Re: [PATCH bpf v4 1/2] bpf: Fix kfunc implicit arg inject type detection to prevent invalid pointer deref

From: Eduard Zingerman

Date: Thu Jun 04 2026 - 20:43:16 EST


On Tue, 2026-06-02 at 17:38 +0800, chenyuan_fl@xxxxxxx wrote:

[...]

> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 8dd79b735a69..55c74d064e4e 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -11916,9 +11916,22 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
>   continue;
>   }
>
> - if (is_kfunc_arg_ignore(btf, &args[i]) || is_kfunc_arg_implicit(meta, i))
> + if (is_kfunc_arg_ignore(btf, &args[i]))
>   continue;
>
> + if (is_kfunc_arg_implicit(meta, i)) {
> + /* list_push / rbtree_add kfuncs have implicit args
> + * (e.g. 'off' parameter) handled during verification
> + * in bpf_fixup_kfunc_call().  Don't flag them.
> + */
> + if (is_bpf_list_push_kfunc(meta->func_id) ||
> +     is_bpf_rbtree_add_kfunc(meta->func_id))

I took a second look at the verifier.c:bpf_fixup_kfunc_call() and it
appears it handles more functions with implicit args. The following
predicates are used there:
- is_bpf_obj_new_kfunc
- is_bpf_percpu_obj_new_kfunc
- is_bpf_obj_drop_kfunc
- is_bpf_percpu_obj_drop_kfunc
- is_bpf_refcount_acquire_kfunc
- is_bpf_list_push_kfunc
- is_bpf_rbtree_add_kfunc

Could you please extend this check?

> + continue;
> + verbose(env, "%s unrecognized implicit argument, possible BTF mismatch\n",
> + reg_arg_name(env, argno));
> + return -EFAULT;
> + }
> +
>   t = btf_type_skip_modifiers(btf, args[i].type, NULL);
>
>   if (btf_type_is_scalar(t)) {
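Review bot: the verbose() call in the new implicit-argument branch names the argument with `reg_arg_name(env, argno)` while every other reference in this loop (`args[i]`, `is_kfunc_arg_implicit(meta, i)`) indexes by `i`; please confirm that `argno` refers to the same argument as `i` at this point, otherwise the diagnostic will name the wrong parameter. If the predicate list is extended to the full set that bpf_fixup_kfunc_call() handles (obj_new, percpu_obj_new, obj_drop, percpu_obj_drop and refcount_acquire in addition to list_push and rbtree_add), the comment above the check should be updated in the same hunk: "list_push / rbtree_add kfuncs have implicit args (e.g. 'off' parameter)" would otherwise understate what the `continue` covers, and the 'off' example only applies to the list/rbtree cases. The message would also be easier to act on if it named the kfunc as well as the argument (meta->func_id is already in scope), since "possible BTF mismatch" on its own gives the reader nothing to search for.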