From: sashiko-bot@kernel.org
To: "Emil Tsalapatis" <emil@etsalapatis.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v2 2/5] verifier: parse BTF type tags for function arguments
Date: Sat, 30 May 2026 00:59:21 +0000
Message-ID: <20260530005922.90CEE1F00893@smtp.kernel.org>
In-Reply-To: <20260530002259.4505-3-emil@etsalapatis.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] btf_scan_type_tags incorrectly rejects valid BPF programs containing unrecognized type tags (e.g., __user, __rcu) by returning -EOPNOTSUPP.
- [High] btf_scan_type_tags fails to discover valid type tags if they are separated from the pointer by other BTF modifiers (like CONST, VOLATILE, or TYPEDEF).
--
commit c938604636d812339744a9ba91c4659c3d79392c
Author: Emil Tsalapatis <emil@etsalapatis.com>
verifier: parse BTF type tags for function arguments
This patch extracts BTF decl tag parsing into a new function and
introduces type tag parsing for function arguments, specifically
looking for the arena type tag on pointers.
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 17d4ab0a82068..c6a930aca67ec 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
[ ... ]
> +static int btf_scan_type_tags(struct bpf_verifier_env *env,
> + const struct btf *btf, u32 type_id,
> + u32 *tags)
> +{
> + const struct btf_type *t;
> +
> + /* Find the first pointer type in the chain. */
> + t = btf_type_skip_modifiers(btf, type_id, NULL);
> + if (!t || !btf_type_is_ptr(t))
> + return 0;
> +
> + /* We got a pointer, get all associated type tags. */
> + t = btf_type_by_id(btf, t->type);
> + while (t && btf_type_is_type_tag(t)) {
[Severity: High]
Does this loop terminate prematurely if the type tag is preceded by other
modifiers like CONST, VOLATILE, or TYPEDEF?
If the target type of the pointer is structured as:
PTR -> CONST -> TYPE_TAG("arena") -> INT
It appears btf_type_is_type_tag(t) would evaluate to false at the CONST
modifier, causing the loop to exit and valid arena tags to be missed
entirely.
> + const char *tag = __btf_name_by_offset(btf, t->name_off);
> +
> + if (strcmp(tag, "arena") == 0) {
> + *tags |= ARG_TAG_ARENA;
> + } else {
> + bpf_log(&env->log, "function signature member has unsupported type tag '%s'\n",
> + tag);
> + return -EOPNOTSUPP;
> + }
[Severity: High]
Will this unconditionally reject valid BPF programs that contain
unrecognized type tags like __user or __rcu?
Prior to this change, standard kernel type tags on pointer arguments were
naturally skipped by the verifier. Returning -EOPNOTSUPP here for anything
other than arena seems like it might cause a backward compatibility
regression for existing global subprograms that accept standard tagged
pointers.
> +
> + t = btf_type_by_id(btf, t->type);
> + }
> +
> + return 0;
> +}
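Review bot: In btf_scan_type_tags(), `*tags |= ARG_TAG_ARENA` only ORs into whatever the caller passed in, and the early `return 0` for a non-pointer type leaves *tags untouched, so the result depends on the caller having zeroed it. Either set *tags to 0 at the top of the function or add a comment above it stating that contract. The same comment should say that 0 is returned both for non-pointer types and for pointers that carry no type tags, since a caller cannot tell the two cases apart from the return value.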
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260530002259.4505-1-emil@etsalapatis.com?part=2
Thread overview: 20+ messages
2026-05-30 0:22 [PATCH bpf-next v2 0/5] bpf: Minimize annotations for arena programs Emil Tsalapatis
2026-05-30 0:22 ` [PATCH bpf-next v2 1/5] selftests/bpf: libarena: Add "arena" BTF type tag to __arena qualifier Emil Tsalapatis
2026-05-30 0:22 ` [PATCH bpf-next v2 2/5] verifier: parse BTF type tags for function arguments Emil Tsalapatis
2026-05-30 0:59 ` sashiko-bot [this message]
2026-06-01 5:12 ` Emil Tsalapatis
2026-06-01 18:37 ` Eduard Zingerman
2026-06-01 19:13 ` Emil Tsalapatis
2026-06-01 19:14 ` Eduard Zingerman
2026-05-30 0:22 ` [PATCH bpf-next v2 3/5] bpf: Allow subprogs to return arena pointers Emil Tsalapatis
2026-05-30 4:54 ` sashiko-bot
2026-06-01 5:09 ` Emil Tsalapatis
2026-06-01 19:01 ` Eduard Zingerman
2026-06-02 0:06 ` Emil Tsalapatis
2026-05-30 0:22 ` [PATCH bpf-next v2 4/5] selftests/bpf: Remove __arg_arena from the codebase Emil Tsalapatis
2026-05-30 5:03 ` sashiko-bot
2026-05-31 5:18 ` Alexei Starovoitov
2026-06-01 5:03 ` Emil Tsalapatis
2026-06-01 19:06 ` Eduard Zingerman
2026-05-30 0:22 ` [PATCH bpf-next v2 5/5] selftests/bpf: libarena: Directly return arena pointers from functions Emil Tsalapatis
2026-06-01 19:07 ` Eduard Zingerman