Re: [PATCH] bpf: Fix refcount check in check_struct_ops_btf_id()
From: Amery Hung
Date: Sat Mar 21 2026 - 11:18:15 EST
On Fri, Mar 20, 2026 at 8:45 AM Keisuke Nishimura
<keisuke.nishimura@xxxxxxxx> wrote:
>
> The current implementation only checks whether the first argument is
> refcounted. Fix this by iterating over all arguments.
>
> Signed-off-by: Keisuke Nishimura <keisuke.nishimura@xxxxxxxx>
> Fixes: 38f1e66abd184 ("bpf: Do not allow tail call in strcut_ops program with __ref argument")
Thanks for fixing this. If there is a respin, it will be good to
include what problem it could cause in the commit message. For
example, a reference acquiring struct_ops op could tail call if __ref
is used to annotate arguments other than the first one.
Acked-by: Amery Hung <ameryhung@xxxxxxxxx>
> ---
> kernel/bpf/verifier.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 159b25f8269d..278443118a23 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -24853,7 +24853,7 @@ static int check_struct_ops_btf_id(struct bpf_verifier_env *env)
> }
>
> for (i = 0; i < st_ops_desc->arg_info[member_idx].cnt; i++) {
> - if (st_ops_desc->arg_info[member_idx].info->refcounted) {
> + if (st_ops_desc->arg_info[member_idx].info[i].refcounted) {
> has_refcounted_arg = true;
> break;
> }
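Review bot: the one-line change to `info[i].refcounted` arrives without a selftest (the diffstat shows only kernel/bpf/verifier.c), so nothing would catch a regression back to checking only the first argument. Consider adding a struct_ops case where `__ref` annotates an argument other than the first and the program attempts a tail call, with the verifier expected to reject it. Since the loop bound and the body both spell out `st_ops_desc->arg_info[member_idx]`, a local pointer to that entry would also make it easier to see that `i` is bounded by the same entry's `cnt`.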
> --
> 2.34.1
>