From: Linus Torvalds Date: Wed, 17 Jun 2026 08:18:14 +0000 (+0100) Subject: Merge tag 'bpf-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf... X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9c87e61e3c5797277407ba5eae4eac8a52be3fa3;p=thirdparty%2Fkernel%2Flinux.git Merge tag 'bpf-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next Pull bpf updates from Alexei Starovoitov: "Major changes: - Recover from BPF arena page faults using a scratch page and add ptep_try_set() for lockless empty-slot installs on x86 and arm64. This allows BPF kfuncs to access arena pointers directly. The 'arena_direct_access' stable branch was created for this work and was pulled into sched-ext and bpf-next trees (Tejun Heo, Kumar Kartikeya Dwivedi) - Lift old restriction and support 6+ arguments in BPF programs and kfuncs on x86 and arm64 (Yonghong Song, Puranjay Mohan) Other features and fixes: - Add 24-bit BTF vlen and reclaim unused bits in the BTF UAPI to ease addition of new BTF kinds (Alan Maguire) - Raise the maximum BPF call chain depth from 8 to 16 frames (Alexei Starovoitov) - Refactor object relationship tracking in the verifier and fix a dynptr use-after-free bug (Amery Hung) - Harden the signed program loader and reject exclusive maps as inner maps (Daniel Borkmann) - Replace the verifier min/max bounds fields with a circular number (cnum) representation and improve 32->64 bit range refinements (Eduard Zingerman) - Introduce the arena library and runtime (libarena) with a buddy allocator, rbtree and SPMC queue data structures, ASAN support and a parallel test harness. Allow subprograms to return arena pointers and switch to a BTF type-tag based __arena annotation (Emil Tsalapatis) - Cache build IDs in the sleepable stackmap path and avoid faultable build ID reads under mm locks (Ihor Solodrai) - Introduce the tracing_multi link to attach a single BPF program to many kernel functions at once. Allow specifying the uprobe_multi target via FD (Jiri Olsa) - Extend the bpf_list family of kfuncs with bpf_list_add/del(), and bpf_list_is_first/is_last/empty() (Kaitao Cheng) - Extend the BPF syscall with common attributes support for prog_load, btf_load and map_create (Leon Hwang) - Wrap rhashtable as BPF map (Mykyta Yatsenko, Herbert Xu) - Add sleepable support for tracepoint programs and fix deadlocks in LRU map due to NMI reentry (Mykyta Yatsenko) - Fix OOB access in bpf_flow_keys, fix nullness analysis of inner arrays, enforce write checks for global subprograms (Nuoqi Gui) - Report the maximum combined stack depth and print a breakdown of instructions processed per subprogram (Paul Chaignon) - Add an XDP load-balancer benchmark and arm64 JIT support for stack arguments (Puranjay Mohan) - Add kfuncs to traverse over wakeup_sources (Samuel Wu) - Allow sleepable BPF programs to use LPM trie maps directly (Vlad Poenaru) - Many more fixes and cleanups across the verifier, BTF, sockmap, devmap, bpffs, security hooks, s390/riscv/loongarch JITs, rqspinlock, libbpf, bpftool, selftests" * tag 'bpf-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next: (336 commits) selftests/bpf: Work around llvm stack overflow in crypto progs selftests/bpf: add test for bpf_msg_pop_data() overflow bpf, sockmap: fix integer overflow in bpf_msg_pop_data() bounds check sockmap: Fix use-after-free in udp_bpf_recvmsg() bpf, sockmap: keep sk_msg copy state in sync bpf, sockmap: Fix wrong rsge offset in bpf_msg_push_data() bpf, sockmap: reject overflowing copy + len in bpf_msg_push_data() selftsets/bpf: Retry map update on helper_fill_hashmap() selftests/bpf: Add test for sleepable lsm_cgroup rejection selftests/bpf: Add test to verify the fix for bpf_setsockopt() helper bpf: Fix bpf_get/setsockopt to tos for ipv4-mapped ipv6 socket selftests/bpf: Avoid static LLVM linking for cross builds selftests/bpf: Use common CFLAGS for urandom_read selftests/bpf: Initialize operation name before use tools/bpf: build: Append extra cflags libbpf: Initialize CFLAGS before including Makefile.include bpftool: Append extra host flags bpftool: Avoid adding EXTRA_CFLAGS to HOST_CFLAGS bpftool: Pass host flags to bootstrap libbpf selftests/bpf: correct CONFIG_PPC64 macro name in comment ... --- 9c87e61e3c5797277407ba5eae4eac8a52be3fa3 diff --cc include/linux/bpf.h index 64efc3fdb7163,56f5da2b437f9..7719f65284456 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@@ -31,7 -32,8 +32,9 @@@ #include #include #include +#include + #include + #include #include struct bpf_verifier_env; diff --cc kernel/bpf/inode.c index c3f79b5a2f8c0,188c774a469ca..7837968c0842c --- a/kernel/bpf/inode.c +++ b/kernel/bpf/inode.c @@@ -842,9 -768,12 +842,13 @@@ static void bpf_destroy_inode(struct in if (!bpf_inode_type(inode, &type)) bpf_any_put(inode->i_private, type); + simple_xattrs_free(&opts->xa_cache, &bi->xattrs, NULL); } + /* + * Called after RCU grace period - safe to free inode and anything + * that might be accessed by RCU pathwalk (inode fields, i_link). + */ static void bpf_free_inode(struct inode *inode) { if (S_ISLNK(inode->i_mode)) diff --cc net/core/filter.c index 40037413dd4ec,126aba56f1c07..2e96b4b847ce1 --- a/net/core/filter.c +++ b/net/core/filter.c @@@ -2654,6 -2654,38 +2654,37 @@@ static void sk_msg_reset_curr(struct sk } } + static bool sk_msg_elem_is_copy(const struct sk_msg *msg, u32 i) + { + return test_bit(i, msg->sg.copy); + } + + static void sk_msg_clear_elem_copy(struct sk_msg *msg, u32 i) + { + __clear_bit(i, msg->sg.copy); + } + -static void sk_msg_set_elem_copy(struct sk_msg *msg, u32 i) ++static void sk_msg_set_elem_copy(struct sk_msg *msg, u32 i, bool sg_copy) + { - __set_bit(i, msg->sg.copy); ++ __assign_bit(i, msg->sg.copy, sg_copy); + } + + static void sk_msg_clear_copy_range(struct sk_msg *msg, u32 start, u32 end) + { + while (start != end) { + sk_msg_clear_elem_copy(msg, start); + sk_msg_iter_var_next(start); + } + } + + static void sk_msg_sg_move(struct sk_msg *msg, u32 dst, u32 src) + { + msg->sg.data[dst] = msg->sg.data[src]; - if (sk_msg_elem_is_copy(msg, src)) - sk_msg_set_elem_copy(msg, dst); - else - sk_msg_clear_elem_copy(msg, dst); ++ ++ sk_msg_set_elem_copy(msg, dst, ++ sk_msg_elem_is_copy(msg, src)); + } + static const struct bpf_func_proto bpf_msg_cork_bytes_proto = { .func = bpf_msg_cork_bytes, .gpl_only = false, @@@ -2733,7 -2765,6 +2764,7 @@@ BPF_CALL_4(bpf_msg_pull_data, struct sk poffset += len; sge->length = 0; put_page(sg_page(sge)); - __clear_bit(i, msg->sg.copy); ++ sk_msg_clear_elem_copy(msg, i); sk_msg_iter_var_next(i); } while (i != last_sge); @@@ -2910,7 -2951,10 +2951,7 @@@ BPF_CALL_4(bpf_msg_push_data, struct sk while (i != msg->sg.end) { msg->sg.data[i] = sge; - __assign_bit(i, msg->sg.copy, sge_copy); - if (sge_copy) - sk_msg_set_elem_copy(msg, i); - else - sk_msg_clear_elem_copy(msg, i); ++ sk_msg_set_elem_copy(msg, i, sge_copy); sge = nsge; sge_copy = nsge_copy; sk_msg_iter_var_next(i); @@@ -2935,8 -2979,12 +2976,9 @@@ place_new get_page(sg_page(&rsge)); sk_msg_iter_var_next(new); msg->sg.data[new] = rsge; - __assign_bit(new, msg->sg.copy, rsge_copy); - if (rsge_copy) - sk_msg_set_elem_copy(msg, new); - else - sk_msg_clear_elem_copy(msg, new); ++ sk_msg_set_elem_copy(msg, new, rsge_copy); } + sk_msg_clear_elem_copy(msg, msg->sg.end); sk_msg_reset_curr(msg); sk_msg_compute_data_pointers(msg); @@@ -2984,7 -3031,10 +3025,7 @@@ static void sk_msg_shift_right(struct s while (i != msg->sg.end) { msg->sg.data[i] = sge; - __assign_bit(i, msg->sg.copy, sge_copy); - if (sge_copy) - sk_msg_set_elem_copy(msg, i); - else - sk_msg_clear_elem_copy(msg, i); ++ sk_msg_set_elem_copy(msg, i, sge_copy); sk_msg_iter_var_next(i); sge = tmp; sge_copy = tmp_copy; @@@ -3063,7 -3114,10 +3105,7 @@@ BPF_CALL_4(bpf_msg_pop_data, struct sk_ sg_set_page(nsge, sg_page(sge), b, sge->offset + pop + a); - __assign_bit(i, msg->sg.copy, sge_copy); - if (sge_copy) - sk_msg_set_elem_copy(msg, i); - else - sk_msg_clear_elem_copy(msg, i); ++ sk_msg_set_elem_copy(msg, i, sge_copy); } else { struct page *page, *orig; u8 *to, *from;