From: sashiko-bot@kernel.org
To: "Amery Hung" <ameryhung@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v5 09/14] bpf: Fold ref_obj_id into id and introduce virtual references
Date: Tue, 19 May 2026 18:59:52 +0000
Message-ID: <20260519185952.DF0181F000E9@smtp.kernel.org>
In-Reply-To: <20260519181314.2731658-10-ameryhung@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] check_reference_leak() incorrectly rejects valid struct_ops programs that return a pointer derived from a virtual reference (e.g., a casted pointer).
--
commit 4171c91972499af3939593f911ee11b4fbbe778d
Author: Amery Hung <ameryhung@gmail.com>
bpf: Fold ref_obj_id into id and introduce virtual references
This commit unifies pointer identity and lifetime tracking by replacing
ref_obj_id with id. It introduces virtual references to serve as lifetime
anchors for objects that share the same lifetime but need distinct identities,
such as pointer casts and referenced dynptr clones.
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
[ ... ]
> @@ -9854,7 +9920,7 @@ static int check_reference_leak(struct bpf_verifier_env *env, bool exception_exi
> * kernel. Type checks are performed later in check_return_code.
> */
> if (type == BPF_PROG_TYPE_STRUCT_OPS && !exception_exit &&
> - reg->ref_obj_id == state->refs[i].id)
> + reg->id == state->refs[i].id)
> continue;
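Review bot: in the struct_ops branch of check_reference_leak(), the comment lines shown as context above the changed condition are left as they were while the match moves from reg->ref_obj_id to reg->id, so nothing here says which id of the returned register is expected to equal state->refs[i].id. The commit message says virtual references exist so that objects sharing a lifetime can have distinct identities, which means a plain `reg->id == state->refs[i].id` comparison only covers a register carrying the reference's own id. Suggest spelling out that invariant in the comment and covering this skip path with a struct_ops selftest that returns a referenced pointer.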
[Severity: High]
Will this correctly handle struct_ops programs that return a pointer derived
from a virtual reference, such as a casted pointer?
Since a casted pointer in R0 receives a distinct non-reference id while the
virtual reference ID is stored in its parent_id, checking reg->id against
state->refs[i].id might fail here.
Could this cause the verifier to incorrectly flag an "Unreleased reference"
and reject valid struct_ops programs? Should this check also consider
reg->parent_id when the reference is virtual?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260519181314.2731658-1-ameryhung@gmail.com?part=9