Re: [PATCH] bpf: Fix refcount check in check_struct_ops_btf_id()

Next message: Jakub Kicinski: "Re: [PATCH net 2/5] rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial"
Previous message: Danilo Machado: "ENC: AMDGPU Tonga suspend regression identified between kernel 6.3 and 6.4 ( Danilo Machado )"
In reply to: sun jian: "Re: [PATCH] bpf: Fix refcount check in check_struct_ops_btf_id()"
Next in thread: Amery Hung: "Re: [PATCH] bpf: Fix refcount check in check_struct_ops_btf_id()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Emil Tsalapatis

Date: Fri Mar 20 2026 - 21:44:46 EST

On Fri Mar 20, 2026 at 9:02 AM EDT, Keisuke Nishimura wrote:
> The current implementation only checks whether the first argument is
> refcounted. Fix this by iterating over all arguments.
>
Second Sun's recommendation to add a selftest for this.

> Signed-off-by: Keisuke Nishimura <keisuke.nishimura@xxxxxxxx>
> Fixes: 38f1e66abd184 ("bpf: Do not allow tail call in strcut_ops program with __ref argument")
Nit: strcut_ops -> struct_ops

Once you add the selftest, feel free to add:

Reviewed-by: Emil Tsalapatis <emil@xxxxxxxxxxxxxxx>
> ---
> kernel/bpf/verifier.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 159b25f8269d..278443118a23 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -24853,7 +24853,7 @@ static int check_struct_ops_btf_id(struct bpf_verifier_env *env)
> }
>
> for (i = 0; i < st_ops_desc->arg_info[member_idx].cnt; i++) {
> - if (st_ops_desc->arg_info[member_idx].info->refcounted) {
> + if (st_ops_desc->arg_info[member_idx].info[i].refcounted) {
> has_refcounted_arg = true;
> break;
> }