Re: [PATCH bpf-next v12 04/13] bpf: support fsession for bpf_session_is_return
From: bot+bpf-ci@kernel.org
Date: 2026-01-24 04:03:32
Also in:
bpf, lkml
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index 13f0a2de33b7..f7baeb8278ca 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c
[ ... ]
@@ -3341,34 +3349,39 @@ __bpf_kfunc __u64 *bpf_session_cookie(void *ctx) __bpf_kfunc_end_defs(); -BTF_KFUNCS_START(kprobe_multi_kfunc_set_ids) +BTF_KFUNCS_START(session_kfunc_set_ids) BTF_ID_FLAGS(func, bpf_session_is_return) BTF_ID_FLAGS(func, bpf_session_cookie) -BTF_KFUNCS_END(kprobe_multi_kfunc_set_ids) +BTF_KFUNCS_END(session_kfunc_set_ids) -static int bpf_kprobe_multi_filter(const struct bpf_prog *prog, u32 kfunc_id) +static int bpf_session_filter(const struct bpf_prog *prog, u32 kfunc_id) { - if (!btf_id_set8_contains(&kprobe_multi_kfunc_set_ids, kfunc_id)) + if (!btf_id_set8_contains(&session_kfunc_set_ids, kfunc_id)) return 0; - if (!is_kprobe_session(prog) && !is_uprobe_session(prog)) + if (!is_kprobe_session(prog) && !is_uprobe_session(prog) && !is_trace_fsession(prog)) return -EACCES;
The filter now allows fsession programs to call both bpf_session_is_return()
and bpf_session_cookie(). The verifier inline handles bpf_session_is_return()
for fsession, but what happens when an fsession program calls
bpf_session_cookie()?
Looking at bpf_session_cookie() in the same file:
__bpf_kfunc __u64 *bpf_session_cookie(void *ctx)
{
	struct bpf_session_run_ctx *session_ctx;

	session_ctx = container_of(current->bpf_ctx, struct bpf_session_run_ctx, run_ctx);
	return session_ctx->data;
}
This assumes current->bpf_ctx points to a struct bpf_session_run_ctx, but
fsession programs use struct bpf_tramp_run_ctx (set up in __bpf_prog_enter*).
The container_of() will return an incorrect pointer, and session_ctx->data
will read from the wrong memory location (the saved_run_ctx field of
bpf_tramp_run_ctx instead of the session cookie).
Is this intentional to defer bpf_session_cookie() support to a later commit?
If so, should the filter perhaps only allow bpf_session_is_return() for
fsession at this point?
Note: I see that commit b8f4610f8738 ("bpf: support fsession for
bpf_session_cookie") in the same series adds the verifier inline for
bpf_session_cookie() with fsession, which would resolve this. However, at
this commit, calling bpf_session_cookie() from an fsession program would
produce incorrect results.
return 0; }
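Review bot: The new `!is_trace_fsession(prog)` term in bpf_session_filter() is the only thing standing between the session kfuncs and every other program under BPF_PROG_TYPE_TRACING once the set is registered for that type in bpf_trace_kfuncs_init(): fentry, fexit and fmod_ret programs all reach this filter and are turned away solely by the -EACCES branch. That is presumably the intended gate, but the `if (!is_kprobe_session(prog) && !is_uprobe_session(prog) && !is_trace_fsession(prog))` line deserves a one-line comment stating that the set is registered for all of BPF_PROG_TYPE_TRACING and that this check is what narrows it to fsession, so that a later addition to session_kfunc_set_ids is reviewed with that exposure in mind.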
[ ... ]
+static int __init bpf_trace_kfuncs_init(void)
{
- return register_btf_kfunc_id_set(BPF_PROG_TYPE_KPROBE, &bpf_kprobe_multi_kfunc_set);
+ int err = 0;
+
+ err = err ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_KPROBE, &bpf_session_kfunc_set);
+ err = err ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_TRACING, &bpf_session_kfunc_set);
+
+ return err;
}
--- AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21308666922
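Review bot: In bpf_trace_kfuncs_init() the first `err = err ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_KPROBE, &bpf_session_kfunc_set);` follows `int err = 0;`, so that `?:` is a no-op and only obscures the control flow. Assign the first call directly and return early, e.g. `err = register_btf_kfunc_id_set(BPF_PROG_TYPE_KPROBE, &bpf_session_kfunc_set); if (err) return err; return register_btf_kfunc_id_set(BPF_PROG_TYPE_TRACING, &bpf_session_kfunc_set);`. It is also worth a sentence in the commit message on what state is left behind if the TRACING registration fails after the KPROBE one succeeded, since nothing in this hunk undoes the first registration.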
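As an added illustration of the container_of() mismatch described in the comment above (this is example code written for this page, not code from the patch or from the kernel), the program below uses constructed stand-in structs named session_run_ctx and tramp_run_ctx whose layouts are assumptions, not the kernel's real bpf_session_run_ctx and bpf_tramp_run_ctx definitions. It keeps only the shape the comment relies on: an embedded bpf_run_ctx followed by one pointer-sized field. session_cookie_of() mirrors the kfunc's logic of trusting that the current run ctx is embedded in a session ctx; called on a trampoline ctx it hands back the bits of saved_run_ctx as if they were a cookie pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in layouts for this example; NOT the kernel's struct
 * definitions. Both place one pointer-sized field right after run_ctx. */
struct bpf_run_ctx {
	unsigned char dummy;
};

struct session_run_ctx {              /* stands in for bpf_session_run_ctx */
	struct bpf_run_ctx run_ctx;
	void *data;                       /* cookie storage the kfunc returns */
};

struct tramp_run_ctx {                /* stands in for bpf_tramp_run_ctx */
	struct bpf_run_ctx run_ctx;
	struct bpf_run_ctx *saved_run_ctx; /* sits where ->data is expected */
};

/* The demonstration depends on the two pointer fields overlapping. */
_Static_assert(offsetof(struct session_run_ctx, data) ==
	       offsetof(struct tramp_run_ctx, saved_run_ctx),
	       "stand-in layouts must overlap as the review comment describes");

#ifndef container_of
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#endif

/* Mirrors the kfunc: assumes cur is embedded in a session ctx, no check. */
static uint64_t *session_cookie_of(struct bpf_run_ctx *cur)
{
	struct session_run_ctx *session_ctx =
		container_of(cur, struct session_run_ctx, run_ctx);

	return session_ctx->data;
}

/* Correct case: the current run ctx really is a session ctx, so the
 * returned pointer is the cookie slot. Returns 1 on success. */
int cookie_read_is_correct_for_session(void)
{
	uint64_t cookie = 0x1122334455667788ULL;
	struct session_run_ctx sess = { .run_ctx = { 0 }, .data = &cookie };

	return session_cookie_of(&sess.run_ctx) == &cookie;
}

/* Failure case: the current run ctx is a trampoline ctx. The "cookie
 * pointer" that comes back is the saved_run_ctx pointer reinterpreted,
 * i.e. a type confusion rather than a cookie. Returns 1 when that aliasing
 * is observed. */
int cookie_read_aliases_saved_run_ctx_for_tramp(void)
{
	struct bpf_run_ctx outer = { 0 };
	struct tramp_run_ctx tramp = { .run_ctx = { 0 }, .saved_run_ctx = &outer };
	uint64_t *bogus = session_cookie_of(&tramp.run_ctx);

	return (void *)bogus == (void *)tramp.saved_run_ctx;
}

int main(void)
{
	printf("session ctx: cookie pointer correct = %d\n",
	       cookie_read_is_correct_for_session());
	printf("tramp ctx:   cookie pointer aliases saved_run_ctx = %d\n",
	       cookie_read_aliases_saved_run_ctx_for_tramp());
	return 0;
}
```

The point of the second function is that nothing at runtime distinguishes the two run-ctx kinds once only the embedded bpf_run_ctx pointer is in hand; that is why the series resolves the issue in the verifier, by inlining the kfunc per program type, rather than by adding a check inside bpf_session_cookie().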