[PATCH bpf v6 0/2] bpf: Fix kfunc implicit arg injection and add selftest

chenyuan_fl@163.com posted 2 patches 22 hours ago
kernel/bpf/verifier.c                              | 20 +++++++++++++++++++-
.../testing/selftests/bpf/test_kmods/bpf_testmod.c |  6 +++++-
2 files changed, 24 insertions(+), 2 deletions(-)
Posted by chenyuan_fl@163.com 22 hours ago
From: Yuan Chen <chenyuan@kylinos.cn>

v5: https://lore.kernel.org/bpf/20260608142618.3064380-1-chenyuan_fl@163.com/

v1 made btf_types_are_same() cross-BTF aware by comparing kind, size
and name.  Alan Maguire pointed out that this would be too permissive
since two different structs can share the same name and size.

v2 used a name-based classifier (get_kfunc_arg_inject_type).

v3 splits the combined is_kfunc_arg_ignore || is_kfunc_arg_implicit
check in check_kfunc_args(), so that an implicit argument reaching
is_kfunc_arg_implicit() without any prior handler is rejected with
-EFAULT instead of silently skipped (Eduard Zingerman).  This prevents
the silent fallthrough that occurred when module BTF was inconsistent
with vmlinux (e.g. pahole 1.30 breaking distilled base dedup).

v4: fix a build error in the selftest.

v5 changes:
- Patch 1: extend the kfunc allow-list to cover all KF_IMPLICIT_ARGS
  kfuncs handled in bpf_fixup_kfunc_call(): obj_new, percpu_obj_new,
  obj_drop, percpu_obj_drop, refcount_acquire, list_push, rbtree_add.
- Patch 2: simplify the selftest by verifying aux->name in
  bpf_kfunc_implicit_arg() instead of adding a separate struct_ops
  test program with inline assembly.

v6 changes:
- Patch 1: fix comment formatting to follow kernel style (Eduard
  Zingerman).

Yuan Chen (2):
  bpf: Fix kfunc implicit arg inject type detection to prevent invalid
    pointer deref
  selftests/bpf: strengthen bpf_kfunc_implicit_arg to verify aux injection

 kernel/bpf/verifier.c                              | 20 +++++++++++++++++++-
 .../testing/selftests/bpf/test_kmods/bpf_testmod.c |  6 +++++-
 2 files changed, 24 insertions(+), 2 deletions(-)

-- 
2.54.0