From: "Alexei Starovoitov" <alexei.starovoitov@gmail.com>
To: "Amery Hung" <ameryhung@gmail.com>
Cc: <bpf@vger.kernel.org>, <netdev@vger.kernel.org>,
<andrii@kernel.org>, <daniel@iogearbox.net>, <eddyz87@gmail.com>,
<memxor@gmail.com>, <martin.lau@kernel.org>,
<mykyta.yatsenko5@gmail.com>, <kernel-team@meta.com>
Subject: Re: [PATCH bpf-next v3 0/9] Refactor verifier object relationship tracking
Date: Fri, 24 Apr 2026 06:55:09 -0700
Message-ID: <DI1FPX3685EI.3QPD29NY965FO@gmail.com>
In-Reply-To: <CAMB2axMg=Y5q=9CEFs=8rHLQJipT-5rYkg3wp2BhWgDwVvOUQw@mail.gmail.com>

On Thu Apr 23, 2026 at 10:44 PM PDT, Amery Hung wrote:
> On Thu, Apr 23, 2026 at 5:55 PM Alexei Starovoitov
> <alexei.starovoitov@gmail.com> wrote:
>>
>> On Tue Apr 21, 2026 at 3:10 PM PDT, Amery Hung wrote:
>> >
>> > (3) Referenced dynptr with referenced parent:
>> >
>> > file (1,1,0)
>> > ^ ^
>> > bpf_dynptr_from_file | +-------------------------------+
>> > | bpf_dynptr_clone(A, C) |
>> > dynptr A (2,3,1) dynptr C (4,3,1)
>> > ^ ^
>> > | |
>> > dynptr A and C have the same lifetime
>>
>> If I understand the proposal correctly above should be:
>>
>> file (1,0,0)
>> ^
>> bpf_dynptr_from_file +-------------------------------+
>>
>> ref_obj_id will be inited bpf_dynptr_clone() as 3 into A and C.
>> but original file->ref_obj_id will be zero.
>>
>> ?
>
> This is the existing behavior. bpf_get_task_exe_file() is tagged with
> (KF_ACQUIRE | KF_RET_NULL). Therefore, file will have id and
> ref_obj_id both initialized to the same value. Here is the
> corresponding verifier code:
>
>         if (is_kfunc_acquire(&meta)) {
>                 int id = acquire_reference(env, insn_idx);
>
>                 if (id < 0)
>                         return id;
>                 if (is_kfunc_ret_null(&meta))
>                         regs[BPF_REG_0].id = id;
>                 regs[BPF_REG_0].ref_obj_id = id;

ok, but the arrow should still point to first '1', since that's
what parent_id inherits?