Re: [PATCH bpf v3 1/2] bpf: Fix kfunc implicit arg inject type detection to prevent invalid pointer deref

From: bot+bpf-ci

Date: Tue Jun 02 2026 - 05:51:14 EST


> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 7fb88e1cd7c4..57e5fdf9f7e0 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -12082,9 +12082,22 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
> continue;
> }
>
> - if (is_kfunc_arg_ignore(btf, &args[i]) || is_kfunc_arg_implicit(meta, i))
> + if (is_kfunc_arg_ignore(btf, &args[i]))
> continue;
>
> + if (is_kfunc_arg_implicit(meta, i)) {
> + /* list_push / rbtree_add kfuncs have implicit args
> + * (e.g. 'off' parameter) handled during verification
> + * in bpf_fixup_kfunc_call(). Don't flag them.
> + */

This isn't a bug, but in the v2 review Yonghong Song asked for a comment
explaining that this code exists to work around the pahole 1.30 BTF
mismatch, so it can be removed once that toolchain issue is no longer
relevant:

https://lore.kernel.org/bpf/7b3ba4a8-a785-4f70-879d-50e63d6de787@xxxxxxxxx/

"Also, please add some comments in the code to explain the reason of
this code is due to pahole 1.30. So later on at some point, this code
can be removed."

The comment block here only documents the list_push/rbtree_add exception
and does not record the pahole 1.30 rationale. Was that request meant
to be addressed in this version?

> + if (is_bpf_list_push_kfunc(meta->func_id) ||
> + is_bpf_rbtree_add_kfunc(meta->func_id))
> + continue;
> + verbose(env, "%s unrecognized implicit argument, possible BTF mismatch\n",
> + reg_arg_name(env, argno));

Where do reg_arg_name() and argno come from?

Grepping the tree finds reg_arg_name and argno only on this new line;
there is no definition anywhere else, and the enclosing for loop in
check_kfunc_args() declares the register index as:

u32 regno = i + 1;

not argno. Does this compile? As written, reg_arg_name() looks like an
implicit/undeclared function reference and argno an undeclared
identifier.

Should this use the existing regno instead, for example:

verbose(env, "R%d unrecognized implicit argument, possible BTF mismatch\n",
regno);

> + return -EFAULT;
> + }
> +
> t = btf_type_skip_modifiers(btf, args[i].type, NULL);
>
> if (btf_type_is_scalar(t)) {
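
Review bot: The new error path returns -EFAULT for a condition that the verbose() message itself describes as a "possible BTF mismatch", which reads as a user-facing program rejection rather than a verifier-internal failure; is -EFAULT intended here, or would -EINVAL be the better fit for rejecting the program? If -EFAULT is deliberate, a short note in the comment block above explaining why would help, since the message and the errno currently point in different directions.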


---
AI reviewed your patch. Please fix the bug or reply by email explaining why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/26810234837