[PATCH bpf-next v2 0/2] bpf: Reject MEM_ALLOC BTF accesses past bounds

From: Yiyang Chen

Date: Tue Jun 23 2026 - 13:40:48 EST


BTF struct walks can relax the top-level struct-size check for trailing
flexible arrays. That relaxation must not let a PTR_TO_BTF_ID | MEM_ALLOC
access escape the bytes allocated by bpf_obj_new() or bpf_percpu_obj_new().

Patch 1 rejects MEM_ALLOC BTF walks whose access range reaches past the
current struct size before applying the flexible-array relaxation. Patch 2
adds a linked_list negative loader case for this path.

Changes in v2:
- Move the check from bpf_obj_new() type validation to BTF struct walking.
- Reject MEM_ALLOC accesses that reach past the allocated object bounds.
- Update the selftest expected verifier error and carry Eduard's Acked-by.

v1:
https://lore.kernel.org/bpf/cover.1782100805.git.chenyy23@xxxxxxxxxxxxxxxxxxxxx/

Yiyang Chen (2):
bpf: Reject MEM_ALLOC BTF accesses past object bounds
selftests/bpf: Cover MEM_ALLOC access past object bounds

kernel/bpf/btf.c | 14 +++++++----
.../selftests/bpf/prog_tests/linked_list.c | 1 +
.../selftests/bpf/progs/linked_list_fail.c | 23 +++++++++++++++++++
3 files changed, 33 insertions(+), 5 deletions(-)


base-commit: a975094bf98ca97be9146f9d3b5681a6f9cf5ce3
--
2.34.1
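To make the rule the cover letter describes concrete, here is a small constructed C model of the decision (not the series' kernel code, and not btf_struct_walk() itself); the type name, helper names and the sample layout are assumptions made for this illustration:

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of a BTF struct type as the verifier sees it. */
struct btf_type_model {
    size_t size;          /* sizeof() the struct as BTF reports it */
    bool has_flex_array;  /* struct ends in a flexible array member */
};

enum walk_result { WALK_OK = 0, WALK_REJECT_OOB = 1 };

/*
 * Decide whether an access of `size` bytes at `off` into an object of
 * type `t` is in bounds. `mem_alloc` marks PTR_TO_BTF_ID | MEM_ALLOC,
 * i.e. an object from bpf_obj_new()/bpf_percpu_obj_new(), which is
 * exactly t->size bytes long.
 */
enum walk_result check_btf_access(const struct btf_type_model *t,
                                  size_t off, size_t size, bool mem_alloc)
{
    /* Written this way so off + size cannot wrap around. */
    bool within = size <= t->size && off <= t->size - size;

    if (within)
        return WALK_OK;
    /* MEM_ALLOC objects have no bytes past the struct size, so the
     * flexible-array relaxation below must not apply to them. */
    if (mem_alloc)
        return WALK_REJECT_OOB;
    /* Other BTF pointers may reference objects with a real trailing array. */
    if (t->has_flex_array)
        return WALK_OK;
    return WALK_REJECT_OOB;
}

/* Constructed sample: struct { int hdr; int data[]; } -> size 4, flex array. */
static const struct btf_type_model sample_flex_type = { .size = 4, .has_flex_array = true };

/* Reading data[0] (offset 4, 4 bytes) through a plain BTF pointer: relaxed. */
enum walk_result sample_plain_ptr_read(void)
{
    return check_btf_access(&sample_flex_type, 4, 4, false);
}

/* Same read on a bpf_obj_new() object: only 4 bytes were allocated. */
enum walk_result sample_mem_alloc_read(void)
{
    return check_btf_access(&sample_flex_type, 4, 4, true);
}
```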