Re: [PATCH bpf v5 1/2] bpf: Fix kfunc implicit arg inject type detection to prevent invalid pointer deref
From: Eduard Zingerman
Date: Mon Jun 08 2026 - 21:02:19 EST
On Mon, 2026-06-08 at 17:54 -0700, Ihor Solodrai wrote:
> On 6/8/26 7:26 AM, chenyuan_fl@xxxxxxx wrote:
> > From: Yuan Chen <chenyuan@xxxxxxxxxx>
> >
> > When a module kfunc declares an implicit struct bpf_prog_aux * argument,
> > the verifier must identify it so the kernel injects env->prog->aux into
> > the correct register at runtime. The original check used
> > is_kfunc_arg_prog_aux() which calls btf_types_are_same() to compare the
> > module BTF type against vmlinux.
> >
> > Root Cause
> >
> > This issue was triggered by pahole 1.30 generating module BTF with
> > incorrect type information, which caused the kernel's distilled base
> > BTF deduplication for modules to fail. As a result, the module retained
> > its own copy of struct bpf_prog_aux with a different BTF ID than
> > vmlinux's definition. While pahole 1.31 fixed the BTF generation issue,
> > the kernel must be robust against such inconsistencies: a BTF mismatch
> > should result in a clean rejection, not a kernel crash or information
> > disclosure.
> >
> > When the distilled base dedup fails and btf_types_are_same() cannot
> > match the module's bpf_prog_aux type against vmlinux's,
> > is_kfunc_arg_prog_aux() returned false and the code fell through
> > silently without setting arg_prog. The kfunc then received whatever
> > value was in the argument register and dereferenced it as a
> > bpf_prog_aux pointer, leading to:
> >
> > BUG: kernel invalid pointer dereference, address: 00000000000009e2
> > RIP: bpf_prog_get_assoc_struct_ops+0xa/0xc0
> > RDI: 0x000000000000046d (stale register value)
> >
> > In the observed crash the stale value was the process PID, causing a
> > dereference within the unmapped NULL page. However, an attacker able
> > to control the register value -- for example by writing a BPF program
> > that explicitly sets R2 before calling a KF_IMPLICIT_ARGS kfunc --
> > could redirect the dereference to arbitrary kernel memory, turning
> > this into an information disclosure. The fix ensures the verifier
> > either validates and injects the correct bpf_prog_aux pointer, or
> > rejects the program outright -- no silent fallthrough that could
> > be exploited.
> >
> > Crash Stack Trace
> >
> > PID: 1133 TASK: ffff8881057d3900 CPU: 3 COMMAND: "test_progs"
> > #0 machine_kexec at ffffffff812f6e26
> > #1 __crash_kexec at ffffffff8145a788
> > #2 crash_kexec at ffffffff8145ac24
> > #3 oops_end at ffffffff812bb67c
> > #4 page_fault_oops at ffffffff813053a1
> > #5 exc_page_fault at ffffffff828e60a1
> > #6 asm_exc_page_fault at ffffffff810012a6
> > [exception RIP: bpf_prog_get_assoc_struct_ops+10]
> > RIP: ffffffff815c024a RSP: ffffc90001b57e48 RFLAGS: 00010283
> > RAX: ffff8881057d3900 RBX: ffffc90001b57e68 RCX: ffff8881057d3900
> > RDX: 0000607d4d1768b8 RSI: 000000000000046d RDI: 000000000000046d
> > #7 bpf_kfunc_multi_st_ops_test_1_assoc at ffffffffc0013a85 [bpf_testmod]
> > #8 bpf_trace_run2 at ffffffff814f8332
> > #9 __traceiter_sys_enter at ffffffff81415f45
> > #10 trace_syscall_enter at ffffffff81416735
> > #11 do_syscall_64 at ffffffff828e06a1
> >
> > Fix
> >
> > Split the combined is_kfunc_arg_ignore() || is_kfunc_arg_implicit()
> > check in check_kfunc_args() so that an implicit argument reaching
> > is_kfunc_arg_implicit() without being handled by a prior handler is
> > rejected with -EFAULT, instead of silently skipped. Existing implicit
> > args in bpf_fixup_kfunc_call() (obj_new, percpu_obj_new, obj_drop,
> > percpu_obj_drop, refcount_acquire, list_push, rbtree_add) are
> > explicitly allowed.
> >
> > Suggested-by: Eduard Zingerman <eddyz87@xxxxxxxxx>
> > Fixes: 64e1360524b9 ("bpf: Verifier support for KF_IMPLICIT_ARGS")
> > Signed-off-by: Yuan Chen <chenyuan@xxxxxxxxxx>
> > ---
> > kernel/bpf/verifier.c | 20 +++++++++++++++++++-
> > 1 file changed, 19 insertions(+), 1 deletion(-)
> >
> > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > index 8ed484cb1a8a..91aaed7a5eeb 100644
> > --- a/kernel/bpf/verifier.c
> > +++ b/kernel/bpf/verifier.c
> > @@ -11885,9 +11885,27 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
> > continue;
> > }
> >
> > - if (is_kfunc_arg_ignore(btf, &args[i]) || is_kfunc_arg_implicit(meta, i))
> > + if (is_kfunc_arg_ignore(btf, &args[i]))
> > continue;
> >
> > + if (is_kfunc_arg_implicit(meta, i)) {
> > + /* kfuncs with implicit args (e.g. 'off' parameter)
> > + * handled during verification in bpf_fixup_kfunc_call():
> > + * obj_new, percpu_obj_new, obj_drop, percpu_obj_drop,
> > + * refcount_acquire, list_push, rbtree_add. Don't flag them. */
> > + if (is_bpf_obj_new_kfunc(meta->func_id) ||
> > + is_bpf_percpu_obj_new_kfunc(meta->func_id) ||
> > + is_bpf_obj_drop_kfunc(meta->func_id) ||
> > + is_bpf_percpu_obj_drop_kfunc(meta->func_id) ||
> > + is_bpf_refcount_acquire_kfunc(meta->func_id) ||
> > + is_bpf_list_push_kfunc(meta->func_id) ||
> > + is_bpf_rbtree_add_kfunc(meta->func_id))
>
> Is the goal here to have a nice error message?
>
> I think this will fail for other functions like bpf_wq_set_callback().
> For a proper check, the list must include every single kfunc with KF_IMPLICIT_ARGS, no?
>
> If we go this route, then the list of flagged kfuncs can be collected automatically.
> I'm not sure we actually want to do this.
The calls to functions with implicit arguments are patched by
bpf_fixup_kfunc_call(). As far as I understand, this function:
- handles functions with implicit bpf_prog_aux generically
- handles the functions listed above on a case-by-case basis.
The goal is not to have a nice error message, but to prevent runtime
from reading garbage from a register.
>
> > + continue;
> > + verbose(env, "%s unrecognized implicit argument, possible BTF mismatch\n",
> > + reg_arg_name(env, argno));
> > + return -EFAULT;
> > + }
> > +
> > t = btf_type_skip_modifiers(btf, args[i].type, NULL);
> >
> > if (btf_type_is_scalar(t)) {