Linux kernel patch summaries, generated daily
Activity on June 1st was dominated by Daniel Borkmann's v2 gen_loader fix series (7 patches), which tightens security invariants around exclusive maps in the BPF signed program loader by preventing them from being inserted as inner maps and enforcing that metadata maps be exclusive. Yuyang Huang posted v3 of a fix for an out-of-bounds write in BPF_PROG_QUERY, and Tejun Heo submitted a standalone arena page-allocation correctness fix.
bpf: Reject exclusive maps as inner maps in map-in-map
Prevents exclusive maps (maps that enforce single-owner semantics in the signed BPF loader) from being used as inner maps inside map-in-map structures. Without this restriction a program could bypass the exclusivity guarantee because map-in-map lookup can hand out references to inner maps without going through the signed loader's ownership checks. This is the first kernel-side patch in Borkmann's v2 "More gen_loader fixes" series of 7, which also adds corresponding libbpf enforcement and selftests.
libbpf: Reject non-exclusive metadata maps in the signed loader
Adds a check in libbpf's gen_loader code to reject metadata maps that are not marked exclusive, preventing unsigned or world-writable maps from being embedded in a signed program's metadata section. This pairs with the kernel-side exclusivity enforcement to close an integrity gap in the signed loader pipeline. It is patch 3/7 of the same v2 series.
bpf: fix BPF_PROG_QUERY OOB write and cgroup backward compat
Fixes an out-of-bounds write in the BPF_PROG_QUERY syscall path that occurs when a user passes a uattr struct smaller than the current kernel layout expects. The fix writes back only up to the user-declared size rather than the full kernel-internal struct size, and also preserves backward compatibility for cgroup queries that rely on older result layouts. This is patch 1/2 of the v3 revision, replacing the narrower fix in v2.
bpf: Overwrite scratch PTE when allocating arena pages
Fixes a bug in bpf_arena page allocation where scratch PTEs were left stale rather than being overwritten when a real backing page is faulted in. Stale scratch PTEs could cause BPF arena programs to see incorrect memory mappings after allocation, leading to subtle memory corruption. The fix is a targeted single-patch correction to the arena page fault handler.
selftests/bpf: Add arena invalid node id test
Adds a selftest that exercises BPF arena's validation of node IDs, verifying that the kernel correctly rejects operations on out-of-range or invalid node IDs. Arena node ID validation is a safety property that prevents out-of-bounds memory access through arena pointers. This is a standalone single-patch selftest addition with no kernel changes.
Generated 2026-06-02T00:00:00Z
Activity this period centered on advancing BPF arena memory management from two directions: Alexei Starovoitov introduced SLUB-backed allocator kfuncs for bpf_arena, bridging the kernel slab allocator into arena-resident programs, while Emil Tsalapatis continued reducing arena annotation overhead by teaching the verifier to infer arena pointer types via BTF type tags. A separate fix from Yuyang Huang addressed an OOB write in BPF_PROG_QUERY and corrected cgroup backward-compatibility behavior.
slab: Introduce kmem_cache_alloc_arena_nolock and kfree_arena_nolock
Introduces two new slab primitives, kmem_cache_alloc_arena_nolock and kfree_arena_nolock, that allocate and free slab objects without holding the slab lock. These are the foundational pieces enabling the bpf_arena SLUB-backed allocator, where BPF programs manage their own concurrency guarantees. The lock-free contract is safe here because arena programs operate under BPF's existing memory model constraints. This is patch 1 of 4 in the series 'bpf,slab: Introduce bpf_arena_alloc() kfuncs'.
bpf,slab: Add slub-backed allocator for bpf_arena
Wires up the new lock-free slab primitives as a SLUB-backed allocator for bpf_arena, allowing BPF programs to call bpf_arena_alloc() kfuncs that return arena-resident pointers backed by real slab caches. This enables efficient, type-safe heap allocation within arena programs without resorting to custom bump allocators or per-CPU pools. The allocator respects arena address space constraints and interoperates with existing arena pointer tracking in the verifier.
selftests/bpf: libarena: Add "arena" BTF type tag to __arena qualifier
Attaches the 'arena' BTF type tag to the __arena pointer qualifier in libarena so that the type information survives into the compiled BPF object. This is the foundation for the rest of the 'Minimize annotations for arena programs' series, giving the verifier something concrete to read when inferring whether a pointer lives in arena memory. Removing the need for explicit __arg_arena annotations at call sites is the payoff downstream.
verifier: parse BTF type tags for function arguments
Extends the BPF verifier to read BTF type tags on function argument types, enabling annotation-free arena pointer passing between subprograms. Previously the verifier required explicit __arg_arena markers at every call site; now it can derive the same information from the 'arena' BTF tag attached by the updated __arena qualifier. This is a meaningful ergonomics improvement for complex arena-heavy programs with many internal helper functions.
bpf: Allow subprogs to return arena pointers
Teaches the verifier to accept arena pointers as return values from BPF subprograms, completing the annotation-minimization work for inter-subprogram arena data flow. Previously only scalar and PTR_TO_MAP_VALUE returns were tracked cleanly; this change adds arena-tagged pointer returns so callers know the returned pointer is arena-resident without additional hints. The companion selftests remove all remaining __arg_arena annotations from the libarena test suite.
bpf: fix BPF_PROG_QUERY OOB write and cgroup backward compat
Fixes an out-of-bounds write in BPF_PROG_QUERY where the kernel could write past the end of a user-supplied attribute buffer if the user declared a shorter uattr size than the kernel expected. The patch aligns writeback to respect the user-declared size boundary and restores backward-compatible behavior for cgroup queries that predates the current attr layout. This is the v3 revision, replacing the earlier approach of outright rejecting short uattr sizes with a safer truncation strategy.
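The write-back rule this summary describes (also covered in the June 1st entry for the same patch), as an added userspace model that is not code from the kernel patch: a result struct copied back using the kernel's size overruns a caller that declared a shorter one, while clamping to the declared size does not. The struct layouts, field names, function names and result values are hypothetical, and the bytes past the declared size are a constructed canary region standing in for adjacent user memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CANARY   0xAA
#define USER_MEM 64      /* constructed "user address space" for the model */

/* Hypothetical layouts for illustration; not the kernel's union bpf_attr. */
struct query_v1 {        /* what an older userspace was built against */
    uint32_t target_fd;
    uint32_t attach_type;
    uint32_t prog_cnt;   /* result field */
};

struct query_v2 {        /* what the "kernel" side of this model uses */
    uint32_t target_fd;
    uint32_t attach_type;
    uint32_t prog_cnt;   /* result field */
    uint32_t flags;
    uint64_t revision;   /* newer result field */
};

struct outcome {
    size_t   clobbered;  /* bytes modified past the user-declared size */
    uint32_t prog_cnt;   /* result as seen by the caller */
};

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Copy-in: read at most what the caller declared, zero the remainder. */
static void attr_copy_in(struct query_v2 *k, const uint8_t *umem, size_t usize)
{
    memset(k, 0, sizeof(*k));
    memcpy(k, umem, min_sz(usize, sizeof(*k)));
}

/* Pre-fix shape: write-back sized by the kernel-internal struct. */
static void writeback_full(uint8_t *umem, size_t usize, const struct query_v2 *k)
{
    (void)usize;                       /* declared size is ignored */
    memcpy(umem, k, sizeof(*k));
}

/* Post-fix shape: write-back clamped to the user-declared size. */
static void writeback_clamped(uint8_t *umem, size_t usize, const struct query_v2 *k)
{
    memcpy(umem, k, min_sz(usize, sizeof(*k)));
}

/* Run one query with a caller that declares `usize` bytes of attr. */
static struct outcome simulate_query(int clamped, size_t usize)
{
    uint8_t umem[USER_MEM];
    struct query_v1 req = { .target_fd = 3, .attach_type = 1, .prog_cnt = 0 };
    struct query_v2 k;
    struct outcome out = { 0, 0 };
    size_t i;

    if (usize > USER_MEM)
        usize = USER_MEM;

    /* Caller's attr occupies [0, usize); everything after it is canary. */
    memset(umem, CANARY, sizeof(umem));
    memset(umem, 0, usize);
    memcpy(umem, &req, min_sz(usize, sizeof(req)));

    attr_copy_in(&k, umem, usize);
    k.prog_cnt = 2;                    /* constructed result values */
    k.revision = 7;

    if (clamped)
        writeback_clamped(umem, usize, &k);
    else
        writeback_full(umem, usize, &k);

    for (i = usize; i < USER_MEM; i++)
        if (umem[i] != CANARY)
            out.clobbered++;

    memcpy(&out.prog_cnt, umem + offsetof(struct query_v1, prog_cnt),
           sizeof(out.prog_cnt));
    return out;
}

int main(void)
{
    struct outcome a = simulate_query(0, sizeof(struct query_v1));
    struct outcome b = simulate_query(1, sizeof(struct query_v1));

    printf("full write-back:    %zu bytes clobbered, prog_cnt=%u\n",
           a.clobbered, a.prog_cnt);
    printf("clamped write-back: %zu bytes clobbered, prog_cnt=%u\n",
           b.clobbered, b.prog_cnt);
    return 0;
}
```

The older caller still receives `prog_cnt` in both cases, which is the backward-compatibility half of the summary: truncation keeps short callers working instead of rejecting them.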
Generated 2026-06-01T11:00:00Z
The May 29–30 period was dominated by verifier and arena memory work. Amery Hung posted a v6 13-patch series refactoring verifier object relationship tracking and fixing a dynptr use-after-free bug. Alexei Starovoitov submitted a SLUB-backed allocator for bpf_arena, while Emil Tsalapatis worked to reduce annotation overhead for arena programs.
bpf: Refactor object relationship tracking and fix dynptr UAF bug
This patch is the centerpiece of a v6 13-patch series refactoring how the BPF verifier tracks relationships between referenced objects. It introduces a unified object relationship model and fixes a use-after-free bug where a dynptr could be accessed after its underlying object had been released. The change lays the groundwork for more correct lifetime enforcement across dynptrs, slices, and kptrs. It also prepares the verifier to properly handle object relationships when programs clone or derive new dynptrs from existing ones.
bpf: Unify dynptr handling in the verifier
Part of the same verifier refactor series, this patch consolidates the previously scattered dynptr verification logic into a single code path. Prior to this change, dynptr argument validation was duplicated between helper and kfunc call sites, creating inconsistency and maintenance burden. The unification ensures that dynptr state checks — such as validity, type constraints, and reference counts — are applied uniformly regardless of how a dynptr is passed. This directly supports the series' broader goal of unified referenced-object tracking.
slab: Introduce kmem_cache_alloc_arena_nolock and kfree_arena_nolock
This patch adds two new slab allocator entry points — kmem_cache_alloc_arena_nolock() and kfree_arena_nolock() — intended for use from BPF programs running under the bpf_arena memory model. Because BPF programs operate without standard kernel locking guarantees in certain contexts, these variants skip the normal per-CPU or node locks and use arena-specific synchronization instead. This is the foundational slab-layer change enabling the SLUB-backed bpf_arena allocator introduced later in the series. It is part of a v2 repost that clarifies the locking model relative to v1.
bpf,slab: Add slub-backed allocator for bpf_arena
This patch wires up the new slab entry points to implement a proper SLUB-backed object allocator for bpf_arena, exposing it as a set of bpf_arena_alloc() kfuncs callable from BPF programs. Previously bpf_arena relied on page-granularity allocation; this change allows BPF programs to perform sub-page, cache-friendly allocations backed by kernel slab caches. The allocator integrates with the existing bpf_arena virtual memory region and participates in the arena's lifetime management. Selftests are added in a companion patch.
verifier: parse BTF type tags for function arguments
This patch extends the BPF verifier to read BTF type tags on function arguments, enabling annotation-driven type semantics for pointers passed into and returned from BPF subprograms. The motivation is to allow the verifier to infer that a pointer is an arena pointer based solely on its BTF tag, without requiring explicit __arg_arena annotations scattered throughout the source. This is a prerequisite for the rest of Emil's series, which eliminates the need for most manual arena annotations in BPF programs and selftests.
bpf: Allow subprogs to return arena pointers
Building on the BTF type tag parsing introduced earlier in the series, this patch allows BPF subprograms to return arena-tagged pointers without requiring the caller to re-annotate the result. Previously, arena pointer provenance was lost at subprogram call boundaries, forcing developers to add annotations at every return site. The change makes arena semantics flow naturally through function call graphs, significantly reducing boilerplate in complex arena-using programs.
libbpf: Skip endianness swap when loader generation failed
This standalone fix prevents libbpf from attempting an endianness byte-swap on BPF instructions when the skeleton loader generation step has already failed. Previously, a failed loader generation could leave internal state partially initialized, causing a subsequent endianness swap to operate on garbage data or trigger an out-of-bounds access. The fix adds an early-exit check so the swap is skipped entirely on the error path. It is a companion to a related series by the same author cleaning up loader generation error handling.
bpf: MAINTAINERS: Update bpf maintainers
A single-patch update to the kernel MAINTAINERS file reflecting changes in the BPF subsystem maintainer list. Such updates document who is responsible for reviewing and merging patches to the bpf and bpf-next trees, and are important for routing contributor inquiries and patch submissions correctly. This kind of administrative patch is routine but noteworthy as a signal of evolving subsystem stewardship.
Generated 2026-05-31T00:00:00Z
The day was dominated by two major multi-patch series: Amery Hung's v6 13-patch refactor of verifier object relationship tracking that also fixes a dynptr use-after-free bug, and Mykyta Yatsenko's v5 11-patch introduction of a resizable BPF hash map backed by the kernel's rhashtable infrastructure. Additional work addressed LRU map NMI/tracepoint re-entry deadlocks, mmap locking correctness in BPF arena teardown, libbpf error-path cleanup, arm64 JIT redundancy, and verifier hardening against oversized global subprogram arguments.
bpf: Refactor object relationship tracking and fix dynptr UAF bug
The central patch of a 13-patch v6 series refactoring how the BPF verifier tracks relationships between referenced objects such as dynptrs and kptrs. It fixes a use-after-free bug where a dynptr could be accessed after its underlying object had been released by unifying release handling under a common object-relationship framework. The refactor improves correctness of liveness and release-order analysis across inlined and called subprograms. Companion patches unify dynptr handling, fix ref-counting across call frames, and add selftests covering the newly caught UAF scenarios.
bpf: Implement resizable hashmap basic functions
Core implementation patch from a v5 11-patch series introducing a new BPF_MAP_TYPE_RHASH map type backed by the kernel's rhashtable infrastructure. This patch provides lookup, update, and delete operations for the resizable hash map, which automatically grows and shrinks as elements are inserted or removed, eliminating the need to pre-size maps at creation time. The series also adds special-field support, BPF iterator integration, libbpf API support, bpftool documentation, and selftests including benchmark comparisons.
bpf: Fix NMI/tracepoint re-entry deadlock on lru locks
RFC patch fixing a deadlock that occurs when an NMI or tracepoint fires while an LRU hash map's spinlock is held and the handler also attempts to access an LRU map. The fix converts LRU map locking to rqspinlock (raw queued spinlock), which is safe for NMI re-entry because it does not disable interrupts in a way that causes deadlock under re-entry. The series includes updated documentation diagrams for LRU map state transitions and a stress test that exercises the recovery paths under concurrent NMI load.
bpf: Take mmap_lock in zap_pages()
Fixes a missing mmap_lock acquisition in zap_pages(), which is called when BPF arena memory mappings are torn down. Without holding the lock, a concurrent page fault into the arena could race with the zap operation and observe inconsistent page table state, potentially causing memory corruption or a crash. This is a targeted correctness fix for BPF arena (mmap-backed) memory management introduced in recent kernel versions.
libbpf: Also reset {insn,data}_cur on realloc failure
Final patch of a 3-patch libbpf cleanup series ensuring that insn_cur and data_cur pointers in the BPF loader program generator are reset to NULL when a realloc call fails. Without the reset, error-path code could dereference a stale freed pointer. The series also drops a redundant self-loop in emit_check_err and skips the program hash computation step when loader generation has already failed earlier, avoiding unnecessary work on an invalid program.
bpf: reject overlarge global subprog argument sizes
v3 verifier patch adding a check to reject BPF programs whose global subprograms declare argument sizes exceeding the maximum allowed stack frame size. Previously such programs could trigger out-of-bounds arithmetic during argument size calculations in the verifier before the normal stack depth limit was enforced. The fix adds an early validation step that aligns argument size constraints with existing per-frame stack depth limits.
bpf, arm64: Fix redundant MOV and clarify stack arg comments
Removes a redundant MOV instruction in the arm64 BPF JIT's stack argument handling path where a register was being reloaded with a value it already contained. The patch also rewrites accompanying comments to more accurately describe the arm64 calling convention for stack-passed arguments. A companion selftest patch adds a test case that uses at least 10 arguments to ensure the stack argument path is exercised on arm64, where the first 8 arguments are passed in registers.
selftests/bpf: ignore call depth accounting for retbleed in verifier tests
Adjusts BPF verifier selftests to tolerate the additional call depth overhead introduced by retbleed mitigations on x86. When retbleed mitigations are active the kernel inserts call-depth accounting thunks that consume extra call stack depth, causing tests that assert specific call depth counts to fail on mitigated kernels. The patch updates the affected tests to skip or relax call depth assertions when running under a retbleed-mitigated configuration.
Generated 2026-05-30T00:00:00Z
A busy two-day window dominated by Jiri Olsa's long-running tracing_multi link series (v6, 29 patches), which introduces a new BPF link type allowing a single link to attach a tracing program to multiple kernel functions atomically. Eduard Zingerman followed up with a v3 RFC improving verifier diagnostics when the 1M-instruction budget is exhausted, adding callchain profiling and loop-hierarchy analysis to help developers understand why verification explodes.
bpf: Add support for tracing multi link
Core patch (13/29) of the tracing_multi link series that introduces BPF_TRACE_MULTI_KPROBE and BPF_TRACE_MULTI_KRETPROBE attach types, letting a single BPF link cover hundreds of kernel functions in one syscall. The implementation reuses the existing multi-kprobe infrastructure and adds a new bpf_link_ops backend. Companion patches refactor the trampoline layer with bpf_trampoline_ops callbacks and a mutex-lock pool to support concurrent attachment. Full libbpf API and selftest coverage is included in the series.
bpf: report hot simulated callchains when 1M instructions limit is met
Part of an RFC series (v3) that dramatically improves the BPF verifier's error output when the 1M-instruction limit is hit. This patch profiles the verifier's simulated execution to surface the hottest call chains — the loops or call paths consuming the most instruction budget. Combined with earlier patches in the series that compute loop hierarchy and print register diffs, developers can now pinpoint which part of their program causes budget exhaustion rather than guessing from a bare error message.
bpf: Allow subprogs to return arena pointers
Part of a 5-patch series aiming to reduce the annotation burden for BPF arena programs. This patch teaches the verifier to accept arena pointer return types from subprograms, removing the need for explicit casts at every call site. An earlier patch in the series extends BTF type-tag parsing for function arguments so the verifier can infer arena ownership from the __arena qualifier. Together they allow arena-heavy programs to be written in a more natural C style.
bpf: reject overlarge global subprog argument sizes
Third revision of a standalone verifier fix that rejects global subprogram arguments whose aggregate size exceeds what the BPF calling convention can safely pass. Without this check, an oversized argument could silently truncate or corrupt data at the callee boundary. The fix adds an explicit size validation pass during global subprogram verification before register setup, preventing a class of hard-to-diagnose runtime bugs.
bpf: Fix bpf_arena_handle_page_fault() redefinition without CONFIG_BPF_SYSCALL
One-liner fix from Tejun Heo addressing a compile error where bpf_arena_handle_page_fault() was defined twice when CONFIG_BPF_SYSCALL is disabled. The duplicate definition was introduced by a recent arena patch and breaks kernel configs that enable BPF JIT or tracing without the full BPF syscall. The fix guards the second definition with the appropriate ifdef.
x86/ftrace: relocate %rip-relative percpu refs in dynamic trampolines
Fixes a subtle bug in x86 dynamic BPF trampolines where %rip-relative accesses to per-CPU variables were not being relocated when the trampoline image was copied to a new memory location. This could produce incorrect per-CPU reads in trampoline code that references kernel per-CPU data, leading to silent data corruption or crashes on SMP systems. The patch adds relocation logic for this specific addressing mode during trampoline image finalization.
bpf: Use hlist_nulls_replace_rcu() when updating htab elements
Correctness fix for the BPF hash map (htab) update path that switches from an open-coded RCU list splice to the proper hlist_nulls_replace_rcu() helper. The existing code could allow a reader traversing the nulls-terminated list to see a stale terminator during an in-place element replacement, producing a use-after-free or premature loop termination. Using the dedicated helper ensures the nulls marker is updated atomically with the pointer swap.
Generated 2026-05-29T00:30:00Z
Activity on bpf-next for May 26-27 was dominated by Jiri Olsa's sixth revision of the `tracing_multi` link series — a 29-patch effort enabling a single BPF fentry/fexit program to attach to multiple kernel functions through one link file descriptor. Eduard Zingerman posted three rapid RFC revisions improving verifier diagnostics when the 1M-instruction budget is exhausted, adding hot callchain reporting and loop hierarchy analysis. Additional highlights include a new `bpf_icmp_send` kfunc reaching version 7, reduced annotation burden for BPF arena programs, a BPF struct_ops interface for memory cgroup customization, and an RCU correctness fix for hash table updates.
bpf: Add support for tracing multi link
Introduces the core `tracing_multi` link type, allowing a single BPF fentry/fexit/fmod_ret program to be attached to multiple kernel functions simultaneously via one link file descriptor. Previously, attaching to N functions required N separate links; this new type collapses that into a single operation backed by a shared trampoline. The implementation builds on new `bpf_trampoline_ops` callbacks and `bpf_tramp_node` abstractions introduced earlier in the same series. Support for session semantics, per-attachment cookies, and fdinfo introspection is also included in the overall 29-patch series. This is the sixth version, addressing accumulated review feedback.
bpf: Add multi tracing attach types
Defines the new `BPF_TRACE_MULTI_*` attach type constants that form the UAPI surface for the `tracing_multi` link, extending kernel-internal routing so that programs using these types are dispatched to the new link creation path. The attach types plug into the verifier's program type validation, ensuring programs are checked against BTF-typed function signatures before any multi-attachment is allowed. This patch is a prerequisite for the core tracing_multi link creation and trampoline management code that follows it in the series.
bpf: report hot simulated callchains when 1M instructions limit is met
When the BPF verifier exhausts its 1-million-instruction budget it currently emits a generic error with little actionable detail; this patch adds logic to identify and report the hottest simulated callchains — the control-flow paths that consumed the most verification steps. Tracking is done by recording simulation depth at each explored state and surfacing the top offenders in the verifier log, giving developers a concrete starting point for reducing program complexity. A companion patch in the series adds register-difference summaries for those hot callchains. This is version 3 of the RFC, iterating on the data-collection heuristics based on mailing list feedback.
bpf: Allow subprogs to return arena pointers
Extends the BPF verifier to propagate arena-pointer classification across subprogram (helper function) boundaries, allowing callees to return `arena`-tagged pointers without requiring explicit `__arena` annotations at every call site. Previously the arena memory region marker was dropped at subprogram boundaries, forcing developers to annotate all intermediary functions manually and cluttering otherwise clean code. The fix parses BTF type tags on function return types and threads the arena classification through the call-return path in the verifier. Part of a five-patch series aimed at minimising annotation overhead for BPF arena programs.
Adds a new `bpf_icmp_send` kfunc that allows BPF programs attached to tc, cgroup_skb, and related hooks to synthesize and inject ICMP error messages in response to observed traffic. The implementation reuses existing netfilter `nf_reject` utilities — moved to core IPv4/IPv6 in earlier patches of the series — and handles both IPv4 ICMPv4 and IPv6 ICMPv6 destinations. A recursion guard prevents re-entrant ICMP generation. Version 7 of the series includes selftest coverage for cgroup_skb (IPv4 and IPv6), tc attach points, and the recursion prevention path.
mm: memcontrol: Add BPF struct_ops for memory controller
Introduces a `memcg_bpf_ops` struct_ops interface that allows BPF programs to customise memory cgroup behaviour, including priority-based memory protection and asynchronous page reclaim policies, without requiring kernel patches. Memory controller hooks are exposed as BPF struct_ops callbacks, so operators can implement per-cgroup-hierarchy policies in BPF and load them at runtime. The series also adds a `bpf_try_to_free_mem_cgroup_pages` kfunc for triggering reclaim from BPF context, and extends `bpf_link_create` to pass flags for struct_ops attachment. This seventh RFC iteration incorporates feedback on hierarchy support and libbpf API design.
bpf: Use hlist_nulls_replace_rcu() when updating htab elements
Fixes an RCU correctness issue in the BPF hash table map where element updates used the standard hlist replacement helper instead of `hlist_nulls_replace_rcu()`, which is required for nulls-terminated lists traversed under RCU read locks. Without the nulls-aware variant a concurrent reader walking the list could fail to observe the sentinel value and loop indefinitely or access freed memory. The fix is a targeted replacement that aligns hash table element updates with the RCU guarantees already provided elsewhere in the htab code.
libbpf: Add __NR_bpf definition for LoongArch
Adds the missing `__NR_bpf` syscall number constant for the LoongArch architecture to libbpf's internal syscall fallback header, enabling the BPF userspace library to invoke the bpf(2) syscall on LoongArch systems whose system headers do not expose this definition. LoongArch is a RISC ISA developed by Loongson Technology that is supported in the mainline Linux kernel. This small portability fix completes libbpf's architecture coverage for LoongArch, mirroring similar definitions already present for MIPS, RISC-V, and other non-x86 targets.
Generated 2026-05-28T00:00:00Z
May 24–25 saw a single patch to bpf-next: v2 of Dhiraj Shah's kernel-doc addition for the BPF arena page kfuncs. The patch documents the kfunc interface that allows BPF programs to allocate and manage pages within a BPF arena, improving API discoverability for this relatively new memory-management primitive.
bpf: Add kernel-doc for arena page kfuncs
Adds kernel-doc comments to the BPF arena page kfuncs, which expose page-level memory management to BPF programs running in an arena context. The BPF arena is a relatively new feature that allows BPF programs to work with large, sparsely populated memory regions; the kfuncs provide the primitives for allocating, freeing, and querying pages within that arena. This v2 patch addresses review feedback on the documentation format and coverage from the initial submission. Improved docs make the arena kfunc API more discoverable for BPF developers building memory-intensive programs.
Generated 2026-05-26T00:00:00Z
May 23–24 was dominated by v3 of Kuniyuki Iwashima's 11-patch series adding SOCK_OPS hooks for TCP AutoLOWAT. The series introduces BPF_SOCK_OPS_RCVQ_CB, a new callback that fires when data arrives in the TCP receive queue, along with a kfunc to adjust sk_rcvlowat from BPF programs. This enables transparent, per-connection receive threshold tuning to suppress spurious application wakeups on partial message delivery.
bpf: tcp: Introduce BPF_SOCK_OPS_RCVQ_CB.
Introduces BPF_SOCK_OPS_RCVQ_CB, a new sock_ops callback that fires when data is added to the TCP receive queue on an established connection. The callback is the core hook around which the TCP AutoLOWAT feature is built, enabling BPF programs to observe receive queue growth and react before the socket's wait-queue is signalled. It provides enough context to implement protocol-aware wakeup scheduling without any userspace changes. This patch lays the foundation for the rest of the series.
bpf: tcp: Support bpf_skb_load_bytes() for BPF_SOCK_OPS_RCVQ_CB.
Allows BPF programs running in BPF_SOCK_OPS_RCVQ_CB to call bpf_skb_load_bytes() to non-destructively peek at bytes in the receive queue. This is essential for protocol-aware rcvlowat decisions—for example, reading a length prefix to determine whether a complete message frame has arrived before waking the reader. The change threads the incoming sk_buff through the callback context and reuses the existing skb-based load-bytes path.
bpf: tcp: Add kfunc to adjust sk->sk_rcvlowat.
Adds a kfunc callable from BPF_SOCK_OPS_RCVQ_CB that sets sk_rcvlowat on the socket, controlling the minimum bytes threshold before the socket is considered readable. The kfunc is a thin wrapper around the __tcp_set_rcvlowat() helper factored out earlier in the series, ensuring both setsockopt and BPF paths apply the same validation and capping logic. This is the principal mechanism through which an AutoLOWAT BPF program suppresses unnecessary application wakeups.
bpf: tcp: Make BPF_SOCK_OPS_RCVQ_CB and SOCKMAP mutually exclusive.
Adds a guard that prevents BPF_SOCK_OPS_RCVQ_CB from being enabled on sockets already in a SOCKMAP, and vice versa. Because SOCKMAP intercepts the receive path ahead of where the new callback fires, combining the two would produce undefined semantics. The patch enforces the exclusion at attachment time and returns a clear error rather than allowing silent misbehavior.
bpf: mptcp: Don't support BPF_SOCK_OPS_RCVQ_CB.
Explicitly disables BPF_SOCK_OPS_RCVQ_CB for MPTCP sockets because MPTCP's receive queue management diverges significantly from plain TCP, making the callback semantics unreliable in that context. Supporting MPTCP correctly would require separate, more complex handling out of scope for this series. The patch returns a clear error on MPTCP sockets rather than allowing silent incorrect behavior.
bpf: tcp: Add SOCK_OPS rcvlowat hook.
Wires BPF_SOCK_OPS_RCVQ_CB into the TCP receive path so it fires when new data is placed on the socket's receive queue, immediately before the socket's wait-queue is checked. The hook passes the arriving sk_buff as context so the BPF program can read payload bytes and decide the new rcvlowat value before any wakeup decision is made. This patch completes the integration of the new callback into the SOCK_OPS dispatch machinery.
selftest: bpf: Add test for BPF_SOCK_OPS_RCVQ_CB.
Adds an end-to-end selftest for the BPF_SOCK_OPS_RCVQ_CB and rcvlowat kfunc flow over a loopback TCP connection. The test verifies that the BPF program is invoked on receive-queue events, that adjusting sk_rcvlowat via the kfunc correctly gates reader wakeups, and that the SOCKMAP and non-empty-queue rejection paths return the expected errors. It serves as the integration test for the entire TCP AutoLOWAT series.
Generated 2026-05-26T00:00:00Z
Today's bpf-next activity centered on three significant patch series. Kuniyuki Iwashima posted v3 of a series adding BPF_SOCK_OPS_RCVQ_CB hooks and kfuncs for TCP AutoLOWAT, enabling BPF programs to dynamically adjust sk_rcvlowat when data arrives in the TCP receive queue. Daniel Borkmann submitted a 3-patch series adding basic xattr support to bpffs for object labeling, while KP Singh contributed a substantial 13-patch series implementing signed BPF programs and IPE policies to enforce integrity-based access control at program load time.
bpf: tcp: Introduce BPF_SOCK_OPS_RCVQ_CB.
Introduces a new BPF_SOCK_OPS_RCVQ_CB callback into the SOCK_OPS framework that fires when data arrives in the TCP receive queue. This enables BPF programs to inspect incoming data and dynamically adjust socket parameters such as rcvlowat, supporting the TCP AutoLOWAT feature. The hook is the central mechanism for the entire 11-patch series, providing a new programmability point in the TCP receive path. This patch is part of v3 of the series, incorporating feedback from earlier revisions.
bpf: tcp: Add kfunc to adjust sk->sk_rcvlowat.
Adds a new kfunc allowing BPF programs running under BPF_SOCK_OPS_RCVQ_CB to modify the sk_rcvlowat field of a TCP socket, controlling the minimum receive threshold for readability and EPOLLRDHUP events. This enables dynamic, per-connection tuning to reduce unnecessary wakeups in high-throughput workloads. The kfunc is designed to be called from within the receive-queue callback to implement AutoLOWAT-style optimizations. It is mutually exclusive with SOCKMAP and unsupported on MPTCP sockets, as established by companion patches in the series.
bpf: tcp: Add SOCK_OPS rcvlowat hook.
Wires up the new BPF_SOCK_OPS_RCVQ_CB hook into the TCP stack's data-ready path, invoking the BPF program whenever data is added to the socket's receive queue. The hook integrates with the existing SOCK_OPS infrastructure and shares the BPF socket operations context, with support for bpf_skb_load_bytes() to inspect receive-queue contents. This v3 revision incorporates fixes for mutual-exclusivity with SOCKMAP, rejection when the receive queue is already non-empty, and refactoring of bpf_skops_established() to reduce duplication.
bpf: Add simple xattr support to bpffs
Adds basic extended attribute (xattr) support to the BPF filesystem, allowing user-space to annotate BPF objects pinned in bpffs with custom key-value metadata. This lays the groundwork for BPF LSM-based labeling workflows where security labels can be read by BPF hooks at access time. The implementation is intentionally minimal, supporting a well-defined set of xattr namespaces. Two companion selftests cover the new API and demonstrate integration with BPF LSM label enforcement.
bpf: expose signature verdict to LSMs via bpf_prog_aux
Stores the BPF loader signature verification verdict in bpf_prog_aux, making it accessible to LSM hooks during program loading. This is the foundation of the 13-patch 'Signed BPF + IPE Policies' series, which integrates BPF loader signature verification with the Integrity Policy Enforcement LSM. The verdict field allows security policies to gate program loads based on whether the BPF program was signed by a trusted key, enabling supply-chain-level integrity enforcement for BPF deployments.
bpf: add bpf_loader_verify_metadata kfunc
Introduces a kfunc callable from BPF loader programs that triggers metadata verification against a signed scope, combining the program BTF digest and loader signature into a unified integrity check. This allows the loader program itself to assert that the BPF program being loaded matches an expected signed description. The kfunc bridges the BPF verifier with the kernel's existing signature verification infrastructure and is the mechanism through which IPE policies can enforce signing requirements at load time.
lsm: add bpf_prog_load_post_integrity hook
Adds a new LSM hook bpf_prog_load_post_integrity that fires after a BPF program's integrity has been verified but before the program is fully committed to the kernel. This hook allows LSMs like IPE to implement mandatory access control policies conditioned on BPF program signatures, blocking unsigned or mis-signed programs from loading. It completes the integrity enforcement path alongside earlier patches in the series that compute the program digest, expose the signature verdict, and wire up IPE policy evaluation for BPF program loads.
Generated 2026-05-24T00:00:00Z
Activity on May 21-22 was dominated by two major series: KP Singh's 13-patch series enabling signed BPF programs with IPE (Integrity Policy Enforcement) policy gating, and Kuniyuki Iwashima's 11-patch v2 series adding SOCK_OPS hooks for TCP AutoLOWAT with a new kfunc to dynamically adjust sk_rcvlowat. Kaitao Cheng posted v11 of the bpf_list API extensions adding bpf_list_del, bpf_list_add, and is_first/last/empty kfuncs, while Ihor Solodrai's v6 series improved sleepable stackmap build ID handling.
bpf: expose signature verdict to LSMs via bpf_prog_aux
Exposes the signature verification verdict for BPF programs to LSMs by storing it in bpf_prog_aux, laying the foundation for integrity policy enforcement at BPF program load time. This allows LSM hooks to inspect whether a loader program was signed and what the verdict was. It is the first patch in the 13-patch 'Signed BPF + IPE Policies' series, which integrates BPF with the Integrity Policy Enforcement LSM to address supply-chain security concerns for BPF programs. Downstream patches build on this to implement the full kfunc-based metadata verification and IPE policy gating.
bpf: add bpf_loader_verify_metadata kfunc
Adds a new kfunc bpf_loader_verify_metadata that allows loader-style BPF programs to verify metadata attached to the program being loaded, resolving kfunc calls against prog BTF rather than kernel BTF. This is a key building block of the signed BPF + IPE framework, enabling BPF programs to participate in their own integrity attestation at load time. It works in conjunction with the prog digest computed at BPF_PROG_LOAD entry and feeds into the post-integrity LSM hook. The kfunc is available only to loader programs and enforces strict type safety through BTF resolution.
ipe: gate post-integrity BPF program loads
Wires IPE policy enforcement into the new security_bpf_prog_load_post_integrity LSM hook so that IPE can gate BPF program loads based on cryptographic signature properties. System administrators can write IPE policies that allow or deny BPF programs depending on whether their loader's signature was valid and the metadata verified. This completes the end-to-end flow from loader signature verification through BPF program BTF embedding to IPE decision enforcement. Integration tests in selftests/bpf validate the full policy pipeline.
bpf: tcp: Introduce BPF_SOCK_OPS_RCVQ_CB
Introduces a new sock_ops callback BPF_SOCK_OPS_RCVQ_CB that fires when data arrives in a TCP socket's receive queue, enabling BPF programs to react to incoming data and adjust receive behavior dynamically. This callback is the core mechanism behind the TCP AutoLOWAT feature, which allows BPF to set sk_rcvlowat based on inspection of pending data. The patch ensures mutual exclusivity with SOCKMAP and disallows the callback on MPTCP sockets, and also prevents enabling it when the receive queue is already non-empty to avoid missed callbacks. It is part of the v2 11-patch series 'bpf: Add SOCK_OPS hooks for TCP AutoLOWAT'.
bpf: tcp: Add kfunc to adjust sk->sk_rcvlowat
Adds a new kfunc callable from BPF_SOCK_OPS_RCVQ_CB programs that adjusts sk->sk_rcvlowat, the minimum number of bytes that must be in the receive buffer before waking up a waiting reader. This enables 'AutoLOWAT' behavior where BPF inspects incoming data inside the new RCVQ callback and sets an appropriate threshold, eliminating spurious wakeups when partial data arrives. The kfunc builds on the __tcp_set_rcvlowat() helper split out in an earlier patch in the series. It also supports bpf_skb_load_bytes() within the same callback context to allow programs to examine payload content when making the threshold decision.
bpf: Introduce the bpf_list_del kfunc
Adds bpf_list_del, a new kfunc that removes a node from a BPF linked list given a non-owning reference to the node, without requiring access to the list head. This is part of v11 of the 'bpf: Extend the bpf_list family of APIs' series, which also introduces bpf_list_add for arbitrary insertion, and bpf_list_is_first/is_last/is_empty for introspection. The series refactors __bpf_list_del and __bpf_list_add internally to operate on node pointers and insertion-point pointers respectively, and relaxes ownership rules via a new __nonown_allowed annotation. Together these bring BPF linked-list semantics much closer to those available in kernel code.
bpf: Cache build IDs in sleepable stackmap path
Implements stack_map_get_build_id_offset_sleepable() which caches ELF build IDs in the sleepable stackmap code path, avoiding faultable reads under mm locks that could cause issues in non-sleepable contexts. This is the final patch of v6 of the series, which first factors out shared build ID helpers and then fixes the non-sleepable path to avoid page faults under mmap_lock. The result is more reliable build ID collection when BPF stack traces are captured from sleepable programs such as fentry/fexit and LSM hooks. Proper caching also reduces overhead on repeated stack captures of the same binary.
bpf: Fix concurrent regression in map_create()
Fixes a concurrency regression in map_create(), introduced by a recent change, where a race between concurrent map creation calls could lead to incorrect behavior. This v2 single-patch series corrects the synchronization logic to ensure the common single-threaded path is not penalized while the concurrent case is handled correctly. The fix is targeted and minimal, addressing the regression without restructuring the broader map creation flow.
Generated 2026-05-23T10:04:57Z
Activity on bpf-next for May 20–21 was dominated by Kaitao Cheng's v11 series extending the BPF linked-list kfunc API with deletion, mid-list insertion, and boundary-query helpers. Documentation coverage also improved, with new BPF ISA docs for atomic LOAD_ACQUIRE and STORE_RELEASE instructions, and kernel-doc annotations for arena page kfuncs.
bpf: Extend the bpf_list family of APIs
This v11 eight-patch series significantly extends the BPF linked-list kfunc API. It introduces bpf_list_del to remove a node from a list in-place, bpf_list_add to insert a node after an arbitrary existing node (enabling mid-list insertion rather than only head/tail), and bpf_list_is_first/bpf_list_is_last/bpf_list_empty helpers for querying list state. Supporting refactors rework the internal __bpf_list_del and __bpf_list_add helpers to accept direct node or prev-pointer arguments, and a new __nonown_allowed annotation is introduced to permit non-owning list-node arguments in the verifier. Selftests covering all new operations are added in the final patch.
bpf: Add kernel-doc for arena page kfuncs
This single patch adds kernel-doc comments to the BPF arena page kfuncs, filling a documentation gap for the arena memory subsystem introduced in recent kernels. Arena kfuncs allow BPF programs to allocate and manage contiguous page regions, and the new docs describe parameters, return values, and usage constraints. Proper kernel-doc coverage makes these APIs easier to discover and use correctly from both BPF program and tooling perspectives.
bpf, docs: add LOAD_ACQUIRE and STORE_RELEASE instructions
This v2 patch updates the BPF ISA documentation to formally describe the LOAD_ACQUIRE and STORE_RELEASE atomic memory instructions added to the BPF instruction set. These instructions provide acquire and release memory ordering semantics for BPF programs running on SMP systems, bridging a gap between the implemented behavior and the official specification. The v2 revision corrects a typo in the instruction name present in v1 (LOAD_AQCUIRE) and refines the prose descriptions.
selftests/bpf: XDP LB benchmark fixes
This v2 three-patch series fixes correctness and statistical reliability issues in the XDP load-balancer benchmark selftests. Patch 1 fixes cold_lru producing a zero batch_hash value, patch 2 addresses expired UDP LRU entries that could corrupt benchmark measurements, and patch 3 introduces interquartile range (IQR) filtering to the batch-timing library to discard timing outliers and produce more stable latency results. Together these changes make the XDP LB benchmark suitable for automated performance regression testing.
selftests/bpf: Fix zero batch_hash on CPU 0 after batch_gen wraparound
This patch fixes a bug in the BPF selftests where the batch_hash value for CPU 0 could become zero after the batch_gen counter wraps around, causing incorrect test assertions. The root cause is an off-by-one in the hash computation that produces the reserved value 0 only for the wraparound case on the first CPU. The fix adjusts the hash so that valid hashes are never zero regardless of counter value or CPU index.
Generated 2026-05-22T00:00:00Z
The 2026-05-19/20 period was dominated by two significant series targeting the bpf-next tree. Martin KaFai Lau posted a 12-patch RFC introducing common infrastructure for attaching struct_ops programs to cgroups, with TCP sock_ops callbacks as the first concrete consumer. Amery Hung's fifth revision of a verifier refactor series unifies dynptr and referenced-object tracking, fixes a dynptr use-after-free bug, and lays groundwork for virtual references.
bpf: Add infrastructure to support attaching struct_ops to cgroups
This patch adds the core kernel-side plumbing that allows a BPF struct_ops map to be attached to a cgroup, analogous to how cgroup-bpf programs are attached today. It introduces a new attach_cgroup / detach_cgroup path in the struct_ops subsystem and wires it into the cgroup hierarchy so that struct_ops implementations are automatically inherited and detached as cgroups come and go. The change builds on earlier patches in the series that refactored prog_list helpers and made the tasks_rcu grace period optional for struct_ops. Together these patches enable a general mechanism for per-cgroup behavioral customization via struct_ops without requiring a bespoke attach type for every future use case.
bpf: tcp: Support selected sock_ops callbacks as struct_ops
This patch exposes a curated subset of TCP sock_ops callbacks through the new cgroup-attached struct_ops mechanism, making it the first real consumer of the infrastructure added earlier in the series. By doing so, BPF programs gain a type-safe, struct_ops-based alternative to the older BPF_PROG_TYPE_SOCK_OPS approach for per-cgroup TCP policy. The patch registers the relevant TCP callbacks with the struct_ops subsystem so that a BPF program implementing the struct can be loaded and attached to a cgroup just like any other struct_ops map. This positions the kernel to eventually migrate more sock_ops functionality to the cleaner struct_ops model.
bpf: Refactor object relationship tracking and fix dynptr UAF bug
This patch, the centerpiece of Amery Hung's v5 series, consolidates how the BPF verifier tracks ownership relationships between registers that point to reference-counted objects. The existing code used separate, partly duplicated logic for dynptrs, slices, and kptrs; this change unifies them under a single "object relationship" model that makes parent-child lifetime constraints explicit. As a side effect it fixes a real use-after-free bug where the verifier would allow a dynptr to be used after its backing object had already been released. The refactor is a prerequisite for the later patches in the series that introduce virtual references and unify release handling.
bpf: Fold ref_obj_id into id and introduce virtual references
The BPF verifier historically maintained two separate ID namespaces: reg->id for aliasing and reg->ref_obj_id for reference tracking. This patch merges them into a single id field, reducing verifier state size and eliminating the conceptual split that complicated dynptr and kptr handling. It simultaneously introduces the notion of "virtual references": lightweight tracked references that don't correspond directly to a kernel refcount but allow the verifier to reason about object lifetimes across helper and kfunc calls. The change simplifies several verifier paths and is a direct enabler for the cross-call-frame dynptr ref-count fix that follows.
selftests/bpf: Fix expired UDP LRU entries in XDP LB benchmark
The XDP load-balancer benchmark in selftests/bpf uses an LRU map to track active UDP flows, but stale entries were not being evicted correctly, causing the benchmark to route packets to the wrong backend after a flow's natural expiry. This patch adds proper expiry logic so that aged-out LRU entries are treated as new flows and re-hashed to a fresh backend. The fix is part of a four-patch series that also addresses a zero-hash corner case and caps the calibration loop at the may_goto limit to avoid hangs on slow machines.
bpf: fix deadlock in special field destruction in NMI
When a BPF map value containing special fields (such as bpf_spin_lock or bpf_timer) is destroyed from an NMI context, the cleanup path attempted to acquire a spin lock that is not NMI-safe, resulting in a deadlock. This patch defers the special-field teardown out of the NMI-hot path by queuing the work to a safe context before performing any locking. The fix prevents a hard-to-trigger but potentially fatal lockup on systems where map entries can be freed at interrupt level.
Generated 2026-05-21T00:00:00Z
Activity on the bpf-next mailing list for May 18–19 was headlined by two new feature series and several correctness fixes. Mahe Tardy's series to add a bpf_icmp_send kfunc reached its sixth revision, enabling BPF programs to send ICMP messages for both IPv4 and IPv6. Leon Hwang posted follow-up fixes to BPF syscall common attribute handling, and Mykyta Yatsenko's series to expose tracepoint BTF IDs via tracefs arrived in a second revision.
This patch, part of a six-patch series now in its sixth revision, introduces the bpf_icmp_send kfunc allowing BPF programs to generate ICMP error messages in response to network events. The series also refactors netfilter's nf_reject helper functions into core IPv4 and IPv6 to make the destination-filling logic reusable. Adding an ICMP send primitive to the kfunc interface gives BPF-based network policies a standard mechanism to signal errors back to senders without resorting to custom helpers. Comprehensive selftests covering both IPv4 and IPv6 paths, as well as a recursion safety test, are included.
tracing: Expose tracepoint BTF ids via tracefs
This patch exposes per-tracepoint BTF type IDs through a new tracefs file, making it possible for user-space tools to programmatically discover the BTF-typed arguments for any tracepoint without parsing kernel headers. It is the core piece of a three-patch series (v2) that also makes btf_get_module_btf() and btf_relocate_id() non-static so they can be called from the tracing subsystem. The change improves the ergonomics of generic tracepoint BPF programs by giving loaders a stable interface to resolve argument types at runtime.
bpf: fix deadlock in special field destruction in NMI
This fix addresses a deadlock that can occur when BPF map special fields (such as spin locks or timers) are destroyed from NMI context, where taking a sleeping lock or a regular spinlock is unsafe. The patch ensures that the field-destruction path uses an NMI-safe locking strategy to avoid the deadlock. This is an important correctness fix for any workload that can trigger map cleanup from interrupt context.
bpf: Check tail zero of bpf_common_attr using offsetofend
The first patch in a five-patch follow-up series improves how the kernel validates the trailing padding bytes of bpf_common_attr by switching from a manual size check to offsetofend(), which is more precise and less error-prone. The series also fixes a concurrency regression in map_create(), adds OPTS_VALID() coverage for log_opts in libbpf's bpf_map_create, and extends selftests to cover both the padding check and the token_fd edge case. Together these patches tighten the BPF syscall attribute ABI and harden the map creation path.
selftests/bpf: Fix test for refinement of single-value tnum
This standalone patch corrects a selftest that validates the verifier's tnum (tracked number) refinement logic for registers known to hold a single concrete value. The test was not properly exercising the refinement path, so this fix ensures the coverage is accurate. Keeping verifier selftests precise is important for catching regressions in the abstract interpretation engine.
Generated 2026-05-20T00:00:00Z
Activity on May 17-18 was dominated by two series: Mahe Tardy's v6 of the bpf_icmp_send kfunc, which adds the ability for BPF programs to emit ICMP messages from both IPv4 and IPv6 paths, and Yonghong Song's follow-up fix for exception unwinding when BPF functions pass arguments on the stack. Both series continued iterating toward merge readiness.
This patch (3/6 of the v6 series) introduces the bpf_icmp_send kfunc, which lets BPF programs send ICMP error messages directly from the kernel networking stack. It builds on earlier refactoring that moved netfilter's nf_reject_fill_skb_dst helpers into the core IPv4 and IPv6 layers, making them reusable outside of netfilter. The kfunc is gated by appropriate capability checks and includes recursion protection. This fills a long-standing gap for BPF-based packet filtering policies that need to signal rejection back to senders.
net: move netfilter nf_reject_fill_skb_dst to core ipv4
Prerequisite patch for bpf_icmp_send that refactors the netfilter IPv4 reject helper nf_reject_fill_skb_dst out of the nf_reject_ipv4 module and into core IPv4 code. This makes the destination fill logic reachable by non-netfilter subsystems, specifically the new BPF kfunc. An identical companion patch (2/6) does the same for the IPv6 path via nf_reject6_fill_skb_dst.
bpf,x86: Fix exception unwinding with outgoing stack arguments
This two-patch series addresses a bug in the x86 BPF JIT where the exception unwinding path fails to correctly account for stack space used to pass arguments beyond the six-register ABI limit. When a BPF-to-BPF call places extra arguments on the stack, the unwinder could miscalculate the frame pointer, leading to incorrect stack traces or crash recovery. A companion selftest patch validates the fix across a range of argument-passing scenarios.
Generated 2026-05-19T00:00:00Z
No patches were submitted to the bpf mailing list during this period.
Generated 2026-05-18T00:00:00Z
Activity on May 15–16 centered on follow-up fixes for BPF stack argument support in the verifier and x86 JIT (v3 of Yonghong Song's series), a new bpf_icmp_send kfunc enabling BPF programs to emit ICMP messages (v5, Mahe Tardy), and infrastructure to expose tracepoint BTF IDs through tracefs (Mykyta Yatsenko). Additional work addressed syscall writeback boundary correctness and added build ID caching to the sleepable stackmap path.
Introduces a new bpf_icmp_send kfunc that allows BPF programs to send ICMP messages directly from the kernel, wrapping the existing icmp_send and icmp6_send infrastructure. This enables use cases such as custom network error signaling and path MTU discovery helpers that previously required kernel modifications. The v5 series covers both IPv4 and IPv6 with dedicated selftests, and includes a recursion test to verify safety under re-entrant conditions.
tracing: Expose tracepoint BTF ids via tracefs
Exposes per-tracepoint BTF type IDs through a new tracefs file, making it easier for BPF programs and userspace tools to discover typed tracepoint argument layouts without relying on name-based BTF lookups. A companion patch exports btf_get_module_btf() and btf_relocate_id() to support cross-module BTF resolution needed by the new interface. This infrastructure lays groundwork for more reliable generic tracepoint attachment in BPF.
bpf: Validate outgoing stack args when btf_prepare_func_args fails
Fixes a gap in the BPF verifier where outgoing stack arguments were not validated when btf_prepare_func_args failed, which could leave stack slots in an inconsistent state. This is patch 1/7 of the v3 follow-up series for stack argument support, which also improves liveness analysis logging and cleans up redundant checks for non-JITed programs. The series addresses correctness issues surfaced during review of the original stack argument passing feature.
bpf,x86: Fix exception unwinding with outgoing stack arguments
Fixes exception unwinding on x86 when BPF programs use outgoing stack arguments, ensuring the stack frame state is correctly maintained during exception handling. Without this fix, the unwinder could misinterpret stack slots used for passing arguments as part of the exception handler frame. This patch is part of the same v3 stack argument follow-up series from Yonghong Song.
bpf: align syscall writeback behavior with caller-declared size
Corrects the BPF syscall's data writeback to respect the size declared by the caller rather than always writing the kernel's internal buffer size, preventing potential exposure of uninitialized memory past the requested boundary. The fix applies to BPF_PROG_QUERY and similar commands that copy data back to userspace. An accompanying selftest verifies correct boundary enforcement for the attr size parameter.
bpf: Cache build IDs in sleepable stackmap path
Implements build ID caching in the sleepable stackmap code path, reducing overhead for stack traces that include build IDs by avoiding repeated lookups for the same mappings. A prerequisite patch in the series also avoids faultable build ID reads while mm locks are held, fixing a correctness issue that could cause deadlocks. The series refactors internal stackmap helpers to cleanly support both sleepable and non-sleepable code paths.
Generated 2026-05-17T00:00:00Z
Activity on bpf-next for May 14-15 centered on three areas: the fifth revision (v5) of Ihor Solodrai's series implementing a sleepable code path for stack map build-ID resolution, verifier fixes from Yonghong Song ensuring outgoing stack arguments are validated even when BTF introspection fails early, and a pair of fixes improving syscall writeback bounds and custom syncookie statistics.
bpf: Factor out stack_map_build_id_set_ip() in stackmap.c
First patch in a three-part v5 series implementing a sleepable stack-map build-ID path. This preparatory change extracts the logic that records a build ID and instruction pointer into a new helper function stack_map_build_id_set_ip(), reducing duplication and making it easier to share the logic between the existing non-sleepable and the upcoming sleepable implementation. The refactor is a no-op in terms of runtime behavior but is a prerequisite for the two patches that follow.
bpf: Avoid faultable build ID reads under mm locks
Second patch in the sleepable stackmap series, addressing a correctness hazard in the existing path where build-ID reads from user memory could fault while mm locks are held. The fix ensures that any operation that may trigger a page fault is deferred or guarded so it cannot occur while the mm read lock is taken. This is a prerequisite for safely introducing a sleepable variant that can drop and reacquire locks around faultable accesses.
bpf: Cache build IDs in sleepable stackmap path
Culminating patch of the series, implementing stack_map_get_build_id_offset_sleepable() which allows BPF programs running in sleepable contexts to resolve build IDs from user-space stack traces without holding non-sleepable locks. Build IDs are cached to avoid repeated costly lookups. This enables accurate symbolization in profiling use cases that run under sleepable BPF programs, such as those attached via fentry/fexit on sleepable kernel functions.
bpf: Validate outgoing stack args when btf_prepare_func_args fails
Verifier fix in the v2 revision of a two-patch series. When btf_prepare_func_args() returns an error early, the verifier previously skipped validation of outgoing stack-passed arguments, leaving them unchecked. This patch ensures that even on the failure path the stack argument regions are validated, preventing potential information leaks or incorrect program acceptance. A companion selftest is added in the second patch to exercise the newly covered code path.
bpf: align syscall writeback behavior with caller-declared size
Fixes an inconsistency in BPF_PROG_QUERY where the kernel could write back more data than the user declared in the attribute's size field. The patch aligns writeback length with the size the caller provided, preventing potential buffer overruns on the user side and making the syscall behave consistently with how other BPF syscall commands handle user-declared sizes. A selftest verifying the size boundary is introduced in the accompanying patch.
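The writeback rule described above, and in the other summaries of this fix, as an added example (not code from the patch or the kernel): a userspace C model in which the struct layouts, field names and function names are hypothetical stand-ins for the query attribute. It compares copying the full internal struct with clamping to the caller-declared size, using canary bytes to show what an older, smaller caller would find overwritten.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layouts for illustration; not the real union bpf_attr. */
struct query_attr_old {          /* layout an older binary was built against */
    uint32_t target_fd;
    uint32_t attach_type;
    uint32_t prog_cnt;
};

struct query_attr_cur {          /* layout the modelled "kernel" uses today */
    uint32_t target_fd;
    uint32_t attach_type;
    uint32_t prog_cnt;
    uint32_t attach_flags;       /* result fields appended in later versions */
    uint64_t revision;
};

#define CANARY 0xA5              /* marks caller memory that must stay untouched */
#define GUARD  32                /* caller data that happens to follow the attr */

typedef size_t (*writeback_fn)(unsigned char *uattr, size_t usize,
                               const struct query_attr_cur *kattr);

/* Pre-fix behaviour: ignore the declared size, copy the whole internal struct. */
static size_t writeback_full(unsigned char *uattr, size_t usize,
                             const struct query_attr_cur *kattr)
{
    (void)usize;
    memcpy(uattr, kattr, sizeof(*kattr));
    return sizeof(*kattr);
}

/* Fixed behaviour: never write more than the caller said its buffer holds. */
static size_t writeback_clamped(unsigned char *uattr, size_t usize,
                                const struct query_attr_cur *kattr)
{
    size_t n = usize < sizeof(*kattr) ? usize : sizeof(*kattr);

    memcpy(uattr, kattr, n);
    return n;
}

/*
 * Run one modelled query for a caller that declared `usize` bytes.
 * Returns how many bytes beyond `usize` were modified; *prog_cnt receives
 * the result field an old caller would read back.
 */
static size_t run_query(writeback_fn wb, size_t usize, uint32_t *prog_cnt)
{
    /* The arena is big enough that even the unclamped copy stays in bounds. */
    unsigned char mem[sizeof(struct query_attr_cur) + GUARD];
    struct query_attr_cur kattr;
    size_t i, clobbered = 0;

    memset(mem, CANARY, sizeof(mem));
    memset(&kattr, 0, sizeof(kattr));
    kattr.prog_cnt = 3;          /* constructed sample results */
    kattr.attach_flags = 1;
    kattr.revision = 7;

    wb(mem, usize, &kattr);

    for (i = usize; i < sizeof(mem); i++)
        if (mem[i] != CANARY)
            clobbered++;
    memcpy(prog_cnt, mem + offsetof(struct query_attr_old, prog_cnt),
           sizeof(*prog_cnt));
    return clobbered;
}

int main(void)
{
    uint32_t cnt = 0;
    size_t old_sz = sizeof(struct query_attr_old);
    size_t full = run_query(writeback_full, old_sz, &cnt);
    size_t clamped = run_query(writeback_clamped, old_sz, &cnt);

    printf("full copy, old caller:    %zu bytes past declared size\n", full);
    printf("clamped copy, old caller: %zu bytes past declared size, prog_cnt=%u\n",
           clamped, (unsigned)cnt);
    return 0;
}
```

With the clamped copy the older caller still reads back the fields its layout knows about, which is the backward-compatibility half of the fix.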
net: add missing syncookie statistics for BPF custom syncookies
Fourth revision of a two-patch series fixing a statistics gap when BPF programs implement custom TCP SYN-cookie handling. When a BPF program in the tc or XDP layer generates or validates syncookies, the standard kernel syncookie counters were not incremented, making the system appear to have no syncookie activity in tools like ss and netstat. This patch adds the missing counter updates so BPF-managed syncookie traffic is accounted for correctly alongside kernel-native syncookies.
Generated 2026-05-16T10:10:01Z
Today's bpf-next activity was dominated by two significant feature series. Yonghong Song's 25-patch series (v4) introduces stack-based argument passing for BPF functions and kfuncs with JIT support on x86-64 and arm64, lifting the long-standing 5-register argument limit. Mykyta Yatsenko's 11-patch series (v4) adds a new resizable hash map type backed by the kernel's rhashtable infrastructure, with full libbpf and bpftool support.
bpf: Support stack arguments for bpf functions
This patch adds core verifier support for passing arguments to BPF subprograms via the stack using a new r11-relative addressing scheme, complementing the existing register-based calling convention. BPF functions are currently limited to 5 register arguments (r1-r5), which restricts the number and size of parameters that can be passed. To enable stack-based arguments, the verifier must be taught to validate r11-based load/store instructions and track their types through precision backtracking and liveness analysis. This is the central piece of a 25-patch series that also adds JIT support for x86-64 and arm64.
bpf: Support stack arguments for kfunc calls
This patch extends the stack argument mechanism to kfunc calls, allowing BPF programs to pass more than 5 arguments to kernel functions by placing overflow arguments on the stack. Kfuncs currently face the same register-count limit as BPF subprograms, restricting the expressiveness of kernel APIs exposed to BPF. The verifier's kfunc call handling is updated to recognize and validate stack-passed arguments using the new r11-relative addressing. This enables richer kernel APIs to be exposed as kfuncs without requiring workarounds such as packing arguments into structs.
bpf,x86: Implement JIT support for stack arguments
This patch implements x86-64 JIT support for the new stack argument calling convention, emitting code to pass and receive values via the system stack when register arguments are exhausted. The JIT must set up r11 to point at the stack argument area on the caller side and emit the appropriate loads on the callee side. A companion patch (16/25) disables the BPF private stack feature for x86-64 when stack arguments are in use, since the two mechanisms conflict. This is the primary architecture-specific enabler for stack arguments on the most widely used BPF platform.
bpf, arm64: Add JIT support for stack arguments
This patch adds arm64 JIT support for the new BPF stack argument passing convention, completing architecture coverage alongside the x86-64 implementation. A prerequisite change (patch 23/25) remaps BPF_REG_0 from x7 to x8 to align with the arm64 ABI's use of x8 as the indirect result register, which is required for correct stack argument handling. The JIT emits the appropriate load/store instructions to place and retrieve stack arguments on arm64. With this change, stack arguments are functional on both major JIT-supported architectures.
bpf: Implement resizable hashmap basic functions
This patch implements the core lookup, update, and delete operations for a new BPF_MAP_TYPE_RHASH resizable hash map type. Unlike the existing hash map which fixes its bucket count at creation time, this type uses the kernel's rhashtable infrastructure to dynamically grow and shrink based on the number of elements. The implementation handles locking and memory management differences between rhashtable and BPF's existing percpu hash map. This provides a more efficient and adaptive alternative for workloads with highly variable element counts.
libbpf: Support resizable hashtable
This patch adds libbpf support for the new BPF_MAP_TYPE_RHASH resizable hash map type, enabling BPF C programs to declare and interact with resizable maps through the standard libbpf API. The patch updates libbpf's map type recognition and handles any type-specific attributes needed at map creation time. Companion patches in the series add bpftool documentation (10/11) and benchmark support (11/11) to fully round out the user-space tooling. Together with the kernel implementation patches, this makes the resizable hashmap a first-class, fully supported BPF map type.
bpf: Report maximum combined stack depth
This patch adds a new field to BPF program information that exposes the maximum combined stack depth across all subprograms reachable from the main program. The BPF verifier already tracks per-subprogram stack depth, but the worst-case combined depth (accounting for nested calls) is not currently surfaced to user space. This information is useful for debugging stack overflow issues and for static analysis tools to report resource consumption. A companion patch updates veristat to display the new field, and selftests verify correct reporting.
net: add missing syncookie statistics for BPF custom syncookies
This patch fixes missing SYN cookie statistics when BPF programs implement custom syncookie handling via bpf_tcp_raw_check_syncookie_ipv4/ipv6 kfuncs. When the kernel's standard syncookie path is bypassed by a BPF program, counters such as TcpExtSyncookiesRecv are never incremented, causing misleading /proc/net/netstat output. The fix adds the missing statistics updates to the BPF custom syncookie code paths, bringing accounting into parity with the in-kernel path. A selftest verifies that the statistics are correctly reported after exercising the BPF-based syncookie path.
Generated 2026-05-15T00:00:00Z
On May 12-13, Yonghong Song posted v4 of the 25-patch stack arguments series, adding a new patch that disables the x86_64 private stack optimization when stack arguments are in use and refining several earlier patches based on review feedback. Paul Chaignon contributed two independent patches: a new kernel-side feature reporting the maximum combined BPF program stack depth via the verifier log, and a build fix ensuring BPF selftests link correctly in static builds. Leon Hwang and Kaitao Cheng continued iteration on their series with v14 of the BPF syscall common attributes extension and another RESEND of the bpf_list API additions.
bpf: Support stack arguments for bpf functions
The core patch of Yonghong Song's v4 25-patch series 'bpf: Support stack arguments for BPF functions and kfuncs' implements verifier support for passing arguments via stack slots to BPF subprograms, overcoming the five-register argument limit. This v4 incorporates review feedback from v3 and adds a new patch (16/25) that disables the x86_64 private-stack-per-CPU optimization for programs using stack arguments, since the two features are incompatible. The series also adds full JIT backend support for x86 and arm64, liveness tracking for stack argument slots, precision backtracking, and verifier restrictions barring use with tail calls or non-JITed execution. An updated arm64 patch remaps BPF_REG_0 to x8 to align with the AAPCS64 indirect result register convention.
bpf: Report maximum combined stack depth
This patch makes the BPF verifier report the maximum combined stack depth across all subprograms in the verifier log after program load, giving developers a quick way to gauge how close a program is to the 512-byte per-frame limit. Previously this information was only available by summing per-subprogram stack depths manually or by reading JIT output. The companion selftest patch verifies the reported value matches expectations for programs with various subprogram call graphs. This is a small but useful observability improvement for BPF developers working with deeply nested or stack-heavy programs.
bpf: Extend BPF syscall with common attributes support
The first patch of the 8-patch v14 series extends the BPF syscall with a unified common attributes structure for log buffer and log level, shared across `prog_load`, `btf_load`, and `map_create` commands. This v14 addresses review comments from v13 and further refines the libbpf API surface. Subsequent patches wire the common attribute into each command, update libbpf, and add selftests confirming that failure messages—including map creation errors—are surfaced correctly via the new interface. The series improves error observability without requiring callers to set up per-command log fields for each operation.
bpf: Introduce the bpf_list_del kfunc.
A RESEND of the 8-patch v10 series 'bpf: Extend the bpf_list family of APIs,' this patch introduces the `bpf_list_del` kfunc for removing a node from a BPF linked list. Earlier patches refactor internal helpers to accept node pointers directly, while later patches add `bpf_list_add` for mid-list insertion, status-query kfuncs (`bpf_list_is_first`, `bpf_list_is_last`, `bpf_list_empty`), and a `__nonown_allowed` annotation supporting non-owning node arguments. The series has been under review for many iterations and the RESEND aims to keep it visible to maintainers for merging.
selftests/bpf: Override EXTRA_LDFLAGS for static builds
This single patch fixes a build issue where the BPF selftests' static build mode incorrectly propagates dynamic-linking flags via EXTRA_LDFLAGS, causing link failures. The fix overrides EXTRA_LDFLAGS with the appropriate static variants when building BPF test binaries in static mode, ensuring selftests can be linked without a dynamic linker. This is a small build infrastructure fix but is important for environments such as embedded or minimal-userspace test rigs where static BPF selftests are required.
Generated 2026-05-14T12:00:00Z
Activity on May 11-12 was dominated by Yonghong Song's large 24-patch v3 series extending BPF to support stack-based argument passing for BPF-to-BPF function calls and kfuncs, including JIT backends for x86 and arm64 and verifier precision tracking. Alongside it, Kaitao Cheng posted a RESEND of v10 of the bpf_list kfunc API extensions, and Leon Hwang submitted v13 of a series adding common attribute support to the BPF syscall. Kuan-Wei Chiu contributed two notable JIT efforts: an initial BPF JIT for the m68k architecture and 32-bit atomic operation support for the RISC-V 32-bit JIT.
bpf: Support stack arguments for bpf functions
Part of the 24-patch v3 series 'bpf: Support stack arguments for BPF functions and kfuncs,' this patch implements the core verifier support for stack-slot-based argument passing in BPF-to-BPF calls, lifting the prior hard limit of five register arguments. It introduces a new r11-relative addressing scheme for stack argument slots and updates the verifier's type-checking logic accordingly. Companion patches in the series extend liveness analysis and precision backtracking to track stack argument slots, add JIT support for x86 and arm64, and enforce restrictions such as rejecting stack arguments when tail calls are reachable or when running under an interpreter. Comprehensive selftests cover verifier validation, precision tracking, and JIT correctness on both architectures.
bpf: Introduce the bpf_list_del kfunc.
Part of the 8-patch v10 RESEND series 'bpf: Extend the bpf_list family of APIs,' this patch introduces the `bpf_list_del` kfunc for removing a node from a BPF linked list without requiring ownership transfer back to the caller. Earlier patches in the series refactor the internal `__bpf_list_del` helper to accept a node pointer directly, while later patches add `bpf_list_add` for mid-list insertion and status query kfuncs `bpf_list_is_first`, `bpf_list_is_last`, and `bpf_list_empty`. An additional patch introduces the `__nonown_allowed` annotation to permit non-owning list-node arguments to kfuncs. Together these additions bring BPF list manipulation closer to parity with kernel-side linked-list operations.
m68k, bpf: Add initial BPF JIT compiler support
This v3 single-patch submission adds an initial BPF JIT compiler for the m68k (Motorola 68000) architecture, which previously relied on the BPF interpreter. It covers register mapping, instruction translation for arithmetic, memory, branch, and call operations, and wires the JIT into the existing bpf_int_jit_compile infrastructure. Adding a JIT improves BPF program performance on m68k targets and eliminates the overhead of interpreter dispatch. This is a greenfield port that brings m68k into the set of Linux architectures with native BPF JIT support.
riscv, bpf: Add 32 bit atomic operations to RV32 JIT
The final patch of the 3-patch v2 series 'riscv, bpf: Fix signed operations and add 32 bit atomics' implements 32-bit atomic operations (ADD, OR, AND, XOR, XCHG, CMPXCHG) in the RISC-V 32-bit BPF JIT using the RV32A extension instructions. The series also fixes two correctness bugs in the RV32 JIT: improper handling of BPF_MOVSX sign-extension moves and incorrect code generation for signed division (BPF_SDIV) and signed modulo (BPF_SMOD). These changes bring the RV32 JIT substantially closer to feature parity with the 64-bit RISC-V JIT.
bpf: Extend BPF syscall with common attributes support
The first patch of the 8-patch v13 series extends the BPF syscall with a new common attributes structure that unifies log buffer and log level handling across the `prog_load`, `btf_load`, and `map_create` commands. Previously each command carried its own per-command log fields, making it awkward to pass a single log buffer for observing failures across multiple operations. Subsequent patches wire this common attribute into each command, update libbpf to expose a new API for callers, and add selftests verifying that failure messages (including map creation errors) are correctly reported. This improves error observability for all major BPF object creation paths.
selftests/bpf: libarena: Add rbtree data structure
Part of the 2-patch series adding initial data structures to a new `libarena` selftest library, this patch implements an intrusive red-black tree backed by BPF arena memory. The companion patch adds a lock-free Lev-Chase work-stealing deque. The `libarena` library is intended to provide reusable, arena-allocator-backed data structures for BPF selftests, enabling tests that exercise complex heap-based program patterns without per-test boilerplate. A RESEND of the same series (1093106) also appeared the same day.
Generated 2026-05-14T12:00:00Z
Yonghong Song submitted v3 of his 24-patch series adding stack argument support for BPF functions and kfuncs, superseding the v2 sent earlier in the week. The series enables BPF programs to pass arguments to subprograms and kfuncs via the stack when register pressure exceeds six, aligning the BPF calling convention with native ABI practices. It spans verifier liveness and precision analysis, a new r11-based instruction encoding, x86-64 and arm64 JIT backends, and extensive selftests.
bpf: Support stack arguments for bpf functions
The central verifier patch enabling BPF subprograms to accept arguments beyond register r5 by passing them on an auxiliary stack frame. The verifier is extended to recognise the new stack-based argument slots, validate their types, and propagate liveness information through calls. This removes the hard six-argument limit for BPF-to-BPF calls.
bpf: Add precision marking and backtracking for stack argument slots
Extends the verifier's precision backtracking engine to track stack argument slots in addition to registers. Precision marking is required for state pruning to be correct when programs use stack arguments, as the verifier must know which stack slots carry values that affect control flow. Without this, the verifier could incorrectly prune states and miss safety violations.
bpf: Extend liveness analysis to track stack argument slots
Teaches the verifier's liveness analysis to treat stack argument slots as live across a call site, ensuring that the writes to those slots are not incorrectly classified as dead stores. This is necessary for the verifier to correctly determine which stack writes must be preserved before a call instruction. The patch also updates the jmp_history mechanism to record stack-argument frame information.
Introduces support for a new pseudo-register r11 used as the base for stack argument addressing in BPF instructions. Since BPF's ISA did not previously expose r11, the verifier and disassembler are updated to accept and display r11-relative memory operands. This encoding allows the JIT to reliably distinguish stack argument accesses from regular frame-pointer-relative accesses.
bpf: Support stack arguments for kfunc calls
Extends the new stack argument convention to kfunc call sites, allowing kernel functions registered as kfuncs to receive more than six typed arguments from BPF programs. The verifier validates the type and alignment of stack-passed arguments against the kfunc's BTF signature. This is particularly useful for kfuncs with struct-typed or numerous parameters.
bpf,x86: Implement JIT support for stack arguments
Implements x86-64 JIT code generation for the new stack argument passing convention. The JIT emits r11-based MOV instructions to write arguments into the callee's stack frame before the call instruction, following the System V AMD64 ABI spill area layout. This patch makes the feature functional on x86-64, the primary development architecture.
bpf, arm64: Add JIT support for stack arguments
Adds arm64 JIT backend support for the new stack argument calling convention, mirroring the x86-64 implementation. The arm64 JIT must also remap BPF_REG_0 from x7 to x8 (addressed in a companion patch) to free x7 for use as the auxiliary stack frame pointer. With this patch, the feature gains support on both major 64-bit architectures targeted by the series.
Generated 2026-05-12T10:00:00Z
No patches were submitted to the bpf mailing list during this period.
Generated 2026-05-12T10:00:00Z
Activity today was limited to a single series from Kuniyuki Iwashima introducing BPF_SOCK_OPS_RCVLOWAT_CB, a new SOCK_OPS callback enabling BPF programs to dynamically control the TCP receive low-watermark threshold. The series adds a supporting kfunc to write back to sk_rcvlowat, extends bpf_skb_load_bytes() access to the new callback context, and includes selftest coverage.
bpf: tcp: Introduce BPF_SOCK_OPS_RCVLOWAT_CB.
Introduces the new BPF_SOCK_OPS_RCVLOWAT_CB operation in the SOCK_OPS framework, fired when TCP needs to determine a socket's effective receive low watermark. BPF programs attached to this op can inspect packet data and socket state to compute an appropriate threshold, enabling TCP AutoLOWAT-style behaviour. The patch defines the new op constant and wires it into the SOCK_OPS dispatch path.
bpf: tcp: Support bpf_skb_load_bytes() for BPF_SOCK_OPS_RCVLOWAT_CB.
Extends the bpf_skb_load_bytes() helper to be callable within the new BPF_SOCK_OPS_RCVLOWAT_CB context. This allows BPF programs running under the callback to inspect the contents of the socket receive buffer, which is necessary for making data-driven decisions about the appropriate low watermark. The change adds the new op to the set of SOCK_OPS operations that have a valid skb pointer.
bpf: tcp: Add kfunc to adjust sk->sk_rcvlowat.
Adds a kfunc that BPF programs can call within BPF_SOCK_OPS_RCVLOWAT_CB to explicitly set sk_rcvlowat on the current socket. Using a kfunc for the write-back rather than the SOCK_OPS return value avoids convention conflicts and keeps the API clean. The patch includes proper BTF type annotations and checks that the kfunc is only callable in the correct callback context.
bpf: tcp: Factorise bpf_skops_established().
Refactors the internal bpf_skops_established() function to extract shared logic needed by the new rcvlowat hook. This is a preparatory cleanup that avoids code duplication between the existing established-state SOCK_OPS dispatch and the new BPF_SOCK_OPS_RCVLOWAT_CB dispatch site. No functional change is intended.
bpf: tcp: Add SOCK_OPS rcvlowat hook.
The culminating patch of the series, this hooks BPF_SOCK_OPS_RCVLOWAT_CB into the TCP data-ready path so the callback fires at the correct moment. The result returned or written back by the BPF program is then applied as the socket's effective receive low watermark. Together with the preceding patches, this completes the end-to-end implementation of BPF-controlled TCP AutoLOWAT.
Generated 2026-05-12T10:00:00Z
Two major patch series dominated the day's activity. Yonghong Song submitted v2 of a 23-patch series adding stack argument support for BPF functions and kfuncs, touching the verifier, JIT backends for x86 and arm64, and liveness/precision analysis. Kuniyuki Iwashima proposed a new BPF_SOCK_OPS_RCVLOWAT_CB callback enabling BPF programs to dynamically adjust TCP receive low watermarks via a new kfunc. Justin Suess also posted a fix to offload kptr destructors running from NMI context to avoid potential deadlocks.
bpf: tcp: Introduce BPF_SOCK_OPS_RCVLOWAT_CB.
Introduces a new BPF_SOCK_OPS_RCVLOWAT_CB callback in the SOCK_OPS framework, invoked when the kernel needs to determine the effective TCP receive low watermark (sk_rcvlowat). This enables BPF programs to intercept and override the receive threshold on a per-socket basis, which is a building block for TCP AutoLOWAT. The patch wires the new op into the existing SOCK_OPS dispatch path and defines the callback flag.
bpf: tcp: Add kfunc to adjust sk->sk_rcvlowat.
Adds a new kfunc that BPF programs can call within the BPF_SOCK_OPS_RCVLOWAT_CB context to set the socket's sk_rcvlowat field. By exposing this as a kfunc rather than a return value, the API is extensible and avoids ambiguity with other SOCK_OPS return conventions. The patch includes appropriate BTF annotations and guards against misuse outside the designated callback.
bpf: tcp: Add SOCK_OPS rcvlowat hook.
Hooks the BPF_SOCK_OPS_RCVLOWAT_CB into the TCP stack so that the callback is invoked at the right point in data-ready processing. The hook calls into the BPF SOCK_OPS dispatch machinery and applies the result to update the socket's effective receive low watermark. This completes the core implementation of TCP AutoLOWAT support in the SOCK_OPS framework.
bpf: Support stack arguments for bpf functions
Core patch in Yonghong Song's 23-patch v2 series that enables BPF subprograms to receive arguments passed on the stack, moving beyond the current six-register limit. The verifier is extended to understand the new stack-argument slots, tracking their types and liveness. This is a significant capability improvement allowing BPF programs to call subprograms with more than six parameters.
bpf: Support stack arguments for kfunc calls
Extends the stack argument calling convention to kfunc calls as well as BPF-to-BPF calls. The verifier is taught to validate argument types passed via the stack when invoking kernel functions registered as kfuncs. This is important for kfuncs with complex or numerous parameters that currently cannot be expressed within the six-register limit.
bpf,x86: Implement JIT support for stack arguments
Implements the x86-64 JIT backend changes required to emit correct code for stack-based argument passing in BPF programs. The JIT must set up an auxiliary stack frame (using r11 as a frame pointer) and copy argument values to the expected offsets before a call. This is the first architecture JIT to gain stack argument support in this series.
bpf: Offload kptr destructors that run from NMI
Fixes a potential deadlock when a BPF kptr destructor is invoked from NMI context, where taking locks required for safe reference counting is not possible. The fix offloads such destructors to a work queue so they run in a sleepable context. The companion patch adds an NMI exerciser selftest to verify the fix holds under stress.
Generated 2026-05-12T10:00:00Z
Two patch series landed on bpf-next today. Amery Hung posted v4 of a 12-patch series refactoring verifier object relationship tracking, unifying dynptr and referenced-object handling while fixing a use-after-free bug in dynptr operations. Yazhou Tang posted v10 of a 3-patch series fixing an out-of-bounds read and s16 truncation bug in bpf_patch_call_args() for large bpf-to-bpf call offsets.
bpf: Refactor object relationship tracking and fix dynptr UAF bug
This is the core patch in a 12-patch series refactoring how the BPF verifier tracks relationships between objects. It rewrites the parent-child relationship model for dynptrs, slices, and referenced objects under a unified representation, and simultaneously fixes a use-after-free bug where a dynptr could be accessed after its underlying object was freed. The fix enforces stricter lifetime rules in the verifier so that deriving a dynptr from a freed resource is correctly rejected at verification time. This is a significant correctness improvement for programs that use dynptrs backed by kernel objects.
bpf: Unify dynptr handling in the verifier
Consolidates dynptr state tracking in the verifier by routing all dynptr-related checks and state propagation through a single code path, removing previously scattered handling of dynptr metadata. This patch is a prerequisite for the later patches in the series that generalize object relationship tracking. The change improves maintainability and reduces the risk of subtle inconsistencies between different dynptr handling sites.
bpf: Unify referenced object tracking in verifier
Merges the per-type tracking of referenced objects (dynptrs, slices, kptrs) into a single unified mechanism within the verifier. Previously, each object type carried partially redundant and inconsistent tracking data structures. The unified approach simplifies the verifier's internal state and makes it easier to extend object tracking for new reference types in the future.
bpf: Unify release handling for helpers and kfuncs
Merges the release-handling paths for BPF helpers and kfuncs in the verifier, which previously maintained separate but largely duplicated logic for releasing acquired references. Unifying these paths ensures consistent semantics regardless of whether a reference is released via a helper or a kfunc. This is part of the broader series to consolidate verifier object tracking infrastructure.
bpf: Fix out-of-bounds read in bpf_patch_call_args()
Fixes an out-of-bounds read in bpf_patch_call_args(), the function responsible for rewriting bpf-to-bpf call instruction offsets during program loading. The bug could be triggered when patching programs with calls positioned near the end of the instruction array, causing the function to read beyond the allocated buffer. This is v10 of the fix series, reflecting a lengthy review process to ensure the bounds check is correct under all patching scenarios.
bpf: Fix s16 truncation for large bpf-to-bpf call offsets
Fixes an s16 truncation bug in bpf_patch_call_args() where call offsets exceeding the range of a signed 16-bit integer were silently truncated, producing incorrect jump targets in patched programs. The fix widens the internal offset representation to correctly handle large programs where the distance between caller and callee exceeds 32767 instructions. This patch pairs with the out-of-bounds read fix in the same series.
Generated 2026-05-08T00:00:00Z
Two fix series landed targeting correctness and safety in core BPF infrastructure. Yazhou Tang's v10 series addresses an out-of-bounds read and s16 call offset truncation bug in bpf_patch_call_args(), preventing memory corruption when BPF programs use large bpf-to-bpf call offsets. Justin Suess's v2 series fixes a deadlock that can occur when kptr destructors are triggered from NMI context by offloading them to a safe workqueue path.
bpf: Fix out-of-bounds read in bpf_patch_call_args()
bpf_patch_call_args() is responsible for rewriting call instructions in BPF programs when functions are relocated during loading. This patch fixes an out-of-bounds memory read that occurs in that function when processing bpf-to-bpf calls with large offsets. The bug arises because the code reads beyond the bounds of the instruction array before the offset is validated. At v10, this fix has been through significant refinement and is paired with a companion patch correcting the underlying s16 truncation issue.
bpf: Fix s16 truncation for large bpf-to-bpf call offsets
When a bpf-to-bpf call offset is large enough to overflow a signed 16-bit integer, the value gets silently truncated during patching, causing the call instruction to jump to an incorrect address. This patch fixes the truncation by ensuring offsets are handled with the correct width throughout the call patching path. The bug could cause silent misbehavior in complex BPF programs with many subprograms spread far apart in the instruction stream. A selftest (patch 3/3) accompanies this fix to cover the large-offset case.
bpf: Offload kptr destructors that run from NMI
BPF kptr destructors can be invoked from NMI (non-maskable interrupt) context, for example via perf-event-attached programs, but acquiring the locks required for cleanup is unsafe in that context and can deadlock the kernel. This patch resolves the issue by detecting the NMI case and offloading the destructor call to a workqueue so it runs in a safe, preemptible context. The fix preserves correct lifecycle management for kptrs while eliminating the deadlock risk. A companion selftest (patch 2/2) exercises the NMI destructor path to prevent regressions.
Generated 2026-05-07T00:00:00Z
A quiet day on bpf-next, with a single two-patch series from Matt Bobrowski. The v2 series enforces VFS constraints on the xattr BPF kfuncs and pairs that change with negative selftests that verify the error paths.
bpf: enforce VFS constraints for xattr related BPF kfuncs
This v2 patch enforces standard VFS permission and existence checks inside the BPF xattr kfuncs bpf_get_dentry_xattr, bpf_set_dentry_xattr, and bpf_remove_dentry_xattr. Without these guards, BPF LSM programs could bypass the capability checks and dentry validity requirements that the normal VFS xattr code path enforces, creating a privilege inconsistency. The fix aligns kfunc semantics with userspace-visible VFS behavior, closing a potential privilege-related gap for LSM-heavy deployments. This is the v2 revision incorporating feedback from the initial posting.
selftests/bpf: add new negative tests for xattr related BPF kfuncs
This companion patch adds a set of negative test cases exercising the VFS constraint enforcement introduced in the first patch of the series. The tests attempt xattr kfunc calls on negative dentries, on filesystems that do not support extended attributes, and with invalid capability state, confirming that the kernel returns the expected error codes in each case. Having explicit negative coverage prevents future regressions from quietly re-opening the constraint bypass.
Generated 2026-05-06T00:00:00Z
The May 3-4 window saw two active series. Matt Bobrowski posted a v2 two-patch series enforcing VFS constraints for xattr-related BPF kfuncs, tightening permission and existence checks that were previously bypassable from BPF context. Kuan-Wei Chiu followed up with a v2 of the initial BPF JIT compiler for the m68k architecture, bringing Motorola 68000-series CPUs into the JIT-capable BPF tier.
bpf: enforce VFS constraints for xattr related BPF kfuncs
This patch (v2, 1/2) enforces standard VFS permission and existence constraints inside the xattr BPF kfuncs bpf_get_dentry_xattr, bpf_set_dentry_xattr, and bpf_remove_dentry_xattr. Previously, BPF programs could bypass the checks that the regular VFS xattr path imposes, such as requiring a positive dentry and appropriate capabilities. The fix aligns kfunc behavior with what a userspace caller would experience, closing a privilege-related inconsistency in LSM hook programs. It is the companion to the negative-dentry crash fix posted earlier in the week.
selftests/bpf: add new negative tests for xattr related BPF kfuncs
This patch (v2, 2/2) adds a set of negative test cases that verify the VFS constraint enforcement introduced in the companion patch. The tests exercise scenarios such as operating on negative dentries, missing capability bits, and invalid xattr name prefixes to confirm the kfuncs now return the expected error codes. Covering these failure paths in selftests ensures regressions will be caught before the series lands in the tree.
m68k, bpf: Add initial BPF JIT compiler support
This v2 patch introduces a BPF JIT compiler for the Motorola m68k architecture, making m68k the newest architecture to gain native BPF execution instead of falling back to the interpreter. The JIT covers the core BPF instruction set including ALU ops, memory loads and stores, branching, and function calls, mapping them to m68k assembly. The v2 addresses review feedback from the initial posting, primarily around instruction selection and register allocation details. This expands BPF's JIT footprint to an architecture frequently used in embedded and legacy systems.
Generated 2026-05-06T00:00:00Z
No patches were submitted to the bpf mailing list during this period.
Generated 2026-05-04T00:00:00Z
May 1 was a quiet day on the bpf-next mailing list with just two series submitted. Florian Lehner posted v3 of LINK_DETACH support for perf links, and Hadrien Patte submitted two revisions of a bpftool build fix to resolve libcrypto link flags via pkg-config.
bpf: Add LINK_DETACH support for perf link
Adds LINK_DETACH semantics to perf links, enabling a perf link to be detached from its underlying perf event without closing the link file descriptor. This mirrors detach behavior already available for other BPF link types and is useful for programs that need to temporarily suspend tracing without fully tearing down associated state. The v3 series also includes a selftest that exercises the detach path for perf links and verifies correct behavior after detachment.
bpftool: Resolve libcrypto link flags via pkg-config
Switches bpftool's libcrypto linkage from a hardcoded -lcrypto flag to a pkg-config query, improving portability across distributions and build environments where OpenSSL may be installed in non-standard locations. This v2 incorporates review feedback from the initial submission posted earlier the same day. The fix matters for downstream packagers who build bpftool against system-provided or vendored OpenSSL installations where pkg-config is the canonical way to obtain library flags.
Generated 2026-05-02T10:30:00Z
April 30 saw heavy activity around the ongoing selftests/bpf build robustness series from Ricardo B. Marlière, which reached its eleventh revision with both v10 and v11 landing on the same day. Notable companion patches include Paul Chaignon's verifier enhancement to print per-subprogram instruction counts, and a crash fix from Matt Bobrowski for negative dentry handling in xattr kfuncs.
selftests/bpf: Add BPF_STRICT_BUILD toggle
First patch of an 11-part series (now at v11) reworking the BPF selftests build system to gracefully handle partial or misconfigured kernel configurations. This patch introduces a BPF_STRICT_BUILD Makefile toggle that, when disabled, allows the test suite to build and run even when some BPF features or kernel modules are absent. The series as a whole adds skip logic for missing compiled objects, tolerance for benchmark and skeleton generation failures, and fixes KDIR handling for distro kernels built with O=. This is particularly valuable for CI environments and downstream packagers who build BPF selftests against non-default kernel configs.
bpf: Print breakdown of insns processed by subprogs
Extends the BPF verifier's log output to print a per-subprogram breakdown of instruction counts processed, rather than only a single aggregate total. Previously, developers debugging large BPF programs with multiple subprograms had no direct way to identify which subprogram was consuming most of the verifier budget. This v3 addresses reviewer feedback on the log format and is accompanied by a selftest that validates the new per-subprogram lines in the verifier log.
bpf: fix crash in bpf_[set|remove]_dentry_xattr for negative dentries
Fixes a null pointer dereference crash in the bpf_set_dentry_xattr and bpf_remove_dentry_xattr kfuncs when called with a negative dentry, i.e., one that does not correspond to an existing filesystem object. Both functions previously assumed the dentry had an associated inode and would crash when that assumption was violated. This v2 adds an early guard to reject negative dentries, preventing BPF LSM programs from triggering the crash when walking filesystem paths that include non-existent entries.
Generated 2026-05-02T10:30:00Z
This daily window's highlight is a new BPF JIT compiler for the m68k architecture, alongside fixes and new 32-bit atomic support for the RISC-V 32-bit JIT. The verifier gained a useful diagnostic improvement to print per-subprogram instruction counts, and a crash in the BPF LSM dentry xattr helpers for negative dentries was corrected. A large selftests series (v9) to allow partial builds across varying kernel configs also landed.
m68k, bpf: Add initial BPF JIT compiler support
Adds an initial BPF JIT compiler for the m68k architecture, bringing JIT-accelerated BPF execution to this historically interpreter-only platform. The implementation covers the core BPF instruction set, translating BPF bytecode into native m68k machine code. This is significant because JIT compilation greatly reduces BPF program overhead compared to the interpreter path. It extends the set of architectures with BPF JIT support, which has grown substantially in recent kernel cycles.
riscv, bpf: Fix support for BPF_SDIV and BPF_SMOD in RV32 JIT
Fixes handling of signed division (BPF_SDIV) and signed modulo (BPF_SMOD) in the RISC-V 32-bit BPF JIT, which produced incorrect results for negative operands. This is the first patch in a three-part series that also fixes BPF_MOVSX sign-extension support and adds 32-bit atomic operations to the RV32 JIT. Together, the series brings the RV32 JIT closer to feature parity with its 64-bit counterpart. Correct signed arithmetic is essential for BPF programs that perform integer division on potentially negative values.
bpf: Print breakdown of insns processed by subprogs
Extends the BPF verifier's log output to include a per-subprogram breakdown of the instruction count processed during verification, rather than just reporting the aggregate total. This makes it much easier to identify which subprogram is responsible for hitting verifier complexity limits in large BPF programs composed of multiple subprograms. The companion patch adds a selftest exercising this new output format. This is a diagnostic quality-of-life improvement that helps developers debug complex BPF programs.
bpf: fix crash in bpf_[set|remove]_dentry_xattr for negative dentries
Fixes a kernel crash in the BPF LSM helpers bpf_set_dentry_xattr and bpf_remove_dentry_xattr when they are called with a negative dentry (one that does not resolve to an existing inode). Without this fix, operating on a negative dentry would cause a NULL pointer dereference. This is the second version of the fix, refining the approach from v1 submitted the previous day. The fix adds a proper check for the negative dentry case and returns an appropriate error code.
bpf: Fix out-of-bounds read in bpf_patch_call_args()
Fixes an out-of-bounds read in bpf_patch_call_args() that can occur when patching BPF-to-BPF call instructions during program loading. This is the first patch in a v9 three-part series; the second patch addresses a related s16 truncation bug for large call offsets that could produce incorrect branch targets. Together these fixes prevent memory safety issues in the BPF program loading path. The series also includes a selftest to exercise the large-offset call scenario.
selftests/bpf: Add BPF_STRICT_BUILD toggle
Introduces a BPF_STRICT_BUILD Makefile toggle as the first step in a large 11-patch series (v9) to allow the BPF selftests to build and run gracefully under partial kernel configurations. Without this work, missing kernel features (such as CONFIG options not selected) cause the entire selftest build to fail, making it difficult to run any tests on non-standard kernels. Subsequent patches in the series tolerate BPF/skeleton generation failures, test file compilation errors, benchmark build failures, and missing install files. This is important for downstream distributions and CI environments that build kernels with non-default configs.
Generated 2026-04-30T10:57:52Z
The bpf-next mailing list for April 28-29 featured correctness fixes in core BPF infrastructure alongside testing improvements. Yazhou Tang posted a v8 series fixing an out-of-bounds read and s16 truncation bug in `bpf_patch_call_args()` for programs with large bpf-to-bpf call offsets, while Justin Suess addressed an NMI deadlock in referenced kptr destructors. Paul Chaignon improved verifier diagnostics by printing per-subprogram instruction counts, and Ricardo B. Marlière continued a large selftests series enabling BPF tests to tolerate partial kernel builds.
bpf: Fix out-of-bounds read in bpf_patch_call_args()
Fixes an out-of-bounds read in `bpf_patch_call_args()` that can occur when patching bpf-to-bpf calls in programs with a large instruction count. The function previously lacked a bounds check before reading into the instruction buffer, creating a potential memory safety violation in the BPF core. This is patch 1 of a v8 three-patch series that also addresses a related s16 truncation bug for call offsets exceeding the 16-bit signed range. The series has gone through eight revisions reflecting the careful scrutiny applied to verifier-adjacent bug fixes.
bpf: Fix s16 truncation for large bpf-to-bpf call offsets
Addresses silent truncation of bpf-to-bpf call offsets when the relative distance between subprograms exceeds the range of a signed 16-bit integer. The offset was previously stored as s16 without range validation, causing the JIT to encode incorrect call targets in programs with many subprograms spread far apart in the instruction stream. This patch widens the representation and adds an explicit range check before encoding the call offset. It accompanies the out-of-bounds read fix submitted in the same v8 series by Yazhou Tang.
bpf: Limit fields used in btf_record_equal comparisons
Tightens the `btf_record_equal()` comparison to only consider the fields relevant for determining whether two BTF records are structurally equivalent. Comparing unnecessary fields can cause false mismatches or mask actual differences, and in this series the change is a prerequisite for safely restructuring BTF teardown. This is patch 1 of a 4-patch series titled "bpf: Fix NMI deadlock in referenced kptr destructors". The series also converts BTF teardown to rcu_work and fixes the kptr destructor deadlock in NMI context.
bpf: Fix deadlock in kptr dtor in nmi
Fixes a deadlock that arises when a referenced kptr destructor is invoked from NMI context on an SMP system. NMI handlers cannot safely acquire certain sleeping locks or spinlocks that the normal kptr destruction path takes, leading to a hard deadlock. The fix defers lock-requiring cleanup out of the NMI-safe hot path, relying on workqueue-based deferred execution introduced earlier in the series. A selftest reproducer accompanies the fix in patch 4/4.
bpf: Print breakdown of insns processed by subprogs
Extends the BPF verifier log to emit a per-subprogram breakdown of instructions processed during verification, in addition to the existing total count. Currently it is difficult to identify which subprogram dominates verification complexity when working with large BPF programs that contain many subprograms. The new output gives developers a direct signal for where to focus optimization efforts. This is the v2 revision of the series, paired with a selftest in patch 2/2.
selftests/bpf: Add BPF_STRICT_BUILD toggle
Introduces a `BPF_STRICT_BUILD` Makefile variable for the BPF selftests as the first step in an 11-patch v8 series aimed at tolerating partial kernel builds. When the toggle is absent, individual test build failures are treated as non-fatal, allowing the suite to compile and run whatever subset of tests the current kernel config supports. This is particularly valuable on distribution kernels and CI systems that do not enable every BPF feature. The series goes on to handle benchmark failures, skeleton generation errors, missing install files, and cross-test weak symbol definitions.
xskmap: reject TX-only AF_XDP sockets
Adds a validation check to `xskmap` that rejects AF_XDP sockets configured for TX-only operation at map update time. TX-only sockets have no receive queue, so placing them in an xskmap entry that the kernel uses for packet reception can cause a null pointer dereference on the RX path. The fix enforces the constraint early during `BPF_MAP_UPDATE_ELEM`, returning an error before a bad socket can be installed. This is the third revision of the patch.
Generated 2026-04-30T10:21:05Z
This period's bpf-next activity centered on a v10 series extending the BPF linked-list API with new kfuncs (bpf_list_del, bpf_list_add, bpf_list_is_first/last/empty), and a v2 series adding arm64 JIT support for stack arguments by remapping registers and wiring in the AArch64 calling convention. The day also brought a new XDP load-balancer benchmark suite, a bpf_init_inode_xattr kfunc for atomic inode security labeling, syncookie statistics fixes, and build-failure patches addressing undefined symbol references from recent cnum changes.
bpf: Introduce the bpf_list_del kfunc.
Adds bpf_list_del, a new kfunc that removes a node from a BPF linked list given a direct pointer to the node rather than requiring callers to manage the list head. This is the core new primitive in the v10 "Extend the bpf_list family of APIs" series, which has been iterated extensively to handle ownership semantics and verifier integration correctly. The kfunc plugs into the existing BPF ownership model so the verifier can statically reason about node membership and prevent double-removal bugs.
bpf: add bpf_list_is_first/last/empty kfuncs
Introduces three new introspection kfuncs—bpf_list_is_first, bpf_list_is_last, and bpf_list_empty—that let BPF programs query the position and emptiness of nodes in a linked list without full traversal. These predicates complement the bpf_list_del and bpf_list_add kfuncs added earlier in the same series, rounding out the mid-list manipulation API. Together the series enables BPF programs to implement significantly more expressive in-kernel data structures.
bpf, arm64: Add JIT support for stack arguments
Extends the arm64 BPF JIT to spill function arguments onto the stack when a call exceeds the number of available argument registers, which is required for kfuncs that take more arguments than AArch64 registers can hold. The patch works in tandem with an earlier change in the series that remaps BPF_REG_0 from x7 to x8 to align with the AArch64 indirect result location register convention. A companion selftest patch validates stack-argument passing behavior on arm64.
selftests/bpf: Add XDP load-balancer BPF program
Adds the core BPF XDP program for a new load-balancer benchmark suite intended to measure and track XDP forwarding performance across architectures and kernel versions. The seven-patch series also contributes a batch-timing library, a nop-baseline benchmark for overhead calibration, common definitions, a userspace benchmark driver, and a shell script for automated benchmark runs. The suite is designed for head-to-head regression testing rather than absolute throughput claims.
bpf: add bpf_init_inode_xattr kfunc for atomic inode labeling
Introduces bpf_init_inode_xattr, a new kfunc that allows BPF LSM programs to atomically set an xattr on a newly created inode during the inode_init_security hook, mirroring how in-kernel LSMs like SELinux and Smack perform mandatory access control labeling at creation time. Doing this atomically at initialization avoids the TOCTOU race that would result from setting xattrs after the inode is already visible. A companion selftest verifies the kfunc's behavior under the BPF LSM framework.
net: add missing syncookie statistics for BPF custom syncookies
Fixes a gap where TCP syncookie-sent and syncookie-received statistics counters are not incremented when BPF programs implement custom syncookie logic via the BPF sock_ops hooks. Without these increments, standard monitoring tools and kernel selftests cannot detect or verify that the custom syncookie path is active. The v3 series includes a selftest that validates the counter values after the fix is applied.
Fix undefined symbol references for module build post cnum changes
Fixes a module build breakage where symbols used by modular BPF components became undefined after recent cnum (circular number) infrastructure changes in the BPF tree. The patch adds EXPORT_SYMBOL annotations for the affected symbols to restore out-of-tree and modular kernel build compatibility. This follows a report from Thierry Reding that linux-next failed to build after pulling the bpf-next tree.
Generated 2026-04-29T10:09:27Z
April 26-27 brought three distinct series to bpf-next. The largest submission was Emil Tsalapatis's v9 of the libarena library, adding a buddy allocator and ASAN runtime for BPF arena-backed memory. David Windsor introduced a new kfunc for atomically labeling inodes with xattrs, and Jiayuan Chen fixed missing syncookie statistics for BPF custom syncookie implementations.
bpf: add bpf_init_inode_xattr kfunc for atomic inode labeling
Introduces bpf_init_inode_xattr(), a new kfunc that allows BPF programs to atomically set an xattr on an inode during its initialization phase, before the inode is visible to other processes. This is intended for LSM-based security labeling workflows where a label must be present before the first access. The companion patch (2/2) adds selftests covering the kfunc under various inode types.
selftests/bpf: add tests for bpf_init_inode_xattr kfunc
Adds a selftest suite for the bpf_init_inode_xattr kfunc introduced in patch 1/2. The tests attach a BPF LSM program to the inode_init_security hook and verify that the xattr is correctly set and readable after inode creation. Covers both success paths and error conditions such as oversized values or missing permissions.
net: add missing syncookie statistics for BPF custom syncookies
Fixes a gap where BPF programs using the custom syncookie mechanism (via the bpf_tcp_raw_gen_syncookie_ipv4/ipv6 kfuncs) did not increment the standard SYN cookie counters visible via netstat. This makes BPF-handled syncookies observable through the same monitoring interfaces as kernel-native syncookies. The v3 series also includes a selftest that verifies the statistics are updated correctly.
selftests/bpf: Add basic libarena scaffolding
Part of the v9 libarena series, this patch establishes the build scaffolding and test harness for a standalone user-space library that manages BPF arena memory. The library provides a C-callable allocator backed by BPF arena pages, letting user-space and BPF programs share memory without copying. Subsequent patches in the series add a buddy allocator and ASAN instrumentation for catching out-of-bounds accesses in arena-backed allocations.
selftests/bpf: Add buddy allocator for libarena
Adds a power-of-two buddy allocator to libarena so that BPF programs can perform dynamic memory allocation within a BPF arena. The buddy allocator supports split and merge operations for efficient reuse of arena pages without external fragmentation. This enables BPF programs that need variable-sized allocations — such as per-connection state blocks — to manage their own memory without resorting to fixed-size map elements.
Generated 2026-04-28T00:00:00Z
A single two-patch series from Eduard Zingerman addresses a correctness bug in the BPF verifier's range_within() function, which is used by is_state_visited() to prune redundant verification paths. The fix ensures that range subset checks operate on cnum (circular number) ranges rather than plain min/max pairs, preventing the verifier from incorrectly concluding that a prior state subsumes the current one.
bpf: range_within() must check cnum ranges instead of min/max pairs
This patch fixes a bug in the BPF verifier's range_within() helper, which checks whether one register value range is a subset of another. The function was comparing raw min/max pairs rather than the correct cnum (circular number) ranges, causing is_state_visited() to make incorrect pruning decisions during verification. An incorrect subset determination can cause the verifier to skip re-examining a code path it should explore, potentially leading to missed safety violations or spurious rejections. The fix aligns range_within() with the same cnum-based representation used elsewhere in the verifier's range tracking logic.
selftests/bpf: a test for proper cnums compare in is_state_visited()
This patch adds a selftest to the BPF test suite that exercises the corrected cnum-based range comparison in is_state_visited(). The test constructs a scenario where the old min/max comparison would have produced a wrong result, confirming that the verifier now makes the correct pruning decision. Having an explicit regression test prevents future changes from silently reintroducing the same class of state-pruning bug.
Generated 2026-04-26T09:56:49Z
April 24 was one of the busiest days recently on the bpf mailing list, with two major new-feature series landing alongside continued iteration on earlier work. Yonghong Song posted an 18-patch series implementing full stack argument support for BPF functions and kfuncs, covering verifier liveness analysis, precision backtracking, JIT backends for x86 and arm64, and a comprehensive test suite. Mykyta Yatsenko's 10-patch v3 series introduces a resizable hash map type backed by the kernel rhashtable, supporting automatic resizing, batch operations, and BPF iterators.
bpf: Support stack arguments for bpf functions
The first patch in an 18-patch series that adds support for passing arguments on the stack to BPF subprograms and kfuncs, lifting the current hard limit of five register-passed arguments. When more arguments are needed than available registers, a pointer to an argument area is passed in r11 (BPF_REG_PARAMS) and the verifier is taught to validate accesses through that pointer. This enables writing BPF programs and kfuncs with richer signatures without resorting to context structs.
bpf: Add precision marking and backtracking for stack argument slots
Extends the verifier's precision backtracking pass to cover the stack slots used for stack-passed arguments. Precision marking is needed so that the verifier can correctly identify which stack argument slots must be tracked precisely for safety proofs and state pruning. Without this extension, the verifier would either over-approximate or reject valid programs that use stack arguments. The patch integrates stack argument liveness into the existing precision propagation framework.
bpf: Support stack arguments for kfunc calls
Extends the stack argument mechanism from BPF-to-BPF calls to kfunc calls, allowing kfuncs to declare parameters beyond the five-register limit. The verifier validates that BPF programs set up the argument area correctly before calling such kfuncs and that the types of stack-passed arguments satisfy the kfunc's BTF annotations. This patch is a key enabler for kfuncs with complex or wide argument lists without requiring callers to bundle arguments into a struct.
bpf,x86: Implement JIT support for stack arguments
Implements the x86-64 JIT backend changes needed to emit code that sets up and tears down the stack argument area when calling functions or kfuncs with stack arguments. The JIT must allocate space on the program's stack frame, marshal arguments into the argument area, pass r11 pointing to it, and restore the stack afterward. A companion patch in the same series handles arm64.
bpf: Implement resizable hashmap basic functions
Introduces a new BPF map type BPF_MAP_TYPE_RHASH backed by the kernel's rhashtable, which automatically resizes as entries are inserted and removed. Unlike the existing BPF_MAP_TYPE_HASH, rhash does not require a pre-allocated fixed capacity and can grow without manual intervention, making it better suited for workloads with unpredictable cardinality. This first patch implements the core lookup, update, and delete operations; subsequent patches in the series add iterators, batch ops, timer/workqueue support, and libbpf/bpftool integration.
libbpf: Support resizable hashtable
Adds libbpf-side support for the new BPF_MAP_TYPE_RHASH map type, allowing userspace programs to create and interact with resizable hash maps through the standard libbpf map API. The patch updates the map type table and any type-specific helpers so that tools like bpftool and skeleton-generated code can handle rhash maps transparently.
bpf: representation and basic operations on circular numbers
V3 of the patch introducing cnum32 and cnum64 typed structs for circular integer range representation in the BPF verifier. This revision addresses review feedback on the arithmetic semantics and adds more thorough documentation of the invariants that the types maintain. The circular number abstraction replaces the existing eight loose scalar-range fields in bpf_reg_state, and this patch provides the foundational primitives used throughout the series.
bpf: Implement dtor for struct file BTF ID
V3 of the patch registering fput() as the destructor for the struct file BTF ID, enabling BPF programs to store referenced struct file kptrs in maps. The new version incorporates review feedback on the destructor registration mechanism and ensures the BTF ID lookup is robust across kernel configurations. Together with the accompanying selftest patch, this series allows BPF programs to hold long-lived file references in map storage for use across program invocations.
Generated 2026-04-25T10:15:04Z
Activity on April 23-24 centered on three series targeting verifier range tracking, kptrs, and kfunc call conventions. Eduard Zingerman posted v2 of a series refactoring bpf_reg_state by replacing bare min/max fields with a typed circular-number abstraction (cnum), enabling stronger 32-to-64-bit range refinements in the verifier. Justin Suess enabled struct file as a reference-counted kptr storable in BPF maps, while Yonghong Song posted v3 preparatory cleanups to verifier argument handling ahead of upcoming kfunc stack argument support.
bpf: representation and basic operations on circular numbers
Introduces cnum32 and cnum64, typed structs representing circular (wrapping) integer numbers with defined arithmetic semantics for use in the BPF verifier. Circular numbers more accurately model unsigned integer range constraints that can wrap around, avoiding the imprecision of separate smin/smax/umin/umax fields. This patch provides the foundation — constructors, comparison, and arithmetic primitives — that subsequent patches use to replace the existing verifier range fields. The approach enables more accurate range propagation, particularly for 32-to-64-bit sign-extension scenarios.
bpf: replace min/max fields with struct cnum{32,64}
Replaces the eight loose scalar range fields in bpf_reg_state (smin32, smax32, umin32, umax32, smin64, smax64, umin64, umax64) with two typed structs cnum32 and cnum64. The structural change enforces correct usage through accessor functions added in the preceding patch and eliminates a class of subtle bugs where fields could be updated inconsistently. This is the core mechanical transformation of the series, affecting the verifier's central register-state data structure.
bpf: Implement dtor for struct file BTF ID
Registers a destructor for the struct file BTF ID so that BPF programs can hold referenced kptrs to struct file objects in maps without leaking file references. Without a dtor, the kernel refuses to allow struct file as a referenced kptr type because it cannot safely release the reference on map entry deletion. The patch wires up fput() as the destructor, enabling map-stored file references to be properly cleaned up when entries are removed or the map is freed.
selftests/bpf: Add test for map-stored struct file kptrs
Adds a selftest exercising the new ability to store referenced struct file kptrs in BPF maps. The test acquires a file reference via a kfunc, stores it in a hash map, retrieves it, and verifies that the reference is properly released on map cleanup. Coverage confirms that both the kptr store/load paths and the destructor-triggered fput work correctly end-to-end.
bpf: Remove unused parameter from check_map_kptr_access()
A small clean-up removing a parameter from check_map_kptr_access() that is no longer used after earlier refactoring. This is the first of a nine-patch preparatory series that restructures verifier internals to support passing arguments on the stack to BPF functions and kfuncs. The patch series as a whole refactors argument tracking, memory/size pairing, and verifier log messages without yet enabling the stack-argument feature itself.
bpf: Introduce bpf register BPF_REG_PARAMS
Introduces a new pseudo-register alias BPF_REG_PARAMS (mapped to r11) to name the register that will hold a pointer to the stack-spilled arguments area when kfunc stack arguments are eventually supported. Using a named alias instead of a raw register number makes the upcoming JIT and verifier changes easier to follow and review. This patch is part of the v3 preparatory series by Yonghong Song and does not yet enable stack argument passing.
Generated 2026-04-25T10:15:04Z
Activity on April 21-22 was dominated by two major verifier-adjacent series: Yonghong Song's v2 9-patch series preparing the BPF verifier and calling convention to support stack-based arguments for kfuncs, and Amery Hung's v3 refactor of verifier object relationship tracking that also fixes a dynptr use-after-free bug. Mykyta Yatsenko's long-running effort to add sleepable tracepoint program support reached its 11th revision, while Emil Tsalapatis pushed an 8th iteration of the arena library and runtime. Eduard Zingerman also submitted an RFC proposing a structural overhaul of verifier scalar range tracking using typed circular number types.
bpf: Introduce bpf register BPF_REG_PARAMS
Introduces a new BPF pseudo-register BPF_REG_PARAMS as part of the groundwork for supporting stack-based calling conventions in kfuncs. Currently all kfunc arguments pass through the standard register file; adding stack argument support requires a dedicated register to track the stack parameter region. This is patch 8 of 9 in Yonghong Song's v2 series 'bpf: Prepare to support stack arguments', which makes several preparatory refactors before the stack ABI extension lands.
bpf: Refactor object relationship tracking and fix dynptr UAF bug
Refactors how the BPF verifier tracks ownership and dependency relationships between objects such as dynptrs, slices, and kptrs, and simultaneously fixes a use-after-free bug in dynptr handling. The prior tracking was ad hoc and missed some invalidation paths, allowing a program to use a dynptr after the underlying object was released. This is the core patch in Amery Hung's v3 9-patch series on verifier object relationship tracking.
bpf: Unify dynptr handling in the verifier
Consolidates the divergent code paths for dynptr validation in the BPF verifier into a single unified representation and set of helpers. The unification is a prerequisite for the subsequent object relationship tracking refactor in the same series. Together the series improves correctness guarantees for dynptr lifetime and cloning.
bpf: Add sleepable support for raw tracepoint programs
Extends the BPF raw tracepoint infrastructure to allow programs to be marked sleepable, enabling use of blocking helpers and memory allocations within raw tracepoint handlers. Sleepable tracepoint programs are valuable for observability use cases that need to perform I/O or acquire locks during event capture. This is the first of six patches in Mykyta Yatsenko's 11th revision, which also covers classic tracepoints, verifier support, and libbpf section handlers.
selftests/bpf: Add basic libarena scaffolding
Introduces the foundational test scaffolding for libarena, a new userspace-style dynamic memory management library built on top of BPF arena maps. libarena aims to give BPF programs safe, flexible allocation patterns without requiring fixed-size map entries. This is part of Emil Tsalapatis's v8 8-patch series, which includes a buddy allocator, ASAN runtime support, and comprehensive selftests.
bpf: replace min/max fields with struct cnum{32,64}
RFC patch replacing the loose scalar min/max range fields in bpf_reg_state with typed circular number structs (cnum32/cnum64) that encode value and bit-width together. The goal is to make verifier range tracking structurally sound and enable better 32-to-64-bit range refinements. This is the central patch of Eduard Zingerman's 4-patch RFC series, which first introduces the cnum abstraction and accessor functions before applying the broad refactor.
bpf, x86: Granlund-Montgomery optimization for 64-bit div/mod by immediate
Applies the Granlund-Montgomery algorithm to the BPF x86 JIT, replacing expensive hardware division instructions with a multiply-and-shift sequence when the divisor is a compile-time immediate. Division is among the slowest x86 instructions, and BPF programs with tight loops that perform constant-divisor modulo or divide operations benefit significantly. This is the third revision of the single-patch optimization.
bpf: Fix out-of-bounds read in bpf_patch_call_args()
Fixes an out-of-bounds memory read in bpf_patch_call_args() that could be triggered by BPF-to-BPF calls with large offsets. The function failed to account for all expansion cases when reallocating the instruction array, allowing reads past the buffer end. This is the first of three patches in Yazhou Tang's v7 series, which also fixes s16 truncation of large call offsets and adds a regression selftest.
Generated 2026-04-23T00:00:00Z
Today's bpf-next activity spanned three significant feature series alongside a pair of RFC submissions. Leon Hwang's long-running series (now at v12) to extend the BPF syscall with common attributes landed alongside new kfunc work from Mahe Tardy and arm64 JIT improvements from Puranjay Mohan. Mohan also submitted an RFC XDP load-balancer benchmark framework, while Justin Suess introduced support for storing referenced struct file kptrs in BPF maps.
bpf: Implement dtor for struct file BTF ID
Implements a destructor for the struct file BTF ID, enabling BPF maps to store referenced struct file kptrs. This is the core kernel patch of a two-part series that adds proper lifecycle management for file references held inside BPF maps. Tracking struct file references prevents resource leaks when map entries are removed or the map itself is destroyed. The accompanying selftest verifies that map-stored file kptrs are correctly acquired and released.
bpf, arm64: Map BPF_REG_0 to x8 instead of x7
Remaps BPF_REG_0 to the arm64 x8 register (the indirect result register) to free x7 for use as a stack-argument-passing register under the AAPCS64 calling convention. This register reassignment is a prerequisite for the arm64 BPF JIT to support BPF programs calling kernel functions that pass arguments on the stack rather than solely in registers. Follow-on patches in the series add the JIT logic for stack arguments and enable the relevant selftests on arm64.
bpf: Extend BPF syscall with common attributes support
Introduces a unified common-attributes mechanism for the BPF syscall, allowing prog_load, btf_load, and map_create commands to share a consistent log-size reporting path. At version 12, this series also adds libbpf support and the ability for userspace to retrieve the true log buffer size when BPF object loading fails. The change reduces duplication in the BPF syscall implementation and makes failure diagnostics more consistent across all BPF object types.
bpf: add bpf_icmp_send_unreach kfunc
Adds a new kfunc bpf_icmp_send_unreach that allows BPF programs to generate ICMP destination-unreachable messages for both IPv4 and IPv6. This enables tc and XDP programs to reject packets with meaningful ICMP feedback rather than silently dropping them, improving network-level error signaling. The series refactors netfilter helper functions into core ipv4/ipv6 to make them reusable outside of netfilter, and is accompanied by comprehensive tests covering both address families and recursion safety.
selftests/bpf: Add bench_force_done() for early benchmark completion
First patch of an RFC series adding an XDP load-balancer benchmark to the BPF selftest suite. This patch introduces bench_force_done(), a helper that lets a benchmark signal early completion without waiting for the full configured duration. Subsequent patches build a batch-timing library, a full XDP load-balancer BPF program with common definitions, and a driver and shell script to run the benchmark end-to-end. The RFC status invites feedback on the benchmark design and infrastructure before finalization.
selftests/bpf: fix off-by-one in bpf_cpumask_populate related selftest
Fixes an off-by-one error in the selftest for bpf_cpumask_populate. The bug caused the test to iterate one index past the valid CPU range, potentially producing incorrect results or accessing memory beyond the expected bounds on systems with specific CPU counts. This is a standalone single-patch fix with no other dependencies.
Generated 2026-04-22T00:00:00Z
Activity on April 19–20 was dominated by Yonghong Song's v6 of the stack-arguments series for BPF functions and kfuncs, a 17-patch set that extends the BPF calling convention to pass arguments on the stack beyond the standard six registers with full x86-64 JIT support. Two smaller patches rounded out the day: Aaron Tomlin fixed libbpf to properly reject negative kprobe offsets, and Matt Bobrowski corrected an off-by-one error in the bpf_cpumask_populate selftest.
bpf: Support stack arguments for bpf functions
This patch adds verifier support for BPF subprogram functions to receive arguments on the stack, enabling function signatures with more than the standard six register-based parameters. A new BPF_REG_PARAMS mechanism tracks the stack argument state through verifier analysis, and the calling convention is updated to lay out excess parameters in a well-defined region of the caller's stack frame. This is patch 07 of a 17-part series (v6) that collectively introduces stack argument passing for both BPF functions and kfuncs. The change is the core enabler for the rest of the series and requires corresponding JIT backend work to become operational.
bpf: Support stack arguments for kfunc calls
Extends the new stack argument infrastructure to kfunc calls, allowing kernel functions exposed to BPF programs to accept arguments beyond the six-register limit. The verifier is updated to validate that stack argument types and sizes match the expected kfunc BTF signature, keeping the calling convention consistent with BPF-to-BPF calls. This patch is the twelfth in the series and pairs tightly with the BPF subprogram stack argument changes introduced earlier. Unified handling across both call sites simplifies future extensions to the argument-passing mechanism.
bpf,x86: Implement JIT support for stack arguments
Implements the x86-64 JIT backend changes required to physically place excess function arguments onto the stack when calling BPF subprograms or kfuncs. The JIT allocates additional stack space for spilled parameters and emits the appropriate store instructions to lay them out before the call site. Programs using stack arguments are rejected by the verifier on architectures without JIT support, making this x86-64 implementation the first concrete gate that allows the feature to be used in practice. Other JIT backends can add independent support following the same pattern.
libbpf: Report error when a negative kprobe offset is specified
Fixes a libbpf bug where a negative offset for a kprobe attachment would be silently accepted rather than rejected at the library level, leading to confusing downstream failures. With this patch, libbpf validates the offset field and returns a clear EINVAL if a negative value is provided. This is the third revision of the fix, addressing earlier review feedback on where in the attachment path the check should live. Negative kprobe offsets are not supported by the kernel and catching them early improves the user experience for programs that misconfigure their probes.
selftests/bpf: fix off-by-one in bpf_cpumask_populate related selftest
Corrects an off-by-one error in a BPF selftest exercising bpf_cpumask_populate, where the loop bound caused a read one element past the intended array boundary. The bug could produce spurious failures or undefined behavior on configurations where the adjacent memory was not safely accessible. The fix is a one-line bound correction with no impact on the BPF subsystem itself. Keeping selftests clean ensures CI results accurately reflect real regressions rather than test-infrastructure noise.
Generated 2026-04-21T00:00:00Z
Today's bpf-next activity featured three series spanning the verifier, kfuncs, and libbpf. Kumar Kartikeya Dwivedi posted v3 of a series adding verifier warning infrastructure and a kfunc deprecation annotation, enabling non-fatal diagnostic messages during BPF program loading. Puranjay Mohan posted v13 of a long-running series introducing CPU time counter kfuncs with arm64 JIT support, bringing high-resolution per-CPU timing to BPF programs.
libbpf: Report error when a negative kprobe offset is specified
libbpf now returns an error when a user specifies a negative offset for a kprobe attachment point. Previously this case could be silently accepted, leading to undefined behavior at attach time. This is a defensive input validation improvement that catches misconfigured kprobe offsets early during program load rather than at runtime.
bpf: Add support for verifier warning messages
Introduces a new mechanism in the BPF verifier to emit non-fatal warning messages during program verification. Unlike verifier errors that abort loading, warnings allow programs to load successfully while surfacing diagnostic information to the user. This patch is the foundation of the series, adding the core warning message infrastructure that subsequent patches in the series build upon.
bpf: Introduce __bpf_kfunc_mark_deprecated annotation
Adds the `__bpf_kfunc_mark_deprecated` annotation macro that kernel developers can use to mark kfuncs as deprecated. When a BPF program calls a deprecated kfunc, the verifier emits a warning rather than rejecting the program outright. This enables gradual kfunc lifecycle management, giving users time to migrate away from old APIs without breaking existing BPF programs.
libbpf: Request verifier warnings for object loads
Updates libbpf to opt in to the new verifier warning infrastructure when loading BPF objects, so that warning messages emitted by the kernel verifier are surfaced to userspace. This wires the kernel-side warning mechanism into the standard BPF program loading path. Users relying on libbpf will automatically receive deprecation and other verifier warnings without any application-level changes.
bpf: add bpf_get_cpu_time_counter kfunc
Introduces the `bpf_get_cpu_time_counter` kfunc, which exposes the per-CPU hardware time counter to BPF programs. This allows BPF programs to perform high-resolution timing measurements using the CPU's native cycle counter. Part of a series that has reached v13 after extensive review, this kfunc gives BPF programs direct access to low-overhead hardware timing primitives.
bpf: add bpf_cpu_time_counter_to_ns kfunc
Adds `bpf_cpu_time_counter_to_ns` as a companion kfunc to convert raw CPU time counter values to nanoseconds. Raw cycle counter values are CPU-frequency-dependent and not directly portable, so this conversion kfunc makes timing results meaningful across different hardware. Together with `bpf_get_cpu_time_counter`, BPF programs can now perform accurate, portable elapsed-time measurements.
bpf, arm64: Add JIT support for cpu time counter kfuncs
Adds arm64 JIT backend support for the new CPU time counter kfuncs, enabling them to be efficiently inlined on AArch64 hardware. Without JIT support the kfuncs would fall back to a slower generic execution path. This patch completes the architecture-specific optimization needed for production-quality use of the CPU timing kfuncs on arm64 systems.
Generated 2026-04-19T09:51:17Z
A busy day on bpf-next dominated by Jiri Olsa's 28-patch tracing_multi link series, which introduces a new BPF link type for attaching a single program to multiple kernel functions simultaneously via a single syscall. Yonghong Song's 16-patch series adding stack argument support for BPF functions and kfuncs also appeared, extending the calling convention to pass structs beyond the six-register limit on x86-64.
bpf: Add support for tracing multi link
Introduces the new BPF_LINK_TYPE_TRACING_MULTI link type, allowing a single BPF tracing program to be attached to many kernel functions at once rather than requiring one link per function. The implementation reuses and extends the existing trampoline infrastructure, adding bpf_trampoline_multi_attach/detach helpers to manage bulk attachment. This is a significant usability improvement for tools that need to trace large numbers of functions—for example, function-graph style tracers or security monitors—without the overhead of managing thousands of individual links.
libbpf: Add support to create tracing multi link
Adds the libbpf-side API for creating tracing_multi links, exposing the new kernel capability to userspace BPF programs. The patch wires up bpf_link_create() for the new attach type and introduces a btf_type_is_traceable_func() helper so that callers can filter BTF entries to only traceable functions before bulk attachment. Together with the kernel patches in this series, libbpf users gain a high-level interface for multi-function tracing.
bpf: Support stack arguments for bpf functions
Extends the BPF verifier and calling convention to allow struct arguments larger than eight bytes to be passed on the stack to BPF-to-BPF calls, mirroring the C ABI on x86-64. Previously BPF functions were limited to six register-width arguments; this patch introduces the BPF_REG_PARAMS pseudo-register to track stack-passed parameters and updates the verifier to validate them. The change is a prerequisite for supporting the full kfunc calling convention when kfuncs themselves accept stack-spilled arguments.
bpf: Support stack arguments for kfunc calls
Adds verifier support for kfunc calls that take struct arguments passed on the stack, complementing the BPF-function stack-argument patch in the same series. The patch enforces that such structs are no larger than eight bytes per slot and rejects stack arguments when tail calls are reachable (since tail calls don't preserve the stack frame). x86-64 JIT emission for the new calling convention is handled by a companion patch in the series.
bpf: Extend BTF UAPI vlen, kinds to use unused bits
Expands the BTF type-info fields by repurposing currently-unused bits in the type_info word, raising the vlen limit from 16 bits to 24 bits and the kind field from 5 bits to 8 bits. This removes a long-standing constraint on the number of struct members and enum values that can be described in a single BTF type, which matters for very large auto-generated BTF from complex kernel structs. The series updates libbpf, bpftool, and selftests to handle the wider fields, with libbpf gaining a feature-probe to detect kernel support.
arm32, bpf: Reject BPF-to-BPF calls and callbacks in the JIT
Makes the 32-bit ARM BPF JIT explicitly reject programs that use BPF-to-BPF calls or callbacks, which the JIT does not implement, rather than silently producing incorrect code. This is a correctness fix: without the rejection the interpreter would be invoked as a fallback but with a JIT-compiled caller, leading to undefined behavior. The v2 revision consolidates the rejection of both BPF_PSEUDO_CALL and callback-carrying helper calls into a single check.
selftests/bpf: Trace bpf_local_storage_update to debug flaky local storage tests
Adds a fentry tracepoint on bpf_local_storage_update in the BPF local-storage selftests to capture diagnostic information when the tests fail intermittently. Flaky local-storage tests have been observed under memory pressure; the additional tracing helps identify whether failures correlate with concurrent updates or allocation failures. This is a test-infrastructure improvement rather than a kernel change.
Generated 2026-04-18T09:52:31Z
A productive day on bpf-next with three major series in flight. Yonghong Song's v5 stack-argument series for BPF functions and kfuncs reached near-final shape, while Paul Chaignon posted an RFC improving verifier register-bounds refinement for 32-to-64-bit range propagation. Mykyta Yatsenko fixed a NULL dereference in the verifier's kptr slot type-checking path, and Nick Hudson continued refining tunnel decapsulation flags for skb_adjust_room.
bpf: Support stack arguments for bpf functions
The core patch of Yonghong Song's 16-patch v5 series, teaching the BPF verifier to accept struct arguments passed on the stack in BPF-to-BPF calls. A new BPF_REG_PARAMS pseudo-register tracks the stack pointer for parameter spilling, and the verifier validates that stack slots are properly initialized before the call. The x86-64 JIT is updated in a companion patch to emit the required push/pop sequences, while non-JITed paths and tail-call-reachable paths are explicitly rejected.
bpf: Fix NULL deref in map_kptr_match_type for scalar regs
Fixes a NULL pointer dereference in map_kptr_match_type() that occurs when a BPF program tries to store a scalar register into a map slot typed as a kernel pointer (kptr). The function assumed the source register always holds a pointer with associated BTF type info, but scalars have no such info, causing a crash during verification. The fix adds a scalar-register check before accessing the BTF type, and the companion selftest confirms the verifier now properly rejects such stores.
bpf: Extend BTF UAPI vlen, kinds to use unused bits
Version 2 of Alan Maguire's series widening the BTF type-info word's vlen field from 16 to 24 bits and the kind field from 5 to 8 bits by repurposing reserved bits. The kernel change is accompanied by libbpf updates that add a feature probe for extended-vlen kernel support and adjust btf_vlen() to return __u32, plus bpftool changes to display and handle 24-bit vlen values. This removes a hard ceiling on the number of members in large structs and enum types representable in BTF.
bpf/verifier: Use intersection checks when simulating to detect dead branches
An RFC series improving the BPF verifier's ability to prune dead branches by using intersection checks between tnum (tracked number) constraints and integer range bounds when simulating conditional jumps. The series also fixes a bug in the verifier's slow-mode reg_bounds path and improves 32-to-64-bit range refinement so that the verifier derives tighter 64-bit bounds from known 32-bit constraints. Several new selftests capture the refinement cases that were previously missed.
bpf: add BPF_F_ADJ_ROOM_DECAP_* flags for tunnel decapsulation
Introduces new BPF_F_ADJ_ROOM_DECAP_L3_IPV4 and BPF_F_ADJ_ROOM_DECAP_L3_IPV6 flags for the bpf_skb_adjust_room() helper, allowing BPF programs performing tunnel decapsulation to signal the kernel that the outer IP header has been removed. A companion patch clears the GSO tunnel state in skb_adjust_room when decap flags are set, preventing the networking stack from incorrectly re-segmenting the now-bare inner packet. The v4 revision also adds a tc_tunnel selftest validating the GSO state after decapsulation.
selftests/bpf: Add BPF_STRICT_BUILD toggle
The first patch of Ricardo B. Marlière's v7 11-patch series that makes the BPF selftest build system more robust against partial kernel configurations. This patch adds a BPF_STRICT_BUILD Makefile toggle: when unset, compilation and BPF skeleton generation failures are tolerated rather than aborting the whole build. Subsequent patches in the series handle benchmark build failures, cross-test weak-symbol definitions, and install-time missing-file tolerance, making it practical to build and run BPF selftests on distro kernels without full source trees.
Generated 2026-04-17T10:16:06Z
The most notable submission was Mykyta Yatsenko's v10 of sleepable tracepoint support, a long-requested feature that allows raw and classic tracepoint BPF programs to call sleeping helpers and kfuncs. Nick Hudson's v4 series introduced new BPF_F_ADJ_ROOM_DECAP_* flags to fix GSO state corruption during tunnel decapsulation. Harishankar Vishwanathan improved the verifier's branch pruning with tnum intersection checks, and Ricardo B. Marlière posted an 11-patch series overhauling the BPF selftests build system to tolerate partial kernel configurations.
bpf: Add sleepable support for raw tracepoint programs
Adds support for BPF programs attaching to raw tracepoints to be marked sleepable, enabling them to call helpers and kfuncs that may sleep. This has been a long-requested feature (v10 of this series), as raw tracepoints see heavy use in production tracing infrastructure but could not previously use the growing set of sleepable-only BPF primitives. The series also extends libbpf with new section handlers for sleepable tracepoints and adds verifier logic to validate the sleepable flag for these program types.
bpf: add BPF_F_ADJ_ROOM_DECAP_* flags for tunnel decapsulation
Introduces new BPF_F_ADJ_ROOM_DECAP_* flags for the bpf_skb_adjust_room() helper to properly signal tunnel decapsulation operations to the kernel. Previously, programs performing decapsulation had no standard way to inform the kernel that GSO state needed updating after header removal, leading to potential packet corruption on large segmented packets. This series pairs the new flags with a fix to clear GSO state appropriately in skb_adjust_room when decapsulating.
bpf/verifier: Use intersection checks when simulating to detect dead branches
Improves the BPF verifier's branch pruning by computing tnum/u64 intersections to detect branches that can never be taken given current register constraints. This reduces the number of states the verifier must explore for programs with range checks, lowering verification time for complex programs. The accompanying selftest adds cases where the tnum and u64 ranges produce an empty intersection, verifying that the verifier correctly prunes those paths.
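The empty-intersection case described above (and in the RFC entry under 2026-04-18), as an added example that is not taken from the patch series: it contrasts a bounds-only overlap test with an exact test that finds the smallest tnum member at or above umin. The function names and the algorithm are this example's own assumptions, not the verifier's implementation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Tracked number: bits set in mask are unknown, the rest are fixed to the
 * matching bits of value (value & mask == 0). Members are value | s for
 * every subset s of mask. */
struct tnum { uint64_t value; uint64_t mask; };

/* All bit positions strictly above 'bit' (0 when bit is the top bit). */
static uint64_t bits_above(unsigned int bit)
{
    return bit >= 63 ? 0 : ~0ULL << (bit + 1);
}

/* Bounds-only test: compares the tnum's min/max against [umin, umax].
 * It can report overlap even when no member actually lies in the range. */
bool coarse_overlap(struct tnum t, uint64_t umin, uint64_t umax)
{
    return t.value <= umax && (t.value | t.mask) >= umin;
}

/* Exact: smallest member x of t with x >= umin. Returns false if none. */
bool tnum_next_member(struct tnum t, uint64_t umin, uint64_t *out)
{
    /* Known bits where umin disagrees with the tnum. */
    uint64_t incompat = (umin ^ t.value) & ~t.mask;
    if (!incompat) {            /* umin itself is a member */
        *out = umin;
        return true;
    }
    unsigned int d = 63 - (unsigned int)__builtin_clzll(incompat);
    uint64_t above = bits_above(d);

    if (!(umin & (1ULL << d))) {
        /* Known bit d is 1 where umin has 0: keep umin's prefix above d,
         * then take the minimal suffix (known bits only). */
        *out = (umin & above) | (t.value & ~above);
        return true;
    }
    /* Known bit d is 0 where umin has 1: a higher unknown bit that is 0
     * in umin must be raised to 1. The lowest such bit gives the minimum. */
    uint64_t cand = ~umin & t.mask & above;
    if (!cand)
        return false;
    unsigned int p = (unsigned int)__builtin_ctzll(cand);
    *out = (umin & bits_above(p)) | (1ULL << p) | (t.value & ((1ULL << p) - 1));
    return true;
}

/* True only if some member of t lies in [umin, umax]; false means a branch
 * requiring both constraints is dead. */
bool tnum_range_intersects(struct tnum t, uint64_t umin, uint64_t umax)
{
    uint64_t x;

    if (umin > umax || !tnum_next_member(t, umin, &x))
        return false;
    return x <= umax;
}

int main(void)
{
    /* Constructed sample: multiples of 16 up to 0xF0 vs. range [0x11, 0x1F]. */
    struct tnum t = { 0x00, 0xF0 };

    printf("coarse=%d exact=%d\n",
           coarse_overlap(t, 0x11, 0x1F),
           tnum_range_intersects(t, 0x11, 0x1F));
    return 0;
}
```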
bpf: copy BPF token from main program to subprograms
V4 of the fix ensuring BPF token delegation is correctly propagated from a main BPF program to its subprograms during verification. Without this, privileged operations in subprograms are incorrectly rejected even when the token grants the necessary permissions. This iteration addresses review feedback from v3 and improves selftest coverage verifying that kallsyms entries are present for token-loaded subprograms.
selftests/bpf: Add BPF_STRICT_BUILD toggle
First patch in an 11-part series overhauling the BPF selftests build system to tolerate partial kernel configurations. Introduces a BPF_STRICT_BUILD toggle that lets upstream enforce strict build behavior while allowing distro kernel CI environments to skip tests for features not compiled in. The full series handles BPF object compilation failures, skeleton generation failures, benchmark build failures, and install-time missing file handling.
selftests/bpf: Use local type for flow_offload_tuple_rhash in xdp_flowtable
Updates BPF selftests to use local type definitions for kfunc declarations rather than pulling in internal kernel headers directly, improving portability across kernel versions and configurations. The series covers two test files—xdp_flowtable and test_tunnel_kern—both of which referenced internal kernel types that can differ between kernel builds. Using local type definitions avoids header inclusion issues that arise when testing against distro or out-of-tree kernels.
Generated 2026-04-17T00:00:00Z
The day's patches centered on two substantial new features: Alan Maguire's series extending BTF's btf_type struct to use previously unused bits for larger vlen and kind fields, and Leon Hwang's v4 series introducing global per-CPU data support in BPF programs. Eduard Zingerman continued refining BPF token propagation to subprograms, while KaFai Wan added a kernel-side guard rejecting TCP_NODELAY from BPF TCP header option callbacks.
bpf: Introduce global percpu data
Introduces first-class support for global per-CPU variables in BPF programs, allowing programs to declare and use per-CPU data in a way that is reflected in generated skeletons. This eliminates the need for manual per-CPU map management when global per-CPU state is desired. The series also adds BPF_F_ALL_CPUS flag support for per-CPU map updates and extends libbpf with feature probing and skeleton generation for the new type.
bpf: Extend BTF UAPI vlen, kinds to use unused bits
Extends the BTF btf_type UAPI to repurpose previously unused bits, expanding the vlen field from 16 to 24 bits and the kind field from 5 to 8 bits. This unblocks future growth of BTF type counts (particularly for large structs with many members) and new kind definitions. The series includes matching libbpf feature detection, bpftool support for the wider fields, and selftest coverage for the new limits.
bpf: copy BPF token from main program to subprograms
Fixes a bug where the BPF token associated with a main program was not propagated to its subprograms during verification, causing permission checks on subprogram-specific operations to fail when loading via token delegation. Without this fix, privileged operations in subprograms could be incorrectly rejected even when the token grants the necessary permissions. The accompanying selftest verifies that kallsyms entries are correctly created for token-loaded subprograms.
bpf: tcp: Reject TCP_NODELAY from BPF hdr opt callbacks
Adds a kernel-side guard to reject attempts to set TCP_NODELAY from within BPF TCP header option write and reserve callbacks. Setting TCP_NODELAY from these callbacks can cause unexpected behavior because the callback context does not allow safe modification of socket-level TCP flags. The patch ensures consistent and safe behavior by failing such attempts early with an appropriate error code.
bpf: Refactor dynptr mutability tracking
Refactors how the BPF verifier tracks whether a dynptr is mutable or read-only, consolidating the logic to make it cleaner and easier to extend. The existing tracking was spread across multiple code paths using implicit conventions; this change makes mutability an explicit property of dynptr state. This v3 incorporates reviewer feedback from earlier rounds and should make future dynptr feature additions less error-prone.
s390/bpf: inline smp_processor_id and current_task
Teaches the s390 BPF JIT to inline calls to smp_processor_id() and current_task rather than emitting out-of-line function calls. Inlining these frequently-used helpers reduces call overhead and improves performance of BPF programs running on s390 hardware. This brings s390 more in line with x86 and arm64 JITs which have had similar optimizations for some time.
Generated 2026-04-17T00:00:00Z
Activity for April 13-14 was dominated by two significant RFC proposals: KASAN instrumentation for JIT-compiled BPF programs on x86, and an expanded atomics selftest suite targeting cpuv4 and sub-32-bit operations. The day also saw important verifier fixes from Eduard Zingerman correcting argument tracking through imprecise and multi-offset stack pointers, plus a use-after-free fix in BPF arena's fork handling from Alexei Starovoitov. Security hardening continued with Xu Kuohai's v14 series adding ENDBR/BTI emission for indirect jump targets across x86 and arm64.
bpf: add BPF_JIT_KASAN for KASAN instrumentation of JITed programs
This RFC introduces a new Kconfig option BPF_JIT_KASAN that enables Kernel Address Sanitizer checks inside JIT-compiled BPF programs on x86. The series works by having the BPF verifier mark instructions that access the program stack, then having the x86 JIT emit inline KASAN shadow-memory checks around those accesses. This brings the same memory-safety guarantees that KASAN provides to kernel C code into the JIT-compiled BPF execution path, significantly improving the ability to catch out-of-bounds and use-after-free bugs in BPF programs. The series is eight patches covering KASAN helper exposure, stack-access marking in the verifier, the core Kconfig, x86 JIT emission, and selftests.
bpf: Fix use-after-free in arena_vm_close on fork
This single patch fixes a use-after-free bug triggered when a process that has a BPF arena mapped forks and then the child or parent closes the arena's VM region. The arena_vm_close callback was accessing memory that could already be freed in the fork path, leading to potential memory corruption or a kernel crash. The fix ensures proper reference counting and ordering so that the arena structure remains valid for the lifetime of all mappings referencing it.
bpf: fix arg tracking for imprecise/multi-offset BPF_ST/STX
This v2 two-patch series corrects the BPF verifier's argument liveness tracking for BPF_ST and BPF_STX instructions when accessed through imprecise or multi-offset stack pointers. Without this fix, the verifier could fail to mark stack slots as live, causing incorrect pruning of program states and potentially accepting unsafe programs or rejecting valid ones. The companion selftest patch adds regression coverage for these edge cases involving imprecise pointer arithmetic targeting stack memory.
bpf: Move constants blinding out of arch-specific JITs
This is the base patch of a v14 five-patch series that refactors BPF JIT infrastructure to enable emission of ENDBR (x86 IBT) and BTI (arm64) instructions at indirect jump targets. The series first centralizes constant blinding out of arch-specific JITs, then passes bpf_verifier_env into the JIT, adds a generic helper to identify indirect jump targets, and finally adds x86 ENDBR and arm64 BTI emission. The result hardens JIT-compiled BPF programs against control-flow hijacking attacks on hardware that supports CET/BTI.
bpf, arm64: Remove redundant bpf_flush_icache() after pack allocator finalize
This v2 series removes redundant instruction-cache flush calls on arm64 and RISC-V that were being issued after the BPF pack allocator's finalize step. The pack allocator already performs an icache flush as part of finalization, making the subsequent flush in the JIT code superfluous and wasteful. Eliminating the duplicate flushes reduces overhead during BPF program load, particularly for workloads that frequently load and unload programs.
selftests/bpf: Prevent allocating data larger than a page
This three-patch series fixes bugs in the BPF task local storage selftests where allocations larger than a page were permitted, leading to garbage data being returned by tld_get_data(). The series adds a guard against oversized allocations, fixes the garbage-data return path, and adds a new selftest verifying that small task local data allocations work correctly end-to-end. These fixes improve reliability of the task local storage feature for programs that use it to track per-task state.
bpf/tests: Exhaustive test coverage for signed division and modulo
This v3 single patch adds exhaustive test cases for signed 32-bit and 64-bit division and modulo operations in the BPF test infrastructure. The tests cover edge cases including division by negative numbers, INT_MIN divided by -1 (overflow), and modulo by negative divisors, which are all areas where interpreter and JIT implementations can diverge. Comprehensive coverage here helps catch correctness regressions across different architectures when new JIT backends are added or existing ones are modified.
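A reference model for the edge cases listed above, as an added example that is not code from the patch: it follows the signed division and modulo semantics of the BPF instruction set specification (RFC 9669), where the overflowing case is defined rather than trapping, and the function names are this example's own. In plain C, INT_MIN / -1 is undefined behavior, so each case is guarded explicitly.

```c
#include <stdint.h>
#include <stdio.h>

/* 64-bit BPF_SDIV: division by zero yields 0, INT64_MIN / -1 yields
 * INT64_MIN, everything else truncates toward zero. */
int64_t bpf_sdiv64(int64_t dst, int64_t src)
{
    if (src == 0)
        return 0;
    if (dst == INT64_MIN && src == -1)
        return INT64_MIN;
    return dst / src;
}

/* 64-bit BPF_SMOD: modulo by zero leaves dst unchanged, INT64_MIN % -1
 * yields 0, and the result takes the sign of the dividend. */
int64_t bpf_smod64(int64_t dst, int64_t src)
{
    if (src == 0)
        return dst;
    if (src == -1)              /* also covers INT64_MIN % -1 */
        return 0;
    return dst % src;
}

/* 32-bit variants operate on the low 32 bits and zero-extend the result
 * into the 64-bit register. The unsigned-to-signed casts rely on the usual
 * two's-complement conversion that GCC and Clang provide. */
uint64_t bpf_sdiv32(uint64_t dst, uint64_t src)
{
    int32_t a = (int32_t)(uint32_t)dst;
    int32_t b = (int32_t)(uint32_t)src;
    int32_t res;

    if (b == 0)
        res = 0;
    else if (a == INT32_MIN && b == -1)
        res = INT32_MIN;
    else
        res = a / b;
    return (uint32_t)res;
}

uint64_t bpf_smod32(uint64_t dst, uint64_t src)
{
    int32_t a = (int32_t)(uint32_t)dst;
    int32_t b = (int32_t)(uint32_t)src;
    int32_t res;

    if (b == 0)
        res = a;                /* dst keeps its low 32 bits */
    else if (b == -1)
        res = 0;
    else
        res = a % b;
    return (uint32_t)res;
}

int main(void)
{
    printf("INT64_MIN / -1 = %lld\n", (long long)bpf_sdiv64(INT64_MIN, -1));
    printf("INT64_MIN %% -1 = %lld\n", (long long)bpf_smod64(INT64_MIN, -1));
    printf("-7 %% 3 = %lld, 7 %% -3 = %lld\n",
           (long long)bpf_smod64(-7, 3), (long long)bpf_smod64(7, -3));
    return 0;
}
```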
selftests/bpf: Only define ENABLE_ATOMICS_TESTS for cpuv4 runner
This RFC four-patch series updates the BPF atomics selftest suite with broader coverage, starting by scoping the ENABLE_ATOMICS_TESTS macro to cpuv4 runner environments to avoid spurious failures on older hardware. Subsequent patches in the series add 8-bit and 16-bit fetch-based atomic testcases, non-fetch-based atomics for all widths, and exhaustive stack-based atomic operation coverage. The expanded suite is motivated by work on LoongArch BPF JIT support and improves confidence in atomic instruction correctness across architectures.
Generated 2026-04-15T00:00:00Z
April 12-13 brought a wave of structural and feature work to bpf-next. Alexei Starovoitov posted four revision rounds of a series splitting the monolithic verifier.c into focused modules, while Yonghong Song's v4 18-patch series adds stack-based argument support for BPF functions and kfuncs with x86_64 JIT backing. Emil Tsalapatis's arena library reached v7, Menglong Dong fixed missing fsession references across the subsystem, and a lone test fix replaced a deprecated shm_open call with memfd_create.
bpf: Split fixup/post-processing logic from verifier.c into fixups.c
The first patch of Starovoitov's v4 verifier.c split series moves the fixup and post-processing logic out of the monolithic verifier.c into a dedicated fixups.c. The overarching goal is to make the BPF verifier codebase more navigable by isolating distinct concerns into their own files, reducing the size of verifier.c from tens of thousands of lines to a more manageable core. This is the opening move in a 6-patch series that also splits out liveness, CFG analysis, state equivalence, backtracking, and BTF checking.
bpf: Move backtracking logic to backtrack.c
Part of the v4 verifier.c split series, this patch extracts the precision backtracking logic into its own backtrack.c file. Precision backtracking is one of the more complex subsystems in the verifier, responsible for determining which register values must be tracked precisely to correctly prune equivalent states. Isolating it improves reviewability and makes future modifications to the backtracking algorithm easier to scope.
bpf: Support stack arguments for bpf functions
This is the core verifier patch in Song's v4 18-patch series enabling BPF functions to pass arguments via the stack, overcoming the five-register argument limit. A new BPF_REG_STACK_ARG_BASE register is introduced to address arguments spilled beyond the register window, and the verifier is taught to validate PTR_TO_STACK arguments at call sites. The series handles both BPF-to-BPF calls and kfunc calls, with safeguards against use in programs reachable by tail calls or in non-JITed contexts.
bpf,x86: Implement JIT support for stack arguments
The x86_64 JIT backend patch in Song's stack arguments series teaches the JIT to emit code that correctly marshals stack-based arguments at BPF function call boundaries. Arguments exceeding the five-register limit are placed in a designated area of the caller's stack frame and addressed relative to the new BPF_REG_STACK_ARG_BASE. The patch is paired with architecture enablement and verifier-side validation patches in the same series.
bpf: Allow instructions with arena source and non-arena dest registers
The first substantive patch in Tsalapatis's v7 arena library series relaxes a verifier restriction to allow arithmetic operations where one operand is an arena pointer and the result is a plain scalar or non-arena pointer. This is needed so that user-space arena library code can freely mix arena and non-arena pointers in calculations without triggering spurious verifier rejections. The v7 series also adds a buddy allocator, ASAN support, and a full libarena test harness.
bpf: add missing fsession to the verifier log
This v3 patch adds the missing BPF_TRACE_FSESSION attach type to the verifier's human-readable log output, which previously omitted it when printing program attach type information. Companion patches in the same 3-patch series add fsession to the BPF documentation and to bpftool's usage and man page, rounding out the coverage for this attach type. The series is a straightforward completeness fix with no functional behavior change.
selftests/bpf: Use memfd_create instead of shm_open in cgroup_iter_memcg
Replaces the use of the now-deprecated shm_open() call in the cgroup_iter_memcg BPF selftest with the more modern memfd_create() interface. The existing shm_open usage was causing test infrastructure issues on systems where POSIX shared memory is not available or behaves differently. This is a one-patch cleanup with no impact on what the test actually exercises.
Generated 2026-04-14T00:00:00Z
The April 11–12 bpf-next window was dominated by verifier refactoring and significant new feature work. Alexei Starovoitov continued the multi-part effort to split the monolithic verifier.c into focused modules (fixups.c, liveness.c, cfg.c, states.c, backtrack.c, check_btf.c) and posted follow-up cleanups to simplify the main instruction-dispatch loop and move reserved-field checks out of the hot path. Yonghong Song posted a v4 18-patch series enabling stack-passed arguments for BPF-to-BPF calls and kfunc calls on x86-64, while Emil Tsalapatis's v6 arena-library series introduced a buddy allocator and ASAN runtime for BPF arena programs.
bpf: Support stack arguments for bpf functions
Part of an 18-patch v4 series that adds first-class support for passing arguments on the stack to BPF-to-BPF functions and kfuncs. This patch adds the core verifier logic to validate PTR_TO_STACK arguments in BPF function calls, teaching the verifier to track stack-passed memory regions across call boundaries. The feature is needed because BPF programs calling functions with more than five arguments (the current register limit) have no way to pass the extras without this infrastructure. Companion patches add x86-64 JIT emission, kfunc support, and restrictions against use with tail calls or non-JITed programs.
bpf: Split fixup/post-processing logic from verifier.c into fixups.c
First patch of a v2 six-part series that breaks up the notoriously large verifier.c by extracting distinct subsystems into their own files. This patch moves fixup and post-processing logic into a new fixups.c, while companion patches create liveness.c, cfg.c, states.c, backtrack.c, and check_btf.c. The goal is to reduce verifier.c to a manageable size and improve code navigation and maintainability for one of the most complex files in the kernel. The v2 revision addresses review feedback on include dependencies and symbol visibility.
A standalone cleanup that refactors do_check_insn(), the core per-instruction dispatch function in the BPF verifier. The patch reorganizes the function to reduce nesting and improve readability without changing behavior. This is part of the broader ongoing effort to make verifier.c easier to split and maintain, complementing the multi-file decomposition series posted the same day.
bpf: Move checks for reserved fields out of the main pass
A v2 verifier cleanup that extracts reserved-field validation (zero-check of src_reg, imm, offset, etc.) from the main instruction-decode loop into a dedicated pre-pass. Moving these checks out of the hot verification path makes the main pass easier to read and avoids redundant branching on every instruction. This is a prerequisite refactoring for the broader verifier.c decomposition work.
bpf: Upgrade scalar to PTR_TO_ARENA on arena pointer addition
Lead patch of a v6 nine-patch series introducing an arena library and runtime for BPF programs. This specific patch teaches the verifier to upgrade a plain scalar register to PTR_TO_ARENA when it is the result of adding a scalar to an arena pointer, enabling safe arithmetic inside arena regions. Companion patches add basic libarena scaffolding, an ASAN runtime for memory error detection in arena programs, a buddy allocator, and a comprehensive selftest suite including ASAN-instrumented tests.
bpf, arm64: Emit BTI for indirect jump target
Final patch of a v13 five-patch series that adds ENDBR (x86 CET) and BTI (arm64) instructions at indirect-jump targets in BPF JIT-compiled programs. The series introduces a verifier helper to identify indirect jump targets, refactors constants blinding out of per-arch JITs to share common logic, and passes bpf_verifier_env to the JIT so architecture back-ends can use the target information. Reaching v13 reflects the extensive review this security hardening feature has undergone.
bpf: Fix Null-Pointer Dereference in kernel_clone() via BPF fmod_ret on security_task_alloc
A v3 fix for a null-pointer dereference triggered when a BPF fmod_ret program attaches to security_task_alloc and returns a non-zero value, causing kernel_clone() to proceed with an incompletely initialized task struct. The patch adds a check so that if fmod_ret short-circuits security_task_alloc with an error, the kernel correctly unwinds without dereferencing the null task pointer. A companion selftest verifies the return-value semantics of fmod_ret on this hook.
bpf: Use kmalloc_nolock() universally in local storage
Core patch of a v2 three-patch series that switches BPF local storage allocation to kmalloc_nolock() throughout, removing the need to plumb gfp_flags through the call chain. kmalloc_nolock() uses a per-CPU cache and avoids lock contention, which matters on fast paths like socket and task storage lookups. A companion patch removes the now-unnecessary kmalloc tracing from the local storage benchmark, and a final patch cleans up gfp_flags plumbing from bpf_local_storage_update().
bpf: add missing fsession to the verifier log
Part of a v3 three-patch series that adds the missing fsession attach type to the BPF verifier log, documentation, and bpftool. The fsession attach type was introduced but not reflected in the verifier's textual output or in user-facing tools, making it harder to debug programs using that hook. This patch fixes the verifier log output; companion patches update the BPF documentation and bpftool's usage text and man page.
Generated 2026-04-12T09:52:00Z
This period was dominated by Eduard Zingerman's ambitious static stack liveness data flow analysis series, which hit v4 with 14 patches and adds a forward arg-tracking pass to the verifier that enables poisoning of dead stack slots. Mykyta Yatsenko's sleepable tracepoint support reached v9, and Emil Tsalapatis posted a v5 of the arena library and runtime introducing buddy-allocator support and ASAN integration for BPF arena programs.
The final patch of the 14-part v4 static stack liveness series, this change poisons dead stack slots identified by the new dataflow analysis pass. By overwriting slots that the verifier proves are no longer live, it prevents inadvertent reuse of stale values and strengthens the safety guarantees of the BPF verifier. The series introduces 4-byte granularity liveness tracking, a forward arg-tracking pass, and function-instance keying by (callsite, depth) to correctly handle subprogram calls. Companion selftest patches validate the new behavior against both new and existing verifier test cases.
bpf: introduce forward arg-tracking dataflow analysis
This patch is the algorithmic core of the static stack liveness series: it adds a forward dataflow analysis pass that tracks which stack slots are written before being read, enabling the verifier to identify dead writes. Unlike the existing backward liveness pass, this forward pass computes arg-tracking results stored in bpf_liveness masks so they can be queried during normal verification. The approach handles subprogram calls by keying func_instances on (callsite, depth) pairs.
bpf: Add sleepable support for raw tracepoint programs
The first patch of a 6-part v9 series enabling BPF tracepoint programs to be marked sleepable, allowing them to call kfuncs and helpers that may block. This patch extends raw tracepoint support by running programs via a new bpf_prog_run_array_sleepable() helper that takes an RCU read-side lock safe for sleeping contexts. Verifier changes in patch 4 enforce that only raw and classic tracepoint program types may carry the sleepable flag. libbpf gains matching SEC() handlers and the series ships with selftests covering both raw and classic tracepoint flavors.
bpf: Upgrade scalar to PTR_TO_ARENA on arena pointer addition
This verifier change allows a scalar value that is added to a PTR_TO_ARENA pointer to be upgraded to PTR_TO_ARENA itself, enabling more ergonomic arena-relative pointer arithmetic in BPF programs without requiring a full re-cast. It is the foundation patch for a 9-part v5 series that also introduces userspace libarena scaffolding, an arena ASAN runtime, a buddy allocator library, and integration tests with ASAN support. The arena memory model is increasingly important for BPF programs that manage their own heap.
bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars
This verifier fix ensures that when two scalar registers are compared for equivalence via regsafe(), their base_id fields are treated consistently for scalars produced by BPF_ADD_CONST operations. Without this check, the verifier could incorrectly mark two states as equivalent even when their add_const chains differ, potentially allowing unsound pruning. The companion patch adds a selftest to exercise the base_id consistency requirement directly.
bpf: Use kmalloc_nolock() universally in local storage
This patch (2/3, v2) extends the use of kmalloc_nolock() throughout the BPF local storage implementation so that allocations in IRQ and NMI contexts no longer need to fall back to pre-allocated memory. The companion patch removes the now-unnecessary gfp_flags plumbing from bpf_local_storage_update(), simplifying the call chain. The first patch in the series drops kmalloc tracing from the local storage create benchmark since it is no longer representative.
bpf: Fix Null-Pointer Dereference in kernel_clone() via BPF fmod_ret on security_task_alloc
This v2 fix addresses a null pointer dereference triggered when a BPF fmod_ret program attached to security_task_alloc returns a non-zero error code: kernel_clone() proceeds to call copy_process(), which may dereference a task pointer that was never fully initialized. The fix adds an early return in the relevant path when the fmod_ret hook indicates failure, preventing the use-after-free or null dereference. A selftest validates the correct return value behavior of fmod_ret for this hook.
Generated 2026-04-11T10:00:00Z
Activity over this period was dominated by Eduard Zingerman's static stack liveness data flow analysis series, which progressed through three revisions (v1, v2, v3) and implements a new verifier pass to track dead stack slots and poison them at verification time. Daniel Borkmann contributed a fix to drop pkt_end markers after arithmetic operations to prevent the verifier's is_pkt_ptr_branch_taken() from making incorrect branch decisions, while Feng Yang addressed a null-pointer dereference in kernel_clone() triggered by a BPF fmod_ret program attached to security_task_alloc.
bpf: share several utility functions as internal API
This patch opens the 13-patch v3 series implementing static stack liveness data flow analysis by refactoring several internal verifier utilities into a shared internal API. Exposing these helpers avoids duplication between liveness.c and the rest of the verifier. The series as a whole introduces a new forward dataflow analysis pass that precisely tracks which BPF stack slots are live across a program's execution paths, feeding into improved liveness masks. Later patches in the series build on this foundation to identify and poison dead stack slots, improving both safety and verifier diagnostics.
bpf: introduce forward arg-tracking dataflow analysis
Introduces the core new analysis pass in the static stack liveness series: a forward arg-tracking dataflow analysis that computes which subprogram arguments and stack slots are actually consumed during execution. This complements the existing backward liveness analysis by propagating use information in the forward direction through the CFG. The results are recorded in bpf_liveness masks, enabling the verifier to distinguish truly live slots from dead ones with higher precision. This is the algorithmic heart of the feature, upon which the subsequent logging improvements and dead-slot poisoning depend.
The final patch of the v3 static stack liveness series implements the actual poisoning of stack slots determined to be dead by the new analysis pass. Dead slots are written with a special poison marker during verification, ensuring that any path the verifier missed which accesses them will be caught. This provides a defense-in-depth safety property and improves the quality of error messages when BPF programs touch uninitialized or logically dead stack memory. Accompanying selftests in patches 12/13 and earlier verify both the analysis results and the poisoning behavior.
bpf: Fix Null-Pointer Dereference in kernel_clone() via BPF fmod_ret on security_task_alloc
Fixes a null-pointer dereference in kernel_clone() that occurs when a BPF fmod_ret program attached to the security_task_alloc LSM hook returns a non-zero (error) value. In that case the fmod_ret causes an early return from the hook, bypassing actual task allocation, but the caller still dereferences the resulting null task pointer. The fix adjusts the error path to correctly handle the case where fmod_ret aborted allocation before a task object was produced. This is v2 of the series; patch 2/2 adds selftests exercising the corrected behavior.
bpf: Drop pkt_end markers on arithmetic to prevent is_pkt_ptr_branch_taken
Fixes a verifier bug where pkt_end pointer markers were incorrectly retained after arithmetic operations (scalar addition or subtraction) on a packet-end pointer. Preserving the marker after arithmetic causes is_pkt_ptr_branch_taken() to treat the derived pointer as a genuine pkt_end boundary, leading to incorrect branch-pruning decisions and potential unsoundness. The fix drops the pkt_end marker whenever arithmetic is performed on such a pointer, since the result no longer carries the same semantic guarantee. Patch 2/2 adds a selftest reproducing the stale pkt range scenario to prevent regressions.
Generated 2026-04-16T00:00:00Z
Today's bpf-next activity was dominated by two major series: Eduard Zingerman's 14-patch overhaul introducing static stack liveness data flow analysis in the verifier, and Mykyta Yatsenko's RFC for a new resizable BPF hash map backed by the kernel's rhashtable infrastructure. Additional notable work includes Kumar Kartikeya Dwivedi's verifier warning message framework, enabling non-fatal deprecation warnings during program load, and Daniel Borkmann's fix for ld_{abs,ind} failure path analysis in BPF subprograms.
bpf: share several utility functions as internal API
This is the opening patch in a 14-part series introducing static stack liveness data flow analysis into the BPF verifier. It refactors several internal utility functions into a shared API to be reused by the upcoming liveness analysis pass. The broader series upgrades stack-slot tracking to 4-byte granularity and introduces a forward arg-tracking dataflow analysis, culminating in dead stack slot poisoning — marking unused stack slots to catch uninitialized reads more reliably. The work also includes logging improvements and extensive selftests covering the new analysis behavior.
This RFC introduces a new BPF map type backed by the kernel's rhashtable infrastructure, enabling dynamically resizable hash maps without the fixed-capacity constraints of BPF_MAP_TYPE_HASH. The 18-patch series implements full lookup/update/delete operations, batch ops, BPF iterators, timer and workqueue support, and libbpf integration. This addresses long-standing performance cliffs when BPF hash maps approach their pre-allocated capacity, as resizing happens transparently at runtime. bpftool documentation and comprehensive selftests round out the RFC.
bpf: Add support for verifier warning messages
This patch introduces a new BPF verifier infrastructure for emitting non-fatal warning messages to userspace during program load, distinct from errors that reject programs outright. The six-patch series adds a KF_DEPRECATED flag for kfuncs, a __bpf_kfunc_replacement() annotation to guide migration, and libbpf support to surface warnings by default. Source location information is exposed by making find_linfo widely available within the verifier. This closes an important ergonomics gap where developers had no in-band signal for deprecated or suboptimal BPF patterns.
bpf: Propagate error from visit_tailcall_insn
This series fixes a verifier bug where errors returned by visit_tailcall_insn were silently discarded during subprogram analysis, potentially allowing malformed programs through verification. A second patch corrects the failure-path analysis for ld_abs and ld_ind instructions when used inside subprograms. A third patch removes an overly narrow static qualifier on a local subprog pointer to support the fix. Selftests are added to cover the previously undetected failure paths, and this is the second revision following initial review feedback.
bpf: Reject sleepable kprobe_multi programs at attach time
kprobe_multi programs execute in a non-preemptible context where sleeping would cause a kernel crash, yet the BPF subsystem previously accepted programs with the sleepable flag for this attach type. This patch adds an explicit check at attach time to reject the sleepable flag in combination with BPF_TRACE_KPROBE_MULTI, returning a clear error rather than silently misbehaving. A selftest verifies the rejection behavior. This is the fifth revision of the series, refined through several rounds of review.
selftests/bpf: Add BPF struct_ops + livepatch integration test
This selftest exercises the interaction between BPF struct_ops programs and the kernel livepatch infrastructure, which allows BPF programs to replace kernel functions in a structured, reversible way. The test verifies that struct_ops-based function replacement behaves correctly alongside livepatch semantics, covering both attachment and detachment paths. This is important validation for a relatively new capability that enables BPF programs to participate in live kernel patching workflows.
libbpf: Allow use of feature cache for non-token cases
libbpf's BTF feature detection previously bypassed the feature cache in code paths that did not involve a BPF token, leading to redundant kernel probes on repeated calls. This patch relaxes that requirement so the feature cache is consulted and populated regardless of token availability. The companion patch adds a BTF sanitization selftest validating BTF layout correctness under various configurations. This is the third revision of the two-patch series.
bpf: add missing fsession to the verifier log
The BPF_ATTACH_TYPE_FSESSION attach type was missing from the verifier log output, bpftool's usage strings, and kernel documentation, leaving it as an undocumented attach type in all developer-facing surfaces. This three-patch series adds fsession to the verifier log, BPF documentation, and bpftool usage output, ensuring consistency across tooling. This is the second revision addressing minor style feedback from the initial submission.
Generated 2026-04-09T10:30:00Z
April 7-8 saw broad activity across verifier correctness, networking, and tooling. Kumar Kartikeya Dwivedi submitted a series adding verifier warning message support for deprecated kfuncs, while Daniel Borkmann fixed linked register delta tracking bugs in the verifier. Nick Hudson's v3 series introduced new tunnel decapsulation flags for bpf_skb_adjust_room, and Andrey Grodzovsky's kprobe symbol disambiguation fix reached v7.
bpf: Add support for verifier warning messages
This v2 series introduces a new verifier warning infrastructure that allows the BPF verifier to emit non-fatal warning messages to users, separate from hard errors. The series leverages KF_DEPRECATED to trigger warnings for deprecated kfuncs and adds a __bpf_kfunc_replacement() annotation to point developers toward preferred replacements. libbpf is updated to flush these warnings by default, giving developers earlier visibility into deprecated API usage without causing program rejection.
bpf: Fix linked reg delta tracking when src_reg == dst_reg
This series fixes two related verifier bugs in linked register delta tracking. The first patch addresses a case where src_reg == dst_reg causes stale delta state to propagate incorrectly through register linking. The second patch ensures the delta field is cleared whenever a register's ID is reset for non-add/sub operations, preventing stale deltas from leaking through ID reassignment. Both fixes are accompanied by targeted selftests.
tracing: Prefer vmlinux symbols over module symbols for unqualified kprobes
Now at v7 (with a concurrent v6 also posted on the same day), this patch stabilizes the fix for kprobe symbol disambiguation when a module symbol shadows a vmlinux symbol of the same name. Unqualified kprobe attachments now correctly prefer the vmlinux symbol, preventing inadvertent tracing of module code. A selftest covering duplicate symbol handling is included.
bpf: add BPF_F_ADJ_ROOM_DECAP_* flags for tunnel decapsulation
Part of the v3 'bpf: decap flags and GSO state updates' series, this patch introduces new BPF_F_ADJ_ROOM_DECAP_* flags for the bpf_skb_adjust_room helper to handle tunnel decapsulation scenarios correctly. A companion patch clears tunnel GSO state in skb_adjust_room when decapping, addressing correctness issues for BPF programs performing software tunnel decap. The series also refactors ADJ_ROOM flag masks and adds guard rails for invalid flag combinations.
bpf: add missing fsession to the verifier log
This v2 series adds missing support for the fsession BPF attach type across the verifier log, BPF documentation, and bpftool. The fsession attach type was supported in the kernel but absent from these user-facing surfaces, making it invisible to developers using introspection tools. The three-patch series ensures fsession is consistently recognized and displayed alongside other attach types.
bpf: Retire rcu_trace_implies_rcu_gp()
This patch removes the rcu_trace_implies_rcu_gp() function from the BPF RCU machinery, which was a temporary workaround that treated RCU trace critical sections as implying a full RCU grace period. As the kernel RCU subsystem has matured, this workaround is no longer necessary and its removal simplifies the BPF memory model and reduces maintenance burden.
bpf: Upgrade scalar to PTR_TO_ARENA on arena pointer addition
The v4 arena library and runtime series continues to appear in this period, covering the core verifier change and an extensive libarena user-space test library. The kernel patch upgrades a scalar register to PTR_TO_ARENA when derived from arena pointer arithmetic, enabling safe arena pointer tracking in the BPF verifier. The selftest side introduces a complete arena library with buddy allocator and ASAN runtime support.
Generated 2026-04-08T12:00:00Z
Activity on April 6-7 was dominated by two substantial series: Emil Tsalapatis's v4 arena library and runtime series, which introduces a BPF memory arena with buddy allocator and ASAN support, and Kumar Kartikeya Dwivedi's v5 series enabling variable offsets for syscall PTR_TO_CTX access. Additional notable work includes Andrey Grodzovsky's RFC for fixing kprobe attachment priority when module symbols shadow vmlinux symbols, and smaller fixes for dynptr reference handling and insn_array offset loads.
bpf: Upgrade scalar to PTR_TO_ARENA on arena pointer addition
Part of the v4 'Introduce arena library and runtime' series, this patch updates the BPF verifier to upgrade a scalar register to PTR_TO_ARENA when it results from adding a scalar to an arena pointer. This is a key verifier change that enables safe tracking of pointers derived from BPF arena memory regions. The companion patches introduce a full arena user-space library for BPF selftests, including a buddy allocator and ASAN runtime integration.
bpf: Support variable offsets for syscall PTR_TO_CTX
This v5 patch extends the BPF verifier to allow variable (non-constant) offsets when accessing PTR_TO_CTX in BPF programs running in syscall context. Previously, only fixed offsets were permitted, which was overly restrictive for programs that compute offsets dynamically. Companion patches also enable unaligned accesses for syscall context and add comprehensive selftests including tests for accesses beyond U16_MAX.
tracing: Prefer vmlinux symbols over module symbols for unqualified kprobes
This RFC v5 patch addresses an ambiguity in kprobe symbol resolution: when a kernel module exports a symbol with the same name as a vmlinux symbol, an unqualified kprobe attachment would previously latch onto the module symbol. The fix ensures vmlinux symbols take precedence for unqualified probes, aligning behavior with user expectations and reducing inadvertent tracing of module code. A selftest covering the duplicate symbol scenario is included.
bpf: Do not ignore offsets for loads from insn_arrays
This v3 fix corrects a bug in the BPF loader where non-zero offsets in insn_array map loads were silently ignored, resulting in incorrect instruction loading. The patch ensures the offset is correctly applied when reading BPF instructions from array maps, preventing subtle program errors that would otherwise be difficult to diagnose. A companion selftest verifies loading from various non-zero offsets.
bpf: Allow overwriting referenced dynptr when refcnt > 1
The BPF verifier currently rejects programs that attempt to overwrite a referenced dynptr even when sibling states still hold a valid reference, causing overly conservative program rejections. This patch relaxes the restriction by tracking the reference count across sibling states and permitting the overwrite when refcnt > 1, ensuring the sibling state can still clean up the dynptr on exit. A selftest demonstrating the previously-rejected but safe pattern is included.
Generated 2026-04-08T12:00:00Z
Activity on April 5-6 was dominated by Yonghong Song's v2 and v3 iterations of the 'Support stack arguments for BPF functions and kfuncs' series, which introduces a new BPF_REG_STACK_ARG_BASE register and extends the BPF calling convention to allow structs larger than 8 bytes to be passed via the stack. The v3 revision refines the design with improved verifier validation, x86_64 JIT support, and comprehensive selftests for both BPF-to-BPF calls and kfunc calls.
bpf: Introduce bpf register BPF_REG_STACK_ARG_BASE
Introduces BPF_REG_STACK_ARG_BASE, a new virtual BPF register used as a base pointer for stack-allocated function arguments. This is the foundational patch in the series enabling BPF functions and kfuncs to accept arguments too large to fit in the six general-purpose argument registers. The new register is handled specially by the verifier and JIT backends to track and validate stack argument slots. It allows BPF programs to pass structs larger than 8 bytes by value through a well-defined stack ABI.
bpf: Support stack arguments for bpf functions
Extends the BPF verifier to recognize and validate stack-based argument passing for BPF-to-BPF function calls. The patch teaches the verifier to track argument slots relative to BPF_REG_STACK_ARG_BASE and verify their types, sizes, and liveness. This enables BPF subprograms to receive large struct arguments that cannot fit in registers, matching a common pattern in kernel C code.
bpf: Support stack arguments for kfunc calls
Extends stack argument support to kfunc calls, allowing BPF programs to pass large structs by value to kernel functions exposed via kfuncs. The verifier is updated to check stack argument slots when validating kfunc call sites, ensuring type safety between the BPF caller and the kernel-side parameter declaration. Stack arguments for kfuncs are limited to 8 bytes per slot to match kernel ABI expectations.
bpf: Reject stack arguments in non-JITed programs
Adds a verifier check that rejects programs using stack arguments when running without a JIT compiler. Stack argument passing requires JIT support because the interpreter cannot implement the necessary stack manipulation semantics. This guard ensures the feature is only enabled on platforms and configurations where it is fully supported.
bpf,x86: Implement JIT support for stack arguments
Implements x86_64 JIT backend support for emitting code to set up and tear down stack argument frames for BPF function and kfunc calls. The JIT allocates space on the native stack, copies argument values into position relative to the stack pointer, and passes the base address in the appropriate register. This patch is the concrete implementation that makes the stack argument ABI functional on x86_64.
selftests/bpf: Add verifier tests for stack argument validation
Adds verifier-level selftests that exercise both positive and negative cases for stack argument validation, including type mismatches, size violations, and use of uninitialized stack slots. These tests complement the functional selftests from earlier patches and ensure the verifier correctly rejects malformed programs using stack arguments. The negative tests cover the greater-than-8-byte kfunc stack argument restriction introduced in the series.
Generated 2026-04-06T10:13:03Z
No patches were submitted to the bpf mailing list during this period.
Generated 2026-04-05T09:43:13Z
The bpf-next mailing list saw active development on April 3-4, 2026, centered on BPF verifier improvements, JIT code generation, and libbpf usability enhancements. Alexei Starovoitov continued iterating on preparatory patches for static stack liveness analysis (reaching v5), while Xu Kuohai posted a 12th revision of the ENDBR/BTI CFI series for x86 and arm64. Emil Tsalapatis introduced a comprehensive arena library and runtime for BPF programs, and Chengkaitao proposed new infrastructure to simplify kfunc verifier registration.
bpf: Do register range validation early
This patch moves register range validation to an earlier stage in the BPF verifier pipeline as a preparatory step for implementing static stack liveness analysis. By validating register ranges sooner, subsequent analysis passes can make more informed decisions about stack usage. This is the first of a 6-patch v5 series from Alexei Starovoitov that lays the groundwork for static stack liveness, a significant verifier enhancement aimed at improving precision in BPF program analysis.
bpf: Add bpf_compute_const_regs() and bpf_prune_dead_branches() passes
Introduces two new compiler-style analysis passes to the BPF verifier: constant register computation and dead branch pruning. These passes allow the verifier to identify and eliminate unreachable code paths before the main verification pass runs, reducing the state space that must be explored. This is foundational infrastructure for static stack liveness analysis, which will allow the verifier to precisely track stack slot usage across subprograms and enable future optimizations.
bpf: Add helper and kfunc stack access size resolution
The final patch in Alexei Starovoitov's v5 series adds logic for resolving the sizes of stack accesses made by helpers and kfuncs, a prerequisite for accurate static stack liveness computation. Understanding how much stack space each helper or kfunc call may touch is essential for the verifier to determine which stack slots are live at any given program point. Together with the earlier patches in the series, this completes the preparatory infrastructure for static stack liveness.
bpf: Introduce BTF_SET/ID_SUB and BPF_VERIF_KFUNC_DEF
Introduces new BTF infrastructure (BTF_SET/ID_SUB) and a BPF_VERIF_KFUNC_DEF macro to simplify how the BPF verifier registers and matches kfunc verification callbacks. Currently kfunc verification logic requires manual BTF set management and is scattered across the codebase; this refactoring provides a unified, declarative mechanism for associating kfuncs with their verifier hooks. The accompanying patch applies this new infrastructure to rbtree kfuncs as a concrete demonstration.
bpf: Add helper to detect indirect jump targets
Adds a helper function to the BPF JIT infrastructure for identifying indirect jump targets in BPF programs, enabling subsequent patches to emit control-flow integrity (CFI) landing pad instructions at those sites. On x86 this means emitting ENDBR instructions (for Intel IBT), and on arm64 BTI instructions. This is the 12th revision of a mature series by Xu Kuohai that improves BPF JIT compatibility with CPU-enforced CFI features, with both x86 and arm64 backends covered.
bpf: Upgrade scalar to PTR_TO_ARENA on arena pointer addition
Enhances the BPF verifier to recognize that a scalar value resulting from arithmetic on an arena pointer should itself be typed as PTR_TO_ARENA, improving the ergonomics and correctness of arena-based BPF programs. This is the core kernel-side change in a 9-patch v3 series that also introduces a libarena library and runtime for BPF, including a buddy allocator and ASAN integration. The series significantly lowers the barrier for BPF programs to perform dynamic memory management using arenas.
libbpf: Auto-upgrade kprobes to multi-kprobes when supported
This RFC proposes transparent automatic upgrading of single kprobe attachments to the more efficient multi-kprobe mechanism when the kernel supports it, mirroring a companion patch that does the same for uprobes. Multi-kprobes attach to multiple functions via a single file descriptor, reducing per-attach overhead considerably. The series (RFC v3) also adds a libbpf feature probe to detect kernel multi-kprobe link support, making the upgrade decision automatic and safe across kernel versions.
Generated 2026-04-04T09:42:10Z
A busy day on bpf-next dominated by verifier and JIT work. Yonghong Song posted a major 10-patch series introducing stack-based argument passing for BPF functions and kfuncs, enabling larger structs to be passed by value. Alexei Starovoitov continued iterating—reaching v5—on preparatory verifier patches for static stack liveness analysis, while Emil Tsalapatis proposed a new arena library and runtime for BPF selftests.
bpf: Introduce bpf register BPF_REG_STACK_ARG_BASE
First patch in a 10-part series adding stack-based argument passing to BPF functions and kfuncs. It introduces a new virtual register BPF_REG_STACK_ARG_BASE to represent the base of stack-passed arguments in the BPF calling convention. This enables passing large structs by value that exceed the available register count. Subsequent patches in the series add verifier enforcement, x86-64 JIT support, and selftests covering both positive and negative cases.
bpf: Do register range validation early
First patch (v5) in a 6-patch series preparing the verifier for static stack liveness analysis. This patch moves register range validation to an earlier point in the verification pipeline so that subsequent passes can rely on consistent range invariants. The series also adds topological subprogram ordering after check_cfg(), dead branch pruning, and constant register computation passes. A v5 respin was posted within hours of v4, indicating rapid iteration.
bpf: Upgrade scalar to PTR_TO_ARENA on arena pointer addition
First patch (v3) in a 9-part series introducing an arena library and runtime for BPF selftests. This verifier change teaches the BPF verifier to upgrade a scalar register to PTR_TO_ARENA when it is the result of adding a scalar to an arena pointer, improving type-safety for arena-allocated memory. The rest of the series builds libarena scaffolding, an ASAN runtime for detecting memory errors in arena programs, a buddy allocator, and comprehensive selftests.
bpf: Move constants blinding out of arch-specific JITs
First patch (v11) in a 5-patch series that emits ENDBR (x86) and BTI (arm64) instructions at indirect jump targets in BPF JIT-compiled programs to harden against control-flow hijacking attacks. This initial patch refactors constants blinding out of architecture-specific JITs and into shared BPF core code, passing the bpf_verifier_env to the JIT. Later patches add a verifier helper to detect indirect jump targets and the per-arch emission logic for ENDBR and BTI landing pads.
bpf: Refactor reg_bounds_sanity_check
First patch (v3) in a 6-patch series fixing verifier invariant violations surfaced by syzbot. The series refactors the register bounds sanity check, exits early when reg_bounds_sync receives invalid inputs, simulates branches to prune states based on range violations, and removes now-unnecessary invariant violation flags from selftests. These fixes improve the reliability of the verifier's range-tracking logic and address potential incorrect pruning decisions.
bpf: Do not ignore offsets for loads from insn_arrays
Bug fix (v2) correcting the BPF verifier's handling of loads from instruction arrays with non-zero offsets. Previously the offset was silently ignored, leading to incorrect values being read. The fix ensures the offset is properly applied, and a companion selftest patch adds coverage for the various offset scenarios to prevent regressions.
bpf: Refactor dynptr mutability tracking
A v2 verifier cleanup that refactors how dynptr mutability is tracked internally. Instead of scattering mutability checks across dynptr helper validation paths, this patch consolidates the tracking into a cleaner representation. This makes it easier to reason about read-only vs. read-write dynptr semantics and reduces the risk of future correctness bugs when new dynptr types or helpers are introduced.
Generated 2026-04-03T10:00:00Z
April 1-2 saw heavy activity on the verifier and libbpf fronts. Yonghong Song posted a significant new feature series enabling stack-based argument passing for BPF functions and kfuncs with x86_64 JIT support, while Alexei Starovoitov iterated to v3 on preparatory verifier passes for static stack liveness analysis. Paul Chaignon and Kumar Kartikeya Dwivedi also landed verifier improvements addressing invariant violations and variable-offset syscall context access.
bpf: Introduce bpf register BPF_REG_STACK_ARG_BASE
Introduces a new virtual BPF register BPF_REG_STACK_ARG_BASE to support stack-based argument passing for BPF subprograms and kfuncs. This is the first patch in a 10-part series that extends the BPF calling convention beyond the existing five register arguments. Subsequent patches add verifier support, x86_64 JIT code generation, and selftests. This enables BPF programs to call functions with more than five arguments by spilling extra arguments onto the stack, bringing BPF closer to native C calling conventions.
bpf: Add bpf_compute_const_regs() and bpf_prune_dead_branches() passes
Adds two new pre-verification passes to the BPF verifier: bpf_compute_const_regs() performs a lightweight constant propagation to identify registers holding compile-time constants, and bpf_prune_dead_branches() eliminates unreachable code paths before the main verification pass runs. These passes are groundwork for upcoming static stack liveness analysis, which will reduce the state space the verifier must explore. This is patch 4/6 in Alexei's v3 series "bpf: Prep patches for static stack liveness."
bpf: Add helper and kfunc stack access size resolution
Adds logic to the verifier to resolve the access size for stack slots passed to helpers and kfuncs, completing the v3 preparatory series for static stack liveness analysis. When a helper or kfunc receives a pointer to a stack slot, the verifier now computes the precise byte range being accessed rather than conservatively marking the entire slot as live. This precision is necessary for the upcoming static liveness pass to correctly determine which stack slots need to be initialized before use.
bpf: Simulate branches to prune based on range violations
Fixes a class of verifier invariant violations where register range bounds became inconsistent after branch pruning. When the verifier detects that a register's tracked range is provably violated on a branch, it now simulates taking that branch and prunes the state rather than leaving the inconsistency unresolved. This addresses syzbot-reported crashes caused by invalid register states propagating through the verifier. This is patch 4/6 in Paul Chaignon's v3 series "Fix invariant violations and improve branch detection."
bpf: Support variable offsets for syscall PTR_TO_CTX
Extends the BPF verifier to allow variable (non-constant) offsets when accessing syscall program context pointers of type PTR_TO_CTX. Previously, the verifier rejected any non-zero variable offset into a syscall ctx, requiring programs to use only constant offsets. The patch teaches the verifier to track variable offsets and validate bounds at access time, enabling more flexible syscall BPF programs. This is the first patch in Kumar's v4 seven-patch series.
bpf: Do not ignore offsets for loads from insn_arrays
Fixes a bug in the BPF loader where non-zero offsets within instruction arrays were silently ignored when resolving map file descriptors and other relocations. The offset field was being discarded, causing incorrect values to be loaded when programs accessed elements beyond the base of an insn_array. This is a correctness fix affecting programs that use offset-based access patterns into instruction arrays, with accompanying selftests added in patch 2/2.
bpf: Refactor dynptr mutability tracking
Refactors how the BPF verifier tracks whether a dynptr is mutable or read-only, consolidating scattered mutability checks into a cleaner abstraction. Previously, mutability was inferred from the dynptr type and call context at each check site; this patch centralizes the logic to reduce duplication and make the invariants easier to audit. The refactor prepares the codebase for future dynptr extensions without changing existing behavior.
bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb
Adds input length validation to bpf_prog_test_run_skb() to reject buffers shorter than a minimum IPv4 or IPv6 header when the data is marked as IP traffic. Without this check, a malformed short packet could cause the verifier test runner to access memory beyond the supplied buffer. This is a v3 single-patch fix addressing a potential out-of-bounds read in the BPF test infrastructure.
libbpf: Fix BTF handling in bpf_program__clone()
Fixes a bug in libbpf's bpf_program__clone() where the cloned program did not correctly inherit or reference the parent's BTF object, leading to use-after-free or incorrect BTF type resolution when the cloned program was loaded. The fix ensures the BTF reference is properly managed across the clone operation. This is a v2 single-patch bug fix for an issue discovered in programs that use program cloning with BTF-dependent features.
Generated 2026-04-02T23:24:36Z
The week ending June 1st was one of the busiest in recent memory for the BPF subsystem, with 100 patches across 23 series. The headline contribution is Jiri Olsa's 29-patch tracing_multi link series (v6), which introduces a new BPF link type that allows a single tracing program to attach to multiple kernel functions atomically and efficiently. Mykyta Yatsenko posted v5 of the resizable hash map, a new BPF map type backed by the kernel rhashtable that can grow and shrink at runtime, while Alexei Starovoitov introduced SLUB-backed kfuncs for BPF arena allocation and Emil Tsalapatis reduced arena annotation overhead by teaching the verifier to track arena pointer return values from subprogs. Amery Hung's v6 verifier object relationship refactor rounded out the week with a dynptr use-after-free fix and unified object tracking infrastructure.
bpf: Implement resizable hashmap basic functions
Implements the core lookup, update, and delete operations for a new BPF_MAP_TYPE_RHASH resizable hash map backed by the kernel's rhashtable infrastructure. Unlike the fixed-size BPF hash map, this map can resize its bucket array at runtime as the element count grows or shrinks, avoiding the need to pre-allocate for worst-case load. The v5 series spans 11 patches and includes rhashtable API additions, iteration support, special field handling, and bpftool documentation.
bpf: Add support for tracing multi link
Introduces a new BPF_LINK_TYPE_TRACING_MULTI link that allows a single BPF tracing program to be attached to a set of kernel functions in one operation, replacing the overhead of creating N individual fentry/fexit links. The kernel side adds multi-attach/detach trampoline infrastructure and a new set of attach types. The 29-patch series (v6) also adds libbpf API support, session and cookie support for the new link type, and comprehensive selftests.
bpf,slab: Add slub-backed allocator for bpf_arena
Adds a SLUB-backed slab allocator for bpf_arena that allows BPF programs to call kmem_cache_alloc/free-style kfuncs within the arena address space, enabling arena-based data structures with efficient per-object allocation. The implementation adds arena-aware nolock variants of kmem_cache operations to avoid deadlocks with BPF's non-preemptible execution contexts. This is the core patch of Starovoitov's 4-patch v2 series introducing bpf_arena_alloc() kfuncs.
bpf: Refactor object relationship tracking and fix dynptr UAF bug
Refactors how the BPF verifier tracks relationships between referenced objects (dynptrs, slices, and kptrs) by introducing a unified parent-child model, and simultaneously fixes a use-after-free bug where a dynptr slice could be used after its parent dynptr was invalidated. The refactor unifies dynptr and referenced-object tracking into a shared infrastructure, making future extensions cleaner. This is patch 5/13 of Amery Hung's v6 series.
bpf: Allow subprogs to return arena pointers
Extends the BPF verifier to recognize and propagate arena pointer types through subprogram return values, eliminating the need for callers to re-annotate returned pointers with __arena or __arg_arena. This is the core verifier change in the 5-patch "Minimize annotations for arena programs" series, which also adds an "arena" BTF type tag, teaches the verifier to parse BTF type tags for function arguments, and removes now-unnecessary __arg_arena annotations from the selftests.
bpf: Reject exclusive maps as inner maps in map-in-map
Blocks exclusive maps from being nested inside map-in-map structures, closing a loophole where the map-in-map lookup path could hand out references to an exclusive inner map without the signed loader's ownership checks. The v2 series (7 patches) also drops a redundant hash_buf parameter from map_get_hash, adds libbpf-side enforcement of exclusive metadata maps in the signed loader, and adds selftests. This is patch 1/7.
bpf: Fix NMI/tracepoint re-entry deadlock on lru locks
RFC patch that replaces the raw spinlock in LRU hash map operations with an rqspinlock (a lock variant that records the interrupted holder context), preventing deadlocks when a BPF tracepoint fires on a CPU that is already holding the LRU lock in an NMI or softirq context. This is a known pain point for BPF programs that trace memory-allocation paths. The 3-patch series also updates the LRU state-machine diagram for the new lock variant.
bpf: fix BPF_PROG_QUERY OOB write and cgroup backward compat
Fixes an out-of-bounds write in BPF_PROG_QUERY where the kernel wrote back more bytes than the user-declared uattr size, potentially corrupting adjacent user memory. The fix uses the user-declared size for writeback, while a companion patch adds boundary verification selftests. Backward compatibility with cgroup queries using older-layout attrs is explicitly preserved.
bpf: reject overlarge global subprog argument sizes
Adds a verifier check that rejects global subprograms whose argument types would result in a combined stack frame larger than BPF's MAX_BPF_STACK limit. Without the check, a global subprog with oversized struct-by-value arguments could pass verification but overflow the stack at runtime. This is v3 of the standalone single-patch fix.
bpf: report hot simulated callchains when 1M instructions limit is met
RFC patch that makes the BPF verifier emit diagnostic information about the hottest simulated call chains when it hits the 1 million instruction verification budget, helping developers understand why a complex program is exhausting the verifier. This is part of a 6-patch series that also adds register diff summaries for hot callchains and a selftest for the new reporting. The improved diagnostics address a long-standing usability gap when debugging large BPF programs.
Generated 2026-06-02T00:00:00Z
The week of May 18–25 was one of the busiest of the cycle, with 100 patches across 21 series. The headline work spans three major areas: KP Singh's 13-patch series wiring BPF program signing into the Linux IPE (Integrity Policy Enforcement) framework for secure BPF deployments, Amery Hung's 14-patch verifier refactor that unifies object relationship tracking and fixes a dynptr use-after-free bug, and Kuniyuki Iwashima's v3 series adding SOCK_OPS hooks for TCP AutoLOWAT. Martin KaFai Lau posted an RFC for a common mechanism to attach struct_ops programs to cgroups, which would extend TCP sock_ops callbacks to the struct_ops model. Additional highlights include Daniel Borkmann adding xattr support to bpffs, Kaitao Cheng's v11 of the bpf_list kfunc extensions, tracepoint BTF ID exposure via tracefs, and several selftest and documentation improvements.
bpf: expose signature verdict to LSMs via bpf_prog_aux
Opens the 13-patch 'Signed BPF + IPE Policies' series by plumbing the BPF program signature verdict through bpf_prog_aux so that LSM hooks can observe it. The series as a whole teaches libbpf to embed prog BTF in the loader program signature, adds a bpf_loader_verify_metadata kfunc for signature verification, hooks into the IPE policy engine to gate BPF program loads post-integrity-check, and provides selftests. Together these patches make it possible to enforce signed-BPF policies via IPE, allowing security-sensitive deployments to cryptographically verify BPF programs at load time.
bpf: Add simple xattr support to bpffs
Adds basic extended-attribute (xattr) support to bpffs, the virtual filesystem where BPF objects such as pinned maps and programs are stored. This enables userspace tooling and BPF LSM programs to attach metadata to pinned BPF objects using standard xattr interfaces. Two follow-on patches in the series add a selftest for the new API and a BPF LSM integration test using security.bpf xattr labels. The feature fills a long-standing gap that prevented bpffs objects from participating in Linux label-based access control systems.
bpf: tcp: Introduce BPF_SOCK_OPS_RCVQ_CB.
Introduces the core callback of the 11-patch TCP AutoLOWAT series (v3): BPF_SOCK_OPS_RCVQ_CB fires when data arrives in the TCP receive queue, giving a BPF program the opportunity to adjust sk_rcvlowat before the socket's wait-queue is signalled. The series also adds bpf_skb_load_bytes() support in the callback, a kfunc to set sk_rcvlowat, mutual exclusion with SOCKMAP, MPTCP rejection, and a full selftest. The feature enables protocol-aware wakeup suppression to reduce unnecessary application wake-ups on partial message delivery.
bpf: Refactor object relationship tracking and fix dynptr UAF bug
The central patch of a 14-patch verifier refactor series (v5) that unifies how the BPF verifier tracks ownership and lifetime relationships between heap objects, dynptrs, and slices. By folding ref_obj_id into the existing id field and introducing 'virtual references', the series eliminates parallel tracking structures and fixes a dynptr use-after-free bug where a dynptr derived from a file object could be used after the underlying file reference was dropped. The refactor also unifies release handling for helpers and kfuncs and adds comprehensive selftests covering the new edge cases.
bpf: Add infrastructure to support attaching struct_ops to cgroups
Core patch from a 12-patch RFC series proposing a common mechanism for attaching struct_ops BPF programs to cgroups, similar to how classic sock_ops and LSM programs attach today. The infrastructure introduces bpf_cgroup_array_* helpers and extends the bpf_cgroup_link lifecycle management. A follow-on patch in the series demonstrates the model by exposing selected tcp sock_ops callbacks as struct_ops, replacing boilerplate with type-safe function pointers. The RFC solicits feedback on the overall architecture before wider adoption.
bpf: Introduce the bpf_list_del kfunc.
Part of an 8-patch v11 series extending the BPF linked-list kfunc family. This patch adds bpf_list_del(), which removes a node from its list given a direct pointer to the node rather than requiring a container-of lookup. Companion patches in the series add bpf_list_add() (insert after a given node), bpf_list_is_first(), bpf_list_is_last(), and bpf_list_empty() kfuncs, along with the necessary verifier changes to permit non-owning list-node arguments via a new __nonown_allowed annotation. The series substantially fills the gap between the kernel's list_head API and what BPF programs can use.
bpf: Factor out stack_map build ID helpers
First patch of a 3-patch v6 series implementing a sleepable version of the stack_map build-ID resolution path. This preparatory patch extracts the build-ID lookup helpers from the existing non-sleepable code so they can be reused by the new stack_map_get_build_id_offset_sleepable() function added in the next patch. A follow-on patch eliminates faultable build-ID reads that were being performed under mm locks by deferring them to the sleepable context, fixing a latent correctness issue on systems with strict lock-ordering requirements.
tracing: Expose tracepoint BTF ids via tracefs
Adds a new tracefs file that exports the BTF type IDs for kernel tracepoints, allowing userspace tools and BPF loaders to look up tracepoint argument types without resorting to offline BTF parsing. This is a building block for generic tracepoint attachment: a BPF loader can read the BTF ID from tracefs at runtime and use it to verify argument types before attaching a program. A companion patch makes btf_get_module_btf() and btf_relocate_id() non-static so they can be called from the tracing subsystem.
bpf, docs: add LOAD_ACQUIRE and STORE_RELEASE instructions
Documents the LOAD_ACQUIRE and STORE_RELEASE atomic memory-ordering instructions in the BPF ISA specification. These instructions, which emit acquire/release barriers on architectures that support them, were added to the BPF bytecode but lacked formal documentation in the instruction set reference. This v2 addresses typos and formatting issues noted in review of the original submission, completing the documentation of BPF's atomic instruction set.
bpf: Check tail zero of bpf_common_attr using offsetofend
Lead patch of a 5-patch cleanup series for BPF syscall attribute validation. This patch corrects the tail-zero check in the common attribute structure to use offsetofend() rather than a hand-rolled calculation, closing a potential gap where new fields added at the end of the struct might bypass the zero-check. Subsequent patches fix a concurrency regression in map_create(), add OPTS_VALID() checking for log_opts, and add selftests verifying padding byte enforcement. Together the series tightens the BPF syscall ABI.
bpf: Fix concurrent regression in map_create()
Fixes a race condition in map_create() introduced by the recent BPF common-attribute refactor, where a concurrent map creation could observe partially initialized state. This v2 standalone submission extracts the fix from the larger cleanup series for faster merging. The race window is narrow but reproducible under parallel BPF program loading, making it important to land before the window of common-attribute changes closes.
bpf: fix deadlock in special field destruction in NMI
Fixes a deadlock that can occur when BPF special fields (such as bpf_spin_lock or bpf_timer) are destroyed from NMI context. The NMI handler would attempt to acquire a spinlock already held on the interrupted CPU, causing a hard lockup. The fix defers the destruction work to a safe context using an existing irq-work mechanism already present in the BPF runtime. The bug affects any workload using BPF maps with special fields on kernels that allow NMI-context BPF execution.
Generated 2026-05-26T00:00:00Z
The week of May 11-18 saw a burst of ambitious work landing in bpf-next. The single largest series was Yonghong Song's 25-patch v4 adding stack argument support for BPF-to-BPF function calls and kfuncs on both x86-64 and arm64, including verifier extensions for liveness and precision tracking. In parallel, Mykyta Yatsenko posted v4 of a resizable BPF hash map built on the kernel's rhashtable, and also introduced a tracefs interface to expose tracepoint BTF IDs. Other notable efforts include Leon Hwang's v14 extending the BPF syscall with common attributes (log size feedback for map_create and btf_load), Kaitao Cheng's v10 expanding the bpf_list kfunc family with deletion, insertion, and query primitives, and Kuan-Wei Chiu's new m68k BPF JIT plus RISC-V 32-bit atomic fixes.
bpf: Support stack arguments for BPF functions and kfuncs
This landmark 25-patch series (v4) adds support for passing arguments beyond the five-register BPF ABI via the stack, matching how native C calling conventions spill arguments on x86-64 and arm64. It introduces a new r11-based instruction class for stack-argument addressing, extends the verifier's liveness analysis and precision-backtracking engine to track stack argument slots, and implements JIT lowering for both x86 and arm64. Programs using stack arguments cannot mix with tail calls and must be JIT-compiled. The series also includes a comprehensive set of verifier and functional selftests. This unlocks calling kfuncs with more than five arguments, a long-requested capability for complex in-kernel helper use cases.
bpf: Introduce resizable hash map
This 11-patch v4 series introduces BPF_MAP_TYPE_RHASH, a new map type backed by the kernel's rhashtable that automatically resizes as elements are inserted and removed. Unlike BPF_MAP_TYPE_HASH, which requires a fixed max_entries budget, the resizable hash map amortizes rehashing over updates and avoids worst-case memory waste. The series adds rhashtable_next_key() to traverse the table during BPF iteration, wires up iterator ops and special-field support, adds a word-sized key optimization, updates libbpf and bpftool documentation, and provides benchmarks. This is a significant quality-of-life improvement for programs that manage variable-cardinality state.
bpf: Extend BPF syscall with common attributes support
Now at v14, this 8-patch series adds a common attributes block to the BPF syscall that can carry log-level settings and receive the true log size back from the kernel for prog_load, btf_load, and map_create commands. Previously only prog_load could report how much log space was actually consumed; this unifies the pattern. libbpf is updated to populate the new common attribute structure when applications set log-level parameters, and selftests verify that oversized attribute structs are correctly rejected.
bpf: Extend the bpf_list family of APIs
This v10 resend (8 patches) expands the BPF linked-list kfunc set with bpf_list_del (remove a node by pointer), bpf_list_add (insert after an arbitrary node), and bpf_list_is_first/is_last/is_empty queries. The internal __bpf_list_del and __bpf_list_add helpers are refactored to take node pointers and **prev_ptr respectively, enabling positional insertion without walking the list. Non-owning list-node arguments are permitted via a new __nonown_allowed annotation, and the node owner and link are cleared before drop to prevent dangling references.
tracing: Expose tracepoint BTF ids via tracefs
This 3-patch series exposes each tracepoint's BTF type ID through a new btf_ids file under tracefs, letting userspace tools enumerate the BTF-typed tracepoints without requiring kernel headers or parsing /sys/kernel/btf/vmlinux directly. It also exports btf_get_module_btf() and btf_relocate_id() so the tracing subsystem can resolve cross-module BTF references. A selftest verifies that the exposed IDs round-trip correctly through the BTF APIs.
bpf: Follow-up fixes for stack argument support
This 7-patch v3 series addresses post-review issues found in the stack argument feature. It adds validation of outgoing stack arguments when btf_prepare_func_args fails, fixes a verifier log message to use the correct sa (stack argument) prefix for slot tracking, cleans up redundant stack arg checks for non-JIT paths, and fixes exception unwinding on x86 when stack arguments are present. New selftests cover the case where a callee reads a stack slot that the caller never wrote.
bpf: Implement stack_map_get_build_id_offset_sleepable()
This 3-patch v5 series adds a sleepable variant of the stack map's build-ID resolution path for use in BPF programs that run in sleepable context. It avoids faultable memory reads under mm locks by deferring them to a safe window, and caches resolved build IDs to amortize repeated ELF header lookups in the same VMA region. The refactoring factors out stack_map_build_id_set_ip() to share logic between the sleepable and non-sleepable paths.
bpf: Maximum combined stack depth
This 3-patch v3 series adds a new field to BPF program info reporting the maximum combined stack depth across all subprograms reachable from the main function. Currently the kernel only reports per-subprogram stack usage, making it difficult to reason about worst-case stack consumption in programs with deep subprogram chains. A companion veristat patch surfaces the new field in its output for offline analysis, and a selftest validates the reported values against known program structures.
m68k, bpf: Add initial BPF JIT compiler support
This single-patch v3 introduces a BPF JIT for the Motorola 68000 (m68k) architecture, enabling native JIT compilation of BPF programs on m68k-based embedded systems. The JIT covers the core BPF instruction set including ALU operations, memory loads and stores, calls, and jumps. Previously m68k programs fell back to the BPF interpreter, which carries significant overhead. This makes m68k one of the more unusual architectures to gain a dedicated BPF JIT.
riscv, bpf: Fix signed operations and add 32 bit atomics
This 3-patch v2 series fixes two correctness bugs in the RISC-V 32-bit BPF JIT — BPF_SDIV/BPF_SMOD (signed division and modulo) emitted incorrect instruction sequences, and BPF_MOVSX (sign-extending move) was broken. It also adds full 32-bit atomic operation support (add, and, or, xor, xchg, cmpxchg) to the RV32 JIT, bringing it to feature parity with the 64-bit RISC-V JIT for atomic workloads.
At v6, this 6-patch series adds the bpf_icmp_send kfunc, allowing BPF programs to synthesize and transmit ICMP error messages (unreachable, time exceeded, etc.) in response to dropped packets. Two prerequisite patches move the netfilter nf_reject destination-fill helpers into core IPv4 and IPv6 to avoid a netfilter dependency. Selftests cover IPv4, IPv6, and recursion guards that prevent a BPF-triggered ICMP from itself triggering another call back into the kfunc.
bpf: align syscall writeback behavior with caller-declared size
This 2-patch series fixes an inconsistency in the BPF_PROG_QUERY syscall path where the kernel could write back more bytes into user buffers than the caller declared via attr_size, violating the extensible attribute protocol established elsewhere in the BPF syscall. The fix restricts writebacks to the declared size boundary, ensuring forward-compatibility when newer kernels communicate with older libbpf versions.
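A user-space model of the two attribute-size rules this digest describes, added here as an illustration and not taken from the kernel patches: writeback capped at the caller-declared size (the BPF_PROG_QUERY entries) and a tail-zero bound taken from offsetofend() of the last field (the bpf_common_attr entry). The struct layout, field names and function names are constructed, and the sizeof-based bound is an assumed stand-in for a hand-rolled calculation.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same idea as the kernel macro of this name: end offset of a member. */
#define offsetofend(T, m) (offsetof(T, m) + sizeof(((T *)0)->m))

/* Constructed layout (not the kernel's bpf_attr). An old caller knows the
 * struct only up to 'count'; the newer side has appended three fields. */
struct kattr {
    uint64_t ids_ptr __attribute__((aligned(8)));
    uint32_t count;     /* old callers stop here: bytes 0..11   */
    uint32_t flags;     /* newer fields                          */
    uint64_t revision;
    uint32_t extra;     /* last field ends at 28, sizeof is 32   */
};

/* Tail-zero rule: every byte the caller passed beyond the part this side
 * understands must be zero, otherwise the request is refused. */
int check_tail_zero(const unsigned char *ubuf, size_t known, size_t usize)
{
    for (size_t i = known; i < usize; i++)
        if (ubuf[i])
            return -E2BIG;
    return 0;
}

/* Copy results back to the caller. With capped != 0 the copy stops at the
 * size the caller declared; with capped == 0 it copies the full internal
 * struct, which is the behaviour the fix removes. Returns bytes written. */
size_t writeback(unsigned char *ubuf, size_t usize,
                 const struct kattr *k, int capped)
{
    size_t n = sizeof(*k);

    if (capped && usize < n)
        n = usize;
    memcpy(ubuf, k, n);
    return n;
}

/* Old caller: declares only the bytes up to 'count'. The rest of 'umem'
 * stands in for whatever the caller keeps next to its attr buffer. */
int canary_survives(int capped)
{
    unsigned char umem[64];
    size_t usize = offsetofend(struct kattr, count);
    struct kattr k;

    memset(&k, 0, sizeof(k));
    k.count = 3;
    k.flags = 1;
    k.revision = 7;
    memset(umem, 0xA5, sizeof(umem));       /* canary pattern */

    writeback(umem, usize, &k, capped);

    for (size_t i = usize; i < sizeof(umem); i++)
        if (umem[i] != 0xA5)
            return 0;                       /* adjacent memory clobbered */
    return 1;
}

/* Caller passes a full-size struct whose tail padding holds garbage.
 * 'known' is the bound the checker treats as "fields I understand". */
int tail_check(size_t known)
{
    unsigned char ubuf[sizeof(struct kattr)];

    memset(ubuf, 0, sizeof(ubuf));
    ubuf[sizeof(ubuf) - 1] = 0xFF;          /* nonzero padding byte */
    return check_tail_zero(ubuf, known, sizeof(ubuf));
}

int main(void)
{
    printf("capped writeback keeps canary:   %d\n", canary_survives(1));
    printf("uncapped writeback keeps canary: %d\n", canary_survives(0));
    printf("tail check, sizeof bound:        %d\n",
           tail_check(sizeof(struct kattr)));
    printf("tail check, offsetofend bound:   %d\n",
           tail_check(offsetofend(struct kattr, extra)));
    return 0;
}
```

With the sizeof bound the padding bytes are never inspected, so a field later placed in that space would read stale caller data; the offsetofend bound rejects the same buffer.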
Generated 2026-05-19T00:00:00Z
The week was headlined by Yonghong Song's sustained effort to add stack argument support for BPF functions and kfuncs, with v2 (23 patches) arriving mid-week and v3 (24 patches) following on Sunday, collectively touching the verifier, x86-64 and arm64 JITs, precision backtracking, and liveness analysis. Kuniyuki Iwashima introduced new BPF_SOCK_OPS hooks for TCP receive low-watermark tuning, enabling fine-grained per-socket control of sk_rcvlowat through a new kfunc. Amery Hung contributed a substantial 12-patch verifier refactor that unifies object relationship tracking and fixes a dynptr use-after-free bug. Justin Suess addressed a deadlock hazard by offloading kptr destructors invoked from NMI context to a work queue, and Yazhou Tang fixed an out-of-bounds read in bpf_patch_call_args() after ten revision cycles.
bpf: Support stack arguments for bpf functions
Core verifier patch from Yonghong Song's v3 series enabling BPF subprograms to receive arguments passed on an auxiliary stack frame when the six-register limit is exhausted. The verifier learns to validate new stack-based argument slots, track their types, and propagate liveness across call boundaries. This removes the hard six-argument ceiling for BPF-to-BPF calls and aligns the convention with native ABIs.
bpf: Add precision marking and backtracking for stack argument slots
Extends the verifier's precision backtracking engine to include stack argument slots so that state pruning remains correct when programs use the new calling convention. Without precision tracking for these slots, the verifier could incorrectly prune states and miss safety violations in programs that pass derived or constrained values as stack arguments.
bpf: Support stack arguments for kfunc calls
Extends the stack argument convention to kfunc call sites, letting kernel functions registered as kfuncs accept more than six typed arguments from BPF programs. The verifier validates each stack-passed argument against the kfunc's BTF signature, including type, size, and alignment. This is especially valuable for kfuncs with struct-typed or numerous parameters that could not previously be called with full argument sets.
bpf,x86: Implement JIT support for stack arguments
Implements x86-64 JIT code generation for the new stack argument passing convention, emitting r11-based MOV instructions to write arguments into the callee's stack area before a call. This makes the feature functional on x86-64 and serves as the reference JIT implementation for the feature across the series.
bpf: tcp: Introduce BPF_SOCK_OPS_RCVLOWAT_CB.
Adds a new BPF_SOCK_OPS_RCVLOWAT_CB callback to the SOCK_OPS framework, invoked when TCP needs to determine a socket's effective receive low watermark. This is the foundational piece of BPF-controlled TCP AutoLOWAT, allowing programs to inspect socket and buffer state and dynamically set sk_rcvlowat on a per-socket basis rather than relying on a fixed sysctl value.
bpf: tcp: Add kfunc to adjust sk->sk_rcvlowat.
Provides a kfunc callable within BPF_SOCK_OPS_RCVLOWAT_CB to write a new value back to sk_rcvlowat, completing the TCP AutoLOWAT control loop. Using a kfunc for the write-back, rather than the SOCK_OPS return value, keeps the API unambiguous and extensible. Proper BTF annotations and context guards are included to prevent misuse.
bpf: Offload kptr destructors that run from NMI
Fixes a deadlock hazard that occurs when a BPF kptr destructor is triggered from NMI context, where taking spinlocks required for safe reference-count management is prohibited. The fix defers such destructors to an IRQ work queue so they execute in a safe, non-NMI context. An NMI exerciser selftest accompanies the fix to verify correctness under stress.
bpf: Refactor object relationship tracking and fix dynptr UAF bug
Central patch in Amery Hung's 12-patch verifier refactor that unifies how the verifier tracks ownership relationships between referenced objects (kptrs, dynptrs, slices). The refactor also fixes a use-after-free bug where a dynptr's backing object could be freed while a slice pointing into it remained live. Subsequent patches extend the unified tracking to helpers and kfuncs and add regression tests.
bpf: Unify referenced object tracking in verifier
Consolidates the previously separate code paths for tracking referenced kptrs and dynptrs into a single, unified mechanism in the BPF verifier. This reduces duplication, makes it easier to reason about correctness, and lays the groundwork for future types of referenced objects to be tracked with minimal additional code.
bpf: Fix out-of-bounds read in bpf_patch_call_args()
Fixes an out-of-bounds read in bpf_patch_call_args() triggered when a BPF program has a very large number of instructions, causing the patched instruction array to be accessed beyond its allocated size. A companion patch addresses a related s16 truncation bug in call-offset encoding for large bpf-to-bpf call offsets. This is the tenth revision of the series, reflecting thorough review.
bpf: enforce VFS constraints for xattr related BPF kfuncs
Hardens the xattr BPF kfuncs by enforcing the same VFS-level constraints (capability checks, namespace restrictions, and immutability flags) that the standard getxattr/setxattr syscall path enforces. Without these checks, a BPF LSM program could read or write extended attributes that the calling process would not be permitted to access via normal syscalls. The series also adds negative selftests verifying each constraint is correctly enforced.
Generated 2026-05-12T10:00:00Z
The April 27 – May 4 week was busy across multiple BPF subsystems. The most active thread by patch volume was Ricardo B. Marlière's long-running selftests/bpf build-robustness series, which reached v11 and makes the test suite tolerate partial kernel configurations without aborting. On the JIT front, Kuan-Wei Chiu posted initial BPF JIT support for both m68k and RISC-V RV32, while Puranjay Mohan extended the arm64 JIT to handle stack arguments and contributed an XDP load-balancer benchmark suite. Matt Bobrowski addressed two xattr kfunc issues: a crash on negative dentries and a broader VFS constraint enforcement series. Kaitao Cheng's v10 of the extended bpf_list kfunc API landed new list manipulation helpers, and Paul Chaignon added per-subprogram instruction-count reporting to improve verifier diagnostics.
m68k, bpf: Add initial BPF JIT compiler support
This v2 patch adds a BPF JIT for the m68k (Motorola 68000) architecture, eliminating the interpreter fallback on that platform. The JIT maps the full core BPF ISA — ALU operations, memory access, branches, and BPF-to-BPF calls — onto m68k assembly. The v2 revision addresses register allocation and instruction selection feedback from the initial posting. Gaining a JIT on m68k is meaningful for embedded and legacy m68k systems that run Linux and want the performance benefits of native BPF execution.
bpf: enforce VFS constraints for xattr related BPF kfuncs
This v2 patch enforces standard VFS permission and existence checks inside the BPF xattr kfuncs (bpf_get_dentry_xattr, bpf_set_dentry_xattr, bpf_remove_dentry_xattr). Without this, BPF LSM hook programs could bypass capability checks and operate on dentries that userspace code cannot access. The patch aligns kfunc semantics with what the normal VFS xattr path enforces, closing an inconsistency that could be exploited for privilege escalation in LSM-heavy environments. It pairs with the negative-dentry crash fix also posted this week.
bpf: fix crash in bpf_[set|remove]_dentry_xattr for negative dentries
This v2 single-patch fix prevents a NULL dereference crash in bpf_set_dentry_xattr and bpf_remove_dentry_xattr when the supplied dentry is negative (i.e., points to a path that does not exist). Negative dentries lack an associated inode, and the kfuncs were unconditionally dereferencing d_inode without checking first. The fix adds a guard that returns -ENOENT for negative dentries, matching VFS behavior and eliminating the crash vector for any BPF program that encounters a not-yet-created path.
bpf, arm64: Add JIT support for stack arguments
This patch (v2, 2/3) implements stack-based argument passing in the arm64 BPF JIT, allowing BPF programs to call kernel functions that take more arguments than fit in the eight AArch64 argument registers. The series remaps BPF_REG_0 from x7 to x8 to free the last argument slot (patch 1), then uses the stack for spilling additional arguments (patch 2), and adds selftests that verify the calling convention on arm64 (patch 3). This unblocks kfunc authors who need to pass large structs or many parameters to helper functions from BPF on arm64.
selftests/bpf: Add XDP load-balancer benchmark
This seven-patch series adds a complete XDP load-balancer benchmark to the BPF selftests suite, including a BPF program that performs L4 load balancing, a userspace driver, a batch-timing library, a bpf-nop baseline benchmark, and a run script. The benchmark is designed to measure end-to-end XDP packet-processing throughput and latency, giving developers a reproducible way to evaluate JIT and verifier changes against a realistic XDP workload. It complements the existing map and program-focused benchmarks already in selftests/bpf.
bpf: Extend the bpf_list family of APIs
This v10 eight-patch series extends the BPF linked-list kfunc API with several new operations: bpf_list_del (remove a node from a list without freeing), bpf_list_add (insert a node after a given position), and bpf_list_is_first/last/empty (query helpers). It also introduces the __nonown_allowed annotation so non-owning list-node pointers can be passed as kfunc arguments. These additions allow BPF programs to implement more sophisticated in-kernel data structures using the existing bpf_list_head/node primitives, moving toward parity with the C linked-list API available to kernel modules.
bpf: Add LINK_DETACH support for perf link
This v3 two-patch series adds LINK_DETACH support to perf-type BPF links, enabling userspace to detach a BPF program from its perf event via the BPF_LINK_DETACH command without destroying the link object. Previously, perf links did not implement the detach operation, which prevented use cases that require temporarily suspending a BPF program attached to a perf event while keeping the link fd alive for later re-use. The selftest patch validates that a detached perf link stops delivering events and can be distinguished from a fully destroyed link.
bpf: Print breakdown of insns processed by subprogs
This v3 two-patch series makes the BPF verifier log include a per-subprogram breakdown of the instructions processed count alongside the existing aggregate figure. When a complex program composed of multiple subprograms approaches the verifier complexity limit, it can be hard to identify which subprogram is the bottleneck; the new output lines directly attribute instruction counts to each function. The companion selftest verifies the format of the new log lines. This is a developer-facing diagnostic improvement with no runtime overhead.
bpf: Fix out-of-bounds read in bpf_patch_call_args()
This v9 three-patch series fixes two related bugs in bpf_patch_call_args(): an out-of-bounds read that occurs when the insn array is grown for a large number of subprograms, and a silent s16 truncation of call offsets that overflows when a BPF-to-BPF call target is far away in the instruction stream. The OOB read can lead to kernel memory exposure; the truncation causes incorrect branch targets and potential crashes at runtime. The third patch adds a selftest with a program that generates a large call offset to act as a regression guard.
bpf: Fix NMI deadlock in referenced kptr destructors
This four-patch series fixes a deadlock that can occur when a referenced kptr's destructor is called from NMI context, where taking the locks normally acquired during BTF teardown is not safe. The fix uses rcu_work to defer BTF reference dropping out of NMI context, and limits the fields compared in btf_record_equal to avoid unnecessary lock acquisition. A selftest reproducer is included to verify that the deadlock path is closed. The bug affects any BPF program that holds a referenced kptr and is invoked from a perf NMI handler.
xskmap: reject TX-only AF_XDP sockets
This v3 single patch adds a check in xskmap insertion that rejects TX-only AF_XDP sockets (those created without an RX ring). XSK maps are used for XDP redirect, which inherently requires an RX ring to receive packets; inserting a TX-only socket previously succeeded but caused silent misbehavior at redirect time. The fix returns -EINVAL early during map update if the socket lacks an RX ring, making the error explicit and preventing subtle data-path failures in production XDP setups.
selftests/bpf: Tolerate partial builds across kernel configs
This v11 eleven-patch series makes the selftests/bpf Makefile and test runner gracefully handle builds where some BPF objects or skeleton headers could not be compiled due to missing kernel config options, rather than failing the entire build. Key changes include a BPF_STRICT_BUILD toggle, tolerating BPF and skeleton generation failures, skipping tests whose objects were not built, and tolerating missing files during install. The series allows developers and CI systems running non-standard kernel configurations (e.g., distro kernels) to still execute the subset of BPF selftests that do apply to their config.
Generated 2026-05-06T00:00:00Z
The week of April 20-27 was one of the most active bpf-next periods in recent months, with 100 patches across 19 distinct series touching nearly every layer of the BPF stack. The headline feature is Yonghong Song's 18-patch series adding full stack-argument support for BPF functions and kfuncs, complete with x86 and arm64 JIT backends, which lifts the long-standing six-argument limit. Mykyta Yatsenko drove two major features in parallel: a 10-patch resizable hash map backed by rhashtable and a 6-patch series (reaching v13) enabling sleepable tracepoint programs. On the verifier side, Eduard Zingerman continued refining the cnum-based range representation and Amery Hung posted a 9-patch series unifying dynptr object-relationship tracking and fixing a UAF bug.
bpf: Support stack arguments for bpf functions
The first patch of an 18-patch series that introduces a stack-based calling convention allowing BPF programs and kfuncs to accept more than six arguments. When a callee requires extra arguments beyond the six hardware registers, a pointer in r11 (BPF_REG_PARAMS) points to an on-stack argument area that the verifier validates. The series covers verifier liveness, precision backtracking, x86 and arm64 JIT backends, and a comprehensive test suite. This is the most significant BPF calling-convention change since the subsystem was created.
bpf: Support stack arguments for kfunc calls
Extends the stack-argument calling convention to kfunc calls, allowing kernel functions exposed via the kfunc mechanism to declare parameters beyond position six. The verifier validates that BPF programs populate the stack argument area correctly before the call and that argument types match the kfunc's BTF annotations. This removes the need to bundle excess parameters into a context struct, enabling cleaner kfunc APIs for networking, storage, and LSM use cases.
bpf,x86: Implement JIT support for stack arguments
Implements x86-64 JIT emission for the new stack-argument calling convention. The JIT allocates space in the caller's stack frame, marshals excess arguments into the argument area, passes r11 pointing to it, and tears down the area on return. Stack arguments are rejected when the BPF interpreter is in use, so this patch is the prerequisite for the feature to be enabled on x86 systems.
bpf: Implement resizable hashmap basic functions
Introduces BPF_MAP_TYPE_RHASH, a new map type backed by the kernel's rhashtable that resizes automatically as entries are inserted and deleted, eliminating the need to pre-allocate a fixed capacity. This addresses a common operational pain point where over-provisioned hash maps waste memory while under-provisioned ones drop entries under load. The 10-patch v3 series adds batch ops, iterators, timer/workqueue support, libbpf integration, and bpftool documentation.
bpf: Add sleepable support for raw tracepoint programs
The first patch of a 6-patch v13 series enabling BPF programs attached to raw and classic tracepoints to be marked as sleepable. Sleepable tracepoint programs can acquire locks, call sleeping kfuncs, and perform GFP_KERNEL allocations, unlocking use cases such as per-event kernel object allocation that are currently impossible. The series adds the verifier gating, a new bpf_prog_run_array_sleepable() helper, libbpf section handlers, and a full selftest suite.
bpf: representation and basic operations on circular numbers
Third iteration of the foundational patch introducing cnum32/cnum64 typed structs to replace the eight loose min/max scalar fields in bpf_reg_state. Circular-number semantics correctly model modular arithmetic for 32-bit sub-register range tracking, preventing a class of precision loss in the verifier. The v3 iteration incorporates reviewer feedback on the arithmetic primitives and adds more detailed correctness arguments.
bpf: range_within() must check cnum ranges instead of min/max pairs
Fixes a correctness bug in range_within(), the verifier's state-subsumption check used during state pruning: it was comparing raw min/max fields instead of the new cnum range representation, causing the pruner to incorrectly merge states that differ in circular-number range. Incorrect pruning can lead the verifier to accept programs that should be rejected. The companion patch (2/2) adds a regression test that triggers the wrong behaviour before the fix.
bpf: Unify dynptr handling in the verifier
The first patch of a 9-patch v3 series that consolidates the verifier's scattered dynptr-validation logic into a single unified code path. Previously each dynptr type (ringbuf, skb, xdp, etc.) had its own partially duplicated checks; the refactor eliminates the duplication and provides a consistent foundation for the bug fixes and new tests that follow in the series.
bpf: Refactor object relationship tracking and fix dynptr UAF bug
The core patch of the v3 dynptr series, reworking how the verifier tracks ownership relationships between BPF objects (dynptrs, slices, and the underlying memory they reference). The refactor also fixes a use-after-free bug where the verifier failed to invalidate derived dynptr slices after the parent object was freed, potentially allowing a program to access freed memory at runtime.
bpf: add bpf_init_inode_xattr kfunc for atomic inode labeling
Introduces a new kfunc that BPF LSM programs can call from the inode_init_security hook to atomically attach an xattr to an inode before it becomes visible to the rest of the system. This fills a gap for security labeling workflows that need a label to be present from the moment of first access, without races against concurrent readers. The v1 series includes selftests exercising the kfunc across multiple inode types.
bpf, x86: Granlund-Montgomery optimization for 64-bit div/mod by immediate
Applies the Granlund-Montgomery strength-reduction technique to the x86 BPF JIT to replace 64-bit integer division and modulo by compile-time immediates with a multiply-shift sequence, avoiding the expensive DIV/IDIV instructions. The optimisation can be several times faster than hardware division on modern CPUs. This is v3 of the patch, incorporating earlier feedback on overflow edge cases and negative immediate handling.
net: add missing syncookie statistics for BPF custom syncookies
Fixes missing counter increments in the network stack when BPF programs handle SYN cookies via the kfunc-based custom syncookie API, ensuring that /proc/net/netstat SYN cookie counters accurately reflect BPF-generated cookies. Without this fix, operators relying on standard Linux TCP statistics cannot detect or diagnose syncookie activity handled by BPF programs. The v3 series adds a selftest that verifies the counters increment correctly.
Generated 2026-04-28T00:00:00Z
The week of April 13–20 saw substantial activity across the BPF subsystem. The most prominent contribution was Yonghong Song's stack-arguments series (reaching v6), which enables BPF functions and kfuncs to accept more than six arguments by spilling extras onto the stack, complete with x86-64 JIT support and verifier validation. Jiri Olsa posted a 28-patch series introducing a tracing_multi link type, allowing a single BPF link to attach to multiple kernel functions simultaneously for more efficient multi-function tracing. Other notable work included Alan Maguire extending the BTF UAPI to use previously reserved bits for larger vlen and kind fields, Puranjay Mohan adding CPU time counter kfuncs for precise hardware performance measurement, and Kumar Kartikeya Dwivedi adding a mechanism for the verifier to emit non-fatal warning messages along with a deprecated kfunc annotation.
bpf: Support stack arguments for bpf functions
Adds verifier support for BPF subprogram functions to receive arguments on the stack, enabling signatures with more than the standard six register-based parameters. A new BPF_REG_PARAMS mechanism tracks stack argument state through the verifier's analysis, and the calling convention is updated to lay out excess parameters in a defined region of the caller's stack frame. This is patch 07/17 of the v6 series and is the core enabler for the rest of the stack argument work. The feature requires JIT support, and programs on interpreter-only configurations are rejected.
bpf,x86: Implement JIT support for stack arguments
Implements the x86-64 JIT backend changes needed to physically spill excess function arguments onto the stack when calling BPF subprograms or kfuncs. The JIT allocates additional stack space and emits store instructions to lay out parameters before the call site as the callee expects. This is patch 14/17 of the v6 series and is the first architecture-specific implementation, after which the feature becomes usable on x86-64 systems. Other JIT backends can follow the same pattern independently.
bpf: Add support for tracing multi link
Introduces the core kernel implementation of the tracing_multi link type, which lets a single BPF link attach a program to multiple kernel functions at once instead of requiring one link per function. The implementation reuses and extends the existing trampoline infrastructure, adding bulk attach and detach operations via new bpf_trampoline_multi_attach/detach functions. This is patch 13/28 of a 28-patch v5 series that also covers libbpf support, session semantics, cookies, fdinfo, and extensive selftests. Bulk attachment reduces per-function overhead and simplifies management of tracing programs that monitor many kernel entry points.
libbpf: Add support to create tracing multi link
Adds the libbpf API surface for creating tracing_multi links, enabling user-space programs to attach to multiple kernel functions through a single library call. The implementation resolves function names to BTF IDs and constructs the appropriate bpf_link_create attributes for the new link type. This is patch 20/28 of the tracing_multi series and depends on the earlier kernel-side implementation patches. Applications that currently loop over individual fentry/fexit attachments can migrate to this API for a simpler and more efficient interface.
bpf: Add support for verifier warning messages
Introduces a new verifier facility to emit non-fatal warning messages during program verification, separate from the existing error-only log. Warnings allow the verifier to surface advisory information—such as use of deprecated kfuncs—without failing the load. This is patch 1/4 of the v3 series; subsequent patches use the mechanism to implement the deprecated kfunc annotation. The change keeps the existing log level semantics intact and exposes the warnings through the bpf_attr verifier log interface so that libbpf and tools can display them to users.
bpf: Introduce __bpf_kfunc_mark_deprecated annotation
Adds a __bpf_kfunc_mark_deprecated macro that kernel developers can apply to kfunc definitions to signal that a function is deprecated and should not be used in new programs. When the verifier encounters a call to a deprecated kfunc it emits a warning (via the new warning infrastructure from patch 1/4) rather than rejecting the program, preserving backward compatibility. This follows a well-understood deprecation pattern familiar from other kernel annotation systems and gives BPF subsystem maintainers a clean path to phase out old kfuncs.
bpf: add bpf_get_cpu_time_counter kfunc
Introduces bpf_get_cpu_time_counter, a new kfunc that reads the raw CPU hardware time-stamp counter, providing BPF programs with a low-overhead, high-resolution time source for performance measurement. This is patch 2/6 of a 13-revision series that also adds bpf_cpu_time_counter_to_ns for converting the raw counter value to nanoseconds and includes ARM64 JIT support. The kfunc is useful for latency profiling and micro-benchmarking from within BPF programs without the overhead of a full clock_gettime call. The long revision history reflects careful review of security and portability concerns.
bpf: Extend BTF UAPI vlen, kinds to use unused bits
Expands the BTF type header to use previously reserved bits, growing the vlen field from 16 to 24 bits and the kind field to support additional type kinds. This removes a practical limit on the number of members a BTF struct or union can describe, which matters for large generated types. The patch is the first of a six-part v3 series that updates libbpf, bpftool, selftests, and documentation to match the new layout. Careful backward compatibility handling ensures existing tools and kernels can still parse older BTF blobs correctly.
bpf: Fix NULL deref in map_kptr_match_type for scalar regs
Fixes a NULL pointer dereference in map_kptr_match_type that could be triggered when a BPF program stored a scalar (non-pointer) value into a map slot typed as a kptr. The function assumed the register was always a pointer and dereferenced its type information without checking, leading to a verifier crash. The fix adds an early check that rejects the scalar store with a clear error message before the dereference occurs. The companion selftest patch (2/2) reproduces the crash to prevent regression.
libbpf: Report error when a negative kprobe offset is specified
Fixes a libbpf oversight where a negative offset for a kprobe attachment was silently forwarded to the kernel rather than rejected early with a clear error. Negative kprobe offsets are not supported and passing them produces confusing kernel-level failures. This is the third revision of the fix, refining the placement of the validation check based on earlier review feedback. Catching the invalid value in libbpf provides a much better error experience for programs that accidentally misconfigure their kprobe offsets.
arm32, bpf: Reject BPF-to-BPF calls and callbacks in the JIT
Makes the ARM32 BPF JIT explicitly reject programs that use BPF-to-BPF subprogram calls or callbacks, which the 32-bit ARM JIT does not support. Previously such programs could reach the JIT and fail in an undefined way; now they are turned away with a clear error at JIT time. This is a v2 follow-up that supersedes an earlier patch targeting only BPF_PSEUDO_CALL. Explicit rejection is preferable to a silent fallback to the interpreter, which could mask bugs and produce inconsistent performance characteristics.
selftests/bpf: fix off-by-one in bpf_cpumask_populate related selftest
Corrects an off-by-one error in a BPF selftest exercising bpf_cpumask_populate, where the loop bound caused a read one element past the intended array boundary. The bug could produce spurious failures or undefined behavior on configurations where the adjacent memory was not safely accessible. The fix is a one-line bound correction with no impact on the BPF subsystem itself. Accurate selftests are important so that CI results reflect real regressions rather than test-infrastructure noise.
Generated 2026-04-21T00:00:00Z
The week of April 6-13 on bpf-next was defined by two parallel verifier modernization efforts and a significant new calling-convention feature. Eduard Zingerman's static stack liveness analysis series (v4, 14 patches) completed its run, delivering 4-byte stack tracking granularity, a forward arg-tracking dataflow pass, and dead stack slot poisoning to strengthen initialization safety guarantees. Alexei Starovoitov simultaneously pursued a structural cleanup, splitting the monolithic verifier.c into focused modules across four revision rounds. On the feature side, Yonghong Song's v4 18-patch series brings stack-based argument passing to BPF functions and kfuncs, backed by x86_64 JIT support, while Emil Tsalapatis pushed the arena memory library to v7 with a buddy allocator and ASAN runtime.
The culmination of Zingerman's v4 static stack liveness series (14 patches), this patch uses the results of the new forward arg-tracking dataflow analysis to poison BPF stack slots that are written but never subsequently read. Poisoning dead slots causes the verifier to reject programs that rely on uninitialized stack memory, closing a class of subtle bugs where stale values could influence program behavior. The series builds on 4-byte stack granularity tracking, (callsite, depth)-keyed func_instances, and a new forward liveness API introduced in earlier patches.
bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars
Fixes a verifier state-pruning correctness bug where the regsafe() check failed to account for base ID consistency when comparing two BPF_ADD_CONST scalar registers. Without this fix, the verifier could incorrectly declare two program states as equivalent and prune a branch that should have been explored, potentially accepting a program that reads out-of-bounds. A companion selftest is included to exercise the specific code path.
bpf: Split fixup/post-processing logic from verifier.c into fixups.c
The opening patch of Starovoitov's v4 verifier.c split series moves fixup and post-processing logic out of the monolithic verifier.c into fixups.c. Over four revision rounds this week the series also spun out liveness.c, cfg.c, states.c, backtrack.c, and check_btf.c, dramatically reducing the size of verifier.c and making each subsystem independently reviewable. The refactoring is behavior-preserving and comes with no functional changes.
bpf: Support stack arguments for bpf functions
The core verifier patch of Song's v4 18-patch series teaches the BPF verifier to validate stack-based arguments at BPF-to-BPF call sites, extending the calling convention beyond the five-register limit. A new BPF_REG_STACK_ARG_BASE register is introduced for addressing arguments passed on the caller's stack, and the verifier enforces that stack arguments are only used in JITed programs not reachable through tail calls. This enables BPF functions and kfuncs to accept more than five arguments.
bpf,x86: Implement JIT support for stack arguments
The x86_64 JIT backend patch in Song's stack-arguments series emits code to correctly marshal arguments placed on the caller's stack frame at BPF function call boundaries. Arguments beyond the five-register window are addressed via BPF_REG_STACK_ARG_BASE and copied into the appropriate stack location before the call. This patch completes the end-to-end implementation for x86_64, with negative tests for unsupported configurations included in the selftest series.
bpf: Allow instructions with arena source and non-arena dest registers
The first substantive verifier patch in Tsalapatis's v7 arena library series relaxes a restriction on mixed arena/non-arena arithmetic so that result values can be plain scalars or non-arena pointers. This is needed to support the user-space arena library code, which frequently mixes pointer types in address calculations. The v7 series accompanying it adds a buddy allocator, ASAN runtime, and a comprehensive libarena selftest suite.
bpf: Fix Null-Pointer Dereference in kernel_clone() via BPF fmod_ret on security_task_alloc
This v3 bug fix addresses a null-pointer dereference triggered when a BPF fmod_ret program attached to the security_task_alloc hook returns non-zero, causing kernel_clone() to proceed with a partially-initialized task struct. The fix adds the missing return-value check so the error path is taken before the null dereference, and a selftest verifies correct behavior. This patch appeared as v2 earlier in the week and was refined to v3 by April 11.
bpf: Move constants blinding out of arch-specific JITs
The first patch in Xu Kuohai's v13 5-patch series consolidates JIT constant blinding into the architecture-independent BPF core, removing per-arch duplication. The series' broader goal is to enable all JIT backends to emit ENDBR (x86) and BTI (AArch64) instructions for indirect call targets, strengthening CFI on those architectures. Earlier patches in the series abstract the blinding so that the arch-specific CFI instruction emission can slot in cleanly.
bpf: Use kmalloc_nolock() universally in local storage
Converts BPF local storage allocation paths to use the recently introduced kmalloc_nolock() variant, which avoids lock acquisition and improves performance in the common case where the per-CPU slab is warm. A companion patch in the same v2 series removes now-unnecessary gfp_flags plumbing from bpf_local_storage_update(). The series also fixes a selftest that was inadvertently tracing kmalloc calls and would be perturbed by the allocation strategy change.
bpf: add missing fsession to the verifier log
Adds the BPF_TRACE_FSESSION attach type to the verifier's attach-type log output, which omitted it despite the type being defined. Two companion patches in the v3 series fix the same omission in the BPF documentation and bpftool's usage text. This is a purely cosmetic/correctness fix with no change to runtime behavior.
Generated 2026-04-14T00:00:00Z
The week of March 30 - April 6 saw heavy activity around BPF verifier improvements and calling convention extensions. Yonghong Song iterated through three versions of stack argument support for BPF functions and kfuncs, culminating in v3 with a new BPF_REG_STACK_ARG_BASE register and x86_64 JIT implementation. Alexei Starovoitov continued refining prep patches for static stack liveness analysis, reaching v5 with subprogram topological ordering and constant-register computation passes that will enable smarter stack slot tracking. Additional highlights include Emil Tsalapatis introducing a full arena library and runtime, Xu Kuohai reaching v12 for emitting ENDBR/BTI instructions at indirect JIT jump targets, Chengkaitao refactoring how the verifier dispatches kfunc checks via a new BPF_VERIF_KFUNC_DEF mechanism, and Paul Chaignon fixing verifier invariant violations discovered by syzbot.
bpf: Introduce bpf register BPF_REG_STACK_ARG_BASE
Introduces BPF_REG_STACK_ARG_BASE, a new virtual BPF register serving as the base pointer for stack-allocated function arguments. This is the foundation of the 11-patch v3 series enabling BPF functions and kfuncs to receive arguments too large for the six general-purpose argument registers. The register is handled specially by both the verifier and x86_64 JIT backend to allocate, track, and validate stack argument slots. The series also includes selftests for BPF-to-BPF calls, kfunc calls, and negative cases for oversized arguments.
bpf: Add helper and kfunc stack access size resolution
The final patch in Alexei Starovoitov's v5 'Prep patches for static stack liveness' series adds helper and kfunc stack access size resolution, which the upcoming static liveness analysis will use. The series as a whole sorts subprograms in topological order after check_cfg(), adds bpf_compute_const_regs() and bpf_prune_dead_branches() verifier passes, and moves verifier helpers to a shared header. Together these changes lay the groundwork for tracking which stack slots are actually live, reducing unnecessary spill/fill overhead.
bpf: Upgrade scalar to PTR_TO_ARENA on arena pointer addition
The first patch in the v3 'Introduce arena library and runtime' series teaches the verifier to promote a scalar register to PTR_TO_ARENA when it is added to an arena pointer. The broader 9-patch series introduces a libarena scaffolding with an ASAN-compatible runtime, a buddy allocator implementation, and comprehensive selftests. This infrastructure enables BPF programs using memory arenas to benefit from proper pointer type tracking and arena-aware address sanitization during testing.
bpf, x86: Emit ENDBR for indirect jump targets
Part of Xu Kuohai's v12 series adding Intel CET ENDBR (x86) and ARM64 BTI instructions at indirect JIT jump targets to harden BPF programs against control-flow hijacking. A companion patch adds a helper to detect indirect jump targets during JIT compilation, and another passes bpf_verifier_env to the JIT so it has the information needed to insert these instructions. The series also moves constant blinding out of arch-specific JITs into a shared location to simplify future JIT backends.
bpf: Introduce BTF_SET/ID_SUB and BPF_VERIF_KFUNC_DEF
Introduces BTF_SET/ID_SUB and BPF_VERIF_KFUNC_DEF macros that allow kfunc sets to embed their own verifier check callbacks, replacing the existing flat dispatch table used by the verifier. This refactor makes it easier to add verifier logic for new kfuncs without touching central verifier files. A follow-on patch converts the rbtree kfuncs to use the new mechanism, demonstrating the pattern.
bpf: Refactor reg_bounds_sanity_check
This is the first patch in Paul Chaignon's v3 'Fix invariant violations and improve branch detection' series, which addresses syzbot-reported verifier invariant violations. The series refactors reg_bounds_sanity_check, adds early exit for invalid reg_bounds_sync inputs, simulates branches to prune paths with range violations, and removes incorrect invariant-violation flags from selftests. These fixes improve verifier correctness when dealing with edge cases in register range tracking.
libbpf: Auto-upgrade kprobes to multi-kprobes when supported
Part of an RFC v3 series that transparently upgrades single kprobe and uprobe attachments to their multi-kprobe/multi-uprobe equivalents when the kernel supports them. A new FEAT_KPROBE_MULTI_LINK feature probe is added to libbpf to detect kernel support at runtime. This allows BPF programs written against the single-attach API to silently benefit from the performance improvements of multi-attach without any code changes.
bpf: Do not ignore offsets for loads from insn_arrays
Fixes a bug where the BPF verifier ignored non-zero offsets when loading values from instruction arrays, causing incorrect value reads. The fix ensures the offset is properly factored into the load address computation in the verifier's constant propagation path. A companion patch adds regression tests covering a variety of offset values to prevent recurrence.
pull-request: bpf-next 2026-04-01
Martin KaFai Lau's bpf-next pull request for April 1, 2026, consolidating the accumulated bpf-next changes for submission to Linus's tree. Pull requests like this mark a significant milestone in the development cycle, bundling verifier improvements, new helpers, libbpf changes, and selftests accumulated since the previous pull.
bpf: Refactor dynptr mutability tracking
Refactors how the BPF verifier tracks dynptr mutability, consolidating the immutability flag into the dynptr state representation for cleaner handling. This v2 patch simplifies the code paths that check whether a dynptr may be written through, reducing the risk of correctness issues when new dynptr types are added. The change is internal to the verifier with no user-visible behavior change.
Generated 2026-04-06T10:13:03Z
May 2026 saw substantial forward momentum in the BPF subsystem, with the activity concentrated in the final week. The most ambitious contribution is Jiri Olsa's 29-patch bpf tracing_multi link series (v6), which introduces a new link type enabling a single BPF tracing program to be attached atomically to many kernel functions, dramatically reducing per-function attachment overhead. Alexei Starovoitov advanced BPF arena memory management by introducing SLUB-backed kfuncs for arena allocation, pairing with Emil Tsalapatis's work to minimize the annotation burden on arena programs through verifier improvements that propagate arena pointer types across subprogram boundaries. Mykyta Yatsenko drove two major initiatives: a v5 resizable hash map backed by the kernel's rhashtable, and an RFC fixing an NMI/tracepoint re-entry deadlock in LRU map locking. Amery Hung's v6 verifier object relationship refactor unified dynptr and kptr tracking and fixed a dynptr use-after-free bug, while Daniel Borkmann contributed a series of signed loader integrity fixes and Eduard Zingerman submitted an RFC improving verifier diagnostics when the 1M instruction budget is exhausted.
bpf: Implement resizable hashmap basic functions
Implements the core lookup, update, and delete operations for a new BPF_MAP_TYPE_RHASH resizable hash map backed by the kernel's rhashtable infrastructure. Unlike fixed-size BPF hash maps, this map type can resize its bucket array at runtime as element count changes, removing the need to over-provision capacity at creation time. The 11-patch v5 series includes rhashtable API additions, iterator support, special field handling, word-sized key optimizations, and bpftool documentation.
bpf: Add support for tracing multi link
Introduces BPF_LINK_TYPE_TRACING_MULTI, a new link type that attaches a single BPF tracing program to multiple kernel functions in a single syscall, replacing the cost of N individual fentry/fexit links. The kernel adds multi-attach/detach trampoline infrastructure, new multi tracing attach types, and session/cookie support. The 29-patch v6 series also adds full libbpf API support, benchmark tests, and thorough selftests covering attach failures, rollback, and intersection semantics.
bpf,slab: Add slub-backed allocator for bpf_arena
Adds a SLUB-backed per-object allocator for bpf_arena that exposes kmem_cache_alloc/free semantics to BPF programs via new kfuncs, enabling efficient arena-based data structures without manual slab management. The implementation introduces arena-aware nolock variants of kmem_cache operations to prevent deadlocks in BPF's non-preemptible contexts. This is the core of Starovoitov's 4-patch v2 series.
bpf: Refactor object relationship tracking and fix dynptr UAF bug
Refactors the BPF verifier's handling of object relationships (dynptrs, slices, kptrs) by introducing a unified parent-child ownership model and fixes a use-after-free bug where a dynptr slice remained accessible after its parent dynptr was freed. The unified infrastructure also correctly propagates invalidation across call frames, fixing a dynptr ref-count scanning bug. This is patch 5/13 of Amery Hung's v6 series.
bpf: Allow subprogs to return arena pointers
Teaches the BPF verifier to recognize arena pointer types returned from subprograms by parsing the "arena" BTF type tag on return types, so callers no longer need to re-annotate returned pointers. The change removes the last common source of required __arg_arena annotations and is accompanied by a codebase-wide cleanup removing those annotations from selftests. This is the verifier core patch of Emil Tsalapatis's 5-patch v2 series.
bpf: Reject exclusive maps as inner maps in map-in-map
Prevents exclusive maps from being nested as inner maps in map-in-map types, closing a path by which the map-in-map lookup could distribute exclusive map references without the signed loader's ownership checks. The v2 7-patch series also drops a redundant hash_buf from map_get_hash, adds libbpf-side enforcement for exclusive metadata maps in the signed loader, and adds selftests for both constraints.
bpf: Fix NMI/tracepoint re-entry deadlock on lru locks
RFC patch replacing the raw spinlock in LRU hash map operations with an rqspinlock, which records the interrupted CPU context so that NMI or tracepoint re-entry on the same CPU does not deadlock when the BPF program itself accesses the LRU map. The 3-patch series also refreshes the LRU state machine diagram and adds a stress test for the recovery path.
bpf: report hot simulated callchains when 1M instructions limit is met
RFC patch that records and reports the most frequently simulated call chains during BPF verification, emitting them as diagnostics when the verifier exhausts its 1M instruction budget. A companion patch adds register diff summaries for hot callchains to help pinpoint why state merging fails to converge. This 6-patch RFC (v3) addresses a significant usability gap when developing large BPF programs.
bpf: fix BPF_PROG_QUERY OOB write and cgroup backward compat
Fixes an out-of-bounds write in BPF_PROG_QUERY where the kernel wrote back more bytes than the user-declared uattr size, potentially corrupting user memory adjacent to the attr struct. The fix caps writeback to the user-declared size and restores backward compatibility for older cgroup query layouts. A companion patch adds boundary verification tests.
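A user-space model of the writeback cap described above, added here as an illustration and not taken from the patch or the kernel. The struct layouts, field names, function names and sample values are hypothetical; the "user memory" is a constructed buffer with a canary fill standing in for the caller's adjacent data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layouts for illustration; not the kernel's union bpf_attr. */
struct query_old {              /* layout an older user binary was built with */
    uint32_t target_fd;
    uint32_t attach_type;
    uint32_t prog_cnt;
};
struct query_new {              /* layout the current "kernel" side fills in */
    uint32_t target_fd;
    uint32_t attach_type;
    uint32_t prog_cnt;
    uint32_t revision;          /* constructed field appended in a later layout */
};

#define CANARY 0xA5u
#define USER_MEM_SIZE 64u

/* Simulated user memory: attr at offset 0, unrelated caller data after it. */
struct user_mem { unsigned char bytes[USER_MEM_SIZE]; };

/* Pre-fix behaviour as summarised: write back the whole kernel-side struct. */
static size_t writeback_uncapped(struct user_mem *m, size_t usize,
                                 const struct query_new *k)
{
    (void)usize;                /* declared size is ignored: this is the bug */
    memcpy(m->bytes, k, sizeof(*k));
    return sizeof(*k);
}

/* Fixed behaviour: never write past the size the caller declared. */
static size_t writeback_capped(struct user_mem *m, size_t usize,
                               const struct query_new *k)
{
    size_t n = usize < sizeof(*k) ? usize : sizeof(*k);
    memcpy(m->bytes, k, n);
    return n;
}

/* Bytes beyond the declared attr size that no longer hold the canary. */
static size_t clobbered_past(const struct user_mem *m, size_t usize)
{
    size_t n = 0;
    for (size_t i = usize; i < USER_MEM_SIZE; i++)
        if (m->bytes[i] != CANARY)
            n++;
    return n;
}

/* Run one query against fresh user memory; return bytes corrupted past usize. */
static size_t run_query(int capped, size_t usize, uint32_t *prog_cnt_seen)
{
    struct user_mem m;
    struct query_new k = { .target_fd = 3, .attach_type = 1,
                           .prog_cnt = 2, .revision = 0x11223344u };

    memset(m.bytes, CANARY, sizeof(m.bytes));
    if (capped)
        writeback_capped(&m, usize, &k);
    else
        writeback_uncapped(&m, usize, &k);
    /* An old caller still gets the fields that fit inside its layout. */
    memcpy(prog_cnt_seen, m.bytes + offsetof(struct query_old, prog_cnt),
           sizeof(*prog_cnt_seen));
    return clobbered_past(&m, usize);
}

int main(void)
{
    uint32_t cnt = 0;
    size_t old = sizeof(struct query_old);
    size_t bad = run_query(0, old, &cnt);
    size_t good = run_query(1, old, &cnt);
    printf("uncapped: %zu bytes clobbered past the declared size\n", bad);
    printf("capped:   %zu bytes clobbered, prog_cnt=%u\n", good, cnt);
    return 0;
}
```

The same `min(declared, kernel)` length also covers a caller that declares a larger struct than the kernel side knows about, since the copy then stops at the kernel-side size.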
bpf: Take mmap_lock in zap_pages()
Fixes a missing mmap_lock acquisition in the bpf_arena zap_pages() path, which unmaps arena pages from user space. Without the lock, concurrent mmap operations could race with page zapping and corrupt the process address space. This is a standalone single-patch fix to the arena memory management path.
bpf: reject overlarge global subprog argument sizes
Adds a verifier check that rejects global subprograms whose by-value struct arguments would produce a combined frame larger than BPF's maximum stack size. Without this guard, such programs could pass verification and then overflow the stack at runtime. This v3 single-patch fix closes a gap in the global subprog stack-frame validation.
bpf: MAINTAINERS: Update bpf maintainers
Updates the MAINTAINERS file to reflect changes in the BPF subsystem maintainer list. MAINTAINERS updates are a notable signal of organizational changes in a subsystem and affect who receives patch submissions and review requests via the get_maintainer.pl script.
Generated 2026-06-02T00:00:00Z
April 2026 was an active month for the bpf-next mailing list, with 100 patches across 25 series. The month was headlined by Kaitao Cheng's extended bpf_list kfunc API and Ricardo B. Marlière's substantial rework of the BPF selftests build system, the latter reaching its eleventh revision. JIT work was broad: Kuan-Wei Chiu added initial m68k BPF JIT support and fixed the RV32 JIT, while Puranjay Mohan added stack argument support to the arm64 JIT and contributed a new XDP load-balancer benchmark. LSM-related activity saw two new xattr kfuncs for atomic inode labeling and fixes for negative dentry crashes, and the verifier gained per-subprogram instruction count reporting from Paul Chaignon.
bpf: refactor __bpf_list_del to take list node pointer
First patch of an 8-part series (v10) extending the BPF linked-list kfunc API with new operations closer to the kernel's native list_head API. The series adds bpf_list_del (remove a node without knowing the head), bpf_list_add (insert after a given node), bpf_list_is_first/last/empty query kfuncs, and introduces __nonown_allowed annotations to permit non-owning reference arguments. These additions enable richer data structure manipulation in BPF programs and reflect extensive iteration on ownership semantics across the ten review rounds.
bpf, arm64: Map BPF_REG_0 to x8 instead of x7
First patch of a 3-part series (v2) enabling the arm64 BPF JIT to support functions with more than eight arguments via stack-based argument passing per the AArch64 calling convention. This initial patch remaps BPF_REG_0 from x7 to x8 to free the register slot needed for stack argument setup. Subsequent patches add JIT emission for stack arguments and update selftests to exercise the new path on arm64. This unblocks BPF programs that call kfuncs or helpers with many parameters on arm64 hardware.
selftests/bpf: Add bench_force_done() for early benchmark completion
First patch of a 7-part series adding an XDP load-balancer benchmark to the BPF selftests suite. The series contributes a hash-based XDP load-balancing BPF program, a batch-timing library for precise measurement, a userspace benchmark driver, and a shell script for automated benchmark runs. A bpf-nop benchmark is also added to establish a timing overhead baseline. This fills a significant gap in performance tooling for XDP-based packet processing programs in the upstream test suite.
m68k, bpf: Add initial BPF JIT compiler support
Introduces the first BPF JIT compiler for the m68k (Motorola 68000) architecture, bringing JIT acceleration to m68k systems running Linux. Before this patch, BPF programs on m68k ran exclusively through the interpreter. The JIT covers the core BPF instruction set and follows the established pattern of other architecture JIT implementations. This benefits embedded and retro computing platforms using m68k processors.
riscv, bpf: Fix support for BPF_SDIV and BPF_SMOD in RV32 JIT
First patch of a 3-part series fixing and extending the RISC-V 32-bit BPF JIT. The patches correct incorrect code generation for signed division and modulo (BPF_SDIV/BPF_SMOD) and sign-extend moves (BPF_MOVSX), then add support for 32-bit atomic operations. The correctness fixes prevent silent arithmetic errors in BPF programs using signed integer division on RV32 platforms, and 32-bit atomic support expands the range of lock-free data structure operations available to BPF programs on RV32.
bpf: Fix out-of-bounds read in bpf_patch_call_args()
First patch of a 3-part series (v9) fixing two bugs in bpf_patch_call_args(): an out-of-bounds array read when the patch buffer is exhausted, and silent truncation of large BPF-to-BPF call offsets that do not fit in a signed 16-bit field. The truncation bug can produce incorrect branch targets in large BPF programs, leading to incorrect behavior or crashes at runtime. The series includes a selftest that specifically exercises the large-offset scenario to prevent regression.
bpf: Limit fields used in btf_record_equal comparisons
First patch of a 4-part series fixing a deadlock that occurs when a referenced kptr's destructor is invoked from NMI context while a spinlock is already held on the same CPU. The series limits unnecessary fields compared in btf_record_equal, defers BTF teardown via rcu_work to avoid NMI-unsafe locking, and directly fixes the kptr destructor deadlock path. A selftest reproducer for the NMI deadlock scenario is included as the final patch.
bpf: Print breakdown of insns processed by subprogs
Extends the BPF verifier's log to emit per-subprogram instruction counts rather than only an aggregate total. This gives developers visibility into which subprograms are driving verification complexity in large multi-subprog BPF programs, making it much easier to diagnose and fix programs that approach the verifier instruction limit. This v3 refines the log format based on reviewer feedback and is paired with a selftest that validates the new output lines.
bpf: add bpf_init_inode_xattr kfunc for atomic inode labeling
Introduces bpf_init_inode_xattr, a new kfunc allowing BPF LSM programs to atomically set an extended attribute on an inode during its initialization, before it becomes visible to other processes. This fills a race window in bpf_set_dentry_xattr where a label could be missing briefly after inode creation. The kfunc is intended for security labeling use cases where the label must be present from the very first access to the inode, and a selftest verifies the behavior in a BPF LSM context.
bpf: fix crash in bpf_[set|remove]_dentry_xattr for negative dentries
Fixes a null pointer dereference crash in bpf_set_dentry_xattr and bpf_remove_dentry_xattr when called with a negative dentry that has no associated inode. BPF LSM programs that walk filesystem paths can encounter negative dentries for non-existent files, and both kfuncs previously lacked a guard for this case. This v2 adds the necessary check to reject negative dentries early, preventing the crash without changing behavior for positive dentries.
selftests/bpf: Add BPF_STRICT_BUILD toggle
First patch of an 11-part series (v11) reworking the BPF selftests Makefile to handle partial kernel configurations gracefully. The series introduces BPF_STRICT_BUILD to toggle strict vs. tolerant behavior, adds skip logic for tests whose BPF objects were not compiled, fixes KDIR handling for distro out-of-tree builds, and tolerates BPF skeleton generation and benchmark build failures. The extensive revision history reflects the complexity of making the selftests build system robust across the wide variety of kernel configurations encountered in practice.
selftests/bpf: Add arena ASAN runtime to libarena
Part of a v9 series developing the libarena memory allocator library for BPF selftests. This patch adds ASAN (AddressSanitizer) runtime support so that arena-backed allocations can be checked for memory safety errors during testing. Later patches in the series add a buddy allocator backend for libarena and associated selftests. The arena library provides a structured mechanism for BPF programs to manage large memory regions backed by BPF arena maps.
xskmap: reject TX-only AF_XDP sockets
Adds a validation check to reject TX-only AF_XDP sockets from being inserted into an XSKMAP. TX-only sockets do not have a receive queue and cannot process XDP_REDIRECT actions, so permitting them in the map leads to silent packet drops that are difficult to diagnose. This v3 enforces the restriction at map insertion time with a clear EINVAL error, preventing misconfiguration of AF_XDP-based packet processing pipelines.
net: add missing syncookie statistics for BPF custom syncookies
Fixes missing syncookie statistics when BPF programs handle SYN cookies via the custom syncookie interface. Without this fix, counters such as TcpExtSyncookiesRecv were not incremented for BPF-managed connections, making it impossible to distinguish BPF SYN flood mitigation from standard kernel behavior through standard statistics tooling like netstat or /proc/net/netstat. A selftest validates that the correct counters are updated when a BPF custom syncookie program handles a connection.
Generated 2026-05-02T10:30:00Z