[PATCH bpf-next v1 0/2] Allow referenced dynptr to be overwritten when siblings exists

[PATCH bpf-next v1 0/2] Allow referenced dynptr to be overwritten when siblings exists

[Amery Hung]

The patchset conditionally allow a referenced dynptr to be overwritten
when its siblings (original dynptr or dynptr clone) exist. Do it before
the verifier relation tracking refactor to mimimize verifier changes at
a time.

Amery Hung (2):
  bpf: Allow overwriting referenced dynptr when refcnt > 1
  selftests/bpf: Test overwriting referenced dynptr

 kernel/bpf/verifier.c                         |  23 +++-
 .../testing/selftests/bpf/progs/dynptr_fail.c | 115 ++++++++++++++++++
 2 files changed, 136 insertions(+), 2 deletions(-)

-- 
2.52.0

[PATCH bpf-next v1 1/2] bpf: Allow overwriting referenced dynptr when refcnt > 1

[Amery Hung]

The verifier currently does not allow overwriting a referenced dynptr's
stack slot to prevent resource leak. This is because referenced dynptr
holds additional resources that requires calling specific helpers to
release. This limitation can be relaxed when there are multiple copies
of the same dynptr. Whether it is the orignial dynptr or one of its
clones, as long as there exists at least one other dynptr with the same
ref_obj_id (to be used to release the reference), its stack slot should
be allowed to be overwritten.

Suggested-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Amery Hung <ameryhung@gmail.com>
---
 kernel/bpf/verifier.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 9523db3fe90d..147495099a23 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -934,8 +934,27 @@ static int destroy_if_dynptr_stack_slot(struct bpf_verifier_env *env,
 		spi = spi + 1;
 
 	if (dynptr_type_refcounted(state->stack[spi].spilled_ptr.dynptr.type)) {
-		verbose(env, "cannot overwrite referenced dynptr\n");
-		return -EINVAL;
+		int ref_obj_id = state->stack[spi].spilled_ptr.ref_obj_id;
+		int ref_cnt = 0;
+
+		/*
+		 * A referenced dynptr can be overwritten only if there is at
+		 * least one other dynptr sharing the same ref_obj_id,
+		 * ensuring the reference can still be properly released.
+		 */
+		for (i = 0; i < state->allocated_stack / BPF_REG_SIZE; i++) {
+			if (state->stack[i].slot_type[0] != STACK_DYNPTR)
+				continue;
+			if (!state->stack[i].spilled_ptr.dynptr.first_slot)
+				continue;
+			if (state->stack[i].spilled_ptr.ref_obj_id == ref_obj_id)
+				ref_cnt++;
+		}
+
+		if (ref_cnt <= 1) {
+			verbose(env, "cannot overwrite referenced dynptr\n");
+			return -EINVAL;
+		}
 	}
 
 	mark_stack_slot_scratched(env, spi);
-- 
2.52.0

Re: [PATCH bpf-next v1 1/2] bpf: Allow overwriting referenced dynptr when refcnt > 1

[Kumar Kartikeya Dwivedi]

On Mon, 6 Apr 2026 at 17:05, Amery Hung <ameryhung@gmail.com> wrote:
>
> The verifier currently does not allow overwriting a referenced dynptr's
> stack slot to prevent resource leak. This is because referenced dynptr
> holds additional resources that requires calling specific helpers to
> release. This limitation can be relaxed when there are multiple copies
> of the same dynptr. Whether it is the orignial dynptr or one of its
> clones, as long as there exists at least one other dynptr with the same
> ref_obj_id (to be used to release the reference), its stack slot should
> be allowed to be overwritten.
>
> Suggested-by: Andrii Nakryiko <andrii@kernel.org>
> Signed-off-by: Amery Hung <ameryhung@gmail.com>
> ---

Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>

> [...]

Re: [PATCH bpf-next v1 1/2] bpf: Allow overwriting referenced dynptr when refcnt > 1

[Alexei Starovoitov]

On Mon, Apr 6, 2026 at 8:05 AM Amery Hung <ameryhung@gmail.com> wrote:
>
> The verifier currently does not allow overwriting a referenced dynptr's
> stack slot to prevent resource leak. This is because referenced dynptr
> holds additional resources that requires calling specific helpers to
> release. This limitation can be relaxed when there are multiple copies
> of the same dynptr. Whether it is the orignial dynptr or one of its
> clones, as long as there exists at least one other dynptr with the same
> ref_obj_id (to be used to release the reference), its stack slot should
> be allowed to be overwritten.
>
> Suggested-by: Andrii Nakryiko <andrii@kernel.org>
> Signed-off-by: Amery Hung <ameryhung@gmail.com>
> ---
>  kernel/bpf/verifier.c | 23 +++++++++++++++++++++--
>  1 file changed, 21 insertions(+), 2 deletions(-)

Why ?
I understand that it's ok to allow, but the features
adds more verifier complexity and more things to worry
about in the future?
What's wrong with disallowing?

Re: [PATCH bpf-next v1 1/2] bpf: Allow overwriting referenced dynptr when refcnt > 1

[Amery Hung]

On Tue, Apr 7, 2026 at 2:27 PM Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
>
> On Mon, Apr 6, 2026 at 8:05 AM Amery Hung <ameryhung@gmail.com> wrote:
> >
> > The verifier currently does not allow overwriting a referenced dynptr's
> > stack slot to prevent resource leak. This is because referenced dynptr
> > holds additional resources that requires calling specific helpers to
> > release. This limitation can be relaxed when there are multiple copies
> > of the same dynptr. Whether it is the orignial dynptr or one of its
> > clones, as long as there exists at least one other dynptr with the same
> > ref_obj_id (to be used to release the reference), its stack slot should
> > be allowed to be overwritten.
> >
> > Suggested-by: Andrii Nakryiko <andrii@kernel.org>
> > Signed-off-by: Amery Hung <ameryhung@gmail.com>
> > ---
> >  kernel/bpf/verifier.c | 23 +++++++++++++++++++++--
> >  1 file changed, 21 insertions(+), 2 deletions(-)
>
> Why ?
> I understand that it's ok to allow, but the features
> adds more verifier complexity and more things to worry
> about in the future?
> What's wrong with disallowing?

The current limitation seems a bit arbitrary and adds more complexity
to the mental model of dynptr object relation (some dynptr slots can
be overwritten but some cannot).

Actually I think about it again, the check here may not be necessary
at all (like below). Even if a referenced dynptr and all its clones'
stack slots are overwritten, the verifier should still reject the
program and report reference leak.

-        if (dynptr_type_refcounted(state->stack[spi].spilled_ptr.dynptr.type))
{
-               verbose(env, "cannot overwrite referenced dynptr\n");
-               return -EINVAL;
-        }

Re: [PATCH bpf-next v1 1/2] bpf: Allow overwriting referenced dynptr when refcnt > 1

[Kumar Kartikeya Dwivedi]

On Wed, 8 Apr 2026 at 00:05, Amery Hung <ameryhung@gmail.com> wrote:
>
> On Tue, Apr 7, 2026 at 2:27 PM Alexei Starovoitov
> <alexei.starovoitov@gmail.com> wrote:
> >
> > On Mon, Apr 6, 2026 at 8:05 AM Amery Hung <ameryhung@gmail.com> wrote:
> > >
> > > The verifier currently does not allow overwriting a referenced dynptr's
> > > stack slot to prevent resource leak. This is because referenced dynptr
> > > holds additional resources that requires calling specific helpers to
> > > release. This limitation can be relaxed when there are multiple copies
> > > of the same dynptr. Whether it is the orignial dynptr or one of its
> > > clones, as long as there exists at least one other dynptr with the same
> > > ref_obj_id (to be used to release the reference), its stack slot should
> > > be allowed to be overwritten.
> > >
> > > Suggested-by: Andrii Nakryiko <andrii@kernel.org>
> > > Signed-off-by: Amery Hung <ameryhung@gmail.com>
> > > ---
> > >  kernel/bpf/verifier.c | 23 +++++++++++++++++++++--
> > >  1 file changed, 21 insertions(+), 2 deletions(-)
> >
> > Why ?
> > I understand that it's ok to allow, but the features
> > adds more verifier complexity and more things to worry
> > about in the future?
> > What's wrong with disallowing?
>
> The current limitation seems a bit arbitrary and adds more complexity
> to the mental model of dynptr object relation (some dynptr slots can
> be overwritten but some cannot).
>
> Actually I think about it again, the check here may not be necessary
> at all (like below). Even if a referenced dynptr and all its clones'
> stack slots are overwritten, the verifier should still reject the
> program and report reference leak.
>

That's true, but when we last addressed this, the message was kept
here early to make the error easier for the user to comprehend.
Keeping it here was preferable to showing "Unreleased reference" at
the end of the program, which is inevitable once all references are
overwritten.


> -        if (dynptr_type_refcounted(state->stack[spi].spilled_ptr.dynptr.type))
> {
> -               verbose(env, "cannot overwrite referenced dynptr\n");
> -               return -EINVAL;
> -        }

[PATCH bpf-next v1 2/2] selftests/bpf: Test overwriting referenced dynptr

[Amery Hung]

Test overwriting referenced dynptr and clones to make sure it is only
allow when there is at least one other dynptr with the same ref_obj_id.
Also make sure slice is still invalidated after the dynptr's stack slot
is destroyed.

Signed-off-by: Amery Hung <ameryhung@gmail.com>
---
 .../testing/selftests/bpf/progs/dynptr_fail.c | 115 ++++++++++++++++++
 1 file changed, 115 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/dynptr_fail.c b/tools/testing/selftests/bpf/progs/dynptr_fail.c
index 8f2ae9640886..b62773ce5219 100644
--- a/tools/testing/selftests/bpf/progs/dynptr_fail.c
+++ b/tools/testing/selftests/bpf/progs/dynptr_fail.c
@@ -1993,3 +1993,118 @@ int test_dynptr_reg_type(void *ctx)
 	global_call_bpf_dynptr((const struct bpf_dynptr *)current);
 	return 0;
 }
+
+/* Overwriting a referenced dynptr is allowed if a clone still holds the ref */
+SEC("?raw_tp")
+__success
+int dynptr_overwrite_ref_with_clone(void *ctx)
+{
+	struct bpf_dynptr ptr, clone;
+
+	bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr);
+
+	bpf_dynptr_clone(&ptr, &clone);
+
+	/* Overwrite the original - clone still holds the ref */
+	*(volatile __u8 *)&ptr = 0;
+
+	bpf_ringbuf_discard_dynptr(&clone, 0);
+
+	return 0;
+}
+
+/* Overwriting the last referenced dynptr should still be rejected */
+SEC("?raw_tp")
+__failure __msg("cannot overwrite referenced dynptr")
+int dynptr_overwrite_ref_last_clone(void *ctx)
+{
+	struct bpf_dynptr ptr, clone;
+
+	bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr);
+
+	bpf_dynptr_clone(&ptr, &clone);
+
+	/* Overwrite the original - clone still holds the ref, OK */
+	*(volatile __u8 *)&ptr = 0;
+
+	/* Overwrite the last holder - this should fail */
+	*(volatile __u8 *)&clone = 0;
+
+	return 0;
+}
+
+/* Overwriting a clone should be allowed if the original still holds the ref */
+SEC("?raw_tp")
+__success
+int dynptr_overwrite_clone_with_original(void *ctx)
+{
+	struct bpf_dynptr ptr, clone;
+
+	bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr);
+
+	bpf_dynptr_clone(&ptr, &clone);
+
+	/* Overwrite the clone - original still holds the ref */
+	*(volatile __u8 *)&clone = 0;
+
+	bpf_ringbuf_discard_dynptr(&ptr, 0);
+
+	return 0;
+}
+
+/* Data slices from the destroyed dynptr should be invalidated */
+SEC("?raw_tp")
+__failure __msg("invalid mem access 'scalar'")
+int dynptr_overwrite_ref_invalidate_slice(void *ctx)
+{
+	struct bpf_dynptr ptr, clone;
+	int *data;
+
+	bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr);
+
+	data = bpf_dynptr_data(&ptr, 0, sizeof(val));
+	if (!data)
+		return 0;
+
+	bpf_dynptr_clone(&ptr, &clone);
+
+	/* Overwrite the original - clone holds the ref */
+	*(volatile __u8 *)&ptr = 0;
+
+	/* data was from the original dynptr, should be invalid now */
+	*data = 123;
+
+	return 0;
+}
+
+/*
+ * Data slices from a dynptr clone should remain valid after
+ * overwriting the original dynptr
+ */
+SEC("?raw_tp")
+__success
+int dynptr_overwrite_ref_clone_slice_valid(void *ctx)
+{
+	struct bpf_dynptr ptr, clone;
+	int *data;
+
+	bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr);
+
+	bpf_dynptr_clone(&ptr, &clone);
+
+	data = bpf_dynptr_data(&clone, 0, sizeof(val));
+	if (!data) {
+		bpf_ringbuf_discard_dynptr(&clone, 0);
+		return 0;
+	}
+
+	/* Overwrite the original - clone holds the ref */
+	*(volatile __u8 *)&ptr = 0;
+
+	/* data is from the clone, should still be valid */
+	*data = 123;
+
+	bpf_ringbuf_discard_dynptr(&clone, 0);
+
+	return 0;
+}
-- 
2.52.0

Re: [PATCH bpf-next v1 2/2] selftests/bpf: Test overwriting referenced dynptr

[Kumar Kartikeya Dwivedi]

On Mon, 6 Apr 2026 at 17:05, Amery Hung <ameryhung@gmail.com> wrote:
>
> Test overwriting referenced dynptr and clones to make sure it is only
> allow when there is at least one other dynptr with the same ref_obj_id.
> Also make sure slice is still invalidated after the dynptr's stack slot
> is destroyed.
>
> Signed-off-by: Amery Hung <ameryhung@gmail.com>
> ---

Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>

> [...]

Re: [PATCH bpf-next v1 0/2] Allow referenced dynptr to be overwritten when siblings exists

[patchwork-bot+netdevbpf]

Hello:

This series was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Mon,  6 Apr 2026 08:05:46 -0700 you wrote:
> The patchset conditionally allow a referenced dynptr to be overwritten
> when its siblings (original dynptr or dynptr clone) exist. Do it before
> the verifier relation tracking refactor to mimimize verifier changes at
> a time.
> 
> Amery Hung (2):
>   bpf: Allow overwriting referenced dynptr when refcnt > 1
>   selftests/bpf: Test overwriting referenced dynptr
> 
> [...]

Here is the summary with links:
  - [bpf-next,v1,1/2] bpf: Allow overwriting referenced dynptr when refcnt > 1
    https://git.kernel.org/bpf/bpf-next/c/017f5c4ef73c
  - [bpf-next,v1,2/2] selftests/bpf: Test overwriting referenced dynptr
    https://git.kernel.org/bpf/bpf-next/c/4cfb09a38357

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html