[PATCH bpf v4 0/2] bpf: Fix kfunc implicit arg injection and add selftest

chenyuan_fl@163.com posted 2 patches 5 days, 16 hours ago
From: Yuan Chen <chenyuan@kylinos.cn>

v1: https://lore.kernel.org/bpf/20260407080900.551797-1-chenyuan_fl@163.com/

v1 made btf_types_are_same() cross-BTF aware by comparing kind, size
and name.  Alan Maguire pointed out that this would be too permissive
since two different structs can share the same name and size.

v2 used a name-based classifier (get_kfunc_arg_inject_type).

v3 splits the combined is_kfunc_arg_ignore || is_kfunc_arg_implicit
check in check_kfunc_args(), so that an implicit argument reaching
is_kfunc_arg_implicit() without any prior handler is rejected with
-EFAULT instead of silently skipped (Eduard Zingerman).  This prevents
the silent fallthrough that occurred when module BTF was inconsistent
with vmlinux (e.g. pahole 1.30 breaking distilled base dedup).

v4: fix a build error in the selftest (test_st_ops_assoc_reuse used
the wrong skeleton for the new variable).

Patch 2 adds a positive regression test for the injection path.
Yonghong Song pointed out that with pahole 1.31 available in CI the
test will always pass, so it cannot reproduce the original BTF mismatch
scenario.  The test still serves as a useful regression guard for the
injection mechanism itself, however, and would catch any accidental
breakage in the future.

Thanks to everyone who reviewed and provided feedback on this series.

Yuan Chen (2):
  bpf: Fix kfunc implicit arg inject type detection to prevent invalid
    pointer deref
  selftests/bpf: Add regression test for kfunc implicit arg injection

 kernel/bpf/verifier.c                              | 15 +++++++-
 .../bpf/prog_tests/test_struct_ops_assoc.c         |  6 ++++
 .../testing/selftests/bpf/progs/struct_ops_assoc.c | 40 ++++++++++++++++++++++
 .../testing/selftests/bpf/test_kmods/bpf_testmod.c |  9 +++++
 .../selftests/bpf/test_kmods/bpf_testmod_kfunc.h   |  1 +
 5 files changed, 70 insertions(+), 1 deletion(-)

-- 
2.47.2
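
The v3 change described in the cover letter above, as an added toy model in C; it is not code from the posted series or from the kernel. All names (`toy_arg`, `toy_inject`, `toy_check_args_combined`, `toy_check_args_split`) are hypothetical, and `type_resolved == false` is an assumed stand-in for the case where module BTF is inconsistent with vmlinux.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Toy model of the argument loop; every name here is hypothetical. */
struct toy_arg {
    bool ignore;        /* argument the checker may skip on purpose */
    bool implicit;      /* argument the checker must supply itself */
    bool type_resolved; /* false models module BTF out of sync with vmlinux */
    bool injected;      /* set once a handler supplied the value */
};

/* Stands in for the earlier handler that recognises an implicit argument. */
static bool toy_inject(struct toy_arg *a)
{
    a->injected = a->implicit && a->type_resolved;
    return a->injected;
}

/* Combined check: an unhandled implicit argument is skipped and accepted. */
static int toy_check_args_combined(struct toy_arg *args, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (toy_inject(&args[i]))
            continue;
        if (args[i].ignore || args[i].implicit)
            continue; /* silent fallthrough: nothing was injected */
    }
    return 0;
}

/* Split check: only "ignore" may be skipped; unhandled implicit fails closed. */
static int toy_check_args_split(struct toy_arg *args, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (toy_inject(&args[i]))
            continue;
        if (args[i].ignore)
            continue;
        if (args[i].implicit)
            return -EFAULT;
    }
    return 0;
}

int main(void)
{
    struct toy_arg a[] = { { .ignore = true }, { .implicit = true } }; /* constructed input */
    return (toy_check_args_combined(a, 2) == 0 && toy_check_args_split(a, 2) == -EFAULT) ? 0 : 1;
}
```

In the combined variant the call is accepted while `injected` is still false for the implicit argument, which is the state the split check turns into a load-time rejection.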