From: "Emil Tsalapatis" <emil@etsalapatis.com>
To: "Puranjay Mohan" <puranjay@kernel.org>, <bpf@vger.kernel.org>
Cc: "Puranjay Mohan" <puranjay12@gmail.com>,
"Alexei Starovoitov" <ast@kernel.org>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Martin KaFai Lau" <martin.lau@kernel.org>,
"Eduard Zingerman" <eddyz87@gmail.com>,
"Kumar Kartikeya Dwivedi" <memxor@gmail.com>,
<kernel-team@meta.com>
Subject: Re: [PATCH bpf-next v2 1/9] bpf: Make KF_TRUSTED_ARGS the default for all kfuncs
Date: Thu, 01 Jan 2026 19:15:03 -0500
Message-ID: <DFDO4ZDORNS8.31JCAC7DL945M@etsalapatis.com>
In-Reply-To: <20251231171118.1174007-2-puranjay@kernel.org>
On Wed Dec 31, 2025 at 12:08 PM EST, Puranjay Mohan wrote:
> Change the verifier to make trusted args the default requirement for
> all kfuncs by removing is_kfunc_trusted_args() assuming it to always
> return true.
>
> This works because:
> 1. Context pointers (xdp_md, __sk_buff, etc.) are handled through their
> own KF_ARG_PTR_TO_CTX case label and bypass the trusted check
> 2. Struct_ops callback arguments are already marked as PTR_TRUSTED during
> initialization and pass is_trusted_reg()
> 3. KF_RCU kfuncs are handled separately via is_kfunc_rcu() checks at
> call sites (always checked with || alongside is_kfunc_trusted_args)
>
> This simple change makes all kfuncs require trusted args by default
> while maintaining correct behavior for all existing special cases.
>
> Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
For sched-ext in particular, the patchset works fine (as expected).
> ---
> Documentation/bpf/kfuncs.rst | 35 +++++++++++++++++------------------
> kernel/bpf/verifier.c | 14 +++-----------
> 2 files changed, 20 insertions(+), 29 deletions(-)
>
> diff --git a/Documentation/bpf/kfuncs.rst b/Documentation/bpf/kfuncs.rst
> index e38941370b90..22b5a970078c 100644
> --- a/Documentation/bpf/kfuncs.rst
> +++ b/Documentation/bpf/kfuncs.rst
> @@ -241,25 +241,23 @@ both are orthogonal to each other.
> The KF_RELEASE flag is used to indicate that the kfunc releases the pointer
> passed in to it. There can be only one referenced pointer that can be passed
> in. All copies of the pointer being released are invalidated as a result of
> -invoking kfunc with this flag. KF_RELEASE kfuncs automatically receive the
> -protection afforded by the KF_TRUSTED_ARGS flag described below.
> +invoking kfunc with this flag.
>
> -2.4.4 KF_TRUSTED_ARGS flag
> ---------------------------
> +2.4.4 KF_TRUSTED_ARGS (default behavior)
> +-----------------------------------------
>
> -The KF_TRUSTED_ARGS flag is used for kfuncs taking pointer arguments. It
> -indicates that the all pointer arguments are valid, and that all pointers to
> -BTF objects have been passed in their unmodified form (that is, at a zero
> -offset, and without having been obtained from walking another pointer, with one
> -exception described below).
> +All kfuncs now require trusted arguments by default. This means that all
> +pointer arguments must be valid, and all pointers to BTF objects must be
> +passed in their unmodified form (at a zero offset, and without having been
> +obtained from walking another pointer, with exceptions described below).
>
> -There are two types of pointers to kernel objects which are considered "valid":
> +There are two types of pointers to kernel objects which are considered "trusted":
>
> 1. Pointers which are passed as tracepoint or struct_ops callback arguments.
> 2. Pointers which were returned from a KF_ACQUIRE kfunc.
>
> Pointers to non-BTF objects (e.g. scalar pointers) may also be passed to
> -KF_TRUSTED_ARGS kfuncs, and may have a non-zero offset.
> +kfuncs, and may have a non-zero offset.
>
> The definition of "valid" pointers is subject to change at any time, and has
> absolutely no ABI stability guarantees.
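Review bot: Section 2.4.4 now introduces the two pointer kinds as "trusted", but the unchanged closing paragraph still reads 'The definition of "valid" pointers is subject to change at any time', and the new opening paragraph still says pointer arguments "must be valid". Pick one term, or define "valid" in terms of "trusted", so it is clear which definition carries no ABI stability guarantee. Separately, "All kfuncs now require" dates the text; "All kfuncs require trusted arguments by default" stays correct once the transition is history.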
> @@ -327,13 +325,14 @@ added later.
> 2.4.7 KF_RCU flag
> -----------------
>
> -The KF_RCU flag is a weaker version of KF_TRUSTED_ARGS. The kfuncs marked with
> -KF_RCU expect either PTR_TRUSTED or MEM_RCU arguments. The verifier guarantees
> -that the objects are valid and there is no use-after-free. The pointers are not
> -NULL, but the object's refcount could have reached zero. The kfuncs need to
> -consider doing refcnt != 0 check, especially when returning a KF_ACQUIRE
> -pointer. Note as well that a KF_ACQUIRE kfunc that is KF_RCU should very likely
> -also be KF_RET_NULL.
> +The KF_RCU flag allows kfuncs to opt out of the default trusted args
> +requirement and accept RCU pointers with weaker guarantees. The kfuncs marked
> +with KF_RCU expect either PTR_TRUSTED or MEM_RCU arguments. The verifier
> +guarantees that the objects are valid and there is no use-after-free. The
> +pointers are not NULL, but the object's refcount could have reached zero. The
> +kfuncs need to consider doing refcnt != 0 check, especially when returning a
> +KF_ACQUIRE pointer. Note as well that a KF_ACQUIRE kfunc that is KF_RCU should
> +very likely also be KF_RET_NULL.
>
> 2.4.8 KF_RCU_PROTECTED flag
> ---------------------------
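Review bot: "opt out of the default trusted args requirement" in the new KF_RCU paragraph overstates what the flag does. The next sentence says these kfuncs still expect PTR_TRUSTED or MEM_RCU arguments, and the NULL check in check_kfunc_args() no longer consults is_kfunc_rcu() at all, so KF_RCU widens the accepted pointer types rather than switching the checks off. Wording such as "relaxes the default requirement to also accept MEM_RCU pointers" would match the code.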
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 0baae7828af2..a31eace4a67c 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -12040,11 +12040,6 @@ static bool is_kfunc_release(struct bpf_kfunc_call_arg_meta *meta)
> return meta->kfunc_flags & KF_RELEASE;
> }
>
> -static bool is_kfunc_trusted_args(struct bpf_kfunc_call_arg_meta *meta)
> -{
> - return (meta->kfunc_flags & KF_TRUSTED_ARGS) || is_kfunc_release(meta);
> -}
> -
> static bool is_kfunc_sleepable(struct bpf_kfunc_call_arg_meta *meta)
> {
> return meta->kfunc_flags & KF_SLEEPABLE;
> @@ -13253,9 +13248,9 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
> return -EINVAL;
> }
>
> - if ((is_kfunc_trusted_args(meta) || is_kfunc_rcu(meta)) &&
> - (register_is_null(reg) || type_may_be_null(reg->type)) &&
> - !is_kfunc_arg_nullable(meta->btf, &args[i])) {
> + if ((register_is_null(reg) || type_may_be_null(reg->type)) &&
> + !is_kfunc_arg_nullable(meta->btf, &args[i]) &&
> + !is_kfunc_arg_optional(meta->btf, &args[i])) {
> verbose(env, "Possibly NULL pointer passed to trusted arg%d\n", i);
> return -EACCES;
> }
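Review bot: The added !is_kfunc_arg_optional(meta->btf, &args[i]) term in the NULL check is not covered by the commit message, which describes the change as removing is_kfunc_trusted_args() on the assumption that it always returns true. Please explain in the log why optional arguments need an exemption once the check applies to every kfunc, and whether the kfuncs.rst hunk should mention it. The verbose() text also still says "trusted arg%d" for what is now the default path for all kfuncs.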
> @@ -13320,9 +13315,6 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
> fallthrough;
> case KF_ARG_PTR_TO_ALLOC_BTF_ID:
> case KF_ARG_PTR_TO_BTF_ID:
> - if (!is_kfunc_trusted_args(meta) && !is_kfunc_rcu(meta))
> - break;
> -
> if (!is_trusted_reg(reg)) {
> if (!is_kfunc_rcu(meta)) {
> verbose(env, "R%d must be referenced or trusted\n", regno);
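Review bot: Dropping the early break under KF_ARG_PTR_TO_ALLOC_BTF_ID / KF_ARG_PTR_TO_BTF_ID is the one place where assuming is_kfunc_trusted_args() returns true changes behaviour: a kfunc carrying none of KF_TRUSTED_ARGS, KF_RELEASE or KF_RCU used to skip is_trusted_reg() here and now fails with "R%d must be referenced or trusted". The three cases listed in the commit message do not cover such kfuncs. Please state in the log that rejecting previously accepted programs is intended, and name the later patches in the series that adjust the affected kfuncs and selftests.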