On Tue, May 26, 2026 at 10:58 PM +02, Jiri Olsa wrote:
> From: Andrii Nakryiko <[email protected]>
>
> The uprobe nop5 optimization used to replace a 5-byte NOP with a 5-byte
> CALL to a trampoline. The CALL pushes a return address onto the stack at
> [rsp-8], clobbering whatever was stored there.
>
> On x86-64, the red zone is the 128 bytes below rsp that user code may use
> for temporary storage without adjusting rsp. Compilers can place USDT
> argument operands there, generating specs like "8@-8(%rbp)" when rbp ==
> rsp. With the CALL-based optimization, the return address overwrites that
> argument before the BPF-side USDT argument fetch runs.
>
> Add two tests for this case. The uprobe_syscall subtest stores known values
> at -8(%rsp), -16(%rsp), and -24(%rsp), executes an optimized nop10 uprobe,
> and verifies the red-zone data is still intact. The USDT subtest triggers a
> probe in a function where the compiler places three USDT operands in the
> red zone and verifies that all 10 optimized invocations deliver the expected
> argument values to BPF.
>
> On an unfixed kernel, the first hit goes through the INT3 path and later
> hits use the optimized CALL path, so the red-zone checks fail after
> optimization.
>
> Signed-off-by: Andrii Nakryiko <[email protected]>
> [ updates to use nop10 ]
> Signed-off-by: Jiri Olsa <[email protected]>
> ---
> .../selftests/bpf/prog_tests/uprobe_syscall.c | 75 +++++++++++++++++++
> tools/testing/selftests/bpf/prog_tests/usdt.c | 49 ++++++++++++
> tools/testing/selftests/bpf/progs/test_usdt.c | 25 +++++++
> tools/testing/selftests/bpf/usdt_2.c | 13 ++++
> 4 files changed, 162 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/prog_tests/uprobe_syscall.c
> b/tools/testing/selftests/bpf/prog_tests/uprobe_syscall.c
> index 969f4deba9fd..efff0c515184 100644
> --- a/tools/testing/selftests/bpf/prog_tests/uprobe_syscall.c
> +++ b/tools/testing/selftests/bpf/prog_tests/uprobe_syscall.c
[...]
> @@ -855,6 +897,37 @@ static void test_uprobe_race(void)
> #define __NR_uprobe 336
> #endif
>
> +static void test_uprobe_red_zone(void)
> +{
> + struct uprobe_syscall_executed *skel;
> + struct bpf_link *link;
> + void *nop10_addr;
> + size_t offset;
> + int i;
> +
> + nop10_addr = find_nop10(uprobe_red_zone_test);
> + if (!ASSERT_NEQ(nop10_addr, NULL, "find_nop10"))
Nit: ASSERT_OK_PTR would have worked as well. Dealer's choice.
> + return;
> +
> + skel = uprobe_syscall_executed__open_and_load();
> + if (!ASSERT_OK_PTR(skel, "open_and_load"))
> + return;
> +
> + offset = get_uprobe_offset(nop10_addr);
> + link = bpf_program__attach_uprobe_opts(skel->progs.test_uprobe,
> + 0, "/proc/self/exe", offset, NULL);
> + if (!ASSERT_OK_PTR(link, "attach_uprobe"))
> + goto cleanup;
> +
> + for (i = 0; i < 10; i++)
> + ASSERT_EQ(uprobe_red_zone_test(), 0, "red_zone_intact");
> +
> + bpf_link__destroy(link);
> +
> +cleanup:
> + uprobe_syscall_executed__destroy(skel);
> +}
> +
> static void test_uprobe_error(void)
> {
> long err = syscall(__NR_uprobe);
[...]
Reviewed-by: Jakub Sitnicki <[email protected]>
