When BPF_PROG_TEST_RUN returns non-linear output and userspace provides a
short data_out buffer, bpf_test_finish() can return -ENOSPC before copying
the packet prefix or updating data_size_out.

Fix this by deriving the linear copy length from the packet layout rather
than from the already-clamped copy_size. Add selftest coverage for both
non-linear skb and XDP frags paths.

---

Changes in v2:

* Fix the Fixes tag to point to the commit that introduced the shared
  non-linear copy-out logic.
* Drop skb-specific wording from the fix commit.
* Move the selftest from skb_load_bytes.c to prog_run_opts.c.
* Add XDP frags coverage in addition to non-linear skb coverage.

v1:
https://lore.kernel.org/bpf/[email protected]/

Tested with:
  ./test_progs -t prog_run_opts -v
  ./test_progs -t skb_load_bytes -v
  ./test_progs -t xdp_pull_data -v

Sun Jian (2):
  bpf: Fix partial copy of non-linear test_run output
  selftests/bpf: Cover partial copy of non-linear test_run output

 net/bpf/test_run.c                            | 11 ++-
 .../selftests/bpf/prog_tests/prog_run_opts.c  | 72 +++++++++++++++++++
 .../selftests/bpf/progs/test_pkt_access.c     | 12 ++++
 3 files changed, 88 insertions(+), 7 deletions(-)

Range-diff:
1:  3691b07aa440 ! 1:  e5a0c426d4cb bpf: Fix partial copy of non-linear skb 
test_run output
    @@ Metadata
     Author: Sun Jian <[email protected]>
     
      ## Commit message ##
    -    bpf: Fix partial copy of non-linear skb test_run output
    +    bpf: Fix partial copy of non-linear test_run output
     
    -    For non-linear skbs, bpf_test_finish() derives the linear head copy
    -    length from copy_size - frag_size. This only matches the skb head 
length
    -    when copy_size is the full packet size.
    +    For non-linear test_run output, bpf_test_finish() derives the linear
    +    data copy length from copy_size - frag_size. This only matches the
    +    linear data length when copy_size is the full packet size.
     
         When userspace provides a short data_out buffer, copy_size is clamped 
to
         that buffer size. If copy_size is smaller than frag_size, the computed
         length becomes negative and bpf_test_finish() returns -ENOSPC before
         copying the packet prefix or updating data_size_out.
     
    -    Compute the linear head length from the skb layout instead, and clamp 
the
    -    head copy length to copy_size. This preserves the expected partial-copy
    -    semantics: return -ENOSPC, copy the packet prefix that fits in 
data_out,
    -    and report the full packet length through data_size_out.
    +    Compute the linear data length from the packet layout instead, and 
clamp
    +    the linear copy length to copy_size. This preserves the expected
    +    partial-copy semantics: return -ENOSPC, copy the packet prefix that 
fits
    +    in data_out, and report the full packet length through data_size_out.
     
    -    Fixes: 838baa351cee ("bpf: Craft non-linear skbs in BPF_PROG_TEST_RUN")
    +    Fixes: 7855e0db150ad ("bpf: test_run: add xdp_shared_info pointer in 
bpf_test_finish signature")
         Signed-off-by: Sun Jian <[email protected]>
     
      ## net/bpf/test_run.c ##
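Review bot: the rewritten commit message drops every mention of skb and retargets the Fixes: tag to the xdp_shared_info commit, but the body never says which test_run paths are affected. One sentence naming both the non-linear skb path and the XDP frags path would let someone triaging a backport see why the tag moved from 838baa351cee to 7855e0db150ad. The new tag is also abbreviated to 13 characters where the line it replaces used 12; using one length keeps the series consistent.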
2:  663847520f0b < -:  ------------ selftests/bpf: Cover partial copy of 
non-linear skb test_run output
-:  ------------ > 2:  680506532d97 selftests/bpf: Cover partial copy of 
non-linear test_run output
-- 
2.43.0
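The length calculation described in the cover letter, as an added example that is not part of the posted series or the kernel source. It is a simplified userspace model with one fragment; `struct pkt`, `struct res`, `finish_before`, `finish_after` and the sample bytes are constructed here for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of a non-linear packet: linear data plus one fragment. */
struct pkt { const unsigned char *lin; size_t lin_len; const unsigned char *frag; size_t frag_len; };
/* size_out models data_size_out; it stays 0 when it is never written. */
struct res { int err; size_t copied; size_t size_out; };

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Shared copy-out: linear bytes first, then as much of the fragment as fits. */
static struct res copy_out(const struct pkt *p, unsigned char *out,
			   size_t copy_size, size_t lin_copy)
{
	size_t size = p->lin_len + p->frag_len;
	size_t frag_copy = min_sz(copy_size - lin_copy, p->frag_len);
	struct res r = { copy_size < size ? -ENOSPC : 0, lin_copy + frag_copy, size };

	memcpy(out, p->lin, lin_copy);
	memcpy(out + lin_copy, p->frag, frag_copy);
	return r;
}

/* Before: linear length derived from the already-clamped copy_size. */
static struct res finish_before(const struct pkt *p, unsigned char *out, size_t out_len)
{
	size_t copy_size = min_sz(p->lin_len + p->frag_len, out_len);
	long len = (long)copy_size - (long)p->frag_len;
	if (len < 0)	/* short buffer: bail out, nothing copied, size not reported */
		return (struct res){ -ENOSPC, 0, 0 };
	return copy_out(p, out, copy_size, (size_t)len);
}

/* After: linear length comes from the packet layout, then is clamped. */
static struct res finish_after(const struct pkt *p, unsigned char *out, size_t out_len)
{
	size_t copy_size = min_sz(p->lin_len + p->frag_len, out_len);
	return copy_out(p, out, copy_size, min_sz(p->lin_len, copy_size));
}

int main(void)
{
	unsigned char out[4];
	struct pkt p = { (const unsigned char *)"LINEARHD", 8,
			 (const unsigned char *)"FRAGFRAGFRAGFRAG", 16 };
	return finish_after(&p, out, sizeof(out)).copied == 4 &&
	       finish_before(&p, out, sizeof(out)).copied == 0 ? 0 : 1;
}
```

With a 4-byte buffer and a 16-byte fragment, the "before" model returns -ENOSPC with nothing copied and no size reported, while the "after" model still returns -ENOSPC but copies the 4-byte prefix and reports the full 24-byte length.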
