Hi Linus,

The following changes since commit fac04efc5c793dccbd07e2d59af9f90b7fc0dca4:

  Linux 6.13-rc2 (2024-12-08 14:03:39 -0800)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git tags/bpf-fixes

for you to fetch changes up to c83508da5620ef89232cb614fb9e02dfdfef2b8f:

  bpf: Avoid deadlock caused by nested kprobe and fentry bpf programs (2024-12-14 09:49:27 -0800)

----------------------------------------------------------------
BPF fixes:

- Fix a bug in the BPF verifier to track changes to packet data
  property for global functions (Eduard Zingerman)

- Fix a theoretical BPF prog_array use-after-free in RCU handling
  of __uprobe_perf_func (Jann Horn)

- Fix BPF tracing to have an explicit list of tracepoints and
  their arguments which need to be annotated as PTR_MAYBE_NULL
  (Kumar Kartikeya Dwivedi)

- Fix a logic bug in the bpf_remove_insns code where a potential
  error would have been wrongly propagated (Anton Protopopov)

- Avoid deadlock scenarios caused by nested kprobe and fentry
  BPF programs (Priya Bala Govindasamy)

- Fix a bug in BPF verifier which was missing a size check for
  BTF-based context access (Kumar Kartikeya Dwivedi)

- Fix a crash found by syzbot through an invalid BPF prog_array
  access in perf_event_detach_bpf_prog (Jiri Olsa)

- Fix several BPF sockmap bugs including a race causing a
  refcount imbalance upon element replace (Michal Luczaj)

- Fix a use-after-free from mismatching BPF program/attachment
  RCU flavors (Jann Horn)

Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>

----------------------------------------------------------------
Alexei Starovoitov (3):
      Merge branch 'bpf-track-changes_pkt_data-property-for-global-functions'
      Merge branch 'add-missing-size-check-for-btf-based-ctx-access'
      Merge branch 'explicit-raw_tp-null-arguments'

Anton Protopopov (1):
      bpf: fix potential error return

Eduard Zingerman (10):
      bpf: add find_containing_subprog() utility function
      bpf: refactor bpf_helper_changes_pkt_data to use helper number
      bpf: track changes_pkt_data property for global functions
      selftests/bpf: test for changing packet data from global functions
      bpf: check changes_pkt_data property for extension programs
      selftests/bpf: freplace tests for tracking of changes_packet_data
      bpf: consider that tail calls invalidate packet pointers
      selftests/bpf: validate that tail call invalidates packet pointers
      bpf: fix null dereference when computing changes_pkt_data of prog w/o subprogs
      selftests/bpf: extend changes_pkt_data with cases w/o subprograms

Jann Horn (2):
      bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors
      bpf: Fix theoretical prog_array UAF in __uprobe_perf_func()

Jiri Olsa (1):
      bpf,perf: Fix invalid prog_array access in perf_event_detach_bpf_prog

Kumar Kartikeya Dwivedi (5):
      bpf: Check size for BTF-based ctx access of pointer members
      selftests/bpf: Add test for narrow ctx load for pointer args
      bpf: Revert "bpf: Mark raw_tp arguments with PTR_MAYBE_NULL"
      bpf: Augment raw_tp arguments with PTR_MAYBE_NULL
      selftests/bpf: Add tests for raw_tp NULL args

Michal Luczaj (3):
      bpf, sockmap: Fix update element with same
      bpf, sockmap: Fix race between element replace and close()
      selftests/bpf: Extend test for sockmap update with same

Priya Bala Govindasamy (1):
      bpf: Avoid deadlock caused by nested kprobe and fentry bpf programs

 include/linux/bpf.h                                |  20 +--
 include/linux/bpf_verifier.h                       |   1 +
 include/linux/filter.h                             |   2 +-
 kernel/bpf/Makefile                                |   6 +
 kernel/bpf/btf.c                                   | 149 ++++++++++++++++++-
 kernel/bpf/core.c                                  |   8 +-
 kernel/bpf/verifier.c                              | 160 ++++++++++-----------
 kernel/trace/bpf_trace.c                           |  11 ++
 kernel/trace/trace_uprobe.c                        |   6 +-
 net/core/filter.c                                  |  65 ++++-----
 net/core/sock_map.c                                |   6 +-
 .../selftests/bpf/prog_tests/changes_pkt_data.c    | 107 ++++++++++++++
 .../testing/selftests/bpf/prog_tests/raw_tp_null.c |   3 +
 .../selftests/bpf/prog_tests/sockmap_basic.c       |   8 +-
 .../testing/selftests/bpf/progs/changes_pkt_data.c |  39 +++++
 .../bpf/progs/changes_pkt_data_freplace.c          |  18 +++
 tools/testing/selftests/bpf/progs/raw_tp_null.c    |  19 ++-
 .../testing/selftests/bpf/progs/raw_tp_null_fail.c |  24 ++++
 tools/testing/selftests/bpf/progs/tc_bpf2bpf.c     |   2 +
 .../selftests/bpf/progs/test_tp_btf_nullable.c     |   6 +-
 .../selftests/bpf/progs/verifier_btf_ctx_access.c  |  40 +++++-
 .../testing/selftests/bpf/progs/verifier_d_path.c  |   4 +-
 tools/testing/selftests/bpf/progs/verifier_sock.c  |  56 ++++++++
 23 files changed, 596 insertions(+), 164 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/changes_pkt_data.c
 create mode 100644 tools/testing/selftests/bpf/progs/changes_pkt_data.c
 create mode 100644 tools/testing/selftests/bpf/progs/changes_pkt_data_freplace.c
 create mode 100644 tools/testing/selftests/bpf/progs/raw_tp_null_fail.c