Re: [PATCH bpf-next v2 1/2] bpf: Fix abuse of kprobe_write_ctx via freplace

Next message: Matthieu Baerts: "Re: [PATCH net v4] mptcp: fix soft lockup in mptcp_recvmsg()"
Previous message: Konstantin Khorenko: "[PATCH 0/1] Fix kernel build failure with CONFIG_GCOV_PROFILE_ALL=y"
In reply to: Jiri Olsa: "Re: [PATCH bpf-next v2 1/2] bpf: Fix abuse of kprobe_write_ctx via freplace"
Next in thread: Leon Hwang: "[PATCH bpf-next v2 2/2] selftests/bpf: Add test to verify the fix of kprobe_write_ctx abuse"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Leon Hwang

Date: Mon Mar 30 2026 - 10:02:49 EST

On 2026/3/30 17:28, Jiri Olsa wrote:
> On Thu, Mar 26, 2026 at 10:17:17PM +0800, Leon Hwang wrote:
[...]
>> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
>> index 51ade3cde8bb..1dd2ea076d8b 100644
>> --- a/kernel/bpf/syscall.c
>> +++ b/kernel/bpf/syscall.c
>> @@ -3733,6 +3733,11 @@ static int bpf_tracing_prog_attach(struct bpf_prog *prog,
>> tr = prog->aux->dst_trampoline;
>> tgt_prog = prog->aux->dst_prog;
>> }
>
> could you please put some comment in here explaining the check, with that
>

Sure, will add such comment:

/*
* It is to prevent modifying struct pt_regs via kprobe_write_ctx=true
* freplace prog. Without this check, kprobe_write_ctx=true freplace
* prog is allowed to attach to kprobe_write_ctx=false kprobe prog, and
* then modify the registers of the kprobe prog's target kernel
* function.
*
* This also blocks the combination of uprobe+freplace, because it is
* unable to recognize the use of the tgt_prog as an uprobe or a kprobe
* by tgt_prog itself. At attach time, uprobe/kprobe is recognized by
* the target perf event flags in __perf_event_set_bpf_prog().
*/

> Acked-by: Jiri Olsa <jolsa@xxxxxxxxxx>
>

Thanks for your review.

Thanks,
Leon