Re: [PATCH bpf-next 1/2] bpf: Reject offset refcount acquire arguments

[Eduard Zingerman]

On Fri, 2026-06-19 at 07:59 +0000, Yiyang Chen wrote:
> bpf_refcount_acquire() increments the refcount at the caller-supplied
> pointer plus the refcount field offset, then returns the caller-supplied
> pointer unchanged.
> 
> The verifier records the return value as a base pointer to the refcounted
> object.
> 
> bpf_list_pop_front() and bpf_rbtree_remove() can return embedded graph-node
> pointers as PTR_TO_BTF_ID | MEM_ALLOC with a fixed offset equal to the node
> field offset. Passing such a pointer directly to bpf_refcount_acquire()
> currently passes the refcounted-kptr type check.
> 
> That makes the runtime operation start from base + node_off while the
> verifier models the returned pointer as the object base.
> 
> Require refcount-acquire arguments to have zero offset. Programs can still
> acquire a refcount from a graph-node-derived pointer after normalizing it
> with container_of().
> 
> Fixes: 7c50b1cb76aca ("bpf: Add bpf_refcount_acquire kfunc")
> Signed-off-by: Yiyang Chen <chenyy23@xxxxxxxxxxxxxxxxxxxxx>
> ---

Hi Yiyang,

thank you for the bug report.

>  kernel/bpf/verifier.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 2abc79dbf..4510fe0b4 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -12392,6 +12392,11 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
>  					reg_arg_name(env, argno));
>  				return -EINVAL;
>  			}
> +			if (reg->var_off.value != 0) {

I think this check should be handled by check_func_arg_reg_off() /
__check_ptr_off_reg(), could you please reorganize the code such that
it is handled there?

> +				verbose(env, "%s must have zero offset when passed to %s\n",
> +					reg_arg_name(env, argno), meta->func_name);
> +				return -EINVAL;
> +			}
>  			if (!type_is_non_owning_ref(reg->type))
>  				meta->arg_owning_ref = true;
>