From: Zesen Liu
Date: Wed, 07 Jan 2026 21:21:42 +0800
Subject: [PATCH bpf v2 1/2] bpf: Fix memory access flags in helper prototypes
Message-Id: <20260107-helper_proto-v2-1-4c562bcca5a8@gmail.com>
References: <20260107-helper_proto-v2-0-4c562bcca5a8@gmail.com>
In-Reply-To: <20260107-helper_proto-v2-0-4c562bcca5a8@gmail.com>
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Matt Bobrowski, Steven Rostedt, Masami Hiramatsu, Mathieu Desnoyers, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Daniel Xu
Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, netdev@vger.kernel.org, Shuran Liu, Peili Gao, Haoran Ni, Zesen Liu

After commit 37cce22dbd51 ("bpf: verifier: Refactor helper access type tracking"), the verifier started relying on the access type flags in helper function prototypes to perform memory access optimizations.

Currently, several helper functions utilizing ARG_PTR_TO_MEM lack the corresponding MEM_RDONLY or MEM_WRITE flags.
This omission causes the verifier to incorrectly assume that the buffer contents are unchanged across the helper call. Consequently, the verifier may optimize away subsequent reads based on this wrong assumption, leading to correctness issues. For bpf_get_stack_proto_raw_tp, the original MEM_RDONLY was incorrect since the helper writes to the buffer. Change it to ARG_PTR_TO_UNINIT_MEM which correctly indicates write access to potentially uninitialized memory. Similar issues were recently addressed for specific helpers in commit ac44dcc788b9 ("bpf: Fix verifier assumptions of bpf_d_path's output buffer") and commit 2eb7648558a7 ("bpf: Specify access type of bpf_sysctl_get_name a= rgs"). Fix these prototypes by adding the correct memory access flags. Fixes: 37cce22dbd51 ("bpf: verifier: Refactor helper access type tracking") Co-developed-by: Shuran Liu Signed-off-by: Shuran Liu Co-developed-by: Peili Gao Signed-off-by: Peili Gao Co-developed-by: Haoran Ni Signed-off-by: Haoran Ni Signed-off-by: Zesen Liu --- kernel/bpf/helpers.c | 2 +- kernel/bpf/syscall.c | 2 +- kernel/trace/bpf_trace.c | 6 +++--- net/core/filter.c | 20 ++++++++++---------- 4 files changed, 15 insertions(+), 15 deletions(-) diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c index db72b96f9c8c..f66284f8ec2c 100644 --- a/kernel/bpf/helpers.c +++ b/kernel/bpf/helpers.c @@ -1077,7 +1077,7 @@ const struct bpf_func_proto bpf_snprintf_proto =3D { .func =3D bpf_snprintf, .gpl_only =3D true, .ret_type =3D RET_INTEGER, - .arg1_type =3D ARG_PTR_TO_MEM_OR_NULL, + .arg1_type =3D ARG_PTR_TO_MEM_OR_NULL | MEM_WRITE, .arg2_type =3D ARG_CONST_SIZE_OR_ZERO, .arg3_type =3D ARG_PTR_TO_CONST_STR, .arg4_type =3D ARG_PTR_TO_MEM | PTR_MAYBE_NULL | MEM_RDONLY, diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 4ff82144f885..ee116a3b7baf 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c 
@@ -6407,7 +6407,7 @@ static const struct bpf_func_proto bpf_kallsyms_looku= p_name_proto =3D { .func =3D bpf_kallsyms_lookup_name, .gpl_only =3D false, .ret_type =3D RET_INTEGER, - .arg1_type =3D ARG_PTR_TO_MEM, + .arg1_type =3D ARG_PTR_TO_MEM | MEM_RDONLY, .arg2_type =3D ARG_CONST_SIZE_OR_ZERO, .arg3_type =3D ARG_ANYTHING, .arg4_type =3D ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_WRITE | MEM_A= LIGNED, diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index fe28d86f7c35..59c2394981c7 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -1022,7 +1022,7 @@ const struct bpf_func_proto bpf_snprintf_btf_proto = =3D { .func =3D bpf_snprintf_btf, .gpl_only =3D false, .ret_type =3D RET_INTEGER, - .arg1_type =3D ARG_PTR_TO_MEM, + .arg1_type =3D ARG_PTR_TO_MEM | MEM_WRITE, .arg2_type =3D ARG_CONST_SIZE, .arg3_type =3D ARG_PTR_TO_MEM | MEM_RDONLY, .arg4_type =3D ARG_CONST_SIZE, @@ -1526,7 +1526,7 @@ static const struct bpf_func_proto bpf_read_branch_re= cords_proto =3D { .gpl_only =3D true, .ret_type =3D RET_INTEGER, .arg1_type =3D ARG_PTR_TO_CTX, - .arg2_type =3D ARG_PTR_TO_MEM_OR_NULL, + .arg2_type =3D ARG_PTR_TO_MEM_OR_NULL | MEM_WRITE, .arg3_type =3D ARG_CONST_SIZE_OR_ZERO, .arg4_type =3D ARG_ANYTHING, }; @@ -1661,7 +1661,7 @@ static const struct bpf_func_proto bpf_get_stack_prot= o_raw_tp =3D { .gpl_only =3D true, .ret_type =3D RET_INTEGER, .arg1_type =3D ARG_PTR_TO_CTX, - .arg2_type =3D ARG_PTR_TO_MEM | MEM_RDONLY, + .arg2_type =3D ARG_PTR_TO_UNINIT_MEM, .arg3_type =3D ARG_CONST_SIZE_OR_ZERO, .arg4_type =3D ARG_ANYTHING, }; diff --git a/net/core/filter.c b/net/core/filter.c index 616e0520a0bb..18174e0d3fcf 100644 --- a/net/core/filter.c +++ b/net/core/filter.c 
@@ -6399,7 +6399,7 @@ static const struct bpf_func_proto bpf_xdp_fib_lookup= _proto =3D { .gpl_only =3D true, .ret_type =3D RET_INTEGER, .arg1_type =3D ARG_PTR_TO_CTX, - .arg2_type =3D ARG_PTR_TO_MEM, + .arg2_type =3D ARG_PTR_TO_MEM | MEM_WRITE, .arg3_type =3D ARG_CONST_SIZE, .arg4_type =3D ARG_ANYTHING, }; @@ -6454,7 +6454,7 @@ static const struct bpf_func_proto bpf_skb_fib_lookup= _proto =3D { .gpl_only =3D true, .ret_type =3D RET_INTEGER, .arg1_type =3D ARG_PTR_TO_CTX, - .arg2_type =3D ARG_PTR_TO_MEM, + .arg2_type =3D ARG_PTR_TO_MEM | MEM_WRITE, .arg3_type =3D ARG_CONST_SIZE, .arg4_type =3D ARG_ANYTHING, }; @@ -8008,9 +8008,9 @@ static const struct bpf_func_proto bpf_tcp_raw_gen_sy= ncookie_ipv4_proto =3D { .gpl_only =3D true, /* __cookie_v4_init_sequence() is GPL */ .pkt_access =3D true, .ret_type =3D RET_INTEGER, - .arg1_type =3D ARG_PTR_TO_FIXED_SIZE_MEM, + .arg1_type =3D ARG_PTR_TO_FIXED_SIZE_MEM | MEM_RDONLY, .arg1_size =3D sizeof(struct iphdr), - .arg2_type =3D ARG_PTR_TO_MEM, + .arg2_type =3D ARG_PTR_TO_MEM | MEM_RDONLY, .arg3_type =3D ARG_CONST_SIZE_OR_ZERO, }; =20 @@ -8040,9 +8040,9 @@ static const struct bpf_func_proto bpf_tcp_raw_gen_sy= ncookie_ipv6_proto =3D { .gpl_only =3D true, /* __cookie_v6_init_sequence() is GPL */ .pkt_access =3D true, .ret_type =3D RET_INTEGER, - .arg1_type =3D ARG_PTR_TO_FIXED_SIZE_MEM, + .arg1_type =3D ARG_PTR_TO_FIXED_SIZE_MEM | MEM_RDONLY, .arg1_size =3D sizeof(struct ipv6hdr), - .arg2_type =3D ARG_PTR_TO_MEM, + .arg2_type =3D ARG_PTR_TO_MEM | MEM_RDONLY, .arg3_type =3D ARG_CONST_SIZE_OR_ZERO, }; =20 
@@ -8060,9 +8060,9 @@ static const struct bpf_func_proto bpf_tcp_raw_check_= syncookie_ipv4_proto =3D { .gpl_only =3D true, /* __cookie_v4_check is GPL */ .pkt_access =3D true, .ret_type =3D RET_INTEGER, - .arg1_type =3D ARG_PTR_TO_FIXED_SIZE_MEM, + .arg1_type =3D ARG_PTR_TO_FIXED_SIZE_MEM | MEM_RDONLY, .arg1_size =3D sizeof(struct iphdr), - .arg2_type =3D ARG_PTR_TO_FIXED_SIZE_MEM, + .arg2_type =3D ARG_PTR_TO_FIXED_SIZE_MEM | MEM_RDONLY, .arg2_size =3D sizeof(struct tcphdr), }; =20 
@@ -8084,9 +8084,9 @@ static const struct bpf_func_proto bpf_tcp_raw_check_= syncookie_ipv6_proto =3D { .gpl_only =3D true, /* __cookie_v6_check is GPL */ .pkt_access =3D true, .ret_type =3D RET_INTEGER, - .arg1_type =3D ARG_PTR_TO_FIXED_SIZE_MEM, + .arg1_type =3D ARG_PTR_TO_FIXED_SIZE_MEM | MEM_RDONLY, .arg1_size =3D sizeof(struct ipv6hdr), - .arg2_type =3D ARG_PTR_TO_FIXED_SIZE_MEM, + .arg2_type =3D ARG_PTR_TO_FIXED_SIZE_MEM | MEM_RDONLY, .arg2_size =3D sizeof(struct tcphdr), }; #endif /* CONFIG_SYN_COOKIES */ --=20 2.43.0 From nobody Sun Feb 8 11:16:59 2026 Received: from mail-pl1-f169.google.com (mail-pl1-f169.google.com [209.85.214.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D50CA331A6D for ; Wed, 7 Jan 2026 13:22:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.169 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767792166; cv=none; b=KyyoSGdEB8jTvZpaQXlQv2o05Jd8z0i7O6/lhAx5ZiRCCWJ6bTyhzQVnGbSz8dUA3TRslzbyqGmWkwFT5Q9M+MgpTTaNJIunFRoVIwesl8r+IahsuvU/1iKxdNo+oF+DNGLwAfuTzFXfnTuQ5ASLGIFx/wkXvB7ssuYkUSEXDFI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767792166; c=relaxed/simple; bh=unytFKZ8LCGZbWiIqqle1BjuJ9OKga7Krn0YjNtEcU4=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=Ap6S2gtAPv7whPaZlI45YCdpFGdpzxllmNu6k89Wi9Pgz/QEDvBcZGDB59q4PonvbjzVAZ09ZIq0pAzELVssVxNve8r+Ktj1C0M2I96AWtBv/1SU7NRqopWFIUymEjo8GYNuxKQg0gF3Huszg4ztE7iQdIajAR9Nq9328OvQdo8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=SOnitJg+; arc=none smtp.client-ip=209.85.214.169 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) 
From: Zesen Liu
Date: Wed, 07 Jan 2026 21:21:43 +0800
Subject: [PATCH bpf v2 2/2] bpf: Require ARG_PTR_TO_MEM with memory flag
Message-Id: <20260107-helper_proto-v2-2-4c562bcca5a8@gmail.com>
References: <20260107-helper_proto-v2-0-4c562bcca5a8@gmail.com>
In-Reply-To: <20260107-helper_proto-v2-0-4c562bcca5a8@gmail.com>
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Matt Bobrowski, Steven Rostedt, Masami Hiramatsu, Mathieu Desnoyers, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Daniel Xu
Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, netdev@vger.kernel.org, Shuran Liu, Peili Gao, Haoran Ni, Zesen Liu

Add check to ensure that ARG_PTR_TO_MEM is used with either MEM_WRITE or MEM_RDONLY.

Using ARG_PTR_TO_MEM alone without tags does not make sense because:

- If the helper does not change the argument, missing MEM_RDONLY causes the verifier to incorrectly reject a read-only buffer.
- If the helper does change the argument, missing MEM_WRITE causes the verifier to incorrectly assume the memory is unchanged, leading to errors in code optimization. Co-developed-by: Shuran Liu Signed-off-by: Shuran Liu Co-developed-by: Peili Gao Signed-off-by: Peili Gao Co-developed-by: Haoran Ni Signed-off-by: Haoran Ni Signed-off-by: Zesen Liu --- kernel/bpf/verifier.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index f0ca69f888fa..c7ebddb66385 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -10349,10 +10349,27 @@ static bool check_btf_id_ok(const struct bpf_func= _proto *fn) return true; } =20 +static bool check_mem_arg_rw_flag_ok(const struct bpf_func_proto *fn) +{ + int i; + + for (i =3D 0; i < ARRAY_SIZE(fn->arg_type); i++) { + enum bpf_arg_type arg_type =3D fn->arg_type[i]; + + if (base_type(arg_type) !=3D ARG_PTR_TO_MEM) + continue; + if (!(arg_type & (MEM_WRITE | MEM_RDONLY))) + return false; + } + + return true; +} + static int check_func_proto(const struct bpf_func_proto *fn, int func_id) { return check_raw_mode_ok(fn) && check_arg_pair_ok(fn) && + check_mem_arg_rw_flag_ok(fn) && check_btf_id_ok(fn) ? 0 : -EINVAL; } =20 --=20 2.43.0
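
Review bot: In patch 1/2, the bpf_get_stack_proto_raw_tp hunk in kernel/trace/bpf_trace.c is the only write buffer switched to ARG_PTR_TO_UNINIT_MEM, while the output buffers of bpf_snprintf, bpf_snprintf_btf and bpf_read_branch_records get plain "| MEM_WRITE". Accepting uninitialized memory is only safe if the helper fills or zeroes the whole buffer on every return path, error paths included, so the commit message should say that this holds for this helper and why the other output buffers keep the initialized-memory requirement. Because MEM_RDONLY here was wrong rather than missing, a Fixes: tag for the commit that introduced it, in addition to 37cce22dbd51, would help backporting.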
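
Review bot: The diffstat of patch 1/2 lists only kernel/bpf/helpers.c, kernel/bpf/syscall.c, kernel/trace/bpf_trace.c and net/core/filter.c, and patch 2/2 touches only kernel/bpf/verifier.c, so the stale-read behaviour described in the commit message has no regression test in this series. A verifier selftest that reads the buffer, calls one of the corrected helpers (bpf_snprintf_btf or bpf_xdp_fib_lookup, for instance) and checks that the read after the call is not elided would pin the fix and catch a future prototype that loses its flag.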
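
Review bot: In patch 2/2, check_mem_arg_rw_flag_ok() skips every argument whose base type is not ARG_PTR_TO_MEM ("if (base_type(arg_type) != ARG_PTR_TO_MEM) continue;"), yet patch 1/2 had to add MEM_RDONLY to ARG_PTR_TO_FIXED_SIZE_MEM arguments in the four bpf_tcp_raw_*_syncookie prototypes, so the same omission can recur for that base type without being caught. Consider extending the check to ARG_PTR_TO_FIXED_SIZE_MEM, or explain in the commit message why it is left out. The test "!(arg_type & (MEM_WRITE | MEM_RDONLY))" also accepts a prototype that sets both flags at once; if that combination is not meaningful it should be rejected here too. Since check_func_proto() folds every failure into -EINVAL, a comment above the new function stating the rule would help whoever hits the rejection when adding a helper.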