[PATCH bpf 0/2] bpf: Mark bpf_get_kmem_cache() as nullable

[PATCH bpf 0/2] bpf: Mark bpf_get_kmem_cache() as nullable

[Nuoqi Gui]

bpf_get_kmem_cache() can return NULL when the supplied address is not a
valid kernel address or when no slab is found for it. Its kfunc
registration does not currently advertise that to the verifier.

Add KF_RET_NULL to the registration and add verifier coverage for the direct
field-read case. The selftest rejects a read of s->size after
bpf_get_kmem_cache(0) without a null check, while the null-checked variant
remains accepted.

The issue dates back to a992d7a397912 ("mm/bpf: Add bpf_get_kmem_cache()
kfunc").

Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
Nuoqi Gui (2):
      bpf: Mark bpf_get_kmem_cache() as nullable
      selftests/bpf: Cover bpf_get_kmem_cache() null return

 kernel/bpf/helpers.c                               |  2 +-
 .../bpf/progs/verifier_kfunc_prog_types.c          | 29 ++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)
---
base-commit: 76f62d237538b456354a44e796a541cde03c6e28
change-id: 20260617-f01-16-kmem-cache-ret-null-53a9f52fd835

Best regards,
--  
Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>

[PATCH bpf 1/2] bpf: Mark bpf_get_kmem_cache() as nullable

[Nuoqi Gui]

bpf_get_kmem_cache() returns NULL when virt_addr_valid() rejects the
address or when virt_to_slab() does not find a slab. The verifier uses
KF_RET_NULL to add PTR_MAYBE_NULL to kfunc return registers, but the
registration currently lacks that flag.

Add KF_RET_NULL so callers have to prove that the returned kmem_cache
pointer is non-NULL before dereferencing fields.

Fixes: a992d7a397912 ("mm/bpf: Add bpf_get_kmem_cache() kfunc")
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
 kernel/bpf/helpers.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index b5314c9fed3cf..57a6ab72ae3cc 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -4817,7 +4817,7 @@ BTF_ID_FLAGS(func, bpf_iter_bits_next, KF_ITER_NEXT | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_iter_bits_destroy, KF_ITER_DESTROY)
 BTF_ID_FLAGS(func, bpf_copy_from_user_str, KF_SLEEPABLE)
 BTF_ID_FLAGS(func, bpf_copy_from_user_task_str, KF_SLEEPABLE)
-BTF_ID_FLAGS(func, bpf_get_kmem_cache)
+BTF_ID_FLAGS(func, bpf_get_kmem_cache, KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_iter_kmem_cache_new, KF_ITER_NEW | KF_SLEEPABLE)
 BTF_ID_FLAGS(func, bpf_iter_kmem_cache_next, KF_ITER_NEXT | KF_RET_NULL | KF_SLEEPABLE)
 BTF_ID_FLAGS(func, bpf_iter_kmem_cache_destroy, KF_ITER_DESTROY | KF_SLEEPABLE)

-- 
2.34.1

[PATCH bpf 2/2] selftests/bpf: Cover bpf_get_kmem_cache() null return

[Nuoqi Gui]

Add verifier coverage for bpf_get_kmem_cache(0). A direct read from the
returned kmem_cache pointer must reject because the kfunc can return NULL,
while the same read after an explicit null check remains accepted.

Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
 .../bpf/progs/verifier_kfunc_prog_types.c          | 29 ++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/verifier_kfunc_prog_types.c b/tools/testing/selftests/bpf/progs/verifier_kfunc_prog_types.c
index 1fce7a7e8d030..a062f3b7bc756 100644
--- a/tools/testing/selftests/bpf/progs/verifier_kfunc_prog_types.c
+++ b/tools/testing/selftests/bpf/progs/verifier_kfunc_prog_types.c
@@ -168,3 +168,32 @@ int BPF_PROG(cpumask_kfunc_perf_event)
 	cpumask_kfunc_load_test();
 	return 0;
 }
+
+/*********************
+ * kmem_cache kfunc *
+ *********************/
+
+extern struct kmem_cache *bpf_get_kmem_cache(u64 addr) __ksym;
+
+SEC("raw_tp")
+__failure __msg("R0 invalid mem access 'untrusted_ptr_or_null_'")
+int bpf_get_kmem_cache_no_null_check(void *ctx)
+{
+	struct kmem_cache *s;
+
+	s = bpf_get_kmem_cache(0);
+	return s->size;
+}
+
+SEC("raw_tp")
+__success
+int bpf_get_kmem_cache_null_check(void *ctx)
+{
+	struct kmem_cache *s;
+
+	s = bpf_get_kmem_cache(0);
+	if (!s)
+		return 0;
+
+	return s->size;
+}

-- 
2.34.1

Re: [PATCH bpf 1/2] bpf: Mark bpf_get_kmem_cache() as nullable

[Alexei Starovoitov]

On Sat Jun 20, 2026 at 8:47 AM PDT, Nuoqi Gui wrote:
> bpf_get_kmem_cache() returns NULL when virt_addr_valid() rejects the
> address or when virt_to_slab() does not find a slab. The verifier uses
> KF_RET_NULL to add PTR_MAYBE_NULL to kfunc return registers, but the
> registration currently lacks that flag.
>
> Add KF_RET_NULL so callers have to prove that the returned kmem_cache
> pointer is non-NULL before dereferencing fields.
>
> Fixes: a992d7a397912 ("mm/bpf: Add bpf_get_kmem_cache() kfunc")
> Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
> ---
>  kernel/bpf/helpers.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index b5314c9fed3cf..57a6ab72ae3cc 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -4817,7 +4817,7 @@ BTF_ID_FLAGS(func, bpf_iter_bits_next, KF_ITER_NEXT | KF_RET_NULL)
>  BTF_ID_FLAGS(func, bpf_iter_bits_destroy, KF_ITER_DESTROY)
>  BTF_ID_FLAGS(func, bpf_copy_from_user_str, KF_SLEEPABLE)
>  BTF_ID_FLAGS(func, bpf_copy_from_user_task_str, KF_SLEEPABLE)
> -BTF_ID_FLAGS(func, bpf_get_kmem_cache)
> +BTF_ID_FLAGS(func, bpf_get_kmem_cache, KF_RET_NULL)

This is wrong. Nothing to fix.
It works as designed.
Instead of sending broken patches do your home work.
You're saying commit a992d7a397912 is buggy. Read its commit log, selftest
and the email thread and see why this patch is wrong.

Such poor quality patches undermine your other legitimate fixes.
You have to step up in quality.

pw-bot: cr