| Seq | Timestamp | Type | Name | Duration |
|---|---|---|---|---|
| 0/0 | 2026/06/30 23:05 | flow | patch-triage |
0mArgs:null Results: {
"EnableConfigs": [
"BPF_SYSCALL",
"NET"
],
"FocusSymbols": [
"may_update_sockmap",
"check_map_func_compatibility"
],
"Reasoning": "The patch restricts certain BPF program types from updating sockmaps in the BPF verifier. This is a functional change in the core BPF verifier logic that affects what BPF programs are allowed to do. It should be fuzzed to ensure the verifier correctly rejects invalid programs and doesn't introduce any regressions or bypasses.",
"WorthFuzzing": true
} |
| 1/1 | 2026/06/30 23:05 | action | read-patch-diff |
0mArgs:null Results: {
"PatchDiff": "commit fc7de76ad1f513e02edfe2d09226f0dee78e0390\nAuthor: syz-cluster \u003ctriage@syzkaller.com\u003e\nDate: Tue Jun 30 23:05:44 2026 +0000\n\n syz-cluster: applied patch under review\n\ndiff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c\nindex 25aea4271cd089..83ea3b33ff679c 100644\n--- a/kernel/bpf/verifier.c\n+++ b/kernel/bpf/verifier.c\n@@ -8488,12 +8488,7 @@ static bool may_update_sockmap(struct bpf_verifier_env *env, int func_id)\n \t\tif (func_id == BPF_FUNC_map_delete_elem)\n \t\t\treturn true;\n \t\tbreak;\n-\tcase BPF_PROG_TYPE_SOCKET_FILTER:\n-\tcase BPF_PROG_TYPE_SCHED_CLS:\n-\tcase BPF_PROG_TYPE_SCHED_ACT:\n-\tcase BPF_PROG_TYPE_XDP:\n \tcase BPF_PROG_TYPE_SK_REUSEPORT:\n-\tcase BPF_PROG_TYPE_FLOW_DISSECTOR:\n \tcase BPF_PROG_TYPE_SK_LOOKUP:\n \t\treturn true;\n \tdefault:\ndiff --git a/tools/testing/selftests/bpf/prog_tests/fexit_bpf2bpf.c b/tools/testing/selftests/bpf/prog_tests/fexit_bpf2bpf.c\nindex 92c20803ea765d..d3a954158c3327 100644\n--- a/tools/testing/selftests/bpf/prog_tests/fexit_bpf2bpf.c\n+++ b/tools/testing/selftests/bpf/prog_tests/fexit_bpf2bpf.c\n@@ -336,17 +336,6 @@ static void test_fmod_ret_freplace(void)\n }\n \n \n-static void test_func_sockmap_update(void)\n-{\n-\tconst char *prog_name[] = {\n-\t\t\"freplace/cls_redirect\",\n-\t};\n-\ttest_fexit_bpf2bpf_common(\"./freplace_cls_redirect.bpf.o\",\n-\t\t\t\t \"./test_cls_redirect.bpf.o\",\n-\t\t\t\t ARRAY_SIZE(prog_name),\n-\t\t\t\t prog_name, false, NULL);\n-}\n-\n static void test_func_replace_void(void)\n {\n \tconst char *prog_name[] = {\n@@ -599,8 +588,6 @@ void serial_test_fexit_bpf2bpf(void)\n \t\ttest_func_replace();\n \tif (test__start_subtest(\"func_replace_verify\"))\n \t\ttest_func_replace_verify();\n-\tif (test__start_subtest(\"func_sockmap_update\"))\n-\t\ttest_func_sockmap_update();\n \tif (test__start_subtest(\"func_replace_return_code\"))\n \t\ttest_func_replace_return_code();\n \tif (test__start_subtest(\"func_map_prog_compatibility\"))\ndiff --git a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c\nindex cb3229711f93a3..33f788e2786dae 100644\n--- a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c\n+++ b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c\n@@ -7,7 +7,6 @@\n \n #include \"test_progs.h\"\n #include \"test_skmsg_load_helpers.skel.h\"\n-#include \"test_sockmap_update.skel.h\"\n #include \"test_sockmap_invalid_update.skel.h\"\n #include \"test_sockmap_skb_verdict_attach.skel.h\"\n #include \"test_sockmap_progs_query.skel.h\"\n@@ -235,53 +234,6 @@ static void test_skmsg_helpers_with_link(enum bpf_map_type map_type)\n \ttest_skmsg_load_helpers__destroy(skel);\n }\n \n-static void test_sockmap_update(enum bpf_map_type map_type)\n-{\n-\tint err, prog, src;\n-\tstruct test_sockmap_update *skel;\n-\tstruct bpf_map *dst_map;\n-\tconst __u32 zero = 0;\n-\tchar dummy[14] = {0};\n-\tLIBBPF_OPTS(bpf_test_run_opts, topts,\n-\t\t.data_in = dummy,\n-\t\t.data_size_in = sizeof(dummy),\n-\t\t.repeat = 1,\n-\t);\n-\t__s64 sk;\n-\n-\tsk = connected_socket_v4();\n-\tif (!ASSERT_NEQ(sk, -1, \"connected_socket_v4\"))\n-\t\treturn;\n-\n-\tskel = test_sockmap_update__open_and_load();\n-\tif (!ASSERT_OK_PTR(skel, \"open_and_load\"))\n-\t\tgoto close_sk;\n-\n-\tprog = bpf_program__fd(skel-\u003eprogs.copy_sock_map);\n-\tsrc = bpf_map__fd(skel-\u003emaps.src);\n-\tif (map_type == BPF_MAP_TYPE_SOCKMAP)\n-\t\tdst_map = skel-\u003emaps.dst_sock_map;\n-\telse\n-\t\tdst_map = skel-\u003emaps.dst_sock_hash;\n-\n-\terr = bpf_map_update_elem(src, \u0026zero, \u0026sk, BPF_NOEXIST);\n-\tif (!ASSERT_OK(err, \"update_elem(src)\"))\n-\t\tgoto out;\n-\n-\terr = bpf_prog_test_run_opts(prog, \u0026topts);\n-\tif (!ASSERT_OK(err, \"test_run\"))\n-\t\tgoto out;\n-\tif (!ASSERT_NEQ(topts.retval, 0, \"test_run retval\"))\n-\t\tgoto out;\n-\n-\tcompare_cookies(skel-\u003emaps.src, dst_map);\n-\n-out:\n-\ttest_sockmap_update__destroy(skel);\n-close_sk:\n-\tclose(sk);\n-}\n-\n static void test_sockmap_invalid_update(void)\n {\n \tstruct test_sockmap_invalid_update *skel;\n@@ -1385,10 +1337,6 @@ void test_sockmap_basic(void)\n \t\ttest_skmsg_helpers(BPF_MAP_TYPE_SOCKMAP);\n \tif (test__start_subtest(\"sockhash sk_msg load helpers\"))\n \t\ttest_skmsg_helpers(BPF_MAP_TYPE_SOCKHASH);\n-\tif (test__start_subtest(\"sockmap update\"))\n-\t\ttest_sockmap_update(BPF_MAP_TYPE_SOCKMAP);\n-\tif (test__start_subtest(\"sockhash update\"))\n-\t\ttest_sockmap_update(BPF_MAP_TYPE_SOCKHASH);\n \tif (test__start_subtest(\"sockmap update in unsafe context\"))\n \t\ttest_sockmap_invalid_update();\n \tif (test__start_subtest(\"sockmap copy\"))\ndiff --git a/tools/testing/selftests/bpf/progs/freplace_cls_redirect.c b/tools/testing/selftests/bpf/progs/freplace_cls_redirect.c\ndeleted file mode 100644\nindex 7e94412d47a5ca..00000000000000\n--- a/tools/testing/selftests/bpf/progs/freplace_cls_redirect.c\n+++ /dev/null\n@@ -1,34 +0,0 @@\n-// SPDX-License-Identifier: GPL-2.0\n-// Copyright (c) 2020 Facebook\n-\n-#include \u003clinux/stddef.h\u003e\n-#include \u003clinux/bpf.h\u003e\n-#include \u003clinux/pkt_cls.h\u003e\n-#include \u003cbpf/bpf_endian.h\u003e\n-#include \u003cbpf/bpf_helpers.h\u003e\n-\n-struct {\n-\t__uint(type, BPF_MAP_TYPE_SOCKMAP);\n-\t__type(key, int);\n-\t__type(value, int);\n-\t__uint(max_entries, 2);\n-} sock_map SEC(\".maps\");\n-\n-SEC(\"freplace/cls_redirect\")\n-int freplace_cls_redirect_test(struct __sk_buff *skb)\n-{\n-\tint ret = 0;\n-\tconst int zero = 0;\n-\tstruct bpf_sock *sk;\n-\n-\tsk = bpf_map_lookup_elem(\u0026sock_map, \u0026zero);\n-\tif (!sk)\n-\t\treturn TC_ACT_SHOT;\n-\n-\tret = bpf_map_update_elem(\u0026sock_map, \u0026zero, sk, 0);\n-\tbpf_sk_release(sk);\n-\n-\treturn ret == 0 ? TC_ACT_OK : TC_ACT_SHOT;\n-}\n-\n-char _license[] SEC(\"license\") = \"GPL\";\ndiff --git a/tools/testing/selftests/bpf/progs/test_sockmap_update.c b/tools/testing/selftests/bpf/progs/test_sockmap_update.c\ndeleted file mode 100644\nindex 6d64ea536e3d81..00000000000000\n--- a/tools/testing/selftests/bpf/progs/test_sockmap_update.c\n+++ /dev/null\n@@ -1,48 +0,0 @@\n-// SPDX-License-Identifier: GPL-2.0\n-// Copyright (c) 2020 Cloudflare\n-#include \"vmlinux.h\"\n-#include \u003cbpf/bpf_helpers.h\u003e\n-\n-struct {\n-\t__uint(type, BPF_MAP_TYPE_SOCKMAP);\n-\t__uint(max_entries, 1);\n-\t__type(key, __u32);\n-\t__type(value, __u64);\n-} src SEC(\".maps\");\n-\n-struct {\n-\t__uint(type, BPF_MAP_TYPE_SOCKMAP);\n-\t__uint(max_entries, 1);\n-\t__type(key, __u32);\n-\t__type(value, __u64);\n-} dst_sock_map SEC(\".maps\");\n-\n-struct {\n-\t__uint(type, BPF_MAP_TYPE_SOCKHASH);\n-\t__uint(max_entries, 1);\n-\t__type(key, __u32);\n-\t__type(value, __u64);\n-} dst_sock_hash SEC(\".maps\");\n-\n-SEC(\"tc\")\n-int copy_sock_map(void *ctx)\n-{\n-\tstruct bpf_sock *sk;\n-\tbool failed = false;\n-\t__u32 key = 0;\n-\n-\tsk = bpf_map_lookup_elem(\u0026src, \u0026key);\n-\tif (!sk)\n-\t\treturn SK_DROP;\n-\n-\tif (bpf_map_update_elem(\u0026dst_sock_map, \u0026key, sk, 0))\n-\t\tfailed = true;\n-\n-\tif (bpf_map_update_elem(\u0026dst_sock_hash, \u0026key, sk, 0))\n-\t\tfailed = true;\n-\n-\tbpf_sk_release(sk);\n-\treturn failed ? SK_DROP : SK_PASS;\n-}\n-\n-char _license[] SEC(\"license\") = \"GPL\";\ndiff --git a/tools/testing/selftests/bpf/progs/verifier_sockmap_mutate.c b/tools/testing/selftests/bpf/progs/verifier_sockmap_mutate.c\nindex fe4b123187b86e..20332a731d4e4f 100644\n--- a/tools/testing/selftests/bpf/progs/verifier_sockmap_mutate.c\n+++ b/tools/testing/selftests/bpf/progs/verifier_sockmap_mutate.c\n@@ -74,7 +74,7 @@ static __always_inline void test_sockmap_lookup_and_mutate(void)\n }\n \n SEC(\"action\")\n-__success\n+__failure __msg(\"cannot update sockmap in this context\")\n int test_sched_act(struct __sk_buff *skb)\n {\n \ttest_sockmap_mutate(skb-\u003esk);\n@@ -82,7 +82,7 @@ int test_sched_act(struct __sk_buff *skb)\n }\n \n SEC(\"classifier\")\n-__success\n+__failure __msg(\"cannot update sockmap in this context\")\n int test_sched_cls(struct __sk_buff *skb)\n {\n \ttest_sockmap_mutate(skb-\u003esk);\n@@ -90,7 +90,7 @@ int test_sched_cls(struct __sk_buff *skb)\n }\n \n SEC(\"flow_dissector\")\n-__success\n+__failure __msg(\"cannot update sockmap in this context\")\n int test_flow_dissector_delete(struct __sk_buff *skb __always_unused)\n {\n \ttest_sockmap_delete();\n@@ -98,7 +98,7 @@ int test_flow_dissector_delete(struct __sk_buff *skb __always_unused)\n }\n \n SEC(\"flow_dissector\")\n-__failure __msg(\"program of this type cannot use helper bpf_sk_release\")\n+__failure __msg(\"cannot update sockmap in this context\")\n int test_flow_dissector_update(struct __sk_buff *skb __always_unused)\n {\n \ttest_sockmap_lookup_and_update(); /* no access to skb-\u003esk */\n@@ -146,7 +146,7 @@ int test_sk_reuseport(struct sk_reuseport_md *ctx)\n }\n \n SEC(\"socket\")\n-__success\n+__failure __msg(\"cannot update sockmap in this context\")\n int test_socket_filter(struct __sk_buff *skb)\n {\n \ttest_sockmap_mutate(skb-\u003esk);\n@@ -179,7 +179,7 @@ int test_sockops_update_dedicated(struct bpf_sock_ops *ctx)\n }\n \n SEC(\"xdp\")\n-__success\n+__failure __msg(\"cannot update sockmap in this context\")\n int test_xdp(struct xdp_md *ctx __always_unused)\n {\n \ttest_sockmap_lookup_and_mutate();\n"
} |
| 2/1 | 2026/06/30 23:05 | agent | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: {
"EnableConfigs": [
"BPF_SYSCALL",
"NET"
],
"FocusSymbols": [
"may_update_sockmap",
"check_map_func_compatibility"
],
"Reasoning": "The patch restricts certain BPF program types from updating sockmaps in the BPF verifier. This is a functional change in the core BPF verifier logic that affects what BPF programs are allowed to do. It should be fuzzed to ensure the verifier correctly rejects invalid programs and doesn't introduce any regressions or bypasses.",
"WorthFuzzing": true
}Instruction: You are an expert Linux kernel maintainer. Your job is to review a provided patch series and determine if it makes functional changes to the kernel that should be fuzzed. IMPORTANT: The changes have ALREADY been applied and committed as the HEAD commit in your workspace. Do NOT rely on your internal knowledge of the kernel. You must actively use your code access tools to examine the actual source code and confirm any assumptions. Return WorthFuzzing=false if the patch only contains: - Modifications to Documentation/, Kconfig files, or code comments. - Purely decorative changes, such as logging (e.g., pr_err, printk) or tracepoints. - Changes to numeric constants or macros that do not functionally alter execution flow. - Code paths that are impossible to reach in virtualized environments like GCE or QEMU, even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim). If it modifies reachable core kernel logic, drivers, or architectures, use your code search tools to verify the code can be executed, then return WorthFuzzing=true. When returning WorthFuzzing=true, you MUST ALSO: 1. Extract any specific kernel functions that should be heavily fuzzed into FocusSymbols. Avoid listing generic hot-path functions to prevent skewed test distributions. 2. Identify any specific CONFIG_ options required to properly test this new/modified feature. Go and look into the Kconfig files and check for ifdefs around the code, do not make assumptions. Do not list too generic configs (we already have them enabled). Only list those that specifically cover the modified code. List them in the EnableConfigs output array, and DO NOT add a 'CONFIG_' prefix (e.g., return "NET_IPV4" instead of "CONFIG_NET_IPV4"). Prefer calling several tools at the same time to save round-trips. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool. Prompt: For your convenience, here is the diff of the changes:
commit fc7de76ad1f513e02edfe2d09226f0dee78e0390
Author: syz-cluster <triage@syzkaller.com>
Date: Tue Jun 30 23:05:44 2026 +0000
syz-cluster: applied patch under review
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 25aea4271cd089..83ea3b33ff679c 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -8488,12 +8488,7 @@ static bool may_update_sockmap(struct bpf_verifier_env *env, int func_id)
if (func_id == BPF_FUNC_map_delete_elem)
return true;
break;
- case BPF_PROG_TYPE_SOCKET_FILTER:
- case BPF_PROG_TYPE_SCHED_CLS:
- case BPF_PROG_TYPE_SCHED_ACT:
- case BPF_PROG_TYPE_XDP:
case BPF_PROG_TYPE_SK_REUSEPORT:
- case BPF_PROG_TYPE_FLOW_DISSECTOR:
case BPF_PROG_TYPE_SK_LOOKUP:
return true;
default:
diff --git a/tools/testing/selftests/bpf/prog_tests/fexit_bpf2bpf.c b/tools/testing/selftests/bpf/prog_tests/fexit_bpf2bpf.c
index 92c20803ea765d..d3a954158c3327 100644
--- a/tools/testing/selftests/bpf/prog_tests/fexit_bpf2bpf.c
+++ b/tools/testing/selftests/bpf/prog_tests/fexit_bpf2bpf.c
@@ -336,17 +336,6 @@ static void test_fmod_ret_freplace(void)
}
-static void test_func_sockmap_update(void)
-{
- const char *prog_name[] = {
- "freplace/cls_redirect",
- };
- test_fexit_bpf2bpf_common("./freplace_cls_redirect.bpf.o",
- "./test_cls_redirect.bpf.o",
- ARRAY_SIZE(prog_name),
- prog_name, false, NULL);
-}
-
static void test_func_replace_void(void)
{
const char *prog_name[] = {
@@ -599,8 +588,6 @@ void serial_test_fexit_bpf2bpf(void)
test_func_replace();
if (test__start_subtest("func_replace_verify"))
test_func_replace_verify();
- if (test__start_subtest("func_sockmap_update"))
- test_func_sockmap_update();
if (test__start_subtest("func_replace_return_code"))
test_func_replace_return_code();
if (test__start_subtest("func_map_prog_compatibility"))
diff --git a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
index cb3229711f93a3..33f788e2786dae 100644
--- a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
+++ b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
@@ -7,7 +7,6 @@
#include "test_progs.h"
#include "test_skmsg_load_helpers.skel.h"
-#include "test_sockmap_update.skel.h"
#include "test_sockmap_invalid_update.skel.h"
#include "test_sockmap_skb_verdict_attach.skel.h"
#include "test_sockmap_progs_query.skel.h"
@@ -235,53 +234,6 @@ static void test_skmsg_helpers_with_link(enum bpf_map_type map_type)
test_skmsg_load_helpers__destroy(skel);
}
-static void test_sockmap_update(enum bpf_map_type map_type)
-{
- int err, prog, src;
- struct test_sockmap_update *skel;
- struct bpf_map *dst_map;
- const __u32 zero = 0;
- char dummy[14] = {0};
- LIBBPF_OPTS(bpf_test_run_opts, topts,
- .data_in = dummy,
- .data_size_in = sizeof(dummy),
- .repeat = 1,
- );
- __s64 sk;
-
- sk = connected_socket_v4();
- if (!ASSERT_NEQ(sk, -1, "connected_socket_v4"))
- return;
-
- skel = test_sockmap_update__open_and_load();
- if (!ASSERT_OK_PTR(skel, "open_and_load"))
- goto close_sk;
-
- prog = bpf_program__fd(skel->progs.copy_sock_map);
- src = bpf_map__fd(skel->maps.src);
- if (map_type == BPF_MAP_TYPE_SOCKMAP)
- dst_map = skel->maps.dst_sock_map;
- else
- dst_map = skel->maps.dst_sock_hash;
-
- err = bpf_map_update_elem(src, &zero, &sk, BPF_NOEXIST);
- if (!ASSERT_OK(err, "update_elem(src)"))
- goto out;
-
- err = bpf_prog_test_run_opts(prog, &topts);
- if (!ASSERT_OK(err, "test_run"))
- goto out;
- if (!ASSERT_NEQ(topts.retval, 0, "test_run retval"))
- goto out;
-
- compare_cookies(skel->maps.src, dst_map);
-
-out:
- test_sockmap_update__destroy(skel);
-close_sk:
- close(sk);
-}
-
static void test_sockmap_invalid_update(void)
{
struct test_sockmap_invalid_update *skel;
@@ -1385,10 +1337,6 @@ void test_sockmap_basic(void)
test_skmsg_helpers(BPF_MAP_TYPE_SOCKMAP);
if (test__start_subtest("sockhash sk_msg load helpers"))
test_skmsg_helpers(BPF_MAP_TYPE_SOCKHASH);
- if (test__start_subtest("sockmap update"))
- test_sockmap_update(BPF_MAP_TYPE_SOCKMAP);
- if (test__start_subtest("sockhash update"))
- test_sockmap_update(BPF_MAP_TYPE_SOCKHASH);
if (test__start_subtest("sockmap update in unsafe context"))
test_sockmap_invalid_update();
if (test__start_subtest("sockmap copy"))
diff --git a/tools/testing/selftests/bpf/progs/freplace_cls_redirect.c b/tools/testing/selftests/bpf/progs/freplace_cls_redirect.c
deleted file mode 100644
index 7e94412d47a5ca..00000000000000
--- a/tools/testing/selftests/bpf/progs/freplace_cls_redirect.c
+++ /dev/null
@@ -1,34 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-// Copyright (c) 2020 Facebook
-
-#include <linux/stddef.h>
-#include <linux/bpf.h>
-#include <linux/pkt_cls.h>
-#include <bpf/bpf_endian.h>
-#include <bpf/bpf_helpers.h>
-
-struct {
- __uint(type, BPF_MAP_TYPE_SOCKMAP);
- __type(key, int);
- __type(value, int);
- __uint(max_entries, 2);
-} sock_map SEC(".maps");
-
-SEC("freplace/cls_redirect")
-int freplace_cls_redirect_test(struct __sk_buff *skb)
-{
- int ret = 0;
- const int zero = 0;
- struct bpf_sock *sk;
-
- sk = bpf_map_lookup_elem(&sock_map, &zero);
- if (!sk)
- return TC_ACT_SHOT;
-
- ret = bpf_map_update_elem(&sock_map, &zero, sk, 0);
- bpf_sk_release(sk);
-
- return ret == 0 ? TC_ACT_OK : TC_ACT_SHOT;
-}
-
-char _license[] SEC("license") = "GPL";
diff --git a/tools/testing/selftests/bpf/progs/test_sockmap_update.c b/tools/testing/selftests/bpf/progs/test_sockmap_update.c
deleted file mode 100644
index 6d64ea536e3d81..00000000000000
--- a/tools/testing/selftests/bpf/progs/test_sockmap_update.c
+++ /dev/null
@@ -1,48 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-// Copyright (c) 2020 Cloudflare
-#include "vmlinux.h"
-#include <bpf/bpf_helpers.h>
-
-struct {
- __uint(type, BPF_MAP_TYPE_SOCKMAP);
- __uint(max_entries, 1);
- __type(key, __u32);
- __type(value, __u64);
-} src SEC(".maps");
-
-struct {
- __uint(type, BPF_MAP_TYPE_SOCKMAP);
- __uint(max_entries, 1);
- __type(key, __u32);
- __type(value, __u64);
-} dst_sock_map SEC(".maps");
-
-struct {
- __uint(type, BPF_MAP_TYPE_SOCKHASH);
- __uint(max_entries, 1);
- __type(key, __u32);
- __type(value, __u64);
-} dst_sock_hash SEC(".maps");
-
-SEC("tc")
-int copy_sock_map(void *ctx)
-{
- struct bpf_sock *sk;
- bool failed = false;
- __u32 key = 0;
-
- sk = bpf_map_lookup_elem(&src, &key);
- if (!sk)
- return SK_DROP;
-
- if (bpf_map_update_elem(&dst_sock_map, &key, sk, 0))
- failed = true;
-
- if (bpf_map_update_elem(&dst_sock_hash, &key, sk, 0))
- failed = true;
-
- bpf_sk_release(sk);
- return failed ? SK_DROP : SK_PASS;
-}
-
-char _license[] SEC("license") = "GPL";
diff --git a/tools/testing/selftests/bpf/progs/verifier_sockmap_mutate.c b/tools/testing/selftests/bpf/progs/verifier_sockmap_mutate.c
index fe4b123187b86e..20332a731d4e4f 100644
--- a/tools/testing/selftests/bpf/progs/verifier_sockmap_mutate.c
+++ b/tools/testing/selftests/bpf/progs/verifier_sockmap_mutate.c
@@ -74,7 +74,7 @@ static __always_inline void test_sockmap_lookup_and_mutate(void)
}
SEC("action")
-__success
+__failure __msg("cannot update sockmap in this context")
int test_sched_act(struct __sk_buff *skb)
{
test_sockmap_mutate(skb->sk);
@@ -82,7 +82,7 @@ int test_sched_act(struct __sk_buff *skb)
}
SEC("classifier")
-__success
+__failure __msg("cannot update sockmap in this context")
int test_sched_cls(struct __sk_buff *skb)
{
test_sockmap_mutate(skb->sk);
@@ -90,7 +90,7 @@ int test_sched_cls(struct __sk_buff *skb)
}
SEC("flow_dissector")
-__success
+__failure __msg("cannot update sockmap in this context")
int test_flow_dissector_delete(struct __sk_buff *skb __always_unused)
{
test_sockmap_delete();
@@ -98,7 +98,7 @@ int test_flow_dissector_delete(struct __sk_buff *skb __always_unused)
}
SEC("flow_dissector")
-__failure __msg("program of this type cannot use helper bpf_sk_release")
+__failure __msg("cannot update sockmap in this context")
int test_flow_dissector_update(struct __sk_buff *skb __always_unused)
{
test_sockmap_lookup_and_update(); /* no access to skb->sk */
@@ -146,7 +146,7 @@ int test_sk_reuseport(struct sk_reuseport_md *ctx)
}
SEC("socket")
-__success
+__failure __msg("cannot update sockmap in this context")
int test_socket_filter(struct __sk_buff *skb)
{
test_sockmap_mutate(skb->sk);
@@ -179,7 +179,7 @@ int test_sockops_update_dedicated(struct bpf_sock_ops *ctx)
}
SEC("xdp")
-__success
+__failure __msg("cannot update sockmap in this context")
int test_xdp(struct xdp_md *ctx __always_unused)
{
test_sockmap_lookup_and_mutate();
|
| 3/2 | 2026/06/30 23:05 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 5323 output: 20 thoughts: 191 Thoughts: **Analyzing the BPF Verifier Change** Okay, so I'm looking at this patch and it's hitting `kernel/bpf/verifier.c`. The core of the change revolves around `may_update_sockmap`. It seems they're tightening the reins here, restricting which BPF program types can actually modify sockmaps. Specifically, the patch is explicitly removing support for: `BPF_PROG_TYPE_SOCKET_FILTER`, `BPF_PROG_TYPE_SCHED_CLS`, `BPF_PROG_TYPE_SCHED_ACT`, `BPF_PROG_TYPE_XDP`, and `BPF_PROG_TYPE_FLOW_DISSECTOR`. Essentially, this means these program types are *no longer permitted* to update sockmaps. That's a significant restriction and potentially a security hardening measure, or perhaps a performance optimization, depending on the rationale. I'll need to dig into the commit message and related discussions to understand the exact motivation. The patch also includes updates to the selftests, which is good practice. I'll need to review those tests carefully. They likely removed tests that would have previously succeeded with these program types updating sockmaps, or they've changed the expected result from success to failure. This is critical because the tests need to accurately reflect the new behavior and prevent regressions. I'll pay close attention to the test modifications to ensure they are complete and cover all relevant scenarios. I'll also want to look for any new tests that explicitly verify the restriction. I should probably take a look at the context of `may_update_sockmap` in `kernel/bpf/verifier.c` to see how the logic is structured. It'll give me a clearer picture of *why* these programs are being restricted and how the verifier ensures this restriction is enforced. |
| 4/2 | 2026/06/30 23:05 | tool | grepper |
0mArgs:{
"Expression": "may_update_sockmap"
}Results: {
"Output": "kernel/bpf/verifier.c=8227=static int check_func_arg(struct bpf_verifier_env *env, u32 arg,\n--\nkernel/bpf/verifier.c-8468-\nkernel/bpf/verifier.c:8469:static bool may_update_sockmap(struct bpf_verifier_env *env, int func_id)\nkernel/bpf/verifier.c-8470-{\n--\nkernel/bpf/verifier.c=8508=static int check_map_func_compatibility(struct bpf_verifier_env *env,\n--\nkernel/bpf/verifier.c-8583-\t\t func_id != BPF_FUNC_map_lookup_elem \u0026\u0026\nkernel/bpf/verifier.c:8584:\t\t !may_update_sockmap(env, func_id))\nkernel/bpf/verifier.c-8585-\t\t\tgoto error;\n--\nkernel/bpf/verifier.c-8592-\t\t func_id != BPF_FUNC_map_lookup_elem \u0026\u0026\nkernel/bpf/verifier.c:8593:\t\t !may_update_sockmap(env, func_id))\nkernel/bpf/verifier.c-8594-\t\t\tgoto error;\n"
} |
| 5/2 | 2026/06/30 23:05 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 6252 output: 21 thoughts: 132 Thoughts: **Fuzzing the BPF Verifier: A Focused Approach** Okay, so I'm looking at this new function, `may_update_sockmap`, and it's being used in `check_map_func_compatibility`. This is a pretty significant functional change within the BPF verifier itself, a change that restricts specific BPF program types. My expert intuition is telling me this warrants a closer look, especially from a fuzzing perspective. Yeah, absolutely. A modification to the core verifier logic? That's definitely worth fuzzing. The verifier is where a lot of the critical security checks happen, so changes there are potential goldmines for uncovering vulnerabilities. Alright, time to narrow down the focus. Let's start with identifying the critical symbols. We've got `check_map_func_compatibility` and `may_update_sockmap`. Those are the two main players in this game. Now, I'll dive into the code. I'll need to check `kernel/bpf/verifier.c` directly to understand the implications of this new interaction between `check_map_func_compatibility` and `may_update_sockmap`. The devil is always in the details! |
| 6/2 | 2026/06/30 23:05 | tool | grepper |
0mArgs:{
"Expression": "check_map_func_compatibility"
}Results: {
"Output": "kernel/bpf/verifier.c=8502=bool bpf_allow_tail_call_in_subprogs(struct bpf_verifier_env *env)\n--\nkernel/bpf/verifier.c-8507-\nkernel/bpf/verifier.c:8508:static int check_map_func_compatibility(struct bpf_verifier_env *env,\nkernel/bpf/verifier.c-8509-\t\t\t\t\tstruct bpf_map *map, int func_id)\n--\nkernel/bpf/verifier.c=10181=static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn,\n--\nkernel/bpf/verifier.c-10612-\nkernel/bpf/verifier.c:10613:\terr = check_map_func_compatibility(env, meta.map.ptr, func_id);\nkernel/bpf/verifier.c-10614-\tif (err)\n--\nscripts/bpf_doc.py=607=Compatibility between helper functions and map types can be found in the\nscripts/bpf_doc.py:608:**check_map_func_compatibility**\\\\ () function in file *kernel/bpf/verifier.c*.\nscripts/bpf_doc.py-609-\n"
} |
| 7/2 | 2026/06/30 23:05 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 7000 output: 33 thoughts: 124 Thoughts: **Analyzing the Impact of the Code Change** Okay, so the core of this seems to revolve around `may_update_sockmap`. That function gets called by `check_map_func_compatibility`, which, in turn, is invoked by `check_helper_call`. Therefore, `check_map_func_compatibility` and `may_update_sockmap` are the critical entry points to understand this modification. I should start there, and then trace outwards. Now, what dependencies do we have to worry about? I know the BPF verifier requires `BPF_SYSCALL`. I should probably confirm that that's the only relevant config. I should check either `kernel/bpf/Makefile` or `kernel/bpf/Kconfig` for related settings. Let's see what else might be at play here. |
| 8/2 | 2026/06/30 23:06 | tool | grepper |
0mArgs:{
"Expression": "CONFIG_BPF_SYSCALL",
"PathPrefix": "kernel/bpf/"
}Results: {
"Output": "kernel/bpf/Makefile=7=CFLAGS_core.o += -Wno-override-init $(cflags-nogcse-yy)\nkernel/bpf/Makefile-8-\nkernel/bpf/Makefile:9:obj-$(CONFIG_BPF_SYSCALL) += syscall.o verifier.o inode.o helpers.o tnum.o cnum.o log.o token.o liveness.o const_fold.o\nkernel/bpf/Makefile:10:obj-$(CONFIG_BPF_SYSCALL) += bpf_iter.o map_iter.o task_iter.o prog_iter.o link_iter.o\nkernel/bpf/Makefile:11:obj-$(CONFIG_BPF_SYSCALL) += hashtab.o arraymap.o percpu_freelist.o bpf_lru_list.o lpm_trie.o map_in_map.o bloom_filter.o\nkernel/bpf/Makefile:12:obj-$(CONFIG_BPF_SYSCALL) += local_storage.o queue_stack_maps.o ringbuf.o bpf_insn_array.o\nkernel/bpf/Makefile:13:obj-$(CONFIG_BPF_SYSCALL) += bpf_local_storage.o bpf_task_storage.o\nkernel/bpf/Makefile:14:obj-$(CONFIG_BPF_SYSCALL) += fixups.o cfg.o states.o backtrack.o check_btf.o\nkernel/bpf/Makefile-15-obj-${CONFIG_BPF_LSM}\t += bpf_inode_storage.o\nkernel/bpf/Makefile:16:obj-$(CONFIG_BPF_SYSCALL) += disasm.o mprog.o\nkernel/bpf/Makefile-17-obj-$(CONFIG_BPF_JIT) += trampoline.o\nkernel/bpf/Makefile:18:obj-$(CONFIG_BPF_SYSCALL) += btf.o memalloc.o rqspinlock.o stream.o\nkernel/bpf/Makefile-19-ifeq ($(CONFIG_MMU)$(CONFIG_64BIT),yy)\nkernel/bpf/Makefile:20:obj-$(CONFIG_BPF_SYSCALL) += arena.o range_tree.o\nkernel/bpf/Makefile-21-endif\n--\nkernel/bpf/Makefile=23=ifeq ($(CONFIG_NET),y)\nkernel/bpf/Makefile:24:obj-$(CONFIG_BPF_SYSCALL) += devmap.o\nkernel/bpf/Makefile:25:obj-$(CONFIG_BPF_SYSCALL) += cpumap.o\nkernel/bpf/Makefile:26:obj-$(CONFIG_BPF_SYSCALL) += offload.o\nkernel/bpf/Makefile:27:obj-$(CONFIG_BPF_SYSCALL) += net_namespace.o\nkernel/bpf/Makefile:28:obj-$(CONFIG_BPF_SYSCALL) += tcx.o\nkernel/bpf/Makefile-29-endif\nkernel/bpf/Makefile=30=ifeq ($(CONFIG_PERF_EVENTS),y)\nkernel/bpf/Makefile:31:obj-$(CONFIG_BPF_SYSCALL) += stackmap.o\nkernel/bpf/Makefile-32-endif\nkernel/bpf/Makefile=33=ifeq ($(CONFIG_CGROUPS),y)\nkernel/bpf/Makefile:34:obj-$(CONFIG_BPF_SYSCALL) += cgroup_iter.o bpf_cgrp_storage.o\nkernel/bpf/Makefile-35-endif\n--\nkernel/bpf/Makefile=37=ifeq ($(CONFIG_INET),y)\nkernel/bpf/Makefile:38:obj-$(CONFIG_BPF_SYSCALL) += reuseport_array.o\nkernel/bpf/Makefile-39-endif\n--\nkernel/bpf/Makefile=43=ifeq ($(CONFIG_BPF_JIT),y)\nkernel/bpf/Makefile:44:obj-$(CONFIG_BPF_SYSCALL) += bpf_struct_ops.o\nkernel/bpf/Makefile:45:obj-$(CONFIG_BPF_SYSCALL) += cpumask.o\nkernel/bpf/Makefile-46-# bpf_lsm_proto.o must precede bpf_lsm.o. The current pahole logic\n--\nkernel/bpf/Makefile=58=ifneq ($(CONFIG_CRYPTO),)\nkernel/bpf/Makefile:59:obj-$(CONFIG_BPF_SYSCALL) += crypto.o\nkernel/bpf/Makefile-60-endif\nkernel/bpf/Makefile=61=obj-$(CONFIG_BPF_PRELOAD) += preload/\nkernel/bpf/Makefile-62-\nkernel/bpf/Makefile:63:obj-$(CONFIG_BPF_SYSCALL) += relo_core.o\nkernel/bpf/Makefile:64:obj-$(CONFIG_BPF_SYSCALL) += btf_iter.o\nkernel/bpf/Makefile:65:obj-$(CONFIG_BPF_SYSCALL) += btf_relocate.o\nkernel/bpf/Makefile:66:obj-$(CONFIG_BPF_SYSCALL) += kmem_cache_iter.o\nkernel/bpf/Makefile-67-ifeq ($(CONFIG_DMA_SHARED_BUFFER),y)\nkernel/bpf/Makefile:68:obj-$(CONFIG_BPF_SYSCALL) += dmabuf_iter.o\nkernel/bpf/Makefile-69-endif\n--\nkernel/bpf/core.c=99=struct bpf_prog *bpf_prog_alloc_no_stats(unsigned int size, gfp_t gfp_extra_flags)\n--\nkernel/bpf/core.c-141-\nkernel/bpf/core.c:142:#ifdef CONFIG_BPF_SYSCALL\nkernel/bpf/core.c-143-\tbpf_prog_stream_init(fp);\n--\nkernel/bpf/core.c=2404=EVAL4(PROG_NAME_LIST, 416, 448, 480, 512)\n--\nkernel/bpf/core.c-2407-\nkernel/bpf/core.c:2408:#ifdef CONFIG_BPF_SYSCALL\nkernel/bpf/core.c-2409-int bpf_patch_call_args(struct bpf_insn *insn, u32 stack_depth)\n--\nkernel/bpf/core.c=2992=void __bpf_free_used_btfs(struct btf_mod_pair *used_btfs, u32 len)\nkernel/bpf/core.c-2993-{\nkernel/bpf/core.c:2994:#ifdef CONFIG_BPF_SYSCALL\nkernel/bpf/core.c-2995-\tstruct btf_mod_pair *btf_mod;\n--\nkernel/bpf/core.c=3013=static void bpf_prog_free_deferred(struct work_struct *work)\n--\nkernel/bpf/core.c-3018-\taux = container_of(work, struct bpf_prog_aux, work);\nkernel/bpf/core.c:3019:#ifdef CONFIG_BPF_SYSCALL\nkernel/bpf/core.c-3020-\tbpf_free_kfunc_btf_tab(aux-\u003ekfunc_btf_tab);\n--\nkernel/bpf/core.c=3335=static noinline void bpf_prog_report_may_goto_violation(void)\nkernel/bpf/core.c-3336-{\nkernel/bpf/core.c:3337:#ifdef CONFIG_BPF_SYSCALL\nkernel/bpf/core.c-3338-\tstruct bpf_stream_stage ss;\n--\nkernel/bpf/core.c=3375=__weak u64 bpf_arena_get_kern_vm_start(struct bpf_arena *arena)\n--\nkernel/bpf/core.c-3379-\nkernel/bpf/core.c:3380:#ifdef CONFIG_BPF_SYSCALL\nkernel/bpf/core.c-3381-__weak bool bpf_arena_handle_page_fault(unsigned long addr, bool is_write,\n--\nkernel/bpf/core.c=3406=EXPORT_TRACEPOINT_SYMBOL_GPL(xdp_bulk_tx);\nkernel/bpf/core.c-3407-\nkernel/bpf/core.c:3408:#ifdef CONFIG_BPF_SYSCALL\nkernel/bpf/core.c-3409-\n--\nkernel/bpf/trampoline.c=1467=int __weak arch_bpf_trampoline_size(const struct btf_func_model *m, u32 flags,\n--\nkernel/bpf/trampoline.c-1474- defined(CONFIG_HAVE_SINGLE_FTRACE_DIRECT_OPS) \u0026\u0026 \\\nkernel/bpf/trampoline.c:1475: defined(CONFIG_BPF_SYSCALL)\nkernel/bpf/trampoline.c-1476-\n--\nkernel/bpf/trampoline.c=1711=int bpf_trampoline_multi_detach(struct bpf_prog *prog, struct bpf_tracing_multi_link *link)\n--\nkernel/bpf/trampoline.c-1747-\t CONFIG_HAVE_SINGLE_FTRACE_DIRECT_OPS \u0026\u0026\nkernel/bpf/trampoline.c:1748:\t CONFIG_BPF_SYSCALL */\nkernel/bpf/trampoline.c-1749-\n"
} |
| 9/2 | 2026/06/30 23:06 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 9739 output: 34 thoughts: 103 Thoughts: **Analyzing the BPF Verifier Change** Okay, so the change I need to understand is specifically within `kernel/bpf/verifier.c`. That immediately tells me this is related to the BPF verifier itself, and the primary prerequisite for this code path is `CONFIG_BPF_SYSCALL`. I should double-check that, but I'm reasonably confident. Now, because it's in the context of `sockmap`, I should start thinking about related configurations. Aside from `CONFIG_BPF_SYSCALL`, are there any other dependencies I need to consider? My initial guess is that `CONFIG_CGROUP_BPF` or possibly even `CONFIG_NET` might also play a role. These often interact. I'll need to check the broader context to confirm. Let's quickly get back into the code and double-check specifically the `may_update_sockmap` function within `kernel/bpf/verifier.c`. I need to ensure my assumptions about the dependencies are correct and understand the exact nature of the modification. This is where I'll get the real details. |
| 10/2 | 2026/06/30 23:06 | tool | grepper |
0mArgs:{
"Expression": "may_update_sockmap",
"PathPrefix": "kernel/bpf/verifier.c"
}Results: {
"Output": "kernel/bpf/verifier.c=8227=static int check_func_arg(struct bpf_verifier_env *env, u32 arg,\n--\nkernel/bpf/verifier.c-8468-\nkernel/bpf/verifier.c:8469:static bool may_update_sockmap(struct bpf_verifier_env *env, int func_id)\nkernel/bpf/verifier.c-8470-{\n--\nkernel/bpf/verifier.c=8508=static int check_map_func_compatibility(struct bpf_verifier_env *env,\n--\nkernel/bpf/verifier.c-8583-\t\t func_id != BPF_FUNC_map_lookup_elem \u0026\u0026\nkernel/bpf/verifier.c:8584:\t\t !may_update_sockmap(env, func_id))\nkernel/bpf/verifier.c-8585-\t\t\tgoto error;\n--\nkernel/bpf/verifier.c-8592-\t\t func_id != BPF_FUNC_map_lookup_elem \u0026\u0026\nkernel/bpf/verifier.c:8593:\t\t !may_update_sockmap(env, func_id))\nkernel/bpf/verifier.c-8594-\t\t\tgoto error;\n"
} |
| 11/2 | 2026/06/30 23:06 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 10442 output: 27 thoughts: 52 Thoughts: Okay, let's see, my initial reaction is, hmm, the `may_update_sockmap` function. Where *exactly* is that used? Only in `check_map_func_compatibility`? Interesting. I wonder if there's any specific configuration related to sockmaps I need to be aware of here? My first instinct is to dig around in the source code. Let's start with `net/core/sock_map.c`. That seems like the logical place to find the nitty-gritty details. I'll need to double check any associated files too. I'll keep the context in mind. |
| 12/2 | 2026/06/30 23:06 | tool | grepper |
0mArgs:{
"Expression": "sock_map",
"PathPrefix": "net/core/"
}Results: {
"Output": "\nFull output is too long, showing 500 out of 640 lines.\nUse more precise expression if possible.\n\nnet/core/Makefile=44=obj-$(CONFIG_NET_SOCK_MSG) += skmsg.o\nnet/core/Makefile:45:obj-$(CONFIG_BPF_SYSCALL) += sock_map.o\nnet/core/Makefile-46-obj-$(CONFIG_BPF_SYSCALL) += bpf_sk_storage.o\n--\nnet/core/filter.c=8597=xdp_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)\n--\nnet/core/filter.c-8667-\nnet/core/filter.c:8668:const struct bpf_func_proto bpf_sock_map_update_proto __weak;\nnet/core/filter.c-8669-const struct bpf_func_proto bpf_sock_hash_update_proto __weak;\n--\nnet/core/filter.c=8672=sock_ops_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)\n--\nnet/core/filter.c-8686-\t\treturn \u0026bpf_sock_ops_cb_flags_set_proto;\nnet/core/filter.c:8687:\tcase BPF_FUNC_sock_map_update:\nnet/core/filter.c:8688:\t\treturn \u0026bpf_sock_map_update_proto;\nnet/core/filter.c-8689-\tcase BPF_FUNC_sock_hash_update:\n--\nnet/core/filter.c=11571=BPF_CALL_4(sk_select_reuseport, struct sk_reuseport_kern *, reuse_kern,\n--\nnet/core/filter.c-11588-\t\t *\nnet/core/filter.c:11589:\t\t * Other maps (e.g. sock_map) do not provide this guarantee and\nnet/core/filter.c-11590-\t\t * the sk may never be in the reuseport group to begin with.\n--\nnet/core/filter.c-11613-error:\nnet/core/filter.c:11614:\t/* Lookup in sock_map can return TCP ESTABLISHED sockets. */\nnet/core/filter.c-11615-\tif (sk_is_refcounted(selected_sk))\n--\nnet/core/skmsg.c=671=static void sk_psock_backlog(struct work_struct *work)\n--\nnet/core/skmsg.c-688-\t/* Increment the psock refcnt to synchronize with close(fd) path in\nnet/core/skmsg.c:689:\t * sock_map_close(), ensuring we wait for backlog thread completion\nnet/core/skmsg.c-690-\t * before sk_socket freed. If refcnt increment fails, it indicates\nnet/core/skmsg.c:691:\t * sock_map_close() completed with sk_socket potentially already freed.\nnet/core/skmsg.c-692-\t */\n--\nnet/core/skmsg.c=905=EXPORT_SYMBOL_GPL(sk_psock_drop);\nnet/core/skmsg.c-906-\nnet/core/skmsg.c:907:static int sk_psock_map_verd(int verdict, bool redir)\nnet/core/skmsg.c-908-{\n--\nnet/core/skmsg.c=920=int sk_psock_msg_verdict(struct sock *sk, struct sk_psock *psock,\n--\nnet/core/skmsg.c-936-\tmsg-\u003esk = NULL;\nnet/core/skmsg.c:937:\tret = sk_psock_map_verd(ret, msg-\u003esk_redir);\nnet/core/skmsg.c-938-\tpsock-\u003eapply_bytes = msg-\u003eapply_bytes;\n--\nnet/core/skmsg.c=1075=static void sk_psock_strp_read(struct strparser *strp, struct sk_buff *skb)\n--\nnet/core/skmsg.c-1095-\t\tskb_bpf_set_strparser(skb);\nnet/core/skmsg.c:1096:\t\tret = sk_psock_map_verd(ret, skb_bpf_redirect_fetch(skb));\nnet/core/skmsg.c-1097-\t\tskb-\u003esk = NULL;\n--\nnet/core/skmsg.c=1198=static int sk_psock_verdict_recv(struct sock *sk, struct sk_buff *skb)\n--\nnet/core/skmsg.c-1219-\t\tret = bpf_prog_run_pin_on_cpu(prog, skb);\nnet/core/skmsg.c:1220:\t\tret = sk_psock_map_verd(ret, skb_bpf_redirect_fetch(skb));\nnet/core/skmsg.c-1221-\t}\n--\nnet/core/sock_map.c=32=static DEFINE_MUTEX(sockmap_mutex);\nnet/core/sock_map.c-33-\nnet/core/sock_map.c:34:static int sock_map_prog_update(struct bpf_map *map, struct bpf_prog *prog,\nnet/core/sock_map.c-35-\t\t\t\tstruct bpf_prog *old, struct bpf_link *link,\nnet/core/sock_map.c-36-\t\t\t\tu32 which);\nnet/core/sock_map.c:37:static struct sk_psock_progs *sock_map_progs(struct bpf_map *map);\nnet/core/sock_map.c-38-\nnet/core/sock_map.c:39:static struct bpf_map *sock_map_alloc(union bpf_attr *attr)\nnet/core/sock_map.c-40-{\n--\nnet/core/sock_map.c-67-\nnet/core/sock_map.c:68:int sock_map_get_from_fd(const union bpf_attr *attr, struct bpf_prog *prog)\nnet/core/sock_map.c-69-{\n--\nnet/core/sock_map.c-80-\tmutex_lock(\u0026sockmap_mutex);\nnet/core/sock_map.c:81:\tret = sock_map_prog_update(map, prog, NULL, NULL, attr-\u003eattach_type);\nnet/core/sock_map.c-82-\tmutex_unlock(\u0026sockmap_mutex);\n--\nnet/core/sock_map.c-85-\nnet/core/sock_map.c:86:int sock_map_prog_detach(const union bpf_attr *attr, enum bpf_prog_type ptype)\nnet/core/sock_map.c-87-{\n--\nnet/core/sock_map.c-109-\tmutex_lock(\u0026sockmap_mutex);\nnet/core/sock_map.c:110:\tret = sock_map_prog_update(map, NULL, prog, NULL, attr-\u003eattach_type);\nnet/core/sock_map.c-111-\tmutex_unlock(\u0026sockmap_mutex);\n--\nnet/core/sock_map.c-116-\nnet/core/sock_map.c:117:static void sock_map_sk_acquire(struct sock *sk)\nnet/core/sock_map.c-118-\t__acquires(\u0026sk-\u003esk_lock.slock)\n--\nnet/core/sock_map.c-123-\nnet/core/sock_map.c:124:static void sock_map_sk_release(struct sock *sk)\nnet/core/sock_map.c-125-\t__releases(\u0026sk-\u003esk_lock.slock)\n--\nnet/core/sock_map.c-130-\nnet/core/sock_map.c:131:static void sock_map_add_link(struct sk_psock *psock,\nnet/core/sock_map.c-132-\t\t\t struct sk_psock_link *link,\n--\nnet/core/sock_map.c-141-\nnet/core/sock_map.c:142:static void sock_map_del_link(struct sock *sk,\nnet/core/sock_map.c-143-\t\t\t struct sk_psock *psock, void *link_raw)\n--\nnet/core/sock_map.c-151-\t\t\tstruct bpf_map *map = link-\u003emap;\nnet/core/sock_map.c:152:\t\t\tstruct sk_psock_progs *progs = sock_map_progs(map);\nnet/core/sock_map.c-153-\n--\nnet/core/sock_map.c-178-\nnet/core/sock_map.c:179:static void sock_map_unref(struct sock *sk, void *link_raw)\nnet/core/sock_map.c-180-{\n--\nnet/core/sock_map.c-183-\tif (likely(psock)) {\nnet/core/sock_map.c:184:\t\tsock_map_del_link(sk, psock, link_raw);\nnet/core/sock_map.c-185-\t\tsk_psock_put(sk, psock);\n--\nnet/core/sock_map.c-188-\nnet/core/sock_map.c:189:static int sock_map_init_proto(struct sock *sk, struct sk_psock *psock)\nnet/core/sock_map.c-190-{\n--\nnet/core/sock_map.c-196-\nnet/core/sock_map.c:197:static struct sk_psock *sock_map_psock_get_checked(struct sock *sk)\nnet/core/sock_map.c-198-{\n--\nnet/core/sock_map.c-203-\tif (psock) {\nnet/core/sock_map.c:204:\t\tif (sk-\u003esk_prot-\u003eclose != sock_map_close) {\nnet/core/sock_map.c-205-\t\t\tpsock = ERR_PTR(-EBUSY);\n--\nnet/core/sock_map.c-216-\nnet/core/sock_map.c:217:static int sock_map_link(struct bpf_map *map, struct sock *sk)\nnet/core/sock_map.c-218-{\nnet/core/sock_map.c:219:\tstruct sk_psock_progs *progs = sock_map_progs(map);\nnet/core/sock_map.c-220-\tstruct bpf_prog *stream_verdict = NULL;\n--\nnet/core/sock_map.c-260-\nnet/core/sock_map.c:261:\tpsock = sock_map_psock_get_checked(sk);\nnet/core/sock_map.c-262-\tif (IS_ERR(psock)) {\n--\nnet/core/sock_map.c-297-\t */\nnet/core/sock_map.c:298:\tret = sock_map_init_proto(sk, psock);\nnet/core/sock_map.c-299-\tif (ret \u003c 0) {\n--\nnet/core/sock_map.c-338-\nnet/core/sock_map.c:339:static void sock_map_free(struct bpf_map *map)\nnet/core/sock_map.c-340-{\n--\nnet/core/sock_map.c-357-\t\t\trcu_read_lock();\nnet/core/sock_map.c:358:\t\t\tsock_map_unref(sk, psk);\nnet/core/sock_map.c-359-\t\t\trcu_read_unlock();\n--\nnet/core/sock_map.c-371-\nnet/core/sock_map.c:372:static void sock_map_release_progs(struct bpf_map *map)\nnet/core/sock_map.c-373-{\n--\nnet/core/sock_map.c-376-\nnet/core/sock_map.c:377:static struct sock *__sock_map_lookup_elem(struct bpf_map *map, u32 key)\nnet/core/sock_map.c-378-{\n--\nnet/core/sock_map.c-387-\nnet/core/sock_map.c:388:static void *sock_map_lookup(struct bpf_map *map, void *key)\nnet/core/sock_map.c-389-{\n--\nnet/core/sock_map.c-391-\nnet/core/sock_map.c:392:\tsk = __sock_map_lookup_elem(map, *(u32 *)key);\nnet/core/sock_map.c-393-\tif (!sk)\n--\nnet/core/sock_map.c-399-\nnet/core/sock_map.c:400:static void *sock_map_lookup_sys(struct bpf_map *map, void *key)\nnet/core/sock_map.c-401-{\n--\nnet/core/sock_map.c-406-\nnet/core/sock_map.c:407:\tsk = __sock_map_lookup_elem(map, *(u32 *)key);\nnet/core/sock_map.c-408-\tif (!sk)\n--\nnet/core/sock_map.c-414-\nnet/core/sock_map.c:415:static int __sock_map_delete(struct bpf_stab *stab, struct sock *sk_test,\nnet/core/sock_map.c-416-\t\t\t struct sock **psk)\n--\nnet/core/sock_map.c-425-\tif (likely(sk))\nnet/core/sock_map.c:426:\t\tsock_map_unref(sk, psk);\nnet/core/sock_map.c-427-\telse\n--\nnet/core/sock_map.c-433-\nnet/core/sock_map.c:434:static void sock_map_delete_from_link(struct bpf_map *map, struct sock *sk,\nnet/core/sock_map.c-435-\t\t\t\t void *link_raw)\n--\nnet/core/sock_map.c-438-\nnet/core/sock_map.c:439:\t__sock_map_delete(stab, sk, link_raw);\nnet/core/sock_map.c-440-}\nnet/core/sock_map.c-441-\nnet/core/sock_map.c:442:static long sock_map_delete_elem(struct bpf_map *map, void *key)\nnet/core/sock_map.c-443-{\n--\nnet/core/sock_map.c-451-\tpsk = \u0026stab-\u003esks[i];\nnet/core/sock_map.c:452:\treturn __sock_map_delete(stab, NULL, psk);\nnet/core/sock_map.c-453-}\nnet/core/sock_map.c-454-\nnet/core/sock_map.c:455:static int sock_map_get_next_key(struct bpf_map *map, void *key, void *next)\nnet/core/sock_map.c-456-{\n--\nnet/core/sock_map.c-469-\nnet/core/sock_map.c:470:static int sock_map_update_common(struct bpf_map *map, u32 idx,\nnet/core/sock_map.c-471-\t\t\t\t struct sock *sk, u64 flags)\n--\nnet/core/sock_map.c-488-\nnet/core/sock_map.c:489:\tret = sock_map_link(map, sk);\nnet/core/sock_map.c-490-\tif (ret \u003c 0)\n--\nnet/core/sock_map.c-505-\nnet/core/sock_map.c:506:\tsock_map_add_link(psock, link, map, \u0026stab-\u003esks[idx]);\nnet/core/sock_map.c-507-\tstab-\u003esks[idx] = sk;\nnet/core/sock_map.c-508-\tif (osk)\nnet/core/sock_map.c:509:\t\tsock_map_unref(osk, \u0026stab-\u003esks[idx]);\nnet/core/sock_map.c-510-\tspin_unlock_bh(\u0026stab-\u003elock);\n--\nnet/core/sock_map.c-520-\nnet/core/sock_map.c:521:static bool sock_map_op_okay(const struct bpf_sock_ops_kern *ops)\nnet/core/sock_map.c-522-{\n--\nnet/core/sock_map.c-527-\nnet/core/sock_map.c:528:static bool sock_map_redirect_allowed(const struct sock *sk)\nnet/core/sock_map.c-529-{\n--\nnet/core/sock_map.c-535-\nnet/core/sock_map.c:536:static bool sock_map_sk_is_suitable(const struct sock *sk)\nnet/core/sock_map.c-537-{\n--\nnet/core/sock_map.c-540-\nnet/core/sock_map.c:541:static bool sock_map_sk_state_allowed(const struct sock *sk)\nnet/core/sock_map.c-542-{\n--\nnet/core/sock_map.c=553=static int sock_hash_update_common(struct bpf_map *map, void *key,\n--\nnet/core/sock_map.c-555-\nnet/core/sock_map.c:556:int sock_map_update_elem_sys(struct bpf_map *map, void *key, void *value,\nnet/core/sock_map.c-557-\t\t\t u64 flags)\n--\nnet/core/sock_map.c-578-\t}\nnet/core/sock_map.c:579:\tif (!sock_map_sk_is_suitable(sk)) {\nnet/core/sock_map.c-580-\t\tret = -EOPNOTSUPP;\n--\nnet/core/sock_map.c-583-\nnet/core/sock_map.c:584:\tsock_map_sk_acquire(sk);\nnet/core/sock_map.c:585:\tif (!sock_map_sk_state_allowed(sk))\nnet/core/sock_map.c-586-\t\tret = -EOPNOTSUPP;\nnet/core/sock_map.c-587-\telse if (map-\u003emap_type == BPF_MAP_TYPE_SOCKMAP)\nnet/core/sock_map.c:588:\t\tret = sock_map_update_common(map, *(u32 *)key, sk, flags);\nnet/core/sock_map.c-589-\telse\nnet/core/sock_map.c-590-\t\tret = sock_hash_update_common(map, key, sk, flags);\nnet/core/sock_map.c:591:\tsock_map_sk_release(sk);\nnet/core/sock_map.c-592-out:\n--\nnet/core/sock_map.c-596-\nnet/core/sock_map.c:597:static long sock_map_update_elem(struct bpf_map *map, void *key,\nnet/core/sock_map.c-598-\t\t\t\t void *value, u64 flags)\n--\nnet/core/sock_map.c-605-\nnet/core/sock_map.c:606:\tif (!sock_map_sk_is_suitable(sk))\nnet/core/sock_map.c-607-\t\treturn -EOPNOTSUPP;\n--\nnet/core/sock_map.c-610-\tbh_lock_sock(sk);\nnet/core/sock_map.c:611:\tif (!sock_map_sk_state_allowed(sk))\nnet/core/sock_map.c-612-\t\tret = -EOPNOTSUPP;\nnet/core/sock_map.c-613-\telse if (map-\u003emap_type == BPF_MAP_TYPE_SOCKMAP)\nnet/core/sock_map.c:614:\t\tret = sock_map_update_common(map, *(u32 *)key, sk, flags);\nnet/core/sock_map.c-615-\telse\n--\nnet/core/sock_map.c-621-\nnet/core/sock_map.c:622:BPF_CALL_4(bpf_sock_map_update, struct bpf_sock_ops_kern *, sops,\nnet/core/sock_map.c-623-\t struct bpf_map *, map, void *, key, u64, flags)\n--\nnet/core/sock_map.c-626-\nnet/core/sock_map.c:627:\tif (likely(sock_map_sk_is_suitable(sops-\u003esk) \u0026\u0026\nnet/core/sock_map.c:628:\t\t sock_map_op_okay(sops)))\nnet/core/sock_map.c:629:\t\treturn sock_map_update_common(map, *(u32 *)key, sops-\u003esk,\nnet/core/sock_map.c-630-\t\t\t\t\t flags);\n--\nnet/core/sock_map.c-633-\nnet/core/sock_map.c:634:const struct bpf_func_proto bpf_sock_map_update_proto = {\nnet/core/sock_map.c:635:\t.func\t\t= bpf_sock_map_update,\nnet/core/sock_map.c-636-\t.gpl_only\t= false,\n--\nnet/core/sock_map.c=645=BPF_CALL_4(bpf_sk_redirect_map, struct sk_buff *, skb,\n--\nnet/core/sock_map.c-652-\nnet/core/sock_map.c:653:\tsk = __sock_map_lookup_elem(map, key);\nnet/core/sock_map.c:654:\tif (unlikely(!sk || !sock_map_redirect_allowed(sk)))\nnet/core/sock_map.c-655-\t\treturn SK_DROP;\n--\nnet/core/sock_map.c=673=BPF_CALL_4(bpf_msg_redirect_map, struct sk_msg *, msg,\n--\nnet/core/sock_map.c-680-\nnet/core/sock_map.c:681:\tsk = __sock_map_lookup_elem(map, key);\nnet/core/sock_map.c:682:\tif (unlikely(!sk || !sock_map_redirect_allowed(sk)))\nnet/core/sock_map.c-683-\t\treturn SK_DROP;\n--\nnet/core/sock_map.c=694=const struct bpf_func_proto bpf_msg_redirect_map_proto = {\n--\nnet/core/sock_map.c-703-\nnet/core/sock_map.c:704:struct sock_map_seq_info {\nnet/core/sock_map.c-705-\tstruct bpf_map *map;\n--\nnet/core/sock_map.c=717=DEFINE_BPF_ITER_FUNC(sockmap, struct bpf_iter_meta *meta,\n--\nnet/core/sock_map.c-720-\nnet/core/sock_map.c:721:static void *sock_map_seq_lookup_elem(struct sock_map_seq_info *info)\nnet/core/sock_map.c-722-{\n--\nnet/core/sock_map.c-725-\nnet/core/sock_map.c:726:\tinfo-\u003esk = __sock_map_lookup_elem(info-\u003emap, info-\u003eindex);\nnet/core/sock_map.c-727-\n--\nnet/core/sock_map.c-731-\nnet/core/sock_map.c:732:static void *sock_map_seq_start(struct seq_file *seq, loff_t *pos)\nnet/core/sock_map.c-733-\t__acquires(rcu)\nnet/core/sock_map.c-734-{\nnet/core/sock_map.c:735:\tstruct sock_map_seq_info *info = seq-\u003eprivate;\nnet/core/sock_map.c-736-\n--\nnet/core/sock_map.c-739-\nnet/core/sock_map.c:740:\t/* pairs with sock_map_seq_stop */\nnet/core/sock_map.c-741-\trcu_read_lock();\nnet/core/sock_map.c:742:\treturn sock_map_seq_lookup_elem(info);\nnet/core/sock_map.c-743-}\nnet/core/sock_map.c-744-\nnet/core/sock_map.c:745:static void *sock_map_seq_next(struct seq_file *seq, void *v, loff_t *pos)\nnet/core/sock_map.c-746-\t__must_hold(rcu)\nnet/core/sock_map.c-747-{\nnet/core/sock_map.c:748:\tstruct sock_map_seq_info *info = seq-\u003eprivate;\nnet/core/sock_map.c-749-\n--\nnet/core/sock_map.c-752-\nnet/core/sock_map.c:753:\treturn sock_map_seq_lookup_elem(info);\nnet/core/sock_map.c-754-}\nnet/core/sock_map.c-755-\nnet/core/sock_map.c:756:static int sock_map_seq_show(struct seq_file *seq, void *v)\nnet/core/sock_map.c-757-\t__must_hold(rcu)\nnet/core/sock_map.c-758-{\nnet/core/sock_map.c:759:\tstruct sock_map_seq_info *info = seq-\u003eprivate;\nnet/core/sock_map.c-760-\tstruct bpf_iter__sockmap ctx = {};\n--\nnet/core/sock_map.c-778-\nnet/core/sock_map.c:779:static void sock_map_seq_stop(struct seq_file *seq, void *v)\nnet/core/sock_map.c-780-\t__releases(rcu)\n--\nnet/core/sock_map.c-782-\tif (!v)\nnet/core/sock_map.c:783:\t\t(void)sock_map_seq_show(seq, NULL);\nnet/core/sock_map.c-784-\nnet/core/sock_map.c:785:\t/* pairs with sock_map_seq_start */\nnet/core/sock_map.c-786-\trcu_read_unlock();\n--\nnet/core/sock_map.c-788-\nnet/core/sock_map.c:789:static const struct seq_operations sock_map_seq_ops = {\nnet/core/sock_map.c:790:\t.start\t= sock_map_seq_start,\nnet/core/sock_map.c:791:\t.next\t= sock_map_seq_next,\nnet/core/sock_map.c:792:\t.stop\t= sock_map_seq_stop,\nnet/core/sock_map.c:793:\t.show\t= sock_map_seq_show,\nnet/core/sock_map.c-794-};\nnet/core/sock_map.c-795-\nnet/core/sock_map.c:796:static int sock_map_init_seq_private(void *priv_data,\nnet/core/sock_map.c-797-\t\t\t\t struct bpf_iter_aux_info *aux)\nnet/core/sock_map.c-798-{\nnet/core/sock_map.c:799:\tstruct sock_map_seq_info *info = priv_data;\nnet/core/sock_map.c-800-\n--\nnet/core/sock_map.c-805-\nnet/core/sock_map.c:806:static void sock_map_fini_seq_private(void *priv_data)\nnet/core/sock_map.c-807-{\nnet/core/sock_map.c:808:\tstruct sock_map_seq_info *info = priv_data;\nnet/core/sock_map.c-809-\n--\nnet/core/sock_map.c-812-\nnet/core/sock_map.c:813:static u64 sock_map_mem_usage(const struct bpf_map *map)\nnet/core/sock_map.c-814-{\n--\nnet/core/sock_map.c-820-\nnet/core/sock_map.c:821:static const struct bpf_iter_seq_info sock_map_iter_seq_info = {\nnet/core/sock_map.c:822:\t.seq_ops\t\t= \u0026sock_map_seq_ops,\nnet/core/sock_map.c:823:\t.init_seq_private\t= sock_map_init_seq_private,\nnet/core/sock_map.c:824:\t.fini_seq_private\t= sock_map_fini_seq_private,\nnet/core/sock_map.c:825:\t.seq_priv_size\t\t= sizeof(struct sock_map_seq_info),\nnet/core/sock_map.c-826-};\nnet/core/sock_map.c-827-\nnet/core/sock_map.c:828:BTF_ID_LIST_SINGLE(sock_map_btf_ids, struct, bpf_stab)\nnet/core/sock_map.c:829:const struct bpf_map_ops sock_map_ops = {\nnet/core/sock_map.c-830-\t.map_meta_equal\t\t= bpf_map_meta_equal,\nnet/core/sock_map.c:831:\t.map_alloc\t\t= sock_map_alloc,\nnet/core/sock_map.c:832:\t.map_free\t\t= sock_map_free,\nnet/core/sock_map.c:833:\t.map_get_next_key\t= sock_map_get_next_key,\nnet/core/sock_map.c:834:\t.map_lookup_elem_sys_only = sock_map_lookup_sys,\nnet/core/sock_map.c:835:\t.map_update_elem\t= sock_map_update_elem,\nnet/core/sock_map.c:836:\t.map_delete_elem\t= sock_map_delete_elem,\nnet/core/sock_map.c:837:\t.map_lookup_elem\t= sock_map_lookup,\nnet/core/sock_map.c:838:\t.map_release_uref\t= sock_map_release_progs,\nnet/core/sock_map.c-839-\t.map_check_btf\t\t= map_check_no_btf,\nnet/core/sock_map.c:840:\t.map_mem_usage\t\t= sock_map_mem_usage,\nnet/core/sock_map.c:841:\t.map_btf_id\t\t= \u0026sock_map_btf_ids[0],\nnet/core/sock_map.c:842:\t.iter_seq_info\t\t= \u0026sock_map_iter_seq_info,\nnet/core/sock_map.c-843-};\n--\nnet/core/sock_map.c=916=static void sock_hash_delete_from_link(struct bpf_map *map, struct sock *sk,\n--\nnet/core/sock_map.c-934-\t\thlist_del_rcu(\u0026elem-\u003enode);\nnet/core/sock_map.c:935:\t\tsock_map_unref(elem-\u003esk, elem);\nnet/core/sock_map.c-936-\t\tsock_hash_free_elem(htab, elem);\n--\nnet/core/sock_map.c=941=static long sock_hash_delete_elem(struct bpf_map *map, void *key)\n--\nnet/core/sock_map.c-955-\t\thlist_del_rcu(\u0026elem-\u003enode);\nnet/core/sock_map.c:956:\t\tsock_map_unref(elem-\u003esk, elem);\nnet/core/sock_map.c-957-\t\tsock_hash_free_elem(htab, elem);\n--\nnet/core/sock_map.c=991=static int sock_hash_update_common(struct bpf_map *map, void *key,\n--\nnet/core/sock_map.c-1009-\nnet/core/sock_map.c:1010:\tret = sock_map_link(map, sk);\nnet/core/sock_map.c-1011-\tif (ret \u003c 0)\n--\nnet/core/sock_map.c-1035-\nnet/core/sock_map.c:1036:\tsock_map_add_link(psock, link, map, elem_new);\nnet/core/sock_map.c-1037-\t/* Add new element to the head of the list, so that\n--\nnet/core/sock_map.c-1042-\t\thlist_del_rcu(\u0026elem-\u003enode);\nnet/core/sock_map.c:1043:\t\tsock_map_unref(elem-\u003esk, elem);\nnet/core/sock_map.c-1044-\t\tsock_hash_free_elem(htab, elem);\n--\nnet/core/sock_map.c=1144=static void sock_hash_free(struct bpf_map *map)\n--\nnet/core/sock_map.c-1180-\t\t\trcu_read_lock();\nnet/core/sock_map.c:1181:\t\t\tsock_map_unref(elem-\u003esk, elem);\nnet/core/sock_map.c-1182-\t\t\trcu_read_unlock();\n--\nnet/core/sock_map.c=1229=BPF_CALL_4(bpf_sock_hash_update, struct bpf_sock_ops_kern *, sops,\n--\nnet/core/sock_map.c-1233-\nnet/core/sock_map.c:1234:\tif (likely(sock_map_sk_is_suitable(sops-\u003esk) \u0026\u0026\nnet/core/sock_map.c:1235:\t\t sock_map_op_okay(sops)))\nnet/core/sock_map.c-1236-\t\treturn sock_hash_update_common(map, key, sops-\u003esk, flags);\n--\nnet/core/sock_map.c=1251=BPF_CALL_4(bpf_sk_redirect_hash, struct sk_buff *, skb,\n--\nnet/core/sock_map.c-1259-\tsk = __sock_hash_lookup_elem(map, key);\nnet/core/sock_map.c:1260:\tif (unlikely(!sk || !sock_map_redirect_allowed(sk)))\nnet/core/sock_map.c-1261-\t\treturn SK_DROP;\n--\nnet/core/sock_map.c=1279=BPF_CALL_4(bpf_msg_redirect_hash, struct sk_msg *, msg,\n--\nnet/core/sock_map.c-1287-\tsk = __sock_hash_lookup_elem(map, key);\nnet/core/sock_map.c:1288:\tif (unlikely(!sk || !sock_map_redirect_allowed(sk)))\nnet/core/sock_map.c-1289-\t\treturn SK_DROP;\n--\nnet/core/sock_map.c=1445=const struct bpf_map_ops sock_hash_ops = {\n--\nnet/core/sock_map.c-1449-\t.map_get_next_key\t= sock_hash_get_next_key,\nnet/core/sock_map.c:1450:\t.map_update_elem\t= sock_map_update_elem,\nnet/core/sock_map.c-1451-\t.map_delete_elem\t= sock_hash_delete_elem,\n--\nnet/core/sock_map.c-1460-\nnet/core/sock_map.c:1461:static struct sk_psock_progs *sock_map_progs(struct bpf_map *map)\nnet/core/sock_map.c-1462-{\n--\nnet/core/sock_map.c-1474-\nnet/core/sock_map.c:1475:static int sock_map_prog_link_lookup(struct bpf_map *map, struct bpf_prog ***pprog,\nnet/core/sock_map.c-1476-\t\t\t\t struct bpf_link ***plink, u32 which)\nnet/core/sock_map.c-1477-{\nnet/core/sock_map.c:1478:\tstruct sk_psock_progs *progs = sock_map_progs(map);\nnet/core/sock_map.c-1479-\tstruct bpf_prog **cur_pprog;\n--\nnet/core/sock_map.c-1523- */\nnet/core/sock_map.c:1524:static int sock_map_prog_update(struct bpf_map *map, struct bpf_prog *prog,\nnet/core/sock_map.c-1525-\t\t\t\tstruct bpf_prog *old, struct bpf_link *link,\n--\nnet/core/sock_map.c-1531-\nnet/core/sock_map.c:1532:\tret = sock_map_prog_link_lookup(map, \u0026pprog, \u0026plink, which);\nnet/core/sock_map.c-1533-\tif (ret)\n--\nnet/core/sock_map.c-1554-\nnet/core/sock_map.c:1555:int sock_map_bpf_prog_query(const union bpf_attr *attr,\nnet/core/sock_map.c-1556-\t\t\t union bpf_attr __user *uattr)\n--\nnet/core/sock_map.c-1575-\nnet/core/sock_map.c:1576:\tret = sock_map_prog_link_lookup(map, \u0026pprog, NULL, attr-\u003equery.attach_type);\nnet/core/sock_map.c-1577-\tif (ret)\n--\nnet/core/sock_map.c-1603-\nnet/core/sock_map.c:1604:static void sock_map_unlink(struct sock *sk, struct sk_psock_link *link)\nnet/core/sock_map.c-1605-{\n--\nnet/core/sock_map.c-1607-\tcase BPF_MAP_TYPE_SOCKMAP:\nnet/core/sock_map.c:1608:\t\treturn sock_map_delete_from_link(link-\u003emap, sk,\nnet/core/sock_map.c-1609-\t\t\t\t\t\t link-\u003elink_raw);\n--\nnet/core/sock_map.c-1617-\nnet/core/sock_map.c:1618:static void sock_map_remove_links(struct sock *sk, struct sk_psock *psock)\nnet/core/sock_map.c-1619-{\n--\nnet/core/sock_map.c-1622-\twhile ((link = sk_psock_link_pop(psock))) {\nnet/core/sock_map.c:1623:\t\tsock_map_unlink(sk, link);\nnet/core/sock_map.c-1624-\t\tsk_psock_free_link(link);\n--\nnet/core/sock_map.c-1627-\nnet/core/sock_map.c:1628:void sock_map_unhash(struct sock *sk)\nnet/core/sock_map.c-1629-{\n--\n\n"
} |
| 13/2 | 2026/06/30 23:06 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 21120 output: 32 thoughts: 100 Thoughts: **Analyzing the Sockmap Configuration** Okay, so I'm digging into this sockmap thing. The documentation states that `CONFIG_BPF_SYSCALL` enables it. Right, makes sense, that's what I'd expect. Now, let me just double-check that in the kernel source. Ah, here we are in `net/core/Makefile`. And it confirms: `obj-$(CONFIG_BPF_SYSCALL) += sock_map.o`. So, yeah, it *is* just `CONFIG_BPF_SYSCALL` that activates the sockmap object. Hmm, but wait. Thinking a bit more deeply about this, since `sock_map.o` is located in the `net/core/` directory, I bet we need `CONFIG_NET` too, even though it's not explicitly mentioned. Let's just confirm that by taking a quick look at `net/core/Makefile` again. Good practice to be thorough here. |
| 14/2 | 2026/06/30 23:06 | tool | grepper |
0mArgs:{
"Expression": "CONFIG_BPF_SYSCALL",
"PathPrefix": "net/core/"
}Results: {
"Output": "net/core/Makefile=44=obj-$(CONFIG_NET_SOCK_MSG) += skmsg.o\nnet/core/Makefile:45:obj-$(CONFIG_BPF_SYSCALL) += sock_map.o\nnet/core/Makefile:46:obj-$(CONFIG_BPF_SYSCALL) += bpf_sk_storage.o\nnet/core/Makefile-47-obj-$(CONFIG_OF)\t+= of_net.o\n--\nnet/core/dev.h=381=int rps_cpumask_housekeeping(struct cpumask *mask);\nnet/core/dev.h-382-\nnet/core/dev.h:383:#if defined(CONFIG_DEBUG_NET) \u0026\u0026 defined(CONFIG_BPF_SYSCALL)\nnet/core/dev.h-384-void xdp_do_check_flushed(struct napi_struct *napi);\n--\nnet/core/filter.c=4441=EXPORT_SYMBOL_GPL(xdp_do_flush);\nnet/core/filter.c-4442-\nnet/core/filter.c:4443:#if defined(CONFIG_DEBUG_NET) \u0026\u0026 defined(CONFIG_BPF_SYSCALL)\nnet/core/filter.c-4444-void xdp_do_check_flushed(struct napi_struct *napi)\n--\nnet/core/flow_dissector.c=74=EXPORT_SYMBOL(skb_flow_dissector_init);\nnet/core/flow_dissector.c-75-\nnet/core/flow_dissector.c:76:#ifdef CONFIG_BPF_SYSCALL\nnet/core/flow_dissector.c-77-int flow_dissector_bpf_prog_attach_check(struct net *net,\n--\nnet/core/flow_dissector.c-105-}\nnet/core/flow_dissector.c:106:#endif /* CONFIG_BPF_SYSCALL */\nnet/core/flow_dissector.c-107-\n--\nnet/core/sock.c=2350=static void __sk_destruct(struct rcu_head *head)\n--\nnet/core/sock.c-2367-\nnet/core/sock.c:2368:#ifdef CONFIG_BPF_SYSCALL\nnet/core/sock.c-2369-\tbpf_sk_storage_free(sk);\n"
} |
| 15/2 | 2026/06/30 23:06 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 22071 output: 25 thoughts: 72 Thoughts: Okay, let's break this down. **Kernel Configuration Dependencies** Alright, so I've got a couple of key dependencies identified right off the bat: `CONFIG_BPF_SYSCALL` and `CONFIG_NET`. That feels right, but let's not make any assumptions. I need to explicitly verify that `CONFIG_NET` is indeed a hard requirement for the `sock_map.o` object. A quick cross-reference would be in order. Ah, yes, looking at the build process, it's clear that the `net/core/` directory gets built only when `CONFIG_NET` is enabled. That confirms my initial intuition. Now, to be thorough, I should really glance at `net/Makefile` to make absolutely sure there aren't any sneaky conditional inclusions or bizarre build rules I'm missing. Always good to double-check those Makefile dependencies, just to be safe. It's the devil in the details, after all! |
| 16/2 | 2026/06/30 23:06 | tool | grepper |
0mArgs:{
"Expression": "core/",
"PathPrefix": "net/Makefile"
}Results: {
"Output": "net/Makefile-8-\nnet/Makefile:9:obj-y\t\t\t\t:= devres.o socket.o core/\nnet/Makefile-10-\n"
} |
| 17/2 | 2026/06/30 23:06 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 22423 output: 130 thoughts: 1003 Thoughts: **Analyzing BPF Verifier Restrictions for Fuzzing**
Okay, let's break this down for fuzzing. We're looking at a patch that restricts sockmap updates within the BPF verifier. The core idea is that certain BPF program types are no longer allowed to modify sockmaps. This is a crucial change in the verifier's behavior. So the first thing I need to establish is the configuration and focus symbols for fuzzing this patch.
Right, the base configuration is determined by `CONFIG_NET` because the `net/` directory is built when `CONFIG_NET` is enabled. And, of course, `CONFIG_BPF_SYSCALL` is essential, since it's a BPF-related change. So those are my initial config assumptions: `CONFIG_NET` and `CONFIG_BPF_SYSCALL`.
Now, let's identify the specific functions this patch touches directly. From the code, the key symbols here seem to be `may_update_sockmap` and `check_map_func_compatibility`. Wait, `may_update_sockmap` is static, which is usually okay with fuzzing tools. The check is called by `check_map_func_compatibility` which in turn is called by `check_helper_call` which is called by `do_check`. This makes it reachable. So that confirms those as valid focus symbols.
I need to make sure I haven't missed anything, like a dependency on `CONFIG_CGROUP_BPF`, but it looks like the modification is restricted to the verifier itself which is always built if `CONFIG_BPF_SYSCALL` is enabled. The patch affects `BPF_PROG_TYPE_SOCKET_FILTER`, `BPF_PROG_TYPE_SCHED_CLS`, `BPF_PROG_TYPE_SCHED_ACT`, `BPF_PROG_TYPE_XDP`, and `BPF_PROG_TYPE_FLOW_DISSECTOR`.
`BPF_PROG_TYPE_SOCKET_FILTER` depends on `CONFIG_NET`. `BPF_PROG_TYPE_SCHED_CLS` and `BPF_PROG_TYPE_SCHED_ACT` depend on `CONFIG_NET_SCHED`. `BPF_PROG_TYPE_XDP` and `BPF_PROG_TYPE_FLOW_DISSECTOR` also depend on `CONFIG_NET`.
So definitely `CONFIG_NET` and `CONFIG_BPF_SYSCALL` are needed.
`CONFIG_NET_SCHED` isn't strictly necessary for compilation but does allow testing `SCHED_CLS` and `SCHED_ACT`, but since the verifier code doesn't rely on it, it looks like `CONFIG_BPF_SYSCALL` and `CONFIG_NET` are sufficient. The `BPF_PROG_TYPE_SCHED_CLS` and other types are defined in `include/uapi/linux/bpf.h` and the verifier will use that information.
Here's what I've got:
* **WorthFuzzing**: `true`
* **FocusSymbols**:
* `may_update_sockmap`
* `check_map_func_compatibility`
* **EnableConfigs**:
* `BPF_SYSCALL`
* `NET`
Confirming `may_update_sockmap` and `check_map_func_compatibility` are static, and that syzkaller can handle this. Also, reviewing changes to `tools/testing/selftests/bpf/*` which are just selftests.
This patch is changing the verifier, so it requires fuzzing. The configuration and focus symbols are what I need to target for fuzzing. I can call set-results.
|
| 18/2 | 2026/06/30 23:06 | tool | set-results |
0mArgs:{
"EnableConfigs": [
"BPF_SYSCALL",
"NET"
],
"FocusSymbols": [
"may_update_sockmap",
"check_map_func_compatibility"
],
"Reasoning": "The patch restricts certain BPF program types from updating sockmaps in the BPF verifier. This is a functional change in the core BPF verifier logic that affects what BPF programs are allowed to do. It should be fuzzed to ensure the verifier correctly rejects invalid programs and doesn't introduce any regressions or bypasses.",
"WorthFuzzing": true
}Results: {
"EnableConfigs": [
"BPF_SYSCALL",
"NET"
],
"FocusSymbols": [
"may_update_sockmap",
"check_map_func_compatibility"
],
"Reasoning": "The patch restricts certain BPF program types from updating sockmaps in the BPF verifier. This is a functional change in the core BPF verifier logic that affects what BPF programs are allowed to do. It should be fuzzed to ensure the verifier correctly rejects invalid programs and doesn't introduce any regressions or bypasses.",
"WorthFuzzing": true
} |
| Total Calls | Total Tokens | Avg Tokens | Total Duration (Seconds) | Avg Duration (Seconds) |
|---|
| Total Calls | Total Duration (Seconds) | Avg Duration (Seconds) |
|---|