From: Jakub Sitnicki <jakub@cloudflare.com>
To: kernel test robot <lkp@intel.com>
Cc: oe-kbuild-all@lists.linux.dev, Martin KaFai Lau <martin.lau@kernel.org>
Subject: Re: [linux-next:master 2782/3950] kernel/bpf/helpers.c:1784:17: warning: argument 2 null where non-null expected because argument 3 is nonzero
Date: Thu, 21 Aug 2025 21:12:37 +0200
Message-ID: <878qjczdy2.fsf@cloudflare.com>
In-Reply-To: <87cy8ozoiz.fsf@cloudflare.com> (Jakub Sitnicki's message of "Thu, 21 Aug 2025 17:24:04 +0200")
On Thu, Aug 21, 2025 at 05:24 PM +02, Jakub Sitnicki wrote:
> On Thu, Aug 21, 2025 at 08:53 PM +08, kernel test robot wrote:
>> tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
>> head: 7fa4d8dc380fbd81a9d702a855c50690c9c6442c
>> commit: 6877cd392baecf816c2ba896a9d42874628004a5 [2782/3950] bpf: Enable
>> read/write access to skb metadata through a dynptr
>> config: sparc-randconfig-r063-20250821
>> (https://download.01.org/0day-ci/archive/20250821/202508212031.ir9b3B6Q-lkp@intel.com/config)
>> compiler: sparc-linux-gcc (GCC) 15.1.0
>> reproduce (this is a W=1 build):
>> (https://download.01.org/0day-ci/archive/20250821/202508212031.ir9b3B6Q-lkp@intel.com/reproduce)
>>
[...]
>> vim +1784 kernel/bpf/helpers.c
>>
>> 1754
>> 1755 static int __bpf_dynptr_read(void *dst, u32 len, const struct bpf_dynptr_kern *src,
>> 1756 u32 offset, u64 flags)
>> 1757 {
>> 1758 enum bpf_dynptr_type type;
>> 1759 int err;
>> 1760
>> 1761 if (!src->data || flags)
>> 1762 return -EINVAL;
>> 1763
>> 1764 err = bpf_dynptr_check_off_len(src, offset, len);
>> 1765 if (err)
>> 1766 return err;
>> 1767
>> 1768 type = bpf_dynptr_get_type(src);
>> 1769
>> 1770 switch (type) {
>> 1771 case BPF_DYNPTR_TYPE_LOCAL:
>> 1772 case BPF_DYNPTR_TYPE_RINGBUF:
>> 1773 /* Source and destination may possibly overlap, hence use memmove to
>> 1774 * copy the data. E.g. bpf_dynptr_from_mem may create two dynptr
>> 1775 * pointing to overlapping PTR_TO_MAP_VALUE regions.
>> 1776 */
>> 1777 memmove(dst, src->data + src->offset + offset, len);
>> 1778 return 0;
>> 1779 case BPF_DYNPTR_TYPE_SKB:
>> 1780 return __bpf_skb_load_bytes(src->data, src->offset + offset, dst, len);
>> 1781 case BPF_DYNPTR_TYPE_XDP:
>> 1782 return __bpf_xdp_load_bytes(src->data, src->offset + offset, dst, len);
>> 1783 case BPF_DYNPTR_TYPE_SKB_META:
>>> 1784 memmove(dst, bpf_skb_meta_pointer(src->data, src->offset + offset), len);
>> 1785 return 0;
>> 1786 default:
>> 1787 WARN_ONCE(true, "bpf_dynptr_read: unknown dynptr type %d\n", type);
>> 1788 return -EFAULT;
>> 1789 }
>> 1790 }
>> 1791
>
> Right. This happens with CONFIG_NET=n.
>
> I think in the end we need a simple wrapper around memmove to stub it
> out with -EOPNOTSUPP when CONFIG_NET is disabled.

Forgot to mention that this null-ptr-deref is not triggerable because
the bpf_dynptr_from_skb_meta kfunc is present only with CONFIG_NET=y.
So a fix is needed just for the sake of silencing compiler diagnostics.
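
A userspace sketch of the wrapper idea discussed in this message, added here as an example and not taken from the thread or the kernel tree: the copy itself is wrapped, so the build without networking returns -EOPNOTSUPP and never contains a memmove with a null source. MODEL_NET (standing in for CONFIG_NET), struct model_skb, the model_* functions and the -E2BIG range-check result are assumptions of the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace model. MODEL_NET stands in for CONFIG_NET; struct model_skb and
 * the model_* functions are hypothetical, not kernel code. */
#ifndef MODEL_NET
#define MODEL_NET 1
#endif

struct model_skb {
	unsigned char meta[16];	/* constructed metadata area */
	size_t meta_len;
};

/* Networking built in: a real pointer exists, so memmove is safe once the
 * model's own offset/length check has passed. */
int model_meta_read_net(void *dst, const struct model_skb *skb, size_t off, size_t len)
{
	if (len > skb->meta_len || off > skb->meta_len - len)
		return -E2BIG;	/* error code chosen for this model */
	memmove(dst, skb->meta + off, len);
	return 0;
}

/* Networking compiled out: the whole copy is stubbed, not just the pointer
 * lookup, so no memmove(dst, NULL, len) is left for the compiler to flag. */
int model_meta_read_stub(void *dst, const struct model_skb *skb, size_t off, size_t len)
{
	(void)dst; (void)skb; (void)off; (void)len;
	return -EOPNOTSUPP;
}

/* Both variants are compiled here so they can be compared side by side;
 * in a real tree the preprocessor would leave only one in the build. */
#if MODEL_NET
#define model_meta_read model_meta_read_net
#else
#define model_meta_read model_meta_read_stub
#endif

int main(void)
{
	struct model_skb skb = { .meta = "0123456789abcde", .meta_len = 16 };
	char out[4] = { 0 };
	int err = model_meta_read(out, &skb, 4, sizeof(out));

	printf("err=%d out=%.4s\n", err, err ? "" : out);
	return 0;
}
```

Building with -DMODEL_NET=0 selects the stub, and the caller then sees an error return instead of a copy from a null pointer.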