[PATCH bpf v2 0/2] bpf: Fix kfunc implicit arg injection and add selftest
From: chenyuan_fl
Date: Mon Jun 01 2026 - 02:50:42 EST
From: Yuan Chen <chenyuan@xxxxxxxxxx>
v1: https://lore.kernel.org/bpf/20260407080900.551797-1-chenyuan_fl@xxxxxxx/
v1 took the approach of making btf_types_are_same() cross-BTF aware by
comparing kind, size and name. This was correctly rejected by reviewers
(Alan Maguire, sashiko) because:

- Two different structs can have the same name and size but different
  members, making this too permissive
- The real root cause is that pahole 1.30 generated BTF that broke
  the distilled base deduplication for modules, causing the module to
  retain its own copy of struct bpf_prog_aux instead of resolving to
  the vmlinux definition

v2 takes a different approach: instead of weakening btf_types_are_same(),
it introduces a two-layer detection in the verifier's check_kfunc_args()
that cleanly handles the mismatch case. A selftest is added (patch 2) as
requested by Leon and Alan.
Yuan Chen (2):
  bpf: Fix kfunc implicit arg inject type detection to prevent invalid
    pointer deref
  selftests/bpf: Add regression test for kfunc implicit arg injection
    with stale register

 kernel/bpf/verifier.c                              | 48 ++++++++++++++++++-
 .../bpf/prog_tests/test_struct_ops_assoc.c         |  5 ++
 .../selftests/bpf/progs/struct_ops_assoc.c         | 40 ++++++++++++++++
 .../selftests/bpf/test_kmods/bpf_testmod.c         |  9 ++++
 .../bpf/test_kmods/bpf_testmod_kfunc.h             |  1 +
 5 files changed, 101 insertions(+), 2 deletions(-)
--
2.54.0