Re: [PATCH bpf v6 1/2] bpf: Fix kfunc implicit arg inject type detection to prevent invalid pointer deref
From: bot+bpf-ci
Date: Tue Jun 09 2026 - 09:35:35 EST
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 7fb88e1cd7c4..806c86388984 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -12082,9 +12082,28 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
> continue;
> }
>
> - if (is_kfunc_arg_ignore(btf, &args[i]) || is_kfunc_arg_implicit(meta, i))
> + if (is_kfunc_arg_ignore(btf, &args[i]))
> continue;
>
> + if (is_kfunc_arg_implicit(meta, i)) {
> + /*
> + * This is an exhaustive list of the non-bpf_prog_aux
> + * implicit args kfuncs, which are handled
> + * post-verification by bpf_fixup_kfunc_call().
> + */
> + if (is_bpf_obj_new_kfunc(meta->func_id) ||
> + is_bpf_percpu_obj_new_kfunc(meta->func_id) ||
> + is_bpf_obj_drop_kfunc(meta->func_id) ||
> + is_bpf_percpu_obj_drop_kfunc(meta->func_id) ||
> + is_bpf_refcount_acquire_kfunc(meta->func_id) ||
> + is_bpf_list_push_kfunc(meta->func_id) ||
> + is_bpf_rbtree_add_kfunc(meta->func_id))
> + continue;
> + verbose(env, "%s unrecognized implicit argument, possible BTF mismatch\n",
> + reg_arg_name(env, argno));
> + return -EFAULT;
> + }
> +
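Review bot: The error path in the new is_kfunc_arg_implicit() block calls reg_arg_name(env, argno), but argno is not declared anywhere in the visible context (the loop indexes its argument with i and &args[i]) and reg_arg_name() is not a helper used or shown anywhere else in the hunk, so this will not build. The function already reports registers as verbose(env, "R%d ...", regno) with regno = i + 1, so the message should use that existing register number rather than a new name. Separately, the comment describes the func_id allow-list as exhaustive, but a list maintained in the verifier has to be touched every time a kfunc gains KF_IMPLICIT_ARGS, and any omission turns a valid program into an -EFAULT rejection; checking in bpf_fixup_kfunc_call() that every implicit argument was actually filled by a handler would catch the BTF-mismatch case without that maintenance burden while still failing closed.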
Does this code compile? The call to reg_arg_name(env, argno) references
two symbols that don't exist at this commit. The function reg_arg_name()
is not defined in the tree: searching kernel/bpf/verifier.c finds the
identifier only once at this call site, and a tree-wide search yields no
definition. The variable argno is also undeclared: check_kfunc_args()
declares 'u32 regno = i + 1, ref_id, type_size;' but has no argno local.
Both trigger build failures (implicit declaration of function and
undeclared variable). The intended register is likely regno, matching the
pattern used elsewhere in this function:
verbose(env, "R%d ...", regno);
Looking at the comment by Ihor Solodrai on Mon, 8 Jun 2026 17:54:36 -0700
(https://lore.kernel.org/bpf/eab4e479-2023-49b8-9915-1c8ef2356837@xxxxxxxxx/),
the list of allowed kfuncs is incomplete. It omits bpf_wq_set_callback,
bpf_stream_vprintk, bpf_stream_print_stack, bpf_task_work_schedule_signal,
and bpf_task_work_schedule_resume, all of which have KF_IMPLICIT_ARGS and
would trigger the new error path incorrectly.
Eduard Zingerman's response on Mon, 08 Jun 2026 23:20:36 -0700
(https://lore.kernel.org/bpf/0d63a8d68bf0778d6e931ed27892a5bcb151295d.camel@xxxxxxxxx/)
suggested an alternative fix: instead of enumerating kfuncs in the
verifier, check in bpf_fixup_kfunc_call() whether an implicit arg has the
KF_IMPLICIT_ARGS flag but wasn't filled by an earlier handler. This would
catch the BTF mismatch case without needing to maintain a list and without
breaking valid kfuncs.
The comment claims the list is exhaustive, but it's missing at least five
kfuncs. Should this use Eduard's suggested approach in bpf_fixup_kfunc_call()
instead?
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/27208267613
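The following is an added illustration written for this page, not kernel code and not part of the patch or the thread: it models, in plain C with hypothetical types and names (kf_desc, kf_call, handled_kfuncs, verifier_allow_list), the two detection strategies discussed above. Strategy A is the hunk's approach of allow-listing func_ids in the verifier; strategy B is the suggested alternative of checking after fixup that every argument BTF marks implicit was actually filled by a handler. The sample kfunc names and the slot numbers are constructed for the demonstration; the point it shows is that the allow-list rejects a valid kfunc it does not know about, while the fill check only rejects the genuine mismatch, and both fail closed with -EFAULT.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 5

/* Hypothetical kfunc descriptor: which argument slots BTF marks as implicit. */
struct kf_desc {
    const char *name;
    bool implicit[MAX_ARGS];
};

/* Hypothetical call being fixed up: a handler sets filled[i] when it injects slot i. */
struct kf_call {
    struct kf_desc kf;
    bool filled[MAX_ARGS];
};

/* Hypothetical stand-in for post-verification fixup: only these kfuncs have a
 * handler that knows how to inject their implicit argument. */
static const char *const handled_kfuncs[] = {
    "bpf_obj_new_impl", "bpf_obj_drop_impl", "bpf_wq_set_callback",
};

/* Hypothetical verifier-side allow-list (strategy A), deliberately missing
 * bpf_wq_set_callback to model an incomplete list. */
static const char *const verifier_allow_list[] = {
    "bpf_obj_new_impl", "bpf_obj_drop_impl",
};

static bool name_in(const char *const *list, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], name) == 0)
            return true;
    return false;
}

/* Simulated fixup: a handler fills every implicit slot of a kfunc it knows. */
static void run_fixup(struct kf_call *c)
{
    if (!name_in(handled_kfuncs, sizeof(handled_kfuncs) / sizeof(handled_kfuncs[0]), c->kf.name))
        return;
    for (int i = 0; i < MAX_ARGS; i++)
        if (c->kf.implicit[i])
            c->filled[i] = true;
}

/* Strategy A: reject any kfunc with implicit args that is not on the allow-list. */
static int check_by_list(const struct kf_call *c)
{
    bool any_implicit = false;
    for (int i = 0; i < MAX_ARGS; i++)
        any_implicit |= c->kf.implicit[i];
    if (!any_implicit)
        return 0;
    if (name_in(verifier_allow_list, sizeof(verifier_allow_list) / sizeof(verifier_allow_list[0]), c->kf.name))
        return 0;
    return -EFAULT; /* "unrecognized implicit argument" */
}

/* Strategy B: after fixup, an implicit slot nobody filled means BTF and the
 * kernel disagree about this kfunc's signature. */
static int check_by_fill(const struct kf_call *c)
{
    for (int i = 0; i < MAX_ARGS; i++)
        if (c->kf.implicit[i] && !c->filled[i])
            return -EFAULT;
    return 0;
}

/* Build a call where BTF marks `slot` as implicit, then apply one strategy. */
static struct kf_call make_call(const char *name, int slot)
{
    struct kf_call c;
    memset(&c, 0, sizeof(c));
    c.kf.name = name;
    c.kf.implicit[slot] = true;
    return c;
}

int list_verdict(const char *name, int slot)
{
    struct kf_call c = make_call(name, slot);
    return check_by_list(&c);
}

int fill_verdict(const char *name, int slot)
{
    struct kf_call c = make_call(name, slot);
    run_fixup(&c);
    return check_by_fill(&c);
}

int main(void)
{
    const char *cases[] = { "bpf_obj_new_impl", "bpf_wq_set_callback", "kfunc_only_in_newer_btf" };
    for (size_t i = 0; i < 3; i++)
        printf("%-24s list=%d fill=%d\n", cases[i], list_verdict(cases[i], 1), fill_verdict(cases[i], 1));
    return 0;
}
```

The third constructed case stands for the situation the patch is guarding against: BTF says an argument is implicit but no handler in this kernel knows the kfunc. Both strategies reject it, but only the fill check lets the valid, handled kfunc through without someone having remembered to add it to a list.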