BPF List
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Tejun Heo" <tj@kernel.org>
Cc: sched-ext@lists.linux.dev, bpf@vger.kernel.org
Subject: Re: [PATCHSET SLOP RFC 1/6] bpf: Support __arena suffix for kfunc arguments
Date: Mon, 13 Jul 2026 02:58:19 +0000	[thread overview]
Message-ID: <20260713025819.A302C1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260713024414.3759854-2-tj@kernel.org>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] The verifier skips size and bounds checks for `__arena` kfunc arguments, relying entirely on a 32KB hardware guard region. This allows a malicious BPF program to overshoot the guard region and cause a kernel oops by passing an offset that results in reading or writing a large struct or buffer.
--

--- Patch [1]: [PATCHSET SLOP RFC 1/6] bpf: Support __arena suffix for kfunc arguments ---
commit 228de70b9e4499793706318f5047bb9d51313346
Author: Tejun Heo <tj@kernel.org>

bpf: Support __arena suffix for kfunc arguments
    
This patch adds the __arena suffix for kfunc arguments, allowing BPF
programs to pass arena pointers directly to kfuncs. The verifier rebases
the register at the call site, avoiding the need for open-coded translation
in every kfunc.

> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 6515d4d3c0032..71d1459c8f2a0 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -11975,6 +11980,32 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
>  			continue;
>  		}
>  
> +		if (is_kfunc_arg_arena(btf, &args[i])) {
> +			t = btf_type_skip_modifiers(btf, args[i].type, NULL);
> +			if (verifier_bug_if(!btf_type_is_ptr(t), env,
> +					    "kfunc %s arg#%d has __arena tag on non-pointer",
> +					    func_name, i))
> +				return -EFAULT;

[ ... ]

> +			if (reg->type != PTR_TO_ARENA && reg->type != SCALAR_VALUE) {
> +				verbose(env, "%s is not a pointer to arena or scalar\n",
> +					reg_arg_name(env, argno));
> +				return -EINVAL;
> +			}
> +			cur_aux(env)->arg_arena_regs |= BIT(regno - BPF_REG_1);
> +			continue;
> +		}

[Severity: High]
Does skipping the rest of the checks here bypass BTF memory size and buffer
bounds tracking for __arena arguments?

Because this relies entirely on the hardware guard region to catch out-of-bounds
accesses, could a BPF program pass an offset close to the 4GB arena limit 
(like 4GB - 1) to a kfunc that takes a large struct or buffer size parameter?

The fault handler strictly limits recovery to the 4GB limit plus a 32KB
guard region:

kernel/bpf/arena.c:bpf_arena_handle_page_fault() {
    ...
    if (page_addr < kbase || page_addr >= kbase + SZ_4G + GUARD_SZ / 2)
        return false;
    ...
}

If a kfunc access extends beyond this guard region, it seems like it would
bypass the fault handler and cause a kernel oops or memory corruption.

Should there be size validation for __arena arguments similar to other memory
pointers?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260713024414.3759854-1-tj@kernel.org?part=1

  reply	other threads:[~2026-07-13  2:58 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-13  2:44 [PATCHSET SLOP RFC 0/6] bpf: make arena pointers first-class kfunc and struct_ops arguments Tejun Heo
2026-07-13  2:44 ` [PATCHSET SLOP RFC 1/6] bpf: Support __arena suffix for kfunc arguments Tejun Heo
2026-07-13  2:58   ` sashiko-bot [this message]
2026-07-13 19:38     ` Tejun Heo
2026-07-13 21:45   ` Kumar Kartikeya Dwivedi
2026-07-13  2:44 ` [PATCHSET SLOP RFC 2/6] selftests/bpf: Add kfunc __arena argument tests Tejun Heo
2026-07-13  3:16   ` sashiko-bot
2026-07-13 19:38     ` Tejun Heo
2026-07-13  2:44 ` [PATCHSET SLOP RFC 3/6] bpf: Support __arena suffix on struct_ops stub arguments Tejun Heo
2026-07-13  2:59   ` sashiko-bot
2026-07-13 19:37   ` [PATCH v2 " Tejun Heo
2026-07-13  2:44 ` [PATCHSET SLOP RFC 4/6] selftests/bpf: Add struct_ops __arena argument tests Tejun Heo
2026-07-13  2:55   ` sashiko-bot
2026-07-13 19:38     ` Tejun Heo
2026-07-13  2:44 ` [PATCHSET SLOP RFC 5/6] sched_ext: Pass a kernel arena pointer to ops_cid.set_cmask() Tejun Heo
2026-07-13  2:44 ` [PATCHSET SLOP RFC 6/6] sched_ext: Convert scx_bpf_cid_override() to take an arena pointer Tejun Heo
2026-07-13  2:59   ` sashiko-bot
2026-07-13 19:38     ` Tejun Heo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260713025819.A302C1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=sched-ext@lists.linux.dev \
    --cc=tj@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox