Re: [PATCH bpf v2 1/2] bpf: Fix kfunc implicit arg inject type detection to prevent invalid pointer deref

From: Eduard Zingerman

Date: Mon Jun 01 2026 - 17:36:38 EST


On Mon, 2026-06-01 at 14:46 +0800, chenyuan_fl@xxxxxxx wrote:

[...]

> @@ -11899,8 +11932,17 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
> u32 ref_id, type_size;
> bool is_ret_buf_sz = false;
> int kf_arg_type;
> -
> - if (is_kfunc_arg_prog_aux(btf, &args[i])) {


Thank you for figuring out this corner case.
I don't think I like matching the type by name here, though.
Wdyt about a somewhat more generic solution described below?
bpf_fixup_kfunc_call() lists all the cases when verifier injects an
implicit argument:
- functions with KF_IMPLICIT_ARGS flag and a parameter of type bpf_prog_aux.
- functions with KF_IMPLICIT_ARGS allowed by is_bpf_list_push_kfunc() /
is_bpf_rbtree_add_kfunc().

Meaning that current check_kfunc_arg() code can be changed as follows:

	if (is_kfunc_arg_prog_aux(btf, &args[i])) {
		... unmodified ...
		continue;
	}
	if (is_bpf_list_push_kfunc(...) || is_bpf_rbtree_add_kfunc(...)) {
		...
		continue;
	}
	if (is_kfunc_arg_implicit(meta, i)) {
		... report error ...
		return -EFAULT;
	}

Thus catching all the cases.

> + enum kfunc_inject_arg_type inject_type;
> +
> + inject_type = get_kfunc_arg_inject_type(btf, &args[i]);
> + switch (inject_type) {
> + case KF_INJECT_ARG_PROG_AUX:
> + /* Validate the arg type against vmlinux's definition */
> + if (!is_kfunc_arg_prog_aux(btf, &args[i])) {
> + verbose(env, "arg#%d implicit argument type mismatch, "
> + "expected struct bpf_prog_aux *\n", i);
> + return -EINVAL;
> + }
> /* Reject repeated use bpf_prog_aux */
> if (meta->arg_prog) {
> verifier_bug(env, "Only 1 prog->aux argument supported per-kfunc");
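Review bot: in the KF_INJECT_ARG_PROG_AUX case the argument has already been classified by get_kfunc_arg_inject_type(btf, &args[i]) from the same btf and args[i], so the follow-up is_kfunc_arg_prog_aux() test either can never fail or encodes a difference between the two helpers (the reply above objects to the new helper matching the type by name) that the hunk does not explain; either add a comment saying what each helper matches, or fold the stricter check into get_kfunc_arg_inject_type() so there is one classification. If the mismatch branch is meant to be reachable, a disagreement between two verifier-side classifications is a verifier/BTF problem rather than a program error, so `verifier_bug(env, ...)` with -EFAULT, as the repeated-use case just below does, fits better than `verbose()` with -EINVAL. Also, the verbose() format string is split across two lines ("arg#%d implicit argument type mismatch, " / "expected struct bpf_prog_aux *\n"), which checkpatch warns about; keep it on one line even if it exceeds the column limit.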

[...]
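The dispatch order sketched in the reply, as an added stand-alone model that is not kernel code and not part of this thread: the recognised injection paths (bpf_prog_aux, list push / rbtree add) are handled first, a catch-all rejects any other implicit argument with -EFAULT, and only arguments that survive all three branches are treated as program-supplied. Every type, flag value, helper name and kfunc descriptor below is an assumption made for the example; the real verifier derives these from BTF and bpf_fixup_kfunc_call().

```c
/* Stand-alone model of the three-way dispatch sketched in the reply: known
 * injection paths first, a catch-all that rejects any other implicit argument,
 * and only then regular program-supplied arguments.  Not kernel code: every
 * type, flag value and kfunc descriptor here is assumed for the example. */
#include <stdbool.h>
#include <stdio.h>

#define KF_IMPLICIT_ARGS 0x1U /* assumed bit, stands in for the kernel's flag */
#define MODEL_EFAULT 14       /* mirrors the -EFAULT in the sketch */
#define MODEL_MAX_ARGS 4

enum model_arg_kind {
	ARG_PTR_TO_MEM,  /* supplied by the BPF program, checked against its register */
	ARG_PROG_AUX,    /* struct bpf_prog_aux *, injected by the verifier */
	ARG_UNKNOWN_PTR, /* pointer type no injection path knows how to fill in */
};

struct model_kfunc {
	unsigned int flags;
	bool list_push_or_rbtree_add;  /* what is_bpf_list_push_kfunc()/is_bpf_rbtree_add_kfunc() would say */
	int nargs;
	enum model_arg_kind kind[MODEL_MAX_ARGS];
	bool injected[MODEL_MAX_ARGS]; /* true if the fixup step, not the program, provides arg i */
};

struct model_meta {
	bool arg_prog;            /* like meta->arg_prog in the hunk */
	int regular_args_checked; /* arguments that reached the normal register checks */
};

/* Model of is_kfunc_arg_implicit(meta, i) from the sketch. */
static bool model_is_implicit(const struct model_kfunc *kf, int i)
{
	return (kf->flags & KF_IMPLICIT_ARGS) && kf->injected[i];
}

/* 0 when every argument is accounted for; -MODEL_EFAULT when an implicit
 * argument has no injection path (a verifier-side bug, not a bad program). */
static int model_check_kfunc_args(const struct model_kfunc *kf, struct model_meta *meta)
{
	for (int i = 0; i < kf->nargs; i++) {
		if (kf->kind[i] == ARG_PROG_AUX) {
			if (meta->arg_prog) /* reject repeated use of bpf_prog_aux */
				return -MODEL_EFAULT;
			meta->arg_prog = true;
			continue;
		}
		if (kf->list_push_or_rbtree_add && kf->injected[i])
			continue; /* handled by the list push / rbtree add fixup path */
		if (model_is_implicit(kf, i))
			/* Catch-all: an injected argument neither path above claimed.
			 * Without it the argument would fall through and be checked as
			 * if the program had supplied a register for it. */
			return -MODEL_EFAULT;
		meta->regular_args_checked++; /* regular arg: normal register checks */
	}
	return 0;
}

static int model_run(const struct model_kfunc *kf)
{
	struct model_meta meta = { 0 };

	return model_check_kfunc_args(kf, &meta);
}

static int model_regular_args(const struct model_kfunc *kf)
{
	struct model_meta meta = { 0 };

	model_check_kfunc_args(kf, &meta);
	return meta.regular_args_checked;
}

/* Constructed descriptors; none is a real kfunc signature. */
static const struct model_kfunc sample_aux_kfunc = {
	KF_IMPLICIT_ARGS, false, 2, { ARG_PTR_TO_MEM, ARG_PROG_AUX }, { false, true },
};
static const struct model_kfunc sample_push_kfunc = {
	KF_IMPLICIT_ARGS, true, 3, { ARG_PTR_TO_MEM, ARG_PTR_TO_MEM, ARG_UNKNOWN_PTR },
	{ false, false, true },
};
static const struct model_kfunc sample_unhandled_kfunc = {
	KF_IMPLICIT_ARGS, false, 2, { ARG_PTR_TO_MEM, ARG_UNKNOWN_PTR }, { false, true },
};
static const struct model_kfunc sample_double_aux_kfunc = {
	KF_IMPLICIT_ARGS, false, 2, { ARG_PROG_AUX, ARG_PROG_AUX }, { true, true },
};

int main(void)
{
	const struct model_kfunc *all[] = { &sample_aux_kfunc, &sample_push_kfunc,
					    &sample_unhandled_kfunc, &sample_double_aux_kfunc };

	for (int i = 0; i < 4; i++)
		printf("sample %d: err=%d regular_args_checked=%d\n",
		       i, model_run(all[i]), model_regular_args(all[i]));
	return 0;
}
```

The third descriptor is the case the catch-all exists for: an argument the fixup step is expected to inject but that is neither bpf_prog_aux nor a list push / rbtree add slot. With the catch-all it is rejected with -EFAULT; without it the loop would count it as a regular argument and verify whatever register the program happened to leave there.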