[PATCH bpf-next v2 0/9] bpf: Make KF_TRUSTED_ARGS default

[PATCH bpf-next v2 0/9] bpf: Make KF_TRUSTED_ARGS default

[Puranjay Mohan]

v1: https://lore.kernel.org/all/20251224192448.3176531-1-puranjay@kernel.org/
Changes in v1->v2:
- Update kfunc_dynptr_param selftest to use a real pointer that is not
  ptr_to_stack and not CONST_PTR_TO_DYNPTR rather than casting 1
  (Alexei)
- Thoroughly review all kfuncs in the to find regressions or missing
  annotations. (Eduard)
- Fix kfuncs found from the above step.

This series makes trusted arguments the default requirement for all BPF
kfuncs, inverting the current opt-in model. Instead of requiring
explicit KF_TRUSTED_ARGS flags, kfuncs now require trusted arguments by
default and must explicitly opt-out using __nullable/__opt annotations
or the KF_RCU flag.

This improves security and type safety by preventing BPF programs from
passing untrusted or NULL pointers to kernel functions at verification
time, while maintaining flexibility for the small number of kfuncs that
legitimately need to accept NULL or RCU pointers.

MOTIVATION

The current opt-in model is error-prone and inconsistent. Most kfuncs already
require trusted pointers from sources like KF_ACQUIRE, struct_ops callbacks, or
tracepoints. Making trusted arguments the default:

- Prevents NULL pointer dereferences at verification time
- Reduces defensive NULL checks in kernel code
- Provides better error messages for invalid BPF programs
- Aligns with existing patterns (context pointers, struct_ops already trusted)

IMPACT ANALYSIS

Comprehensive analysis of all 304+ kfuncs across 37 kernel files found:
- Most kfuncs (299/304) are already safe and require no changes
- Only 4 kfuncs required fixes (all included in this series)
- 0 regressions found in independent verification

TECHNICAL DETAILS

The verifier now validates kfunc arguments in this order:
1. NULL check (runs first): Rejects NULL unless parameter has __nullable/__opt
2. Trusted check: Rejects untrusted pointers unless kfunc has KF_RCU

Special cases that bypass trusted checking:
- Context pointers (xdp_md, __sk_buff): Handled via KF_ARG_PTR_TO_CTX
- Struct_ops callbacks: Pre-marked as PTR_TRUSTED during initialization
- KF_RCU kfuncs: Have separate validation path for RCU pointers

BACKWARD COMPATIBILITY

This affects BPF program verification, not runtime:
- Valid programs passing trusted pointers: Continue to work
- Programs with bugs: May now fail verification (preventing runtime crashes)

Puranjay Mohan (9):
  bpf: Make KF_TRUSTED_ARGS the default for all kfuncs
  bpf: net: netfilter: Mark kfuncs accurately
  bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs
  selftests: bpf: Update kfunc_param_nullable test for new error message
  selftests: bpf: Update failure message for rbtree_fail
  selftests: bpf: fix test_kfunc_dynptr_param
  selftests: bpf: fix cgroup_hierarchical_stats
  bpf: xfrm: drop dead NULL check in bpf_xdp_get_xfrm_state()
  HID: bpf: drop dead NULL checks in kfuncs

 Documentation/bpf/kfuncs.rst                  | 35 +++++++-------
 drivers/hid/bpf/hid_bpf_dispatch.c            |  5 +-
 fs/bpf_fs_kfuncs.c                            | 13 +++---
 fs/verity/measure.c                           |  2 +-
 include/linux/btf.h                           |  3 +-
 kernel/bpf/arena.c                            |  6 +--
 kernel/bpf/cpumask.c                          |  2 +-
 kernel/bpf/helpers.c                          | 20 ++++----
 kernel/bpf/map_iter.c                         |  2 +-
 kernel/bpf/verifier.c                         | 14 ++----
 kernel/sched/ext.c                            |  8 ++--
 mm/bpf_memcontrol.c                           | 10 ++--
 net/core/filter.c                             | 10 ++--
 net/core/xdp.c                                |  2 +-
 net/netfilter/nf_conntrack_bpf.c              | 46 ++++++++++---------
 net/netfilter/nf_flow_table_bpf.c             |  2 +-
 net/netfilter/nf_nat_bpf.c                    |  2 +-
 net/sched/bpf_qdisc.c                         | 12 ++---
 net/xfrm/xfrm_state_bpf.c                     |  2 +-
 .../bpf/progs/cgroup_hierarchical_stats.c     |  6 +--
 .../testing/selftests/bpf/progs/rbtree_fail.c |  2 +-
 .../bpf/progs/test_kfunc_dynptr_param.c       |  5 +-
 .../bpf/progs/test_kfunc_param_nullable.c     |  2 +-
 .../selftests/bpf/test_kmods/bpf_testmod.c    | 20 ++++----
 24 files changed, 109 insertions(+), 122 deletions(-)


base-commit: ccaa6d2c9635a8db06a494d67ef123b56b967a78
-- 
2.47.3

[PATCH bpf-next v2 1/9] bpf: Make KF_TRUSTED_ARGS the default for all kfuncs

[Puranjay Mohan]

Change the verifier to make trusted args the default requirement for
all kfuncs by removing is_kfunc_trusted_args() assuming it be to always
return true.

This works because:
1. Context pointers (xdp_md, __sk_buff, etc.) are handled through their
   own KF_ARG_PTR_TO_CTX case label and bypass the trusted check
2. Struct_ops callback arguments are already marked as PTR_TRUSTED during
   initialization and pass is_trusted_reg()
3. KF_RCU kfuncs are handled separately via is_kfunc_rcu() checks at
   call sites (always checked with || alongside is_kfunc_trusted_args)

This simple change makes all kfuncs require trusted args by default
while maintaining correct behavior for all existing special cases.

Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
---
 Documentation/bpf/kfuncs.rst | 35 +++++++++++++++++------------------
 kernel/bpf/verifier.c        | 14 +++-----------
 2 files changed, 20 insertions(+), 29 deletions(-)

diff --git a/Documentation/bpf/kfuncs.rst b/Documentation/bpf/kfuncs.rst
index e38941370b90..22b5a970078c 100644
--- a/Documentation/bpf/kfuncs.rst
+++ b/Documentation/bpf/kfuncs.rst
@@ -241,25 +241,23 @@ both are orthogonal to each other.
 The KF_RELEASE flag is used to indicate that the kfunc releases the pointer
 passed in to it. There can be only one referenced pointer that can be passed
 in. All copies of the pointer being released are invalidated as a result of
-invoking kfunc with this flag. KF_RELEASE kfuncs automatically receive the
-protection afforded by the KF_TRUSTED_ARGS flag described below.
+invoking kfunc with this flag.
 
-2.4.4 KF_TRUSTED_ARGS flag
---------------------------
+2.4.4 KF_TRUSTED_ARGS (default behavior)
+-----------------------------------------
 
-The KF_TRUSTED_ARGS flag is used for kfuncs taking pointer arguments. It
-indicates that the all pointer arguments are valid, and that all pointers to
-BTF objects have been passed in their unmodified form (that is, at a zero
-offset, and without having been obtained from walking another pointer, with one
-exception described below).
+All kfuncs now require trusted arguments by default. This means that all
+pointer arguments must be valid, and all pointers to BTF objects must be
+passed in their unmodified form (at a zero offset, and without having been
+obtained from walking another pointer, with exceptions described below).
 
-There are two types of pointers to kernel objects which are considered "valid":
+There are two types of pointers to kernel objects which are considered "trusted":
 
 1. Pointers which are passed as tracepoint or struct_ops callback arguments.
 2. Pointers which were returned from a KF_ACQUIRE kfunc.
 
 Pointers to non-BTF objects (e.g. scalar pointers) may also be passed to
-KF_TRUSTED_ARGS kfuncs, and may have a non-zero offset.
+kfuncs, and may have a non-zero offset.
 
 The definition of "valid" pointers is subject to change at any time, and has
 absolutely no ABI stability guarantees.
@@ -327,13 +325,14 @@ added later.
 2.4.7 KF_RCU flag
 -----------------
 
-The KF_RCU flag is a weaker version of KF_TRUSTED_ARGS. The kfuncs marked with
-KF_RCU expect either PTR_TRUSTED or MEM_RCU arguments. The verifier guarantees
-that the objects are valid and there is no use-after-free. The pointers are not
-NULL, but the object's refcount could have reached zero. The kfuncs need to
-consider doing refcnt != 0 check, especially when returning a KF_ACQUIRE
-pointer. Note as well that a KF_ACQUIRE kfunc that is KF_RCU should very likely
-also be KF_RET_NULL.
+The KF_RCU flag allows kfuncs to opt out of the default trusted args
+requirement and accept RCU pointers with weaker guarantees. The kfuncs marked
+with KF_RCU expect either PTR_TRUSTED or MEM_RCU arguments. The verifier
+guarantees that the objects are valid and there is no use-after-free. The
+pointers are not NULL, but the object's refcount could have reached zero. The
+kfuncs need to consider doing refcnt != 0 check, especially when returning a
+KF_ACQUIRE pointer. Note as well that a KF_ACQUIRE kfunc that is KF_RCU should
+very likely also be KF_RET_NULL.
 
 2.4.8 KF_RCU_PROTECTED flag
 ---------------------------
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 0baae7828af2..a31eace4a67c 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -12040,11 +12040,6 @@ static bool is_kfunc_release(struct bpf_kfunc_call_arg_meta *meta)
 	return meta->kfunc_flags & KF_RELEASE;
 }
 
-static bool is_kfunc_trusted_args(struct bpf_kfunc_call_arg_meta *meta)
-{
-	return (meta->kfunc_flags & KF_TRUSTED_ARGS) || is_kfunc_release(meta);
-}
-
 static bool is_kfunc_sleepable(struct bpf_kfunc_call_arg_meta *meta)
 {
 	return meta->kfunc_flags & KF_SLEEPABLE;
@@ -13253,9 +13248,9 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
 			return -EINVAL;
 		}
 
-		if ((is_kfunc_trusted_args(meta) || is_kfunc_rcu(meta)) &&
-		    (register_is_null(reg) || type_may_be_null(reg->type)) &&
-			!is_kfunc_arg_nullable(meta->btf, &args[i])) {
+		if ((register_is_null(reg) || type_may_be_null(reg->type)) &&
+		    !is_kfunc_arg_nullable(meta->btf, &args[i]) &&
+		    !is_kfunc_arg_optional(meta->btf, &args[i])) {
 			verbose(env, "Possibly NULL pointer passed to trusted arg%d\n", i);
 			return -EACCES;
 		}
@@ -13320,9 +13315,6 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
 			fallthrough;
 		case KF_ARG_PTR_TO_ALLOC_BTF_ID:
 		case KF_ARG_PTR_TO_BTF_ID:
-			if (!is_kfunc_trusted_args(meta) && !is_kfunc_rcu(meta))
-				break;
-
 			if (!is_trusted_reg(reg)) {
 				if (!is_kfunc_rcu(meta)) {
 					verbose(env, "R%d must be referenced or trusted\n", regno);
-- 
2.47.3

[PATCH bpf-next v2 2/9] bpf: net: netfilter: Mark kfuncs accurately

[Puranjay Mohan]

bpf_xdp_ct_lookup() and bpf_skb_ct_lookup() receive bpf_tuple and opts
parameter that are then checked for NULL by __bpf_nf_ct_lookup(), so
these kfuns expects these arguments to be NULL.

Mark bpf_tuple and opts with __nullable so verifier allows passing NULL
pointer for these arguments.

This change is now required because verfier will now assume that every
kfunc expects trusted arguments by default, so even though these kfuns
don't have the KF_TRSUTED_ARGS flag, all arguments will be treated by
as KF_TRSUTED_ARGS by default.

Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
---
 net/netfilter/nf_conntrack_bpf.c | 38 +++++++++++++++++---------------
 1 file changed, 20 insertions(+), 18 deletions(-)

diff --git a/net/netfilter/nf_conntrack_bpf.c b/net/netfilter/nf_conntrack_bpf.c
index 4a136fc3a9c0..a9f4b7d23fe0 100644
--- a/net/netfilter/nf_conntrack_bpf.c
+++ b/net/netfilter/nf_conntrack_bpf.c
@@ -291,16 +291,16 @@ __bpf_kfunc_start_defs();
  */
 __bpf_kfunc struct nf_conn___init *
 bpf_xdp_ct_alloc(struct xdp_md *xdp_ctx, struct bpf_sock_tuple *bpf_tuple,
-		 u32 tuple__sz, struct bpf_ct_opts *opts, u32 opts__sz)
+		 u32 tuple__sz, struct bpf_ct_opts *opts__nullable, u32 opts__sz)
 {
 	struct xdp_buff *ctx = (struct xdp_buff *)xdp_ctx;
 	struct nf_conn *nfct;
 
 	nfct = __bpf_nf_ct_alloc_entry(dev_net(ctx->rxq->dev), bpf_tuple, tuple__sz,
-				       opts, opts__sz, 10);
+				       opts__nullable, opts__sz, 10);
 	if (IS_ERR(nfct)) {
-		if (opts)
-			opts->error = PTR_ERR(nfct);
+		if (opts__nullable)
+			opts__nullable->error = PTR_ERR(nfct);
 		return NULL;
 	}
 
@@ -324,18 +324,19 @@ bpf_xdp_ct_alloc(struct xdp_md *xdp_ctx, struct bpf_sock_tuple *bpf_tuple,
  *		    Must be NF_BPF_CT_OPTS_SZ (16) or 12
  */
 __bpf_kfunc struct nf_conn *
-bpf_xdp_ct_lookup(struct xdp_md *xdp_ctx, struct bpf_sock_tuple *bpf_tuple,
-		  u32 tuple__sz, struct bpf_ct_opts *opts, u32 opts__sz)
+bpf_xdp_ct_lookup(struct xdp_md *xdp_ctx, struct bpf_sock_tuple *bpf_tuple__nullable,
+		  u32 tuple__sz, struct bpf_ct_opts *opts__nullable, u32 opts__sz)
 {
 	struct xdp_buff *ctx = (struct xdp_buff *)xdp_ctx;
 	struct net *caller_net;
 	struct nf_conn *nfct;
 
 	caller_net = dev_net(ctx->rxq->dev);
-	nfct = __bpf_nf_ct_lookup(caller_net, bpf_tuple, tuple__sz, opts, opts__sz);
+	nfct = __bpf_nf_ct_lookup(caller_net, bpf_tuple__nullable, tuple__sz, opts__nullable,
+				  opts__sz);
 	if (IS_ERR(nfct)) {
-		if (opts)
-			opts->error = PTR_ERR(nfct);
+		if (opts__nullable)
+			opts__nullable->error = PTR_ERR(nfct);
 		return NULL;
 	}
 	return nfct;
@@ -358,17 +359,17 @@ bpf_xdp_ct_lookup(struct xdp_md *xdp_ctx, struct bpf_sock_tuple *bpf_tuple,
  */
 __bpf_kfunc struct nf_conn___init *
 bpf_skb_ct_alloc(struct __sk_buff *skb_ctx, struct bpf_sock_tuple *bpf_tuple,
-		 u32 tuple__sz, struct bpf_ct_opts *opts, u32 opts__sz)
+		 u32 tuple__sz, struct bpf_ct_opts *opts__nullable, u32 opts__sz)
 {
 	struct sk_buff *skb = (struct sk_buff *)skb_ctx;
 	struct nf_conn *nfct;
 	struct net *net;
 
 	net = skb->dev ? dev_net(skb->dev) : sock_net(skb->sk);
-	nfct = __bpf_nf_ct_alloc_entry(net, bpf_tuple, tuple__sz, opts, opts__sz, 10);
+	nfct = __bpf_nf_ct_alloc_entry(net, bpf_tuple, tuple__sz, opts__nullable, opts__sz, 10);
 	if (IS_ERR(nfct)) {
-		if (opts)
-			opts->error = PTR_ERR(nfct);
+		if (opts__nullable)
+			opts__nullable->error = PTR_ERR(nfct);
 		return NULL;
 	}
 
@@ -392,18 +393,19 @@ bpf_skb_ct_alloc(struct __sk_buff *skb_ctx, struct bpf_sock_tuple *bpf_tuple,
  *		    Must be NF_BPF_CT_OPTS_SZ (16) or 12
  */
 __bpf_kfunc struct nf_conn *
-bpf_skb_ct_lookup(struct __sk_buff *skb_ctx, struct bpf_sock_tuple *bpf_tuple,
-		  u32 tuple__sz, struct bpf_ct_opts *opts, u32 opts__sz)
+bpf_skb_ct_lookup(struct __sk_buff *skb_ctx, struct bpf_sock_tuple *bpf_tuple__nullable,
+		  u32 tuple__sz, struct bpf_ct_opts *opts__nullable, u32 opts__sz)
 {
 	struct sk_buff *skb = (struct sk_buff *)skb_ctx;
 	struct net *caller_net;
 	struct nf_conn *nfct;
 
 	caller_net = skb->dev ? dev_net(skb->dev) : sock_net(skb->sk);
-	nfct = __bpf_nf_ct_lookup(caller_net, bpf_tuple, tuple__sz, opts, opts__sz);
+	nfct = __bpf_nf_ct_lookup(caller_net, bpf_tuple__nullable, tuple__sz, opts__nullable,
+				  opts__sz);
 	if (IS_ERR(nfct)) {
-		if (opts)
-			opts->error = PTR_ERR(nfct);
+		if (opts__nullable)
+			opts__nullable->error = PTR_ERR(nfct);
 		return NULL;
 	}
 	return nfct;
-- 
2.47.3

[PATCH bpf-next v2 3/9] bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs

[Puranjay Mohan]

Now that KF_TRUSTED_ARGS is the default for all kfuncs, remove the
explicit KF_TRUSTED_ARGS flag from all kfunc definitions and remove the
flag itself.

Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
---
 fs/bpf_fs_kfuncs.c                            | 13 ++++++------
 fs/verity/measure.c                           |  2 +-
 include/linux/btf.h                           |  3 +--
 kernel/bpf/arena.c                            |  6 +++---
 kernel/bpf/cpumask.c                          |  2 +-
 kernel/bpf/helpers.c                          | 20 +++++++++----------
 kernel/bpf/map_iter.c                         |  2 +-
 kernel/sched/ext.c                            |  8 ++++----
 mm/bpf_memcontrol.c                           | 10 +++++-----
 net/core/filter.c                             | 10 +++++-----
 net/core/xdp.c                                |  2 +-
 net/netfilter/nf_conntrack_bpf.c              |  8 ++++----
 net/netfilter/nf_flow_table_bpf.c             |  2 +-
 net/netfilter/nf_nat_bpf.c                    |  2 +-
 net/sched/bpf_qdisc.c                         | 12 +++++------
 .../selftests/bpf/test_kmods/bpf_testmod.c    | 20 +++++++++----------
 16 files changed, 60 insertions(+), 62 deletions(-)

diff --git a/fs/bpf_fs_kfuncs.c b/fs/bpf_fs_kfuncs.c
index 5ace2511fec5..a15d31690e0b 100644
--- a/fs/bpf_fs_kfuncs.c
+++ b/fs/bpf_fs_kfuncs.c
@@ -359,14 +359,13 @@ __bpf_kfunc int bpf_cgroup_read_xattr(struct cgroup *cgroup, const char *name__s
 __bpf_kfunc_end_defs();
 
 BTF_KFUNCS_START(bpf_fs_kfunc_set_ids)
-BTF_ID_FLAGS(func, bpf_get_task_exe_file,
-	     KF_ACQUIRE | KF_TRUSTED_ARGS | KF_RET_NULL)
+BTF_ID_FLAGS(func, bpf_get_task_exe_file, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_put_file, KF_RELEASE)
-BTF_ID_FLAGS(func, bpf_path_d_path, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_get_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_set_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_remove_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_path_d_path)
+BTF_ID_FLAGS(func, bpf_get_dentry_xattr, KF_SLEEPABLE)
+BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE)
+BTF_ID_FLAGS(func, bpf_set_dentry_xattr, KF_SLEEPABLE)
+BTF_ID_FLAGS(func, bpf_remove_dentry_xattr, KF_SLEEPABLE)
 BTF_KFUNCS_END(bpf_fs_kfunc_set_ids)
 
 static int bpf_fs_kfuncs_filter(const struct bpf_prog *prog, u32 kfunc_id)
diff --git a/fs/verity/measure.c b/fs/verity/measure.c
index 388734132f01..6a35623ebdf0 100644
--- a/fs/verity/measure.c
+++ b/fs/verity/measure.c
@@ -162,7 +162,7 @@ __bpf_kfunc int bpf_get_fsverity_digest(struct file *file, struct bpf_dynptr *di
 __bpf_kfunc_end_defs();
 
 BTF_KFUNCS_START(fsverity_set_ids)
-BTF_ID_FLAGS(func, bpf_get_fsverity_digest, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_get_fsverity_digest)
 BTF_KFUNCS_END(fsverity_set_ids)
 
 static int bpf_get_fsverity_digest_filter(const struct bpf_prog *prog, u32 kfunc_id)
diff --git a/include/linux/btf.h b/include/linux/btf.h
index f06976ffb63f..691f09784933 100644
--- a/include/linux/btf.h
+++ b/include/linux/btf.h
@@ -34,7 +34,7 @@
  *
  * And the following kfunc:
  *
- *	BTF_ID_FLAGS(func, bpf_task_acquire, KF_ACQUIRE | KF_TRUSTED_ARGS)
+ *	BTF_ID_FLAGS(func, bpf_task_acquire, KF_ACQUIRE)
  *
  * All invocations to the kfunc must pass the unmodified, unwalked task:
  *
@@ -66,7 +66,6 @@
  *	return 0;
  * }
  */
-#define KF_TRUSTED_ARGS (1 << 4) /* kfunc only takes trusted pointer arguments */
 #define KF_SLEEPABLE    (1 << 5) /* kfunc may sleep */
 #define KF_DESTRUCTIVE  (1 << 6) /* kfunc performs destructive actions */
 #define KF_RCU          (1 << 7) /* kfunc takes either rcu or trusted pointer arguments */
diff --git a/kernel/bpf/arena.c b/kernel/bpf/arena.c
index 456ac989269d..2274319a95e6 100644
--- a/kernel/bpf/arena.c
+++ b/kernel/bpf/arena.c
@@ -890,9 +890,9 @@ __bpf_kfunc int bpf_arena_reserve_pages(void *p__map, void *ptr__ign, u32 page_c
 __bpf_kfunc_end_defs();
 
 BTF_KFUNCS_START(arena_kfuncs)
-BTF_ID_FLAGS(func, bpf_arena_alloc_pages, KF_TRUSTED_ARGS | KF_ARENA_RET | KF_ARENA_ARG2)
-BTF_ID_FLAGS(func, bpf_arena_free_pages, KF_TRUSTED_ARGS | KF_ARENA_ARG2)
-BTF_ID_FLAGS(func, bpf_arena_reserve_pages, KF_TRUSTED_ARGS | KF_ARENA_ARG2)
+BTF_ID_FLAGS(func, bpf_arena_alloc_pages, KF_ARENA_RET | KF_ARENA_ARG2)
+BTF_ID_FLAGS(func, bpf_arena_free_pages, KF_ARENA_ARG2)
+BTF_ID_FLAGS(func, bpf_arena_reserve_pages, KF_ARENA_ARG2)
 BTF_KFUNCS_END(arena_kfuncs)
 
 static const struct btf_kfunc_id_set common_kfunc_set = {
diff --git a/kernel/bpf/cpumask.c b/kernel/bpf/cpumask.c
index 9876c5fe6c2a..b8c805b4b06a 100644
--- a/kernel/bpf/cpumask.c
+++ b/kernel/bpf/cpumask.c
@@ -477,7 +477,7 @@ __bpf_kfunc_end_defs();
 BTF_KFUNCS_START(cpumask_kfunc_btf_ids)
 BTF_ID_FLAGS(func, bpf_cpumask_create, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_cpumask_release, KF_RELEASE)
-BTF_ID_FLAGS(func, bpf_cpumask_acquire, KF_ACQUIRE | KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_cpumask_acquire, KF_ACQUIRE)
 BTF_ID_FLAGS(func, bpf_cpumask_first, KF_RCU)
 BTF_ID_FLAGS(func, bpf_cpumask_first_zero, KF_RCU)
 BTF_ID_FLAGS(func, bpf_cpumask_first_and, KF_RCU)
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index db72b96f9c8c..2c15f77c74db 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -4427,7 +4427,7 @@ BTF_ID_FLAGS(func, bpf_task_from_pid, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_task_from_vpid, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_throw)
 #ifdef CONFIG_BPF_EVENTS
-BTF_ID_FLAGS(func, bpf_send_signal_task, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_send_signal_task)
 #endif
 #ifdef CONFIG_KEYS
 BTF_ID_FLAGS(func, bpf_lookup_user_key, KF_ACQUIRE | KF_RET_NULL | KF_SLEEPABLE)
@@ -4467,14 +4467,14 @@ BTF_ID_FLAGS(func, bpf_iter_task_vma_new, KF_ITER_NEW | KF_RCU)
 BTF_ID_FLAGS(func, bpf_iter_task_vma_next, KF_ITER_NEXT | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_iter_task_vma_destroy, KF_ITER_DESTROY)
 #ifdef CONFIG_CGROUPS
-BTF_ID_FLAGS(func, bpf_iter_css_task_new, KF_ITER_NEW | KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_iter_css_task_new, KF_ITER_NEW)
 BTF_ID_FLAGS(func, bpf_iter_css_task_next, KF_ITER_NEXT | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_iter_css_task_destroy, KF_ITER_DESTROY)
-BTF_ID_FLAGS(func, bpf_iter_css_new, KF_ITER_NEW | KF_TRUSTED_ARGS | KF_RCU_PROTECTED)
+BTF_ID_FLAGS(func, bpf_iter_css_new, KF_ITER_NEW | KF_RCU_PROTECTED)
 BTF_ID_FLAGS(func, bpf_iter_css_next, KF_ITER_NEXT | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_iter_css_destroy, KF_ITER_DESTROY)
 #endif
-BTF_ID_FLAGS(func, bpf_iter_task_new, KF_ITER_NEW | KF_TRUSTED_ARGS | KF_RCU_PROTECTED)
+BTF_ID_FLAGS(func, bpf_iter_task_new, KF_ITER_NEW | KF_RCU_PROTECTED)
 BTF_ID_FLAGS(func, bpf_iter_task_next, KF_ITER_NEXT | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_iter_task_destroy, KF_ITER_DESTROY)
 BTF_ID_FLAGS(func, bpf_dynptr_adjust)
@@ -4510,8 +4510,8 @@ BTF_ID_FLAGS(func, bpf_probe_read_user_str_dynptr)
 BTF_ID_FLAGS(func, bpf_probe_read_kernel_str_dynptr)
 BTF_ID_FLAGS(func, bpf_copy_from_user_dynptr, KF_SLEEPABLE)
 BTF_ID_FLAGS(func, bpf_copy_from_user_str_dynptr, KF_SLEEPABLE)
-BTF_ID_FLAGS(func, bpf_copy_from_user_task_dynptr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_copy_from_user_task_str_dynptr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_copy_from_user_task_dynptr, KF_SLEEPABLE)
+BTF_ID_FLAGS(func, bpf_copy_from_user_task_str_dynptr, KF_SLEEPABLE)
 #endif
 #ifdef CONFIG_DMA_SHARED_BUFFER
 BTF_ID_FLAGS(func, bpf_iter_dmabuf_new, KF_ITER_NEW | KF_SLEEPABLE)
@@ -4536,10 +4536,10 @@ BTF_ID_FLAGS(func, bpf_strncasestr);
 #if defined(CONFIG_BPF_LSM) && defined(CONFIG_CGROUPS)
 BTF_ID_FLAGS(func, bpf_cgroup_read_xattr, KF_RCU)
 #endif
-BTF_ID_FLAGS(func, bpf_stream_vprintk_impl, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_task_work_schedule_signal_impl, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_task_work_schedule_resume_impl, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_dynptr_from_file, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_stream_vprintk_impl)
+BTF_ID_FLAGS(func, bpf_task_work_schedule_signal_impl)
+BTF_ID_FLAGS(func, bpf_task_work_schedule_resume_impl)
+BTF_ID_FLAGS(func, bpf_dynptr_from_file)
 BTF_ID_FLAGS(func, bpf_dynptr_file_discard)
 BTF_KFUNCS_END(common_btf_ids)
 
diff --git a/kernel/bpf/map_iter.c b/kernel/bpf/map_iter.c
index 9575314f40a6..261a03ea73d3 100644
--- a/kernel/bpf/map_iter.c
+++ b/kernel/bpf/map_iter.c
@@ -214,7 +214,7 @@ __bpf_kfunc s64 bpf_map_sum_elem_count(const struct bpf_map *map)
 __bpf_kfunc_end_defs();
 
 BTF_KFUNCS_START(bpf_map_iter_kfunc_ids)
-BTF_ID_FLAGS(func, bpf_map_sum_elem_count, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_map_sum_elem_count)
 BTF_KFUNCS_END(bpf_map_iter_kfunc_ids)
 
 static const struct btf_kfunc_id_set bpf_map_iter_kfunc_set = {
diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
index 94164f2dec6d..fd5423428dde 100644
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -7229,9 +7229,9 @@ BTF_ID_FLAGS(func, scx_bpf_dsq_peek, KF_RCU_PROTECTED | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_iter_scx_dsq_new, KF_ITER_NEW | KF_RCU_PROTECTED)
 BTF_ID_FLAGS(func, bpf_iter_scx_dsq_next, KF_ITER_NEXT | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_iter_scx_dsq_destroy, KF_ITER_DESTROY)
-BTF_ID_FLAGS(func, scx_bpf_exit_bstr, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, scx_bpf_error_bstr, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, scx_bpf_dump_bstr, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, scx_bpf_exit_bstr)
+BTF_ID_FLAGS(func, scx_bpf_error_bstr)
+BTF_ID_FLAGS(func, scx_bpf_dump_bstr)
 BTF_ID_FLAGS(func, scx_bpf_reenqueue_local___v2)
 BTF_ID_FLAGS(func, scx_bpf_cpuperf_cap)
 BTF_ID_FLAGS(func, scx_bpf_cpuperf_cur)
@@ -7250,7 +7250,7 @@ BTF_ID_FLAGS(func, scx_bpf_cpu_curr, KF_RET_NULL | KF_RCU_PROTECTED)
 BTF_ID_FLAGS(func, scx_bpf_task_cgroup, KF_RCU | KF_ACQUIRE)
 #endif
 BTF_ID_FLAGS(func, scx_bpf_now)
-BTF_ID_FLAGS(func, scx_bpf_events, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, scx_bpf_events)
 BTF_KFUNCS_END(scx_kfunc_ids_any)
 
 static const struct btf_kfunc_id_set scx_kfunc_set_any = {
diff --git a/mm/bpf_memcontrol.c b/mm/bpf_memcontrol.c
index e8fa7f5855f9..716df49d7647 100644
--- a/mm/bpf_memcontrol.c
+++ b/mm/bpf_memcontrol.c
@@ -166,11 +166,11 @@ BTF_ID_FLAGS(func, bpf_get_root_mem_cgroup, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_get_mem_cgroup, KF_ACQUIRE | KF_RET_NULL | KF_RCU)
 BTF_ID_FLAGS(func, bpf_put_mem_cgroup, KF_RELEASE)
 
-BTF_ID_FLAGS(func, bpf_mem_cgroup_vm_events, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_mem_cgroup_memory_events, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_mem_cgroup_usage, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_mem_cgroup_page_state, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_mem_cgroup_flush_stats, KF_TRUSTED_ARGS | KF_SLEEPABLE)
+BTF_ID_FLAGS(func, bpf_mem_cgroup_vm_events)
+BTF_ID_FLAGS(func, bpf_mem_cgroup_memory_events)
+BTF_ID_FLAGS(func, bpf_mem_cgroup_usage)
+BTF_ID_FLAGS(func, bpf_mem_cgroup_page_state)
+BTF_ID_FLAGS(func, bpf_mem_cgroup_flush_stats, KF_SLEEPABLE)
 
 BTF_KFUNCS_END(bpf_memcontrol_kfuncs)
 
diff --git a/net/core/filter.c b/net/core/filter.c
index 616e0520a0bb..d43df98e1ded 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -12438,11 +12438,11 @@ int bpf_dynptr_from_skb_rdonly(struct __sk_buff *skb, u64 flags,
 }
 
 BTF_KFUNCS_START(bpf_kfunc_check_set_skb)
-BTF_ID_FLAGS(func, bpf_dynptr_from_skb, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_dynptr_from_skb)
 BTF_KFUNCS_END(bpf_kfunc_check_set_skb)
 
 BTF_KFUNCS_START(bpf_kfunc_check_set_skb_meta)
-BTF_ID_FLAGS(func, bpf_dynptr_from_skb_meta, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_dynptr_from_skb_meta)
 BTF_KFUNCS_END(bpf_kfunc_check_set_skb_meta)
 
 BTF_KFUNCS_START(bpf_kfunc_check_set_xdp)
@@ -12455,11 +12455,11 @@ BTF_ID_FLAGS(func, bpf_sock_addr_set_sun_path)
 BTF_KFUNCS_END(bpf_kfunc_check_set_sock_addr)
 
 BTF_KFUNCS_START(bpf_kfunc_check_set_tcp_reqsk)
-BTF_ID_FLAGS(func, bpf_sk_assign_tcp_reqsk, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_sk_assign_tcp_reqsk)
 BTF_KFUNCS_END(bpf_kfunc_check_set_tcp_reqsk)
 
 BTF_KFUNCS_START(bpf_kfunc_check_set_sock_ops)
-BTF_ID_FLAGS(func, bpf_sock_ops_enable_tx_tstamp, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_sock_ops_enable_tx_tstamp)
 BTF_KFUNCS_END(bpf_kfunc_check_set_sock_ops)
 
 static const struct btf_kfunc_id_set bpf_kfunc_set_skb = {
@@ -12554,7 +12554,7 @@ __bpf_kfunc int bpf_sock_destroy(struct sock_common *sock)
 __bpf_kfunc_end_defs();
 
 BTF_KFUNCS_START(bpf_sk_iter_kfunc_ids)
-BTF_ID_FLAGS(func, bpf_sock_destroy, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_sock_destroy)
 BTF_KFUNCS_END(bpf_sk_iter_kfunc_ids)
 
 static int tracing_iter_filter(const struct bpf_prog *prog, u32 kfunc_id)
diff --git a/net/core/xdp.c b/net/core/xdp.c
index 9100e160113a..fee6d080ee85 100644
--- a/net/core/xdp.c
+++ b/net/core/xdp.c
@@ -964,7 +964,7 @@ __bpf_kfunc int bpf_xdp_metadata_rx_vlan_tag(const struct xdp_md *ctx,
 __bpf_kfunc_end_defs();
 
 BTF_KFUNCS_START(xdp_metadata_kfunc_ids)
-#define XDP_METADATA_KFUNC(_, __, name, ___) BTF_ID_FLAGS(func, name, KF_TRUSTED_ARGS)
+#define XDP_METADATA_KFUNC(_, __, name, ___) BTF_ID_FLAGS(func, name)
 XDP_METADATA_KFUNC_xxx
 #undef XDP_METADATA_KFUNC
 BTF_KFUNCS_END(xdp_metadata_kfunc_ids)
diff --git a/net/netfilter/nf_conntrack_bpf.c b/net/netfilter/nf_conntrack_bpf.c
index a9f4b7d23fe0..a82d3388c0dd 100644
--- a/net/netfilter/nf_conntrack_bpf.c
+++ b/net/netfilter/nf_conntrack_bpf.c
@@ -518,10 +518,10 @@ BTF_ID_FLAGS(func, bpf_skb_ct_alloc, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_skb_ct_lookup, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_ct_insert_entry, KF_ACQUIRE | KF_RET_NULL | KF_RELEASE)
 BTF_ID_FLAGS(func, bpf_ct_release, KF_RELEASE)
-BTF_ID_FLAGS(func, bpf_ct_set_timeout, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_ct_change_timeout, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_ct_set_status, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_ct_change_status, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_ct_set_timeout)
+BTF_ID_FLAGS(func, bpf_ct_change_timeout)
+BTF_ID_FLAGS(func, bpf_ct_set_status)
+BTF_ID_FLAGS(func, bpf_ct_change_status)
 BTF_KFUNCS_END(nf_ct_kfunc_set)
 
 static const struct btf_kfunc_id_set nf_conntrack_kfunc_set = {
diff --git a/net/netfilter/nf_flow_table_bpf.c b/net/netfilter/nf_flow_table_bpf.c
index 4a5f5195f2d2..cbd5b97a6329 100644
--- a/net/netfilter/nf_flow_table_bpf.c
+++ b/net/netfilter/nf_flow_table_bpf.c
@@ -105,7 +105,7 @@ __diag_pop()
 __bpf_kfunc_end_defs();
 
 BTF_KFUNCS_START(nf_ft_kfunc_set)
-BTF_ID_FLAGS(func, bpf_xdp_flow_lookup, KF_TRUSTED_ARGS | KF_RET_NULL)
+BTF_ID_FLAGS(func, bpf_xdp_flow_lookup, KF_RET_NULL)
 BTF_KFUNCS_END(nf_ft_kfunc_set)
 
 static const struct btf_kfunc_id_set nf_flow_kfunc_set = {
diff --git a/net/netfilter/nf_nat_bpf.c b/net/netfilter/nf_nat_bpf.c
index 481be15609b1..f9dd85ccea01 100644
--- a/net/netfilter/nf_nat_bpf.c
+++ b/net/netfilter/nf_nat_bpf.c
@@ -55,7 +55,7 @@ __bpf_kfunc int bpf_ct_set_nat_info(struct nf_conn___init *nfct,
 __bpf_kfunc_end_defs();
 
 BTF_KFUNCS_START(nf_nat_kfunc_set)
-BTF_ID_FLAGS(func, bpf_ct_set_nat_info, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_ct_set_nat_info)
 BTF_KFUNCS_END(nf_nat_kfunc_set)
 
 static const struct btf_kfunc_id_set nf_bpf_nat_kfunc_set = {
diff --git a/net/sched/bpf_qdisc.c b/net/sched/bpf_qdisc.c
index adcb618a2bfc..b9771788b9b3 100644
--- a/net/sched/bpf_qdisc.c
+++ b/net/sched/bpf_qdisc.c
@@ -271,14 +271,14 @@ __bpf_kfunc void bpf_qdisc_bstats_update(struct Qdisc *sch, const struct sk_buff
 __bpf_kfunc_end_defs();
 
 BTF_KFUNCS_START(qdisc_kfunc_ids)
-BTF_ID_FLAGS(func, bpf_skb_get_hash, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_skb_get_hash)
 BTF_ID_FLAGS(func, bpf_kfree_skb, KF_RELEASE)
 BTF_ID_FLAGS(func, bpf_qdisc_skb_drop, KF_RELEASE)
-BTF_ID_FLAGS(func, bpf_dynptr_from_skb, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_qdisc_watchdog_schedule, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_qdisc_init_prologue, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_qdisc_reset_destroy_epilogue, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_qdisc_bstats_update, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_dynptr_from_skb)
+BTF_ID_FLAGS(func, bpf_qdisc_watchdog_schedule)
+BTF_ID_FLAGS(func, bpf_qdisc_init_prologue)
+BTF_ID_FLAGS(func, bpf_qdisc_reset_destroy_epilogue)
+BTF_ID_FLAGS(func, bpf_qdisc_bstats_update)
 BTF_KFUNCS_END(qdisc_kfunc_ids)
 
 BTF_SET_START(qdisc_common_kfunc_set)
diff --git a/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c b/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c
index 90c4b1a51de6..1c41d03bd5a1 100644
--- a/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c
+++ b/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c
@@ -693,9 +693,9 @@ BTF_ID_FLAGS(func, bpf_kfunc_dynptr_test)
 BTF_ID_FLAGS(func, bpf_kfunc_nested_acquire_nonzero_offset_test, KF_ACQUIRE)
 BTF_ID_FLAGS(func, bpf_kfunc_nested_acquire_zero_offset_test, KF_ACQUIRE)
 BTF_ID_FLAGS(func, bpf_kfunc_nested_release_test, KF_RELEASE)
-BTF_ID_FLAGS(func, bpf_kfunc_trusted_vma_test, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_kfunc_trusted_task_test, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_kfunc_trusted_num_test, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_kfunc_trusted_vma_test)
+BTF_ID_FLAGS(func, bpf_kfunc_trusted_task_test)
+BTF_ID_FLAGS(func, bpf_kfunc_trusted_num_test)
 BTF_ID_FLAGS(func, bpf_kfunc_rcu_task_test, KF_RCU)
 BTF_ID_FLAGS(func, bpf_kfunc_ret_rcu_test, KF_RET_NULL | KF_RCU_PROTECTED)
 BTF_ID_FLAGS(func, bpf_kfunc_ret_rcu_test_nostruct, KF_RET_NULL | KF_RCU_PROTECTED)
@@ -1158,7 +1158,7 @@ BTF_ID_FLAGS(func, bpf_kfunc_call_test_pass2)
 BTF_ID_FLAGS(func, bpf_kfunc_call_test_fail1)
 BTF_ID_FLAGS(func, bpf_kfunc_call_test_fail2)
 BTF_ID_FLAGS(func, bpf_kfunc_call_test_fail3)
-BTF_ID_FLAGS(func, bpf_kfunc_call_test_ref, KF_TRUSTED_ARGS | KF_RCU)
+BTF_ID_FLAGS(func, bpf_kfunc_call_test_ref, KF_RCU)
 BTF_ID_FLAGS(func, bpf_kfunc_call_test_destructive, KF_DESTRUCTIVE)
 BTF_ID_FLAGS(func, bpf_kfunc_call_test_static_unused_arg)
 BTF_ID_FLAGS(func, bpf_kfunc_call_test_offset)
@@ -1172,12 +1172,12 @@ BTF_ID_FLAGS(func, bpf_kfunc_call_kernel_sendmsg, KF_SLEEPABLE)
 BTF_ID_FLAGS(func, bpf_kfunc_call_sock_sendmsg, KF_SLEEPABLE)
 BTF_ID_FLAGS(func, bpf_kfunc_call_kernel_getsockname, KF_SLEEPABLE)
 BTF_ID_FLAGS(func, bpf_kfunc_call_kernel_getpeername, KF_SLEEPABLE)
-BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_prologue, KF_TRUSTED_ARGS | KF_SLEEPABLE)
-BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_epilogue, KF_TRUSTED_ARGS | KF_SLEEPABLE)
-BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_pro_epilogue, KF_TRUSTED_ARGS | KF_SLEEPABLE)
-BTF_ID_FLAGS(func, bpf_kfunc_st_ops_inc10, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_kfunc_multi_st_ops_test_1, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_kfunc_multi_st_ops_test_1_impl, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_prologue, KF_SLEEPABLE)
+BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_epilogue, KF_SLEEPABLE)
+BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_pro_epilogue, KF_SLEEPABLE)
+BTF_ID_FLAGS(func, bpf_kfunc_st_ops_inc10)
+BTF_ID_FLAGS(func, bpf_kfunc_multi_st_ops_test_1)
+BTF_ID_FLAGS(func, bpf_kfunc_multi_st_ops_test_1_impl)
 BTF_KFUNCS_END(bpf_testmod_check_kfunc_ids)
 
 static int bpf_testmod_ops_init(struct btf *btf)
-- 
2.47.3

[PATCH bpf-next v2 4/9] selftests: bpf: Update kfunc_param_nullable test for new error message

[Puranjay Mohan]

With trusted args now being the default, the NULL pointer check runs
before type-specific validation. Update test3 to expect the new error
message "Possibly NULL pointer passed to trusted arg0" instead of the
old dynptr-specific error message.

Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
---
 tools/testing/selftests/bpf/progs/test_kfunc_param_nullable.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/testing/selftests/bpf/progs/test_kfunc_param_nullable.c b/tools/testing/selftests/bpf/progs/test_kfunc_param_nullable.c
index 0ad1bf1ede8d..967081bbcfe1 100644
--- a/tools/testing/selftests/bpf/progs/test_kfunc_param_nullable.c
+++ b/tools/testing/selftests/bpf/progs/test_kfunc_param_nullable.c
@@ -29,7 +29,7 @@ int kfunc_dynptr_nullable_test2(struct __sk_buff *skb)
 }
 
 SEC("tc")
-__failure __msg("expected pointer to stack or const struct bpf_dynptr")
+__failure __msg("Possibly NULL pointer passed to trusted arg0")
 int kfunc_dynptr_nullable_test3(struct __sk_buff *skb)
 {
 	struct bpf_dynptr data;
-- 
2.47.3

[PATCH bpf-next v2 5/9] selftests: bpf: Update failure message for rbtree_fail

[Puranjay Mohan]

The rbtree_api_use_unchecked_remove_retval() selftest passes a pointer
received from bpf_rbtree_remove() to bpf_rbtree_add() without checking
for NULL, this was earlier caught by __check_ptr_off_reg() in the
verifier. Now the verifier assumes every kfunc only takes trusted pointer
arguments, so it catches this NULL pointer earlier in the path and
provides a more accurate failure message.

Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
---
 tools/testing/selftests/bpf/progs/rbtree_fail.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/testing/selftests/bpf/progs/rbtree_fail.c b/tools/testing/selftests/bpf/progs/rbtree_fail.c
index 4acb6af2dfe3..70b7baf9304b 100644
--- a/tools/testing/selftests/bpf/progs/rbtree_fail.c
+++ b/tools/testing/selftests/bpf/progs/rbtree_fail.c
@@ -153,7 +153,7 @@ long rbtree_api_add_to_multiple_trees(void *ctx)
 }
 
 SEC("?tc")
-__failure __msg("dereference of modified ptr_or_null_ ptr R2 off=16 disallowed")
+__failure __msg("Possibly NULL pointer passed to trusted arg1")
 long rbtree_api_use_unchecked_remove_retval(void *ctx)
 {
 	struct bpf_rb_node *res;
-- 
2.47.3

[PATCH bpf-next v2 6/9] selftests: bpf: fix test_kfunc_dynptr_param

[Puranjay Mohan]

As verifier now assumes that all kfuncs only takes trusted pointer
arguments, passing 0 (NULL) to a kfunc that doesn't mark the argument as
__nullable or __opt will be rejected with a failure message of: Possibly
NULL pointer passed to trusted arg<n>

Pass a non-null value to the kfunc to test the expected failure mode.

Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
---
 tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c b/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
index 061befb004c2..d249113ed657 100644
--- a/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
+++ b/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
@@ -48,10 +48,9 @@ SEC("?lsm.s/bpf")
 __failure __msg("arg#0 expected pointer to stack or const struct bpf_dynptr")
 int BPF_PROG(not_ptr_to_stack, int cmd, union bpf_attr *attr, unsigned int size, bool kernel)
 {
-	unsigned long val = 0;
+	static struct bpf_dynptr val;
 
-	return bpf_verify_pkcs7_signature((struct bpf_dynptr *)val,
-					  (struct bpf_dynptr *)val, NULL);
+	return bpf_verify_pkcs7_signature(&val, &val, NULL);
 }
 
 SEC("lsm.s/bpf")
-- 
2.47.3

[PATCH bpf-next v2 7/9] selftests: bpf: fix cgroup_hierarchical_stats

[Puranjay Mohan]

The cgroup_hierarchical_stats selftests uses an fentry program attached
to cgroup_attach_task and then passes the received &dst_cgrp->self to
the css_rstat_updated() kfunc. The verifier now assumes that all kfuncs
only takes trusted pointer arguments, and pointers received by fentry
are not marked trustes by default.

Use a tp_btf program in place for fentry for this test, pointers
received by tp_btf programs are marked trusted by the verifier.

Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
---
 .../testing/selftests/bpf/progs/cgroup_hierarchical_stats.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tools/testing/selftests/bpf/progs/cgroup_hierarchical_stats.c b/tools/testing/selftests/bpf/progs/cgroup_hierarchical_stats.c
index ff189a736ad8..8fc38592a87b 100644
--- a/tools/testing/selftests/bpf/progs/cgroup_hierarchical_stats.c
+++ b/tools/testing/selftests/bpf/progs/cgroup_hierarchical_stats.c
@@ -62,9 +62,9 @@ static int create_attach_counter(__u64 cg_id, __u64 state, __u64 pending)
 				   &init, BPF_NOEXIST);
 }
 
-SEC("fentry/cgroup_attach_task")
-int BPF_PROG(counter, struct cgroup *dst_cgrp, struct task_struct *leader,
-	     bool threadgroup)
+SEC("tp_btf/cgroup_attach_task")
+int BPF_PROG(counter, struct cgroup *dst_cgrp, const char *path,
+	     struct task_struct *task, bool threadgroup)
 {
 	__u64 cg_id = cgroup_id(dst_cgrp);
 	struct percpu_attach_counter *pcpu_counter = bpf_map_lookup_elem(
-- 
2.47.3

[PATCH bpf-next v2 8/9] bpf: xfrm: drop dead NULL check in bpf_xdp_get_xfrm_state()

[Puranjay Mohan]

As KF_TRUSTED_ARGS is now considered the default for all kfuncs, the
opts parameter in bpf_xdp_get_xfrm_state() can never be NULL. Verifier
will detect this at load time and will not allow passing NULL to this
function. This matches the documentation above the kfunc that says this
parameter (opts) Cannot be NULL.

Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
---
 net/xfrm/xfrm_state_bpf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_state_bpf.c b/net/xfrm/xfrm_state_bpf.c
index 2248eda741f8..4180c317f9bc 100644
--- a/net/xfrm/xfrm_state_bpf.c
+++ b/net/xfrm/xfrm_state_bpf.c
@@ -68,7 +68,7 @@ bpf_xdp_get_xfrm_state(struct xdp_md *ctx, struct bpf_xfrm_state_opts *opts, u32
 	struct net *net = dev_net(xdp->rxq->dev);
 	struct xfrm_state *x;
 
-	if (!opts || opts__sz < sizeof(opts->error))
+	if (opts__sz < sizeof(opts->error))
 		return NULL;
 
 	if (opts__sz != BPF_XFRM_STATE_OPTS_SZ) {
-- 
2.47.3

[PATCH bpf-next v2 9/9] HID: bpf: drop dead NULL checks in kfuncs

[Puranjay Mohan]

As KF_TRUSTED_ARGS is now considered default for all kfuns, the verifier
will not allow passing NULL pointers to these kfuns. These checks for
NULL pointers can therefore be removed.

Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
---
 drivers/hid/bpf/hid_bpf_dispatch.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/hid/bpf/hid_bpf_dispatch.c b/drivers/hid/bpf/hid_bpf_dispatch.c
index 9a06f9b0e4ef..892aca026ffa 100644
--- a/drivers/hid/bpf/hid_bpf_dispatch.c
+++ b/drivers/hid/bpf/hid_bpf_dispatch.c
@@ -295,9 +295,6 @@ hid_bpf_get_data(struct hid_bpf_ctx *ctx, unsigned int offset, const size_t rdwr
 {
 	struct hid_bpf_ctx_kern *ctx_kern;
 
-	if (!ctx)
-		return NULL;
-
 	ctx_kern = container_of(ctx, struct hid_bpf_ctx_kern, ctx);
 
 	if (rdwr_buf_size + offset > ctx->allocated_size)
@@ -364,7 +361,7 @@ __hid_bpf_hw_check_params(struct hid_bpf_ctx *ctx, __u8 *buf, size_t *buf__sz,
 	u32 report_len;
 
 	/* check arguments */
-	if (!ctx || !hid_ops || !buf)
+	if (!hid_ops)
 		return -EINVAL;
 
 	switch (rtype) {
-- 
2.47.3

Re: [PATCH bpf-next v2 1/9] bpf: Make KF_TRUSTED_ARGS the default for all kfuncs

[bot+bpf-ci]

[-- Attachment #1: Type: text/plain, Size: 2151 bytes --]

> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 3d44c5d06623..359a962d69a1 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c

[ ... ]

> @@ -13253,9 +13248,9 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
> 			return -EINVAL;
> 		}
>
> -		if ((is_kfunc_trusted_args(meta) || is_kfunc_rcu(meta)) &&
> -		    (register_is_null(reg) || type_may_be_null(reg->type)) &&
> -			!is_kfunc_arg_nullable(meta->btf, &args[i])) {
> +		if ((register_is_null(reg) || type_may_be_null(reg->type)) &&
> +		    !is_kfunc_arg_nullable(meta->btf, &args[i]) &&
> +		    !is_kfunc_arg_optional(meta->btf, &args[i])) {
> 			verbose(env, "Possibly NULL pointer passed to trusted arg%d\n", i);
> 			return -EACCES;
> 		}

The NULL check guard (is_kfunc_trusted_args || is_kfunc_rcu) is removed here,
making the check unconditional for all kfuncs. This means kfuncs that
previously accepted NULL pointers without KF_TRUSTED_ARGS will now reject
NULL at verification time.

Several netfilter kfuncs are affected: bpf_xdp_ct_lookup(), bpf_skb_ct_lookup(),
bpf_xdp_ct_alloc(), and bpf_skb_ct_alloc() all accept NULL for their bpf_tuple
and opts parameters internally (checked in __bpf_nf_ct_lookup), but after this
change the verifier rejects NULL before the kfunc is even called.

I see this is addressed in the series by commit 4ca5896ad640 ("bpf: net:
netfilter: Mark kfuncs accurately") which adds the __nullable suffix to
these parameters.

> @@ -13320,9 +13315,6 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
> 			fallthrough;
> 		case KF_ARG_PTR_TO_ALLOC_BTF_ID:
> 		case KF_ARG_PTR_TO_BTF_ID:
> -			if (!is_kfunc_trusted_args(meta) && !is_kfunc_rcu(meta))
> -				break;
> -
> 			if (!is_trusted_reg(reg)) {
> 				if (!is_kfunc_rcu(meta)) {
> 					verbose(env, "R%d must be referenced or trusted\n", regno);

[ ... ]


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/20623776553

Re: [PATCH bpf-next v2 9/9] HID: bpf: drop dead NULL checks in kfuncs

[Alexei Starovoitov]

On Wed, Dec 31, 2025 at 9:12 AM Puranjay Mohan <puranjay@kernel.org> wrote:
>
> As KF_TRUSTED_ARGS is now considered default for all kfuns, the verifier
> will not allow passing NULL pointers to these kfuns. These checks for
> NULL pointers can therefore be removed.
>
> Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
> ---
>  drivers/hid/bpf/hid_bpf_dispatch.c | 5 +----
>  1 file changed, 1 insertion(+), 4 deletions(-)

Benjamin,

please run this patch set through your testsuite.
We don't expect breakage, but please double check and ack.

> diff --git a/drivers/hid/bpf/hid_bpf_dispatch.c b/drivers/hid/bpf/hid_bpf_dispatch.c
> index 9a06f9b0e4ef..892aca026ffa 100644
> --- a/drivers/hid/bpf/hid_bpf_dispatch.c
> +++ b/drivers/hid/bpf/hid_bpf_dispatch.c
> @@ -295,9 +295,6 @@ hid_bpf_get_data(struct hid_bpf_ctx *ctx, unsigned int offset, const size_t rdwr
>  {
>         struct hid_bpf_ctx_kern *ctx_kern;
>
> -       if (!ctx)
> -               return NULL;
> -
>         ctx_kern = container_of(ctx, struct hid_bpf_ctx_kern, ctx);
>
>         if (rdwr_buf_size + offset > ctx->allocated_size)
> @@ -364,7 +361,7 @@ __hid_bpf_hw_check_params(struct hid_bpf_ctx *ctx, __u8 *buf, size_t *buf__sz,
>         u32 report_len;
>
>         /* check arguments */
> -       if (!ctx || !hid_ops || !buf)
> +       if (!hid_ops)
>                 return -EINVAL;
>
>         switch (rtype) {
> --
> 2.47.3
>

Re: [PATCH bpf-next v2 9/9] HID: bpf: drop dead NULL checks in kfuncs

[Puranjay Mohan]

On Wed, Dec 31, 2025 at 6:20 PM Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
>
> On Wed, Dec 31, 2025 at 9:12 AM Puranjay Mohan <puranjay@kernel.org> wrote:
> >
> > As KF_TRUSTED_ARGS is now considered default for all kfuns, the verifier
> > will not allow passing NULL pointers to these kfuns. These checks for
> > NULL pointers can therefore be removed.
> >
> > Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
> > ---
> >  drivers/hid/bpf/hid_bpf_dispatch.c | 5 +----
> >  1 file changed, 1 insertion(+), 4 deletions(-)
>
> Benjamin,
>
> please run this patch set through your testsuite.
> We don't expect breakage, but please double check and ack.
>

I did run the hid bpf selftests, I am not sure if this is enough:

[root@alarm hid]# ./hid_bpf
TAP version 13
1..20
# Starting 20 tests from 1 test cases.
#  RUN           hid_bpf.test_create_uhid ...
hid-generic 0003:0001:0A36.0001: hidraw0: USB HID v0.00 Device
[test-uhid-device-268] on 268
#            OK  hid_bpf.test_create_uhid
ok 1 hid_bpf.test_create_uhid
#  RUN           hid_bpf.raw_event ...
hid-generic 0003:0001:0A36.0002: hidraw0: USB HID v0.00 Device
[test-uhid-device-268] on 268
#            OK  hid_bpf.raw_event
ok 2 hid_bpf.raw_event
#  RUN           hid_bpf.subprog_raw_event ...
hid-generic 0003:0001:0A36.0003: hidraw0: USB HID v0.00 Device
[test-uhid-device-268] on 268
#            OK  hid_bpf.subprog_raw_event
ok 3 hid_bpf.subprog_raw_event
#  RUN           hid_bpf.multiple_attach ...
hid-generic 0003:0001:0A36.0004: hidraw0: USB HID v0.00 Device
[test-uhid-device-268] on 268
#            OK  hid_bpf.multiple_attach
ok 4 hid_bpf.multiple_attach
#  RUN           hid_bpf.test_attach_detach ...
hid-generic 0003:0001:0A36.0005: hidraw0: USB HID v0.00 Device
[test-uhid-device-520] on 520
#            OK  hid_bpf.test_attach_detach
ok 5 hid_bpf.test_attach_detach
#  RUN           hid_bpf.test_hid_change_report ...
hid-generic 0003:0001:0A36.0006: hidraw0: USB HID v0.00 Device
[test-uhid-device-520] on 520
#            OK  hid_bpf.test_hid_change_report
ok 6 hid_bpf.test_hid_change_report
#  RUN           hid_bpf.test_hid_user_input_report_call ...
hid-generic 0003:0001:0A36.0007: hidraw0: USB HID v0.00 Device
[test-uhid-device-520] on 520
#            OK  hid_bpf.test_hid_user_input_report_call
ok 7 hid_bpf.test_hid_user_input_report_call
#  RUN           hid_bpf.test_hid_user_output_report_call ...
hid-generic 0003:0001:0A36.0008: hidraw0: USB HID v0.00 Device
[test-uhid-device-520] on 520
#            OK  hid_bpf.test_hid_user_output_report_call
ok 8 hid_bpf.test_hid_user_output_report_call
#  RUN           hid_bpf.test_hid_user_raw_request_call ...
hid-generic 0003:0001:0A36.0009: hidraw0: USB HID v0.00 Device
[test-uhid-device-520] on 520
#            OK  hid_bpf.test_hid_user_raw_request_call
ok 9 hid_bpf.test_hid_user_raw_request_call
#  RUN           hid_bpf.test_hid_filter_raw_request_call ...
hid-generic 0003:0001:0A36.000A: hidraw0: USB HID v0.00 Device
[test-uhid-device-520] on 520
#            OK  hid_bpf.test_hid_filter_raw_request_call
ok 10 hid_bpf.test_hid_filter_raw_request_call
#  RUN           hid_bpf.test_hid_change_raw_request_call ...
hid-generic 0003:0001:0A36.000B: hidraw0: USB HID v0.00 Device
[test-uhid-device-520] on 520
#            OK  hid_bpf.test_hid_change_raw_request_call
ok 11 hid_bpf.test_hid_change_raw_request_call
#  RUN           hid_bpf.test_hid_infinite_loop_raw_request_call ...
hid-generic 0003:0001:0A36.000C: hidraw0: USB HID v0.00 Device
[test-uhid-device-520] on 520
#            OK  hid_bpf.test_hid_infinite_loop_raw_request_call
ok 12 hid_bpf.test_hid_infinite_loop_raw_request_call
#  RUN           hid_bpf.test_hid_filter_output_report_call ...
hid-generic 0003:0001:0A36.000D: hidraw0: USB HID v0.00 Device
[test-uhid-device-520] on 520
#            OK  hid_bpf.test_hid_filter_output_report_call
ok 13 hid_bpf.test_hid_filter_output_report_call
#  RUN           hid_bpf.test_hid_change_output_report_call ...
hid-generic 0003:0001:0A36.000E: hidraw0: USB HID v0.00 Device
[test-uhid-device-520] on 520
#            OK  hid_bpf.test_hid_change_output_report_call
ok 14 hid_bpf.test_hid_change_output_report_call
#  RUN           hid_bpf.test_hid_infinite_loop_output_report_call ...
hid-generic 0003:0001:0A36.000F: hidraw0: USB HID v0.00 Device
[test-uhid-device-520] on 520
#            OK  hid_bpf.test_hid_infinite_loop_output_report_call
ok 15 hid_bpf.test_hid_infinite_loop_output_report_call
#  RUN           hid_bpf.test_multiply_events_wq ...
hid-generic 0003:0001:0A36.0010: hidraw0: USB HID v0.00 Device
[test-uhid-device-309] on 309
#            OK  hid_bpf.test_multiply_events_wq
ok 16 hid_bpf.test_multiply_events_wq
#  RUN           hid_bpf.test_multiply_events ...
hid-generic 0003:0001:0A36.0011: hidraw0: USB HID v0.00 Device
[test-uhid-device-309] on 309
#            OK  hid_bpf.test_multiply_events
ok 17 hid_bpf.test_multiply_events
#  RUN           hid_bpf.test_hid_infinite_loop_input_report_call ...
hid-generic 0003:0001:0A36.0012: hidraw0: USB HID v0.00 Device
[test-uhid-device-309] on 309
#            OK  hid_bpf.test_hid_infinite_loop_input_report_call
ok 18 hid_bpf.test_hid_infinite_loop_input_report_call
#  RUN           hid_bpf.test_hid_attach_flags ...
hid-generic 0003:0001:0A36.0013: hidraw0: USB HID v0.00 Device
[test-uhid-device-309] on 309
#            OK  hid_bpf.test_hid_attach_flags
ok 19 hid_bpf.test_hid_attach_flags
#  RUN           hid_bpf.test_rdesc_fixup ...
hid-generic 0003:0001:0A36.0014: hidraw0: USB HID v0.00 Device
[test-uhid-device-309] on 309
hid-generic 0003:0001:0A36.0014: hidraw0: USB HID v0.00 Device
[test-uhid-device-309] on 309
#            OK  hid_bpf.test_rdesc_fixup
ok 20 hid_bpf.test_rdesc_fixup
# PASSED: 20 / 20 tests passed.
# Totals: pass:20 fail:0 xfail:0 xpass:0 skip:0 error:0

Re: [PATCH bpf-next v2 1/9] bpf: Make KF_TRUSTED_ARGS the default for all kfuncs

[Eduard Zingerman]

On Wed, 2025-12-31 at 09:08 -0800, Puranjay Mohan wrote:
> Change the verifier to make trusted args the default requirement for
> all kfuncs by removing is_kfunc_trusted_args() assuming it be to always
> return true.
>
> This works because:
> 1. Context pointers (xdp_md, __sk_buff, etc.) are handled through their
>    own KF_ARG_PTR_TO_CTX case label and bypass the trusted check
> 2. Struct_ops callback arguments are already marked as PTR_TRUSTED during
>    initialization and pass is_trusted_reg()
> 3. KF_RCU kfuncs are handled separately via is_kfunc_rcu() checks at
>    call sites (always checked with || alongside is_kfunc_trusted_args)
>
> This simple change makes all kfuncs require trusted args by default
> while maintaining correct behavior for all existing special cases.
>
> Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
> ---

Acked-by: Eduard Zingerman <eddyz87@gmail.com>

Nit: I found two more textual appearances for KF_TRUSTED_ARGS:

  File: fs/bpf_fs_kfuncs.c
  71:65: * used in place of bpf_d_path() whenever possible. It enforces KF_TRUSTED_ARGS
  379:47:/* bpf_[set|remove]_dentry_xattr.* hooks have KF_TRUSTED_ARGS and

  File: include/linux/bpf.h
  756:15:  * passed to KF_TRUSTED_ARGS kfuncs or BPF helper functions.

  File: kernel/bpf/verifier.c
  12622:39:        * enforce strict matching for plain KF_TRUSTED_ARGS kfuncs by default,

  File: tools/testing/selftests/bpf/progs/cpumask_failure.c
  113:21:  /* NULL passed to KF_TRUSTED_ARGS kfunc. */

>  Documentation/bpf/kfuncs.rst | 35 +++++++++++++++++------------------
>  kernel/bpf/verifier.c        | 14 +++-----------
>  2 files changed, 20 insertions(+), 29 deletions(-)
>
> diff --git a/Documentation/bpf/kfuncs.rst b/Documentation/bpf/kfuncs.rst
> index e38941370b90..22b5a970078c 100644
> --- a/Documentation/bpf/kfuncs.rst
> +++ b/Documentation/bpf/kfuncs.rst
> @@ -241,25 +241,23 @@ both are orthogonal to each other.
>  The KF_RELEASE flag is used to indicate that the kfunc releases the pointer
>  passed in to it. There can be only one referenced pointer that can be passed
>  in. All copies of the pointer being released are invalidated as a result of
> -invoking kfunc with this flag. KF_RELEASE kfuncs automatically receive the
> -protection afforded by the KF_TRUSTED_ARGS flag described below.
> +invoking kfunc with this flag.
>
> -2.4.4 KF_TRUSTED_ARGS flag
> ---------------------------
> +2.4.4 KF_TRUSTED_ARGS (default behavior)
> +-----------------------------------------

Nit:
I think section should be renamed to 'kfunc parameters' and moved to a
separate section before '2.2 Annotating kfunc parameters'.
Sorry, should have commented about this yesterday.

[...]

Re: [PATCH bpf-next v2 1/9] bpf: Make KF_TRUSTED_ARGS the default for all kfuncs

[Puranjay Mohan]

On Wed, Dec 31, 2025 at 6:38 PM Eduard Zingerman <eddyz87@gmail.com> wrote:
>
> On Wed, 2025-12-31 at 09:08 -0800, Puranjay Mohan wrote:
> > Change the verifier to make trusted args the default requirement for
> > all kfuncs by removing is_kfunc_trusted_args() assuming it be to always
> > return true.
> >
> > This works because:
> > 1. Context pointers (xdp_md, __sk_buff, etc.) are handled through their
> >    own KF_ARG_PTR_TO_CTX case label and bypass the trusted check
> > 2. Struct_ops callback arguments are already marked as PTR_TRUSTED during
> >    initialization and pass is_trusted_reg()
> > 3. KF_RCU kfuncs are handled separately via is_kfunc_rcu() checks at
> >    call sites (always checked with || alongside is_kfunc_trusted_args)
> >
> > This simple change makes all kfuncs require trusted args by default
> > while maintaining correct behavior for all existing special cases.
> >
> > Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
> > ---
>
> Acked-by: Eduard Zingerman <eddyz87@gmail.com>
>
> Nit: I found two more textual appearances for KF_TRUSTED_ARGS:
>
>   File: fs/bpf_fs_kfuncs.c
>   71:65: * used in place of bpf_d_path() whenever possible. It enforces KF_TRUSTED_ARGS
>   379:47:/* bpf_[set|remove]_dentry_xattr.* hooks have KF_TRUSTED_ARGS and
>
>   File: include/linux/bpf.h
>   756:15:  * passed to KF_TRUSTED_ARGS kfuncs or BPF helper functions.
>
>   File: kernel/bpf/verifier.c
>   12622:39:        * enforce strict matching for plain KF_TRUSTED_ARGS kfuncs by default,
>
>   File: tools/testing/selftests/bpf/progs/cpumask_failure.c
>   113:21:  /* NULL passed to KF_TRUSTED_ARGS kfunc. */
>
> >  Documentation/bpf/kfuncs.rst | 35 +++++++++++++++++------------------
> >  kernel/bpf/verifier.c        | 14 +++-----------
> >  2 files changed, 20 insertions(+), 29 deletions(-)
> >
> > diff --git a/Documentation/bpf/kfuncs.rst b/Documentation/bpf/kfuncs.rst
> > index e38941370b90..22b5a970078c 100644
> > --- a/Documentation/bpf/kfuncs.rst
> > +++ b/Documentation/bpf/kfuncs.rst
> > @@ -241,25 +241,23 @@ both are orthogonal to each other.
> >  The KF_RELEASE flag is used to indicate that the kfunc releases the pointer
> >  passed in to it. There can be only one referenced pointer that can be passed
> >  in. All copies of the pointer being released are invalidated as a result of
> > -invoking kfunc with this flag. KF_RELEASE kfuncs automatically receive the
> > -protection afforded by the KF_TRUSTED_ARGS flag described below.
> > +invoking kfunc with this flag.
> >
> > -2.4.4 KF_TRUSTED_ARGS flag
> > ---------------------------
> > +2.4.4 KF_TRUSTED_ARGS (default behavior)
> > +-----------------------------------------
>
> Nit:
> I think section should be renamed to 'kfunc parameters' and moved to a
> separate section before '2.2 Annotating kfunc parameters'.
> Sorry, should have commented about this yesterday.
>
> [...]

Thanks for finding these, I will make these changes and re-spin after
I get reviews from others too.

There is another aspect I want your opinion one:

Assume a kfunc returns an error when you pass in a NULL pointer for
some parameter, it checks for NULL as if it is not valid usage, it
returns an error. After this change, this kfunc will not return an
error at runtime, rather will be rejected by the verifier itself. This
should not be a problem for real programs right? I think we should
drop the second patch: "bpf: net: netfilter: Mark kfuncs accurately"
because these kfuncs have no real use case with NULL being passed to
them, only a self test tries to call them with NULL parameters, I
think we should change the self test to detect load failure and leave
these kfuncs without __nullable annotation. What do you think?

Re: [PATCH bpf-next v2 1/9] bpf: Make KF_TRUSTED_ARGS the default for all kfuncs

[Eduard Zingerman]

On Wed, 2025-12-31 at 19:00 +0000, Puranjay Mohan wrote:

[...]

> There is another aspect I want your opinion one:
> 
> Assume a kfunc returns an error when you pass in a NULL pointer for
> some parameter, it checks for NULL as if it is not valid usage, it
> returns an error. After this change, this kfunc will not return an
> error at runtime, rather will be rejected by the verifier itself. This
> should not be a problem for real programs right?

Yes, makes sense.

> I think we should drop the second patch: "bpf: net: netfilter: Mark
> kfuncs accurately" because these kfuncs have no real use case with
> NULL being passed to them, only a self test tries to call them with
> NULL parameters, I think we should change the self test to detect
> load failure and leave these kfuncs without __nullable
> annotation. What do you think?

Actually, I was going to ack that patch :)
But you are right, each of those kfuncs is a wrapper and functions
they wrap, like __bpf_nf_ct_alloc_entry, require 'opts' not to be null
or return an error.

Re: [PATCH bpf-next v2 3/9] bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs

[Eduard Zingerman]

On Wed, 2025-12-31 at 09:08 -0800, Puranjay Mohan wrote:
> Now that KF_TRUSTED_ARGS is the default for all kfuncs, remove the
> explicit KF_TRUSTED_ARGS flag from all kfunc definitions and remove the
> flag itself.
> 
> Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
> ---

Acked-by: Eduard Zingerman <eddyz87@gmail.com>

[...]

Re: [PATCH bpf-next v2 1/9] bpf: Make KF_TRUSTED_ARGS the default for all kfuncs

[Puranjay Mohan]

On Wed, Dec 31, 2025 at 7:10 PM Eduard Zingerman <eddyz87@gmail.com> wrote:
>
> On Wed, 2025-12-31 at 19:00 +0000, Puranjay Mohan wrote:
>
> [...]
>
> > There is another aspect I want your opinion one:
> >
> > Assume a kfunc returns an error when you pass in a NULL pointer for
> > some parameter, it checks for NULL as if it is not valid usage, it
> > returns an error. After this change, this kfunc will not return an
> > error at runtime, rather will be rejected by the verifier itself. This
> > should not be a problem for real programs right?
>
> Yes, makes sense.
>
> > I think we should drop the second patch: "bpf: net: netfilter: Mark
> > kfuncs accurately" because these kfuncs have no real use case with
> > NULL being passed to them, only a self test tries to call them with
> > NULL parameters, I think we should change the self test to detect
> > load failure and leave these kfuncs without __nullable
> > annotation. What do you think?
>
> Actually, I was going to ack that patch :)
> But you are right, each of those kfuncs is a wrapper and functions
> they wrap, like __bpf_nf_ct_alloc_entry, require 'opts' not to be null
> or return an error.

Okay, in the next version I will drop that and fix the self test. But
this will be a change in behaviour of these kfuncs, I just hope no one
is passing NULL to these kfuncs for a weird real use case.

Re: [PATCH bpf-next v2 4/9] selftests: bpf: Update kfunc_param_nullable test for new error message

[Eduard Zingerman]

On Wed, 2025-12-31 at 09:08 -0800, Puranjay Mohan wrote:
> With trusted args now being the default, the NULL pointer check runs
> before type-specific validation. Update test3 to expect the new error
> message "Possibly NULL pointer passed to trusted arg0" instead of the
> old dynptr-specific error message.
> 
> Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
> ---

Acked-by: Eduard Zingerman <eddyz87@gmail.com>

Re: [PATCH bpf-next v2 5/9] selftests: bpf: Update failure message for rbtree_fail

[Eduard Zingerman]

On Wed, 2025-12-31 at 09:08 -0800, Puranjay Mohan wrote:
> The rbtree_api_use_unchecked_remove_retval() selftest passes a pointer
> received from bpf_rbtree_remove() to bpf_rbtree_add() without checking
> for NULL, this was earlier caught by __check_ptr_off_reg() in the
> verifier. Now the verifier assumes every kfunc only takes trusted pointer
> arguments, so it catches this NULL pointer earlier in the path and
> provides a more accurate failure message.
> 
> Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
> ---

Acked-by: Eduard Zingerman <eddyz87@gmail.com>

>  tools/testing/selftests/bpf/progs/rbtree_fail.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/tools/testing/selftests/bpf/progs/rbtree_fail.c b/tools/testing/selftests/bpf/progs/rbtree_fail.c
> index 4acb6af2dfe3..70b7baf9304b 100644
> --- a/tools/testing/selftests/bpf/progs/rbtree_fail.c
> +++ b/tools/testing/selftests/bpf/progs/rbtree_fail.c
> @@ -153,7 +153,7 @@ long rbtree_api_add_to_multiple_trees(void *ctx)
>  }
>  
>  SEC("?tc")
> -__failure __msg("dereference of modified ptr_or_null_ ptr R2 off=16 disallowed")
> +__failure __msg("Possibly NULL pointer passed to trusted arg1")
>  long rbtree_api_use_unchecked_remove_retval(void *ctx)
>  {
>  	struct bpf_rb_node *res;

Do you happen to know how did it infer off=16 for R2?
From the test I would infer that the off is zero.

Re: [PATCH bpf-next v2 6/9] selftests: bpf: fix test_kfunc_dynptr_param

[Eduard Zingerman]

On Wed, 2025-12-31 at 09:08 -0800, Puranjay Mohan wrote:
> As verifier now assumes that all kfuncs only takes trusted pointer
> arguments, passing 0 (NULL) to a kfunc that doesn't mark the argument as
> __nullable or __opt will be rejected with a failure message of: Possibly
> NULL pointer passed to trusted arg<n>
> 
> Pass a non-null value to the kfunc to test the expected failure mode.
> 
> Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
> ---

Acked-by: Eduard Zingerman <eddyz87@gmail.com>

Unrelated to this patch-set:
what do you think about merging __nullable and __opt?

[...]

Re: [PATCH bpf-next v2 6/9] selftests: bpf: fix test_kfunc_dynptr_param

[Puranjay Mohan]

On Wed, Dec 31, 2025 at 7:29 PM Eduard Zingerman <eddyz87@gmail.com> wrote:
>
> On Wed, 2025-12-31 at 09:08 -0800, Puranjay Mohan wrote:
> > As verifier now assumes that all kfuncs only takes trusted pointer
> > arguments, passing 0 (NULL) to a kfunc that doesn't mark the argument as
> > __nullable or __opt will be rejected with a failure message of: Possibly
> > NULL pointer passed to trusted arg<n>
> >
> > Pass a non-null value to the kfunc to test the expected failure mode.
> >
> > Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
> > ---
>
> Acked-by: Eduard Zingerman <eddyz87@gmail.com>
>
> Unrelated to this patch-set:
> what do you think about merging __nullable and __opt?


Yes, I think we should only have __nullable, because that is how
programmers are used to think about functions, just pass NULL if it is
unused. But I will see what the verifier expects differently from
these two and send a patch to merge them.

Re: [PATCH bpf-next v2 7/9] selftests: bpf: fix cgroup_hierarchical_stats

[Eduard Zingerman]

On Wed, 2025-12-31 at 09:08 -0800, Puranjay Mohan wrote:
> The cgroup_hierarchical_stats selftests uses an fentry program attached
> to cgroup_attach_task and then passes the received &dst_cgrp->self to
> the css_rstat_updated() kfunc. The verifier now assumes that all kfuncs
> only takes trusted pointer arguments, and pointers received by fentry
> are not marked trustes by default.
> 
> Use a tp_btf program in place for fentry for this test, pointers
> received by tp_btf programs are marked trusted by the verifier.
> 
> Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
> ---

Acked-by: Eduard Zingerman <eddyz87@gmail.com>

Looking at the cgroup_attach_task() source code, the trace point is
executed before function exit and only if attachment is successful.
Which differs from 'fentry/' attachment.
However, prog_tests/cgroup_hierarchical_stats.c:attach_processes()
errors out and terminates the test, if attachment fails.
So this change should be fine.

[...]

Re: [PATCH bpf-next v2 5/9] selftests: bpf: Update failure message for rbtree_fail

[Puranjay Mohan]

On Wed, Dec 31, 2025 at 7:27 PM Eduard Zingerman <eddyz87@gmail.com> wrote:
>
> On Wed, 2025-12-31 at 09:08 -0800, Puranjay Mohan wrote:
> > The rbtree_api_use_unchecked_remove_retval() selftest passes a pointer
> > received from bpf_rbtree_remove() to bpf_rbtree_add() without checking
> > for NULL, this was earlier caught by __check_ptr_off_reg() in the
> > verifier. Now the verifier assumes every kfunc only takes trusted pointer
> > arguments, so it catches this NULL pointer earlier in the path and
> > provides a more accurate failure message.
> >
> > Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
> > ---
>
> Acked-by: Eduard Zingerman <eddyz87@gmail.com>
>
> >  tools/testing/selftests/bpf/progs/rbtree_fail.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/tools/testing/selftests/bpf/progs/rbtree_fail.c b/tools/testing/selftests/bpf/progs/rbtree_fail.c
> > index 4acb6af2dfe3..70b7baf9304b 100644
> > --- a/tools/testing/selftests/bpf/progs/rbtree_fail.c
> > +++ b/tools/testing/selftests/bpf/progs/rbtree_fail.c
> > @@ -153,7 +153,7 @@ long rbtree_api_add_to_multiple_trees(void *ctx)
> >  }
> >
> >  SEC("?tc")
> > -__failure __msg("dereference of modified ptr_or_null_ ptr R2 off=16 disallowed")
> > +__failure __msg("Possibly NULL pointer passed to trusted arg1")
> >  long rbtree_api_use_unchecked_remove_retval(void *ctx)
> >  {
> >       struct bpf_rb_node *res;
>
> Do you happen to know how did it infer off=16 for R2?
> From the test I would infer that the off is zero.

I thought about that too,

struct node_data {
    long key;
    long data;
    struct bpf_rb_node node;
};

the node is at an offset of 16 and bpf_rbtree_remove() returns the
pointer to this node.

Re: [PATCH bpf-next v2 6/9] selftests: bpf: fix test_kfunc_dynptr_param

[Eduard Zingerman]

On Wed, 2025-12-31 at 19:39 +0000, Puranjay Mohan wrote:
> On Wed, Dec 31, 2025 at 7:29 PM Eduard Zingerman <eddyz87@gmail.com> wrote:
> > 
> > On Wed, 2025-12-31 at 09:08 -0800, Puranjay Mohan wrote:
> > > As verifier now assumes that all kfuncs only takes trusted pointer
> > > arguments, passing 0 (NULL) to a kfunc that doesn't mark the argument as
> > > __nullable or __opt will be rejected with a failure message of: Possibly
> > > NULL pointer passed to trusted arg<n>
> > > 
> > > Pass a non-null value to the kfunc to test the expected failure mode.
> > > 
> > > Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
> > > ---
> > 
> > Acked-by: Eduard Zingerman <eddyz87@gmail.com>
> > 
> > Unrelated to this patch-set:
> > what do you think about merging __nullable and __opt?
> 
> 
> Yes, I think we should only have __nullable, because that is how
> programmers are used to think about functions, just pass NULL if it is
> unused. But I will see what the verifier expects differently from
> these two and send a patch to merge them.

Ack, thank you.
After cursory examination seems doable to me.
__nullable was introduced [1] after __opt, but mailing list discussion
does not mention __opt at all.

[1] https://lore.kernel.org/all/20231018061746.111364-7-zhouchuyi@bytedance.com/T/#u

Re: [PATCH bpf-next v2 5/9] selftests: bpf: Update failure message for rbtree_fail

[Eduard Zingerman]

On Wed, 2025-12-31 at 19:44 +0000, Puranjay Mohan wrote:
> On Wed, Dec 31, 2025 at 7:27 PM Eduard Zingerman <eddyz87@gmail.com> wrote:
> > 
> > On Wed, 2025-12-31 at 09:08 -0800, Puranjay Mohan wrote:
> > > The rbtree_api_use_unchecked_remove_retval() selftest passes a pointer
> > > received from bpf_rbtree_remove() to bpf_rbtree_add() without checking
> > > for NULL, this was earlier caught by __check_ptr_off_reg() in the
> > > verifier. Now the verifier assumes every kfunc only takes trusted pointer
> > > arguments, so it catches this NULL pointer earlier in the path and
> > > provides a more accurate failure message.
> > > 
> > > Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
> > > ---
> > 
> > Acked-by: Eduard Zingerman <eddyz87@gmail.com>
> > 
> > >  tools/testing/selftests/bpf/progs/rbtree_fail.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/tools/testing/selftests/bpf/progs/rbtree_fail.c b/tools/testing/selftests/bpf/progs/rbtree_fail.c
> > > index 4acb6af2dfe3..70b7baf9304b 100644
> > > --- a/tools/testing/selftests/bpf/progs/rbtree_fail.c
> > > +++ b/tools/testing/selftests/bpf/progs/rbtree_fail.c
> > > @@ -153,7 +153,7 @@ long rbtree_api_add_to_multiple_trees(void *ctx)
> > >  }
> > > 
> > >  SEC("?tc")
> > > -__failure __msg("dereference of modified ptr_or_null_ ptr R2 off=16 disallowed")
> > > +__failure __msg("Possibly NULL pointer passed to trusted arg1")
> > >  long rbtree_api_use_unchecked_remove_retval(void *ctx)
> > >  {
> > >       struct bpf_rb_node *res;
> > 
> > Do you happen to know how did it infer off=16 for R2?
> > From the test I would infer that the off is zero.
> 
> I thought about that too,
> 
> struct node_data {
>     long key;
>     long data;
>     struct bpf_rb_node node;
> };
> 
> the node is at an offset of 16 and bpf_rbtree_remove() returns the
> pointer to this node.

Oh, makes sense, thank you.

Re: [PATCH bpf-next v2 8/9] bpf: xfrm: drop dead NULL check in bpf_xdp_get_xfrm_state()

[Eduard Zingerman]

On Wed, 2025-12-31 at 09:08 -0800, Puranjay Mohan wrote:
> As KF_TRUSTED_ARGS is now considered the default for all kfuncs, the
> opts parameter in bpf_xdp_get_xfrm_state() can never be NULL. Verifier
> will detect this at load time and will not allow passing NULL to this
> function. This matches the documentation above the kfunc that says this
> parameter (opts) Cannot be NULL.
> 
> Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
> ---

Acked-by: Eduard Zingerman <eddyz87@gmail.com>

[...]

Re: [PATCH bpf-next v2 6/9] selftests: bpf: fix test_kfunc_dynptr_param

[Puranjay Mohan]

On Wed, Dec 31, 2025 at 7:44 PM Eduard Zingerman <eddyz87@gmail.com> wrote:
>
> On Wed, 2025-12-31 at 19:39 +0000, Puranjay Mohan wrote:
> > On Wed, Dec 31, 2025 at 7:29 PM Eduard Zingerman <eddyz87@gmail.com> wrote:
> > >
> > > On Wed, 2025-12-31 at 09:08 -0800, Puranjay Mohan wrote:
> > > > As verifier now assumes that all kfuncs only takes trusted pointer
> > > > arguments, passing 0 (NULL) to a kfunc that doesn't mark the argument as
> > > > __nullable or __opt will be rejected with a failure message of: Possibly
> > > > NULL pointer passed to trusted arg<n>
> > > >
> > > > Pass a non-null value to the kfunc to test the expected failure mode.
> > > >
> > > > Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
> > > > ---
> > >
> > > Acked-by: Eduard Zingerman <eddyz87@gmail.com>
> > >
> > > Unrelated to this patch-set:
> > > what do you think about merging __nullable and __opt?
> >
> >
> > Yes, I think we should only have __nullable, because that is how
> > programmers are used to think about functions, just pass NULL if it is
> > unused. But I will see what the verifier expects differently from
> > these two and send a patch to merge them.
>
> Ack, thank you.
> After cursory examination seems doable to me.
> __nullable was introduced [1] after __opt, but mailing list discussion
> does not mention __opt at all.
>
> [1] https://lore.kernel.org/all/20231018061746.111364-7-zhouchuyi@bytedance.com/T/#u

It wasn't that difficult:
https://lore.kernel.org/bpf/20251231232623.2713255-1-puranjay@kernel.org/

I guess this should be merged before default trusted_args.

Re: [PATCH bpf-next v2 1/9] bpf: Make KF_TRUSTED_ARGS the default for all kfuncs

[Emil Tsalapatis]

On Wed Dec 31, 2025 at 12:08 PM EST, Puranjay Mohan wrote:
> Change the verifier to make trusted args the default requirement for
> all kfuncs by removing is_kfunc_trusted_args() assuming it be to always
> return true.
>
> This works because:
> 1. Context pointers (xdp_md, __sk_buff, etc.) are handled through their
>    own KF_ARG_PTR_TO_CTX case label and bypass the trusted check
> 2. Struct_ops callback arguments are already marked as PTR_TRUSTED during
>    initialization and pass is_trusted_reg()
> 3. KF_RCU kfuncs are handled separately via is_kfunc_rcu() checks at
>    call sites (always checked with || alongside is_kfunc_trusted_args)
>
> This simple change makes all kfuncs require trusted args by default
> while maintaining correct behavior for all existing special cases.
>
> Signed-off-by: Puranjay Mohan <puranjay@kernel.org>

Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>

For sched-ext in particular, patchset works fine (as expected).

> ---
>  Documentation/bpf/kfuncs.rst | 35 +++++++++++++++++------------------
>  kernel/bpf/verifier.c        | 14 +++-----------
>  2 files changed, 20 insertions(+), 29 deletions(-)
>
> diff --git a/Documentation/bpf/kfuncs.rst b/Documentation/bpf/kfuncs.rst
> index e38941370b90..22b5a970078c 100644
> --- a/Documentation/bpf/kfuncs.rst
> +++ b/Documentation/bpf/kfuncs.rst
> @@ -241,25 +241,23 @@ both are orthogonal to each other.
>  The KF_RELEASE flag is used to indicate that the kfunc releases the pointer
>  passed in to it. There can be only one referenced pointer that can be passed
>  in. All copies of the pointer being released are invalidated as a result of
> -invoking kfunc with this flag. KF_RELEASE kfuncs automatically receive the
> -protection afforded by the KF_TRUSTED_ARGS flag described below.
> +invoking kfunc with this flag.
>  
> -2.4.4 KF_TRUSTED_ARGS flag
> ---------------------------
> +2.4.4 KF_TRUSTED_ARGS (default behavior)
> +-----------------------------------------
>  
> -The KF_TRUSTED_ARGS flag is used for kfuncs taking pointer arguments. It
> -indicates that the all pointer arguments are valid, and that all pointers to
> -BTF objects have been passed in their unmodified form (that is, at a zero
> -offset, and without having been obtained from walking another pointer, with one
> -exception described below).
> +All kfuncs now require trusted arguments by default. This means that all
> +pointer arguments must be valid, and all pointers to BTF objects must be
> +passed in their unmodified form (at a zero offset, and without having been
> +obtained from walking another pointer, with exceptions described below).
>  
> -There are two types of pointers to kernel objects which are considered "valid":
> +There are two types of pointers to kernel objects which are considered "trusted":
>  
>  1. Pointers which are passed as tracepoint or struct_ops callback arguments.
>  2. Pointers which were returned from a KF_ACQUIRE kfunc.
>  
>  Pointers to non-BTF objects (e.g. scalar pointers) may also be passed to
> -KF_TRUSTED_ARGS kfuncs, and may have a non-zero offset.
> +kfuncs, and may have a non-zero offset.
>  
>  The definition of "valid" pointers is subject to change at any time, and has
>  absolutely no ABI stability guarantees.
> @@ -327,13 +325,14 @@ added later.
>  2.4.7 KF_RCU flag
>  -----------------
>  
> -The KF_RCU flag is a weaker version of KF_TRUSTED_ARGS. The kfuncs marked with
> -KF_RCU expect either PTR_TRUSTED or MEM_RCU arguments. The verifier guarantees
> -that the objects are valid and there is no use-after-free. The pointers are not
> -NULL, but the object's refcount could have reached zero. The kfuncs need to
> -consider doing refcnt != 0 check, especially when returning a KF_ACQUIRE
> -pointer. Note as well that a KF_ACQUIRE kfunc that is KF_RCU should very likely
> -also be KF_RET_NULL.
> +The KF_RCU flag allows kfuncs to opt out of the default trusted args
> +requirement and accept RCU pointers with weaker guarantees. The kfuncs marked
> +with KF_RCU expect either PTR_TRUSTED or MEM_RCU arguments. The verifier
> +guarantees that the objects are valid and there is no use-after-free. The
> +pointers are not NULL, but the object's refcount could have reached zero. The
> +kfuncs need to consider doing refcnt != 0 check, especially when returning a
> +KF_ACQUIRE pointer. Note as well that a KF_ACQUIRE kfunc that is KF_RCU should
> +very likely also be KF_RET_NULL.
>  
>  2.4.8 KF_RCU_PROTECTED flag
>  ---------------------------
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 0baae7828af2..a31eace4a67c 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -12040,11 +12040,6 @@ static bool is_kfunc_release(struct bpf_kfunc_call_arg_meta *meta)
>  	return meta->kfunc_flags & KF_RELEASE;
>  }
>  
> -static bool is_kfunc_trusted_args(struct bpf_kfunc_call_arg_meta *meta)
> -{
> -	return (meta->kfunc_flags & KF_TRUSTED_ARGS) || is_kfunc_release(meta);
> -}
> -
>  static bool is_kfunc_sleepable(struct bpf_kfunc_call_arg_meta *meta)
>  {
>  	return meta->kfunc_flags & KF_SLEEPABLE;
> @@ -13253,9 +13248,9 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
>  			return -EINVAL;
>  		}
>  
> -		if ((is_kfunc_trusted_args(meta) || is_kfunc_rcu(meta)) &&
> -		    (register_is_null(reg) || type_may_be_null(reg->type)) &&
> -			!is_kfunc_arg_nullable(meta->btf, &args[i])) {
> +		if ((register_is_null(reg) || type_may_be_null(reg->type)) &&
> +		    !is_kfunc_arg_nullable(meta->btf, &args[i]) &&
> +		    !is_kfunc_arg_optional(meta->btf, &args[i])) {
>  			verbose(env, "Possibly NULL pointer passed to trusted arg%d\n", i);
>  			return -EACCES;
>  		}
> @@ -13320,9 +13315,6 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
>  			fallthrough;
>  		case KF_ARG_PTR_TO_ALLOC_BTF_ID:
>  		case KF_ARG_PTR_TO_BTF_ID:
> -			if (!is_kfunc_trusted_args(meta) && !is_kfunc_rcu(meta))
> -				break;
> -
>  			if (!is_trusted_reg(reg)) {
>  				if (!is_kfunc_rcu(meta)) {
>  					verbose(env, "R%d must be referenced or trusted\n", regno);

Re: [PATCH bpf-next v2 3/9] bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs

[Emil Tsalapatis]

On Wed Dec 31, 2025 at 12:08 PM EST, Puranjay Mohan wrote:
> Now that KF_TRUSTED_ARGS is the default for all kfuncs, remove the
> explicit KF_TRUSTED_ARGS flag from all kfunc definitions and remove the
> flag itself.
>
> Signed-off-by: Puranjay Mohan <puranjay@kernel.org>

Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>

> ---
>  fs/bpf_fs_kfuncs.c                            | 13 ++++++------
>  fs/verity/measure.c                           |  2 +-
>  include/linux/btf.h                           |  3 +--
>  kernel/bpf/arena.c                            |  6 +++---
>  kernel/bpf/cpumask.c                          |  2 +-
>  kernel/bpf/helpers.c                          | 20 +++++++++----------
>  kernel/bpf/map_iter.c                         |  2 +-
>  kernel/sched/ext.c                            |  8 ++++----
>  mm/bpf_memcontrol.c                           | 10 +++++-----
>  net/core/filter.c                             | 10 +++++-----
>  net/core/xdp.c                                |  2 +-
>  net/netfilter/nf_conntrack_bpf.c              |  8 ++++----
>  net/netfilter/nf_flow_table_bpf.c             |  2 +-
>  net/netfilter/nf_nat_bpf.c                    |  2 +-
>  net/sched/bpf_qdisc.c                         | 12 +++++------
>  .../selftests/bpf/test_kmods/bpf_testmod.c    | 20 +++++++++----------
>  16 files changed, 60 insertions(+), 62 deletions(-)
>
> diff --git a/fs/bpf_fs_kfuncs.c b/fs/bpf_fs_kfuncs.c
> index 5ace2511fec5..a15d31690e0b 100644
> --- a/fs/bpf_fs_kfuncs.c
> +++ b/fs/bpf_fs_kfuncs.c
> @@ -359,14 +359,13 @@ __bpf_kfunc int bpf_cgroup_read_xattr(struct cgroup *cgroup, const char *name__s
>  __bpf_kfunc_end_defs();
>  
>  BTF_KFUNCS_START(bpf_fs_kfunc_set_ids)
> -BTF_ID_FLAGS(func, bpf_get_task_exe_file,
> -	     KF_ACQUIRE | KF_TRUSTED_ARGS | KF_RET_NULL)
> +BTF_ID_FLAGS(func, bpf_get_task_exe_file, KF_ACQUIRE | KF_RET_NULL)
>  BTF_ID_FLAGS(func, bpf_put_file, KF_RELEASE)
> -BTF_ID_FLAGS(func, bpf_path_d_path, KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_get_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_set_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_remove_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
> +BTF_ID_FLAGS(func, bpf_path_d_path)
> +BTF_ID_FLAGS(func, bpf_get_dentry_xattr, KF_SLEEPABLE)
> +BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE)
> +BTF_ID_FLAGS(func, bpf_set_dentry_xattr, KF_SLEEPABLE)
> +BTF_ID_FLAGS(func, bpf_remove_dentry_xattr, KF_SLEEPABLE)
>  BTF_KFUNCS_END(bpf_fs_kfunc_set_ids)
>  
>  static int bpf_fs_kfuncs_filter(const struct bpf_prog *prog, u32 kfunc_id)
> diff --git a/fs/verity/measure.c b/fs/verity/measure.c
> index 388734132f01..6a35623ebdf0 100644
> --- a/fs/verity/measure.c
> +++ b/fs/verity/measure.c
> @@ -162,7 +162,7 @@ __bpf_kfunc int bpf_get_fsverity_digest(struct file *file, struct bpf_dynptr *di
>  __bpf_kfunc_end_defs();
>  
>  BTF_KFUNCS_START(fsverity_set_ids)
> -BTF_ID_FLAGS(func, bpf_get_fsverity_digest, KF_TRUSTED_ARGS)
> +BTF_ID_FLAGS(func, bpf_get_fsverity_digest)
>  BTF_KFUNCS_END(fsverity_set_ids)
>  
>  static int bpf_get_fsverity_digest_filter(const struct bpf_prog *prog, u32 kfunc_id)
> diff --git a/include/linux/btf.h b/include/linux/btf.h
> index f06976ffb63f..691f09784933 100644
> --- a/include/linux/btf.h
> +++ b/include/linux/btf.h
> @@ -34,7 +34,7 @@
>   *
>   * And the following kfunc:
>   *
> - *	BTF_ID_FLAGS(func, bpf_task_acquire, KF_ACQUIRE | KF_TRUSTED_ARGS)
> + *	BTF_ID_FLAGS(func, bpf_task_acquire, KF_ACQUIRE)
>   *
>   * All invocations to the kfunc must pass the unmodified, unwalked task:
>   *
> @@ -66,7 +66,6 @@
>   *	return 0;
>   * }
>   */
> -#define KF_TRUSTED_ARGS (1 << 4) /* kfunc only takes trusted pointer arguments */
>  #define KF_SLEEPABLE    (1 << 5) /* kfunc may sleep */
>  #define KF_DESTRUCTIVE  (1 << 6) /* kfunc performs destructive actions */
>  #define KF_RCU          (1 << 7) /* kfunc takes either rcu or trusted pointer arguments */
> diff --git a/kernel/bpf/arena.c b/kernel/bpf/arena.c
> index 456ac989269d..2274319a95e6 100644
> --- a/kernel/bpf/arena.c
> +++ b/kernel/bpf/arena.c
> @@ -890,9 +890,9 @@ __bpf_kfunc int bpf_arena_reserve_pages(void *p__map, void *ptr__ign, u32 page_c
>  __bpf_kfunc_end_defs();
>  
>  BTF_KFUNCS_START(arena_kfuncs)
> -BTF_ID_FLAGS(func, bpf_arena_alloc_pages, KF_TRUSTED_ARGS | KF_ARENA_RET | KF_ARENA_ARG2)
> -BTF_ID_FLAGS(func, bpf_arena_free_pages, KF_TRUSTED_ARGS | KF_ARENA_ARG2)
> -BTF_ID_FLAGS(func, bpf_arena_reserve_pages, KF_TRUSTED_ARGS | KF_ARENA_ARG2)
> +BTF_ID_FLAGS(func, bpf_arena_alloc_pages, KF_ARENA_RET | KF_ARENA_ARG2)
> +BTF_ID_FLAGS(func, bpf_arena_free_pages, KF_ARENA_ARG2)
> +BTF_ID_FLAGS(func, bpf_arena_reserve_pages, KF_ARENA_ARG2)
>  BTF_KFUNCS_END(arena_kfuncs)
>  
>  static const struct btf_kfunc_id_set common_kfunc_set = {
> diff --git a/kernel/bpf/cpumask.c b/kernel/bpf/cpumask.c
> index 9876c5fe6c2a..b8c805b4b06a 100644
> --- a/kernel/bpf/cpumask.c
> +++ b/kernel/bpf/cpumask.c
> @@ -477,7 +477,7 @@ __bpf_kfunc_end_defs();
>  BTF_KFUNCS_START(cpumask_kfunc_btf_ids)
>  BTF_ID_FLAGS(func, bpf_cpumask_create, KF_ACQUIRE | KF_RET_NULL)
>  BTF_ID_FLAGS(func, bpf_cpumask_release, KF_RELEASE)
> -BTF_ID_FLAGS(func, bpf_cpumask_acquire, KF_ACQUIRE | KF_TRUSTED_ARGS)
> +BTF_ID_FLAGS(func, bpf_cpumask_acquire, KF_ACQUIRE)
>  BTF_ID_FLAGS(func, bpf_cpumask_first, KF_RCU)
>  BTF_ID_FLAGS(func, bpf_cpumask_first_zero, KF_RCU)
>  BTF_ID_FLAGS(func, bpf_cpumask_first_and, KF_RCU)
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index db72b96f9c8c..2c15f77c74db 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -4427,7 +4427,7 @@ BTF_ID_FLAGS(func, bpf_task_from_pid, KF_ACQUIRE | KF_RET_NULL)
>  BTF_ID_FLAGS(func, bpf_task_from_vpid, KF_ACQUIRE | KF_RET_NULL)
>  BTF_ID_FLAGS(func, bpf_throw)
>  #ifdef CONFIG_BPF_EVENTS
> -BTF_ID_FLAGS(func, bpf_send_signal_task, KF_TRUSTED_ARGS)
> +BTF_ID_FLAGS(func, bpf_send_signal_task)
>  #endif
>  #ifdef CONFIG_KEYS
>  BTF_ID_FLAGS(func, bpf_lookup_user_key, KF_ACQUIRE | KF_RET_NULL | KF_SLEEPABLE)
> @@ -4467,14 +4467,14 @@ BTF_ID_FLAGS(func, bpf_iter_task_vma_new, KF_ITER_NEW | KF_RCU)
>  BTF_ID_FLAGS(func, bpf_iter_task_vma_next, KF_ITER_NEXT | KF_RET_NULL)
>  BTF_ID_FLAGS(func, bpf_iter_task_vma_destroy, KF_ITER_DESTROY)
>  #ifdef CONFIG_CGROUPS
> -BTF_ID_FLAGS(func, bpf_iter_css_task_new, KF_ITER_NEW | KF_TRUSTED_ARGS)
> +BTF_ID_FLAGS(func, bpf_iter_css_task_new, KF_ITER_NEW)
>  BTF_ID_FLAGS(func, bpf_iter_css_task_next, KF_ITER_NEXT | KF_RET_NULL)
>  BTF_ID_FLAGS(func, bpf_iter_css_task_destroy, KF_ITER_DESTROY)
> -BTF_ID_FLAGS(func, bpf_iter_css_new, KF_ITER_NEW | KF_TRUSTED_ARGS | KF_RCU_PROTECTED)
> +BTF_ID_FLAGS(func, bpf_iter_css_new, KF_ITER_NEW | KF_RCU_PROTECTED)
>  BTF_ID_FLAGS(func, bpf_iter_css_next, KF_ITER_NEXT | KF_RET_NULL)
>  BTF_ID_FLAGS(func, bpf_iter_css_destroy, KF_ITER_DESTROY)
>  #endif
> -BTF_ID_FLAGS(func, bpf_iter_task_new, KF_ITER_NEW | KF_TRUSTED_ARGS | KF_RCU_PROTECTED)
> +BTF_ID_FLAGS(func, bpf_iter_task_new, KF_ITER_NEW | KF_RCU_PROTECTED)
>  BTF_ID_FLAGS(func, bpf_iter_task_next, KF_ITER_NEXT | KF_RET_NULL)
>  BTF_ID_FLAGS(func, bpf_iter_task_destroy, KF_ITER_DESTROY)
>  BTF_ID_FLAGS(func, bpf_dynptr_adjust)
> @@ -4510,8 +4510,8 @@ BTF_ID_FLAGS(func, bpf_probe_read_user_str_dynptr)
>  BTF_ID_FLAGS(func, bpf_probe_read_kernel_str_dynptr)
>  BTF_ID_FLAGS(func, bpf_copy_from_user_dynptr, KF_SLEEPABLE)
>  BTF_ID_FLAGS(func, bpf_copy_from_user_str_dynptr, KF_SLEEPABLE)
> -BTF_ID_FLAGS(func, bpf_copy_from_user_task_dynptr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_copy_from_user_task_str_dynptr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
> +BTF_ID_FLAGS(func, bpf_copy_from_user_task_dynptr, KF_SLEEPABLE)
> +BTF_ID_FLAGS(func, bpf_copy_from_user_task_str_dynptr, KF_SLEEPABLE)
>  #endif
>  #ifdef CONFIG_DMA_SHARED_BUFFER
>  BTF_ID_FLAGS(func, bpf_iter_dmabuf_new, KF_ITER_NEW | KF_SLEEPABLE)
> @@ -4536,10 +4536,10 @@ BTF_ID_FLAGS(func, bpf_strncasestr);
>  #if defined(CONFIG_BPF_LSM) && defined(CONFIG_CGROUPS)
>  BTF_ID_FLAGS(func, bpf_cgroup_read_xattr, KF_RCU)
>  #endif
> -BTF_ID_FLAGS(func, bpf_stream_vprintk_impl, KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_task_work_schedule_signal_impl, KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_task_work_schedule_resume_impl, KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_dynptr_from_file, KF_TRUSTED_ARGS)
> +BTF_ID_FLAGS(func, bpf_stream_vprintk_impl)
> +BTF_ID_FLAGS(func, bpf_task_work_schedule_signal_impl)
> +BTF_ID_FLAGS(func, bpf_task_work_schedule_resume_impl)
> +BTF_ID_FLAGS(func, bpf_dynptr_from_file)
>  BTF_ID_FLAGS(func, bpf_dynptr_file_discard)
>  BTF_KFUNCS_END(common_btf_ids)
>  
> diff --git a/kernel/bpf/map_iter.c b/kernel/bpf/map_iter.c
> index 9575314f40a6..261a03ea73d3 100644
> --- a/kernel/bpf/map_iter.c
> +++ b/kernel/bpf/map_iter.c
> @@ -214,7 +214,7 @@ __bpf_kfunc s64 bpf_map_sum_elem_count(const struct bpf_map *map)
>  __bpf_kfunc_end_defs();
>  
>  BTF_KFUNCS_START(bpf_map_iter_kfunc_ids)
> -BTF_ID_FLAGS(func, bpf_map_sum_elem_count, KF_TRUSTED_ARGS)
> +BTF_ID_FLAGS(func, bpf_map_sum_elem_count)
>  BTF_KFUNCS_END(bpf_map_iter_kfunc_ids)
>  
>  static const struct btf_kfunc_id_set bpf_map_iter_kfunc_set = {
> diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
> index 94164f2dec6d..fd5423428dde 100644
> --- a/kernel/sched/ext.c
> +++ b/kernel/sched/ext.c
> @@ -7229,9 +7229,9 @@ BTF_ID_FLAGS(func, scx_bpf_dsq_peek, KF_RCU_PROTECTED | KF_RET_NULL)
>  BTF_ID_FLAGS(func, bpf_iter_scx_dsq_new, KF_ITER_NEW | KF_RCU_PROTECTED)
>  BTF_ID_FLAGS(func, bpf_iter_scx_dsq_next, KF_ITER_NEXT | KF_RET_NULL)
>  BTF_ID_FLAGS(func, bpf_iter_scx_dsq_destroy, KF_ITER_DESTROY)
> -BTF_ID_FLAGS(func, scx_bpf_exit_bstr, KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, scx_bpf_error_bstr, KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, scx_bpf_dump_bstr, KF_TRUSTED_ARGS)
> +BTF_ID_FLAGS(func, scx_bpf_exit_bstr)
> +BTF_ID_FLAGS(func, scx_bpf_error_bstr)
> +BTF_ID_FLAGS(func, scx_bpf_dump_bstr)
>  BTF_ID_FLAGS(func, scx_bpf_reenqueue_local___v2)
>  BTF_ID_FLAGS(func, scx_bpf_cpuperf_cap)
>  BTF_ID_FLAGS(func, scx_bpf_cpuperf_cur)
> @@ -7250,7 +7250,7 @@ BTF_ID_FLAGS(func, scx_bpf_cpu_curr, KF_RET_NULL | KF_RCU_PROTECTED)
>  BTF_ID_FLAGS(func, scx_bpf_task_cgroup, KF_RCU | KF_ACQUIRE)
>  #endif
>  BTF_ID_FLAGS(func, scx_bpf_now)
> -BTF_ID_FLAGS(func, scx_bpf_events, KF_TRUSTED_ARGS)
> +BTF_ID_FLAGS(func, scx_bpf_events)
>  BTF_KFUNCS_END(scx_kfunc_ids_any)
>  
>  static const struct btf_kfunc_id_set scx_kfunc_set_any = {
> diff --git a/mm/bpf_memcontrol.c b/mm/bpf_memcontrol.c
> index e8fa7f5855f9..716df49d7647 100644
> --- a/mm/bpf_memcontrol.c
> +++ b/mm/bpf_memcontrol.c
> @@ -166,11 +166,11 @@ BTF_ID_FLAGS(func, bpf_get_root_mem_cgroup, KF_ACQUIRE | KF_RET_NULL)
>  BTF_ID_FLAGS(func, bpf_get_mem_cgroup, KF_ACQUIRE | KF_RET_NULL | KF_RCU)
>  BTF_ID_FLAGS(func, bpf_put_mem_cgroup, KF_RELEASE)
>  
> -BTF_ID_FLAGS(func, bpf_mem_cgroup_vm_events, KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_mem_cgroup_memory_events, KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_mem_cgroup_usage, KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_mem_cgroup_page_state, KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_mem_cgroup_flush_stats, KF_TRUSTED_ARGS | KF_SLEEPABLE)
> +BTF_ID_FLAGS(func, bpf_mem_cgroup_vm_events)
> +BTF_ID_FLAGS(func, bpf_mem_cgroup_memory_events)
> +BTF_ID_FLAGS(func, bpf_mem_cgroup_usage)
> +BTF_ID_FLAGS(func, bpf_mem_cgroup_page_state)
> +BTF_ID_FLAGS(func, bpf_mem_cgroup_flush_stats, KF_SLEEPABLE)
>  
>  BTF_KFUNCS_END(bpf_memcontrol_kfuncs)
>  
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 616e0520a0bb..d43df98e1ded 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -12438,11 +12438,11 @@ int bpf_dynptr_from_skb_rdonly(struct __sk_buff *skb, u64 flags,
>  }
>  
>  BTF_KFUNCS_START(bpf_kfunc_check_set_skb)
> -BTF_ID_FLAGS(func, bpf_dynptr_from_skb, KF_TRUSTED_ARGS)
> +BTF_ID_FLAGS(func, bpf_dynptr_from_skb)
>  BTF_KFUNCS_END(bpf_kfunc_check_set_skb)
>  
>  BTF_KFUNCS_START(bpf_kfunc_check_set_skb_meta)
> -BTF_ID_FLAGS(func, bpf_dynptr_from_skb_meta, KF_TRUSTED_ARGS)
> +BTF_ID_FLAGS(func, bpf_dynptr_from_skb_meta)
>  BTF_KFUNCS_END(bpf_kfunc_check_set_skb_meta)
>  
>  BTF_KFUNCS_START(bpf_kfunc_check_set_xdp)
> @@ -12455,11 +12455,11 @@ BTF_ID_FLAGS(func, bpf_sock_addr_set_sun_path)
>  BTF_KFUNCS_END(bpf_kfunc_check_set_sock_addr)
>  
>  BTF_KFUNCS_START(bpf_kfunc_check_set_tcp_reqsk)
> -BTF_ID_FLAGS(func, bpf_sk_assign_tcp_reqsk, KF_TRUSTED_ARGS)
> +BTF_ID_FLAGS(func, bpf_sk_assign_tcp_reqsk)
>  BTF_KFUNCS_END(bpf_kfunc_check_set_tcp_reqsk)
>  
>  BTF_KFUNCS_START(bpf_kfunc_check_set_sock_ops)
> -BTF_ID_FLAGS(func, bpf_sock_ops_enable_tx_tstamp, KF_TRUSTED_ARGS)
> +BTF_ID_FLAGS(func, bpf_sock_ops_enable_tx_tstamp)
>  BTF_KFUNCS_END(bpf_kfunc_check_set_sock_ops)
>  
>  static const struct btf_kfunc_id_set bpf_kfunc_set_skb = {
> @@ -12554,7 +12554,7 @@ __bpf_kfunc int bpf_sock_destroy(struct sock_common *sock)
>  __bpf_kfunc_end_defs();
>  
>  BTF_KFUNCS_START(bpf_sk_iter_kfunc_ids)
> -BTF_ID_FLAGS(func, bpf_sock_destroy, KF_TRUSTED_ARGS)
> +BTF_ID_FLAGS(func, bpf_sock_destroy)
>  BTF_KFUNCS_END(bpf_sk_iter_kfunc_ids)
>  
>  static int tracing_iter_filter(const struct bpf_prog *prog, u32 kfunc_id)
> diff --git a/net/core/xdp.c b/net/core/xdp.c
> index 9100e160113a..fee6d080ee85 100644
> --- a/net/core/xdp.c
> +++ b/net/core/xdp.c
> @@ -964,7 +964,7 @@ __bpf_kfunc int bpf_xdp_metadata_rx_vlan_tag(const struct xdp_md *ctx,
>  __bpf_kfunc_end_defs();
>  
>  BTF_KFUNCS_START(xdp_metadata_kfunc_ids)
> -#define XDP_METADATA_KFUNC(_, __, name, ___) BTF_ID_FLAGS(func, name, KF_TRUSTED_ARGS)
> +#define XDP_METADATA_KFUNC(_, __, name, ___) BTF_ID_FLAGS(func, name)
>  XDP_METADATA_KFUNC_xxx
>  #undef XDP_METADATA_KFUNC
>  BTF_KFUNCS_END(xdp_metadata_kfunc_ids)
> diff --git a/net/netfilter/nf_conntrack_bpf.c b/net/netfilter/nf_conntrack_bpf.c
> index a9f4b7d23fe0..a82d3388c0dd 100644
> --- a/net/netfilter/nf_conntrack_bpf.c
> +++ b/net/netfilter/nf_conntrack_bpf.c
> @@ -518,10 +518,10 @@ BTF_ID_FLAGS(func, bpf_skb_ct_alloc, KF_ACQUIRE | KF_RET_NULL)
>  BTF_ID_FLAGS(func, bpf_skb_ct_lookup, KF_ACQUIRE | KF_RET_NULL)
>  BTF_ID_FLAGS(func, bpf_ct_insert_entry, KF_ACQUIRE | KF_RET_NULL | KF_RELEASE)
>  BTF_ID_FLAGS(func, bpf_ct_release, KF_RELEASE)
> -BTF_ID_FLAGS(func, bpf_ct_set_timeout, KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_ct_change_timeout, KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_ct_set_status, KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_ct_change_status, KF_TRUSTED_ARGS)
> +BTF_ID_FLAGS(func, bpf_ct_set_timeout)
> +BTF_ID_FLAGS(func, bpf_ct_change_timeout)
> +BTF_ID_FLAGS(func, bpf_ct_set_status)
> +BTF_ID_FLAGS(func, bpf_ct_change_status)
>  BTF_KFUNCS_END(nf_ct_kfunc_set)
>  
>  static const struct btf_kfunc_id_set nf_conntrack_kfunc_set = {
> diff --git a/net/netfilter/nf_flow_table_bpf.c b/net/netfilter/nf_flow_table_bpf.c
> index 4a5f5195f2d2..cbd5b97a6329 100644
> --- a/net/netfilter/nf_flow_table_bpf.c
> +++ b/net/netfilter/nf_flow_table_bpf.c
> @@ -105,7 +105,7 @@ __diag_pop()
>  __bpf_kfunc_end_defs();
>  
>  BTF_KFUNCS_START(nf_ft_kfunc_set)
> -BTF_ID_FLAGS(func, bpf_xdp_flow_lookup, KF_TRUSTED_ARGS | KF_RET_NULL)
> +BTF_ID_FLAGS(func, bpf_xdp_flow_lookup, KF_RET_NULL)
>  BTF_KFUNCS_END(nf_ft_kfunc_set)
>  
>  static const struct btf_kfunc_id_set nf_flow_kfunc_set = {
> diff --git a/net/netfilter/nf_nat_bpf.c b/net/netfilter/nf_nat_bpf.c
> index 481be15609b1..f9dd85ccea01 100644
> --- a/net/netfilter/nf_nat_bpf.c
> +++ b/net/netfilter/nf_nat_bpf.c
> @@ -55,7 +55,7 @@ __bpf_kfunc int bpf_ct_set_nat_info(struct nf_conn___init *nfct,
>  __bpf_kfunc_end_defs();
>  
>  BTF_KFUNCS_START(nf_nat_kfunc_set)
> -BTF_ID_FLAGS(func, bpf_ct_set_nat_info, KF_TRUSTED_ARGS)
> +BTF_ID_FLAGS(func, bpf_ct_set_nat_info)
>  BTF_KFUNCS_END(nf_nat_kfunc_set)
>  
>  static const struct btf_kfunc_id_set nf_bpf_nat_kfunc_set = {
> diff --git a/net/sched/bpf_qdisc.c b/net/sched/bpf_qdisc.c
> index adcb618a2bfc..b9771788b9b3 100644
> --- a/net/sched/bpf_qdisc.c
> +++ b/net/sched/bpf_qdisc.c
> @@ -271,14 +271,14 @@ __bpf_kfunc void bpf_qdisc_bstats_update(struct Qdisc *sch, const struct sk_buff
>  __bpf_kfunc_end_defs();
>  
>  BTF_KFUNCS_START(qdisc_kfunc_ids)
> -BTF_ID_FLAGS(func, bpf_skb_get_hash, KF_TRUSTED_ARGS)
> +BTF_ID_FLAGS(func, bpf_skb_get_hash)
>  BTF_ID_FLAGS(func, bpf_kfree_skb, KF_RELEASE)
>  BTF_ID_FLAGS(func, bpf_qdisc_skb_drop, KF_RELEASE)
> -BTF_ID_FLAGS(func, bpf_dynptr_from_skb, KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_qdisc_watchdog_schedule, KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_qdisc_init_prologue, KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_qdisc_reset_destroy_epilogue, KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_qdisc_bstats_update, KF_TRUSTED_ARGS)
> +BTF_ID_FLAGS(func, bpf_dynptr_from_skb)
> +BTF_ID_FLAGS(func, bpf_qdisc_watchdog_schedule)
> +BTF_ID_FLAGS(func, bpf_qdisc_init_prologue)
> +BTF_ID_FLAGS(func, bpf_qdisc_reset_destroy_epilogue)
> +BTF_ID_FLAGS(func, bpf_qdisc_bstats_update)
>  BTF_KFUNCS_END(qdisc_kfunc_ids)
>  
>  BTF_SET_START(qdisc_common_kfunc_set)
> diff --git a/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c b/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c
> index 90c4b1a51de6..1c41d03bd5a1 100644
> --- a/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c
> +++ b/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c
> @@ -693,9 +693,9 @@ BTF_ID_FLAGS(func, bpf_kfunc_dynptr_test)
>  BTF_ID_FLAGS(func, bpf_kfunc_nested_acquire_nonzero_offset_test, KF_ACQUIRE)
>  BTF_ID_FLAGS(func, bpf_kfunc_nested_acquire_zero_offset_test, KF_ACQUIRE)
>  BTF_ID_FLAGS(func, bpf_kfunc_nested_release_test, KF_RELEASE)
> -BTF_ID_FLAGS(func, bpf_kfunc_trusted_vma_test, KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_kfunc_trusted_task_test, KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_kfunc_trusted_num_test, KF_TRUSTED_ARGS)
> +BTF_ID_FLAGS(func, bpf_kfunc_trusted_vma_test)
> +BTF_ID_FLAGS(func, bpf_kfunc_trusted_task_test)
> +BTF_ID_FLAGS(func, bpf_kfunc_trusted_num_test)
>  BTF_ID_FLAGS(func, bpf_kfunc_rcu_task_test, KF_RCU)
>  BTF_ID_FLAGS(func, bpf_kfunc_ret_rcu_test, KF_RET_NULL | KF_RCU_PROTECTED)
>  BTF_ID_FLAGS(func, bpf_kfunc_ret_rcu_test_nostruct, KF_RET_NULL | KF_RCU_PROTECTED)
> @@ -1158,7 +1158,7 @@ BTF_ID_FLAGS(func, bpf_kfunc_call_test_pass2)
>  BTF_ID_FLAGS(func, bpf_kfunc_call_test_fail1)
>  BTF_ID_FLAGS(func, bpf_kfunc_call_test_fail2)
>  BTF_ID_FLAGS(func, bpf_kfunc_call_test_fail3)
> -BTF_ID_FLAGS(func, bpf_kfunc_call_test_ref, KF_TRUSTED_ARGS | KF_RCU)
> +BTF_ID_FLAGS(func, bpf_kfunc_call_test_ref, KF_RCU)
>  BTF_ID_FLAGS(func, bpf_kfunc_call_test_destructive, KF_DESTRUCTIVE)
>  BTF_ID_FLAGS(func, bpf_kfunc_call_test_static_unused_arg)
>  BTF_ID_FLAGS(func, bpf_kfunc_call_test_offset)
> @@ -1172,12 +1172,12 @@ BTF_ID_FLAGS(func, bpf_kfunc_call_kernel_sendmsg, KF_SLEEPABLE)
>  BTF_ID_FLAGS(func, bpf_kfunc_call_sock_sendmsg, KF_SLEEPABLE)
>  BTF_ID_FLAGS(func, bpf_kfunc_call_kernel_getsockname, KF_SLEEPABLE)
>  BTF_ID_FLAGS(func, bpf_kfunc_call_kernel_getpeername, KF_SLEEPABLE)
> -BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_prologue, KF_TRUSTED_ARGS | KF_SLEEPABLE)
> -BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_epilogue, KF_TRUSTED_ARGS | KF_SLEEPABLE)
> -BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_pro_epilogue, KF_TRUSTED_ARGS | KF_SLEEPABLE)
> -BTF_ID_FLAGS(func, bpf_kfunc_st_ops_inc10, KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_kfunc_multi_st_ops_test_1, KF_TRUSTED_ARGS)
> -BTF_ID_FLAGS(func, bpf_kfunc_multi_st_ops_test_1_impl, KF_TRUSTED_ARGS)
> +BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_prologue, KF_SLEEPABLE)
> +BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_epilogue, KF_SLEEPABLE)
> +BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_pro_epilogue, KF_SLEEPABLE)
> +BTF_ID_FLAGS(func, bpf_kfunc_st_ops_inc10)
> +BTF_ID_FLAGS(func, bpf_kfunc_multi_st_ops_test_1)
> +BTF_ID_FLAGS(func, bpf_kfunc_multi_st_ops_test_1_impl)
>  BTF_KFUNCS_END(bpf_testmod_check_kfunc_ids)
>  
>  static int bpf_testmod_ops_init(struct btf *btf)

Re: [PATCH bpf-next v2 6/9] selftests: bpf: fix test_kfunc_dynptr_param

[Emil Tsalapatis]

On Wed Dec 31, 2025 at 12:08 PM EST, Puranjay Mohan wrote:
> As verifier now assumes that all kfuncs only takes trusted pointer
> arguments, passing 0 (NULL) to a kfunc that doesn't mark the argument as
> __nullable or __opt will be rejected with a failure message of: Possibly
> NULL pointer passed to trusted arg<n>
>
> Pass a non-null value to the kfunc to test the expected failure mode.
>
> Signed-off-by: Puranjay Mohan <puranjay@kernel.org>

Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>

> ---
>  tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c b/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
> index 061befb004c2..d249113ed657 100644
> --- a/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
> +++ b/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
> @@ -48,10 +48,9 @@ SEC("?lsm.s/bpf")
>  __failure __msg("arg#0 expected pointer to stack or const struct bpf_dynptr")
>  int BPF_PROG(not_ptr_to_stack, int cmd, union bpf_attr *attr, unsigned int size, bool kernel)
>  {
> -	unsigned long val = 0;
> +	static struct bpf_dynptr val;
>  
> -	return bpf_verify_pkcs7_signature((struct bpf_dynptr *)val,
> -					  (struct bpf_dynptr *)val, NULL);
> +	return bpf_verify_pkcs7_signature(&val, &val, NULL);
>  }
>  
>  SEC("lsm.s/bpf")

Re: [PATCH bpf-next v2 5/9] selftests: bpf: Update failure message for rbtree_fail

[Emil Tsalapatis]

On Wed Dec 31, 2025 at 12:08 PM EST, Puranjay Mohan wrote:
> The rbtree_api_use_unchecked_remove_retval() selftest passes a pointer
> received from bpf_rbtree_remove() to bpf_rbtree_add() without checking
> for NULL, this was earlier caught by __check_ptr_off_reg() in the
> verifier. Now the verifier assumes every kfunc only takes trusted pointer
> arguments, so it catches this NULL pointer earlier in the path and
> provides a more accurate failure message.
>
> Signed-off-by: Puranjay Mohan <puranjay@kernel.org>

Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>

> ---
>  tools/testing/selftests/bpf/progs/rbtree_fail.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/tools/testing/selftests/bpf/progs/rbtree_fail.c b/tools/testing/selftests/bpf/progs/rbtree_fail.c
> index 4acb6af2dfe3..70b7baf9304b 100644
> --- a/tools/testing/selftests/bpf/progs/rbtree_fail.c
> +++ b/tools/testing/selftests/bpf/progs/rbtree_fail.c
> @@ -153,7 +153,7 @@ long rbtree_api_add_to_multiple_trees(void *ctx)
>  }
>  
>  SEC("?tc")
> -__failure __msg("dereference of modified ptr_or_null_ ptr R2 off=16 disallowed")
> +__failure __msg("Possibly NULL pointer passed to trusted arg1")
>  long rbtree_api_use_unchecked_remove_retval(void *ctx)
>  {
>  	struct bpf_rb_node *res;

Re: [PATCH bpf-next v2 4/9] selftests: bpf: Update kfunc_param_nullable test for new error message

[Emil Tsalapatis]

On Wed Dec 31, 2025 at 12:08 PM EST, Puranjay Mohan wrote:
> With trusted args now being the default, the NULL pointer check runs
> before type-specific validation. Update test3 to expect the new error
> message "Possibly NULL pointer passed to trusted arg0" instead of the
> old dynptr-specific error message.
>
> Signed-off-by: Puranjay Mohan <puranjay@kernel.org>

Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>

> ---
>  tools/testing/selftests/bpf/progs/test_kfunc_param_nullable.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/tools/testing/selftests/bpf/progs/test_kfunc_param_nullable.c b/tools/testing/selftests/bpf/progs/test_kfunc_param_nullable.c
> index 0ad1bf1ede8d..967081bbcfe1 100644
> --- a/tools/testing/selftests/bpf/progs/test_kfunc_param_nullable.c
> +++ b/tools/testing/selftests/bpf/progs/test_kfunc_param_nullable.c
> @@ -29,7 +29,7 @@ int kfunc_dynptr_nullable_test2(struct __sk_buff *skb)
>  }
>  
>  SEC("tc")
> -__failure __msg("expected pointer to stack or const struct bpf_dynptr")
> +__failure __msg("Possibly NULL pointer passed to trusted arg0")
>  int kfunc_dynptr_nullable_test3(struct __sk_buff *skb)
>  {
>  	struct bpf_dynptr data;

Re: [PATCH bpf-next v2 7/9] selftests: bpf: fix cgroup_hierarchical_stats

[Emil Tsalapatis]

On Wed Dec 31, 2025 at 12:08 PM EST, Puranjay Mohan wrote:
> The cgroup_hierarchical_stats selftests uses an fentry program attached
> to cgroup_attach_task and then passes the received &dst_cgrp->self to
> the css_rstat_updated() kfunc. The verifier now assumes that all kfuncs
> only takes trusted pointer arguments, and pointers received by fentry
> are not marked trustes by default.
>
> Use a tp_btf program in place for fentry for this test, pointers
> received by tp_btf programs are marked trusted by the verifier.
>
> Signed-off-by: Puranjay Mohan <puranjay@kernel.org>

Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>

> ---
>  .../testing/selftests/bpf/progs/cgroup_hierarchical_stats.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/tools/testing/selftests/bpf/progs/cgroup_hierarchical_stats.c b/tools/testing/selftests/bpf/progs/cgroup_hierarchical_stats.c
> index ff189a736ad8..8fc38592a87b 100644
> --- a/tools/testing/selftests/bpf/progs/cgroup_hierarchical_stats.c
> +++ b/tools/testing/selftests/bpf/progs/cgroup_hierarchical_stats.c
> @@ -62,9 +62,9 @@ static int create_attach_counter(__u64 cg_id, __u64 state, __u64 pending)
>  				   &init, BPF_NOEXIST);
>  }
>  
> -SEC("fentry/cgroup_attach_task")
> -int BPF_PROG(counter, struct cgroup *dst_cgrp, struct task_struct *leader,
> -	     bool threadgroup)
> +SEC("tp_btf/cgroup_attach_task")
> +int BPF_PROG(counter, struct cgroup *dst_cgrp, const char *path,
> +	     struct task_struct *task, bool threadgroup)
>  {
>  	__u64 cg_id = cgroup_id(dst_cgrp);
>  	struct percpu_attach_counter *pcpu_counter = bpf_map_lookup_elem(

Re: [PATCH bpf-next v2 9/9] HID: bpf: drop dead NULL checks in kfuncs

[Benjamin Tissoires]

On Dec 31 2025, Puranjay Mohan wrote:
> On Wed, Dec 31, 2025 at 6:20 PM Alexei Starovoitov
> <alexei.starovoitov@gmail.com> wrote:
> >
> > On Wed, Dec 31, 2025 at 9:12 AM Puranjay Mohan <puranjay@kernel.org> wrote:
> > >
> > > As KF_TRUSTED_ARGS is now considered default for all kfuns, the verifier
> > > will not allow passing NULL pointers to these kfuns. These checks for
> > > NULL pointers can therefore be removed.
> > >
> > > Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
> > > ---
> > >  drivers/hid/bpf/hid_bpf_dispatch.c | 5 +----
> > >  1 file changed, 1 insertion(+), 4 deletions(-)
> >
> > Benjamin,
> >
> > please run this patch set through your testsuite.
> > We don't expect breakage, but please double check and ack.
> >
> 
> I did run the hid bpf selftests, I am not sure if this is enough:

Yep, this is enough, the C selftests are supposed to be comprehensive
enough.

Acked-by: Benjamin Tissoires <bentiss@kernel.org>

Cheers,
Benjamin

> 
> [root@alarm hid]# ./hid_bpf
> TAP version 13
> 1..20
> # Starting 20 tests from 1 test cases.
> #  RUN           hid_bpf.test_create_uhid ...
> hid-generic 0003:0001:0A36.0001: hidraw0: USB HID v0.00 Device
> [test-uhid-device-268] on 268
> #            OK  hid_bpf.test_create_uhid
> ok 1 hid_bpf.test_create_uhid
> #  RUN           hid_bpf.raw_event ...
> hid-generic 0003:0001:0A36.0002: hidraw0: USB HID v0.00 Device
> [test-uhid-device-268] on 268
> #            OK  hid_bpf.raw_event
> ok 2 hid_bpf.raw_event
> #  RUN           hid_bpf.subprog_raw_event ...
> hid-generic 0003:0001:0A36.0003: hidraw0: USB HID v0.00 Device
> [test-uhid-device-268] on 268
> #            OK  hid_bpf.subprog_raw_event
> ok 3 hid_bpf.subprog_raw_event
> #  RUN           hid_bpf.multiple_attach ...
> hid-generic 0003:0001:0A36.0004: hidraw0: USB HID v0.00 Device
> [test-uhid-device-268] on 268
> #            OK  hid_bpf.multiple_attach
> ok 4 hid_bpf.multiple_attach
> #  RUN           hid_bpf.test_attach_detach ...
> hid-generic 0003:0001:0A36.0005: hidraw0: USB HID v0.00 Device
> [test-uhid-device-520] on 520
> #            OK  hid_bpf.test_attach_detach
> ok 5 hid_bpf.test_attach_detach
> #  RUN           hid_bpf.test_hid_change_report ...
> hid-generic 0003:0001:0A36.0006: hidraw0: USB HID v0.00 Device
> [test-uhid-device-520] on 520
> #            OK  hid_bpf.test_hid_change_report
> ok 6 hid_bpf.test_hid_change_report
> #  RUN           hid_bpf.test_hid_user_input_report_call ...
> hid-generic 0003:0001:0A36.0007: hidraw0: USB HID v0.00 Device
> [test-uhid-device-520] on 520
> #            OK  hid_bpf.test_hid_user_input_report_call
> ok 7 hid_bpf.test_hid_user_input_report_call
> #  RUN           hid_bpf.test_hid_user_output_report_call ...
> hid-generic 0003:0001:0A36.0008: hidraw0: USB HID v0.00 Device
> [test-uhid-device-520] on 520
> #            OK  hid_bpf.test_hid_user_output_report_call
> ok 8 hid_bpf.test_hid_user_output_report_call
> #  RUN           hid_bpf.test_hid_user_raw_request_call ...
> hid-generic 0003:0001:0A36.0009: hidraw0: USB HID v0.00 Device
> [test-uhid-device-520] on 520
> #            OK  hid_bpf.test_hid_user_raw_request_call
> ok 9 hid_bpf.test_hid_user_raw_request_call
> #  RUN           hid_bpf.test_hid_filter_raw_request_call ...
> hid-generic 0003:0001:0A36.000A: hidraw0: USB HID v0.00 Device
> [test-uhid-device-520] on 520
> #            OK  hid_bpf.test_hid_filter_raw_request_call
> ok 10 hid_bpf.test_hid_filter_raw_request_call
> #  RUN           hid_bpf.test_hid_change_raw_request_call ...
> hid-generic 0003:0001:0A36.000B: hidraw0: USB HID v0.00 Device
> [test-uhid-device-520] on 520
> #            OK  hid_bpf.test_hid_change_raw_request_call
> ok 11 hid_bpf.test_hid_change_raw_request_call
> #  RUN           hid_bpf.test_hid_infinite_loop_raw_request_call ...
> hid-generic 0003:0001:0A36.000C: hidraw0: USB HID v0.00 Device
> [test-uhid-device-520] on 520
> #            OK  hid_bpf.test_hid_infinite_loop_raw_request_call
> ok 12 hid_bpf.test_hid_infinite_loop_raw_request_call
> #  RUN           hid_bpf.test_hid_filter_output_report_call ...
> hid-generic 0003:0001:0A36.000D: hidraw0: USB HID v0.00 Device
> [test-uhid-device-520] on 520
> #            OK  hid_bpf.test_hid_filter_output_report_call
> ok 13 hid_bpf.test_hid_filter_output_report_call
> #  RUN           hid_bpf.test_hid_change_output_report_call ...
> hid-generic 0003:0001:0A36.000E: hidraw0: USB HID v0.00 Device
> [test-uhid-device-520] on 520
> #            OK  hid_bpf.test_hid_change_output_report_call
> ok 14 hid_bpf.test_hid_change_output_report_call
> #  RUN           hid_bpf.test_hid_infinite_loop_output_report_call ...
> hid-generic 0003:0001:0A36.000F: hidraw0: USB HID v0.00 Device
> [test-uhid-device-520] on 520
> #            OK  hid_bpf.test_hid_infinite_loop_output_report_call
> ok 15 hid_bpf.test_hid_infinite_loop_output_report_call
> #  RUN           hid_bpf.test_multiply_events_wq ...
> hid-generic 0003:0001:0A36.0010: hidraw0: USB HID v0.00 Device
> [test-uhid-device-309] on 309
> #            OK  hid_bpf.test_multiply_events_wq
> ok 16 hid_bpf.test_multiply_events_wq
> #  RUN           hid_bpf.test_multiply_events ...
> hid-generic 0003:0001:0A36.0011: hidraw0: USB HID v0.00 Device
> [test-uhid-device-309] on 309
> #            OK  hid_bpf.test_multiply_events
> ok 17 hid_bpf.test_multiply_events
> #  RUN           hid_bpf.test_hid_infinite_loop_input_report_call ...
> hid-generic 0003:0001:0A36.0012: hidraw0: USB HID v0.00 Device
> [test-uhid-device-309] on 309
> #            OK  hid_bpf.test_hid_infinite_loop_input_report_call
> ok 18 hid_bpf.test_hid_infinite_loop_input_report_call
> #  RUN           hid_bpf.test_hid_attach_flags ...
> hid-generic 0003:0001:0A36.0013: hidraw0: USB HID v0.00 Device
> [test-uhid-device-309] on 309
> #            OK  hid_bpf.test_hid_attach_flags
> ok 19 hid_bpf.test_hid_attach_flags
> #  RUN           hid_bpf.test_rdesc_fixup ...
> hid-generic 0003:0001:0A36.0014: hidraw0: USB HID v0.00 Device
> [test-uhid-device-309] on 309
> hid-generic 0003:0001:0A36.0014: hidraw0: USB HID v0.00 Device
> [test-uhid-device-309] on 309
> #            OK  hid_bpf.test_rdesc_fixup
> ok 20 hid_bpf.test_rdesc_fixup
> # PASSED: 20 / 20 tests passed.
> # Totals: pass:20 fail:0 xfail:0 xpass:0 skip:0 error:0