From: Puranjay Mohan <puranjay@kernel.org>
To: bpf@vger.kernel.org
Cc: Puranjay Mohan <puranjay@kernel.org>,
Puranjay Mohan <puranjay12@gmail.com>,
Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Martin KaFai Lau <martin.lau@kernel.org>,
Eduard Zingerman <eddyz87@gmail.com>,
Kumar Kartikeya Dwivedi <memxor@gmail.com>,
kernel-team@meta.com
Subject: [PATCH bpf-next 2/7] bpf: net: netfilter: Mark kfuncs accurately
Date: Wed, 24 Dec 2025 11:24:31 -0800
Message-ID: <20251224192448.3176531-3-puranjay@kernel.org>
In-Reply-To: <20251224192448.3176531-1-puranjay@kernel.org>
bpf_xdp_ct_lookup() and bpf_skb_ct_lookup() receive bpf_tuple and opts
parameters that are then checked for NULL by __bpf_nf_ct_lookup(), so
these kfuncs expect these arguments to be NULL.

Mark bpf_tuple and opts with __nullable so the verifier allows passing a NULL
pointer for these arguments.

This change is now required because the verifier will now assume that every
kfunc expects trusted arguments by default, so even though these kfuncs
don't have the KF_TRUSTED_ARGS flag, all arguments will be treated
as KF_TRUSTED_ARGS by default.
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
---
net/netfilter/nf_conntrack_bpf.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/net/netfilter/nf_conntrack_bpf.c b/net/netfilter/nf_conntrack_bpf.c
index 4a136fc3a9c0..308e47c2aeaa 100644
--- a/net/netfilter/nf_conntrack_bpf.c
+++ b/net/netfilter/nf_conntrack_bpf.c
@@ -324,18 +324,19 @@ bpf_xdp_ct_alloc(struct xdp_md *xdp_ctx, struct bpf_sock_tuple *bpf_tuple,
* Must be NF_BPF_CT_OPTS_SZ (16) or 12
*/
__bpf_kfunc struct nf_conn *
-bpf_xdp_ct_lookup(struct xdp_md *xdp_ctx, struct bpf_sock_tuple *bpf_tuple,
- u32 tuple__sz, struct bpf_ct_opts *opts, u32 opts__sz)
+bpf_xdp_ct_lookup(struct xdp_md *xdp_ctx, struct bpf_sock_tuple *bpf_tuple__nullable,
+ u32 tuple__sz, struct bpf_ct_opts *opts__nullable, u32 opts__sz)
{
struct xdp_buff *ctx = (struct xdp_buff *)xdp_ctx;
struct net *caller_net;
struct nf_conn *nfct;
caller_net = dev_net(ctx->rxq->dev);
- nfct = __bpf_nf_ct_lookup(caller_net, bpf_tuple, tuple__sz, opts, opts__sz);
+ nfct = __bpf_nf_ct_lookup(caller_net, bpf_tuple__nullable, tuple__sz, opts__nullable,
+ opts__sz);
if (IS_ERR(nfct)) {
- if (opts)
- opts->error = PTR_ERR(nfct);
+ if (opts__nullable)
+ opts__nullable->error = PTR_ERR(nfct);
return NULL;
}
return nfct;
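Review bot: The comment block that closes with "*/" directly above the bpf_xdp_ct_lookup() signature is not touched by this hunk, so any parameter descriptions in it still refer to the old names bpf_tuple and opts and do not say that NULL is accepted. Please update it alongside the rename to bpf_tuple__nullable and opts__nullable, and document what the caller sees in the NULL case: with opts__nullable == NULL the "if (opts__nullable)" branch skips the write to ->error, so a failed lookup returns NULL with no error code available to the program. It would also help to state explicitly that tuple__sz and opts__sz are still validated by __bpf_nf_ct_lookup() when the pointer is NULL, since the verifier will no longer reject that combination at load time.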
@@ -392,18 +393,19 @@ bpf_skb_ct_alloc(struct __sk_buff *skb_ctx, struct bpf_sock_tuple *bpf_tuple,
* Must be NF_BPF_CT_OPTS_SZ (16) or 12
*/
__bpf_kfunc struct nf_conn *
-bpf_skb_ct_lookup(struct __sk_buff *skb_ctx, struct bpf_sock_tuple *bpf_tuple,
- u32 tuple__sz, struct bpf_ct_opts *opts, u32 opts__sz)
+bpf_skb_ct_lookup(struct __sk_buff *skb_ctx, struct bpf_sock_tuple *bpf_tuple__nullable,
+ u32 tuple__sz, struct bpf_ct_opts *opts__nullable, u32 opts__sz)
{
struct sk_buff *skb = (struct sk_buff *)skb_ctx;
struct net *caller_net;
struct nf_conn *nfct;
caller_net = skb->dev ? dev_net(skb->dev) : sock_net(skb->sk);
- nfct = __bpf_nf_ct_lookup(caller_net, bpf_tuple, tuple__sz, opts, opts__sz);
+ nfct = __bpf_nf_ct_lookup(caller_net, bpf_tuple__nullable, tuple__sz, opts__nullable,
+ opts__sz);
if (IS_ERR(nfct)) {
- if (opts)
- opts->error = PTR_ERR(nfct);
+ if (opts__nullable)
+ opts__nullable->error = PTR_ERR(nfct);
return NULL;
}
return nfct;
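Review bot: Only the two lookup kfuncs gain the __nullable suffix, while bpf_skb_ct_alloc() in this hunk's header (and bpf_xdp_ct_alloc() in the previous one) keeps a plain "struct bpf_sock_tuple *bpf_tuple". Once every kfunc argument is treated as trusted, a program that passes NULL to the alloc kfuncs and relies on a runtime error will be rejected by the verifier instead. Please either annotate those signatures in this patch as well or say in the commit message that they are intentionally left non-nullable. A selftest that loads a program calling bpf_skb_ct_lookup() with a NULL tuple and NULL opts would also confirm that the annotation keeps the existing runtime check in __bpf_nf_ct_lookup() reachable.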
--
2.47.3
Thread overview: 15+ messages
2025-12-24 19:24 [PATCH bpf-next 0/7] bpf: Make KF_TRUSTED_ARGS default Puranjay Mohan
2025-12-24 19:24 ` [PATCH bpf-next 1/7] bpf: Make KF_TRUSTED_ARGS the default for all kfuncs Puranjay Mohan
2025-12-30 23:49 ` Eduard Zingerman
2025-12-30 23:56 ` Alexei Starovoitov
2025-12-31 0:08 ` Puranjay Mohan
2025-12-31 0:29 ` Eduard Zingerman
2025-12-31 12:34 ` Puranjay Mohan
2025-12-31 16:45 ` Alexei Starovoitov
2025-12-24 19:24 ` Puranjay Mohan [this message]
2025-12-24 19:24 ` [PATCH bpf-next 3/7] bpf: Remove redundant KF_TRUSTED_ARGS flag from " Puranjay Mohan
2025-12-24 19:24 ` [PATCH bpf-next 4/7] selftests: bpf: Update kfunc_param_nullable test for new error message Puranjay Mohan
2025-12-24 19:24 ` [PATCH bpf-next 5/7] selftests: bpf: Update failure message for rbtree_fail Puranjay Mohan
2025-12-24 19:24 ` [PATCH bpf-next 6/7] selftests: bpf: fix test_kfunc_dynptr_param Puranjay Mohan
2025-12-31 2:04 ` Alexei Starovoitov
2025-12-24 19:24 ` [PATCH bpf-next 7/7] selftests: bpf: fix cgroup_hierarchical_stats Puranjay Mohan