Re: [PATCH bpf v4 2/2] selftests/bpf: Add regression test for kfunc implicit arg injection
From: bot+bpf-ci
Date: Tue Jun 02 2026 - 06:34:20 EST
> diff --git a/tools/testing/selftests/bpf/prog_tests/test_struct_ops_assoc.c b/tools/testing/selftests/bpf/prog_tests/test_struct_ops_assoc.c
> index 461ded722351..192fd3166f38 100644
> --- a/tools/testing/selftests/bpf/prog_tests/test_struct_ops_assoc.c
> +++ b/tools/testing/selftests/bpf/prog_tests/test_struct_ops_assoc.c
[ ... ]
> diff --git a/tools/testing/selftests/bpf/progs/struct_ops_assoc.c b/tools/testing/selftests/bpf/progs/struct_ops_assoc.c
> index 68842e3f936b..ed0084453d56 100644
> --- a/tools/testing/selftests/bpf/progs/struct_ops_assoc.c
> +++ b/tools/testing/selftests/bpf/progs/struct_ops_assoc.c
> @@ -103,3 +103,43 @@ SEC(".struct_ops.link")
> struct bpf_testmod_multi_st_ops st_ops_map_b = {
> .test_1 = (void *)test_1_b,
> };
> +
> +/* Test for aux injection with stale register contamination.
> + *
> + * This test verifies that the kernel correctly injects the implicit
> + * bpf_prog_aux pointer for kfuncs with KF_IMPLICIT_ARGS. The program
> + * uses inline assembly to contaminate R2 with a known magic value
> + * before calling the kfunc:
> + *
> + * asm volatile("r2 = %[magic]" :: [magic] "ri"(0xDEAD) : "r2");
> + *
> + * The kernel must inject env->prog->aux into R2, overriding the magic
> + * value. The kfunc compares the received aux pointer against 0xDEAD:
> + *
> + * - aux == 0xDEAD -> kernel failed to inject -> kfunc returns -EINVAL
> + * - aux != 0xDEAD -> kernel correctly injected -> kfunc returns marker
> + *
> + * 0xDEAD is chosen with bit 31 clear to avoid BPF ALU64 sign-extension
> + * when used as a 32-bit immediate.
> + */
> +int test_err_inject;
> +
> +SEC("tp_btf/sys_enter")
> +int BPF_PROG(sys_enter_prog_test_aux_inject, struct pt_regs *regs, long id)
> +{
> + struct task_struct *task;
> + int marker = 0x5A5A;
> + int ret;
> +
> + task = bpf_get_current_task_btf();
> + if (!test_pid || task->pid != test_pid)
> + return 0;
> +
> + asm volatile("r2 = %[magic]" :: [magic] "ri"(0xDEAD) : "r2");
> +
> + ret = bpf_kfunc_aux_inject_stale(marker);
> + if (ret != marker)
> + test_err_inject++;
> +
> + return 0;
> +}
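Review bot: the R2 contamination in `asm volatile("r2 = %[magic]" :: [magic] "ri"(0xDEAD) : "r2");` only tells the compiler that R2 is clobbered at that statement; nothing prevents it from reusing R2 as a scratch register, or spilling and reloading `marker`, between the asm and the `bpf_kfunc_aux_inject_stale(marker)` call, in which case R2 no longer holds 0xDEAD when the kfunc is entered and the `aux == 0xDEAD` check described in the comment can never fire, so the test passes regardless of whether injection happened. Please confirm in the generated bytecode (llvm-objdump on the object, or `bpftool prog dump xlated` on the loaded program) that `r2 = 0xdead` is immediately followed by the R1 setup and the call, or state in the comment that the test depends on the compiler leaving R2 untouched. Separately, the program only checks `ret != marker`, so a kfunc failure for any other reason is indistinguishable from a failed injection; since the comment says the kfunc returns -EINVAL when it sees the stale value, checking for `ret == -EINVAL` explicitly (and counting other values as a distinct error) would make the failure it is meant to detect unambiguous.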
In v2, Yonghong Song questioned whether this selftest makes sense, given
that CI has pahole 1.31 so the test will always succeed:
https://lore.kernel.org/bpf/9cc9ce47-c45e-4878-ad3a-6e6967399ab9@xxxxxxxxx/
The commit message now acknowledges that "the specific pahole 1.30 BTF
mismatch scenario cannot be tested with CI", but it's unclear what value
this test provides if it cannot actually verify the bug condition.
Could you explain the rationale for including a test that validates the
injection mechanism works under normal conditions but cannot reproduce the
actual pahole 1.30 BTF inconsistency scenario the bug fix addresses?
[ ... ]
Unaddressed review comment from the preceding patch
The issue below applies to the preceding patch (kernel/bpf/verifier.c)
rather than this selftest, but remains unaddressed in the patch series:
In v2, Yonghong Song requested that code comments should explain the fix
is due to pahole 1.30 BTF generation issues, so the code can be removed
later when that toolchain is no longer relevant:
https://lore.kernel.org/bpf/7b3ba4a8-a785-4f70-879d-50e63d6de787@xxxxxxxxx/
The commit message in the preceding patch describes the pahole 1.30 issue
extensively, but the in-code documentation was never added in v3 or v4.
Should this documentation be added to check_kfunc_args() or
is_kfunc_arg_implicit() to explain the temporary nature of this fix?
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/26812478701