Re: [PATCH bpf-next v2 2/2] selftests/bpf: add verification for BPF_PROG_QUERY attr size boundaries

From: bot+bpf-ci

Date: Sat May 30 2026 - 21:29:04 EST


> diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_attr_size.c b/tools/testing/selftests/bpf/prog_tests/bpf_attr_size.c
> new file mode 100644
> index 000000000000..4fbe56cb29d4
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/bpf_attr_size.c
> @@ -0,0 +1,65 @@

[ ... ]

> + err = syscall(__NR_bpf, BPF_PROG_QUERY, &attr, OLD_QUERY_SIZE);
> + ASSERT_EQ(err, -1, "query_old_size_fails");
> + ASSERT_EQ(errno, EFAULT, "query_old_size_efault");
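Review bot: the errno check on the third line of this hunk is only meaningful when the preceding syscall actually returned -1; on a kernel without the companion fix the query succeeds, err is 0, and the errno assertion then compares a stale value and reports a second, misleading failure. Since ASSERT_EQ returns the comparison result, consider guarding the errno check on the first assertion, e.g. `if (ASSERT_EQ(err, -1, "query_old_size_fails"))` followed by `ASSERT_EQ(errno, EFAULT, "query_old_size_efault");`, so one short-size regression produces one clear failure.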

This test asserts errno == EFAULT for a short query size. A v2 review
comment on the companion kernel patch (bpf: reject BPF_PROG_QUERY with
short uattr size) questioned whether -EFAULT is the right error code for
a structure size mismatch, noting that -EINVAL or -E2BIG is the more
conventional return code and that -EFAULT usually indicates an invalid
memory address during a copy.

That comment was not answered on the v2 thread. If the kernel patch's
error code changes to -EINVAL or -E2BIG, would this assertion need to
change too?

https://lore.kernel.org/all/20260531004748.3567875-2-yuyanghuang@xxxxxxxxxx/

[ ... ]

This selftest verifies the fix for an out-of-bounds write to userspace in
BPF_PROG_QUERY, where __cgroup_bpf_query() unconditionally wrote
uattr->query.revision even when userspace passed a smaller bpf_attr. The
companion kernel fix carries a Fixes: tag, but this selftest commit does
not.

Should this include:

Fixes: 120933984460 ("bpf: Implement mprog API on top of existing cgroup progs")

---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/26699503418