Re: [PATCH bpf-next v2 1/2] bpf, verifier: fold reg->var_off into PTR_TO_FLOW_KEYS bounds check

From: bot+bpf-ci

Date: Thu Jun 04 2026 - 14:45:56 EST


> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 8ed484cb1a8a..c04941636ef4 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -4728,9 +4728,22 @@ static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, struct b
> return err;
> }
>
> -static int check_flow_keys_access(struct bpf_verifier_env *env, int off,
> - int size)
> +static int check_flow_keys_access(struct bpf_verifier_env *env, u32 regno,
> + int off, int size)
> {
> + struct bpf_reg_state *reg = reg_state(env, regno);
> +
> + /* Only a constant offset is allowed here; fold it into off. */
> + if (!tnum_is_const(reg->var_off)) {
> + char tn_buf[48];
> +
> + tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
> + verbose(env, "R%d invalid variable offset to flow keys: off=%d, var_off=%s\n",
> + regno, off, tn_buf);
> + return -EACCES;
> + }
> + off += reg->var_off.value;
> +
> if (size < 0 || off < 0 ||
> (u64)off + size > sizeof(struct bpf_flow_keys)) {
> verbose(env, "invalid access to flow keys off=%d size=%d\n",
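Review bot: The fold `off += reg->var_off.value;` adds a u64 to an int and narrows the sum back to int, so a constant that does not fit is truncated before the `off < 0` / `(u64)off + size` check on the following lines ever sees it, and a wrapped value could land inside sizeof(struct bpf_flow_keys). Whether a PTR_TO_FLOW_KEYS register can actually carry a constant var_off that large is not visible in this hunk, but rejecting it explicitly is cheap and keeps the check self-contained: `if (reg->var_off.value > INT_MAX || off > INT_MAX - (int)reg->var_off.value) return -EACCES;` placed before the addition, reusing the verbose() message the hunk already introduces. The comment above the tnum_is_const() test could also state the contract the fold relies on, e.g. `/* var_off is constant here, so reg->off + var_off.value is the exact access offset. */`. The body of check_flow_keys_access continues past the end of the hunk, so the size check's error path is not fully visible here.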
> @@ -6239,7 +6252,7 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, struct b
> return -EACCES;
> }
>
> - err = check_flow_keys_access(env, off, size);
> + err = check_flow_keys_access(env, regno, off, size);
^^^^^

Does this code compile? Looking at check_mem_access(), the function signature
is:

static int check_mem_access(struct bpf_verifier_env *env, int insn_idx,
struct bpf_reg_state *reg, argno_t argno,
int off, int bpf_size, enum bpf_access_type t,
int value_regno, bool strict_alignment_once,
bool is_ldsx)

There is no 'regno' parameter or local variable. The register information is
passed as 'argno_t argno' and 'struct bpf_reg_state *reg'.

The established pattern in this file for obtaining a register number from an
argno_t is reg_from_argno(argno), used throughout verifier.c. For example:

verifier.c:1791:
u32 regno = reg_from_argno(argno);

verifier.c:6859:
regno = reg_from_argno(argno);

The call should be:

err = check_flow_keys_access(env, reg_from_argno(argno), off, size);

This matches check_flow_keys_access()'s new signature where it does
reg_state(env, regno) to look up the register state, which should equal the
'reg' parameter already held by check_mem_access.

> if (!err && t == BPF_READ && value_regno >= 0)
> mark_reg_unknown(env, regs, value_regno);
> } else if (type_is_sk_pointer(reg->type)) {


---
AI reviewed your patch. Please fix the bug, or reply by email explaining why it is not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/26970818032