libbpf · theihor · Nov 7, 2024 · Nov 6, 2024
diff --git a/ci/diffs/0199-iov_iter-fix-advancing-slot-in-iter_folioq_get_pages.patch b/ci/diffs/0199-iov_iter-fix-advancing-slot-in-iter_folioq_get_pages.patch
@@ -0,0 +1,46 @@
+From 0d24852bd71ec85ca0016b6d6fc997e6a3381552 Mon Sep 17 00:00:00 2001
+From: Omar Sandoval <[email protected]>
+Date: Mon, 30 Sep 2024 11:55:00 -0700
+Subject: [PATCH] iov_iter: fix advancing slot in iter_folioq_get_pages()
+
+iter_folioq_get_pages() decides to advance to the next folioq slot when
+it has reached the end of the current folio. However, it is checking
+offset, which is the beginning of the current part, instead of
+iov_offset, which is adjusted to the end of the current part, so it
+doesn't advance the slot when it's supposed to. As a result, on the next
+iteration, we'll use the same folio with an out-of-bounds offset and
+return an unrelated page.
+
+This manifested as various crashes and other failures in 9pfs in drgn's
+VM testing setup and BPF CI.
+
+Fixes: db0aa2e9566f ("mm: Define struct folio_queue and ITER_FOLIOQ to handle a sequence of folios")
+Link: https://lore.kernel.org/linux-fsdevel/[email protected]/
+Tested-by: Manu Bretelle <[email protected]>
+Signed-off-by: Omar Sandoval <[email protected]>
+Link: https://lore.kernel.org/r/cbaf141ba6c0e2e209717d02746584072844841a.1727722269.git.osandov@fb.com
+Tested-by: Eduard Zingerman <[email protected]>
+Tested-by: Leon Romanovsky <[email protected]>
+Tested-by: Joey Gouly <[email protected]>
+Acked-by: David Howells <[email protected]>
+Signed-off-by: Christian Brauner <[email protected]>
+---
+ lib/iov_iter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/iov_iter.c b/lib/iov_iter.c
+index 97003155b..1abb32c0d 100644
+--- a/lib/iov_iter.c
++++ b/lib/iov_iter.c
+@@ -1033,7 +1033,7 @@ static ssize_t iter_folioq_get_pages(struct iov_iter *iter,
+ 		if (maxpages == 0 || extracted >= maxsize)
+ 			break;
+
+-		if (offset >= fsize) {
++		if (iov_offset >= fsize) {
+ 			iov_offset = 0;
+ 			slot++;
+ 			if (slot == folioq_nr_slots(folioq) && folioq->next) {
+-- 
+2.34.1
+
diff --git a/ci/diffs/0299-selftests-bpf-Fix-uprobe-consumer-test.patch b/ci/diffs/0299-selftests-bpf-Fix-uprobe-consumer-test.patch
@@ -0,0 +1,58 @@
+From affb32e4f056883f285f8535b766293b85752fb4 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <[email protected]>
+Date: Tue, 24 Sep 2024 13:07:30 +0200
+Subject: [PATCH] selftests/bpf: Fix uprobe consumer test
+
+With newly merged code the uprobe behaviour is slightly different
+and affects uprobe consumer test.
+
+We no longer need to check if the uprobe object is still preserved
+after removing last uretprobe, because it stays as long as there's
+pending/installed uretprobe instance.
+
+This allows to run uretprobe consumers registered 'after' uprobe was
+hit even if previous uretprobe got unregistered before being hit.
+
+The uprobe object will be now removed after the last uprobe ref is
+released and in such case it's held by ri->uprobe (return instance)
+which is released after the uretprobe is hit.
+
+Reported-by: Ihor Solodrai <[email protected]>
+Signed-off-by: Jiri Olsa <[email protected]>
+Signed-off-by: Daniel Borkmann <[email protected]>
+Tested-by: Ihor Solodrai <[email protected]>
+Closes: https://lore.kernel.org/bpf/w6U8Z9fdhjnkSp2UaFaV1fGqJXvfLEtDKEUyGDkwmoruDJ_AgF_c0FFhrkeKW18OqiP-05s9yDKiT6X-Ns-avN_ABf0dcUkXqbSJN1TQSXo=@pm.me/
+---
+ .../testing/selftests/bpf/prog_tests/uprobe_multi_test.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/uprobe_multi_test.c b/tools/testing/selftests/bpf/prog_tests/uprobe_multi_test.c
+index 844f6fc8487b..c1ac813ff9ba 100644
+--- a/tools/testing/selftests/bpf/prog_tests/uprobe_multi_test.c
++++ b/tools/testing/selftests/bpf/prog_tests/uprobe_multi_test.c
+@@ -869,21 +869,14 @@ static void consumer_test(struct uprobe_multi_consumers *skel,
+ 			fmt = "prog 0/1: uprobe";
+ 		} else {
+ 			/*
+-			 * uprobe return is tricky ;-)
+-			 *
+ 			 * to trigger uretprobe consumer, the uretprobe needs to be installed,
+ 			 * which means one of the 'return' uprobes was alive when probe was hit:
+ 			 *
+ 			 *   idxs: 2/3 uprobe return in 'installed' mask
+-			 *
+-			 * in addition if 'after' state removes everything that was installed in
+-			 * 'before' state, then uprobe kernel object goes away and return uprobe
+-			 * is not installed and we won't hit it even if it's in 'after' state.
+ 			 */
+ 			unsigned long had_uretprobes  = before & 0b1100; /* is uretprobe installed */
+-			unsigned long probe_preserved = before & after;  /* did uprobe go away */
+
+-			if (had_uretprobes && probe_preserved && test_bit(idx, after))
++			if (had_uretprobes && test_bit(idx, after))
+ 				val++;
+ 			fmt = "idx 2/3: uretprobe";
+ 		}
+-- 
+2.34.1
+
diff --git a/ci/vmtest/configs/DENYLIST b/ci/vmtest/configs/DENYLIST
@@ -12,3 +12,4 @@ xdp_bonding/xdp_bonding_features     # started failing after net merge from 359e
 tc_redirect/tc_redirect_dtime # uapi breakage after net-next commit 885c36e59f46 ("net: Re-use and set mono_delivery_time bit for userspace tstamp packets")
 migrate_reuseport/IPv4 TCP_NEW_SYN_RECV reqsk_timer_handler # flaky, under investigation
 migrate_reuseport/IPv6 TCP_NEW_SYN_RECV reqsk_timer_handler # flaky, under investigation
+uprobe_multi_test/consumers