Re: [PATCH bpf v5 1/2] bpf: Fix kfunc implicit arg inject type detection to prevent invalid pointer deref
From: bot+bpf-ci
Date: Mon Jun 08 2026 - 11:21:06 EST
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 7fb88e1cd7c4..7e5b68c31c34 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -12082,9 +12082,27 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
> continue;
> }
>
> - if (is_kfunc_arg_ignore(btf, &args[i]) || is_kfunc_arg_implicit(meta, i))
> + if (is_kfunc_arg_ignore(btf, &args[i]))
> continue;
>
> + if (is_kfunc_arg_implicit(meta, i)) {
> + /* kfuncs with implicit args (e.g. 'off' parameter)
> + * handled during verification in bpf_fixup_kfunc_call():
> + * obj_new, percpu_obj_new, obj_drop, percpu_obj_drop,
> + * refcount_acquire, list_push, rbtree_add. Don't flag them. */
> + if (is_bpf_obj_new_kfunc(meta->func_id) ||
> + is_bpf_percpu_obj_new_kfunc(meta->func_id) ||
> + is_bpf_obj_drop_kfunc(meta->func_id) ||
> + is_bpf_percpu_obj_drop_kfunc(meta->func_id) ||
> + is_bpf_refcount_acquire_kfunc(meta->func_id) ||
> + is_bpf_list_push_kfunc(meta->func_id) ||
> + is_bpf_rbtree_add_kfunc(meta->func_id))
> + continue;
> + verbose(env, "%s unrecognized implicit argument, possible BTF mismatch\n",
> + reg_arg_name(env, argno));
Does this reference an undeclared 'argno'? The for-loop in
check_kfunc_args() declares only 'i' and 'regno = i + 1', and there is no
'argno' in scope here. The only 'argno' identifiers in this file are
parameters of get_kfunc_ptr_arg_type() and process_kf_arg_ptr_to_btf_id(),
neither of which is visible inside check_kfunc_args().
Would this fail to compile with "error: 'argno' undeclared (first use in
this function)" and break the build of kernel/bpf/verifier.c?
There is also a type concern. reg_arg_name()'s second parameter has type
argno_t, which is a struct:
typedef struct argno { int argno; } argno_t;
so substituting the in-scope u32 'regno' would be a type mismatch rather
than a fix. The other diagnostics in this function pass the u32 'regno'
directly, for example:
verbose(env, "R%d is not a scalar\n", regno);
Was 'regno' (with a matching format) the intended argument here, or is an
argno_t value needed?
The range b75a2e8e..687e2f6c was checked and no later commit corrects
this, so the build break does not appear to be fixed later in the series.
> + return -EFAULT;
> + }
> +
> t = btf_type_skip_modifiers(btf, args[i].type, NULL);
>
> if (btf_type_is_scalar(t)) {
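Review bot: The seven is_bpf_*_kfunc() checks in the new is_kfunc_arg_implicit() block (from `if (is_bpf_obj_new_kfunc(meta->func_id) ||` through `is_bpf_rbtree_add_kfunc(meta->func_id))`) hard-code the set of kfuncs whose implicit args bpf_fixup_kfunc_call() handles, as the comment above them states; a kfunc that later gains an implicit arg and is fixed up there without also being added to this list would be rejected here with "unrecognized implicit argument, possible BTF mismatch" and -EFAULT. Consider a single helper used by both sites, or a comment at bpf_fixup_kfunc_call() pointing back to this check, so the two lists stay in sync. Minor style point: the closing `*/` of the multi-line comment sits on the same line as `refcount_acquire, list_push, rbtree_add. Don't flag them.`; kernel style puts it on its own line.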
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/27144762590