Re: [PATCH bpf-next v2 1/2] bpf: Reject offset refcount acquire arguments

From: Alexei Starovoitov

Date: Sat Jun 20 2026 - 13:48:22 EST


On Sat Jun 20, 2026 at 8:04 AM PDT, Yiyang Chen wrote:
> bpf_refcount_acquire() increments the refcount at the caller-supplied
> pointer plus the refcount field offset, then returns the caller-supplied
> pointer unchanged.
>
> The verifier records the return value as a base pointer to the refcounted
> object.
>
> bpf_list_pop_front() and bpf_rbtree_remove() can return embedded
> graph-node pointers as PTR_TO_BTF_ID | MEM_ALLOC with a fixed offset equal
> to the node field offset. Passing such a pointer directly to
> bpf_refcount_acquire() currently passes the refcounted-kptr type check.
>
> That makes the runtime operation start from base + node_off while the
> verifier models the returned pointer as the object base.
>
> Require refcount-acquire arguments to have zero fixed offset by carrying
> the requirement through check_func_arg_reg_off() to __check_ptr_off_reg().
> Programs can still acquire a refcount from a graph-node-derived pointer
> after normalizing it with container_of().
>
> Fixes: 7c50b1cb76aca ("bpf: Add bpf_refcount_acquire kfunc")
> Signed-off-by: Yiyang Chen <chenyy23@xxxxxxxxxxxxxxxxxxxxx>
> ---
> include/linux/bpf.h | 3 +++
> kernel/bpf/verifier.c | 18 +++++++++++-------
> 2 files changed, 14 insertions(+), 7 deletions(-)
>
> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index 7719f6528..b9b7d19cb 100644
> --- a/include/linux/bpf.h
> +++ b/include/linux/bpf.h
> @@ -859,6 +859,9 @@ enum bpf_type_flag {
> /* DYNPTR points to file */
> DYNPTR_TYPE_FILE = BIT(20 + BPF_BASE_TYPE_BITS),
>
> + /* PTR argument cannot have a fixed offset. */
> + PTR_ZERO_OFF = BIT(21 + BPF_BASE_TYPE_BITS),
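Review bot: The new `PTR_ZERO_OFF` flag at `BIT(21 + BPF_BASE_TYPE_BITS)` spends a global `enum bpf_type_flag` bit on a requirement that, per the commit message, applies to exactly one argument site (the refcount-acquire argument, threaded through check_func_arg_reg_off() to __check_ptr_off_reg()). A per-argument constraint for a single kfunc does not justify a type flag that every consumer of `bpf_type_flag` now has to reason about; consider enforcing `reg->off == 0` directly where the refcounted-kptr argument is checked, or passing the zero-offset requirement as an explicit parameter to the offset-check helpers, so no enum bit is consumed. The comment text `/* PTR argument cannot have a fixed offset. */` should then move with the check to wherever it ends up.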

No. We're not going to burn the bit.

pw-bot: cr
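To make the mismatch in the quoted commit message concrete, here is an added user-space C model; it is not kernel code and not part of this thread. `struct obj`, its field names, `model_refcount_acquire()` and `check_acquire_arg_off()` are all constructed stand-ins for the real object layout, `bpf_refcount_acquire()` and the verifier check, and the `-EINVAL` return is an assumed illustrative value. The node-derived path shows the increment landing at `node_off + ref_off` instead of `ref_off`, while the `container_of()` path shows the normalization the commit message says programs must do.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space model (not kernel code) of a refcounted BPF object
 * that embeds a graph node. The two types stand in for bpf_list_node and
 * bpf_refcount; field order puts the node at a nonzero offset on purpose. */
struct fake_list_node { void *next, *prev; };
struct fake_refcount  { int32_t cnt; };

struct obj {
    int64_t payload;              /* offset 0 */
    struct fake_list_node node;   /* graph-node field, node_off */
    struct fake_refcount ref;     /* refcount field, ref_off */
    int64_t trailer;              /* keeps a mis-aimed write inside the object */
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Runtime model of bpf_refcount_acquire(): bump the counter found at
 * (argument pointer + ref_off) and hand the argument back unchanged. */
static void *model_refcount_acquire(void *p)
{
    int32_t *cnt = (int32_t *)((char *)p + offsetof(struct obj, ref));
    (*cnt)++;
    return p;
}

/* Verifier-side model of the fix: an acquire argument must carry fixed
 * offset 0, otherwise the program is rejected (-EINVAL is an assumed value). */
int check_acquire_arg_off(int fixed_off)
{
    return fixed_off == 0 ? 0 : -EINVAL;
}

/* Pass the pointer a pop/remove would hand back (object base + node_off)
 * straight to the acquire. Returns the object offset the increment hit. */
size_t acquire_from_node_ptr(struct obj *o)
{
    void *node_ptr = &o->node;                       /* fixed offset node_off */
    void *ret = model_refcount_acquire(node_ptr);
    /* ret == node_ptr at runtime, but the verifier treats it as the base */
    return (size_t)((char *)ret + offsetof(struct obj, ref) - (char *)o);
}

/* Normalize with container_of() first, as the commit message requires. */
size_t acquire_from_base_ptr(struct obj *o)
{
    struct fake_list_node *node_ptr = &o->node;
    struct obj *base = container_of(node_ptr, struct obj, node);
    void *ret = model_refcount_acquire(base);
    return (size_t)((char *)ret + offsetof(struct obj, ref) - (char *)o);
}

int main(void)
{
    struct obj o;
    memset(&o, 0, sizeof o);

    size_t hit = acquire_from_node_ptr(&o);
    printf("node-derived arg: increment at offset %zu (ref_off=%zu) ref.cnt=%d trailer=%lld\n",
           hit, offsetof(struct obj, ref), o.ref.cnt, (long long)o.trailer);

    memset(&o, 0, sizeof o);
    hit = acquire_from_base_ptr(&o);
    printf("container_of() arg: increment at offset %zu ref.cnt=%d\n", hit, o.ref.cnt);

    printf("verifier check: node_off=%zu -> %d, base -> %d\n",
           offsetof(struct obj, node),
           check_acquire_arg_off((int)offsetof(struct obj, node)),
           check_acquire_arg_off(0));
    return 0;
}
```

With the node-derived argument the refcount stays at zero and a neighbouring field is modified instead, which is exactly the runtime/verifier disagreement the patch closes; the `check_acquire_arg_off()` model rejects the nonzero fixed offset before the program ever runs.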