| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <DG808GCYJ539.2UEZ50Z9R7ERU@etsalapatis.com>
Date: Fri, 06 Feb 2026 11:03:47 -0500
From: "Emil Tsalapatis" <emil@...alapatis.com>
To: "Andrea Righi" <arighi@...dia.com>, "zhidao su" <soolaugust@...il.com>
Cc: <tj@...nel.org>, <void@...ifault.com>, <changwoo@...lia.com>,
<sched-ext@...ts.linux.dev>, <linux-kernel@...r.kernel.org>,
<suzhidao@...omi.com>
Subject: Re: [PATCH] tools/sched_ext: Improve BPF verifier arena detection
workaround
On Fri Feb 6, 2026 at 2:03 AM EST, Andrea Righi wrote:
> Hi,
>
> On Fri, Feb 06, 2026 at 12:18:08PM +0800, zhidao su wrote:
>> Replace bpf_printk() with volatile access in scx_sdt scheduler's
>> BPF verifier workaround to eliminate console output while maintaining
>> the required LD.IMM instruction generation for arena detection.
>>
>> This addresses the side effect issue of the previous hack while
>> preserving the essential functionality needed by the BPF verifier.
>>
>> Signed-off-by: zhidao su <suzhidao@...omi.com>
>
> Adding Emil in cc.
>
This still doesn't pass verification for me. @suzhidao is this working for you?
If so please let me know your setup so I can replicate this. I am
running this on for-6.20.
>> ---
>> tools/sched_ext/scx_sdt.bpf.c | 18 +++++++++---------
>> 1 file changed, 9 insertions(+), 9 deletions(-)
>>
>> diff --git a/tools/sched_ext/scx_sdt.bpf.c b/tools/sched_ext/scx_sdt.bpf.c
>> index 31b09958e8d5..13d3060c99ff 100644
>> --- a/tools/sched_ext/scx_sdt.bpf.c
>> +++ b/tools/sched_ext/scx_sdt.bpf.c
>> @@ -64,14 +64,10 @@ DEFINE_SDT_STAT(select_busy_cpu);
>> static __u64 zero = 0;
>>
>> /*
>> - * XXX Hack to get the verifier to find the arena for sdt_exit_task.
>> - * As of 6.12-rc5, The verifier associates arenas with programs by
>> - * checking LD.IMM instruction operands for an arena and populating
>> - * the program state with the first instance it finds. This requires
>> - * accessing our global arena variable, but scx methods do not necessarily
>> - * do so while still using pointers from that arena. Insert a bpf_printk
>> - * statement that triggers at most once to generate an LD.IMM instruction
>> - * to access the arena and help the verifier.
>> + * Workaround to help BPF verifier track arena usage.
>> + * The verifier needs to see an explicit reference to the arena variable
>> + * to properly track arena memory usage. This generates the required
>> + * LD.IMM instruction without producing unnecessary output.
>> */
>> static volatile bool scx_arena_verify_once;
>>
>> @@ -80,7 +76,11 @@ __hidden void scx_arena_subprog_init(void)
>> if (scx_arena_verify_once)
>> return;
>>
>> - bpf_printk("%s: arena pointer %p", __func__, &arena);
>> + /*
>> + * Use volatile access to generate LD.IMM instruction without
>> + * producing console output like bpf_printk does.
>> + */
>> + (void)*(volatile void **)&arena;
>
> Makes sense to me.
>
> If we want to be extra picky we can do something like this:
>
> volatile void *arena_ref = &arena;
> (void)arena_ref;
>
> In this way we take the address of the arena map descriptor and store it
> in a volatile void * variable, so the compiler can't optimize away and we
> never read the content of the map descriptor, we only use its address. So,
> we're not reinterpreting the bytes of the struct as another type (no type
> punning, no strict-aliasing violation). Even if it's probably just a
> theoretical thing.
>
>> scx_arena_verify_once = true;
>> }
>>
>> --
>> 2.43.0
>>
>
> Thanks,
> -Andrea
Powered by blists - more mailing lists