[PATCH bpf-next 0/2] bpf: Reject flexible-array allocation types

Next message: Selvamani Rajagopal: "RE: [PATCH 0/2] Fix to possible skb leak due to race condtion in tx path"
Previous message: Yiyang Chen: "[PATCH bpf-next 2/2] selftests/bpf: Cover flexible-array allocation rejection"
Next in thread: Yiyang Chen: "[PATCH bpf-next 1/2] bpf: Reject flexible-array allocation types"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yiyang Chen

Date: Mon Jun 22 2026 - 00:57:58 EST

bpf_obj_new() and bpf_percpu_obj_new() allocate only the static BTF size
for the selected program-BTF type.

A program-BTF struct can nevertheless end with a zero-length flexible array.
Generic BTF struct walks have special handling for such trailing arrays, and
can validate field accesses beyond the allocated static object size.

Patch 1 rejects allocation kfunc types with trailing flexible arrays.
Patch 2 adds a linked_list negative loader case for the rejection.

Yiyang Chen (2):
bpf: Reject flexible-array allocation types
selftests/bpf: Cover flexible-array allocation rejection

kernel/bpf/verifier.c | 28 +++++++++++++++++++
.../selftests/bpf/prog_tests/linked_list.c | 2 ++
.../selftests/bpf/progs/linked_list_fail.c | 23 +++++++++++++++
3 files changed, 53 insertions(+)

base-commit: a975094bf98ca97be9146f9d3b5681a6f9cf5ce3
--
2.34.1