[PATCH bpf-next v2 0/3] bpf: Show precise rejected function when attaching to __noreturn and deny list functions
Show precise rejected function when attaching fexit/fmod_ret to __noreturn functions. Add log for attaching tracing programs to functions in deny list. Add selftest for attaching tracing programs to functions in deny list.
changes: v2: - change verifier log message (Alexei) - add missing Suggested-by
v1: https://lore.kernel.org/all/20250710162717.3808020-1-mannkafai@gmail.com/
--- KaFai Wan (3): bpf: Show precise rejected function when attaching fexit/fmod_ret to __noreturn functions bpf: Add log for attaching tracing programs to functions in deny list selftests/bpf: Add selftest for attaching tracing programs to functions in deny list
kernel/bpf/verifier.c | 5 ++++- .../selftests/bpf/prog_tests/tracing_deny.c | 11 +++++++++++ .../testing/selftests/bpf/progs/fexit_noreturns.c | 2 +- tools/testing/selftests/bpf/progs/tracing_deny.c | 15 +++++++++++++++ 4 files changed, 31 insertions(+), 2 deletions(-) create mode 100644 tools/testing/selftests/bpf/prog_tests/tracing_deny.c create mode 100644 tools/testing/selftests/bpf/progs/tracing_deny.c
With this change, we know the precise rejected function name when attaching fexit/fmod_ret to __noreturn functions from log.
$ ./fexit libbpf: prog 'fexit': BPF program load failed: -EINVAL libbpf: prog 'fexit': -- BEGIN PROG LOAD LOG -- Attaching fexit/fmod_ret to __noreturn function 'do_exit' is rejected.
Suggested-by: Leon Hwang leon.hwang@linux.dev Signed-off-by: KaFai Wan mannkafai@gmail.com --- kernel/bpf/verifier.c | 3 ++- tools/testing/selftests/bpf/progs/fexit_noreturns.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index e2fcea860755..00d287814f12 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -23946,7 +23946,8 @@ static int check_attach_btf_id(struct bpf_verifier_env *env) } else if ((prog->expected_attach_type == BPF_TRACE_FEXIT || prog->expected_attach_type == BPF_MODIFY_RETURN) && btf_id_set_contains(&noreturn_deny, btf_id)) { - verbose(env, "Attaching fexit/fmod_ret to __noreturn functions is rejected.\n"); + verbose(env, "Attaching fexit/fmod_ret to __noreturn function '%s' is rejected.\n", + tgt_info.tgt_name); return -EINVAL; }
diff --git a/tools/testing/selftests/bpf/progs/fexit_noreturns.c b/tools/testing/selftests/bpf/progs/fexit_noreturns.c index 54654539f550..b1c33d958ae2 100644 --- a/tools/testing/selftests/bpf/progs/fexit_noreturns.c +++ b/tools/testing/selftests/bpf/progs/fexit_noreturns.c @@ -8,7 +8,7 @@ char _license[] SEC("license") = "GPL";
SEC("fexit/do_exit") -__failure __msg("Attaching fexit/fmod_ret to __noreturn functions is rejected.") +__failure __msg("Attaching fexit/fmod_ret to __noreturn function 'do_exit' is rejected.") int BPF_PROG(noreturns) { return 0;
Show the rejected function name when attaching tracing programs to functions in deny list.
With this change, we know why tracing programs can't attach to functions like migrate_disable() from log.
$ ./fentry libbpf: prog 'migrate_disable': BPF program load failed: -EINVAL libbpf: prog 'migrate_disable': -- BEGIN PROG LOAD LOG -- Attaching tracing programs to function 'migrate_disable' is rejected.
Suggested-by: Leon Hwang leon.hwang@linux.dev Signed-off-by: KaFai Wan mannkafai@gmail.com --- kernel/bpf/verifier.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 00d287814f12..c24c0d57e595 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -23942,6 +23942,8 @@ static int check_attach_btf_id(struct bpf_verifier_env *env) return ret; } else if (prog->type == BPF_PROG_TYPE_TRACING && btf_id_set_contains(&btf_id_deny, btf_id)) { + verbose(env, "Attaching tracing programs to function '%s' is rejected.\n", + tgt_info.tgt_name); return -EINVAL; } else if ((prog->expected_attach_type == BPF_TRACE_FEXIT || prog->expected_attach_type == BPF_MODIFY_RETURN) &&
The reuslt:
$ tools/testing/selftests/bpf/test_progs --name=tracing_deny #467/1 tracing_deny/migrate_disable:OK #467 tracing_deny:OK Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED
Signed-off-by: KaFai Wan mannkafai@gmail.com --- .../selftests/bpf/prog_tests/tracing_deny.c | 11 +++++++++++ tools/testing/selftests/bpf/progs/tracing_deny.c | 15 +++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 tools/testing/selftests/bpf/prog_tests/tracing_deny.c create mode 100644 tools/testing/selftests/bpf/progs/tracing_deny.c
diff --git a/tools/testing/selftests/bpf/prog_tests/tracing_deny.c b/tools/testing/selftests/bpf/prog_tests/tracing_deny.c new file mode 100644 index 000000000000..460c59a9667f --- /dev/null +++ b/tools/testing/selftests/bpf/prog_tests/tracing_deny.c @@ -0,0 +1,11 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include <test_progs.h> +#include "tracing_deny.skel.h" + +void test_tracing_deny(void) +{ + /* migrate_disable depends on CONFIG_SMP */ + if (libbpf_find_vmlinux_btf_id("migrate_disable", BPF_TRACE_FENTRY) > 0) + RUN_TESTS(tracing_deny); +} diff --git a/tools/testing/selftests/bpf/progs/tracing_deny.c b/tools/testing/selftests/bpf/progs/tracing_deny.c new file mode 100644 index 000000000000..98ef834f0b6d --- /dev/null +++ b/tools/testing/selftests/bpf/progs/tracing_deny.c @@ -0,0 +1,15 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include <linux/bpf.h> +#include <bpf/bpf_helpers.h> +#include <bpf/bpf_tracing.h> +#include "bpf_misc.h" + +char _license[] SEC("license") = "GPL"; + +SEC("fentry/migrate_disable") +__failure __msg("Attaching tracing programs to function 'migrate_disable' is rejected.") +int BPF_PROG(migrate_disable) +{ + return 0; +}
On Mon, Jul 14, 2025 at 5:04 AM KaFai Wan mannkafai@gmail.com wrote:
The reuslt:
$ tools/testing/selftests/bpf/test_progs --name=tracing_deny #467/1 tracing_deny/migrate_disable:OK #467 tracing_deny:OK Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED
Signed-off-by: KaFai Wan mannkafai@gmail.com
.../selftests/bpf/prog_tests/tracing_deny.c | 11 +++++++++++ tools/testing/selftests/bpf/progs/tracing_deny.c | 15 +++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 tools/testing/selftests/bpf/prog_tests/tracing_deny.c create mode 100644 tools/testing/selftests/bpf/progs/tracing_deny.c
diff --git a/tools/testing/selftests/bpf/prog_tests/tracing_deny.c b/tools/testing/selftests/bpf/prog_tests/tracing_deny.c new file mode 100644 index 000000000000..460c59a9667f --- /dev/null +++ b/tools/testing/selftests/bpf/prog_tests/tracing_deny.c @@ -0,0 +1,11 @@ +// SPDX-License-Identifier: GPL-2.0
+#include <test_progs.h> +#include "tracing_deny.skel.h"
+void test_tracing_deny(void) +{
/* migrate_disable depends on CONFIG_SMP */if (libbpf_find_vmlinux_btf_id("migrate_disable", BPF_TRACE_FENTRY) > 0)RUN_TESTS(tracing_deny);+} diff --git a/tools/testing/selftests/bpf/progs/tracing_deny.c b/tools/testing/selftests/bpf/progs/tracing_deny.c new file mode 100644 index 000000000000..98ef834f0b6d --- /dev/null +++ b/tools/testing/selftests/bpf/progs/tracing_deny.c @@ -0,0 +1,15 @@ +// SPDX-License-Identifier: GPL-2.0
+#include <linux/bpf.h> +#include <bpf/bpf_helpers.h> +#include <bpf/bpf_tracing.h> +#include "bpf_misc.h"
+char _license[] SEC("license") = "GPL";
+SEC("fentry/migrate_disable") +__failure __msg("Attaching tracing programs to function 'migrate_disable' is rejected.") +int BPF_PROG(migrate_disable) +{
return 0;+}
Please roll these two tiny files into existing files in progs/ and prog_tests/ directories. Every file takes time to compile 4 times, so let's avoid unnecessary overhead.
-- pw-bot: cr
On Wed, 2025-07-16 at 18:37 -0700, Alexei Starovoitov wrote:
On Mon, Jul 14, 2025 at 5:04 AM KaFai Wan mannkafai@gmail.com wrote:
The reuslt:
$ tools/testing/selftests/bpf/test_progs --name=tracing_deny #467/1 tracing_deny/migrate_disable:OK #467 tracing_deny:OK Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED
Signed-off-by: KaFai Wan mannkafai@gmail.com
.../selftests/bpf/prog_tests/tracing_deny.c | 11 +++++++++++ tools/testing/selftests/bpf/progs/tracing_deny.c | 15 +++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 tools/testing/selftests/bpf/prog_tests/tracing_deny.c create mode 100644 tools/testing/selftests/bpf/progs/tracing_deny.c
diff --git a/tools/testing/selftests/bpf/prog_tests/tracing_deny.c b/tools/testing/selftests/bpf/prog_tests/tracing_deny.c new file mode 100644 index 000000000000..460c59a9667f --- /dev/null +++ b/tools/testing/selftests/bpf/prog_tests/tracing_deny.c @@ -0,0 +1,11 @@ +// SPDX-License-Identifier: GPL-2.0
+#include <test_progs.h> +#include "tracing_deny.skel.h"
+void test_tracing_deny(void) +{ + /* migrate_disable depends on CONFIG_SMP */ + if (libbpf_find_vmlinux_btf_id("migrate_disable", BPF_TRACE_FENTRY) > 0) + RUN_TESTS(tracing_deny); +} diff --git a/tools/testing/selftests/bpf/progs/tracing_deny.c b/tools/testing/selftests/bpf/progs/tracing_deny.c new file mode 100644 index 000000000000..98ef834f0b6d --- /dev/null +++ b/tools/testing/selftests/bpf/progs/tracing_deny.c @@ -0,0 +1,15 @@ +// SPDX-License-Identifier: GPL-2.0
+#include <linux/bpf.h> +#include <bpf/bpf_helpers.h> +#include <bpf/bpf_tracing.h> +#include "bpf_misc.h"
+char _license[] SEC("license") = "GPL";
+SEC("fentry/migrate_disable") +__failure __msg("Attaching tracing programs to function 'migrate_disable' is rejected.") +int BPF_PROG(migrate_disable) +{ + return 0; +}
Please roll these two tiny files into existing files in progs/ and prog_tests/ directories. Every file takes time to compile 4 times, so let's avoid unnecessary overhead.
Okay, will update it in v3.
-- pw-bot: cr
linux-kselftest-mirror@lists.linaro.org
-
Alexei Starovoitov -
KaFai Wan