* [PATCH bpf 0/2] bpf: Mark bpf_get_kmem_cache() as nullable
@ 2026-06-20 15:47 Nuoqi Gui
From: Nuoqi Gui @ 2026-06-20 15:47 UTC
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Eduard Zingerman, Kumar Kartikeya Dwivedi
Cc: Martin KaFai Lau, Song Liu, Yonghong Song, Jiri Olsa, Shuah Khan,
bpf, linux-kselftest, linux-kernel, Nuoqi Gui
bpf_get_kmem_cache() can return NULL when the supplied address is not a
valid kernel address or when no slab is found for it. Its kfunc
registration does not currently advertise that to the verifier.
Add KF_RET_NULL to the registration and add verifier coverage for the direct
field-read case. The selftest rejects a read of s->size after
bpf_get_kmem_cache(0) without a null check, while the null-checked variant
remains accepted.
The issue dates back to a992d7a397912 ("mm/bpf: Add bpf_get_kmem_cache()
kfunc").
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
Nuoqi Gui (2):
bpf: Mark bpf_get_kmem_cache() as nullable
selftests/bpf: Cover bpf_get_kmem_cache() null return
kernel/bpf/helpers.c | 2 +-
.../bpf/progs/verifier_kfunc_prog_types.c | 29 ++++++++++++++++++++++
2 files changed, 30 insertions(+), 1 deletion(-)
---
base-commit: 76f62d237538b456354a44e796a541cde03c6e28
change-id: 20260617-f01-16-kmem-cache-ret-null-53a9f52fd835
Best regards,
--
Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
* [PATCH bpf 1/2] bpf: Mark bpf_get_kmem_cache() as nullable
@ 2026-06-20 15:47 Nuoqi Gui
From: Nuoqi Gui @ 2026-06-20 15:47 UTC
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Eduard Zingerman, Kumar Kartikeya Dwivedi
Cc: Martin KaFai Lau, Song Liu, Yonghong Song, Jiri Olsa, Shuah Khan,
bpf, linux-kselftest, linux-kernel, Nuoqi Gui
bpf_get_kmem_cache() returns NULL when virt_addr_valid() rejects the
address or when virt_to_slab() does not find a slab. The verifier uses
KF_RET_NULL to add PTR_MAYBE_NULL to kfunc return registers, but the
registration currently lacks that flag.
Add KF_RET_NULL so callers have to prove that the returned kmem_cache
pointer is non-NULL before dereferencing fields.
Fixes: a992d7a397912 ("mm/bpf: Add bpf_get_kmem_cache() kfunc")
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
kernel/bpf/helpers.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index b5314c9fed3cf..57a6ab72ae3cc 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -4817,7 +4817,7 @@ BTF_ID_FLAGS(func, bpf_iter_bits_next, KF_ITER_NEXT | KF_RET_NULL) BTF_ID_FLAGS(func, bpf_iter_bits_destroy, KF_ITER_DESTROY) BTF_ID_FLAGS(func, bpf_copy_from_user_str, KF_SLEEPABLE) BTF_ID_FLAGS(func, bpf_copy_from_user_task_str, KF_SLEEPABLE) -BTF_ID_FLAGS(func, bpf_get_kmem_cache) +BTF_ID_FLAGS(func, bpf_get_kmem_cache, KF_RET_NULL) BTF_ID_FLAGS(func, bpf_iter_kmem_cache_new, KF_ITER_NEW | KF_SLEEPABLE) BTF_ID_FLAGS(func, bpf_iter_kmem_cache_next, KF_ITER_NEXT | KF_RET_NULL | KF_SLEEPABLE) BTF_ID_FLAGS(func, bpf_iter_kmem_cache_destroy, KF_ITER_DESTROY | KF_SLEEPABLE) -- 2.34.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
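Review bot: the one-line change to the BTF_ID_FLAGS entry for bpf_get_kmem_cache conflicts with how the verifier already types this return value, so the premise in the commit log ("the registration currently lacks that flag") needs re-checking before the flag is added. The selftest in 2/2 expects the message 'untrusted_ptr_or_null_', i.e. R0 is already PTR_UNTRUSTED for this kfunc, and loads through an untrusted BTF pointer are emitted as probe reads that fault safely (the destination reads as 0) instead of oopsing on NULL; that is why the registration introduced in a992d7a397912 could leave KF_RET_NULL off even though the function returns NULL for a bad address. Unless the commit log of that change or the verifier shows a path where the untrusted return is dereferenced without probe-read protection, the registration should stay as it is; the maintainer reply in this thread reaches the same conclusion.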
* Re: [PATCH bpf 1/2] bpf: Mark bpf_get_kmem_cache() as nullable
@ 2026-06-20 17:47 Alexei Starovoitov
From: Alexei Starovoitov @ 2026-06-20 17:47 UTC
To: Nuoqi Gui, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Eduard Zingerman, Kumar Kartikeya Dwivedi
Cc: Martin KaFai Lau, Song Liu, Yonghong Song, Jiri Olsa, Shuah Khan,
bpf, linux-kselftest, linux-kernel
On Sat Jun 20, 2026 at 8:47 AM PDT, Nuoqi Gui wrote:
> bpf_get_kmem_cache() returns NULL when virt_addr_valid() rejects the
> address or when virt_to_slab() does not find a slab. The verifier uses
> KF_RET_NULL to add PTR_MAYBE_NULL to kfunc return registers, but the
> registration currently lacks that flag.
>
> Add KF_RET_NULL so callers have to prove that the returned kmem_cache
> pointer is non-NULL before dereferencing fields.
>
> Fixes: a992d7a397912 ("mm/bpf: Add bpf_get_kmem_cache() kfunc")
> Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
> ---
> kernel/bpf/helpers.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index b5314c9fed3cf..57a6ab72ae3cc 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -4817,7 +4817,7 @@ BTF_ID_FLAGS(func, bpf_iter_bits_next, KF_ITER_NEXT | KF_RET_NULL) > BTF_ID_FLAGS(func, bpf_iter_bits_destroy, KF_ITER_DESTROY) > BTF_ID_FLAGS(func, bpf_copy_from_user_str, KF_SLEEPABLE) > BTF_ID_FLAGS(func, bpf_copy_from_user_task_str, KF_SLEEPABLE) > -BTF_ID_FLAGS(func, bpf_get_kmem_cache) > +BTF_ID_FLAGS(func, bpf_get_kmem_cache, KF_RET_NULL) This is wrong. Nothing to fix. It works as designed. Instead of sending broken patches do your home work. You're saying commit a992d7a397912 is buggy. Read its commit log, selftest and the email thread and see why this patch is wrong. Such poor quality patches undermine your other legitimate fixes. You have to step up in quality. pw-bot: cr ^ permalink raw reply [flat|nested] 4+ messages in thread
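To make the disagreement between the cover letter and the reply above concrete, here is a small Python model of the verifier typing at issue. It is an added illustration written for this page, not kernel code and not the authors' selftest: it keeps only PTR_MAYBE_NULL (what KF_RET_NULL adds), PTR_UNTRUSTED (what the verifier already applies to the bpf_get_kmem_cache() return, as the 'untrusted_ptr_or_null_' message expected in 2/2 reflects), the refinement a null check performs on the fallthrough path, and the fact that a load through an untrusted BTF pointer is emitted as a probe read whose fault handler yields 0. Flag values, the instruction encoding and the sample field value are constructed.

```python
# Toy model of BPF verifier register typing for a kfunc return value.
# Added illustration, not kernel code: flag values and the program
# encoding are constructed; only the typing rules the thread turns on
# are modelled.
from dataclasses import dataclass
from typing import List, Tuple

KF_RET_NULL = 1 << 0        # kfunc registration flag (constructed value)
PTR_MAYBE_NULL = 1 << 0     # register type modifiers (constructed values)
PTR_UNTRUSTED = 1 << 1


@dataclass(frozen=True)
class Reg:
    """A PTR_TO_BTF_ID register pointing at struct `btf_name`, plus modifiers."""
    btf_name: str
    flags: int = 0

    def type_str(self) -> str:
        # Same shape as the kernel's reg_type_str() output, e.g. the
        # "untrusted_ptr_or_null_" prefix the selftest in 2/2 expects.
        s = "untrusted_" if self.flags & PTR_UNTRUSTED else ""
        s += "ptr_or_null_" if self.flags & PTR_MAYBE_NULL else "ptr_"
        return s + self.btf_name


def kfunc_return_reg(kf_flags: int, untrusted: bool, btf_name: str) -> Reg:
    """Type R0 after a kfunc call: KF_RET_NULL adds PTR_MAYBE_NULL; the
    untrusted flag models the verifier's bpf_get_kmem_cache() special case."""
    flags = PTR_MAYBE_NULL if kf_flags & KF_RET_NULL else 0
    if untrusted:
        flags |= PTR_UNTRUSTED
    return Reg(btf_name, flags)


# Constructed program encoding: ("call", kf_flags, untrusted),
# ("null_check",) standing for `if (!s) return 0;`, and ("load", field).
Insn = Tuple


def verify(prog: List[Insn]) -> Tuple[bool, str]:
    """Return (accepted, detail). On acceptance detail says how the load is
    emitted: 'probe_mem' for an untrusted pointer, 'plain' for a trusted one."""
    r0 = None
    for insn in prog:
        op = insn[0]
        if op == "call":
            r0 = kfunc_return_reg(insn[1], insn[2], "kmem_cache")
        elif op == "null_check":
            # Fallthrough branch of `if (!s)`: the verifier drops MAYBE_NULL.
            r0 = Reg(r0.btf_name, r0.flags & ~PTR_MAYBE_NULL)
        elif op == "load":
            if r0.flags & PTR_MAYBE_NULL:
                return False, f"R0 invalid mem access '{r0.type_str()}'"
            if r0.flags & PTR_UNTRUSTED:
                return True, "probe_mem"   # emitted as a BPF_PROBE_MEM load
            return True, "plain"
        else:
            raise ValueError(f"unknown op {op}")
    return True, "no load"


def run_load(mode: str, ptr: int, field_value: int) -> int:
    """Runtime model of the emitted load. A probe_mem load that faults (here:
    NULL) is caught by the exception handler and yields 0; a plain load on
    the same address would oops."""
    if ptr == 0:
        if mode == "probe_mem":
            return 0
        raise RuntimeError("NULL dereference in kernel context")
    return field_value


# Registration as it stands: no KF_RET_NULL, untrusted return, direct read.
CURRENT = [("call", 0, True), ("load", "size")]
# Registration as in 1/2, driven by the two selftest programs of 2/2.
PATCHED_NO_CHECK = [("call", KF_RET_NULL, True), ("load", "size")]
PATCHED_CHECKED = [("call", KF_RET_NULL, True), ("null_check",), ("load", "size")]

if __name__ == "__main__":
    for name, prog in (("current", CURRENT),
                       ("patched, no null check", PATCHED_NO_CHECK),
                       ("patched, null check", PATCHED_CHECKED)):
        print(f"{name}: {verify(prog)}")
    _, mode = verify(CURRENT)
    print("current kernel, s == NULL at runtime:", run_load(mode, 0, 192))
```

The CURRENT program is the case the maintainer describes as working by design: the verifier accepts the direct read because the untrusted pointer makes it a probe read, and a NULL return at run time produces a zero field value rather than a fault. Only with the flag from 1/2 does the model reproduce the rejection that 2/2 encodes in its __msg string.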
* [PATCH bpf 2/2] selftests/bpf: Cover bpf_get_kmem_cache() null return 2026-06-20 15:47 [PATCH bpf 0/2] bpf: Mark bpf_get_kmem_cache() as nullable Nuoqi Gui 2026-06-20 15:47 ` [PATCH bpf 1/2] " Nuoqi Gui @ 2026-06-20 15:47 ` Nuoqi Gui 1 sibling, 0 replies; 4+ messages in thread From: Nuoqi Gui @ 2026-06-20 15:47 UTC (permalink / raw) To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi Cc: Martin KaFai Lau, Song Liu, Yonghong Song, Jiri Olsa, Shuah Khan, bpf, linux-kselftest, linux-kernel, Nuoqi Gui Add verifier coverage for bpf_get_kmem_cache(0). A direct read from the returned kmem_cache pointer must reject because the kfunc can return NULL, while the same read after an explicit null check remains accepted. Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn> --- .../bpf/progs/verifier_kfunc_prog_types.c | 29 ++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/tools/testing/selftests/bpf/progs/verifier_kfunc_prog_types.c b/tools/testing/selftests/bpf/progs/verifier_kfunc_prog_types.c index 1fce7a7e8d030..a062f3b7bc756 100644 --- a/tools/testing/selftests/bpf/progs/verifier_kfunc_prog_types.c +++ b/tools/testing/selftests/bpf/progs/verifier_kfunc_prog_types.c @@ -168,3 +168,32 @@ int BPF_PROG(cpumask_kfunc_perf_event) cpumask_kfunc_load_test(); return 0; } + +/********************* + * kmem_cache kfunc * + *********************/ + +extern struct kmem_cache *bpf_get_kmem_cache(u64 addr) __ksym; + +SEC("raw_tp") +__failure __msg("R0 invalid mem access 'untrusted_ptr_or_null_'") +int bpf_get_kmem_cache_no_null_check(void *ctx) +{ + struct kmem_cache *s; + + s = bpf_get_kmem_cache(0); + return s->size; +} + +SEC("raw_tp") +__success +int bpf_get_kmem_cache_null_check(void *ctx) +{ + struct kmem_cache *s; + + s = bpf_get_kmem_cache(0); + if (!s) + return 0; + + return s->size; +} -- 2.34.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
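Review bot: the __failure expectation in bpf_get_kmem_cache_no_null_check only holds with 1/2 applied, and 1/2 is rejected in this thread. With the registration as it stands the return is typed untrusted without PTR_MAYBE_NULL, the direct s->size read is emitted as a probe read and the verifier accepts it, so this test would fail on its own; a selftest that documents a kfunc's null contract should encode the behaviour the maintainers confirm, not the behaviour a disputed change would introduce. Separately, verifier_kfunc_prog_types.c groups tests by which program types may call a kfunc (see the cpumask_kfunc_perf_event case just above the added block); a null-check test for one kfunc fits better next to the existing kmem_cache coverage than under a new "kmem_cache kfunc" banner in this file.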