From: Amery Hung <ameryhung@gmail.com>
To: bpf@vger.kernel.org
Cc: netdev@vger.kernel.org, alexei.starovoitov@gmail.com,
andrii@kernel.org, daniel@iogearbox.net, eddyz87@gmail.com,
memxor@gmail.com, martin.lau@kernel.org,
mykyta.yatsenko5@gmail.com, ameryhung@gmail.com,
kernel-team@meta.com
Subject: [PATCH bpf-next v5 10/14] bpf: Fix dynptr ref counting to scan all call frames
Date: Tue, 19 May 2026 11:13:08 -0700 [thread overview]
Message-ID: <20260519181314.2731658-11-ameryhung@gmail.com> (raw)
In-Reply-To: <20260519181314.2731658-1-ameryhung@gmail.com>
When checking whether a referenced dynptr can be overwritten,
destroy_if_dynptr_stack_slot only counted sibling dynptrs in the
current call frame. If a clone sharing the same virtual ref parent
existed in a different frame (e.g., passed to a subprog), it would
not be counted, causing the verifier to incorrectly reject the
overwrite with "cannot overwrite referenced dynptr".
Fix by extracting the counting into dynptr_ref_cnt() which uses
bpf_for_each_reg_in_vstate_mask() to scan dynptr stack slots across
all call frames.
Fixes: 017f5c4ef73c ("bpf: Allow overwriting referenced dynptr when refcnt > 1")
Reported-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Amery Hung <ameryhung@gmail.com>
---
kernel/bpf/verifier.c | 52 +++++++++++--------
.../selftests/bpf/progs/wakeup_source_fail.c | 2 +-
2 files changed, 30 insertions(+), 24 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index b7984c42ca14..97eb8033d732 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -786,10 +786,29 @@ static void mark_reg_invalid(const struct bpf_verifier_env *env, struct bpf_reg_
__mark_reg_unknown(env, reg);
}
+static int dynptr_ref_cnt(struct bpf_verifier_env *env, int v_parent_id)
+{
+ struct bpf_stack_state *stack;
+ struct bpf_func_state *state;
+ struct bpf_reg_state *reg;
+ int ref_cnt = 0;
+
+ bpf_for_each_reg_in_vstate_mask(env->cur_state, state, reg, stack, 1 << STACK_DYNPTR, ({
+ if (!stack || stack->slot_type[0] != STACK_DYNPTR)
+ continue;
+ if (!stack->spilled_ptr.dynptr.first_slot)
+ continue;
+ if (stack->spilled_ptr.parent_id == v_parent_id)
+ ref_cnt++;
+ }));
+
+ return ref_cnt;
+}
+
static int destroy_if_dynptr_stack_slot(struct bpf_verifier_env *env,
struct bpf_func_state *state, int spi)
{
- int i, err = 0;
+ int err = 0;
/* We always ensure that STACK_DYNPTR is never set partially,
* hence just checking for slot_type[0] is enough. This is
@@ -803,28 +822,15 @@ static int destroy_if_dynptr_stack_slot(struct bpf_verifier_env *env,
if (!state->stack[spi].spilled_ptr.dynptr.first_slot)
spi = spi + 1;
- if (dynptr_type_referenced(state->stack[spi].spilled_ptr.dynptr.type)) {
- int v_parent_id = state->stack[spi].spilled_ptr.parent_id;
- int ref_cnt = 0;
-
- /*
- * A referenced dynptr can be overwritten only if there is at
- * least one other dynptr sharing the same virtual ref parent,
- * ensuring the reference can still be properly released.
- */
- for (i = 0; i < state->allocated_stack / BPF_REG_SIZE; i++) {
- if (state->stack[i].slot_type[0] != STACK_DYNPTR)
- continue;
- if (!state->stack[i].spilled_ptr.dynptr.first_slot)
- continue;
- if (state->stack[i].spilled_ptr.parent_id == v_parent_id)
- ref_cnt++;
- }
-
- if (ref_cnt <= 1) {
- verbose(env, "cannot overwrite referenced dynptr\n");
- return -EINVAL;
- }
+ /*
+ * A referenced dynptr can be overwritten only if there is at
+ * least one other dynptr sharing the same virtual ref parent,
+ * ensuring the reference can still be properly released.
+ */
+ if (dynptr_type_referenced(state->stack[spi].spilled_ptr.dynptr.type) &&
+ dynptr_ref_cnt(env, state->stack[spi].spilled_ptr.parent_id) <= 1) {
+ verbose(env, "cannot overwrite referenced dynptr\n");
+ return -EINVAL;
}
/* Invalidate the dynptr and any derived slices */
diff --git a/tools/testing/selftests/bpf/progs/wakeup_source_fail.c b/tools/testing/selftests/bpf/progs/wakeup_source_fail.c
index b8bbb61d4d4e..d4d0f1610853 100644
--- a/tools/testing/selftests/bpf/progs/wakeup_source_fail.c
+++ b/tools/testing/selftests/bpf/progs/wakeup_source_fail.c
@@ -42,7 +42,7 @@ int wakeup_source_access_lock_fields(void *ctx)
}
SEC("syscall")
-__failure __msg("type=scalar expected=fp")
+__failure __msg("release kfunc bpf_wakeup_sources_read_unlock expects referenced PTR_TO_BTF_ID passed to R1")
int wakeup_source_unlock_no_lock(void *ctx)
{
struct bpf_ws_lock *lock = (void *)0x1;
--
2.53.0-Meta
next prev parent reply other threads:[~2026-05-19 18:13 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-19 18:12 [PATCH bpf-next v5 00/14] Refactor verifier object relationship tracking Amery Hung
2026-05-19 18:12 ` [PATCH bpf-next v5 01/14] bpf: Simplify mark_stack_slot_obj_read() and callers Amery Hung
2026-05-19 18:13 ` [PATCH bpf-next v5 02/14] bpf: Unify dynptr handling in the verifier Amery Hung
2026-05-19 18:13 ` [PATCH bpf-next v5 03/14] bpf: Assign reg->id when getting referenced kptr from ctx Amery Hung
2026-05-19 18:56 ` bot+bpf-ci
2026-05-19 20:17 ` Amery Hung
2026-05-19 18:13 ` [PATCH bpf-next v5 04/14] bpf: Preserve reg->id of pointer objects after null-check Amery Hung
2026-05-19 18:13 ` [PATCH bpf-next v5 05/14] bpf: Refactor object relationship tracking and fix dynptr UAF bug Amery Hung
2026-05-20 21:47 ` Eduard Zingerman
2026-05-21 7:18 ` Amery Hung
2026-05-19 18:13 ` [PATCH bpf-next v5 06/14] bpf: Remove redundant dynptr arg check for helper Amery Hung
2026-05-19 18:13 ` [PATCH bpf-next v5 07/14] bpf: Unify referenced object tracking in verifier Amery Hung
2026-05-20 22:28 ` Eduard Zingerman
2026-05-19 18:13 ` [PATCH bpf-next v5 08/14] bpf: Unify release handling for helpers and kfuncs Amery Hung
2026-05-19 18:13 ` [PATCH bpf-next v5 09/14] bpf: Fold ref_obj_id into id and introduce virtual references Amery Hung
2026-05-19 18:13 ` Amery Hung [this message]
2026-05-20 19:59 ` [PATCH bpf-next v5 10/14] bpf: Fix dynptr ref counting to scan all call frames Eduard Zingerman
2026-05-20 22:41 ` Amery Hung
2026-05-19 18:13 ` [PATCH bpf-next v5 11/14] selftests/bpf: Test creating dynptr from dynptr data and slice Amery Hung
2026-05-19 18:13 ` [PATCH bpf-next v5 12/14] selftests/bpf: Test using dynptr after freeing the underlying object Amery Hung
2026-05-19 18:13 ` [PATCH bpf-next v5 13/14] selftests/bpf: Test using slice after invalidating dynptr clone Amery Hung
2026-05-19 18:13 ` [PATCH bpf-next v5 14/14] selftests/bpf: Test using file dynptr after the reference on file is dropped Amery Hung
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260519181314.2731658-11-ameryhung@gmail.com \
--to=ameryhung@gmail.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=kernel-team@meta.com \
--cc=martin.lau@kernel.org \
--cc=memxor@gmail.com \
--cc=mykyta.yatsenko5@gmail.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox