Re: [PATCH] bpf: Fix refcount check in check_struct_ops_btf_id()
From: sun jian
Date: Fri Mar 20 2026 - 13:08:22 EST
On Fri, Mar 20, 2026 at 11:47 PM Keisuke Nishimura
<keisuke.nishimura@xxxxxxxx> wrote:
>
> The current implementation only checks whether the first argument is
> refcounted. Fix this by iterating over all arguments.
>
> Signed-off-by: Keisuke Nishimura <keisuke.nishimura@xxxxxxxx>
> Fixes: 38f1e66abd184 ("bpf: Do not allow tail call in strcut_ops program with __ref argument")
> ---
> kernel/bpf/verifier.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 159b25f8269d..278443118a23 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -24853,7 +24853,7 @@ static int check_struct_ops_btf_id(struct bpf_verifier_env *env)
> }
>
> for (i = 0; i < st_ops_desc->arg_info[member_idx].cnt; i++) {
> - if (st_ops_desc->arg_info[member_idx].info->refcounted) {
> + if (st_ops_desc->arg_info[member_idx].info[i].refcounted) {
> has_refcounted_arg = true;
> break;
> }
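Review bot: the corrected `if` in the `for (i = 0; ...)` loop comes with no test, since the diffstat lists only kernel/bpf/verifier.c. A verifier selftest in which the first argument is not refcounted and a later one is would pin down the `info[i]` indexing. The old body never used `i`, which is why the loop looked right while testing the same entry on every pass. Caching `st_ops_desc->arg_info[member_idx]` in a local pointer before the loop would shorten the condition and make the per-iteration index easier to see. The commit message could also state the consequence of the missed check, which the Fixes: title suggests is the tail-call restriction for programs with a __ref argument.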
The fix looks correct to me.
Maybe it's better to add a verifier test for the case where info[0] is
non-refcounted, while __ref is stored in a later entry.
Reviewed-by: Sun Jian <sun.jian.kdev@xxxxxxxxx>