summaryrefslogtreecommitdiff
path: root/tools
AgeCommit message (Collapse)Author
2026-06-10libperf: Document code simplification case for widening struct perf_cpuArnaldo Carvalho de Melo
Add a bullet point to the libperf ABI TODO explaining the code simplification benefit of widening struct perf_cpu.cpu from int16_t to int: the narrow type forces defensive truncation checks at every boundary where wider CPU indices are narrowed, and values > 32767 silently wrap to negative numbers (two's complement), bypassing bounds validation without them. Acked-by: Ian Rogers <irogers@google.com> Cc: Ian Rogers <irogers@google.com> Cc: Namhyung Kim <namhyung@kernel.org> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10perf tools: Use scnprintf() in build_id__snprintf() and hwmon read_events()Arnaldo Carvalho de Melo
build_id__snprintf() and hwmon_pmu__read_events() accumulate formatted output via snprintf(), which returns the would-have-been-written count on truncation. In build_id__snprintf(), this inflates the return value beyond the buffer size. In hwmon_pmu__read_events(), len overshoots out_buf_len and the next 'out_buf_len - len' underflows. Switch both to scnprintf() which returns actual bytes written. In build_id__snprintf(), also tighten the loop guard from 'offs < bf_size' to 'offs + 1 < bf_size': since scnprintf() returns at most size-1, offs never reaches bf_size, and the original condition would spin doing zero-byte writes once the buffer fills. Fixes: fccaaf6fbbc59910 ("perf build-id: Change sprintf functions to snprintf") Fixes: 53cc0b351ec99278 ("perf hwmon_pmu: Add a tool PMU exposing events from hwmon in sysfs") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Reviewed-by: Ian Rogers <irogers@google.com> Cc: Ian Rogers <irogers@google.com> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10perf hists: Fix snprintf() in hists__scnprintf_title() UID filter pathArnaldo Carvalho de Melo
hists__scnprintf_title() accumulates formatted output into a buffer using scnprintf() for all filter clauses except the UID filter, which uses snprintf(). If the buffer fills up and snprintf() returns more than the remaining space, printed exceeds size and the next 'size - printed' underflows, causing later scnprintf() calls to write past the buffer. Switch the UID filter clause to scnprintf() to match the rest of the function. Fixes: 25c312dbf88ca402 ("perf hists: Move hists__scnprintf_title() away from the TUI code") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Reviewed-by: Ian Rogers <irogers@google.com> Cc: Arnaldo Carvalho de Melo <acme@redhat.com> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10perf bpf: Use scnprintf() in snprintf_hex() and synthesize_bpf_prog_name()Arnaldo Carvalho de Melo
Both functions accumulate formatted output via ret += snprintf(buf + ret, size - ret, ...). If the buffer is too small and snprintf() returns more than the remaining space, ret exceeds size and the next 'size - ret' underflows, causing snprintf() to write past the buffer end. Switch to scnprintf() which returns the actual number of bytes written, making the accumulation safe. Fixes: 7b612e291a5affb1 ("perf tools: Synthesize PERF_RECORD_* for loaded BPF programs") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Reviewed-by: Ian Rogers <irogers@google.com> Cc: Song Liu <song@kernel.org> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10perf tools: Add O_CLOEXEC to open() calls in DSO and ELF codeArnaldo Carvalho de Melo
open() calls in dso.c and symbol-elf.c omit O_CLOEXEC, which leaks file descriptors to child processes spawned during symbol resolution (e.g., addr2line, objdump). This can exhaust the fd limit during long profiling sessions or when processing many DSOs. Add O_CLOEXEC to all open() calls in both files (12 call sites). Fixes: cdd059d731eeb466 ("perf tools: Move dso_* related functions into dso object") Fixes: e5a1845fc0aeca85 ("perf symbols: Split out util/symbol-elf.c") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Reviewed-by: Ian Rogers <irogers@google.com> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Namhyung Kim <namhyung@kernel.org> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10perf sched: Fix idle-hist callchain display using wrong rb_first variantArnaldo Carvalho de Melo
timehist_print_idlehist_callchain() calls rb_first_cached() on sorted_root, but the sort function (callchain_param.sort) populates it via rb_insert_color() on the plain rb_root member — not the cached variant. This means rb_leftmost is never set, so rb_first_cached() always returns NULL and the entire callchain summary is silently dropped from --idle-hist output. The original code in ba957ebb54893aca ("perf sched timehist: Show callchains for idle stat") was correct — it used struct rb_root and rb_first(). The bug was introduced when sorted_root was converted to rb_root_cached without converting the sort insertion path to use rb_insert_color_cached(). Use rb_first(&root->rb_root) to match how the tree was populated. Fixes: cb4c13a5137766c3 ("perf sched: Use cached rbtrees") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Namhyung Kim <namhyung@kernel.org> Acked-by: Ian Rogers <irogers@google.com> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10perf sched: Bounds-check prio before test_bit() in timehistArnaldo Carvalho de Melo
timehist_skip_sample() reads prio from untrusted tracepoint data via perf_sample__intval(sample, "prev_prio") without bounds validation. A crafted perf.data with prev_prio >= MAX_PRIO (140) causes test_bit() to read past the end of the prio_bitmap, which is only MAX_PRIO bits. Add a prio >= 0 guard before the test_bit() call and skip out-of-range values (>= MAX_PRIO) that can never match the user's filter set. The original prio != -1 already let all negatives other than -1 through (after an undefined-behavior bitmap read); the new prio >= 0 guard preserves that pass-through behavior — negative means "no priority info", so the event is shown unfiltered — while fixing the OOB. Values >= MAX_PRIO are skipped because they cannot be represented in the filter bitmap. Fixes: 9b3a48bbe20d9692 ("perf sched timehist: Add --prio option") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Reviewed-by: Ian Rogers <irogers@google.com> Cc: Yang Jihong <yangjihong@bytedance.com> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10cxl/test: Zero out LSA backing memory to avoid leaking to userDave Jiang
Memory through vmalloc() is not zeroed out. When this memory is copied into output payload, it leaks memory content to user. Use vzalloc() instead to zero out the memory. Suggested-by: sashiko-bot Link: https://lore.kernel.org/linux-cxl/20260605173146.2B9A31F00893@smtp.kernel.org/ Fixes: 7d3eb23c4ccf ("tools/testing/cxl: Introduce a mock memory device + driver") Reviewed-by: Alison Schofield <alison.schofield@intel.com> Link: https://patch.msgid.link/20260605184426.4070913-1-dave.jiang@intel.com Signed-off-by: Dave Jiang <dave.jiang@intel.com>
2026-06-10cxl/test: Fix integer overflow in mock LSA bounds checksDave Jiang
Pre-existing issue discovered by sashiko-bot. mock_get_lsa() and mock_set_lsa() validate the requested LSA range with "offset + length > LSA_SIZE". Both offset and length are u32 and, in mock_get_lsa(), both are taken directly from the user-supplied payload. The addition is evaluated modulo 2^32, so a large offset combined with a small length wraps around and passes the check. Rewrite the checks to first bound offset, then compare length against the remaining LSA size. Suggested-by: sashiko-bot Fixes: 7d3eb23c4ccf ("tools/testing/cxl: Introduce a mock memory device + driver") Link: https://lore.kernel.org/linux-cxl/20260605143748.235271F00893@smtp.kernel.org/ Assisted-by: Claude:claude-opus-4-8 Reviewed-by: Alison Schofield <alison.schofield@intel.com> Signed-off-by: Dave Jiang <dave.jiang@intel.com>
2026-06-10cxl/test: Verify cmd->size_in before accessing payloadDave Jiang
Several mock mailbox handlers access input payload fields before verifying that cmd->size_in is large enough for the corresponding structure. To ensure invalid commands are rejected before any payload data is consumed, add missing size checks and move existing checks ahead of the first payload field access. [dj: Updated commit log per Alison's comments. ] Fixes: 7d3eb23c4ccf ("tools/testing/cxl: Introduce a mock memory device + driver") Fixes: d1dca858f058 ("cxl/test: Add generic mock events") Fixes: f6448cb5f2f3 ("tools/testing/cxl: add firmware update emulation to CXL memdevs") Fixes: e77e9c107978 ("cxl/test: Add Get Feature support to cxl_test") Link: https://lore.kernel.org/linux-cxl/20260605143748.235271F00893@smtp.kernel.org/ Suggested-by: sashiko-bot Tested-by: Alison Schofield <alison.schofield@intel.com> Reviewed-by: Alison Schofield <alison.schofield@intel.com> Signed-off-by: Dave Jiang <dave.jiang@intel.com>
2026-06-10perf tools: NULL bitmap pointers after bitmap_free()Arnaldo Carvalho de Melo
Two call sites free bitmaps without NULLing the pointer, risking double-free if the structure is reused or cleanup is called twice: - mmap__munmap(): map->affinity_mask.bits - record__mmap_cpu_mask_free(): mask->bits Set each pointer to NULL after bitmap_free(). Fixes: 8384a2600c7ddfc8 ("perf record: Adapt affinity to machines with #CPUs > 1K") Fixes: f466e5ed6c356d1d ("perf record: Extend --threads command line option") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Reviewed-by: Ian Rogers <irogers@google.com> Cc: Alexey Budankov <alexey.budankov@linux.intel.com> Cc: Alexey Bayduraev <alexey.v.bayduraev@linux.intel.com> Cc: Arnaldo Carvalho de Melo <acme@redhat.com> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10selftests/bpf: Fix bpf_iter/task_vma testYonghong Song
For selftest bpf_iter/task_vma, I got a failure like below on my qemu run: test_task_vma_common:FAIL:compare_output unexpected compare_output: actual '561593546000-561593585000r--p0000000000:241256579534/root/devshare/bpf-next/tools/testing/selftests/bpf/test_progs' != expected '561593546000-561593585000r--p0000000000:245551546830/root/devshare/bpf-next/tools/testing/selftests/bpf/test_progs' Further debugging found out file->f_inode->i_ino value may exceed 32bit, e.g., i_ino = 0x14c2eae35, but the format string is '%u'. This caused inode mismatch between bpf iter and proc result. Fix the issue by using format string '%llu' to accommodate 64bit i_ino. Fixes: e8168840e16c ("selftests/bpf: Add test for bpf_iter_task_vma") Signed-off-by: Yonghong Song <yonghong.song@linux.dev> Acked-by: Leon Hwang <leon.hwang@linux.dev> Link: https://lore.kernel.org/r/20260610051831.1346659-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-10selftests: bonding: add test for lacp_strict modeLouis Scalbert
Add a test for the bonding lacp_strict mode. Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com> Acked-by: Jay Vosburgh <jv@jvosburgh.net> Link: https://patch.msgid.link/20260603150331.1919611-7-louis.scalbert@6wind.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-10bonding: 3ad: add lacp_strict configuration knobLouis Scalbert
When an 802.3ad (LACP) bonding interface has no slaves in the collecting/distributing state, the bonding master still reports carrier as up as long as at least 'min_links' slaves have carrier. In this situation, only one slave is effectively used for TX/RX, while traffic received on other slaves is dropped. Upper-layer daemons therefore consider the interface operational, even though traffic may be blackholed if the lack of LACP negotiation means the partner is not ready to deal with traffic. Introduce a configuration knob to control this behavior. It allows the bonding master to assert carrier only when at least 'min_links' slaves are in Collecting_Distributing state. The default mode preserves the existing behavior. This patch only introduces the knob; its behavior is implemented in the subsequent commit. Fixes: 655f8919d549 ("bonding: add min links parameter to 802.3ad") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com> Acked-by: Jay Vosburgh <jv@jvosburgh.net> Link: https://patch.msgid.link/20260603150331.1919611-4-louis.scalbert@6wind.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-10tools: missed broadcast_neigh if_link uapi headerLouis Scalbert
Add missing IFLA_BOND_BROADCAST_NEIGH in if_link uapi header. Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com> Acked-by: Jay Vosburgh <jv@jvosburgh.net> Link: https://patch.msgid.link/20260603150331.1919611-2-louis.scalbert@6wind.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-10perf tools: Use perf_env__get_cpu_topology() in machine__resolve()Arnaldo Carvalho de Melo
machine__resolve() accesses env->cpu[al->cpu].socket_id after checking al->cpu >= 0 and env->cpu != NULL, but without validating al->cpu against env->nr_cpus_avail. Since al->cpu comes from the untrusted perf.data sample, a crafted file with a large CPU index causes an out-of-bounds heap read. Use perf_env__get_cpu_topology() which validates both NULL and bounds. Also bounds-check al->cpu before the cast to struct perf_cpu (int16_t): without this, values like 65536 silently truncate to 0, bypassing the accessor's internal check and returning CPU 0's topology. Fixes: 0c4c4debb0adda4c ("perf tools: Add processor socket info to hist_entry and addr_location") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Reviewed-by: Ian Rogers <irogers@google.com> Cc: Kan Liang <kan.liang@intel.com> Cc: Ian Rogers <irogers@google.com> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10perf tools: Use scnprintf() in cpu_map__snprint() to prevent overflowArnaldo Carvalho de Melo
cpu_map__snprint() accumulates snprintf() return values in ret. snprintf() returns the number of characters that *would have been written* on truncation, not the actual count. When a fragmented CPU list exceeds the buffer, ret grows past size, causing `size - ret` to underflow (both are size_t), and subsequent snprintf() calls write past the end of the caller's stack buffer. Switch to scnprintf() which returns the actual number of characters written, making ret accumulation safe by construction. Fixes: a24020e6b7cf6eb8 ("perf tools: Change cpu_map__fprintf output") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Reviewed-by: Ian Rogers <irogers@google.com> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Ian Rogers <irogers@google.com> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10perf tools: Fix get_max_num() size_t underflow on empty sysfs fileArnaldo Carvalho de Melo
get_max_num() reads a sysfs file (cpu/possible, cpu/present, or node/possible) and scans backward from the end to find the last number. If the file is empty, filename__read_str() returns num == 0. The loop `while (--num)` decrements the size_t from 0 to SIZE_MAX, reading backward across the heap until a comma or hyphen is found or unmapped memory is hit. Add an early return for empty files before the backward scan. Fixes: 7780c25bae59fd04 ("perf tools: Allow ability to map cpus to nodes easily") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Reviewed-by: Ian Rogers <irogers@google.com> Cc: Don Zickus <dzickus@redhat.com> Cc: Ian Rogers <irogers@google.com> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-10Merge tag 'riscv-for-linux-7.1-rc8' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fixes from Paul Walmsley: - Fix the implementation of the CFI branch landing pad control prctl()s to return -EINVAL if unknown control bits are set, rather than silently ignoring the request; and add a kselftest for this case - Fix unaligned access performance testing to happen earlier in boot, which fixes a performance regression in the lib/checksum code - Fix a binfmt_elf warning when dumping core (due to missing .core_note_name for CFI registers) * tag 'riscv-for-linux-7.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: riscv: cfi: reject unknown flags in PR_SET_CFI riscv: Fix fast_unaligned_access_speed_key not getting initialized riscv/ptrace: Use USER_REGSET_NOTE_TYPE for REGSET_CFI
2026-06-10tools/virtio: fix build for kmalloc_obj API and missing stubsMichael S. Tsirkin
Add stubs for kmalloc_obj() and kmalloc_objs() to the tools/virtio test harness, matching the new kernel allocator API. Also add the DMA_ATTR_CPU_CACHE_CLEAN definition and include kernel.h from err.h for the unlikely() macro. Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Message-ID: <a0bd4b5bed56c49626c92a754d7aceab3325de25.1780520728.git.mst@redhat.com>
2026-06-10tools/virtio: check mmap return value in vringh_testlonglong yan
In parallel_test(), the return values of mmap() for both host_map and guest_map are not checked against MAP_FAILED. If mmap() fails, the subsequent code will dereference the invalid pointer, leading to a segmentation fault. Add MAP_FAILED checks after both mmap() calls, using err() to report the error and exit, consistent with the existing error handling style in this file (e.g., the open() call on line 149). Fixes: 1515c5ce26ae ("tools/virtio: add vring_test.") Signed-off-by: longlong yan <yanlonglong@kylinos.cn> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Message-ID: <20260605021446.1611-1-yanlonglong@kylinos.cn>
2026-06-09selftests/bpf: Exercise kptr map update lifetimeKumar Kartikeya Dwivedi
Add focused map_kptr coverage for BPF-side map updates that touch values containing referenced kptrs. The new syscall programs stash the testmod refcounted object in an array map, a preallocated hash map, and a no-prealloc hash map, then update the same map from BPF. The refcount must remain elevated after the update, while the userspace runner destroys the skeleton and reuses the existing refcount wait to confirm map teardown releases the kptr. Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Link: https://lore.kernel.org/r/20260609202548.3571690-5-memxor@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-09selftests/bpf: Exercise unsafe obj drops from tracing progsKumar Kartikeya Dwivedi
Add task_kfunc failure cases for bpf_obj_drop() on local objects with referenced kptr fields from tracing and NMI tracing programs. These programs must be rejected because dropping the object would run full special-field destruction synchronously in an unsafe context. Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Link: https://lore.kernel.org/r/20260609202548.3571690-4-memxor@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-09bpf: Cancel special fields on map value recycleJustin Suess
Map update and delete paths currently call bpf_obj_free_fields() when a value is being replaced or recycled. That makes field destruction depend on the context of the update/delete operation. For tracing programs this can include NMI context, where referenced kptr destructors, uptr unpinning, and graph root destruction are not generally safe. Introduce bpf_obj_cancel_fields() for the reusable-value path. It only performs NMI-safe cleanup for timer, workqueue, and task_work fields. Fields that need full destruction are left attached to the recycled value and are destroyed by the final cleanup path instead. Switch array and hashtab update/delete/recycle paths to this cancel helper. Keep bpf_obj_free_fields() for final map destruction and for bpf_mem_alloc destructors. Preallocated hashtabs do not have allocator destructors, so teardown continues to walk the normal and extra elements and fully destroy their fields. This deliberately relaxes the eager-free semantics of map update/delete for special fields. Programs that relied on a recycled map slot becoming empty immediately after update/delete were relying on behavior that cannot be implemented safely from every BPF execution context without offloading arbitrary destructors. There is a chance this change breaks programs making assumptions regarding the eager freeing of fields. If so, we can relax semantics to cancellation only when irqs_disabled() is true in the future. However, theoretically, map values that get reused eagerly already have weaker guarantees as parallel users can recreate freed fields before the new element becomes visible again. Fixes: 14a324f6a67e ("bpf: Wire up freeing of referenced kptr") Signed-off-by: Justin Suess <utilityemal77@gmail.com> Co-developed-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Link: https://lore.kernel.org/r/20260609202548.3571690-3-memxor@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-09bpf: Reject bpf_obj_drop() from tracing progsJustin Suess
bpf_obj_drop() runs bpf_obj_free_fields() synchronously for program-allocated objects. When such an object contains NMI unsafe fields, tracing programs that can run from arbitrary instrumented context can reach that destruction from unsafe contexts, including NMI. NMI is likely one instance of this problem, and other instances would include possible unsafe reentrancy. Deferring bpf_obj_drop() is not appealing either: it would add delayed-free machinery to a release operation that otherwise has straightforward synchronous ownership semantics. Reject bpf_obj_drop() and bpf_percpu_obj_drop() from tracing programs that may run from unsafe contexts unless every field in the object's BTF record is explicitly NMI safe. Do not reject sleepable BPF_PROG_TYPE_TRACING programs, since they are not the arbitrary/NMI contexts that motivate the restriction. Note that while bpf_rb_root and bpf_list_head would be NMI safe on their own to free, the objects recursively held by them may not be; be conservative and just mark them as not NMI safe for now. Use a whitelist for the NMI-safe field set instead of listing only known NMI unsafe fields. Locks, async fields, unreferenced kptrs, and refcounts are known to be NMI safe because their destruction is either a no-op, simple state reset, or async cancellation. Referenced kptrs, percpu referenced kptrs, uptrs, graph roots, graph nodes, and any future field type are rejected until audited for arbitrary tracing and NMI contexts. This is less susceptible to future changes in fields that were previously safe by exclusion, and to new fields being added without updating this check. Convert the existing recursive local-object drop success case to a syscall program in the same commit, since this verifier change makes the old tracing program form invalid. The test still exercises bpf_obj_drop() releasing a referenced task kptr from a safe program type. Fixes: ac9f06050a35 ("bpf: Introduce bpf_obj_drop") Signed-off-by: Justin Suess <utilityemal77@gmail.com> Co-developed-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Link: https://lore.kernel.org/r/20260609202548.3571690-2-memxor@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-09selftests/bpf: Adjust fexit_bpf2bpf ctx layout for llvm23 true signatureYonghong Song
test_pkt_access_subprog2() is defined in C as int test_pkt_access_subprog2(int val, volatile struct __sk_buff *skb) but llvm optimizes away the unused 'int val' argument. Before llvm23 the BTF signature did not match the optimized assembly, so the verifier set attach_func_proto to NULL and fell back to MAX_BPF_FUNC_REG_ARGS (5) u64 arguments (see btf_ctx_access()). The fexit ctx struct therefore placed the return value after args[5]. With llvm23 the 'true' signature int test_pkt_access_subprog2(volatile struct __sk_buff *skb) is recorded in BTF, so nr_args becomes 1 and the return value moves to the slot right after args[1]. Select the matching args_subprog2 layout based on __clang_major__ so the test works with both old and new llvm. Signed-off-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/20260609233412.2712178-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-09selftests/bpf: Keep int return type for tailcall subprogsYonghong Song
LLVM23 ([1]) supports 'true' function signature in BTF. The return type of the caller of a tailcall must be an 'int'. Otherwise, verification will fail (see check_btf_func() in check_btf.c). So with llvm23, it is possible that the compiler may change the caller's return type from 'int' to 'void'. To prevent this, barrier_var() and __sink() are used to avoid returning a constant prone to be optimized. [1] https://github.com/llvm/llvm-project/pull/198426 Signed-off-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/20260609233407.2711577-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-09selftests: net: add getsockopt_iter binary to .gitignoreFernando Fernandez Mancera
The generated binary for getsockopt_iter.c shouldn't show up as an untracked git file after running: make -C tools/testing/selftests TARGETS=net install Let's just ignore it. Fixes: d39887f55d8e ("net: selftests: add getsockopt_iter regression tests") Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de> Link: https://patch.msgid.link/20260608112259.4022-1-fmancera@suse.de Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-09Merge tag 'trace-rv-v7.1-rc6-2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull runtime verifier fixes from Steven Rostedt: - Fix reset ordering on per-task destruction Reset the task before dropping the slot instead of after, which was causing out-of-bound memory accesses. - Fix HA monitor synchronization and cleanup Ensure synchronous cleanup for HA monitors by running timer callbacks in RCU read-side critical sections and using synchronize_rcu() during destruction. - Avoid armed timers after tasks exit Add automatic cleanup for per-task HA monitors to prevent timers from firing after task exit. - Fix memory ordering for DA/HA monitors Fix race conditions during monitor start by using release-acquire semantics for the monitoring flag. - Fix initialization for DA/HA monitors Ensure monitors are not initialized relying on potentially corrupted state like the monitoring flag, that is not reset by all monitors type and may have an unknown state in monitors reusing the storage (per-task). - Fix memory safety in per-task and per-object monitors Prevent use-after-free and out-of-bounds access by synchronizing with in-flight tracepoint probes using tracepoint_synchronize_unregister() before freeing monitor storage or releasing task slots. - Adjust monitors for preemptible tracepoints Fix monitors that relied on tracepoints disabling preemption. Explicitly disable task migration when per-CPU monitors handle events to avoid accessing the wrong state and update the opid monitor logic. - Fix incorrect __user specifier usage Remove __user from a non-pointer variable in the extract_params() helper. - Fix bugs in the rv tool Ensure strings are NUL-terminated, fix substring matching in monitor searches, and improve cleanup and exit status handling. - Fix several bugs in rvgen Fix LTL literal stringification, subparsers' options handling, and suffix stripping in dot2k. * tag 'trace-rv-v7.1-rc6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: verification/rvgen: Fix ltl2k writing True as a literal verification/rvgen: Fix options shared among commands verification/rvgen: Fix suffix strip in dot2k tools/rv: Fix cleanup after failed trace setup tools/rv: Fix substring match when listing container monitors tools/rv: Fix substring match bug in monitor name search tools/rv: Ensure monitor name and desc are NUL-terminated rv: Use 0 to check preemption enabled in opid rv: Prevent task migration while handling per-CPU events rv: Ensure synchronous cleanup for HA monitors rv: Add automatic cleanup handlers for per-task HA monitors rv: Do not rely on clean monitor when initialising HA rv: Fix monitor start ordering and memory ordering for monitoring flag rv: Ensure all pending probes terminate on per-obj monitor destroy rv: Prevent in-flight per-task handlers from using invalid slots rv: Reset per-task DA monitors before releasing the slot rv: Fix __user specifier usage in extract_params()
2026-06-09Merge tag 'trace-tools-v7.1-rc7' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull RTLA fix from Steven Rostedt: - Fix multi-character short option parsing Fix regression in parsing of multiple-character short options (eg -p100 /= -p 100/, -un /= -u -n/) caused by getopt_long() internal state corruption after a refactoring. * tag 'trace-tools-v7.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: rtla: Fix parsing of multi-character short options
2026-06-09selftests/bpf: Avoid spurious spmc parallel selftest errors in libarenaEmil Tsalapatis
The libarena parallel spmc selftest is nondeterministic by design. As a result it depends up to a point on the relative timing between the producer and consumer threads. This introduces the possibility for two kinds of spurious failures that this patch addresses. 1) Spurious timeouts. The test proceeds in phases, and threads use a common counter as a barrier to avoid proceeding to the next phase until all threads are ready to do so. If a thread takes too long to reach the barrier, the already waiting threads may time out. Increase the current timeout. The timeout's value is a balance between the maximum amount of time spent on the test and the possibility of spurious failures. Right now the timeout is too short. Err on the side of caution and significantly increase it to avoid spurious failures. 2) Spurious resize failures. Some selftests require the spmc queue to resize itself. This in turn requires for the producer side to be materially faster than the consumer side so that the queue gets full enough for a resize. However, in the benchmark the spmc queue's producer is outnumbered 3:1. To offset it we add busy waits for consume queues. However, we still see occasional failures due to the queue never resizing. Minimize the possibility for this in two ways: First, remove one of the consumers. The 2 consumers still exercise the "race between consumers" scenario. Second, increase the busy wait duration to decrease the rate by which the consumers act on the queue. While at it, also replace a stray invalid error value "153" with EINVAL. Fixes: 42998f819256 ("selftests/bpf: libarena: parallel test harness and spmc parallel selftest") Reported-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260609063630.10245-1-emil@etsalapatis.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-09selftests/bpf: Cover writable BTF field global subprog argsNuoqi Gui
Add a verifier test for passing a BTF-backed task_struct field pointer to a global subprogram argument typed as writable memory. The direct field store is already rejected. The global subprogram path should be rejected too. The callee must not lose the BTF pointer's read-only provenance. It must not validate the argument as ordinary writable memory. Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn> Link: https://lore.kernel.org/bpf/20260609-f01-04-btf-writable-arg-v1-2-f449cd970669@mails.tsinghua.edu.cn Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
2026-06-09Merge tag 'mm-hotfixes-stable-2026-06-08-20-51' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull misc fixes from Andrew Morton: "11 hotfixes. 9 are for MM. 8 are cc:stable and the remaining 3 address post-7.1 issues or aren't considered suitable for backporting. Thre's a two-patch series "mm/damon/{reclaim,lru_sort}: handle ctx allocation failures" from SeongJae Park which fixes a couple of DAMON -ENOMEM bloopers. The rest are singletons - please see the individual changelogs for details" * tag 'mm-hotfixes-stable-2026-06-08-20-51' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: mm/mincore: handle non-swap entries before !CONFIG_SWAP guard arm64: mm: call pagetable dtor when freeing hot-removed page tables mm/list_lru: drain before clearing xarray entry on reparent mm/huge_memory: use correct flags for device private PMD entry mm/damon/lru_sort: handle ctx allocation failure mm/damon/reclaim: handle ctx allocation failure zram: fix use-after-free in zram_bvec_write_partial() MAINTAINERS: update Baoquan He's email address tools headers UAPI: sync linux/taskstats.h for procacct.c mm/cma_sysfs: skip inactive CMA areas in sysfs ipc/shm: serialize orphan cleanup with shm_nattch updates
2026-06-09selftests/bpf: Add BTF repeated field count overflow testPaul Moses
Add a raw BTF test that exercises repeated special-field expansion with a large array count. The compact element layout keeps the array byte size representable while the repeated field count overflows the old u32 capacity calculation in btf_repeat_fields(). Signed-off-by: Paul Moses <p@1g4.org> Link: https://lore.kernel.org/bpf/SzebdWqm2zREZBf8Tc5Kc-JDWbh9nBztnk4PUu5kRSD1OOdr_ESVTt__2Hd3-lClr47jIjJCXfOH0RHsMpjjpEUh_R2v30nh3T1IXNT6Pbo=@1g4.org Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
2026-06-09selftests/net/openvswitch: guard command substitutions against empty outputMinxi Hou
When ip-link output is unavailable, when the upcall daemon log has not been written yet, or when pahole does not know the OVS drop subsystem ID, the affected command substitutions silently produce empty strings. The caller then passes empty sha= or pid= arguments to ovs_add_flow, or matches against wrong drop reason codes, all without a diagnostic. Add [ -z ] guards immediately after each assignment. For test_arp_ping, also align the MAC extraction to use awk '/link\/ether/' as in test_pop_vlan. The drop_reason guard returns ksft_skip because an absent subsystem ID is an environment issue, not a test failure. Signed-off-by: Minxi Hou <houminxi@gmail.com> Reviewed-by: Aaron Conole <aconole@redhat.com> Link: https://patch.msgid.link/20260604163016.3929371-1-houminxi@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-06-09selftests/livepatch: fix resource leak in test_klp_syscall init error pathRui Qi
In livepatch_init(), if klp_enable_patch() fails, the previously created kobject and sysfs file are never cleaned up, causing a resource leak. Capture the return value and add proper cleanup on the error path. Signed-off-by: Rui Qi <qirui.001@bytedance.com> Acked-by: Miroslav Benes <mbenes@suse.cz> Reviewed-by: Petr Mladek <pmladek@suse.com> Link: https://patch.msgid.link/20260604083208.1071428-1-qirui.001@bytedance.com Signed-off-by: Petr Mladek <pmladek@suse.com>
2026-06-09selftests: drv-net: gro: signal over-coalescing more reliablyJakub Kicinski
GRO test is very timing-sensitive, packets may be delayed by the network or just sent slowly. Because of this we retry each test case up to 6 times. This makes perfect sense for positive cases, in which we want to see coalescing. Negative test cases, which modify headers and expect no coalescing should have opposite treatment. We should really try 6 times and make sure that each time the test failed. This would, however, require that we annotate each test to indicate whether its positive or negative. Let's start with a simpler improvement. Do not allow retries if we detected over-coalescing. Previously the negative case would have to get lucky at least once in 6 tries to pass. Now the first failure breaks the retry loop. For background - NICs tend to ignore the contents of the TCP timestamp option, so that test case commonly fails. In NIPA having 6 attempts, however, was enough for some NICs to get multiple successful runs in a row, getting the test cases auto-classified as expected to pass, even tho the NIC does not comply with the expectations. Signed-off-by: Jakub Kicinski <kuba@kernel.org> Reviewed-by: Willem de Bruijn <willemb@google.com> Link: https://patch.msgid.link/20260607002401.212976-1-kuba@kernel.org Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-06-08selftests/mm/hmm-tests: test pagemap reads of PMD device-private entriesDev Jain
To cover pagemap paths scanning PMD entries, add assertions to check whether a device-private PMD entry has the correct pagemap information - the PM_SWAP bit must be on in the pagemap entry. Before that, we must assert through HMM_DMIRROR_SNAPSHOT snapshot that the leaf entry is at PMD level and not PTE level. Link: https://lore.kernel.org/20260604055308.1947679-3-dev.jain@arm.com Signed-off-by: Dev Jain <dev.jain@arm.com> Reviewed-by: Lorenzo Stoakes <ljs@kernel.org> Cc: Balbir Singh <balbirs@nvidia.com> Cc: David Hildenbrand (Arm) <david@kernel.org> Cc: Oscar Salvador (SUSE) <osalvador@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-06-08selftest: net: Extend ipmr.c for IP6MR.Kuniyuki Iwashima
This commit extends most test cases in ipmr.c for IPV6MR. Note that IP6MR does not provide rtnetlink interface for MFC, so such tests are added to XFAIL_ADD(). Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> Link: https://patch.msgid.link/20260604224712.3209821-2-kuniyu@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-08selftests: drv-net: extend so_txtime with FQ with other clocksWillem de Bruijn
Add a variant of the existing FQ tests, but pass CLOCK_TAI rather than the native CLOCK_MONOTONIC clock id. FQ used to imply monotonic. This is no longer the case, and the inverse need not hold either. Rename $PREFIX_mono to $PREFIX_fq. Signed-off-by: Willem de Bruijn <willemb@google.com> Link: https://patch.msgid.link/20260604194221.3319080-4-willemdebruijn.kernel@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-08KVM: selftests: Add regression test for mediated PMU fixed counter filter bugSean Christopherson
Add a regression test where KVM would inadvertently ignore PMU event filters on writes that change _some_ bits in FIXED_CTR_CTRL, but not the enable bits for PMCs that are denied to the guest. Link: https://patch.msgid.link/20260603231905.1738487-3-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc@google.com>
2026-06-08selftests/bpf: Cover dynamic inner array lookup nullabilityNuoqi Gui
Add a verifier regression test that looks up a constant key through a dynamic inner array template and dereferences the result without a NULL check. The verifier must reject the program because BPF_F_INNER_MAP allows the concrete runtime array to have fewer entries than the template. Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn> Acked-by: Eduard Zingerman <eddyz87@gmail.com> Acked-by: Jiri Olsa <jolsa@kernel.org> Link: https://lore.kernel.org/bpf/20260607-f01-v2-v2-2-da48453146e8@mails.tsinghua.edu.cn Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
2026-06-07kunit:tool: Don't write to stdout when it should be disabledDavid Gow
The kunit_parser module accepts a 'printer' object which is used as a destination for all output. This is typically set to stdout, so that the parsed results are visible, but can be set to a special 'null_printer' to implement options where not all results are always printed. However, there are a few places where use of stdout is hardcoded, notably in handling crashed tests and in outputting the colour escape sequences. Properly use the specified printer for all output. This is okay for the colour handling (as this is already gated behind isatty() anyway), and also for the crash handling, as cases where printer != stdout are separately printed afterwards. Link: https://lore.kernel.org/r/20260606020317.264178-1-david@davidgow.net Fixes: 062a9dd9bad7 ("kunit: tool: Only print the summary") Signed-off-by: David Gow <david@davidgow.net> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
2026-06-07kunit: tool: Add (primitive) support for outputting JUnit XMLDavid Gow
This is used by things like Jenkins and other CI systems, which can pretty-print the test output and potentially provide test-level comparisons between runs. The implementation here is pretty basic: it only provides the raw results, split into tests and test suites, and doesn't provide any overall metadata. However, CI systems like Jenkins can ingest it and it is already useful. Link: https://lore.kernel.org/r/20260606013827.240790-2-david@davidgow.net Reviewed-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de> Signed-off-by: David Gow <david@davidgow.net> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
2026-06-07kunit: tool: Parse and print the reason tests are skippedDavid Gow
When a KUnit test (or other KTAP test) is skipped, a "skip reason" can be provided. kunit.py has never done anything with this, ignoring anything included in the KTAP output after the 'SKIP' directive. Since we have it, and it's used, print it in a nice friendly yellow in parentheses after a skipped test's name. (And, by parsing it, it can be included in the JUnit results as well.) Link: https://lore.kernel.org/r/20260606013827.240790-1-david@davidgow.net Signed-off-by: David Gow <david@davidgow.net> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
2026-06-07selftests/bpf: Stress LRU rqspinlock recovery pathsMykyta Yatsenko
Introduces stress test for bpf_lru_list that exercises lock-failures and orphan-recovery, added by the LRU rqspinlock conversion. Runs three subtests: common LRU, per-CPU LRU lists (BPF_F_NO_COMMON_LRU), and per-CPU LRU map. Each pins one userspace hammer per CPU and attaches the perf_event NMI BPF prog (update+delete mix) on every online CPU. Pre-fix, lockdep fires the "INITIAL USE -> IN-NMI" splat during stress. After stress test, drain_then_verify_capacity() drains every key and refills the lru map. A stranded node on any CPU's pool would have forced eviction of a just-inserted key on that CPU, surfacing here as a missing lookup. Marked serial_ because per-CPU pinning and high-rate HW perf events would perturb parallel tests. Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com> Link: https://lore.kernel.org/r/20260607-lru_map_spin-v3-3-bcd9332e911b@meta.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-07selftests/bpf: Add tracing multi attach rollback testsJiri Olsa
Adding tests for the rollback code when the tracing_multi link won't get attached, covering 2 reasons: - wrong btf id passed by user, where all previously allocated trampolines will be released - trampoline for requested function is fully attached (has already maximum programs attached) and the link fails, the rollback code needs to release all previously link-ed trampolines and release them We need the bpf_fentry_test* unattached for the tests to pass, so the rollback tests are serial. Signed-off-by: Jiri Olsa <jolsa@kernel.org> Link: https://lore.kernel.org/r/20260606123955.345967-30-jolsa@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-07selftests/bpf: Add tracing multi attach benchmark testJiri Olsa
Adding benchmark test that attaches to (almost) all allowed tracing functions and display attach/detach times. # ./test_progs -t tracing_multi_bench_attach -v bpf_testmod.ko is already unloaded. Loading bpf_testmod.ko... Successfully loaded bpf_testmod.ko. serial_test_tracing_multi_bench_attach:PASS:btf__load_vmlinux_btf 0 nsec serial_test_tracing_multi_bench_attach:PASS:tracing_multi_bench__open_and_load 0 nsec serial_test_tracing_multi_bench_attach:PASS:get_syms 0 nsec serial_test_tracing_multi_bench_attach:PASS:bpf_program__attach_tracing_multi 0 nsec serial_test_tracing_multi_bench_attach: found 51186 functions serial_test_tracing_multi_bench_attach: attached in 1.295s serial_test_tracing_multi_bench_attach: detached in 0.243s #507 tracing_multi_bench_attach:OK Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED Successfully unloaded bpf_testmod.ko. Exporting skip_entry as is_unsafe_function and using it in the test. Also updating trace_blacklist with ___migrate_enable to be in sync with kernel functions deny list. Signed-off-by: Jiri Olsa <jolsa@kernel.org> Link: https://lore.kernel.org/r/20260606123955.345967-29-jolsa@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-07selftests/bpf: Add tracing multi verifier fails testJiri Olsa
Adding tests for verifier fails on tracing multi programs. Signed-off-by: Jiri Olsa <jolsa@kernel.org> Link: https://lore.kernel.org/r/20260606123955.345967-28-jolsa@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-07selftests/bpf: Add tracing multi attach fails testJiri Olsa
Adding tests for attach fails on tracing multi link. Signed-off-by: Jiri Olsa <jolsa@kernel.org> Link: https://lore.kernel.org/r/20260606123955.345967-27-jolsa@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>