| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aYWSSVDwOYEruRb2@gpd4>
Date: Fri, 6 Feb 2026 08:03:37 +0100
From: Andrea Righi <arighi@...dia.com>
To: zhidao su <soolaugust@...il.com>
Cc: tj@...nel.org, void@...ifault.com, changwoo@...lia.com,
sched-ext@...ts.linux.dev, linux-kernel@...r.kernel.org,
suzhidao@...omi.com, Emil Tsalapatis <emil@...alapatis.com>
Subject: Re: [PATCH] tools/sched_ext: Improve BPF verifier arena detection
workaround
Hi,
On Fri, Feb 06, 2026 at 12:18:08PM +0800, zhidao su wrote:
> Replace bpf_printk() with volatile access in scx_sdt scheduler's
> BPF verifier workaround to eliminate console output while maintaining
> the required LD.IMM instruction generation for arena detection.
>
> This addresses the side effect issue of the previous hack while
> preserving the essential functionality needed by the BPF verifier.
>
> Signed-off-by: zhidao su <suzhidao@...omi.com>
Adding Emil in cc.
> ---
> tools/sched_ext/scx_sdt.bpf.c | 18 +++++++++---------
> 1 file changed, 9 insertions(+), 9 deletions(-)
>
> diff --git a/tools/sched_ext/scx_sdt.bpf.c b/tools/sched_ext/scx_sdt.bpf.c
> index 31b09958e8d5..13d3060c99ff 100644
> --- a/tools/sched_ext/scx_sdt.bpf.c
> +++ b/tools/sched_ext/scx_sdt.bpf.c
> @@ -64,14 +64,10 @@ DEFINE_SDT_STAT(select_busy_cpu);
> static __u64 zero = 0;
>
> /*
> - * XXX Hack to get the verifier to find the arena for sdt_exit_task.
> - * As of 6.12-rc5, The verifier associates arenas with programs by
> - * checking LD.IMM instruction operands for an arena and populating
> - * the program state with the first instance it finds. This requires
> - * accessing our global arena variable, but scx methods do not necessarily
> - * do so while still using pointers from that arena. Insert a bpf_printk
> - * statement that triggers at most once to generate an LD.IMM instruction
> - * to access the arena and help the verifier.
> + * Workaround to help BPF verifier track arena usage.
> + * The verifier needs to see an explicit reference to the arena variable
> + * to properly track arena memory usage. This generates the required
> + * LD.IMM instruction without producing unnecessary output.
> */
> static volatile bool scx_arena_verify_once;
>
> @@ -80,7 +76,11 @@ __hidden void scx_arena_subprog_init(void)
> if (scx_arena_verify_once)
> return;
>
> - bpf_printk("%s: arena pointer %p", __func__, &arena);
> + /*
> + * Use volatile access to generate LD.IMM instruction without
> + * producing console output like bpf_printk does.
> + */
> + (void)*(volatile void **)&arena;
Makes sense to me.
If we want to be extra picky we can do something like this:
volatile void *arena_ref = &arena;
(void)arena_ref;
In this way we take the address of the arena map descriptor and store it
in a volatile void * variable, so the compiler can't optimize away and we
never read the content of the map descriptor, we only use its address. So,
we're not reinterpreting the bytes of the struct as another type (no type
punning, no strict-aliasing violation). Even if it's probably just a
theoretical thing.
> scx_arena_verify_once = true;
> }
>
> --
> 2.43.0
>
Thanks,
-Andrea
Powered by blists - more mailing lists