From: Zesen Liu
Date: Wed, 07 Jan 2026 20:21:38 +0800
Subject: [PATCH bpf 1/2] bpf: Fix memory access flags in helper prototypes
Message-Id: <20260107-helper_proto-v1-1-e387e08271cc@gmail.com>
References: <20260107-helper_proto-v1-0-e387e08271cc@gmail.com>
In-Reply-To: <20260107-helper_proto-v1-0-e387e08271cc@gmail.com>
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Matt Bobrowski, Steven Rostedt, Masami Hiramatsu, Mathieu Desnoyers, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Daniel Xu
Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, netdev@vger.kernel.org, Shuran Liu, Peili Gao, Haoran Ni, Zesen Liu

After commit 37cce22dbd51 ("bpf: verifier: Refactor helper access type
tracking"), the verifier started relying on the access type flags in
helper function prototypes to perform memory access optimizations.

Currently, several helper functions utilizing ARG_PTR_TO_MEM lack the
corresponding MEM_RDONLY or MEM_WRITE flags.
This omission causes the verifier to incorrectly assume that the buffer
contents are unchanged across the helper call. Consequently, the verifier
may optimize away subsequent reads based on this wrong assumption, leading
to correctness issues.

For bpf_get_stack_proto_raw_tp, the original MEM_RDONLY was incorrect
since the helper writes to the buffer. Change it to ARG_PTR_TO_UNINIT_MEM
which correctly indicates write access to potentially uninitialized memory.

Similar issues were recently addressed for specific helpers in commit
ac44dcc788b9 ("bpf: Fix verifier assumptions of bpf_d_path's output buffer")
and commit 2eb7648558a7 ("bpf: Specify access type of bpf_sysctl_get_name args").

Fix these prototypes by adding the correct memory access flags.

Fixes: 37cce22dbd51 ("bpf: verifier: Refactor helper access type tracking")
Co-developed-by: Shuran Liu
Signed-off-by: Shuran Liu
Co-developed-by: Peili Gao
Signed-off-by: Peili Gao
Co-developed-by: Haoran Ni
Signed-off-by: Haoran Ni
Signed-off-by: Zesen Liu
--- kernel/bpf/helpers.c | 2 +- kernel/bpf/syscall.c | 2 +- kernel/trace/bpf_trace.c | 6 +++--- net/core/filter.c | 8 ++++---- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c index db72b96f9c8c..f66284f8ec2c 100644 --- a/kernel/bpf/helpers.c +++ b/kernel/bpf/helpers.c @@ -1077,7 +1077,7 @@ const struct bpf_func_proto bpf_snprintf_proto =3D { .func =3D bpf_snprintf, .gpl_only =3D true, .ret_type =3D RET_INTEGER, - .arg1_type =3D ARG_PTR_TO_MEM_OR_NULL, + .arg1_type =3D ARG_PTR_TO_MEM_OR_NULL | MEM_WRITE, .arg2_type =3D ARG_CONST_SIZE_OR_ZERO, .arg3_type =3D ARG_PTR_TO_CONST_STR, .arg4_type =3D ARG_PTR_TO_MEM | PTR_MAYBE_NULL | MEM_RDONLY, diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 4ff82144f885..ee116a3b7baf 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c 
@@ -6407,7 +6407,7 @@ static const struct bpf_func_proto bpf_kallsyms_looku= p_name_proto =3D { .func =3D bpf_kallsyms_lookup_name, .gpl_only =3D false, .ret_type =3D RET_INTEGER, - .arg1_type =3D ARG_PTR_TO_MEM, + .arg1_type =3D ARG_PTR_TO_MEM | MEM_RDONLY, .arg2_type =3D ARG_CONST_SIZE_OR_ZERO, .arg3_type =3D ARG_ANYTHING, .arg4_type =3D ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_WRITE | MEM_A= LIGNED, diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index fe28d86f7c35..59c2394981c7 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -1022,7 +1022,7 @@ const struct bpf_func_proto bpf_snprintf_btf_proto = =3D { .func =3D bpf_snprintf_btf, .gpl_only =3D false, .ret_type =3D RET_INTEGER, - .arg1_type =3D ARG_PTR_TO_MEM, + .arg1_type =3D ARG_PTR_TO_MEM | MEM_WRITE, .arg2_type =3D ARG_CONST_SIZE, .arg3_type =3D ARG_PTR_TO_MEM | MEM_RDONLY, .arg4_type =3D ARG_CONST_SIZE, @@ -1526,7 +1526,7 @@ static const struct bpf_func_proto bpf_read_branch_re= cords_proto =3D { .gpl_only =3D true, .ret_type =3D RET_INTEGER, .arg1_type =3D ARG_PTR_TO_CTX, - .arg2_type =3D ARG_PTR_TO_MEM_OR_NULL, + .arg2_type =3D ARG_PTR_TO_MEM_OR_NULL | MEM_WRITE, .arg3_type =3D ARG_CONST_SIZE_OR_ZERO, .arg4_type =3D ARG_ANYTHING, }; @@ -1661,7 +1661,7 @@ static const struct bpf_func_proto bpf_get_stack_prot= o_raw_tp =3D { .gpl_only =3D true, .ret_type =3D RET_INTEGER, .arg1_type =3D ARG_PTR_TO_CTX, - .arg2_type =3D ARG_PTR_TO_MEM | MEM_RDONLY, + .arg2_type =3D ARG_PTR_TO_UNINIT_MEM, .arg3_type =3D ARG_CONST_SIZE_OR_ZERO, .arg4_type =3D ARG_ANYTHING, }; diff --git a/net/core/filter.c b/net/core/filter.c index 616e0520a0bb..6e07bb994aa7 100644 --- a/net/core/filter.c +++ b/net/core/filter.c 
@@ -6399,7 +6399,7 @@ static const struct bpf_func_proto bpf_xdp_fib_lookup= _proto =3D { .gpl_only =3D true, .ret_type =3D RET_INTEGER, .arg1_type =3D ARG_PTR_TO_CTX, - .arg2_type =3D ARG_PTR_TO_MEM, + .arg2_type =3D ARG_PTR_TO_MEM | MEM_WRITE, .arg3_type =3D ARG_CONST_SIZE, .arg4_type =3D ARG_ANYTHING, }; @@ -6454,7 +6454,7 @@ static const struct bpf_func_proto bpf_skb_fib_lookup= _proto =3D { .gpl_only =3D true, .ret_type =3D RET_INTEGER, .arg1_type =3D ARG_PTR_TO_CTX, - .arg2_type =3D ARG_PTR_TO_MEM, + .arg2_type =3D ARG_PTR_TO_MEM | MEM_WRITE, .arg3_type =3D ARG_CONST_SIZE, .arg4_type =3D ARG_ANYTHING, }; @@ -8010,7 +8010,7 @@ static const struct bpf_func_proto bpf_tcp_raw_gen_sy= ncookie_ipv4_proto =3D { .ret_type =3D RET_INTEGER, .arg1_type =3D ARG_PTR_TO_FIXED_SIZE_MEM, .arg1_size =3D sizeof(struct iphdr), - .arg2_type =3D ARG_PTR_TO_MEM, + .arg2_type =3D ARG_PTR_TO_MEM | MEM_RDONLY, .arg3_type =3D ARG_CONST_SIZE_OR_ZERO, }; =20 
@@ -8042,7 +8042,7 @@ static const struct bpf_func_proto bpf_tcp_raw_gen_sy= ncookie_ipv6_proto =3D { .ret_type =3D RET_INTEGER, .arg1_type =3D ARG_PTR_TO_FIXED_SIZE_MEM, .arg1_size =3D sizeof(struct ipv6hdr), - .arg2_type =3D ARG_PTR_TO_MEM, + .arg2_type =3D ARG_PTR_TO_MEM | MEM_RDONLY, .arg3_type =3D ARG_CONST_SIZE_OR_ZERO, }; =20 --=20 2.43.0
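Review bot: In the bpf_get_stack_proto_raw_tp hunk (kernel/trace/bpf_trace.c, @@ -1661), moving arg2 from "ARG_PTR_TO_MEM | MEM_RDONLY" to ARG_PTR_TO_UNINIT_MEM does more than correct the access direction: unlike the other hunks, which only add "| MEM_WRITE", it also allows a program to pass a buffer it never initialized. The commit message should state that the helper fills or clears the whole buffer on every return path, error paths included; if that cannot be stated, use "ARG_PTR_TO_MEM | MEM_WRITE" here as in the rest of the patch so the initialization requirement stays in place.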
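Review bot: The diffstat of patch 1/2 lists only the four files that carry prototypes, and 2/2 touches only kernel/bpf/verifier.c, so nothing in the series exercises the stale-read case the commit message describes. A verifier selftest that initializes a buffer, passes it to one of the helpers now marked MEM_WRITE (bpf_snprintf, for instance), and then checks that the post-call read is not folded to the pre-call value would show the bug and guard the fix against regression.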
From: Zesen Liu
Date: Wed, 07 Jan 2026 20:21:39 +0800
Subject: [PATCH bpf 2/2] bpf: Require ARG_PTR_TO_MEM with memory flag
Message-Id: <20260107-helper_proto-v1-2-e387e08271cc@gmail.com>
References: <20260107-helper_proto-v1-0-e387e08271cc@gmail.com>
In-Reply-To: <20260107-helper_proto-v1-0-e387e08271cc@gmail.com>
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Matt Bobrowski, Steven Rostedt, Masami Hiramatsu, Mathieu Desnoyers, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Daniel Xu
Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, netdev@vger.kernel.org, Shuran Liu, Peili Gao, Haoran Ni, Zesen Liu

Add check to ensure that ARG_PTR_TO_MEM is used with either MEM_WRITE or
MEM_RDONLY.

Using ARG_PTR_TO_MEM alone without tags does not make sense because:

- If the helper does not change the argument, missing MEM_RDONLY causes the
  verifier to incorrectly reject a read-only buffer.
- If the helper does change the argument, missing MEM_WRITE causes the
  verifier to incorrectly assume the memory is unchanged, leading to errors
  in code optimization.
Co-developed-by: Shuran Liu
Signed-off-by: Shuran Liu
Co-developed-by: Peili Gao
Signed-off-by: Peili Gao
Co-developed-by: Haoran Ni
Signed-off-by: Haoran Ni
Signed-off-by: Zesen Liu
--- kernel/bpf/verifier.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index f0ca69f888fa..c7ebddb66385 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -10349,10 +10349,27 @@ static bool check_btf_id_ok(const struct bpf_func= _proto *fn) return true; } =20 +static bool check_mem_arg_rw_flag_ok(const struct bpf_func_proto *fn) +{ + int i; + + for (i =3D 0; i < ARRAY_SIZE(fn->arg_type); i++) { + enum bpf_arg_type arg_type =3D fn->arg_type[i]; + + if (base_type(arg_type) !=3D ARG_PTR_TO_MEM) + continue; + if (!(arg_type & (MEM_WRITE | MEM_RDONLY))) + return false; + } + + return true; +} + static int check_func_proto(const struct bpf_func_proto *fn, int func_id) { return check_raw_mode_ok(fn) && check_arg_pair_ok(fn) && + check_mem_arg_rw_flag_ok(fn) && check_btf_id_ok(fn) ? 0 : -EINVAL; } =20 --=20 2.43.0
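Review bot: In check_mem_arg_rw_flag_ok(), the test "!(arg_type & (MEM_WRITE | MEM_RDONLY))" accepts an argument that carries both flags at once, which is as contradictory as carrying neither; reject that combination as well, or add a comment saying why it is allowed. The new function also has no comment stating the rule, although the two bullet points from the commit message would fit directly above it. Because check_func_proto() now returns -EINVAL for any bare ARG_PTR_TO_MEM, the commit message should say that the tree was searched for remaining bare uses beyond the nine arguments fixed in patch 1/2.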
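Added example, not part of the posted series: a small C model that applies the rule from patch 2/2 to the nine buffer arguments changed by patch 1/2, to show what the rule catches (a missing flag) and what it cannot catch (a wrong flag, as bpf_get_stack_proto_raw_tp had). The M_* bit values, the row table and the function names are constructed for this model, and the expansion of ARG_PTR_TO_MEM_OR_NULL and ARG_PTR_TO_UNINIT_MEM into ARG_PTR_TO_MEM plus modifier flags is an assumption.

```c
/* Model flag bits; the positions are constructed for this example. */
enum {
    M_MEM = 1, M_BASE_MASK = 0xff,          /* ARG_PTR_TO_MEM base type */
    M_NULL = 1 << 8, M_RDONLY = 1 << 9,     /* PTR_MAYBE_NULL, MEM_RDONLY */
    M_WRITE = 1 << 10, M_UNINIT = 1 << 11,  /* MEM_WRITE, MEM_UNINIT */
};

struct proto_row {
    const char *name;  /* prototype name from the diff */
    unsigned before;   /* buffer argument type on the '-' line */
    unsigned after;    /* buffer argument type on the '+' line */
};

/* Transcribed from the hunks of patch 1/2. Assumption: the _OR_NULL and
 * UNINIT_MEM spellings expand to ARG_PTR_TO_MEM plus modifier flags. */
static const struct proto_row rows[] = {
    { "bpf_snprintf_proto", M_MEM | M_NULL, M_MEM | M_NULL | M_WRITE },
    { "bpf_kallsyms_lookup_name_proto", M_MEM, M_MEM | M_RDONLY },
    { "bpf_snprintf_btf_proto", M_MEM, M_MEM | M_WRITE },
    { "bpf_read_branch_records_proto", M_MEM | M_NULL, M_MEM | M_NULL | M_WRITE },
    { "bpf_get_stack_proto_raw_tp", M_MEM | M_RDONLY, M_MEM | M_UNINIT | M_WRITE },
    { "bpf_xdp_fib_lookup_proto", M_MEM, M_MEM | M_WRITE },
    { "bpf_skb_fib_lookup_proto", M_MEM, M_MEM | M_WRITE },
    { "bpf_tcp_raw_gen_syncookie_ipv4_proto", M_MEM, M_MEM | M_RDONLY },
    { "bpf_tcp_raw_gen_syncookie_ipv6_proto", M_MEM, M_MEM | M_RDONLY },
};
#define N_ROWS ((int)(sizeof(rows) / sizeof(rows[0])))

/* Same rule as check_mem_arg_rw_flag_ok(), applied to one argument. */
static int rw_flag_ok(unsigned t)
{
    if ((t & M_BASE_MASK) != M_MEM)
        return 1;
    return (t & (M_WRITE | M_RDONLY)) != 0;
}

/* Rows the check rejects, using the pre-patch (0) or post-patch (1) column. */
static int count_rejected(int after)
{
    int n = 0;
    for (int i = 0; i < N_ROWS; i++)
        n += !rw_flag_ok(after ? rows[i].after : rows[i].before);
    return n;
}

/* Index of the first row that passes the check pre-patch although it declared
 * read-only a buffer that patch 1/2 marks as written; -1 if there is none. */
static int accepted_but_wrong(void)
{
    for (int i = 0; i < N_ROWS; i++)
        if (rw_flag_ok(rows[i].before) && (rows[i].before & M_RDONLY) && (rows[i].after & M_WRITE))
            return i;
    return -1;
}
```

Eight of the nine pre-patch arguments fail the rule; the ninth, bpf_get_stack_proto_raw_tp at index 4, passes it while still misdescribing the helper, so flag direction still has to be reviewed by hand.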