struct bpf_struct_ops's cfi_stubs field is used as a readonly pointer but has type void *. Change its type to void const * to allow it to point to readonly global memory. Update the struct_ops implementations to declare their cfi_stubs global variables as const.
Caleb Sander Mateos (5): bpf: use const pointer for struct_ops cfi_stubs HID: bpf: make __bpf_hid_bpf_ops const sched_ext: make __bpf_ops_sched_ext_ops const net: make cfi_stubs globals const selftests/bpf: make cfi_stubs globals const
drivers/hid/bpf/hid_bpf_struct_ops.c | 2 +- include/linux/bpf.h | 2 +- kernel/bpf/bpf_struct_ops.c | 6 +++--- kernel/sched/ext.c | 2 +- net/bpf/bpf_dummy_struct_ops.c | 2 +- net/ipv4/bpf_tcp_ca.c | 2 +- net/sched/bpf_qdisc.c | 2 +- net/smc/smc_hs_bpf.c | 2 +- .../testing/selftests/bpf/test_kmods/bpf_test_no_cfi.c | 2 +- tools/testing/selftests/bpf/test_kmods/bpf_testmod.c | 10 +++++----- 10 files changed, 16 insertions(+), 16 deletions(-)
struct bpf_struct_ops's cfi_stubs field is used as a readonly pointer but has type void *. Change its type to void const * to allow it to point to readonly global memory. Change the void ** casts of cfi_stubs to void * const * accordingly.
Signed-off-by: Caleb Sander Mateos csander@purestorage.com --- include/linux/bpf.h | 2 +- kernel/bpf/bpf_struct_ops.c | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 4e7d72dfbcd4..d74189ea1066 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -1977,11 +1977,11 @@ struct bpf_struct_ops { void *kdata, const void *udata); int (*reg)(void *kdata, struct bpf_link *link); void (*unreg)(void *kdata, struct bpf_link *link); int (*update)(void *kdata, void *old_kdata, struct bpf_link *link); int (*validate)(void *kdata); - void *cfi_stubs; + void const *cfi_stubs; struct module *owner; const char *name; struct btf_func_model func_models[BPF_STRUCT_OPS_MAX_NR_MEMBERS]; };
diff --git a/kernel/bpf/bpf_struct_ops.c b/kernel/bpf/bpf_struct_ops.c index c43346cb3d76..42cfc3e0bc68 100644 --- a/kernel/bpf/bpf_struct_ops.c +++ b/kernel/bpf/bpf_struct_ops.c @@ -321,11 +321,11 @@ static bool is_module_member(const struct btf *btf, u32 id) return !strcmp(btf_name_by_offset(btf, t->name_off), "module"); }
int bpf_struct_ops_supported(const struct bpf_struct_ops *st_ops, u32 moff) { - void *func_ptr = *(void **)(st_ops->cfi_stubs + moff); + void *func_ptr = *(void * const *)(st_ops->cfi_stubs + moff);
return func_ptr ? 0 : -ENOTSUPP; }
int bpf_struct_ops_desc_init(struct bpf_struct_ops_desc *st_ops_desc, @@ -444,11 +444,11 @@ int bpf_struct_ops_desc_init(struct bpf_struct_ops_desc *st_ops_desc, mname, st_ops->name); err = -EINVAL; goto errout; }
- stub_func_addr = *(void **)(st_ops->cfi_stubs + moff); + stub_func_addr = *(void * const *)(st_ops->cfi_stubs + moff); err = prepare_arg_info(btf, st_ops->name, mname, func_proto, stub_func_addr, arg_info + i); if (err) goto errout; @@ -833,11 +833,11 @@ static long bpf_struct_ops_map_update_elem(struct bpf_map *map, void *key, *pksym++ = ksym;
trampoline_start = image_off; err = bpf_struct_ops_prepare_trampoline(tlinks, link, &st_ops->func_models[i], - *(void **)(st_ops->cfi_stubs + moff), + *(void * const *)(st_ops->cfi_stubs + moff), &image, &image_off, st_map->image_pages_cnt < MAX_TRAMP_IMAGE_PAGES); if (err) goto reset_unlock;
Now that struct bpf_struct_ops's cfi_stubs field is a const pointer, declare the __bpf_hid_bpf_ops global variable it points to as const. This allows the global variable to be placed in readonly memory.
Signed-off-by: Caleb Sander Mateos csander@purestorage.com --- drivers/hid/bpf/hid_bpf_struct_ops.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/bpf/hid_bpf_struct_ops.c b/drivers/hid/bpf/hid_bpf_struct_ops.c index 702c22fae136..30ddcf78e0ea 100644 --- a/drivers/hid/bpf/hid_bpf_struct_ops.c +++ b/drivers/hid/bpf/hid_bpf_struct_ops.c @@ -286,11 +286,11 @@ static int __hid_bpf_hw_request(struct hid_bpf_ctx *ctx, unsigned char reportnum static int __hid_bpf_hw_output_report(struct hid_bpf_ctx *ctx, u64 source) { return 0; }
-static struct hid_bpf_ops __bpf_hid_bpf_ops = { +static const struct hid_bpf_ops __bpf_hid_bpf_ops = { .hid_device_event = __hid_bpf_device_event, .hid_rdesc_fixup = __hid_bpf_rdesc_fixup, .hid_hw_request = __hid_bpf_hw_request, .hid_hw_output_report = __hid_bpf_hw_output_report, };
Now that struct bpf_struct_ops's cfi_stubs field is a const pointer, declare the __bpf_ops_sched_ext_ops global variable it points to as const. This allows the global variable to be placed in readonly memory.
Signed-off-by: Caleb Sander Mateos csander@purestorage.com --- kernel/sched/ext.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c index 94164f2dec6d..af8250b64f47 100644 --- a/kernel/sched/ext.c +++ b/kernel/sched/ext.c @@ -5336,11 +5336,11 @@ static s32 sched_ext_ops__init(void) { return -EINVAL; } static void sched_ext_ops__exit(struct scx_exit_info *info) {} static void sched_ext_ops__dump(struct scx_dump_ctx *ctx) {} static void sched_ext_ops__dump_cpu(struct scx_dump_ctx *ctx, s32 cpu, bool idle) {} static void sched_ext_ops__dump_task(struct scx_dump_ctx *ctx, struct task_struct *p) {}
-static struct sched_ext_ops __bpf_ops_sched_ext_ops = { +static const struct sched_ext_ops __bpf_ops_sched_ext_ops = { .select_cpu = sched_ext_ops__select_cpu, .enqueue = sched_ext_ops__enqueue, .dequeue = sched_ext_ops__dequeue, .dispatch = sched_ext_ops__dispatch, .tick = sched_ext_ops__tick,
Now that struct bpf_struct_ops's cfi_stubs field is a const pointer, declare the __bpf_bpf_dummy_ops, __bpf_ops_tcp_congestion_ops, __bpf_ops_qdisc_ops, and __smc_bpf_hs_ctrl global variables it points to as const. This allows the global variables to be placed in readonly memory.
Signed-off-by: Caleb Sander Mateos csander@purestorage.com --- net/bpf/bpf_dummy_struct_ops.c | 2 +- net/ipv4/bpf_tcp_ca.c | 2 +- net/sched/bpf_qdisc.c | 2 +- net/smc/smc_hs_bpf.c | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/bpf/bpf_dummy_struct_ops.c b/net/bpf/bpf_dummy_struct_ops.c index 812457819b5a..198152dbce9a 100644 --- a/net/bpf/bpf_dummy_struct_ops.c +++ b/net/bpf/bpf_dummy_struct_ops.c @@ -296,11 +296,11 @@ static int bpf_dummy_test_2(struct bpf_dummy_ops_state *cb, int a1, unsigned sho static int bpf_dummy_test_sleepable(struct bpf_dummy_ops_state *cb) { return 0; }
-static struct bpf_dummy_ops __bpf_bpf_dummy_ops = { +static const struct bpf_dummy_ops __bpf_bpf_dummy_ops = { .test_1 = bpf_dummy_ops__test_1, .test_2 = bpf_dummy_test_2, .test_sleepable = bpf_dummy_test_sleepable, };
diff --git a/net/ipv4/bpf_tcp_ca.c b/net/ipv4/bpf_tcp_ca.c index e01492234b0b..bd2ce4ff1762 100644 --- a/net/ipv4/bpf_tcp_ca.c +++ b/net/ipv4/bpf_tcp_ca.c @@ -306,11 +306,11 @@ static void __bpf_tcp_ca_init(struct sock *sk)
static void __bpf_tcp_ca_release(struct sock *sk) { }
-static struct tcp_congestion_ops __bpf_ops_tcp_congestion_ops = { +static const struct tcp_congestion_ops __bpf_ops_tcp_congestion_ops = { .ssthresh = bpf_tcp_ca_ssthresh, .cong_avoid = bpf_tcp_ca_cong_avoid, .set_state = bpf_tcp_ca_set_state, .cwnd_event = bpf_tcp_ca_cwnd_event, .in_ack_event = bpf_tcp_ca_in_ack_event, diff --git a/net/sched/bpf_qdisc.c b/net/sched/bpf_qdisc.c index adcb618a2bfc..8f9a6440f113 100644 --- a/net/sched/bpf_qdisc.c +++ b/net/sched/bpf_qdisc.c @@ -427,11 +427,11 @@ static void Qdisc_ops__reset(struct Qdisc *sch)
static void Qdisc_ops__destroy(struct Qdisc *sch) { }
-static struct Qdisc_ops __bpf_ops_qdisc_ops = { +static const struct Qdisc_ops __bpf_ops_qdisc_ops = { .enqueue = Qdisc_ops__enqueue, .dequeue = Qdisc_ops__dequeue, .init = Qdisc_ops__init, .reset = Qdisc_ops__reset, .destroy = Qdisc_ops__destroy, diff --git a/net/smc/smc_hs_bpf.c b/net/smc/smc_hs_bpf.c index 063d23d85850..5c562e2a15be 100644 --- a/net/smc/smc_hs_bpf.c +++ b/net/smc/smc_hs_bpf.c @@ -60,11 +60,11 @@ static int __smc_bpf_stub_set_tcp_option_cond(const struct tcp_sock *tp, struct inet_request_sock *ireq) { return 1; }
-static struct smc_hs_ctrl __smc_bpf_hs_ctrl = { +static const struct smc_hs_ctrl __smc_bpf_hs_ctrl = { .syn_option = __smc_bpf_stub_set_tcp_option, .synack_option = __smc_bpf_stub_set_tcp_option_cond, };
static int smc_bpf_hs_ctrl_init(struct btf *btf) { return 0; }
Now that struct bpf_struct_ops's cfi_stubs field is a const pointer, declare the __test_no_cif_ops, __bpf_testmod_ops*, st_ops_cfi_stubs, and multi_st_ops_cfi_stubs global variables it points to as const. This tests that BPF struct_ops implementations are allowed to declare cfi_stubs global variables as const.
Signed-off-by: Caleb Sander Mateos csander@purestorage.com --- .../testing/selftests/bpf/test_kmods/bpf_test_no_cfi.c | 2 +- tools/testing/selftests/bpf/test_kmods/bpf_testmod.c | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/tools/testing/selftests/bpf/test_kmods/bpf_test_no_cfi.c b/tools/testing/selftests/bpf/test_kmods/bpf_test_no_cfi.c index 948eb3962732..1d76912f1a45 100644 --- a/tools/testing/selftests/bpf/test_kmods/bpf_test_no_cfi.c +++ b/tools/testing/selftests/bpf/test_kmods/bpf_test_no_cfi.c @@ -39,11 +39,11 @@ static void bpf_test_no_cfi_ops__fn_1(void)
static void bpf_test_no_cfi_ops__fn_2(void) { }
-static struct bpf_test_no_cfi_ops __test_no_cif_ops = { +static const struct bpf_test_no_cfi_ops __test_no_cif_ops = { .fn_1 = bpf_test_no_cfi_ops__fn_1, .fn_2 = bpf_test_no_cfi_ops__fn_2, };
static struct bpf_struct_ops test_no_cif_ops = { diff --git a/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c b/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c index 90c4b1a51de6..5e460b1dbdb6 100644 --- a/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c +++ b/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c @@ -295,11 +295,11 @@ static int bpf_testmod_test_3(void) static int bpf_testmod_test_4(void) { return 0; }
-static struct bpf_testmod_ops3 __bpf_testmod_ops3 = { +static const struct bpf_testmod_ops3 __bpf_testmod_ops3 = { .test_1 = bpf_testmod_test_3, .test_2 = bpf_testmod_test_4, };
static void bpf_testmod_test_struct_ops3(void) @@ -1273,11 +1273,11 @@ bpf_testmod_ops__test_return_ref_kptr(int dummy, struct task_struct *task__ref, struct cgroup *cgrp) { return NULL; }
-static struct bpf_testmod_ops __bpf_testmod_ops = { +static const struct bpf_testmod_ops __bpf_testmod_ops = { .test_1 = bpf_testmod_test_1, .test_2 = bpf_testmod_test_2, .test_maybe_null = bpf_testmod_ops__test_maybe_null, .test_refcounted = bpf_testmod_ops__test_refcounted, .test_return_ref_kptr = bpf_testmod_ops__test_return_ref_kptr, @@ -1300,11 +1300,11 @@ static int bpf_dummy_reg2(void *kdata, struct bpf_link *link)
ops->test_1(); return 0; }
-static struct bpf_testmod_ops2 __bpf_testmod_ops2 = { +static const struct bpf_testmod_ops2 __bpf_testmod_ops2 = { .test_1 = bpf_testmod_test_1, };
struct bpf_struct_ops bpf_testmod_ops2 = { .verifier_ops = &bpf_testmod_verifier_ops, @@ -1547,11 +1547,11 @@ static const struct bpf_verifier_ops st_ops_verifier_ops = { .gen_prologue = st_ops_gen_prologue, .gen_epilogue = st_ops_gen_epilogue, .get_func_proto = bpf_base_func_proto, };
-static struct bpf_testmod_st_ops st_ops_cfi_stubs = { +static const struct bpf_testmod_st_ops st_ops_cfi_stubs = { .test_prologue = bpf_test_mod_st_ops__test_prologue, .test_epilogue = bpf_test_mod_st_ops__test_epilogue, .test_pro_epilogue = bpf_test_mod_st_ops__test_pro_epilogue, };
@@ -1715,11 +1715,11 @@ static void multi_st_ops_unreg(void *kdata, struct bpf_link *link) static int bpf_testmod_multi_st_ops__test_1(struct st_ops_args *args) { return 0; }
-static struct bpf_testmod_multi_st_ops multi_st_ops_cfi_stubs = { +static const struct bpf_testmod_multi_st_ops multi_st_ops_cfi_stubs = { .test_1 = bpf_testmod_multi_st_ops__test_1, };
struct bpf_struct_ops testmod_multi_st_ops = { .verifier_ops = &bpf_testmod_verifier_ops,
diff --git a/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c b/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c index 90c4b1a51de6..5e460b1dbdb6 100644 --- a/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c +++ b/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c
[ ... ]
@@ -1275,7 +1275,7 @@ bpf_testmod_ops__test_return_ref_kptr(int dummy, struct task_struct *task__ref, return NULL; }
-static struct bpf_testmod_ops __bpf_testmod_ops = { +static const struct bpf_testmod_ops __bpf_testmod_ops = { .test_1 = bpf_testmod_test_1, .test_2 = bpf_testmod_test_2,
Is it safe to make __bpf_testmod_ops const here? In bpf_testmod_init(), this struct is modified at runtime:
tramp = (void **)&__bpf_testmod_ops.tramp_1; while (tramp <= (void **)&__bpf_testmod_ops.tramp_40) *tramp++ = bpf_testmod_tramp;
Writing to a const-qualified object is undefined behavior and may cause a protection fault when the compiler places this in read-only memory. Would the module fail to load on systems where .rodata is actually read-only?
--- AI reviewed your patch. Please fix the bug or email reply why it's not a bug. See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/20624206229
On Wed, Dec 31, 2025 at 10:04 AM bot+bpf-ci@kernel.org wrote:
diff --git a/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c b/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c index 90c4b1a51de6..5e460b1dbdb6 100644 --- a/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c +++ b/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c
[ ... ]
@@ -1275,7 +1275,7 @@ bpf_testmod_ops__test_return_ref_kptr(int dummy, struct task_struct *task__ref, return NULL; }
-static struct bpf_testmod_ops __bpf_testmod_ops = { +static const struct bpf_testmod_ops __bpf_testmod_ops = { .test_1 = bpf_testmod_test_1, .test_2 = bpf_testmod_test_2,
Is it safe to make __bpf_testmod_ops const here? In bpf_testmod_init(), this struct is modified at runtime:
tramp = (void **)&__bpf_testmod_ops.tramp_1; while (tramp <= (void **)&__bpf_testmod_ops.tramp_40) *tramp++ = bpf_testmod_tramp;Writing to a const-qualified object is undefined behavior and may cause a protection fault when the compiler places this in read-only memory. Would the module fail to load on systems where .rodata is actually read-only?
Yup, that's indeed the bug caught by KASAN. Missed this mutation at init time, I'll leave __bpf_testmod_ops as mutable.
Thanks, Caleb
AI reviewed your patch. Please fix the bug or email reply why it's not a bug. See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/20624206229
On Wed, Dec 31, 2025 at 10:09 AM Caleb Sander Mateos csander@purestorage.com wrote:
On Wed, Dec 31, 2025 at 10:04 AM bot+bpf-ci@kernel.org wrote:
diff --git a/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c b/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c index 90c4b1a51de6..5e460b1dbdb6 100644 --- a/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c +++ b/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c
[ ... ]
@@ -1275,7 +1275,7 @@ bpf_testmod_ops__test_return_ref_kptr(int dummy, struct task_struct *task__ref, return NULL; }
-static struct bpf_testmod_ops __bpf_testmod_ops = { +static const struct bpf_testmod_ops __bpf_testmod_ops = { .test_1 = bpf_testmod_test_1, .test_2 = bpf_testmod_test_2,
Is it safe to make __bpf_testmod_ops const here? In bpf_testmod_init(), this struct is modified at runtime:
tramp = (void **)&__bpf_testmod_ops.tramp_1; while (tramp <= (void **)&__bpf_testmod_ops.tramp_40) *tramp++ = bpf_testmod_tramp;Writing to a const-qualified object is undefined behavior and may cause a protection fault when the compiler places this in read-only memory. Would the module fail to load on systems where .rodata is actually read-only?
Yup, that's indeed the bug caught by KASAN. Missed this mutation at init time, I'll leave __bpf_testmod_ops as mutable.
No. You're missing the point. The whole patch set is no go. The pointer to cfi stub can be updated just as well.
linux-kselftest-mirror@lists.linaro.org
-
Alexei Starovoitov -
bot+bpf-ci@kernel.org -
Caleb Sander Mateos