Re: [PATCH bpf-next v2 1/9] bpf: Make KF_TRUSTED_ARGS the default for all kfuncs

[Eduard Zingerman <eddyz87@gmail.com>]

On Wed, 2025-12-31 at 09:08 -0800, Puranjay Mohan wrote:
> Change the verifier to make trusted args the default requirement for
> all kfuncs by removing is_kfunc_trusted_args() assuming it be to always
> return true.
>
> This works because:
> 1. Context pointers (xdp_md, __sk_buff, etc.) are handled through their
>    own KF_ARG_PTR_TO_CTX case label and bypass the trusted check
> 2. Struct_ops callback arguments are already marked as PTR_TRUSTED during
>    initialization and pass is_trusted_reg()
> 3. KF_RCU kfuncs are handled separately via is_kfunc_rcu() checks at
>    call sites (always checked with || alongside is_kfunc_trusted_args)
>
> This simple change makes all kfuncs require trusted args by default
> while maintaining correct behavior for all existing special cases.
>
> Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
> ---

Acked-by: Eduard Zingerman <eddyz87@gmail.com>

Nit: I found two more textual appearances for KF_TRUSTED_ARGS:

  File: fs/bpf_fs_kfuncs.c
  71:65: * used in place of bpf_d_path() whenever possible. It enforces KF_TRUSTED_ARGS
  379:47:/* bpf_[set|remove]_dentry_xattr.* hooks have KF_TRUSTED_ARGS and

  File: include/linux/bpf.h
  756:15:  * passed to KF_TRUSTED_ARGS kfuncs or BPF helper functions.

  File: kernel/bpf/verifier.c
  12622:39:        * enforce strict matching for plain KF_TRUSTED_ARGS kfuncs by default,

  File: tools/testing/selftests/bpf/progs/cpumask_failure.c
  113:21:  /* NULL passed to KF_TRUSTED_ARGS kfunc. */

>  Documentation/bpf/kfuncs.rst | 35 +++++++++++++++++------------------
>  kernel/bpf/verifier.c        | 14 +++-----------
>  2 files changed, 20 insertions(+), 29 deletions(-)
>
> diff --git a/Documentation/bpf/kfuncs.rst b/Documentation/bpf/kfuncs.rst
> index e38941370b90..22b5a970078c 100644
> --- a/Documentation/bpf/kfuncs.rst
> +++ b/Documentation/bpf/kfuncs.rst
> @@ -241,25 +241,23 @@ both are orthogonal to each other.
>  The KF_RELEASE flag is used to indicate that the kfunc releases the pointer
>  passed in to it. There can be only one referenced pointer that can be passed
>  in. All copies of the pointer being released are invalidated as a result of
> -invoking kfunc with this flag. KF_RELEASE kfuncs automatically receive the
> -protection afforded by the KF_TRUSTED_ARGS flag described below.
> +invoking kfunc with this flag.
>
> -2.4.4 KF_TRUSTED_ARGS flag
> ---------------------------
> +2.4.4 KF_TRUSTED_ARGS (default behavior)
> +-----------------------------------------

Nit:
I think section should be renamed to 'kfunc parameters' and moved to a
separate section before '2.2 Annotating kfunc parameters'.
Sorry, should have commented about this yesterday.

[...]