Re: [PATCH bpf v5 1/2] bpf: Fix kfunc implicit arg inject type detection to prevent invalid pointer deref

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Low] The patch introduces references to an undeclared variable `argno` and an undefined function `reg_arg_name`, causing an unconditional build failure.
--

commit 07d82a6816de40e50bec7a27a6fdfd4ab3af2c6d
Author: Yuan Chen <chenyuan@kylinos.cn>
bpf: Fix kfunc implicit arg inject type detection to prevent invalid pointer deref

This patch modifies the verifier's check_kfunc_args() to explicitly reject
unrecognized implicit kfunc arguments with -EFAULT instead of silently skipping
them. It ensures that BTF mismatches result in a clean rejection rather than
leading to a kernel crash or information disclosure.

> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 7fb88e1cd7c4d..7e5b68c31c349 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -12082,9 +12082,27 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_

[ ... ]

> +		if (is_kfunc_arg_implicit(meta, i)) {
> +			/* kfuncs with implicit args (e.g. 'off' parameter)
> +			 * handled during verification in bpf_fixup_kfunc_call():
> +			 * obj_new, percpu_obj_new, obj_drop, percpu_obj_drop,
> +			 * refcount_acquire, list_push, rbtree_add. Don't flag them. */
> +			if (is_bpf_obj_new_kfunc(meta->func_id) ||
> +			    is_bpf_percpu_obj_new_kfunc(meta->func_id) ||
> +			    is_bpf_obj_drop_kfunc(meta->func_id) ||
> +			    is_bpf_percpu_obj_drop_kfunc(meta->func_id) ||
> +			    is_bpf_refcount_acquire_kfunc(meta->func_id) ||
> +			    is_bpf_list_push_kfunc(meta->func_id) ||
> +			    is_bpf_rbtree_add_kfunc(meta->func_id))
> +				continue;
> +			verbose(env, "%s unrecognized implicit argument, possible BTF mismatch\n",
> +				reg_arg_name(env, argno));

[Severity: Low]
Will this compile successfully? It looks like argno is not declared in this
scope (perhaps the intended variable was i or regno?), and the function
reg_arg_name() does not appear to be defined in the kernel tree. Could this
cause an unconditional build failure?

> +			return -EFAULT;
> +		}
> +
>  		t = btf_type_skip_modifiers(btf, args[i].type, NULL);
>  
>  		if (btf_type_is_scalar(t)) {

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260608142618.3064380-1-chenyuan_fl@163.com?part=1