From: Shuran Liu
To: song@kernel.org, mattbobrowski@google.com, bpf@vger.kernel.org
Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, martin.lau@linux.dev, eddyz87@gmail.com, yonghong.song@linux.dev, john.fastabend@gmail.com, kpsingh@kernel.org, sdf@fomichev.me, haoluo@google.com, jolsa@kernel.org, rostedt@goodmis.org, mhiramat@kernel.org, mathieu.desnoyers@efficios.com, linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, dxu@dxuuu.xyz, linux-kselftest@vger.kernel.org, shuah@kernel.org, electronlsr@gmail.com, Zesen Liu, Peili Gao, Haoran Ni
Subject: [PATCH bpf v5 1/2] bpf: mark bpf_d_path() buffer as writeable
Date: Sat, 6 Dec 2025 22:12:09 +0800
Message-ID: <20251206141210.3148-2-electronlsr@gmail.com>
In-Reply-To: <20251206141210.3148-1-electronlsr@gmail.com>
References: <20251206141210.3148-1-electronlsr@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable

Commit 37cce22dbd51 ("bpf: verifier: Refactor helper access type tracking") started distinguishing read vs write accesses performed by helpers.

The second argument of bpf_d_path() is a pointer to a buffer that the helper fills with the resulting path. However, its prototype currently uses ARG_PTR_TO_MEM without MEM_WRITE.

Before 37cce22dbd51, helper accesses were conservatively treated as potential writes, so this mismatch did not cause issues. Since that commit, the verifier may incorrectly assume that the buffer contents are unchanged across the helper call and base its optimizations on this wrong assumption. This can lead to misbehaviour in BPF programs that read back the buffer, such as prefix comparisons on the returned path.
Fix this by marking the second argument of bpf_d_path() as ARG_PTR_TO_MEM | MEM_WRITE so that the verifier correctly models the write to the caller-provided buffer. Fixes: 37cce22dbd51 ("bpf: verifier: Refactor helper access type tracking") Co-developed-by: Zesen Liu Signed-off-by: Zesen Liu Co-developed-by: Peili Gao Signed-off-by: Peili Gao Co-developed-by: Haoran Ni Signed-off-by: Haoran Ni Signed-off-by: Shuran Liu Reviewed-by: Matt Bobrowski --- kernel/trace/bpf_trace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index 4f87c16d915a..49e0bdaa7a1b 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -965,7 +965,7 @@ static const struct bpf_func_proto bpf_d_path_proto =3D= { .ret_type =3D RET_INTEGER, .arg1_type =3D ARG_PTR_TO_BTF_ID, .arg1_btf_id =3D &bpf_d_path_btf_ids[0], - .arg2_type =3D ARG_PTR_TO_MEM, + .arg2_type =3D ARG_PTR_TO_MEM | MEM_WRITE, .arg3_type =3D ARG_CONST_SIZE_OR_ZERO, .allowed =3D bpf_d_path_allowed, }; --=20 2.52.0
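Review bot: At the `.arg2_type` line of `bpf_d_path_proto`, the added `MEM_WRITE` flag carries the whole fix, but nothing beside it records why it is needed; a one-line comment there saying that the helper fills this buffer with the resulting path would keep a later cleanup of the prototype from dropping the flag again. The commit message describes the cause as general (before 37cce22dbd51 every helper access was treated as a potential write), while this hunk touches only `bpf_d_path_proto`, so the message should also say whether other helper prototypes that fill a caller-provided buffer through a bare `ARG_PTR_TO_MEM` were checked for the same mismatch. Programs that compare a prefix of the returned path are the case the message names as affected, so a regression test that reads the buffer back after the call is the check that would catch a recurrence.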