[PATCH bpf-next v2 0/3] libbpf: fix implicit BPF token handling in loading and feature probes

Wed, 03 Jun 2026 20:12:57 -0700 

From: Yuan Chen <[email protected]>

When BPF programs reference global variables (e.g., struct_ops
programs with global data), libbpf creates internal ARRAY maps to
back them.  This depends on FEAT_GLOBAL_DATA, which is gated by
feature probes that load test programs (SOCKET_FILTER, KPROBE, etc.)
into the kernel.

In a user namespace with an implicit BPF token, two problems arise:

 1. bpf_object__probe_loading() passes the token fd to test program
    loads.  When the token's allowed program type mask excludes the
    probe types, the kernel drops the token reference, causing
    subsequent struct_ops loads to fail because the token object
    has been released.

 2. The feature probe framework uses probe_fd() which returns 0 on
    BPF syscall failure, and feat_supported() interprets ret==0 as
    "feature absent".  The token rescue path only handles ret<0,
    so the probe failure is incorrectly cached as a missing feature,
    and internal maps for global data are never created.

Together, these cause struct_ops programs referencing global data
to fail verification with "fd X is not pointing to valid bpf_map".

This series fixes both issues:

  Patch 1: Skip bpf_object__probe_loading() entirely when a BPF
           token is present.  Token creation itself proves the
           kernel BPF subsystem works.

  Patch 2: Add BPF_MAP_TYPE_ARRAY to the token delegation mask for
           struct_ops selftests so global data maps can be created.

  Patch 3: Fix probe_fd() to return the actual error code instead
           of 0 on failure, and add a token-aware rescue path in
           feat_supported() for ret<0 cases.

Reproducible by running the implicit token tests with struct_ops in a
user namespace (tools/testing/selftests/bpf, test_progs -t token).

v2:
- Replace the workaround of granting SOCKET_FILTER/KPROBE permissions
  in the token with a proper fix at the feature probe level in libbpf.
- probe_fd() now returns the actual error code on failure instead of
  0, allowing feat_supported() to distinguish probe errors from
  genuine feature absence.
- Add token_fd rescue path in feat_supported() for ret<0 cases.

Yuan Chen (3):
  libbpf: Skip bpf_object__probe_loading() when BPF token is in use
  selftests/bpf: Add ARRAY map type to token tests that use struct_ops
    global data
  libbpf: fix feature probe failures for implicit BPF tokens

 tools/lib/bpf/features.c                      | 23 +++++++++++++++++--
 tools/lib/bpf/libbpf.c                        | 10 +++-----
 .../testing/selftests/bpf/prog_tests/token.c  |  6 ++---
 3 files changed, 27 insertions(+), 12 deletions(-)

-- 
2.54.0

Reply via email to