirty page tracking in {pte,pmd}_wrprotect() LoongArch: Move struct kimage forward declaration before use LoongArch: Report dying CPU to RCU in stop_this_cpu() LoongArch: Add PIO for early access before ACPI PCI root register LoongArch: Add THREAD_INFO_IN_TASK implementation
2026-06-25selftests/bpf: Add kfunc set test to resolve_btfidsIhor Solodrai
Extend the resolve_btfids selftest to cover kfunc sets defined with BTF_KFUNCS_START/BTF_KFUNCS_END. The test verifies that resolve_btfids correctly processes BTF_ID_FLAGS, resolves function IDs, and checks the kfunc set is sorted. Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Acked-by: Jiri Olsa <jolsa@kernel.org> Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev> Acked-by: Eduard Zingerman <eddyz87@gmail.com> Link: https://lore.kernel.org/r/20260624005546.1818483-5-ihor.solodrai@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-25selftests/bpf: Cover pseudo-BTF ksym log maskingNuoqi Gui
Add verifier_unpriv coverage for a raw socket-filter load of the bpf_prog_active typed ksym. The test verifies that the unprivileged load remains accepted and that the verbose verifier log prints the ldimm64 immediate as 0x0 instead of exposing a nonzero kernel address. Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn> Link: https://lore.kernel.org/r/20260623-f01-13-pseudo-btf-id-cap-bpf-v2-2-a190ebb8f3e2@mails.tsinghua.edu.cn Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Eduard Zingerman <eddyz87@gmail.com>
2026-06-25selftests/bpf: Cover stack reads from zero spillsWoojin Ji
Add verifier_var_off coverage for variable-offset stack reads from spilled scalar constant zero values. Cover single-slot and cross-slot spilled zero reads, a sub-8-byte spill with neighbouring STACK_ZERO bytes, and a sub-8-byte spill with neighbouring STACK_MISC bytes that must not be treated as zero. Add verifier_spill_fill coverage for a fixed-offset stack read spanning both STACK_ZERO bytes and scalar const-zero STACK_SPILL bytes. Use verifier log assertions to check both the zero result and the precision backtracking trail. Assisted-by: opencode:gpt-5.5 Signed-off-by: Woojin Ji <random6.xyz@gmail.com> Acked-by: Eduard Zingerman <eddyz87@gmail.com> Link: https://lore.kernel.org/r/20260625-bpf-stack-var-off-zero-v1-v3-2-a068210a761b@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-25selftests/bpf: Cover refcount acquire node offsetsYiyang Chen
Add regression coverage for bpf_refcount_acquire() on graph-node-derived pointers. The rejected case passes a popped list node pointer directly to bpf_refcount_acquire(), which must fail because the pointer carries a non-zero fixed offset. Signed-off-by: Yiyang Chen <chenyy23@mails.tsinghua.edu.cn> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Acked-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/bf2a2033ced272106292de4465b8ef3fb991c912.1782192383.git.chenyy23@mails.tsinghua.edu.cn Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-25selftests/bpf: test rejection of a packet-modifying SK_SKB stream parserSechang Lim
Verify that attaching an SK_SKB stream parser that can modify the packet is rejected, while a read-only parser still attaches. Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev> Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com> Link: https://lore.kernel.org/r/20260620024423.4141004-4-rhkrqnwk98@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-25selftests/bpf: don't modify the skb in the strparser parser progSechang Lim
sockmap_parse_prog.c is attached as an SK_SKB stream parser and modifies the skb: it calls bpf_skb_pull_data() and writes a byte into the packet. A stream parser runs on strparser's message head and must not modify it. A resize frees the frag_list segments strparser still tracks, leading to a use-after-free. Make the parser read-only. It only needs to return the message length, which keeps it attaching once packet-modifying parsers are rejected. Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev> Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com> Link: https://lore.kernel.org/r/20260620024423.4141004-2-rhkrqnwk98@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-25selftests/bpf: Add tests for bpf_redirect_peer with BPF_F_EGRESSJordan Rife
Extend redirect tests to cover bpf_redirect_peer(BPF_F_EGRESS). SRC redirects to DST using bpf_redirect_peer(BPF_F_EGRESS) then traffic is hairpinned into DST using bpf_redirect. Signed-off-by: Jordan Rife <jordan@jrife.io> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Paul Chaignon <paul.chaignon@gmail.com> Link: https://lore.kernel.org/r/20260618182035.43811-3-jordan@jrife.io Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-25Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpfLinus Torvalds
Pull bpf fixes from Alexei Starovoitov: - Fix effective prog array index with BPF_F_PREORDER (Amery Hung) - Zero-initialize the fib lookup flow struct (Avinash Duduskar) - Disable xfrm_decode_session hook attachment (Bradley Morgan) - Allow type tag BTF records to succeed other modifier records (Emil Tsalapatis) - Fix build_id caching in stack_map_get_build_id_offset() (Ihor Solodrai) - Add missing access_ok call to copy_user_syms (Jiri Olsa) - Fix stack slot index in nospec checks (Nuoqi Gui) - Preserve pointer spill metadata during half-slot cleanup (Nuoqi Gui) - Fix partial copy of non-linear test_run output (Sun Jian) - Fix BPF_PROG_ASSOC_STRUCT_OPS last field check (Thiébaud Weksteen) - Reset register bounds before narrowing retval range (Tristan Madani) - Fix vmlinux BTF leak in bpftool cgroup commands (Yichong Chen) - Guard error writes in conntrack kfuncs (Yiyang Chen) * tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf: bpf: Disable xfrm_decode_session hook attachment selftests/bpf: Add test for stale bounds on LSM retval context load bpf: Reset register bounds before narrowing retval range in check_mem_access() selftests/bpf: Cover small conntrack opts error writes bpf: Guard conntrack opts error writes selftests/bpf: Cover half-slot cleanup of pointer spills bpf: Preserve pointer spill metadata during half-slot cleanup selftests/bpf: Test cgroup link replace with BPF_F_PREORDER bpf: Fix effective prog array index with BPF_F_PREORDER bpf: Fix BPF_PROG_ASSOC_STRUCT_OPS last field check bpf: zero-initialize the fib lookup flow struct bpftool: Fix vmlinux BTF leak in cgroup commands bpf: Add missing access_ok call to copy_user_syms bpf: Allow type tag BTF records to succeed other modifier records bpf: Emit verbose message when prog-specific btf_struct_access rejects a write bpf: Fix build_id caching in stack_map_get_build_id_offset() bpf: Fix partial copy of non-linear test_run output selftests/bpf: Cover stack nospec slot indexing bpf: Fix stack slot index in nospec checks
2026-06-25Merge tag 'net-7.2-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Jakub Kicinski: "Including fixes from netfilter and IPsec. Current release - regressions: - do not acquire dev->tx_global_lock in netdev_watchdog_up() - ethtool: keep rtnl_lock for ops using ethtool_op_get_link() - fix deadlock in nested UP notifier events Current release - new code bugs: - eth: - cn20k: fix subbank free list indexing for search order - airoha: fix BQL underflow in shared QDMA TX ring Previous releases - regressions: - netfilter: - flowtable: fix offloaded ct timeout never being extended - nf_conncount: prevent connlimit drops for early confirmed ct Previous releases - always broken: - require CAP_NET_ADMIN in the originating netns when modifying cross-netns devices - report NAPI thread PID in the caller's pid namespace - mac802154: fix dirty frag in in-place crypto for IOT radios - sctp: hold socket lock when dumping endpoints in sctp_diag, avoid an overflow - eth: gve: fix header buffer corruption with header-split and HW-GRO - af_key: initialize alg_key_len for IPComp states, prevent OOB read" * tag 'net-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (213 commits) selftests: bonding: add a test for VLAN propagation over a bonded real device vlan: defer real device state propagation to netdev_work net: add the driver-facing netdev_work scheduling API net: turn the rx_mode work into a generic netdev_work facility net: ethtool: keep rtnl_lock for ops using ethtool_op_get_link() rxrpc: Fix rxrpc_rotate_tx_rotate() to check there's something to rotate rxrpc: Fix leak of released call in recvmsg(MSG_PEEK) rxrpc: Fix socket notification race rxrpc: Fix potential infinite loop in rxrpc_recvmsg() rxrpc: Fix oob challenge leak in cleanup after notification failure rxrpc: Fix the reception of a reply packet before data transmission afs: Fix uncancelled rxrpc OOB message handler afs: Fix further netns teardown to cancel the preallocation charger rxrpc: Fix double unlock in rxrpc_recvmsg() rxrpc: Fix leak of connection from OOB challenge rxrpc: Fix ACKALL packet handling net: hns3: differentiate autoneg default values between copper and fiber net: hns3: fix permanent link down deadlock after reset net: hns3: refactor MAC autoneg and speed configuration net: hns3: unify copper port ksettings configuration path ...
2026-06-25selftests/bpf: Test jited inline of bpf_get_smp_processor_id() for LoongArchTiezhu Yang
Add the testcase for the jited inline of bpf_get_smp_processor_id(), only for LoongArch currently. Here is the test result on LoongArch: $ sudo ./test_progs -t verifier_jit_inline #604/1 verifier_jit_inline/inline_bpf_get_current_task:OK #604/2 verifier_jit_inline/inline_bpf_get_smp_processor_id:OK #604 verifier_jit_inline:OK Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2026-06-25selftests/bpf: Test jited inline of bpf_get_current_task() for LoongArchTiezhu Yang
Add the jited inline instruction of bpf_get_current_task() for LoongArch to pass the test case. Before: $ sudo ./test_progs -t verifier_jit_inline #604/1 verifier_jit_inline/inline_bpf_get_current_task:SKIP #604 verifier_jit_inline:SKIP Summary: 1/0 PASSED, 1 SKIPPED, 0 FAILED After: $ sudo ./test_progs -t verifier_jit_inline #604/1 verifier_jit_inline/inline_bpf_get_current_task:OK #604 verifier_jit_inline:OK Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2026-06-25selftests/bpf: Add __arch_loongarch to limit test cases for LoongArchTiezhu Yang
Make it possible to limit certain tests to LoongArch, just like it is already done for x86_64, arm64, riscv64, and s390x. This is a follow up patch of: commit ee7fe84468b1 ("selftests/bpf: __arch_* macro to limit test cases to specific archs") commit 1e4e6b9e260d ("selftests/bpf: Add __arch_s390x macro") Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
2026-06-23selftests/bpf: Add LWT encap tests for skb metadataJakub Sitnicki
Test that an LWT encapsulation does not silently corrupt XDP metadata sitting in the skb headroom. Exercise all three LWT dispatch paths: - BPF LWT xmit prog reserves headroom on the LWT .xmit redirect, - mpls pushes an MPLS label on the LWT .xmit redirect, - seg6 in encap mode runs on the LWT .input redirect, - ioam6 encap inserts an IOAM Hop-by-Hop option on LWT .output redirect. Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com> Link: https://patch.msgid.link/20260619-bpf-lwt-drop-skb-metadata-v3-2-71d6a33ab76b@cloudflare.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-22selftests/bpf: Add test for stale bounds on LSM retval context loadTristan Madani
Add a verifier test that catches the stale-bounds issue fixed in the previous patch. The test sets r6 = 0 to create known bounds, then loads the LSM hook return value into r6 from the context. Without the fix, the verifier intersects the retval range with the stale bounds and incorrectly narrows r6 to a single value, pruning the fall-through branch as dead code and missing the div-by-zero. Suggested-by: Eduard Zingerman <eddyz87@gmail.com> Signed-off-by: Tristan Madani <tristan@talencesecurity.com> Acked-by: Eduard Zingerman <eddyz87@gmail.com> Link: https://lore.kernel.org/r/20260622230123.3695446-3-tristmd@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-22selftests/bpf: Cover small conntrack opts error writesYiyang Chen
Add a conntrack kfunc regression check for opts__sz values that do not cover opts->error. The BPF program initializes opts->error with a guard value, calls the lookup and allocation kfuncs with opts__sz set to sizeof(opts->netns_id), and verifies that the guard is still intact after the kfunc returns NULL. Without the conntrack wrapper guard, the kfunc error path overwrites that guard with -EINVAL even though the verifier checked only the first four bytes of the options object. Fixes: b4c2b9593a1c ("net/netfilter: Add unstable CT lookup helpers for XDP and TC-BPF") Fixes: d7e79c97c00c ("net: netfilter: Add kfuncs to allocate and insert CT") Signed-off-by: Yiyang Chen <chenyy23@mails.tsinghua.edu.cn> Link: https://lore.kernel.org/r/007dfd0341cd84560e4795a2a951cc56d4adff1d.1781765747.git.chenyy23@mails.tsinghua.edu.cn Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-22selftests/bpf: Cover half-slot cleanup of pointer spillsNuoqi Gui
Add a verifier regression test for a pointer spill whose high half is cleaned dead while the low half remains live. Force checkpoint creation with BPF_F_TEST_STATE_FREQ and assert the verifier log reaches the checkpoint and the subsequent 32-bit fill before rejecting the partial fill from a non-scalar spill. Acked-by: Eduard Zingerman <eddyz87@gmail.com> Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn> Link: https://lore.kernel.org/r/20260617-f01-06-half-slot-pointer-spill-v2-2-42b9cdc3cf64@mails.tsinghua.edu.cn Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-21selftests/bpf: Cover stack nospec slot indexingNuoqi Gui
Add a verifier test for the fixed-offset stack write case where two 4-byte stores initialize opposite halves of the same stack slot. The test runs through the unprivileged loader lane and expects both half-slot writes to emit nospec in the translated program. Acked-by: Luis Gerhorst <luis.gerhorst@fau.de> Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn> Link: https://lore.kernel.org/r/20260618-f01-11-stack-nospec-slot-index-v3-2-780297041721@mails.tsinghua.edu.cn Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-17Merge tag 'bpf-next-7.2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next Pull bpf updates from Alexei Starovoitov: "Major changes: - Recover from BPF arena page faults using a scratch page and add ptep_try_set() for lockless empty-slot installs on x86 and arm64. This allows BPF kfuncs to access arena pointers directly. The 'arena_direct_access' stable branch was created for this work and was pulled into sched-ext and bpf-next trees (Tejun Heo, Kumar Kartikeya Dwivedi) - Lift old restriction and support 6+ arguments in BPF programs and kfuncs on x86 and arm64 (Yonghong Song, Puranjay Mohan) Other features and fixes: - Add 24-bit BTF vlen and reclaim unused bits in the BTF UAPI to ease addition of new BTF kinds (Alan Maguire) - Raise the maximum BPF call chain depth from 8 to 16 frames (Alexei Starovoitov) - Refactor object relationship tracking in the verifier and fix a dynptr use-after-free bug (Amery Hung) - Harden the signed program loader and reject exclusive maps as inner maps (Daniel Borkmann) - Replace the verifier min/max bounds fields with a circular number (cnum) representation and improve 32->64 bit range refinements (Eduard Zingerman) - Introduce the arena library and runtime (libarena) with a buddy allocator, rbtree and SPMC queue data structures, ASAN support and a parallel test harness. Allow subprograms to return arena pointers and switch to a BTF type-tag based __arena annotation (Emil Tsalapatis) - Cache build IDs in the sleepable stackmap path and avoid faultable build ID reads under mm locks (Ihor Solodrai) - Introduce the tracing_multi link to attach a single BPF program to many kernel functions at once. Allow specifying the uprobe_multi target via FD (Jiri Olsa) - Extend the bpf_list family of kfuncs with bpf_list_add/del(), and bpf_list_is_first/is_last/empty() (Kaitao Cheng) - Extend the BPF syscall with common attributes support for prog_load, btf_load and map_create (Leon Hwang) - Wrap rhashtable as BPF map (Mykyta Yatsenko, Herbert Xu) - Add sleepable support for tracepoint programs and fix deadlocks in LRU map due to NMI reentry (Mykyta Yatsenko) - Fix OOB access in bpf_flow_keys, fix nullness analysis of inner arrays, enforce write checks for global subprograms (Nuoqi Gui) - Report the maximum combined stack depth and print a breakdown of instructions processed per subprogram (Paul Chaignon) - Add an XDP load-balancer benchmark and arm64 JIT support for stack arguments (Puranjay Mohan) - Add kfuncs to traverse over wakeup_sources (Samuel Wu) - Allow sleepable BPF programs to use LPM trie maps directly (Vlad Poenaru) - Many more fixes and cleanups across the verifier, BTF, sockmap, devmap, bpffs, security hooks, s390/riscv/loongarch JITs, rqspinlock, libbpf, bpftool, selftests" * tag 'bpf-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next: (336 commits) selftests/bpf: Work around llvm stack overflow in crypto progs selftests/bpf: add test for bpf_msg_pop_data() overflow bpf, sockmap: fix integer overflow in bpf_msg_pop_data() bounds check sockmap: Fix use-after-free in udp_bpf_recvmsg() bpf, sockmap: keep sk_msg copy state in sync bpf, sockmap: Fix wrong rsge offset in bpf_msg_push_data() bpf, sockmap: reject overflowing copy + len in bpf_msg_push_data() selftsets/bpf: Retry map update on helper_fill_hashmap() selftests/bpf: Add test for sleepable lsm_cgroup rejection selftests/bpf: Add test to verify the fix for bpf_setsockopt() helper bpf: Fix bpf_get/setsockopt to tos for ipv4-mapped ipv6 socket selftests/bpf: Avoid static LLVM linking for cross builds selftests/bpf: Use common CFLAGS for urandom_read selftests/bpf: Initialize operation name before use tools/bpf: build: Append extra cflags libbpf: Initialize CFLAGS before including Makefile.include bpftool: Append extra host flags bpftool: Avoid adding EXTRA_CFLAGS to HOST_CFLAGS bpftool: Pass host flags to bootstrap libbpf selftests/bpf: correct CONFIG_PPC64 macro name in comment ...
2026-06-16selftests/bpf: drop the unused kTLS program from test_sockmapJakub Kicinski
With the sockmap + kTLS tests gone, the BPF-side support in test_sockmap is dead: the tls_sock_map map and bpf_prog3 (which redirected skbs into it) are no longer referenced. Remove them, along with the now-unused bpf_write_pass() helper. bpf_prog3 was progs[2], so renumber the progs[] users in test_sockmap.c: the sockops program drops to progs[2] and the sk_msg tx programs to progs[3..7]. Shrink the map/prog arrays from 9 to 8 and drop the tls_sock_map entry (the last one) from map_names[] to match. Link: https://patch.msgid.link/20260614014102.461064-5-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-16selftests/bpf: remove sockmap + ktls testsJakub Kicinski
The combination of sockmap and TLS is no longer supported - installing the TLS ULP on a sockmap socket (and vice versa) is now rejected. Remove the tests that exercise the combination along with their BPF program; the file covered nothing but sockmap sockets holding kTLS contexts. Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com> Link: https://patch.msgid.link/20260614014102.461064-4-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-15selftests/bpf: Work around llvm stack overflow in crypto progsAlexei Starovoitov
clang 23 fails to build crypto_bench.c and crypto_sanity.c with "BPF stack limit exceeded". The progs fill a 408-byte bpf_crypto_params on the stack and pass it to bpf_crypto_ctx_create(). clang 23 copies the byte-aligned cipher/key globals into it one byte at a time through the stack, and keeps more than one copy of the struct around. Together that blows the 512-byte limit. Align the source arrays to 8 bytes so the copy is word-wise, and move params off the stack into a static .bss var. static keeps it out of the skeleton, where bpf_crypto_params is an incomplete type. Either change alone is not enough. Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14selftests/bpf: add test for bpf_msg_pop_data() overflowSechang Lim
Add a test in sockmap_basic.c that calls bpf_msg_pop_data() with a length close to U32_MAX, which overflows the start + len bounds check. The sk_msg program records the return value over a sendmsg and the test checks that the call is rejected with -EINVAL. Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Cc: Jiayuan Chen <jiayuan.chen@linux.dev> Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com> Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev> Link: https://lore.kernel.org/r/20260615021959.140010-7-jiayuan.chen@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14selftests/bpf: Add test for sleepable lsm_cgroup rejectionDavid Windsor
Confirm the verifier rejects loading a sleepable BPF_LSM_CGROUP program, as introduced in commit 5b038319be44 ("bpf: Reject sleepable BPF_LSM_CGROUP programs at load time"). Signed-off-by: David Windsor <dwindsor@gmail.com> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260611143549.703914-1-dwindsor@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14selftests/bpf: Add test to verify the fix for bpf_setsockopt() helperLeon Hwang
Verify the fix by: 1. Attach cgroup sockops prog. 2. Build a tcp connection using ipv4 addr in ipv6 socket. 3. Verify the return value of bpf_setsockopt() helper. Assisted-by: Codex:gpt-5.5-xhigh Signed-off-by: Leon Hwang <leon.hwang@linux.dev> Link: https://lore.kernel.org/r/20260613162443.60515-3-leon.hwang@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14selftests/bpf: correct CONFIG_PPC64 macro name in commentEthan Nelson-Moore
A comment in tools/testing/selftests/bpf/progs/test_fill_link_info.c incorrectly refers to CONFIG_PPC6 instead of CONFIG_PPC64. Correct it. Discovered while searching for CONFIG_* symbols referenced in code but not defined in any Kconfig file. Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com> Link: https://lore.kernel.org/r/20260610044023.225820-1-enelsonmoore@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-14bpf: Raise maximum call chain depth to 16 framesAlexei Starovoitov
Bump MAX_CALL_FRAMES from 8 to 16 to allow deeper call chains that Rust-BPF requires and update selftests. Link: https://lore.kernel.org/r/20260613180755.29671-1-alexei.starovoitov@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-12selftests/bpf: Add retval test for bool and errno LSM cgroup hooksXu Kuohai
Add test to check the return value when a BPF program exits with 0 for a boolean and an errno LSM hook. For each hook, two BPF programs are attached. The first program returns 0 without calling bpf_set_retval() to exercise the return value translation logic, while the second program reads the retval via bpf_get_retval(). Signed-off-by: Xu Kuohai <xukuohai@huawei.com> Link: https://lore.kernel.org/r/20260610201724.733943-3-xukuohai@huaweicloud.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-10selftests/bpf: Cover tail-call cgroup storage prog-array checksLin Ma
Add tail-call selftests for prog-array ownership when cgroup storage is in use. Verify that loading succeeds when callers and callees reuse the owner's cgroup storage map, and that loading fails for a different storage map and for the A(storage) -> B(no storage) -> C(storage) bridge case addressed in the previous commit. Also verify that a storage-less leaf program which cannot perform tail calls itself is still allowed to join a storage-owned prog array, while a storage-less tail-caller is rejected also at map update time. # LDLIBS=-static PKG_CONFIG='pkg-config --static' ./vmtest.sh -- ./test_progs -t tailcalls [...] #475/25 tailcalls/tailcall_freplace:OK #475/26 tailcalls/tailcall_bpf2bpf_freplace:OK #475/27 tailcalls/tailcall_failure:OK #475/28 tailcalls/reject_tail_call_spin_lock:OK #475/29 tailcalls/reject_tail_call_rcu_lock:OK #475/30 tailcalls/reject_tail_call_preempt_lock:OK #475/31 tailcalls/reject_tail_call_ref:OK #475/32 tailcalls/tailcall_sleepable:OK #475/33 tailcalls/tailcall_cgrp_storage:OK #475/34 tailcalls/tailcall_cgrp_storage_diff_storage:OK #475/35 tailcalls/tailcall_cgrp_storage_no_storage:OK #475/36 tailcalls/tailcall_cgrp_storage_no_storage_leaf:OK #475/37 tailcalls/tailcall_cgrp_storage_no_storage_bridge:OK #475 tailcalls:OK Summary: 1/37 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Lin Ma <malin89@huawei.com> Signed-off-by: Rongzhen Cui <cuirongzhen@huawei.com> Signed-off-by: Jingguo Tan <tanjingguo@huawei.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/20260610105539.705887-2-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-10selftests/bpf: Fix bpf_iter/task_vma testYonghong Song
For selftest bpf_iter/task_vma, I got a failure like below on my qemu run: test_task_vma_common:FAIL:compare_output unexpected compare_output: actual '561593546000-561593585000r--p0000000000:241256579534/root/devshare/bpf-next/tools/testing/selftests/bpf/test_progs' != expected '561593546000-561593585000r--p0000000000:245551546830/root/devshare/bpf-next/tools/testing/selftests/bpf/test_progs' Further debugging found out file->f_inode->i_ino value may exceed 32bit, e.g., i_ino = 0x14c2eae35, but the format string is '%u'. This caused inode mismatch between bpf iter and proc result. Fix the issue by using format string '%llu' to accommodate 64bit i_ino. Fixes: e8168840e16c ("selftests/bpf: Add test for bpf_iter_task_vma") Signed-off-by: Yonghong Song <yonghong.song@linux.dev> Acked-by: Leon Hwang <leon.hwang@linux.dev> Link: https://lore.kernel.org/r/20260610051831.1346659-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-09selftests/bpf: Exercise kptr map update lifetimeKumar Kartikeya Dwivedi
Add focused map_kptr coverage for BPF-side map updates that touch values containing referenced kptrs. The new syscall programs stash the testmod refcounted object in an array map, a preallocated hash map, and a no-prealloc hash map, then update the same map from BPF. The refcount must remain elevated after the update, while the userspace runner destroys the skeleton and reuses the existing refcount wait to confirm map teardown releases the kptr. Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Link: https://lore.kernel.org/r/20260609202548.3571690-5-memxor@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>