[PATCH bpf-next 0/7] bpf: Make KF_TRUSTED_ARGS default

[PATCH bpf-next 0/7] bpf: Make KF_TRUSTED_ARGS default

[Puranjay Mohan]

This set makes the verifier assume KF_TRUSTED_ARGS by default for all
kfunc and gets rid of this flag.

This works because:
  1. Context pointers (xdp_md, __sk_buff, etc.) are handled through
  their own KF_ARG_PTR_TO_CTX case label and bypass the trusted check

  2. Struct_ops callback arguments are already marked as PTR_TRUSTED
  during initialization and pass is_trusted_reg()

  3. KF_RCU kfuncs are handled separately via is_kfunc_rcu() checks at
  call sites.

Puranjay Mohan (7):
  bpf: Make KF_TRUSTED_ARGS the default for all kfuncs
  bpf: net: netfilter: Mark kfuncs accurately
  bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs
  selftests: bpf: Update kfunc_param_nullable test for new error message
  selftests: bpf: Update failure message for rbtree_fail
  selftests: bpf: fix test_kfunc_dynptr_param
  selftests: bpf: fix cgroup_hierarchical_stats

 Documentation/bpf/kfuncs.rst                  | 35 +++++++++----------
 fs/bpf_fs_kfuncs.c                            | 13 ++++---
 fs/verity/measure.c                           |  2 +-
 include/linux/btf.h                           |  3 +-
 kernel/bpf/arena.c                            |  6 ++--
 kernel/bpf/cpumask.c                          |  2 +-
 kernel/bpf/helpers.c                          | 20 +++++------
 kernel/bpf/map_iter.c                         |  2 +-
 kernel/bpf/verifier.c                         | 14 ++------
 kernel/sched/ext.c                            |  8 ++---
 mm/bpf_memcontrol.c                           | 10 +++---
 net/core/filter.c                             | 10 +++---
 net/core/xdp.c                                |  2 +-
 net/netfilter/nf_conntrack_bpf.c              | 30 ++++++++--------
 net/netfilter/nf_flow_table_bpf.c             |  2 +-
 net/netfilter/nf_nat_bpf.c                    |  2 +-
 net/sched/bpf_qdisc.c                         | 12 +++----
 .../bpf/progs/cgroup_hierarchical_stats.c     |  6 ++--
 .../testing/selftests/bpf/progs/rbtree_fail.c |  2 +-
 .../bpf/progs/test_kfunc_dynptr_param.c       |  2 +-
 .../bpf/progs/test_kfunc_param_nullable.c     |  2 +-
 .../selftests/bpf/test_kmods/bpf_testmod.c    | 20 +++++------
 22 files changed, 98 insertions(+), 107 deletions(-)


base-commit: f14cdb1367b947d373215e36cfe9c69768dbafc9
-- 
2.47.3

[PATCH bpf-next 1/7] bpf: Make KF_TRUSTED_ARGS the default for all kfuncs

[Puranjay Mohan]

Change the verifier to make trusted args the default requirement for
all kfuncs by removing is_kfunc_trusted_args() assuming it be to always
return true.

This works because:
1. Context pointers (xdp_md, __sk_buff, etc.) are handled through their
   own KF_ARG_PTR_TO_CTX case label and bypass the trusted check
2. Struct_ops callback arguments are already marked as PTR_TRUSTED during
   initialization and pass is_trusted_reg()
3. KF_RCU kfuncs are handled separately via is_kfunc_rcu() checks at
   call sites (always checked with || alongside is_kfunc_trusted_args)

This simple change makes all kfuncs require trusted args by default
while maintaining correct behavior for all existing special cases.

Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
---
 Documentation/bpf/kfuncs.rst | 35 +++++++++++++++++------------------
 kernel/bpf/verifier.c        | 14 +++-----------
 2 files changed, 20 insertions(+), 29 deletions(-)

diff --git a/Documentation/bpf/kfuncs.rst b/Documentation/bpf/kfuncs.rst
index e38941370b90..22b5a970078c 100644
--- a/Documentation/bpf/kfuncs.rst
+++ b/Documentation/bpf/kfuncs.rst
@@ -241,25 +241,23 @@ both are orthogonal to each other.
 The KF_RELEASE flag is used to indicate that the kfunc releases the pointer
 passed in to it. There can be only one referenced pointer that can be passed
 in. All copies of the pointer being released are invalidated as a result of
-invoking kfunc with this flag. KF_RELEASE kfuncs automatically receive the
-protection afforded by the KF_TRUSTED_ARGS flag described below.
+invoking kfunc with this flag.
 
-2.4.4 KF_TRUSTED_ARGS flag
---------------------------
+2.4.4 KF_TRUSTED_ARGS (default behavior)
+-----------------------------------------
 
-The KF_TRUSTED_ARGS flag is used for kfuncs taking pointer arguments. It
-indicates that the all pointer arguments are valid, and that all pointers to
-BTF objects have been passed in their unmodified form (that is, at a zero
-offset, and without having been obtained from walking another pointer, with one
-exception described below).
+All kfuncs now require trusted arguments by default. This means that all
+pointer arguments must be valid, and all pointers to BTF objects must be
+passed in their unmodified form (at a zero offset, and without having been
+obtained from walking another pointer, with exceptions described below).
 
-There are two types of pointers to kernel objects which are considered "valid":
+There are two types of pointers to kernel objects which are considered "trusted":
 
 1. Pointers which are passed as tracepoint or struct_ops callback arguments.
 2. Pointers which were returned from a KF_ACQUIRE kfunc.
 
 Pointers to non-BTF objects (e.g. scalar pointers) may also be passed to
-KF_TRUSTED_ARGS kfuncs, and may have a non-zero offset.
+kfuncs, and may have a non-zero offset.
 
 The definition of "valid" pointers is subject to change at any time, and has
 absolutely no ABI stability guarantees.
@@ -327,13 +325,14 @@ added later.
 2.4.7 KF_RCU flag
 -----------------
 
-The KF_RCU flag is a weaker version of KF_TRUSTED_ARGS. The kfuncs marked with
-KF_RCU expect either PTR_TRUSTED or MEM_RCU arguments. The verifier guarantees
-that the objects are valid and there is no use-after-free. The pointers are not
-NULL, but the object's refcount could have reached zero. The kfuncs need to
-consider doing refcnt != 0 check, especially when returning a KF_ACQUIRE
-pointer. Note as well that a KF_ACQUIRE kfunc that is KF_RCU should very likely
-also be KF_RET_NULL.
+The KF_RCU flag allows kfuncs to opt out of the default trusted args
+requirement and accept RCU pointers with weaker guarantees. The kfuncs marked
+with KF_RCU expect either PTR_TRUSTED or MEM_RCU arguments. The verifier
+guarantees that the objects are valid and there is no use-after-free. The
+pointers are not NULL, but the object's refcount could have reached zero. The
+kfuncs need to consider doing refcnt != 0 check, especially when returning a
+KF_ACQUIRE pointer. Note as well that a KF_ACQUIRE kfunc that is KF_RCU should
+very likely also be KF_RET_NULL.
 
 2.4.8 KF_RCU_PROTECTED flag
 ---------------------------
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 2de1a736ef69..049a485fde35 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -12040,11 +12040,6 @@ static bool is_kfunc_release(struct bpf_kfunc_call_arg_meta *meta)
 	return meta->kfunc_flags & KF_RELEASE;
 }
 
-static bool is_kfunc_trusted_args(struct bpf_kfunc_call_arg_meta *meta)
-{
-	return (meta->kfunc_flags & KF_TRUSTED_ARGS) || is_kfunc_release(meta);
-}
-
 static bool is_kfunc_sleepable(struct bpf_kfunc_call_arg_meta *meta)
 {
 	return meta->kfunc_flags & KF_SLEEPABLE;
@@ -13253,9 +13248,9 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
 			return -EINVAL;
 		}
 
-		if ((is_kfunc_trusted_args(meta) || is_kfunc_rcu(meta)) &&
-		    (register_is_null(reg) || type_may_be_null(reg->type)) &&
-			!is_kfunc_arg_nullable(meta->btf, &args[i])) {
+		if ((register_is_null(reg) || type_may_be_null(reg->type)) &&
+		    !is_kfunc_arg_nullable(meta->btf, &args[i]) &&
+		    !is_kfunc_arg_optional(meta->btf, &args[i])) {
 			verbose(env, "Possibly NULL pointer passed to trusted arg%d\n", i);
 			return -EACCES;
 		}
@@ -13320,9 +13315,6 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
 			fallthrough;
 		case KF_ARG_PTR_TO_ALLOC_BTF_ID:
 		case KF_ARG_PTR_TO_BTF_ID:
-			if (!is_kfunc_trusted_args(meta) && !is_kfunc_rcu(meta))
-				break;
-
 			if (!is_trusted_reg(reg)) {
 				if (!is_kfunc_rcu(meta)) {
 					verbose(env, "R%d must be referenced or trusted\n", regno);
-- 
2.47.3

[PATCH bpf-next 2/7] bpf: net: netfilter: Mark kfuncs accurately

[Puranjay Mohan]

bpf_xdp_ct_lookup() and bpf_skb_ct_lookup() receive bpf_tuple and opts
parameter that are then checked for NULL by __bpf_nf_ct_lookup(), so
these kfuns expects these arguments to be NULL.

Mark bpf_tuple and opts with __nullable so verifier allows passing NULL
pointer for these arguments.

This change is now required because verfier will now assume that every
kfunc expects trusted arguments by default, so even though these kfuns
don't have the KF_TRSUTED_ARGS flag, all arguments will be treated by
as KF_TRSUTED_ARGS by default.

Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
---
 net/netfilter/nf_conntrack_bpf.c | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/net/netfilter/nf_conntrack_bpf.c b/net/netfilter/nf_conntrack_bpf.c
index 4a136fc3a9c0..308e47c2aeaa 100644
--- a/net/netfilter/nf_conntrack_bpf.c
+++ b/net/netfilter/nf_conntrack_bpf.c
@@ -324,18 +324,19 @@ bpf_xdp_ct_alloc(struct xdp_md *xdp_ctx, struct bpf_sock_tuple *bpf_tuple,
  *		    Must be NF_BPF_CT_OPTS_SZ (16) or 12
  */
 __bpf_kfunc struct nf_conn *
-bpf_xdp_ct_lookup(struct xdp_md *xdp_ctx, struct bpf_sock_tuple *bpf_tuple,
-		  u32 tuple__sz, struct bpf_ct_opts *opts, u32 opts__sz)
+bpf_xdp_ct_lookup(struct xdp_md *xdp_ctx, struct bpf_sock_tuple *bpf_tuple__nullable,
+		  u32 tuple__sz, struct bpf_ct_opts *opts__nullable, u32 opts__sz)
 {
 	struct xdp_buff *ctx = (struct xdp_buff *)xdp_ctx;
 	struct net *caller_net;
 	struct nf_conn *nfct;
 
 	caller_net = dev_net(ctx->rxq->dev);
-	nfct = __bpf_nf_ct_lookup(caller_net, bpf_tuple, tuple__sz, opts, opts__sz);
+	nfct = __bpf_nf_ct_lookup(caller_net, bpf_tuple__nullable, tuple__sz, opts__nullable,
+				  opts__sz);
 	if (IS_ERR(nfct)) {
-		if (opts)
-			opts->error = PTR_ERR(nfct);
+		if (opts__nullable)
+			opts__nullable->error = PTR_ERR(nfct);
 		return NULL;
 	}
 	return nfct;
@@ -392,18 +393,19 @@ bpf_skb_ct_alloc(struct __sk_buff *skb_ctx, struct bpf_sock_tuple *bpf_tuple,
  *		    Must be NF_BPF_CT_OPTS_SZ (16) or 12
  */
 __bpf_kfunc struct nf_conn *
-bpf_skb_ct_lookup(struct __sk_buff *skb_ctx, struct bpf_sock_tuple *bpf_tuple,
-		  u32 tuple__sz, struct bpf_ct_opts *opts, u32 opts__sz)
+bpf_skb_ct_lookup(struct __sk_buff *skb_ctx, struct bpf_sock_tuple *bpf_tuple__nullable,
+		  u32 tuple__sz, struct bpf_ct_opts *opts__nullable, u32 opts__sz)
 {
 	struct sk_buff *skb = (struct sk_buff *)skb_ctx;
 	struct net *caller_net;
 	struct nf_conn *nfct;
 
 	caller_net = skb->dev ? dev_net(skb->dev) : sock_net(skb->sk);
-	nfct = __bpf_nf_ct_lookup(caller_net, bpf_tuple, tuple__sz, opts, opts__sz);
+	nfct = __bpf_nf_ct_lookup(caller_net, bpf_tuple__nullable, tuple__sz, opts__nullable,
+				  opts__sz);
 	if (IS_ERR(nfct)) {
-		if (opts)
-			opts->error = PTR_ERR(nfct);
+		if (opts__nullable)
+			opts__nullable->error = PTR_ERR(nfct);
 		return NULL;
 	}
 	return nfct;
-- 
2.47.3

[PATCH bpf-next 3/7] bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs

[Puranjay Mohan]

Now that KF_TRUSTED_ARGS is the default for all kfuncs, remove the
explicit KF_TRUSTED_ARGS flag from all kfunc definitions and remove the
flag itself.

Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
---
 fs/bpf_fs_kfuncs.c                            | 13 ++++++------
 fs/verity/measure.c                           |  2 +-
 include/linux/btf.h                           |  3 +--
 kernel/bpf/arena.c                            |  6 +++---
 kernel/bpf/cpumask.c                          |  2 +-
 kernel/bpf/helpers.c                          | 20 +++++++++----------
 kernel/bpf/map_iter.c                         |  2 +-
 kernel/sched/ext.c                            |  8 ++++----
 mm/bpf_memcontrol.c                           | 10 +++++-----
 net/core/filter.c                             | 10 +++++-----
 net/core/xdp.c                                |  2 +-
 net/netfilter/nf_conntrack_bpf.c              |  8 ++++----
 net/netfilter/nf_flow_table_bpf.c             |  2 +-
 net/netfilter/nf_nat_bpf.c                    |  2 +-
 net/sched/bpf_qdisc.c                         | 12 +++++------
 .../selftests/bpf/test_kmods/bpf_testmod.c    | 20 +++++++++----------
 16 files changed, 60 insertions(+), 62 deletions(-)

diff --git a/fs/bpf_fs_kfuncs.c b/fs/bpf_fs_kfuncs.c
index 5ace2511fec5..a15d31690e0b 100644
--- a/fs/bpf_fs_kfuncs.c
+++ b/fs/bpf_fs_kfuncs.c
@@ -359,14 +359,13 @@ __bpf_kfunc int bpf_cgroup_read_xattr(struct cgroup *cgroup, const char *name__s
 __bpf_kfunc_end_defs();
 
 BTF_KFUNCS_START(bpf_fs_kfunc_set_ids)
-BTF_ID_FLAGS(func, bpf_get_task_exe_file,
-	     KF_ACQUIRE | KF_TRUSTED_ARGS | KF_RET_NULL)
+BTF_ID_FLAGS(func, bpf_get_task_exe_file, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_put_file, KF_RELEASE)
-BTF_ID_FLAGS(func, bpf_path_d_path, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_get_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_set_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_remove_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_path_d_path)
+BTF_ID_FLAGS(func, bpf_get_dentry_xattr, KF_SLEEPABLE)
+BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE)
+BTF_ID_FLAGS(func, bpf_set_dentry_xattr, KF_SLEEPABLE)
+BTF_ID_FLAGS(func, bpf_remove_dentry_xattr, KF_SLEEPABLE)
 BTF_KFUNCS_END(bpf_fs_kfunc_set_ids)
 
 static int bpf_fs_kfuncs_filter(const struct bpf_prog *prog, u32 kfunc_id)
diff --git a/fs/verity/measure.c b/fs/verity/measure.c
index 388734132f01..6a35623ebdf0 100644
--- a/fs/verity/measure.c
+++ b/fs/verity/measure.c
@@ -162,7 +162,7 @@ __bpf_kfunc int bpf_get_fsverity_digest(struct file *file, struct bpf_dynptr *di
 __bpf_kfunc_end_defs();
 
 BTF_KFUNCS_START(fsverity_set_ids)
-BTF_ID_FLAGS(func, bpf_get_fsverity_digest, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_get_fsverity_digest)
 BTF_KFUNCS_END(fsverity_set_ids)
 
 static int bpf_get_fsverity_digest_filter(const struct bpf_prog *prog, u32 kfunc_id)
diff --git a/include/linux/btf.h b/include/linux/btf.h
index f06976ffb63f..691f09784933 100644
--- a/include/linux/btf.h
+++ b/include/linux/btf.h
@@ -34,7 +34,7 @@
  *
  * And the following kfunc:
  *
- *	BTF_ID_FLAGS(func, bpf_task_acquire, KF_ACQUIRE | KF_TRUSTED_ARGS)
+ *	BTF_ID_FLAGS(func, bpf_task_acquire, KF_ACQUIRE)
  *
  * All invocations to the kfunc must pass the unmodified, unwalked task:
  *
@@ -66,7 +66,6 @@
  *	return 0;
  * }
  */
-#define KF_TRUSTED_ARGS (1 << 4) /* kfunc only takes trusted pointer arguments */
 #define KF_SLEEPABLE    (1 << 5) /* kfunc may sleep */
 #define KF_DESTRUCTIVE  (1 << 6) /* kfunc performs destructive actions */
 #define KF_RCU          (1 << 7) /* kfunc takes either rcu or trusted pointer arguments */
diff --git a/kernel/bpf/arena.c b/kernel/bpf/arena.c
index 456ac989269d..2274319a95e6 100644
--- a/kernel/bpf/arena.c
+++ b/kernel/bpf/arena.c
@@ -890,9 +890,9 @@ __bpf_kfunc int bpf_arena_reserve_pages(void *p__map, void *ptr__ign, u32 page_c
 __bpf_kfunc_end_defs();
 
 BTF_KFUNCS_START(arena_kfuncs)
-BTF_ID_FLAGS(func, bpf_arena_alloc_pages, KF_TRUSTED_ARGS | KF_ARENA_RET | KF_ARENA_ARG2)
-BTF_ID_FLAGS(func, bpf_arena_free_pages, KF_TRUSTED_ARGS | KF_ARENA_ARG2)
-BTF_ID_FLAGS(func, bpf_arena_reserve_pages, KF_TRUSTED_ARGS | KF_ARENA_ARG2)
+BTF_ID_FLAGS(func, bpf_arena_alloc_pages, KF_ARENA_RET | KF_ARENA_ARG2)
+BTF_ID_FLAGS(func, bpf_arena_free_pages, KF_ARENA_ARG2)
+BTF_ID_FLAGS(func, bpf_arena_reserve_pages, KF_ARENA_ARG2)
 BTF_KFUNCS_END(arena_kfuncs)
 
 static const struct btf_kfunc_id_set common_kfunc_set = {
diff --git a/kernel/bpf/cpumask.c b/kernel/bpf/cpumask.c
index 9876c5fe6c2a..b8c805b4b06a 100644
--- a/kernel/bpf/cpumask.c
+++ b/kernel/bpf/cpumask.c
@@ -477,7 +477,7 @@ __bpf_kfunc_end_defs();
 BTF_KFUNCS_START(cpumask_kfunc_btf_ids)
 BTF_ID_FLAGS(func, bpf_cpumask_create, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_cpumask_release, KF_RELEASE)
-BTF_ID_FLAGS(func, bpf_cpumask_acquire, KF_ACQUIRE | KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_cpumask_acquire, KF_ACQUIRE)
 BTF_ID_FLAGS(func, bpf_cpumask_first, KF_RCU)
 BTF_ID_FLAGS(func, bpf_cpumask_first_zero, KF_RCU)
 BTF_ID_FLAGS(func, bpf_cpumask_first_and, KF_RCU)
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index db72b96f9c8c..2c15f77c74db 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -4427,7 +4427,7 @@ BTF_ID_FLAGS(func, bpf_task_from_pid, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_task_from_vpid, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_throw)
 #ifdef CONFIG_BPF_EVENTS
-BTF_ID_FLAGS(func, bpf_send_signal_task, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_send_signal_task)
 #endif
 #ifdef CONFIG_KEYS
 BTF_ID_FLAGS(func, bpf_lookup_user_key, KF_ACQUIRE | KF_RET_NULL | KF_SLEEPABLE)
@@ -4467,14 +4467,14 @@ BTF_ID_FLAGS(func, bpf_iter_task_vma_new, KF_ITER_NEW | KF_RCU)
 BTF_ID_FLAGS(func, bpf_iter_task_vma_next, KF_ITER_NEXT | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_iter_task_vma_destroy, KF_ITER_DESTROY)
 #ifdef CONFIG_CGROUPS
-BTF_ID_FLAGS(func, bpf_iter_css_task_new, KF_ITER_NEW | KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_iter_css_task_new, KF_ITER_NEW)
 BTF_ID_FLAGS(func, bpf_iter_css_task_next, KF_ITER_NEXT | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_iter_css_task_destroy, KF_ITER_DESTROY)
-BTF_ID_FLAGS(func, bpf_iter_css_new, KF_ITER_NEW | KF_TRUSTED_ARGS | KF_RCU_PROTECTED)
+BTF_ID_FLAGS(func, bpf_iter_css_new, KF_ITER_NEW | KF_RCU_PROTECTED)
 BTF_ID_FLAGS(func, bpf_iter_css_next, KF_ITER_NEXT | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_iter_css_destroy, KF_ITER_DESTROY)
 #endif
-BTF_ID_FLAGS(func, bpf_iter_task_new, KF_ITER_NEW | KF_TRUSTED_ARGS | KF_RCU_PROTECTED)
+BTF_ID_FLAGS(func, bpf_iter_task_new, KF_ITER_NEW | KF_RCU_PROTECTED)
 BTF_ID_FLAGS(func, bpf_iter_task_next, KF_ITER_NEXT | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_iter_task_destroy, KF_ITER_DESTROY)
 BTF_ID_FLAGS(func, bpf_dynptr_adjust)
@@ -4510,8 +4510,8 @@ BTF_ID_FLAGS(func, bpf_probe_read_user_str_dynptr)
 BTF_ID_FLAGS(func, bpf_probe_read_kernel_str_dynptr)
 BTF_ID_FLAGS(func, bpf_copy_from_user_dynptr, KF_SLEEPABLE)
 BTF_ID_FLAGS(func, bpf_copy_from_user_str_dynptr, KF_SLEEPABLE)
-BTF_ID_FLAGS(func, bpf_copy_from_user_task_dynptr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_copy_from_user_task_str_dynptr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_copy_from_user_task_dynptr, KF_SLEEPABLE)
+BTF_ID_FLAGS(func, bpf_copy_from_user_task_str_dynptr, KF_SLEEPABLE)
 #endif
 #ifdef CONFIG_DMA_SHARED_BUFFER
 BTF_ID_FLAGS(func, bpf_iter_dmabuf_new, KF_ITER_NEW | KF_SLEEPABLE)
@@ -4536,10 +4536,10 @@ BTF_ID_FLAGS(func, bpf_strncasestr);
 #if defined(CONFIG_BPF_LSM) && defined(CONFIG_CGROUPS)
 BTF_ID_FLAGS(func, bpf_cgroup_read_xattr, KF_RCU)
 #endif
-BTF_ID_FLAGS(func, bpf_stream_vprintk_impl, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_task_work_schedule_signal_impl, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_task_work_schedule_resume_impl, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_dynptr_from_file, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_stream_vprintk_impl)
+BTF_ID_FLAGS(func, bpf_task_work_schedule_signal_impl)
+BTF_ID_FLAGS(func, bpf_task_work_schedule_resume_impl)
+BTF_ID_FLAGS(func, bpf_dynptr_from_file)
 BTF_ID_FLAGS(func, bpf_dynptr_file_discard)
 BTF_KFUNCS_END(common_btf_ids)
 
diff --git a/kernel/bpf/map_iter.c b/kernel/bpf/map_iter.c
index 9575314f40a6..261a03ea73d3 100644
--- a/kernel/bpf/map_iter.c
+++ b/kernel/bpf/map_iter.c
@@ -214,7 +214,7 @@ __bpf_kfunc s64 bpf_map_sum_elem_count(const struct bpf_map *map)
 __bpf_kfunc_end_defs();
 
 BTF_KFUNCS_START(bpf_map_iter_kfunc_ids)
-BTF_ID_FLAGS(func, bpf_map_sum_elem_count, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_map_sum_elem_count)
 BTF_KFUNCS_END(bpf_map_iter_kfunc_ids)
 
 static const struct btf_kfunc_id_set bpf_map_iter_kfunc_set = {
diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
index 94164f2dec6d..fd5423428dde 100644
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -7229,9 +7229,9 @@ BTF_ID_FLAGS(func, scx_bpf_dsq_peek, KF_RCU_PROTECTED | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_iter_scx_dsq_new, KF_ITER_NEW | KF_RCU_PROTECTED)
 BTF_ID_FLAGS(func, bpf_iter_scx_dsq_next, KF_ITER_NEXT | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_iter_scx_dsq_destroy, KF_ITER_DESTROY)
-BTF_ID_FLAGS(func, scx_bpf_exit_bstr, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, scx_bpf_error_bstr, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, scx_bpf_dump_bstr, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, scx_bpf_exit_bstr)
+BTF_ID_FLAGS(func, scx_bpf_error_bstr)
+BTF_ID_FLAGS(func, scx_bpf_dump_bstr)
 BTF_ID_FLAGS(func, scx_bpf_reenqueue_local___v2)
 BTF_ID_FLAGS(func, scx_bpf_cpuperf_cap)
 BTF_ID_FLAGS(func, scx_bpf_cpuperf_cur)
@@ -7250,7 +7250,7 @@ BTF_ID_FLAGS(func, scx_bpf_cpu_curr, KF_RET_NULL | KF_RCU_PROTECTED)
 BTF_ID_FLAGS(func, scx_bpf_task_cgroup, KF_RCU | KF_ACQUIRE)
 #endif
 BTF_ID_FLAGS(func, scx_bpf_now)
-BTF_ID_FLAGS(func, scx_bpf_events, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, scx_bpf_events)
 BTF_KFUNCS_END(scx_kfunc_ids_any)
 
 static const struct btf_kfunc_id_set scx_kfunc_set_any = {
diff --git a/mm/bpf_memcontrol.c b/mm/bpf_memcontrol.c
index e8fa7f5855f9..716df49d7647 100644
--- a/mm/bpf_memcontrol.c
+++ b/mm/bpf_memcontrol.c
@@ -166,11 +166,11 @@ BTF_ID_FLAGS(func, bpf_get_root_mem_cgroup, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_get_mem_cgroup, KF_ACQUIRE | KF_RET_NULL | KF_RCU)
 BTF_ID_FLAGS(func, bpf_put_mem_cgroup, KF_RELEASE)
 
-BTF_ID_FLAGS(func, bpf_mem_cgroup_vm_events, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_mem_cgroup_memory_events, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_mem_cgroup_usage, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_mem_cgroup_page_state, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_mem_cgroup_flush_stats, KF_TRUSTED_ARGS | KF_SLEEPABLE)
+BTF_ID_FLAGS(func, bpf_mem_cgroup_vm_events)
+BTF_ID_FLAGS(func, bpf_mem_cgroup_memory_events)
+BTF_ID_FLAGS(func, bpf_mem_cgroup_usage)
+BTF_ID_FLAGS(func, bpf_mem_cgroup_page_state)
+BTF_ID_FLAGS(func, bpf_mem_cgroup_flush_stats, KF_SLEEPABLE)
 
 BTF_KFUNCS_END(bpf_memcontrol_kfuncs)
 
diff --git a/net/core/filter.c b/net/core/filter.c
index 616e0520a0bb..d43df98e1ded 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -12438,11 +12438,11 @@ int bpf_dynptr_from_skb_rdonly(struct __sk_buff *skb, u64 flags,
 }
 
 BTF_KFUNCS_START(bpf_kfunc_check_set_skb)
-BTF_ID_FLAGS(func, bpf_dynptr_from_skb, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_dynptr_from_skb)
 BTF_KFUNCS_END(bpf_kfunc_check_set_skb)
 
 BTF_KFUNCS_START(bpf_kfunc_check_set_skb_meta)
-BTF_ID_FLAGS(func, bpf_dynptr_from_skb_meta, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_dynptr_from_skb_meta)
 BTF_KFUNCS_END(bpf_kfunc_check_set_skb_meta)
 
 BTF_KFUNCS_START(bpf_kfunc_check_set_xdp)
@@ -12455,11 +12455,11 @@ BTF_ID_FLAGS(func, bpf_sock_addr_set_sun_path)
 BTF_KFUNCS_END(bpf_kfunc_check_set_sock_addr)
 
 BTF_KFUNCS_START(bpf_kfunc_check_set_tcp_reqsk)
-BTF_ID_FLAGS(func, bpf_sk_assign_tcp_reqsk, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_sk_assign_tcp_reqsk)
 BTF_KFUNCS_END(bpf_kfunc_check_set_tcp_reqsk)
 
 BTF_KFUNCS_START(bpf_kfunc_check_set_sock_ops)
-BTF_ID_FLAGS(func, bpf_sock_ops_enable_tx_tstamp, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_sock_ops_enable_tx_tstamp)
 BTF_KFUNCS_END(bpf_kfunc_check_set_sock_ops)
 
 static const struct btf_kfunc_id_set bpf_kfunc_set_skb = {
@@ -12554,7 +12554,7 @@ __bpf_kfunc int bpf_sock_destroy(struct sock_common *sock)
 __bpf_kfunc_end_defs();
 
 BTF_KFUNCS_START(bpf_sk_iter_kfunc_ids)
-BTF_ID_FLAGS(func, bpf_sock_destroy, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_sock_destroy)
 BTF_KFUNCS_END(bpf_sk_iter_kfunc_ids)
 
 static int tracing_iter_filter(const struct bpf_prog *prog, u32 kfunc_id)
diff --git a/net/core/xdp.c b/net/core/xdp.c
index 9100e160113a..fee6d080ee85 100644
--- a/net/core/xdp.c
+++ b/net/core/xdp.c
@@ -964,7 +964,7 @@ __bpf_kfunc int bpf_xdp_metadata_rx_vlan_tag(const struct xdp_md *ctx,
 __bpf_kfunc_end_defs();
 
 BTF_KFUNCS_START(xdp_metadata_kfunc_ids)
-#define XDP_METADATA_KFUNC(_, __, name, ___) BTF_ID_FLAGS(func, name, KF_TRUSTED_ARGS)
+#define XDP_METADATA_KFUNC(_, __, name, ___) BTF_ID_FLAGS(func, name)
 XDP_METADATA_KFUNC_xxx
 #undef XDP_METADATA_KFUNC
 BTF_KFUNCS_END(xdp_metadata_kfunc_ids)
diff --git a/net/netfilter/nf_conntrack_bpf.c b/net/netfilter/nf_conntrack_bpf.c
index 308e47c2aeaa..c02e1c943847 100644
--- a/net/netfilter/nf_conntrack_bpf.c
+++ b/net/netfilter/nf_conntrack_bpf.c
@@ -518,10 +518,10 @@ BTF_ID_FLAGS(func, bpf_skb_ct_alloc, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_skb_ct_lookup, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_ct_insert_entry, KF_ACQUIRE | KF_RET_NULL | KF_RELEASE)
 BTF_ID_FLAGS(func, bpf_ct_release, KF_RELEASE)
-BTF_ID_FLAGS(func, bpf_ct_set_timeout, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_ct_change_timeout, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_ct_set_status, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_ct_change_status, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_ct_set_timeout)
+BTF_ID_FLAGS(func, bpf_ct_change_timeout)
+BTF_ID_FLAGS(func, bpf_ct_set_status)
+BTF_ID_FLAGS(func, bpf_ct_change_status)
 BTF_KFUNCS_END(nf_ct_kfunc_set)
 
 static const struct btf_kfunc_id_set nf_conntrack_kfunc_set = {
diff --git a/net/netfilter/nf_flow_table_bpf.c b/net/netfilter/nf_flow_table_bpf.c
index 4a5f5195f2d2..cbd5b97a6329 100644
--- a/net/netfilter/nf_flow_table_bpf.c
+++ b/net/netfilter/nf_flow_table_bpf.c
@@ -105,7 +105,7 @@ __diag_pop()
 __bpf_kfunc_end_defs();
 
 BTF_KFUNCS_START(nf_ft_kfunc_set)
-BTF_ID_FLAGS(func, bpf_xdp_flow_lookup, KF_TRUSTED_ARGS | KF_RET_NULL)
+BTF_ID_FLAGS(func, bpf_xdp_flow_lookup, KF_RET_NULL)
 BTF_KFUNCS_END(nf_ft_kfunc_set)
 
 static const struct btf_kfunc_id_set nf_flow_kfunc_set = {
diff --git a/net/netfilter/nf_nat_bpf.c b/net/netfilter/nf_nat_bpf.c
index 481be15609b1..f9dd85ccea01 100644
--- a/net/netfilter/nf_nat_bpf.c
+++ b/net/netfilter/nf_nat_bpf.c
@@ -55,7 +55,7 @@ __bpf_kfunc int bpf_ct_set_nat_info(struct nf_conn___init *nfct,
 __bpf_kfunc_end_defs();
 
 BTF_KFUNCS_START(nf_nat_kfunc_set)
-BTF_ID_FLAGS(func, bpf_ct_set_nat_info, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_ct_set_nat_info)
 BTF_KFUNCS_END(nf_nat_kfunc_set)
 
 static const struct btf_kfunc_id_set nf_bpf_nat_kfunc_set = {
diff --git a/net/sched/bpf_qdisc.c b/net/sched/bpf_qdisc.c
index adcb618a2bfc..b9771788b9b3 100644
--- a/net/sched/bpf_qdisc.c
+++ b/net/sched/bpf_qdisc.c
@@ -271,14 +271,14 @@ __bpf_kfunc void bpf_qdisc_bstats_update(struct Qdisc *sch, const struct sk_buff
 __bpf_kfunc_end_defs();
 
 BTF_KFUNCS_START(qdisc_kfunc_ids)
-BTF_ID_FLAGS(func, bpf_skb_get_hash, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_skb_get_hash)
 BTF_ID_FLAGS(func, bpf_kfree_skb, KF_RELEASE)
 BTF_ID_FLAGS(func, bpf_qdisc_skb_drop, KF_RELEASE)
-BTF_ID_FLAGS(func, bpf_dynptr_from_skb, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_qdisc_watchdog_schedule, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_qdisc_init_prologue, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_qdisc_reset_destroy_epilogue, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_qdisc_bstats_update, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_dynptr_from_skb)
+BTF_ID_FLAGS(func, bpf_qdisc_watchdog_schedule)
+BTF_ID_FLAGS(func, bpf_qdisc_init_prologue)
+BTF_ID_FLAGS(func, bpf_qdisc_reset_destroy_epilogue)
+BTF_ID_FLAGS(func, bpf_qdisc_bstats_update)
 BTF_KFUNCS_END(qdisc_kfunc_ids)
 
 BTF_SET_START(qdisc_common_kfunc_set)
diff --git a/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c b/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c
index 90c4b1a51de6..1c41d03bd5a1 100644
--- a/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c
+++ b/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c
@@ -693,9 +693,9 @@ BTF_ID_FLAGS(func, bpf_kfunc_dynptr_test)
 BTF_ID_FLAGS(func, bpf_kfunc_nested_acquire_nonzero_offset_test, KF_ACQUIRE)
 BTF_ID_FLAGS(func, bpf_kfunc_nested_acquire_zero_offset_test, KF_ACQUIRE)
 BTF_ID_FLAGS(func, bpf_kfunc_nested_release_test, KF_RELEASE)
-BTF_ID_FLAGS(func, bpf_kfunc_trusted_vma_test, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_kfunc_trusted_task_test, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_kfunc_trusted_num_test, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_kfunc_trusted_vma_test)
+BTF_ID_FLAGS(func, bpf_kfunc_trusted_task_test)
+BTF_ID_FLAGS(func, bpf_kfunc_trusted_num_test)
 BTF_ID_FLAGS(func, bpf_kfunc_rcu_task_test, KF_RCU)
 BTF_ID_FLAGS(func, bpf_kfunc_ret_rcu_test, KF_RET_NULL | KF_RCU_PROTECTED)
 BTF_ID_FLAGS(func, bpf_kfunc_ret_rcu_test_nostruct, KF_RET_NULL | KF_RCU_PROTECTED)
@@ -1158,7 +1158,7 @@ BTF_ID_FLAGS(func, bpf_kfunc_call_test_pass2)
 BTF_ID_FLAGS(func, bpf_kfunc_call_test_fail1)
 BTF_ID_FLAGS(func, bpf_kfunc_call_test_fail2)
 BTF_ID_FLAGS(func, bpf_kfunc_call_test_fail3)
-BTF_ID_FLAGS(func, bpf_kfunc_call_test_ref, KF_TRUSTED_ARGS | KF_RCU)
+BTF_ID_FLAGS(func, bpf_kfunc_call_test_ref, KF_RCU)
 BTF_ID_FLAGS(func, bpf_kfunc_call_test_destructive, KF_DESTRUCTIVE)
 BTF_ID_FLAGS(func, bpf_kfunc_call_test_static_unused_arg)
 BTF_ID_FLAGS(func, bpf_kfunc_call_test_offset)
@@ -1172,12 +1172,12 @@ BTF_ID_FLAGS(func, bpf_kfunc_call_kernel_sendmsg, KF_SLEEPABLE)
 BTF_ID_FLAGS(func, bpf_kfunc_call_sock_sendmsg, KF_SLEEPABLE)
 BTF_ID_FLAGS(func, bpf_kfunc_call_kernel_getsockname, KF_SLEEPABLE)
 BTF_ID_FLAGS(func, bpf_kfunc_call_kernel_getpeername, KF_SLEEPABLE)
-BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_prologue, KF_TRUSTED_ARGS | KF_SLEEPABLE)
-BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_epilogue, KF_TRUSTED_ARGS | KF_SLEEPABLE)
-BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_pro_epilogue, KF_TRUSTED_ARGS | KF_SLEEPABLE)
-BTF_ID_FLAGS(func, bpf_kfunc_st_ops_inc10, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_kfunc_multi_st_ops_test_1, KF_TRUSTED_ARGS)
-BTF_ID_FLAGS(func, bpf_kfunc_multi_st_ops_test_1_impl, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_prologue, KF_SLEEPABLE)
+BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_epilogue, KF_SLEEPABLE)
+BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_pro_epilogue, KF_SLEEPABLE)
+BTF_ID_FLAGS(func, bpf_kfunc_st_ops_inc10)
+BTF_ID_FLAGS(func, bpf_kfunc_multi_st_ops_test_1)
+BTF_ID_FLAGS(func, bpf_kfunc_multi_st_ops_test_1_impl)
 BTF_KFUNCS_END(bpf_testmod_check_kfunc_ids)
 
 static int bpf_testmod_ops_init(struct btf *btf)
-- 
2.47.3

[PATCH bpf-next 4/7] selftests: bpf: Update kfunc_param_nullable test for new error message

[Puranjay Mohan]

With trusted args now being the default, the NULL pointer check runs
before type-specific validation. Update test3 to expect the new error
message "Possibly NULL pointer passed to trusted arg0" instead of the
old dynptr-specific error message.

Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
---
 tools/testing/selftests/bpf/progs/test_kfunc_param_nullable.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/testing/selftests/bpf/progs/test_kfunc_param_nullable.c b/tools/testing/selftests/bpf/progs/test_kfunc_param_nullable.c
index 0ad1bf1ede8d..967081bbcfe1 100644
--- a/tools/testing/selftests/bpf/progs/test_kfunc_param_nullable.c
+++ b/tools/testing/selftests/bpf/progs/test_kfunc_param_nullable.c
@@ -29,7 +29,7 @@ int kfunc_dynptr_nullable_test2(struct __sk_buff *skb)
 }
 
 SEC("tc")
-__failure __msg("expected pointer to stack or const struct bpf_dynptr")
+__failure __msg("Possibly NULL pointer passed to trusted arg0")
 int kfunc_dynptr_nullable_test3(struct __sk_buff *skb)
 {
 	struct bpf_dynptr data;
-- 
2.47.3

[PATCH bpf-next 5/7] selftests: bpf: Update failure message for rbtree_fail

[Puranjay Mohan]

The rbtree_api_use_unchecked_remove_retval() selftest passes a pointer
received from bpf_rbtree_remove() to bpf_rbtree_add() without checking
for NULL, this was earlier caught by __check_ptr_off_reg() in the
verifier. Now the verifier assumes every kfunc only takes trusted pointer
arguments, so it catches this NULL pointer earlier in the path and
provides a more accurate failure message.

Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
---
 tools/testing/selftests/bpf/progs/rbtree_fail.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/testing/selftests/bpf/progs/rbtree_fail.c b/tools/testing/selftests/bpf/progs/rbtree_fail.c
index 4acb6af2dfe3..70b7baf9304b 100644
--- a/tools/testing/selftests/bpf/progs/rbtree_fail.c
+++ b/tools/testing/selftests/bpf/progs/rbtree_fail.c
@@ -153,7 +153,7 @@ long rbtree_api_add_to_multiple_trees(void *ctx)
 }
 
 SEC("?tc")
-__failure __msg("dereference of modified ptr_or_null_ ptr R2 off=16 disallowed")
+__failure __msg("Possibly NULL pointer passed to trusted arg1")
 long rbtree_api_use_unchecked_remove_retval(void *ctx)
 {
 	struct bpf_rb_node *res;
-- 
2.47.3

[PATCH bpf-next 6/7] selftests: bpf: fix test_kfunc_dynptr_param

[Puranjay Mohan]

As verifier now assumes that all kfuncs only takes trusted pointer
arguments, passing 0 (NULL) to a kfunc that doesn't mark the argument as
__nullable or __opt will be rejected with a failure message of: Possibly
NULL pointer passed to trusted arg<n>

Pass a non-null value to the kfunc to test the expected failure mode.

Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
---
 tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c b/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
index 061befb004c2..11e57002ea43 100644
--- a/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
+++ b/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
@@ -48,7 +48,7 @@ SEC("?lsm.s/bpf")
 __failure __msg("arg#0 expected pointer to stack or const struct bpf_dynptr")
 int BPF_PROG(not_ptr_to_stack, int cmd, union bpf_attr *attr, unsigned int size, bool kernel)
 {
-	unsigned long val = 0;
+	unsigned long val = 1;
 
 	return bpf_verify_pkcs7_signature((struct bpf_dynptr *)val,
 					  (struct bpf_dynptr *)val, NULL);
-- 
2.47.3

[PATCH bpf-next 7/7] selftests: bpf: fix cgroup_hierarchical_stats

[Puranjay Mohan]

The cgroup_hierarchical_stats selftests uses an fentry program attached
to cgroup_attach_task and then passes the received &dst_cgrp->self to
the css_rstat_updated() kfunc. The verifier now assumes that all kfuncs
only takes trusted pointer arguments, and pointers received by fentry
are not marked trustes by default.

Use a tp_btf program in place for fentry for this test, pointers
received by tp_btf programs are marked trusted by the verifier.

Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
---
 .../testing/selftests/bpf/progs/cgroup_hierarchical_stats.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tools/testing/selftests/bpf/progs/cgroup_hierarchical_stats.c b/tools/testing/selftests/bpf/progs/cgroup_hierarchical_stats.c
index ff189a736ad8..8fc38592a87b 100644
--- a/tools/testing/selftests/bpf/progs/cgroup_hierarchical_stats.c
+++ b/tools/testing/selftests/bpf/progs/cgroup_hierarchical_stats.c
@@ -62,9 +62,9 @@ static int create_attach_counter(__u64 cg_id, __u64 state, __u64 pending)
 				   &init, BPF_NOEXIST);
 }
 
-SEC("fentry/cgroup_attach_task")
-int BPF_PROG(counter, struct cgroup *dst_cgrp, struct task_struct *leader,
-	     bool threadgroup)
+SEC("tp_btf/cgroup_attach_task")
+int BPF_PROG(counter, struct cgroup *dst_cgrp, const char *path,
+	     struct task_struct *task, bool threadgroup)
 {
 	__u64 cg_id = cgroup_id(dst_cgrp);
 	struct percpu_attach_counter *pcpu_counter = bpf_map_lookup_elem(
-- 
2.47.3

Re: [PATCH bpf-next 1/7] bpf: Make KF_TRUSTED_ARGS the default for all kfuncs

[Eduard Zingerman]

On Wed, 2025-12-24 at 11:24 -0800, Puranjay Mohan wrote:
> Change the verifier to make trusted args the default requirement for
> all kfuncs by removing is_kfunc_trusted_args() assuming it be to always
> return true.
>
> This works because:
> 1. Context pointers (xdp_md, __sk_buff, etc.) are handled through their
>    own KF_ARG_PTR_TO_CTX case label and bypass the trusted check
> 2. Struct_ops callback arguments are already marked as PTR_TRUSTED during
>    initialization and pass is_trusted_reg()
> 3. KF_RCU kfuncs are handled separately via is_kfunc_rcu() checks at
>    call sites (always checked with || alongside is_kfunc_trusted_args)
>
> This simple change makes all kfuncs require trusted args by default
> while maintaining correct behavior for all existing special cases.

While I like the idea behind this patch, I don't think this is 100%
backwards compatible change. Not unless you check definition of every
kfunc in the kernel and add appropriate __nullable annotations,
like you do for some in patch #2.

For example, consider the following kfunc from drivers/hid/bpf/hid_bpf_dispatch.c:

  __bpf_kfunc int
  hid_bpf_hw_request(struct hid_bpf_ctx *ctx, __u8 *buf, size_t buf__sz,
                     enum hid_report_type rtype, enum hid_class_request reqtype)
          ... __hid_bpf_hw_check_params(ctx, buf, &size, rtype); ...


  static int
  __hid_bpf_hw_check_params(struct hid_bpf_ctx *ctx, __u8 *buf, size_t *buf__sz,
                            enum hid_report_type rtype)
          ...
          if (... !buf)
                  return -EINVAL;

  BTF_ID_FLAGS(func, hid_bpf_hw_request, KF_SLEEPABLE)

Currently, it is possible to pass 'buf' parameter as NULL.
In this particular case it would lead to an error code returned from
the function, but is it the case for all kfuncs in the kernel?
For some kfuncs NULL parameter might be expected as a part of a
non-error scenario.
Also, there is a question about kfuncs declared in out of tree modules.

So, I think there are two questions to be answered:
- a review of all kfuncs in the kernel checking if there are
  sufficient __nullable annotations;
- are we ready to potentially break BPF programs working with kfuncs
  defined in out-of-tree modules?
  
Wdyt?

[...]

Re: [PATCH bpf-next 1/7] bpf: Make KF_TRUSTED_ARGS the default for all kfuncs

[Alexei Starovoitov]

On Tue, Dec 30, 2025 at 3:49 PM Eduard Zingerman <eddyz87@gmail.com> wrote:
>
> On Wed, 2025-12-24 at 11:24 -0800, Puranjay Mohan wrote:
> > Change the verifier to make trusted args the default requirement for
> > all kfuncs by removing is_kfunc_trusted_args() assuming it be to always
> > return true.
> >
> > This works because:
> > 1. Context pointers (xdp_md, __sk_buff, etc.) are handled through their
> >    own KF_ARG_PTR_TO_CTX case label and bypass the trusted check
> > 2. Struct_ops callback arguments are already marked as PTR_TRUSTED during
> >    initialization and pass is_trusted_reg()
> > 3. KF_RCU kfuncs are handled separately via is_kfunc_rcu() checks at
> >    call sites (always checked with || alongside is_kfunc_trusted_args)
> >
> > This simple change makes all kfuncs require trusted args by default
> > while maintaining correct behavior for all existing special cases.
>
> While I like the idea behind this patch, I don't think this is 100%
> backwards compatible change. Not unless you check definition of every
> kfunc in the kernel and add appropriate __nullable annotations,
> like you do for some in patch #2.
>
> For example, consider the following kfunc from drivers/hid/bpf/hid_bpf_dispatch.c:
>
>   __bpf_kfunc int
>   hid_bpf_hw_request(struct hid_bpf_ctx *ctx, __u8 *buf, size_t buf__sz,
>                      enum hid_report_type rtype, enum hid_class_request reqtype)
>           ... __hid_bpf_hw_check_params(ctx, buf, &size, rtype); ...
>
>
>   static int
>   __hid_bpf_hw_check_params(struct hid_bpf_ctx *ctx, __u8 *buf, size_t *buf__sz,
>                             enum hid_report_type rtype)
>           ...
>           if (... !buf)
>                   return -EINVAL;
>
>   BTF_ID_FLAGS(func, hid_bpf_hw_request, KF_SLEEPABLE)
>
> Currently, it is possible to pass 'buf' parameter as NULL.
> In this particular case it would lead to an error code returned from
> the function, but is it the case for all kfuncs in the kernel?
> For some kfuncs NULL parameter might be expected as a part of a
> non-error scenario.
> Also, there is a question about kfuncs declared in out of tree modules.
>
> So, I think there are two questions to be answered:
> - a review of all kfuncs in the kernel checking if there are
>   sufficient __nullable annotations;

right. that's necessary and HID was missed, because it has its own
selftests that are not part of bpf ci.
sched-ext kfuncs need to be reviewed as well.

> - are we ready to potentially break BPF programs working with kfuncs
>   defined in out-of-tree modules?

Absolutely. That's not even the question worth asking.

Re: [PATCH bpf-next 1/7] bpf: Make KF_TRUSTED_ARGS the default for all kfuncs

[Puranjay Mohan]

On Tue, Dec 30, 2025 at 11:49 PM Eduard Zingerman <eddyz87@gmail.com> wrote:
>
> On Wed, 2025-12-24 at 11:24 -0800, Puranjay Mohan wrote:
> > Change the verifier to make trusted args the default requirement for
> > all kfuncs by removing is_kfunc_trusted_args() assuming it be to always
> > return true.
> >
> > This works because:
> > 1. Context pointers (xdp_md, __sk_buff, etc.) are handled through their
> >    own KF_ARG_PTR_TO_CTX case label and bypass the trusted check
> > 2. Struct_ops callback arguments are already marked as PTR_TRUSTED during
> >    initialization and pass is_trusted_reg()
> > 3. KF_RCU kfuncs are handled separately via is_kfunc_rcu() checks at
> >    call sites (always checked with || alongside is_kfunc_trusted_args)
> >
> > This simple change makes all kfuncs require trusted args by default
> > while maintaining correct behavior for all existing special cases.
>
> While I like the idea behind this patch, I don't think this is 100%
> backwards compatible change. Not unless you check definition of every
> kfunc in the kernel and add appropriate __nullable annotations,
> like you do for some in patch #2.

Yes, I tried to add __nullable to places where I could find using
breaking selftests,
and if a kfunc expects some parameter to be NULL then we will have to
add it to every place.

>
> For example, consider the following kfunc from drivers/hid/bpf/hid_bpf_dispatch.c:
>
>   __bpf_kfunc int
>   hid_bpf_hw_request(struct hid_bpf_ctx *ctx, __u8 *buf, size_t buf__sz,
>                      enum hid_report_type rtype, enum hid_class_request reqtype)
>           ... __hid_bpf_hw_check_params(ctx, buf, &size, rtype); ...
>
>
>   static int
>   __hid_bpf_hw_check_params(struct hid_bpf_ctx *ctx, __u8 *buf, size_t *buf__sz,
>                             enum hid_report_type rtype)
>           ...
>           if (... !buf)
>                   return -EINVAL;
>
>   BTF_ID_FLAGS(func, hid_bpf_hw_request, KF_SLEEPABLE)
>
> Currently, it is possible to pass 'buf' parameter as NULL.
> In this particular case it would lead to an error code returned from
> the function, but is it the case for all kfuncs in the kernel?
> For some kfuncs NULL parameter might be expected as a part of a
> non-error scenario.

Yes, if the kfunc expects a parameter to be NULL for both error and
valid cases, it should mark the parameter as __nullable and then the
kfunc needs to take care of handling the NULL value, and the verifier
will allow it.

> Also, there is a question about kfuncs declared in out of tree modules.
>
> So, I think there are two questions to be answered:
> - a review of all kfuncs in the kernel checking if there are
>   sufficient __nullable annotations;
> - are we ready to potentially break BPF programs working with kfuncs
>   defined in out-of-tree modules?
>
> Wdyt?


As Alexei said, the out-of-tree modules are not relevant to the
upstream kernel. I wish to do a full review of all kfuncs and make
sure either they are tagged with correct __nullable, __opt annotation
or fixed to make sure they are doing the right thing. But currently I
just made sure all selftests pass, some of the kfuncs might not have
self tests and would need manual analysis and I will have to do that.

Some kfuncs will have breaking changes, I am not sure how to work
around that case, for example css_rstat_updated() could be
successfully called from fentry programs like the selftest fixed in
Patch 7, it worked because css_rstat_updated() doesn't mark the
parameters with KF_TRUSTED_ARGS, but now KF_TRUSTED_ARGS is the
default so this kfunc can't be called from fentry programs as fentry's
parameters are not marked as trusted.


Looking at the code of css_rstat_updated() it seems that it assumes
the parameters to be trusted and therefore not allowing it to be
called from fentry would be the right thing to do, but it could break
perfectly working BPF programs.

Re: [PATCH bpf-next 1/7] bpf: Make KF_TRUSTED_ARGS the default for all kfuncs

[Eduard Zingerman]

On Wed, 2025-12-31 at 00:08 +0000, Puranjay Mohan wrote:

[...]

> I wish to do a full review of all kfuncs and make
> sure either they are tagged with correct __nullable, __opt annotation
> or fixed to make sure they are doing the right thing. But currently I
> just made sure all selftests pass, some of the kfuncs might not have
> self tests and would need manual analysis and I will have to do that.

Ack, sounds like a plan.

> Some kfuncs will have breaking changes, I am not sure how to work
> around that case, for example css_rstat_updated() could be
> successfully called from fentry programs like the selftest fixed in
> Patch 7, it worked because css_rstat_updated() doesn't mark the
> parameters with KF_TRUSTED_ARGS, but now KF_TRUSTED_ARGS is the
> default so this kfunc can't be called from fentry programs as fentry's
> parameters are not marked as trusted.
> 
> 
> Looking at the code of css_rstat_updated() it seems that it assumes
> the parameters to be trusted and therefore not allowing it to be
> called from fentry would be the right thing to do,
> but it could break perfectly working BPF programs.

Indeed, it expects 'css' to be not NULL as it dereferences the
pointer immediately.

Re: [PATCH bpf-next 6/7] selftests: bpf: fix test_kfunc_dynptr_param

[Alexei Starovoitov]

On Wed, Dec 24, 2025 at 11:25 AM Puranjay Mohan <puranjay@kernel.org> wrote:
>
> As verifier now assumes that all kfuncs only takes trusted pointer
> arguments, passing 0 (NULL) to a kfunc that doesn't mark the argument as
> __nullable or __opt will be rejected with a failure message of: Possibly
> NULL pointer passed to trusted arg<n>
>
> Pass a non-null value to the kfunc to test the expected failure mode.
>
> Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
> ---
>  tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c b/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
> index 061befb004c2..11e57002ea43 100644
> --- a/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
> +++ b/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
> @@ -48,7 +48,7 @@ SEC("?lsm.s/bpf")
>  __failure __msg("arg#0 expected pointer to stack or const struct bpf_dynptr")
>  int BPF_PROG(not_ptr_to_stack, int cmd, union bpf_attr *attr, unsigned int size, bool kernel)
>  {
> -       unsigned long val = 0;
> +       unsigned long val = 1;

1 as a pointer looks odd here.
Let's not introduce an oddity here that people will be tempted to copy paste.
Make it a real pointer that is not ptr_to_stack and not CONST_PTR_TO_DYNPTR.
static struct bpf_dynptr val;
may do ?

>         return bpf_verify_pkcs7_signature((struct bpf_dynptr *)val,
>                                           (struct bpf_dynptr *)val, NULL);
> --
> 2.47.3
>

Re: [PATCH bpf-next 1/7] bpf: Make KF_TRUSTED_ARGS the default for all kfuncs

[Puranjay Mohan]

On Wed, Dec 31, 2025 at 12:29 AM Eduard Zingerman <eddyz87@gmail.com> wrote:
>
> On Wed, 2025-12-31 at 00:08 +0000, Puranjay Mohan wrote:
>
> [...]
>
> > I wish to do a full review of all kfuncs and make
> > sure either they are tagged with correct __nullable, __opt annotation
> > or fixed to make sure they are doing the right thing. But currently I
> > just made sure all selftests pass, some of the kfuncs might not have
> > self tests and would need manual analysis and I will have to do that.
>
> Ack, sounds like a plan.
>
> > Some kfuncs will have breaking changes, I am not sure how to work
> > around that case, for example css_rstat_updated() could be
> > successfully called from fentry programs like the selftest fixed in
> > Patch 7, it worked because css_rstat_updated() doesn't mark the
> > parameters with KF_TRUSTED_ARGS, but now KF_TRUSTED_ARGS is the
> > default so this kfunc can't be called from fentry programs as fentry's
> > parameters are not marked as trusted.
> >
> >
> > Looking at the code of css_rstat_updated() it seems that it assumes
> > the parameters to be trusted and therefore not allowing it to be
> > called from fentry would be the right thing to do,
> > but it could break perfectly working BPF programs.
>
> Indeed, it expects 'css' to be not NULL as it dereferences the
> pointer immediately.

So what do you think is the right way to move forward? it will break
some programs but for their good. I think correctness and security
outweigh backwards compatibility.

Re: [PATCH bpf-next 1/7] bpf: Make KF_TRUSTED_ARGS the default for all kfuncs

[Alexei Starovoitov]

On Wed, Dec 31, 2025 at 4:35 AM Puranjay Mohan <puranjay@kernel.org> wrote:
>
> On Wed, Dec 31, 2025 at 12:29 AM Eduard Zingerman <eddyz87@gmail.com> wrote:
> >
> > On Wed, 2025-12-31 at 00:08 +0000, Puranjay Mohan wrote:
> >
> > [...]
> >
> > > I wish to do a full review of all kfuncs and make
> > > sure either they are tagged with correct __nullable, __opt annotation
> > > or fixed to make sure they are doing the right thing. But currently I
> > > just made sure all selftests pass, some of the kfuncs might not have
> > > self tests and would need manual analysis and I will have to do that.
> >
> > Ack, sounds like a plan.
> >
> > > Some kfuncs will have breaking changes, I am not sure how to work
> > > around that case, for example css_rstat_updated() could be
> > > successfully called from fentry programs like the selftest fixed in
> > > Patch 7, it worked because css_rstat_updated() doesn't mark the
> > > parameters with KF_TRUSTED_ARGS, but now KF_TRUSTED_ARGS is the
> > > default so this kfunc can't be called from fentry programs as fentry's
> > > parameters are not marked as trusted.
> > >
> > >
> > > Looking at the code of css_rstat_updated() it seems that it assumes
> > > the parameters to be trusted and therefore not allowing it to be
> > > called from fentry would be the right thing to do,
> > > but it could break perfectly working BPF programs.
> >
> > Indeed, it expects 'css' to be not NULL as it dereferences the
> > pointer immediately.
>
> So what do you think is the right way to move forward? it will break
> some programs but for their good. I think correctness and security
> outweigh backwards compatibility.

Fix HID kfuncs, and sched-ext (if needed) and respin.
We're definitely removing KF_TRUSTED_ARGS. That was the plan all along.