From: Yuan Chen <chenyuan@kylinos.cn>

v1: https://lore.kernel.org/bpf/20260407080900.551797-1-chenyuan_fl@163.com/

v1 made btf_types_are_same() cross-BTF aware by comparing kind, size
and name. Alan Maguire pointed out that this would be too permissive
since two different structs can share the same name and size.

v2 used a name-based classifier (get_kfunc_arg_inject_type).

v3 (this revision) splits the combined is_kfunc_arg_ignore ||
is_kfunc_arg_implicit check in check_kfunc_args(), so that an implicit
argument reaching is_kfunc_arg_implicit() without any prior handler is
rejected with -EFAULT instead of silently skipped (Eduard Zingerman).
This prevents the silent fallthrough that occurred when module BTF was
inconsistent with vmlinux (e.g. pahole 1.30 breaking distilled base
dedup).

Patch 2 adds a positive regression test for the injection path.
Yonghong Song pointed out that with pahole 1.31 available in CI the
test will always pass, so it cannot reproduce the original BTF mismatch
scenario. The test still serves as a useful regression guard for the
injection mechanism itself, however, and would catch any accidental
breakage in the future.

Thanks to everyone who reviewed and provided feedback on this series.

Yuan Chen (2):
  bpf: Fix kfunc implicit arg inject type detection to prevent invalid
    pointer deref
  selftests/bpf: Add regression test for kfunc implicit arg injection

 kernel/bpf/verifier.c | 15 +++++++-
 .../bpf/prog_tests/test_struct_ops_assoc.c | 7 ++++
 .../testing/selftests/bpf/progs/struct_ops_assoc.c | 40 ++++++++++++++++++++++
 .../testing/selftests/bpf/test_kmods/bpf_testmod.c | 9 +++++
 .../selftests/bpf/test_kmods/bpf_testmod_kfunc.h | 1 +
 5 files changed, 71 insertions(+), 1 deletion(-)
--
2.47.2