Re: [PATCH bpf v3 1/2] bpf: Fix kfunc implicit arg inject type detection to prevent invalid pointer deref

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

New issues:
- [Low] The patch introduces a fatal compilation error by using an undeclared variable `argno` and an undefined function `reg_arg_name`.

Pre-existing issues:
- [Critical] Module BTF dedup failures cause special pointer types (like bpf_timer, bpf_list_head, bpf_spin_lock) to fall back to KF_ARG_PTR_TO_MEM, allowing BPF programs to pass attacker-controlled memory instead of valid map-backed objects.
--

commit 198d635479b994ffecc7d0ff675e91259613ce61
Author: Yuan Chen <chenyuan@kylinos.cn>
Subject: bpf: Fix kfunc implicit arg inject type detection to prevent invalid pointer deref

When a module kfunc declares an implicit struct bpf_prog_aux * argument,
the verifier must identify it so the kernel injects env->prog->aux into
the correct register at runtime. This patch ensures the verifier either
validates and injects the correct bpf_prog_aux pointer, or rejects the
program outright if BTF type matching fails.

> Root Cause
> 
> This issue was triggered by pahole 1.30 generating module BTF with
> incorrect type information, which caused the kernel's distilled base
> BTF deduplication for modules to fail.

[Severity: Critical]
This is a pre-existing issue, but since module BTF dedup failures cause
btf_types_are_same() to return false, does this also affect explicit special
kfunc arguments?

When __is_kfunc_ptr_arg_type() in kernel/bpf/verifier.c fails to match types
like bpf_timer or bpf_list_head, the verifier falls through to the fallback
logic in get_kfunc_ptr_arg_type():

kernel/bpf/verifier.c:get_kfunc_ptr_arg_type() {
    ...
	if (!btf_type_is_scalar(ref_t) && !__btf_type_is_scalar_struct(env, meta->btf, ref_t, 0) &&
	    (arg_mem_size ? !btf_type_is_void(ref_t) : 1)) {
		...
	}
	return arg_mem_size ? KF_ARG_PTR_TO_MEM_SIZE : KF_ARG_PTR_TO_MEM;
}

Because structs like bpf_timer and bpf_list_head are composed solely of
scalars, __btf_type_is_scalar_struct() evaluates to true, and they are
categorized as KF_ARG_PTR_TO_MEM.

Does this allow BPF programs to pass a pointer to attacker-controlled memory
(like a stack buffer) to a module kfunc expecting a valid, map-backed kernel
object?

> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 7fb88e1cd7c4d..57e5fdf9f7e06 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c

[ ... ]

> @@ -12082,9 +12082,22 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
>  			continue;
>  		}
>  
> -		if (is_kfunc_arg_ignore(btf, &args[i]) || is_kfunc_arg_implicit(meta, i))
> +		if (is_kfunc_arg_ignore(btf, &args[i]))
>  			continue;
>  
> +		if (is_kfunc_arg_implicit(meta, i)) {
> +			/* list_push / rbtree_add kfuncs have implicit args
> +			 * (e.g. 'off' parameter) handled during verification
> +			 * in bpf_fixup_kfunc_call().  Don't flag them.
> +			 */
> +			if (is_bpf_list_push_kfunc(meta->func_id) ||
> +			    is_bpf_rbtree_add_kfunc(meta->func_id))
> +				continue;
> +			verbose(env, "%s unrecognized implicit argument, possible BTF mismatch\n",
> +				reg_arg_name(env, argno));

[Severity: Low]
Will this compile?  It looks like argno is neither declared nor defined in
check_kfunc_args(), and reg_arg_name() is undefined in the kernel source tree.

Should this use regno instead of argno, and a different way to format the
register name?

> +			return -EFAULT;
> +		}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260602085827.2562222-1-chenyuan_fl@163.com?part=1