cilium · olsajiri · Oct 17, 2025 · Oct 25, 2025 · Oct 26, 2025 · Oct 26, 2025
diff --git a/Makefile b/Makefile
@@ -10,7 +10,7 @@ LOCAL_CLANG ?= 0
 LOCAL_CLANG_FORMAT ?= 0
 FORMAT_FIND_FLAGS ?= -name '*.c' -o -name '*.h'
 NOOPT ?= 0
-CLANG_IMAGE = quay.io/cilium/clang:b97f5b3d5c38da62fb009f21a53cd42aefd54a2f@sha256:e1c8ed0acd2e24ed05377f2861d8174af28e09bef3bbc79649c8eba165207df0
+CLANG_IMAGE = quay.io/cilium/clang:94b9cfd5772185fe8c78c5d558e6d01a49f364dd
 TESTER_PROGS_DIR = "contrib/tester-progs"
 # Extra flags to pass to test binary
 EXTRA_TESTFLAGS ?=

diff --git a/bpf/Makefile.defs b/bpf/Makefile.defs
@@ -32,4 +32,4 @@ ifeq ($(DEBUG),1)
 	__DEBUG_FLAGS = -DTETRAGON_BPF_DEBUG
 endif
 
-CLANG_FLAGS += $(FLAGS) -I $(LIBBPF) -I $(IDIR) -I $(LDIR) -I $(ERRMETRICS_DIR) -target bpf -mcpu=v2 -g -D__TARGET_ARCH_$(BPF_TARGET_ARCH) -fdebug-default-version=4 $(__DEBUG_FLAGS)
+CLANG_FLAGS += $(FLAGS) -I $(LIBBPF) -I $(IDIR) -I $(LDIR) -I $(ERRMETRICS_DIR) -target bpf -mcpu=v3 -g -D__TARGET_ARCH_$(BPF_TARGET_ARCH) -fdebug-default-version=4 $(__DEBUG_FLAGS)
diff --git a/bpf/process/generic_calls.h b/bpf/process/generic_calls.h
@@ -1365,7 +1365,11 @@ FUNC_INLINE long generic_filter_arg(void *ctx, struct bpf_map_def *tailcalls,
 	selidx = e->tailcall_index_selector;
 	pass = filter_args(e, selidx & MAX_SELECTORS_MASK, is_entry);
 	if (!pass) {
+#ifdef __LARGE_BPF_PROG
 		selidx = next_selidx(e, selidx);
+#else
+		selidx += 1;
+#endif
 		if (selidx <= MAX_SELECTORS) {
 			e->tailcall_index_selector = selidx;
 			tail_call(ctx, tailcalls, TAIL_CALL_ARGS);

diff --git a/bpf/process/pfilter.h b/bpf/process/pfilter.h
@@ -246,6 +246,8 @@ process_filter_capabilities(__u32 ty, __u32 op, __u32 ns, __u64 val,
 	if (ty > caps_inheritable)
 		return PFILTER_REJECT;
 
+	asm volatile("%[ty] &= 0x3;\n"
+		     : [ty] "+r"(ty));
 	caps = c->c[ty];
 
 	if (op == op_filter_in)
@@ -279,13 +281,11 @@ process_filter_capability_change(__u32 ty, __u32 op, __u32 ns, __u64 val,
 	    caps_inheritable) /* We should not reach that. Userspace checks that. */
 		return PFILTER_REJECT;
 
+	asm volatile("%[ty] &= 0x3;\n"
+		     : [ty] "+r"(ty));
 	icaps = init->caps.c[ty];
 
-	// When compiling bpf_generic_kprobe_v53.o with clang-18 and loading it on
-	// 5.4.278, the verifier complains than ty could be negative while in this
-	// context it's just the capability set type (effective, inheritable, or
-	// permitted), let's blindly remind the verifier it's a u32.
-	asm volatile("%[ty] &= 0xffffffff;\n"
+	asm volatile("%[ty] &= 0x3;\n"
 		     : [ty] "+r"(ty));
 	ccaps = c->c[ty];
 
@@ -329,13 +329,14 @@ selector_match(__u32 *f, struct selector_filter *sel,
 			res[i] = 1;
 	}
 
+       asm volatile("%[len] &= 0x3;\n"
+                    : [len] "+r"(len));
+
 	/* Updating the number of iterations below, you should also
 	 * update the function namespaceSelectorValue() in kernel.go
 	 */
 #ifdef __LARGE_BPF_PROG
 	for (i = 0; i < len; i++) {
-		if (i > (MAX_SELECTOR_VALUES - 1)) // we need to make the verifier happy
-			break;
 		res[i] = process_filter(sel, f, enter, &msg->ns, &msg->caps);
 		index = next_pid_value(index, f, ty);
 		sel->index = index;

diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h
@@ -189,6 +189,7 @@ struct extract_arg_data {
 #define MAX_BTF_ARG_DEPTH	  10
 #define EVENT_CONFIG_MAX_ARG	  5
 #define EVENT_CONFIG_MAX_USDT_ARG 8
+#define EVENT_CONFIG_MAX_ARG_REAL 8
 
 struct event_config {
 	__u32 func_id;
@@ -210,7 +211,7 @@ struct event_config {
 	__u32 policy_id;
 	__u32 flags;
 	__u32 pad;
-	struct config_btf_arg btf_arg[EVENT_CONFIG_MAX_ARG][MAX_BTF_ARG_DEPTH];
+	struct config_btf_arg btf_arg[EVENT_CONFIG_MAX_ARG_REAL][MAX_BTF_ARG_DEPTH];
 	struct config_usdt_arg usdt_arg[EVENT_CONFIG_MAX_USDT_ARG];
 } __attribute__((packed));
 
@@ -1134,17 +1135,19 @@ FUNC_INLINE long
 copy_char_iovec(void *ctx, long off, unsigned long arg, int argm,
 		struct msg_generic_kprobe *e)
 {
-	int *s = (int *)args_off(e, off);
 	unsigned long meta;
 
 	meta = get_arg_meta(argm, e);
 
+#ifndef GENERIC_TRACEPOINT
 	if (has_return_copy(argm)) {
+		int *s = (int *)args_off(e, off);
 		u64 retid = retprobe_map_get_key(ctx);
 
 		retprobe_map_set_iovec(e->func_id, retid, e->common.ktime, arg, meta);
 		return return_error(s, char_buf_saved_for_retprobe);
 	}
+#endif
 	return __copy_char_iovec(off, arg, meta, 0, e);
 }
 

diff --git a/contrib/verify/verify_test.go b/contrib/verify/verify_test.go
@@ -6,6 +6,7 @@
 package verify
 
 import (
+	"errors"
 	"fmt"
 	"log"
 	"os"
@@ -114,6 +115,16 @@ func TestVerifyTetragonPrograms(t *testing.T) {
 		}
 
 		collection, err := ebpf.NewCollection(spec)
+		if err != nil {
+			var ve *ebpf.VerifierError
+			if errors.As(err, &ve) {
+				fmt.Printf("%+v\n", ve)
+
+				_, kver, _ := kernels.GetKernelVersion("", "/proc")
+				fmt.Printf("failed object %s, kernel %s\n", fileName, kver)
+			}
+		}
+
 		require.NoError(t, err, "failed to load resources into the kernel")
 
 		collection.Close()

diff --git a/pkg/api/tracingapi/client_kprobe.go b/pkg/api/tracingapi/client_kprobe.go
@@ -631,24 +631,28 @@ type ConfigUsdtArg struct {
 }
 
 const (
+	/* Maximum for code logic */
 	EventConfigMaxArgs     = 5
 	EventConfigMaxUsdtArgs = 8
-	MaxBTFArgDepth         = 10 // Artificial value for compilation, may be extended
+	/* Maximum for storage to keep verifier happy. */
+	EventConfigMaxArgsReal = 8
+
+	MaxBTFArgDepth = 10 // Artificial value for compilation, may be extended
 )
 
 type EventConfig struct {
-	FuncId          uint32                                           `align:"func_id"`
-	ArgType         [EventConfigMaxArgs]int32                        `align:"arg"`
-	ArgMeta         [EventConfigMaxArgs]uint32                       `align:"arm"`
-	ArgTpCtxOff     [EventConfigMaxArgs]uint32                       `align:"off"`
-	ArgIndex        [EventConfigMaxArgs]int32                        `align:"idx"`
-	Syscall         uint32                                           `align:"syscall"`
-	ArgReturnCopy   int32                                            `align:"argreturncopy"`
-	ArgReturn       int32                                            `align:"argreturn"`
-	ArgReturnAction int32                                            `align:"argreturnaction"`
-	PolicyID        uint32                                           `align:"policy_id"`
-	Flags           uint32                                           `align:"flags"`
-	Pad             uint32                                           `align:"pad"`
-	BTFArg          [EventConfigMaxArgs][MaxBTFArgDepth]ConfigBTFArg `align:"btf_arg"`
-	UsdtArg         [EventConfigMaxUsdtArgs]ConfigUsdtArg            `align:"usdt_arg"`
+	FuncId          uint32                                               `align:"func_id"`
+	ArgType         [EventConfigMaxArgs]int32                            `align:"arg"`
+	ArgMeta         [EventConfigMaxArgs]uint32                           `align:"arm"`
+	ArgTpCtxOff     [EventConfigMaxArgs]uint32                           `align:"off"`
+	ArgIndex        [EventConfigMaxArgs]int32                            `align:"idx"`
+	Syscall         uint32                                               `align:"syscall"`
+	ArgReturnCopy   int32                                                `align:"argreturncopy"`
+	ArgReturn       int32                                                `align:"argreturn"`
+	ArgReturnAction int32                                                `align:"argreturnaction"`
+	PolicyID        uint32                                               `align:"policy_id"`
+	Flags           uint32                                               `align:"flags"`
+	Pad             uint32                                               `align:"pad"`
+	BTFArg          [EventConfigMaxArgsReal][MaxBTFArgDepth]ConfigBTFArg `align:"btf_arg"`
+	UsdtArg         [EventConfigMaxUsdtArgs]ConfigUsdtArg                `align:"usdt_arg"`
 }
diff --git a/pkg/sensors/tracing/generickprobe.go b/pkg/sensors/tracing/generickprobe.go
@@ -719,7 +719,7 @@ func addKprobe(funcName string, instance int, f *v1alpha1.KProbeSpec, in *addKpr
 	var argReturnPrinters []argPrinter
 	var setRetprobe bool
 	var argRetprobe *v1alpha1.KProbeArg
-	var allBTFArgs [api.EventConfigMaxArgs][api.MaxBTFArgDepth]api.ConfigBTFArg
+	var allBTFArgs [api.EventConfigMaxArgsReal][api.MaxBTFArgDepth]api.ConfigBTFArg
 
 	errFn := func(err error) (idtable.EntryID, error) {
 		return idtable.UninitializedEntryID, err

diff --git a/pkg/sensors/tracing/genericlsm.go b/pkg/sensors/tracing/genericlsm.go
@@ -214,7 +214,7 @@ type addLsmIn struct {
 func addLsm(f *v1alpha1.LsmHookSpec, in *addLsmIn) (id idtable.EntryID, err error) {
 	var argSigPrinters []argPrinter
 	var argsBTFSet [api.MaxArgsSupported]bool
-	var allBTFArgs [api.EventConfigMaxArgs][api.MaxBTFArgDepth]api.ConfigBTFArg
+	var allBTFArgs [api.EventConfigMaxArgsReal][api.MaxBTFArgDepth]api.ConfigBTFArg
 
 	errFn := func(err error) (idtable.EntryID, error) {
 		return idtable.UninitializedEntryID, err

diff --git a/pkg/sensors/tracing/genericusdt.go b/pkg/sensors/tracing/genericusdt.go
@@ -312,7 +312,7 @@ func addUsdt(spec *v1alpha1.UsdtSpec, in *addUsdtIn, ids []idtable.EntryID) ([]i
 			}
 		}
 
-		var allBTFArgs [api.EventConfigMaxArgs][api.MaxBTFArgDepth]api.ConfigBTFArg
+		var allBTFArgs [api.EventConfigMaxArgsReal][api.MaxBTFArgDepth]api.ConfigBTFArg
 		for cfgIdx, arg := range spec.Args {
 			tgtIdx := arg.Index
 			if tgtIdx > target.Spec.ArgsCnt {