Re: [PATCH bpf v5 1/2] bpf: Fix kfunc implicit arg inject type detection to prevent invalid pointer deref

[Eduard Zingerman]

On Mon, 2026-06-08 at 18:18 -0700, Ihor Solodrai wrote:

[...]

> > > > @@ -11885,9 +11885,27 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
> > > >  			continue;
> > > >  		}
> > > >  
> > > > -		if (is_kfunc_arg_ignore(btf, &args[i]) || is_kfunc_arg_implicit(meta, i))
> > > > +		if (is_kfunc_arg_ignore(btf, &args[i]))
> > > >  			continue;
> > > >  
> > > > +		if (is_kfunc_arg_implicit(meta, i)) {
> > > > +			/* kfuncs with implicit args (e.g. 'off' parameter)
> > > > +			 * handled during verification in bpf_fixup_kfunc_call():
> > > > +			 * obj_new, percpu_obj_new, obj_drop, percpu_obj_drop,
> > > > +			 * refcount_acquire, list_push, rbtree_add. Don't flag them. */
> > > > +			if (is_bpf_obj_new_kfunc(meta->func_id) ||
> > > > +			    is_bpf_percpu_obj_new_kfunc(meta->func_id) ||
> > > > +			    is_bpf_obj_drop_kfunc(meta->func_id) ||
> > > > +			    is_bpf_percpu_obj_drop_kfunc(meta->func_id) ||
> > > > +			    is_bpf_refcount_acquire_kfunc(meta->func_id) ||
> > > > +			    is_bpf_list_push_kfunc(meta->func_id) ||
> > > > +			    is_bpf_rbtree_add_kfunc(meta->func_id))
> > > 
> > > Is the goal here to have a nice error message?
> > > 
> > > I think this will fail for other functions like bpf_wq_set_callback().
> > > For a proper check, the list must include every single kfunc with KF_IMPLICIT_ARGS, no?
> > > 
> > > If we go this route, then the list of flagged kfuncs can be collected automatically.
> > > I'm not sure we actually want to do this.
> > 
> > The calls to functions with implicit arguments are patched by
> > bpf_fixup_kfunc_call(). As far as I understand, this function:
> > - handles functions with implicit bpf_prog_aux generically
> > - handles the functions listed above on a case-by-case basis.
> > 
> > The goal is not to have a nice error message, but to prevent runtime
> > from reading garbage from a register.
> 
> In check_kfunc_args() we only needed to know whether the arg is implicit,
> independent of its type, which is_kfunc_arg_implicit() already does. To skip it.
> 
> For vmlinux kernel kfuncs this should be enough, I think.
> 
> To properly harden against reading garbage for a *module* kfunc, I think the 
> verifier would have to check for the specific BTF type, e.g. "are we patching a 
> struct bpf_prog_aux pointer?".

The only way for a module kfunc can have implicit args is to have
bpf_prog_aux parameter and an implicit args flag.
There are no module-specific callbacks to do custom implicit args patching.

The actual arguments patching is done by verifier.c:bpf_fixup_kfunc_call().
It has the following structure:

  int bpf_fixup_kfunc_call(...)
  {
	...

	if (is_bpf_obj_new_kfunc(desc->func_id) || is_bpf_percpu_obj_new_kfunc(desc->func_id)) {
		... patch args ...
	} else if (is_bpf_obj_drop_kfunc(desc->func_id) ||
		   is_bpf_percpu_obj_drop_kfunc(desc->func_id) ||
		   is_bpf_refcount_acquire_kfunc(desc->func_id)) {
		... patch args ...
	} else if (is_bpf_list_push_kfunc(desc->func_id) ||
		   is_bpf_rbtree_add_kfunc(desc->func_id)) {
                ... patch args ...
	} else if (desc->func_id == special_kfunc_list[KF_bpf_cast_to_kern_ctx] ||
		   desc->func_id == special_kfunc_list[KF_bpf_rdonly_cast]) {
		...
	} else if (desc->func_id == special_kfunc_list[KF_bpf_session_is_return] && ...) {
		...
	} else if (desc->func_id == special_kfunc_list[KF_bpf_session_cookie] && ...) {
		...
	}

	if (env->insn_aux_data[insn_idx].arg_prog) {
		u32 regno = env->insn_aux_data[insn_idx].arg_prog;
                ... patch bpf_prog_aux arg in `regno` ...
	}
	return 0;
  }
  
Also consider how check_kfunc_args() looks w/o this patch:

  static int check_kfunc_args(...)
  {
	...
	for (i = 0; i < nargs; i++) {
		...
		if (is_kfunc_arg_prog_aux(btf, &args[i])) {
			... set env->insn_aux_data[insn_idx].arg_prog ...
		}
		if (is_kfunc_arg_ignore(btf, &args[i]) || is_kfunc_arg_implicit(meta, i))
			continue;
		...
	}
	return 0;
  }

The `is_kfunc_arg_prog_aux(btf, &args[i])` might return false in case of bogus BTF.
In such a case `insn_aux_data[insn_idx].arg_prog` won't be set and no patching
would happen in check_kfunc_args(). The kfunc call would remain and the kfunc would
read whatever happens to be in the should-have-been patched register.

So this patch modifies check_kfunc_args() to error out if function is
marked with implicit args flag, but neither of known good implicit
args cases is present.

> It could be done immediately before patching, but at that point the verification is
> complete, right?..

Actually, yes. The following should be a legit fix as well (I think):

  diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
  index b27352d72b4f..6d6f4ccf2021 100644
  --- a/include/linux/bpf_verifier.h
  +++ b/include/linux/bpf_verifier.h
  @@ -1606,6 +1606,7 @@ enum bpf_reg_arg_type {
   struct bpf_kfunc_desc {
          struct btf_func_model func_model;
          u32 func_id;
  +       u32 flags;
          s32 imm;
          u16 offset;
          unsigned long addr;
  diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
  index 02239c56801b..6e5f5a14a29c 100644
  --- a/kernel/bpf/verifier.c
  +++ b/kernel/bpf/verifier.c
  @@ -2752,6 +2752,7 @@ int bpf_add_kfunc_call(struct bpf_verifier_env *env, u32 func_id, u16 offset)
   
          desc = &tab->descs[tab->nr_descs++];
          desc->func_id = func_id;
  +       desc->flags = kfunc.flags ? *kfunc.flags : 0;
          desc->offset = offset;
          desc->addr = addr;
          desc->func_model = func_model;
  @@ -19753,9 +19754,7 @@ int bpf_fixup_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
                  insn_buf[4] = BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1);
                  insn_buf[5] = BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0);
                  *cnt = 6;
  -       }
  -
  -       if (env->insn_aux_data[insn_idx].arg_prog) {
  +       } else if (env->insn_aux_data[insn_idx].arg_prog) {
                  u32 regno = env->insn_aux_data[insn_idx].arg_prog;
                  struct bpf_insn ld_addrs[2] = { BPF_LD_IMM64(regno, (long)env->prog->aux) };
                  int idx = *cnt;
  @@ -19764,6 +19763,10 @@ int bpf_fixup_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
                  insn_buf[idx++] = ld_addrs[1];
                  insn_buf[idx++] = *insn;
                  *cnt = idx;
  +       } else if (desc->flags & KF_IMPLICIT_ARGS) {
  +               verbose(env, "don't know how to patch kfunc call at instruction %d, possible BTF mismatch, kfunc is marked with KF_IMPLICIT_ARGS\n",
  +                       insn_idx);
  +               return -EFAULT;
          }
          return 0;
   }

> Other than that we'd have to somehow pass through from check_kfunc_args() to
> bpf_fixup_kfunc_call() information like "arg 1 of this kfunc can be patched to prog_aux" etc.
> We sort of do that already with the meta->arg_prog = true
> 
> In a module one can define arbitrary kfuncs and add KF_IMPLICIT_ARGS to them, so
> proper hardening needs to be generic.
> 
> I think this boils down to whether we want to error-check module kfuncs or not.
> Not sure what the verifier strategy is here, but my understanding is that in general
> a custom module can easily make kernel read garbage, and it's not a kernel's problem.