
libbpf-tools: ksnoop: Fix two invalid access to map value#5361

Merged
yonghong-song merged 1 commit intoiovisor:masterfrom
Rtoax:patch-102-ksnoop-fix-verifier
Jul 13, 2025

Conversation

@Rtoax Rtoax commented Jul 11, 2025

On fedora42, llvm 20.1.7, kernel 6.15.4-200.fc42.x86_64 has two verifier errors. Test with command:

$ sudo ./ksnoop trace do_sys_openat2

1st:

; last_stack_depth = stack_depth - 1; @ ksnoop.bpf.c:102
108: (bc) w3 = w6                     ; frame1: R3_w=scalar(id=5,smin=smin32=0,smax=umax=smax32=umax32=14,var_off=(0x0; 0xf)) R6=scalar(id=5,smin=smin32=0,smax=umax=smax32=umax32=14,var_off=(0x0; 0xf))
109: (04) w3 += -1                    ; frame1: R3_w=scalar(smin=0,smax=umax=0xffffffff,smin32=-1,smax32=13,var_off=(0x0; 0xffffffff))
110: (bc) w4 = w3                     ; frame1: R3_w=scalar(id=6,smin=0,smax=umax=0xffffffff,smin32=-1,smax32=13,var_off=(0x0; 0xffffffff)) R4_w=scalar(id=6,smin=0,smax=umax=0xffffffff,smin32=-1,smax32=13,var_off=(0x0; 0xffffffff))
111: (54) w4 &= 255                   ; frame1: R4_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff))
112: (b7) r7 = 0                      ; frame1: R7=0
; if (last_stack_depth >= 0 && @ ksnoop.bpf.c:104
113: (26) if w4 > 0xf goto pc+5       ; frame1: R4=scalar(smin=smin32=0,smax=umax=smax32=umax32=15,var_off=(0x0; 0xf))
; last_ip = func_stack->ips[last_stack_depth]; @ ksnoop.bpf.c:106
114: (57) r3 &= 255                   ; frame1: R3_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff))
115: (67) r3 <<= 3                    ; frame1: R3_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=2040,var_off=(0x0; 0x7f8))
116: (bf) r4 = r2                     ; frame1: R2=map_value(map=ksnoop_func_sta,ks=8,vs=144) R4_w=map_value(map=ksnoop_func_sta,ks=8,vs=144)
117: (0f) r4 += r3                    ; frame1: R3_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=2040,var_off=(0x0; 0x7f8)) R4_w=map_value(map=ksnoop_func_sta,ks=8,vs=144,smin=smin32=0,smax=umax=smax32=umax32=2040,var_off=(0x0; 0x7f8))
118: (79) r7 = *(u64 *)(r4 +8)
invalid access to map value, value_size=144 off=2048 size=8

The bounds check on last_stack_depth is done with 'w4 > 0xf', but the index actually used for the access is 'r3 &= 255', which is only masked to 0..255 and so is not limited to the checked range 0xf (0~15).

2nd:

; trace_len = sizeof(*trace) + trace->buf_len - MAX_TRACE_BUF; @ ksnoop.bpf.c:222
502: (04) w5 += 4008                  ; frame1: R5_w=scalar(smin=umin=smin32=umin32=4009,smax=umax=smax32=umax32=0x10fa7,var_off=(0x0; 0x1ffff))
503: (bc) w2 = w5                     ; frame1: R2_w=scalar(id=27,smin=umin=smin32=umin32=4009,smax=umax=smax32=umax32=0x10fa7,var_off=(0x0; 0x1ffff)) R5_w=scalar(id=27,smin=umin=smin32=umin32=4009,smax=umax=smax32=umax32=0x10fa7,var_off=(0x0; 0x1ffff))
504: (54) w2 &= 65535                 ; frame1: R2_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=0xffff,var_off=(0x0; 0xffff))
; if (trace_len <= sizeof(*trace)) @ ksnoop.bpf.c:224
505: (26) if w2 > 0x3fa8 goto pc+7    ; frame1: R2_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=16296,var_off=(0x0; 0x3fff))
506: (57) r5 &= 65535                 ; frame1: R5_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=0xffff,var_off=(0x0; 0xffff))
507: (18) r2 = 0xffff8ec554700c00     ; frame1: R2_w=map_ptr(map=ksnoop_perf_map,ks=4,vs=4)
509: (18) r3 = 0xffffffff             ; frame1: R3_w=0xffffffff
511: (bf) r4 = r9                     ; frame1: R4_w=map_value(map=ksnoop_func_map,ks=8,vs=16296) R9=map_value(map=ksnoop_func_map,ks=8,vs=16296)
512: (85) call bpf_perf_event_output#25
invalid access to map value, value_size=16296 off=0 size=65535

Just fix it with size type 'u64' instead of 'u32', see:
long bpf_perf_event_output(void *ctx, struct bpf_map *map, u64 flags, void *data, u64 size)

On fedora42, llvm 20.1.7, kernel 6.15.4-200.fc42.x86_64 has two verifier
errors. Test with command:

    $ sudo ./ksnoop trace do_sys_openat2

1st:
    ; last_stack_depth = stack_depth - 1; @ ksnoop.bpf.c:102
    108: (bc) w3 = w6                     ; frame1: R3_w=scalar(id=5,smin=smin32=0,smax=umax=smax32=umax32=14,var_off=(0x0; 0xf)) R6=scalar(id=5,smin=smin32=0,smax=umax=smax32=umax32=14,var_off=(0x0; 0xf))
    109: (04) w3 += -1                    ; frame1: R3_w=scalar(smin=0,smax=umax=0xffffffff,smin32=-1,smax32=13,var_off=(0x0; 0xffffffff))
    110: (bc) w4 = w3                     ; frame1: R3_w=scalar(id=6,smin=0,smax=umax=0xffffffff,smin32=-1,smax32=13,var_off=(0x0; 0xffffffff)) R4_w=scalar(id=6,smin=0,smax=umax=0xffffffff,smin32=-1,smax32=13,var_off=(0x0; 0xffffffff))
    111: (54) w4 &= 255                   ; frame1: R4_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff))
    112: (b7) r7 = 0                      ; frame1: R7=0
    ; if (last_stack_depth >= 0 && @ ksnoop.bpf.c:104
    113: (26) if w4 > 0xf goto pc+5       ; frame1: R4=scalar(smin=smin32=0,smax=umax=smax32=umax32=15,var_off=(0x0; 0xf))
    ; last_ip = func_stack->ips[last_stack_depth]; @ ksnoop.bpf.c:106
    114: (57) r3 &= 255                   ; frame1: R3_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff))
    115: (67) r3 <<= 3                    ; frame1: R3_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=2040,var_off=(0x0; 0x7f8))
    116: (bf) r4 = r2                     ; frame1: R2=map_value(map=ksnoop_func_sta,ks=8,vs=144) R4_w=map_value(map=ksnoop_func_sta,ks=8,vs=144)
    117: (0f) r4 += r3                    ; frame1: R3_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=2040,var_off=(0x0; 0x7f8)) R4_w=map_value(map=ksnoop_func_sta,ks=8,vs=144,smin=smin32=0,smax=umax=smax32=umax32=2040,var_off=(0x0; 0x7f8))
    118: (79) r7 = *(u64 *)(r4 +8)
    invalid access to map value, value_size=144 off=2048 size=8

    The bounds check on last_stack_depth is done with 'w4 > 0xf', but the
    index actually used for the access is 'r3 &= 255', which is only masked
    to 0..255 and so is not limited to the checked range 0xf (0~15).

2nd:
    ; trace_len = sizeof(*trace) + trace->buf_len - MAX_TRACE_BUF; @ ksnoop.bpf.c:222
    502: (04) w5 += 4008                  ; frame1: R5_w=scalar(smin=umin=smin32=umin32=4009,smax=umax=smax32=umax32=0x10fa7,var_off=(0x0; 0x1ffff))
    503: (bc) w2 = w5                     ; frame1: R2_w=scalar(id=27,smin=umin=smin32=umin32=4009,smax=umax=smax32=umax32=0x10fa7,var_off=(0x0; 0x1ffff)) R5_w=scalar(id=27,smin=umin=smin32=umin32=4009,smax=umax=smax32=umax32=0x10fa7,var_off=(0x0; 0x1ffff))
    504: (54) w2 &= 65535                 ; frame1: R2_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=0xffff,var_off=(0x0; 0xffff))
    ; if (trace_len <= sizeof(*trace)) @ ksnoop.bpf.c:224
    505: (26) if w2 > 0x3fa8 goto pc+7    ; frame1: R2_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=16296,var_off=(0x0; 0x3fff))
    506: (57) r5 &= 65535                 ; frame1: R5_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=0xffff,var_off=(0x0; 0xffff))
    507: (18) r2 = 0xffff8ec554700c00     ; frame1: R2_w=map_ptr(map=ksnoop_perf_map,ks=4,vs=4)
    509: (18) r3 = 0xffffffff             ; frame1: R3_w=0xffffffff
    511: (bf) r4 = r9                     ; frame1: R4_w=map_value(map=ksnoop_func_map,ks=8,vs=16296) R9=map_value(map=ksnoop_func_map,ks=8,vs=16296)
    512: (85) call bpf_perf_event_output#25
    invalid access to map value, value_size=16296 off=0 size=65535

    Just fix it with size type 'u64' instead of 'u32', see:
    long bpf_perf_event_output(void *ctx, struct bpf_map *map, u64 flags, void *data, u64 size)

Signed-off-by: Rong Tao <rongtao@cestc.cn>
@yonghong-song yonghong-song merged commit 0ae562c into iovisor:master Jul 13, 2025
1 of 12 checks passed
ekyooo added a commit to ekyooo/bcc that referenced this pull request Jan 23, 2026
  * Support for kernel up to 6.18

  * New Tools
    tools/softirqslower: New tool to trace slow software interrupt handlers (iovisor#5356)

  * Enhanced Functionality
    libbpf-tools/opensnoop: Added full-path support with `-F` option (iovisor#5323, iovisor#5333)
    libbpf-tools/filelife: Added full-path support (iovisor#5347, ab8e061)
    libbpf-tools: Introduced path helpers (ab8e061)
    libbpf-tools/trace_helpers: Added str_loadavg() and str_timestamp() common functions (694de9f)
    libbpf-tools/filetop: Added directory filter capability (iovisor#5300)
    libbpf-tools/runqslower: Added `-c` option to filter by process name prefix (673911c)
    libbpf-tools/runqlat: Dynamically size pid/pidns histogram map (iovisor#5342)
    libbpf-tools/fsdist, fsslower: Added support for fuse filesystem (9691c56)
    libbpf-tools/tcptop: Major refactoring using fentry/fexit for better performance (75bb73a, e2c7917, d786eaa, da3a474)
    tools/opensnoop: Added full-path support with `-F` option (iovisor#5334, iovisor#5339)
    tools/kvmexit: Added AMD processor support and parallel post-processing (13a4e5a, c2af2ee)
    tools/offwaketime: Added raw tracepoint support to reduce overhead (380ee01)
    Python uprobe API: Added functionality to detach all uprobes for a binary (iovisor#5325)
    Python API: Added support for executing a program and tracing it (iovisor#5362)

  * Bug Fixes
    libbpf-tools/filelife: Fixed wrong full-path handling (iovisor#5347)
    libbpf-tools/filelife: Fixed problem when using perf-buffer (ec8415b)
    libbpf-tools/funclatency: Delete the element from the `starts` map after it has been used (06ce134)
    libbpf-tools/offcputime: Fixed min/max_block_ns unit conversion error (iovisor#5327, d507a53)
    libbpf-tools/syncsnoop: Added support for sync_file_range2 and arm_sync_file_range() (4287921)
    libbpf-tools/ksnoop: Fixed two invalid access to map value (iovisor#5361)
    libbpf-tools/klockstat: Allows kprobe fallback to work with lock debugging (iovisor#5359)
    libbpf-tools/biotop: Fixed segmentation fault with musl libc build (52d2d09)
    libbpf-tools/syscall_helpers, Python BCC: Updated syscall list (add file_getattr/file_setattr) (b63d7e3, a9c6650)
    tools/tcpaccept: Fixed on recent kernels (c208d0e)
    tools/tcpconnect: Fixed iov field for DNS with Linux>=6.4 (iovisor#5382)
    tools/javaobjnew: Use MIN macro instead of min function (fb8910a)
    tools/biolatency, biosnoop, biotop: Use TRACEPOINT_PROBE() for tracepoints (iovisor#5366)
    Various tools: Don't use the old bpf_probe_read() helper (1cc15c3)
    CC: Support versioned SONAME in shared library resolution (beb1fe4, c351210)
    Python TCP: Added state2str() and applied to tools (bfa05d2)
    s390 architecture: Prevent invalid mem access when reading PAGE_OFFSET (d8595ee)

  * Build & Test Fixes
    Fixed build failure with clang21 (iovisor#5369)
    Fixed build for LLVM 23 by avoiding deprecated TargetRegistry overloads (iovisor#5401)
    ci: Make version.cmake handle shallow clone (2232b7e)
    ci: Various test fixes for proper CI operation (blk probes, rss_stat, kmalloc, btrfs/f2fs) (a499181, c338547, 6b7dd5d, ea5cf83)
    tests: Added coverage for versioned SONAME resolution (c351210)
    Removed luajit options to ensure no errors (26eaf13)

  * Doc update, other bug fixes and tools improvement
ekyooo added a commit that referenced this pull request Jan 26, 2026
  * Support for kernel up to 6.18

  * New Tools
    tools/softirqslower: New tool to trace slow software interrupt handlers (#5356)

  * Enhanced Functionality
    libbpf-tools/opensnoop: Added full-path support with `-F` option (#5323, #5333)
    libbpf-tools/filelife: Added full-path support (#5347, ab8e061)
    libbpf-tools: Introduced path helpers (ab8e061)
    libbpf-tools/trace_helpers: Added str_loadavg() and str_timestamp() common functions (694de9f)
    libbpf-tools/filetop: Added directory filter capability (#5300)
    libbpf-tools/runqslower: Added `-c` option to filter by process name prefix (673911c)
    libbpf-tools/runqlat: Dynamically size pid/pidns histogram map (#5342)
    libbpf-tools/fsdist, fsslower: Added support for fuse filesystem (9691c56)
    libbpf-tools/tcptop: Major refactoring using fentry/fexit for better performance (75bb73a, e2c7917, d786eaa, da3a474)
    tools/opensnoop: Added full-path support with `-F` option (#5334, #5339)
    tools/kvmexit: Added AMD processor support and parallel post-processing (13a4e5a, c2af2ee)
    tools/offwaketime: Added raw tracepoint support to reduce overhead (380ee01)
    Python uprobe API: Added functionality to detach all uprobes for a binary (#5325)
    Python API: Added support for executing a program and tracing it (#5362)

  * Bug Fixes
    libbpf-tools/filelife: Fixed wrong full-path handling (#5347)
    libbpf-tools/filelife: Fixed problem when using perf-buffer (ec8415b)
    libbpf-tools/funclatency: Delete the element from the `starts` map after it has been used (06ce134)
    libbpf-tools/offcputime: Fixed min/max_block_ns unit conversion error (#5327, d507a53)
    libbpf-tools/syncsnoop: Added support for sync_file_range2 and arm_sync_file_range() (4287921)
    libbpf-tools/ksnoop: Fixed two invalid access to map value (#5361)
    libbpf-tools/klockstat: Allows kprobe fallback to work with lock debugging (#5359)
    libbpf-tools/biotop: Fixed segmentation fault with musl libc build (52d2d09)
    libbpf-tools/syscall_helpers, Python BCC: Updated syscall list (add file_getattr/file_setattr) (b63d7e3, a9c6650)
    tools/tcpaccept: Fixed on recent kernels (c208d0e)
    tools/tcpconnect: Fixed iov field for DNS with Linux>=6.4 (#5382)
    tools/javaobjnew: Use MIN macro instead of min function (fb8910a)
    tools/biolatency, biosnoop, biotop: Use TRACEPOINT_PROBE() for tracepoints (#5366)
    Various tools: Don't use the old bpf_probe_read() helper (1cc15c3)
    CC: Support versioned SONAME in shared library resolution (beb1fe4, c351210)
    Python TCP: Added state2str() and applied to tools (bfa05d2)
    s390 architecture: Prevent invalid mem access when reading PAGE_OFFSET (d8595ee)

  * Build & Test Fixes
    Fixed build failure with clang21 (#5369)
    Fixed build for LLVM 23 by avoiding deprecated TargetRegistry overloads (#5401)
    ci: Make version.cmake handle shallow clone (2232b7e)
    ci: Various test fixes for proper CI operation (blk probes, rss_stat, kmalloc, btrfs/f2fs) (a499181, c338547, 6b7dd5d, ea5cf83)
    tests: Added coverage for versioned SONAME resolution (c351210)
    Removed luajit options to ensure no errors (26eaf13)

  * Doc update, other bug fixes and tools improvement
