Re: [PATCH bpf v5 1/2] bpf: Fix kfunc implicit arg inject type detection to prevent invalid pointer deref

From: Eduard Zingerman

Date: Mon Jun 08 2026 - 14:08:53 EST


On Mon, 2026-06-08 at 22:26 +0800, chenyuan_fl@xxxxxxx wrote:
> From: Yuan Chen <chenyuan@xxxxxxxxxx>

[...]

> Fix
>
> Split the combined is_kfunc_arg_ignore() || is_kfunc_arg_implicit()
> check in check_kfunc_args() so that an implicit argument reaching
> is_kfunc_arg_implicit() without being handled by a prior handler is
> rejected with -EFAULT, instead of silently skipped. Existing implicit
> args in bpf_fixup_kfunc_call() (obj_new, percpu_obj_new, obj_drop,
> percpu_obj_drop, refcount_acquire, list_push, rbtree_add) are
> explicitly allowed.
>
> Suggested-by: Eduard Zingerman <eddyz87@xxxxxxxxx>
> Fixes: 64e1360524b9 ("bpf: Verifier support for KF_IMPLICIT_ARGS")
> Signed-off-by: Yuan Chen <chenyuan@xxxxxxxxxx>
> ---

Acked-by: Eduard Zingerman <eddyz87@xxxxxxxxx>

> kernel/bpf/verifier.c | 20 +++++++++++++++++++-
> 1 file changed, 19 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 8ed484cb1a8a..91aaed7a5eeb 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -11885,9 +11885,27 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
> continue;
> }
>
> - if (is_kfunc_arg_ignore(btf, &args[i]) || is_kfunc_arg_implicit(meta, i))
> + if (is_kfunc_arg_ignore(btf, &args[i]))
> continue;
>
> + if (is_kfunc_arg_implicit(meta, i)) {
> + /* kfuncs with implicit args (e.g. 'off' parameter)
> + * handled during verification in bpf_fixup_kfunc_call():
> + * obj_new, percpu_obj_new, obj_drop, percpu_obj_drop,
> + * refcount_acquire, list_push, rbtree_add. Don't flag them. */

Nit: comment does not follow formatting rules and the two lines
listing relevant kfuncs are redundant.

/*
* This is an exhaustive list of the non-bpf_prog_aux implicit args kfuncs,
* which are handled post-verification by bpf_fixup_kfunc_call().
*/

> + if (is_bpf_obj_new_kfunc(meta->func_id) ||
> + is_bpf_percpu_obj_new_kfunc(meta->func_id) ||
> + is_bpf_obj_drop_kfunc(meta->func_id) ||
> + is_bpf_percpu_obj_drop_kfunc(meta->func_id) ||
> + is_bpf_refcount_acquire_kfunc(meta->func_id) ||
> + is_bpf_list_push_kfunc(meta->func_id) ||
> + is_bpf_rbtree_add_kfunc(meta->func_id))
> + continue;
> + verbose(env, "%s unrecognized implicit argument, possible BTF mismatch\n",
> + reg_arg_name(env, argno));
> + return -EFAULT;
> + }
> +
> t = btf_type_skip_modifiers(btf, args[i].type, NULL);
>
> if (btf_type_is_scalar(t)) {
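Review bot: the verbose() call in the new is_kfunc_arg_implicit() branch names the argument via reg_arg_name(env, argno), but the enclosing loop in the visible context indexes with i and args[i], and neither argno nor reg_arg_name() appears anywhere in the hunk; please confirm both resolve in check_kfunc_args() and that the name printed actually corresponds to args[i], otherwise the diagnostic can point at the wrong argument. A second concern is drift: the seven is_bpf_*_kfunc() checks hard-code the set of kfuncs handled in bpf_fixup_kfunc_call() (obj_new, percpu_obj_new, obj_drop, percpu_obj_drop, refcount_acquire, list_push, rbtree_add), so any kfunc later added to that fixup path will be rejected here with -EFAULT until this list is updated too. A shared helper that both call sites use, e.g. a `bool is_fixup_implicit_arg_kfunc(u32 func_id)` predicate, would keep the two in sync; failing that, the comment should state explicitly that this list must mirror bpf_fixup_kfunc_call().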