From: Zesen Liu
Date: Sun, 18 Jan 2026 16:16:39 +0800
Subject: [PATCH bpf RESEND v2 1/2] bpf: Fix memory access flags in helper prototypes
Message-Id: <20260118-helper_proto-v2-1-ab3a1337e755@gmail.com>
In-Reply-To: <20260118-helper_proto-v2-0-ab3a1337e755@gmail.com>
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Matt Bobrowski, Steven Rostedt, Masami Hiramatsu, Mathieu Desnoyers, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Daniel Xu
Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, netdev@vger.kernel.org, Shuran Liu, Peili Gao, Haoran Ni, Zesen Liu

After commit 37cce22dbd51 ("bpf: verifier: Refactor helper access type tracking"), the verifier started relying on the access type flags in helper function prototypes to perform memory access optimizations.

Currently, several helper functions utilizing ARG_PTR_TO_MEM lack the corresponding MEM_RDONLY or MEM_WRITE flags.
This omission causes the verifier to incorrectly assume that the buffer contents are unchanged across the helper call. Consequently, the verifier may optimize away subsequent reads based on this wrong assumption, leading to correctness issues.

For bpf_get_stack_proto_raw_tp, the original MEM_RDONLY was incorrect since the helper writes to the buffer. Change it to ARG_PTR_TO_UNINIT_MEM which correctly indicates write access to potentially uninitialized memory.

Similar issues were recently addressed for specific helpers in commit ac44dcc788b9 ("bpf: Fix verifier assumptions of bpf_d_path's output buffer") and commit 2eb7648558a7 ("bpf: Specify access type of bpf_sysctl_get_name args").

Fix these prototypes by adding the correct memory access flags.

Fixes: 37cce22dbd51 ("bpf: verifier: Refactor helper access type tracking")
Co-developed-by: Shuran Liu
Signed-off-by: Shuran Liu
Co-developed-by: Peili Gao
Signed-off-by: Peili Gao
Co-developed-by: Haoran Ni
Signed-off-by: Haoran Ni
Signed-off-by: Zesen Liu
--- kernel/bpf/helpers.c | 2 +- kernel/bpf/syscall.c | 2 +- kernel/trace/bpf_trace.c | 6 +++--- net/core/filter.c | 20 ++++++++++---------- 4 files changed, 15 insertions(+), 15 deletions(-) diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c index db72b96f9c8c..f66284f8ec2c 100644 --- a/kernel/bpf/helpers.c +++ b/kernel/bpf/helpers.c @@ -1077,7 +1077,7 @@ const struct bpf_func_proto bpf_snprintf_proto =3D { .func =3D bpf_snprintf, .gpl_only =3D true, .ret_type =3D RET_INTEGER, - .arg1_type =3D ARG_PTR_TO_MEM_OR_NULL, + .arg1_type =3D ARG_PTR_TO_MEM_OR_NULL | MEM_WRITE, .arg2_type =3D ARG_CONST_SIZE_OR_ZERO, .arg3_type =3D ARG_PTR_TO_CONST_STR, .arg4_type =3D ARG_PTR_TO_MEM | PTR_MAYBE_NULL | MEM_RDONLY, diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 4ff82144f885..ee116a3b7baf 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c 
@@ -6407,7 +6407,7 @@ static const struct bpf_func_proto bpf_kallsyms_looku= p_name_proto =3D { .func =3D bpf_kallsyms_lookup_name, .gpl_only =3D false, .ret_type =3D RET_INTEGER, - .arg1_type =3D ARG_PTR_TO_MEM, + .arg1_type =3D ARG_PTR_TO_MEM | MEM_RDONLY, .arg2_type =3D ARG_CONST_SIZE_OR_ZERO, .arg3_type =3D ARG_ANYTHING, .arg4_type =3D ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_WRITE | MEM_A= LIGNED, diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index fe28d86f7c35..59c2394981c7 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -1022,7 +1022,7 @@ const struct bpf_func_proto bpf_snprintf_btf_proto = =3D { .func =3D bpf_snprintf_btf, .gpl_only =3D false, .ret_type =3D RET_INTEGER, - .arg1_type =3D ARG_PTR_TO_MEM, + .arg1_type =3D ARG_PTR_TO_MEM | MEM_WRITE, .arg2_type =3D ARG_CONST_SIZE, .arg3_type =3D ARG_PTR_TO_MEM | MEM_RDONLY, .arg4_type =3D ARG_CONST_SIZE, @@ -1526,7 +1526,7 @@ static const struct bpf_func_proto bpf_read_branch_re= cords_proto =3D { .gpl_only =3D true, .ret_type =3D RET_INTEGER, .arg1_type =3D ARG_PTR_TO_CTX, - .arg2_type =3D ARG_PTR_TO_MEM_OR_NULL, + .arg2_type =3D ARG_PTR_TO_MEM_OR_NULL | MEM_WRITE, .arg3_type =3D ARG_CONST_SIZE_OR_ZERO, .arg4_type =3D ARG_ANYTHING, }; @@ -1661,7 +1661,7 @@ static const struct bpf_func_proto bpf_get_stack_prot= o_raw_tp =3D { .gpl_only =3D true, .ret_type =3D RET_INTEGER, .arg1_type =3D ARG_PTR_TO_CTX, - .arg2_type =3D ARG_PTR_TO_MEM | MEM_RDONLY, + .arg2_type =3D ARG_PTR_TO_UNINIT_MEM, .arg3_type =3D ARG_CONST_SIZE_OR_ZERO, .arg4_type =3D ARG_ANYTHING, }; diff --git a/net/core/filter.c b/net/core/filter.c index 616e0520a0bb..18174e0d3fcf 100644 --- a/net/core/filter.c +++ b/net/core/filter.c 
@@ -6399,7 +6399,7 @@ static const struct bpf_func_proto bpf_xdp_fib_lookup= _proto =3D { .gpl_only =3D true, .ret_type =3D RET_INTEGER, .arg1_type =3D ARG_PTR_TO_CTX, - .arg2_type =3D ARG_PTR_TO_MEM, + .arg2_type =3D ARG_PTR_TO_MEM | MEM_WRITE, .arg3_type =3D ARG_CONST_SIZE, .arg4_type =3D ARG_ANYTHING, }; @@ -6454,7 +6454,7 @@ static const struct bpf_func_proto bpf_skb_fib_lookup= _proto =3D { .gpl_only =3D true, .ret_type =3D RET_INTEGER, .arg1_type =3D ARG_PTR_TO_CTX, - .arg2_type =3D ARG_PTR_TO_MEM, + .arg2_type =3D ARG_PTR_TO_MEM | MEM_WRITE, .arg3_type =3D ARG_CONST_SIZE, .arg4_type =3D ARG_ANYTHING, }; @@ -8008,9 +8008,9 @@ static const struct bpf_func_proto bpf_tcp_raw_gen_sy= ncookie_ipv4_proto =3D { .gpl_only =3D true, /* __cookie_v4_init_sequence() is GPL */ .pkt_access =3D true, .ret_type =3D RET_INTEGER, - .arg1_type =3D ARG_PTR_TO_FIXED_SIZE_MEM, + .arg1_type =3D ARG_PTR_TO_FIXED_SIZE_MEM | MEM_RDONLY, .arg1_size =3D sizeof(struct iphdr), - .arg2_type =3D ARG_PTR_TO_MEM, + .arg2_type =3D ARG_PTR_TO_MEM | MEM_RDONLY, .arg3_type =3D ARG_CONST_SIZE_OR_ZERO, }; =20 @@ -8040,9 +8040,9 @@ static const struct bpf_func_proto bpf_tcp_raw_gen_sy= ncookie_ipv6_proto =3D { .gpl_only =3D true, /* __cookie_v6_init_sequence() is GPL */ .pkt_access =3D true, .ret_type =3D RET_INTEGER, - .arg1_type =3D ARG_PTR_TO_FIXED_SIZE_MEM, + .arg1_type =3D ARG_PTR_TO_FIXED_SIZE_MEM | MEM_RDONLY, .arg1_size =3D sizeof(struct ipv6hdr), - .arg2_type =3D ARG_PTR_TO_MEM, + .arg2_type =3D ARG_PTR_TO_MEM | MEM_RDONLY, .arg3_type =3D ARG_CONST_SIZE_OR_ZERO, }; =20 
@@ -8060,9 +8060,9 @@ static const struct bpf_func_proto bpf_tcp_raw_check_= syncookie_ipv4_proto =3D { .gpl_only =3D true, /* __cookie_v4_check is GPL */ .pkt_access =3D true, .ret_type =3D RET_INTEGER, - .arg1_type =3D ARG_PTR_TO_FIXED_SIZE_MEM, + .arg1_type =3D ARG_PTR_TO_FIXED_SIZE_MEM | MEM_RDONLY, .arg1_size =3D sizeof(struct iphdr), - .arg2_type =3D ARG_PTR_TO_FIXED_SIZE_MEM, + .arg2_type =3D ARG_PTR_TO_FIXED_SIZE_MEM | MEM_RDONLY, .arg2_size =3D sizeof(struct tcphdr), }; =20 
@@ -8084,9 +8084,9 @@ static const struct bpf_func_proto bpf_tcp_raw_check_= syncookie_ipv6_proto =3D { .gpl_only =3D true, /* __cookie_v6_check is GPL */ .pkt_access =3D true, .ret_type =3D RET_INTEGER, - .arg1_type =3D ARG_PTR_TO_FIXED_SIZE_MEM, + .arg1_type =3D ARG_PTR_TO_FIXED_SIZE_MEM | MEM_RDONLY, .arg1_size =3D sizeof(struct ipv6hdr), - .arg2_type =3D ARG_PTR_TO_FIXED_SIZE_MEM, + .arg2_type =3D ARG_PTR_TO_FIXED_SIZE_MEM | MEM_RDONLY, .arg2_size =3D sizeof(struct tcphdr), }; #endif /* CONFIG_SYN_COOKIES */ --=20 2.43.0
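Review bot: In the bpf_get_stack_proto_raw_tp hunk (kernel/trace/bpf_trace.c, @@ -1661), arg2 becomes ARG_PTR_TO_UNINIT_MEM, while every other write-side fix in this patch only ORs in MEM_WRITE, so this is the one prototype that also stops requiring the program to initialize the buffer before the call. Please say in the commit message that the helper fills or zeroes the whole buffer on every return path, error paths included, because otherwise the program can read back stale stack bytes. If the MEM_RDONLY being removed predates 37cce22dbd51, this hunk also wants its own Fixes: tag.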
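Review bot: The diffstat touches only kernel/bpf/helpers.c, kernel/bpf/syscall.c, kernel/trace/bpf_trace.c and net/core/filter.c, so nothing in this patch exercises the misoptimization the commit message describes. A verifier selftest that passes a buffer to one of the MEM_WRITE helpers fixed here (bpf_snprintf, for instance) and reads it again after the call would show the stale-read behaviour before the fix and keep the flags from regressing.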
From: Zesen Liu
Date: Sun, 18 Jan 2026 16:16:40 +0800
Subject: [PATCH bpf RESEND v2 2/2] bpf: Require ARG_PTR_TO_MEM with memory flag
Message-Id: <20260118-helper_proto-v2-2-ab3a1337e755@gmail.com>
In-Reply-To: <20260118-helper_proto-v2-0-ab3a1337e755@gmail.com>
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Matt Bobrowski, Steven Rostedt, Masami Hiramatsu, Mathieu Desnoyers, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Daniel Xu
Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, netdev@vger.kernel.org, Shuran Liu, Peili Gao, Haoran Ni, Zesen Liu

Add check to ensure that ARG_PTR_TO_MEM is used with either MEM_WRITE or MEM_RDONLY.

Using ARG_PTR_TO_MEM alone without tags does not make sense because:

- If the helper does not change the argument, missing MEM_RDONLY causes the verifier to incorrectly reject a read-only buffer.
- If the helper does change the argument, missing MEM_WRITE causes the verifier to incorrectly assume the memory is unchanged, leading to errors in code optimization.

Co-developed-by: Shuran Liu
Signed-off-by: Shuran Liu
Co-developed-by: Peili Gao
Signed-off-by: Peili Gao
Co-developed-by: Haoran Ni
Signed-off-by: Haoran Ni
Signed-off-by: Zesen Liu
--- kernel/bpf/verifier.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index f0ca69f888fa..c7ebddb66385 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -10349,10 +10349,27 @@ static bool check_btf_id_ok(const struct bpf_func= _proto *fn) return true; } =20 +static bool check_mem_arg_rw_flag_ok(const struct bpf_func_proto *fn) +{ + int i; + + for (i =3D 0; i < ARRAY_SIZE(fn->arg_type); i++) { + enum bpf_arg_type arg_type =3D fn->arg_type[i]; + + if (base_type(arg_type) !=3D ARG_PTR_TO_MEM) + continue; + if (!(arg_type & (MEM_WRITE | MEM_RDONLY))) + return false; + } + + return true; +} + static int check_func_proto(const struct bpf_func_proto *fn, int func_id) { return check_raw_mode_ok(fn) && check_arg_pair_ok(fn) && + check_mem_arg_rw_flag_ok(fn) && check_btf_id_ok(fn) ? 0 : -EINVAL; } =20 --=20 2.43.0
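Review bot: check_mem_arg_rw_flag_ok() skips every argument whose base_type() is not ARG_PTR_TO_MEM, so a bare ARG_PTR_TO_FIXED_SIZE_MEM still passes check_func_proto(), even though patch 1/2 had to add MEM_RDONLY to exactly such arguments in the bpf_tcp_raw_*_syncookie prototypes. Either extend the test to that base type or state in the commit message why fixed-size memory arguments are out of scope. The test `!(arg_type & (MEM_WRITE | MEM_RDONLY))` also accepts a prototype that sets both flags at once; if that combination has no meaning for a helper argument, return false for it as well.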