Re: [PATCH bpf v4 1/2] bpf: Fix kfunc implicit arg inject type detection to prevent invalid pointer deref
From: bot+bpf-ci
Date: Tue Jun 02 2026 - 06:48:29 EST
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 7fb88e1cd7c4..57e5fdf9f7e0 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -12082,9 +12082,22 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
> continue;
> }
>
> - if (is_kfunc_arg_ignore(btf, &args[i]) || is_kfunc_arg_implicit(meta, i))
> + if (is_kfunc_arg_ignore(btf, &args[i]))
> continue;
>
> + if (is_kfunc_arg_implicit(meta, i)) {
> + /* list_push / rbtree_add kfuncs have implicit args
> + * (e.g. 'off' parameter) handled during verification
> + * in bpf_fixup_kfunc_call(). Don't flag them.
> + */
A small note here: the v2 review asked for a comment recording that this
workaround exists because of the pahole 1.30 BTF mismatch, so the code can be
removed once that toolchain issue is no longer relevant. The comment block
here only documents the list_push/rbtree_add exception and does not mention the
pahole 1.30 rationale. Should that be added?
> + if (is_bpf_list_push_kfunc(meta->func_id) ||
> + is_bpf_rbtree_add_kfunc(meta->func_id))
> + continue;
> + verbose(env, "%s unrecognized implicit argument, possible BTF mismatch\n",
> + reg_arg_name(env, argno));
^^^^^^^^^^^^^^^^^^^^^^^
Will this compile? I cannot find a declaration of argno or a definition of
reg_arg_name() anywhere in the tree at this commit.
The per-argument loop in check_kfunc_args() names its register index regno,
not argno:
kernel/bpf/verifier.c:check_kfunc_args() {
        ...
        for (i = 0; i < nargs; i++) {
                ...
                u32 regno = i + 1, ref_id, type_size;
                ...
        }
}
There is no argno in this function, and git grep for reg_arg_name at this
commit returns only this call site, with no definition or declaration. That
would give "argno undeclared" and an implicit declaration of reg_arg_name(),
which is an error under -Werror=implicit-function-declaration, so
kernel/bpf/verifier.c (obj-y, always built) would fail to build.
The rest of this function uses regno with an R%d format, for example "R%d is
not a scalar". Did you mean something like:
verbose(env, "R%d unrecognized implicit argument, possible BTF mismatch\n",
regno);
The bpf-ci bot and sashiko-bot both raised this on v3 and v4, and it still
reads reg_arg_name(env, argno) verbatim here:
https://lore.kernel.org/bpf/20260602085827.2562222-2-chenyuan_fl@xxxxxxx/
> + return -EFAULT;
> + }
> +
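Review bot: the new error path at "verbose(env, "%s unrecognized implicit argument, possible BTF mismatch\n", ...)" names only the offending argument, not the kfunc being called, even though meta->func_id is in scope on the line just above it. Since the message is meant to point at a BTF mismatch, printing which kfunc was involved would make the report actionable; consider including the kfunc identity in the message, and note in the new comment block why an unrecognized implicit argument is treated as a hard failure (return -EFAULT) rather than skipped as the old "|| is_kfunc_arg_implicit(meta, i)" test did.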
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/26812478701