From: Yiyang Chen <chenyy23@mails.tsinghua.edu.cn>
To: bpf@vger.kernel.org
Cc: Yiyang Chen <chenyy23@mails.tsinghua.edu.cn>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Eduard Zingerman <eddyz87@gmail.com>,
Kumar Kartikeya Dwivedi <memxor@gmail.com>,
Martin KaFai Lau <martin.lau@linux.dev>,
Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
Jiri Olsa <jolsa@kernel.org>,
Emil Tsalapatis <emil@etsalapatis.com>,
John Fastabend <john.fastabend@gmail.com>,
Shuah Khan <shuah@kernel.org>,
linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH bpf v4 0/2] bpf: Fix packet pointer invalidation for skb dynptr writes
Date: Mon, 15 Jun 2026 15:15:47 +0000 [thread overview]
Message-ID: <cover.1781535194.git.chenyy23@mails.tsinghua.edu.cn> (raw)
In-Reply-To: <cover.1781531784.git.chenyy23@mails.tsinghua.edu.cn>
skb-backed dynptr writers may mutate packet data and therefore must
invalidate checked direct packet pointers. The normal verifier path had
coverage for bpf_dynptr_write() with concrete skb dynptrs, but missed
unspecialized global subprogram dynptr arguments. skb dynptr writer
kfuncs also did not participate in packet pointer invalidation.
Fix both paths by adding conservative static CFG predicates for
bpf_dynptr_write() and skb dynptr writer kfuncs, while keeping the normal
verifier invalidation tied to the checked dynptr argument. Extend
dynptr_fail coverage for helper and kfunc writes, including global
subprogram caller-side and callee-side cases.
Validation, rebased and tested on bpf.git master 8cd9520d35a6
("Linux 7.1"):
git diff --check HEAD~2..HEAD: OK
scripts/checkpatch.pl --strict --no-tree: OK
make O=/tmp/patch008-v4-bpf-build olddefconfig: OK
make O=/tmp/patch008-v4-bpf-build -j$(nproc) \
kernel/bpf/verifier.o kernel/bpf/cfg.o: OK
clang --target=bpfel ... dynptr_fail.c: OK
make O=/tmp/patch008-v4-bpf-build -j$(nproc) bzImage: OK
QEMU replay on 7.1.0-g5a2ca20101d9: PATCH008_SUMMARY failures=0 total=8
Changes in v4:
- Rebase from bpf-next to current bpf.git master 8cd9520d35a6 to resolve
CI conflict.
- Address the helper-side global subprogram case for bpf_dynptr_write().
- Keep bpf_helper_changes_pkt_data() precise and add a separate static
bpf_helper_may_change_pkt_data() predicate for CFG summaries.
- Keep kfunc CFG summaries conservative while preserving checked-argument
precision in the normal verifier path.
- Extend selftests and QEMU replay coverage with bpf_dynptr_write()
global-subprogram cases.
- Link to v3: https://patch.msgid.link/cover.1781531784.git.chenyy23@mails.tsinghua.edu.cn
Yiyang Chen (2):
bpf: Fix packet pointer invalidation for skb dynptr writes
selftests/bpf: Add skb dynptr writer packet invalidation tests
include/linux/bpf_verifier.h | 3 +
include/linux/filter.h | 5 +
kernel/bpf/cfg.c | 4 +-
kernel/bpf/verifier.c | 88 ++++++++-
.../testing/selftests/bpf/progs/dynptr_fail.c | 183 ++++++++++++++++++
5 files changed, 278 insertions(+), 5 deletions(-)
base-commit: 8cd9520d35a6c38db6567e97dd93b1f11f185dc6
--
2.34.1
next prev parent reply other threads:[~2026-06-15 15:16 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-15 12:28 [PATCH bpf v2 0/2] bpf: Fix packet pointer invalidation for skb dynptr writes Yiyang Chen
2026-06-15 12:28 ` [PATCH bpf v2 1/2] " Yiyang Chen
2026-06-15 12:53 ` sashiko-bot
2026-06-15 12:28 ` [PATCH bpf v2 2/2] selftests/bpf: Add skb dynptr writer packet invalidation tests Yiyang Chen
2026-06-15 14:14 ` [PATCH bpf v3 0/2] bpf: Fix packet pointer invalidation for skb dynptr writes Yiyang Chen
2026-06-15 14:14 ` [PATCH bpf v3 1/2] " Yiyang Chen
2026-06-15 14:35 ` sashiko-bot
2026-06-15 15:52 ` Alexei Starovoitov
2026-06-15 16:46 ` Yiyang Chen
2026-06-15 17:30 ` Alexei Starovoitov
2026-06-15 17:59 ` Yiyang Chen
2026-06-15 14:14 ` [PATCH bpf v3 2/2] selftests/bpf: Add skb dynptr writer packet invalidation tests Yiyang Chen
2026-06-15 15:15 ` Yiyang Chen [this message]
2026-06-15 15:15 ` [PATCH bpf v4 1/2] bpf: Fix packet pointer invalidation for skb dynptr writes Yiyang Chen
2026-06-15 15:39 ` sashiko-bot
2026-06-15 15:15 ` [PATCH bpf v4 2/2] selftests/bpf: Add skb dynptr writer packet invalidation tests Yiyang Chen
2026-06-15 16:26 ` bot+bpf-ci
2026-06-15 17:49 ` [PATCH bpf v5 0/2] bpf: Fix packet pointer invalidation for skb dynptr writes Yiyang Chen
2026-06-15 17:49 ` [PATCH bpf v5 1/2] " Yiyang Chen
2026-06-15 17:52 ` Alexei Starovoitov
2026-06-15 22:10 ` sashiko-bot
2026-06-15 17:49 ` [PATCH bpf v5 2/2] selftests/bpf: Add skb dynptr writer packet invalidation tests Yiyang Chen
2026-06-15 18:39 ` bot+bpf-ci
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1781535194.git.chenyy23@mails.tsinghua.edu.cn \
--to=chenyy23@mails.tsinghua.edu.cn \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=emil@etsalapatis.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=memxor@gmail.com \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox