Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge branch 'bpf-make-kf_trusted_args-default'

Puranjay Mohan says:

====================
bpf: Make KF_TRUSTED_ARGS default

v2: https://lore.kernel.org/all/20251231171118.1174007-1-puranjay@kernel.org/
Changes in v2->v3:
- Fix documentation: add a new section for kfunc parameters (Eduard)
- Remove all occurrences of KF_TRUSTED from comments, etc. (Eduard)
- Fix the netfilter kfuncs to drop dead NULL checks.
- Fix selftest for netfilter kfuncs to check for verification failures
and remove the runtime failures that are not possible after these
changes

v1: https://lore.kernel.org/all/20251224192448.3176531-1-puranjay@kernel.org/
Changes in v1->v2:
- Update kfunc_dynptr_param selftest to use a real pointer that is not
ptr_to_stack and not CONST_PTR_TO_DYNPTR rather than casting 1
(Alexei)
- Thoroughly review all kfuncs in the to find regressions or missing
annotations. (Eduard)
- Fix kfuncs found from the above step.

This series makes trusted arguments the default requirement for all BPF
kfuncs, inverting the current opt-in model. Instead of requiring
explicit KF_TRUSTED_ARGS flags, kfuncs now require trusted arguments by
default and must explicitly opt-out using __nullable/__opt annotations
or the KF_RCU flag.

This improves security and type safety by preventing BPF programs from
passing untrusted or NULL pointers to kernel functions at verification
time, while maintaining flexibility for the small number of kfuncs that
legitimately need to accept NULL or RCU pointers.

MOTIVATION

The current opt-in model is error-prone and inconsistent. Most kfuncs already
require trusted pointers from sources like KF_ACQUIRE, struct_ops callbacks, or
tracepoints. Making trusted arguments the default:

- Prevents NULL pointer dereferences at verification time
- Reduces defensive NULL checks in kernel code
- Provides better error messages for invalid BPF programs
- Aligns with existing patterns (context pointers, struct_ops already trusted)

IMPACT ANALYSIS

Comprehensive analysis of all 304+ kfuncs across 37 kernel files found:
- Most kfuncs (299/304) are already safe and require no changes
- Only 4 kfuncs required fixes (all included in this series)
- 0 regressions found in independent verification

All bpf selftests are passing. The hid_bpf tests are also passing:
# PASSED: 20 / 20 tests passed.
# Totals: pass:20 fail:0 xfail:0 xpass:0 skip:0 error:0

bpf programs in drivers/hid/bpf/progs/ show no regression as shown by
veristat:

Done. Processed 24 files, 62 programs. Skipped 0 files, 0 programs.

TECHNICAL DETAILS

The verifier now validates kfunc arguments in this order:
1. NULL check (runs first): Rejects NULL unless parameter has __nullable/__opt
2. Trusted check: Rejects untrusted pointers unless kfunc has KF_RCU

Special cases that bypass trusted checking:
- Context pointers (xdp_md, __sk_buff): Handled via KF_ARG_PTR_TO_CTX
- Struct_ops callbacks: Pre-marked as PTR_TRUSTED during initialization
- KF_RCU kfuncs: Have separate validation path for RCU pointers

BACKWARD COMPATIBILITY

This affects BPF program verification, not runtime:
- Valid programs passing trusted pointers: Continue to work
- Programs with bugs: May now fail verification (preventing runtime crashes)

This series introduces two intentional breaking changes to the BPF
verifier's kfunc handling:

1. NULL pointer rejection timing: Kfuncs that previously accepted NULL
pointers without KF_TRUSTED_ARGS will now reject NULL at verification
time instead of returning runtime errors. This affects netfilter
connection tracking functions (bpf_xdp_ct_lookup, bpf_skb_ct_lookup,
bpf_xdp_ct_alloc, bpf_skb_ct_alloc), which now enforce their documented
"Cannot be NULL" requirements at load time rather than returning -EINVAL
at runtime.

2. Fentry/fexit program restrictions: BPF programs using fentry/fexit
attachment points can no longer pass their callback arguments directly
to kfuncs, as these arguments are not marked as trusted by default.
Programs requiring trusted argument semantics should migrate to tp_btf
(tracepoint with BTF) attachment points where arguments are guaranteed
trusted by the verifier.

Both changes strengthen the verifier's safety guarantees by catching
errors earlier in the development cycle and are accompanied by
comprehensive test updates demonstrating the new expected behaviors.
====================

Link: https://patch.msgid.link/20260102180038.2708325-1-puranjay@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
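As an added illustration, not part of this merge or of the kernel's own code, the following userspace C model walks through the argument-check order the cover letter describes under TECHNICAL DETAILS and BACKWARD COMPATIBILITY: the NULL check runs first for every kfunc and is skipped only for `__nullable`/`__opt` parameters; the trusted check runs second and is relaxed only by `KF_RCU`, and only for RCU pointers; fentry/fexit arguments arrive untrusted while tp_btf and struct_ops arguments arrive trusted. The `reg_kind` enum, `reg_kind_for_attach()` and `check_kfunc_arg()` are hypothetical names for this model; the `KF_RCU` bit value and the annotation suffixes are the kernel's.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Same bit value as the kernel's KF_RCU in include/linux/btf.h. */
#define KF_RCU (1 << 7)

/* What the verifier knows about the register holding an argument,
 * simplified to the four cases the cover letter discusses. */
enum reg_kind {
	REG_NULL,       /* register is (possibly) NULL */
	REG_TRUSTED,    /* PTR_TRUSTED: tp_btf/struct_ops arg or KF_ACQUIRE result */
	REG_RCU,        /* MEM_RCU: pointer read under an RCU read lock */
	REG_UNTRUSTED,  /* anything else, e.g. a raw fentry/fexit argument */
};

/* Hypothetical helper: how trusted a program-entry argument is, by attach type. */
enum reg_kind reg_kind_for_attach(const char *attach_type)
{
	if (!strcmp(attach_type, "tp_btf") || !strcmp(attach_type, "struct_ops"))
		return REG_TRUSTED;
	/* fentry/fexit arguments are not marked trusted by default */
	return REG_UNTRUSTED;
}

/* The kernel encodes annotations as a suffix of the parameter name
 * (e.g. "buffer__opt", "ptr__nullable"); this mirrors that check. */
static bool has_suffix(const char *name, const char *suffix)
{
	size_t nl = strlen(name), sl = strlen(suffix);

	return nl >= sl && !strcmp(name + nl - sl, suffix);
}

static void set_msg(const char **msg, const char *s)
{
	if (msg)
		*msg = s;
}

/*
 * Model of the two-step argument check.  Returns 0 when the argument is
 * accepted and -EACCES when the program would be rejected; *msg (optional)
 * receives a message in the style of the verifier's.
 */
int check_kfunc_arg(unsigned int kfunc_flags, const char *param_name,
		    enum reg_kind reg, const char **msg)
{
	bool may_be_null = has_suffix(param_name, "__nullable") ||
			   has_suffix(param_name, "__opt");

	/* Step 1: the NULL check runs first, for every kfunc. */
	if (reg == REG_NULL) {
		if (!may_be_null) {
			set_msg(msg, "Possibly NULL pointer passed to trusted arg");
			return -EACCES;
		}
		set_msg(msg, "NULL accepted; the kfunc body must check it");
		return 0;
	}

	/* Step 2: the trusted check; only KF_RCU relaxes it, and only for MEM_RCU. */
	if (reg == REG_TRUSTED) {
		set_msg(msg, "trusted pointer accepted");
		return 0;
	}
	if (reg == REG_RCU && (kfunc_flags & KF_RCU)) {
		set_msg(msg, "rcu pointer accepted (KF_RCU); refcount may be zero");
		return 0;
	}
	set_msg(msg, (kfunc_flags & KF_RCU) ? "must be referenced, trusted or rcu"
					    : "must be referenced or trusted");
	return -EACCES;
}

int main(void)
{
	/* Constructed cases: kfunc flags, parameter name, register kind. */
	const struct {
		unsigned int flags;
		const char *param;
		enum reg_kind reg;
	} cases[] = {
		{ 0,      "ctx",         reg_kind_for_attach("tp_btf") },
		{ 0,      "ctx",         reg_kind_for_attach("fentry") },
		{ 0,      "ctx",         REG_NULL },
		{ 0,      "buffer__opt", REG_NULL },
		{ 0,      "task",        REG_RCU },
		{ KF_RCU, "task",        REG_RCU },
		{ KF_RCU, "p__nullable", REG_UNTRUSTED },
	};
	const char *msg;

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		int ret = check_kfunc_arg(cases[i].flags, cases[i].param,
					  cases[i].reg, &msg);

		printf("%-12s flags=0x%02x reg=%d -> %s (%s)\n", cases[i].param,
		       cases[i].flags, cases[i].reg, ret ? "reject" : "accept", msg);
	}
	return 0;
}
```

The last table row is the case that trips people up: `__nullable` only disables the NULL rejection; an untrusted non-NULL pointer still fails the trusted check, which is why the cover letter tells fentry/fexit programs to migrate to tp_btf rather than to annotate the kfunc.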

+357 -330
+214 -216
Documentation/bpf/kfuncs.rst
··· 50 50 kfunc. Otherwise one may directly make the kfunc visible to the BPF program by 51 51 registering it with the BPF subsystem. See :ref:`BPF_kfunc_nodef`. 52 52 53 - 2.2 Annotating kfunc parameters 54 - ------------------------------- 55 - 56 - Similar to BPF helpers, there is sometime need for additional context required 57 - by the verifier to make the usage of kernel functions safer and more useful. 58 - Hence, we can annotate a parameter by suffixing the name of the argument of the 59 - kfunc with a __tag, where tag may be one of the supported annotations. 60 - 61 - 2.2.1 __sz Annotation 62 - --------------------- 63 - 64 - This annotation is used to indicate a memory and size pair in the argument list. 65 - An example is given below:: 66 - 67 - __bpf_kfunc void bpf_memzero(void *mem, int mem__sz) 68 - { 69 - ... 70 - } 71 - 72 - Here, the verifier will treat first argument as a PTR_TO_MEM, and second 73 - argument as its size. By default, without __sz annotation, the size of the type 74 - of the pointer is used. Without __sz annotation, a kfunc cannot accept a void 75 - pointer. 76 - 77 - 2.2.2 __k Annotation 53 + 2.2 kfunc Parameters 78 54 -------------------- 79 55 80 - This annotation is only understood for scalar arguments, where it indicates that 81 - the verifier must check the scalar argument to be a known constant, which does 82 - not indicate a size parameter, and the value of the constant is relevant to the 83 - safety of the program. 56 + All kfuncs now require trusted arguments by default. This means that all 57 + pointer arguments must be valid, and all pointers to BTF objects must be 58 + passed in their unmodified form (at a zero offset, and without having been 59 + obtained from walking another pointer, with exceptions described below). 84 60 85 - An example is given below:: 86 - 87 - __bpf_kfunc void *bpf_obj_new(u32 local_type_id__k, ...) 88 - { 89 - ... 
90 - } 91 - 92 - Here, bpf_obj_new uses local_type_id argument to find out the size of that type 93 - ID in program's BTF and return a sized pointer to it. Each type ID will have a 94 - distinct size, hence it is crucial to treat each such call as distinct when 95 - values don't match during verifier state pruning checks. 96 - 97 - Hence, whenever a constant scalar argument is accepted by a kfunc which is not a 98 - size parameter, and the value of the constant matters for program safety, __k 99 - suffix should be used. 100 - 101 - 2.2.3 __uninit Annotation 102 - ------------------------- 103 - 104 - This annotation is used to indicate that the argument will be treated as 105 - uninitialized. 106 - 107 - An example is given below:: 108 - 109 - __bpf_kfunc int bpf_dynptr_from_skb(..., struct bpf_dynptr_kern *ptr__uninit) 110 - { 111 - ... 112 - } 113 - 114 - Here, the dynptr will be treated as an uninitialized dynptr. Without this 115 - annotation, the verifier will reject the program if the dynptr passed in is 116 - not initialized. 117 - 118 - 2.2.4 __opt Annotation 119 - ------------------------- 120 - 121 - This annotation is used to indicate that the buffer associated with an __sz or __szk 122 - argument may be null. If the function is passed a nullptr in place of the buffer, 123 - the verifier will not check that length is appropriate for the buffer. The kfunc is 124 - responsible for checking if this buffer is null before using it. 125 - 126 - An example is given below:: 127 - 128 - __bpf_kfunc void *bpf_dynptr_slice(..., void *buffer__opt, u32 buffer__szk) 129 - { 130 - ... 131 - } 132 - 133 - Here, the buffer may be null. If buffer is not null, it at least of size buffer_szk. 134 - Either way, the returned buffer is either NULL, or of size buffer_szk. Without this 135 - annotation, the verifier will reject the program if a null pointer is passed in with 136 - a nonzero size. 
137 - 138 - 2.2.5 __str Annotation 139 - ---------------------------- 140 - This annotation is used to indicate that the argument is a constant string. 141 - 142 - An example is given below:: 143 - 144 - __bpf_kfunc bpf_get_file_xattr(..., const char *name__str, ...) 145 - { 146 - ... 147 - } 148 - 149 - In this case, ``bpf_get_file_xattr()`` can be called as:: 150 - 151 - bpf_get_file_xattr(..., "xattr_name", ...); 152 - 153 - Or:: 154 - 155 - const char name[] = "xattr_name"; /* This need to be global */ 156 - int BPF_PROG(...) 157 - { 158 - ... 159 - bpf_get_file_xattr(..., name, ...); 160 - ... 161 - } 162 - 163 - 2.2.6 __prog Annotation 164 - --------------------------- 165 - This annotation is used to indicate that the argument needs to be fixed up to 166 - the bpf_prog_aux of the caller BPF program. Any value passed into this argument 167 - is ignored, and rewritten by the verifier. 168 - 169 - An example is given below:: 170 - 171 - __bpf_kfunc int bpf_wq_set_callback_impl(struct bpf_wq *wq, 172 - int (callback_fn)(void *map, int *key, void *value), 173 - unsigned int flags, 174 - void *aux__prog) 175 - { 176 - struct bpf_prog_aux *aux = aux__prog; 177 - ... 178 - } 179 - 180 - .. _BPF_kfunc_nodef: 181 - 182 - 2.3 Using an existing kernel function 183 - ------------------------------------- 184 - 185 - When an existing function in the kernel is fit for consumption by BPF programs, 186 - it can be directly registered with the BPF subsystem. However, care must still 187 - be taken to review the context in which it will be invoked by the BPF program 188 - and whether it is safe to do so. 189 - 190 - 2.4 Annotating kfuncs 191 - --------------------- 192 - 193 - In addition to kfuncs' arguments, verifier may need more information about the 194 - type of kfunc(s) being registered with the BPF subsystem. 
To do so, we define 195 - flags on a set of kfuncs as follows:: 196 - 197 - BTF_KFUNCS_START(bpf_task_set) 198 - BTF_ID_FLAGS(func, bpf_get_task_pid, KF_ACQUIRE | KF_RET_NULL) 199 - BTF_ID_FLAGS(func, bpf_put_pid, KF_RELEASE) 200 - BTF_KFUNCS_END(bpf_task_set) 201 - 202 - This set encodes the BTF ID of each kfunc listed above, and encodes the flags 203 - along with it. Ofcourse, it is also allowed to specify no flags. 204 - 205 - kfunc definitions should also always be annotated with the ``__bpf_kfunc`` 206 - macro. This prevents issues such as the compiler inlining the kfunc if it's a 207 - static kernel function, or the function being elided in an LTO build as it's 208 - not used in the rest of the kernel. Developers should not manually add 209 - annotations to their kfunc to prevent these issues. If an annotation is 210 - required to prevent such an issue with your kfunc, it is a bug and should be 211 - added to the definition of the macro so that other kfuncs are similarly 212 - protected. An example is given below:: 213 - 214 - __bpf_kfunc struct task_struct *bpf_get_task_pid(s32 pid) 215 - { 216 - ... 217 - } 218 - 219 - 2.4.1 KF_ACQUIRE flag 220 - --------------------- 221 - 222 - The KF_ACQUIRE flag is used to indicate that the kfunc returns a pointer to a 223 - refcounted object. The verifier will then ensure that the pointer to the object 224 - is eventually released using a release kfunc, or transferred to a map using a 225 - referenced kptr (by invoking bpf_kptr_xchg). If not, the verifier fails the 226 - loading of the BPF program until no lingering references remain in all possible 227 - explored states of the program. 228 - 229 - 2.4.2 KF_RET_NULL flag 230 - ---------------------- 231 - 232 - The KF_RET_NULL flag is used to indicate that the pointer returned by the kfunc 233 - may be NULL. 
Hence, it forces the user to do a NULL check on the pointer 234 - returned from the kfunc before making use of it (dereferencing or passing to 235 - another helper). This flag is often used in pairing with KF_ACQUIRE flag, but 236 - both are orthogonal to each other. 237 - 238 - 2.4.3 KF_RELEASE flag 239 - --------------------- 240 - 241 - The KF_RELEASE flag is used to indicate that the kfunc releases the pointer 242 - passed in to it. There can be only one referenced pointer that can be passed 243 - in. All copies of the pointer being released are invalidated as a result of 244 - invoking kfunc with this flag. KF_RELEASE kfuncs automatically receive the 245 - protection afforded by the KF_TRUSTED_ARGS flag described below. 246 - 247 - 2.4.4 KF_TRUSTED_ARGS flag 248 - -------------------------- 249 - 250 - The KF_TRUSTED_ARGS flag is used for kfuncs taking pointer arguments. It 251 - indicates that the all pointer arguments are valid, and that all pointers to 252 - BTF objects have been passed in their unmodified form (that is, at a zero 253 - offset, and without having been obtained from walking another pointer, with one 254 - exception described below). 255 - 256 - There are two types of pointers to kernel objects which are considered "valid": 61 + There are two types of pointers to kernel objects which are considered "trusted": 257 62 258 63 1. Pointers which are passed as tracepoint or struct_ops callback arguments. 259 64 2. Pointers which were returned from a KF_ACQUIRE kfunc. 260 65 261 66 Pointers to non-BTF objects (e.g. scalar pointers) may also be passed to 262 - KF_TRUSTED_ARGS kfuncs, and may have a non-zero offset. 67 + kfuncs, and may have a non-zero offset. 263 68 264 69 The definition of "valid" pointers is subject to change at any time, and has 265 70 absolutely no ABI stability guarantees. 
··· 113 308 114 309 BTF_TYPE_EMIT(BTF_TYPE_SAFE_TRUSTED(struct socket)); 115 310 311 + 2.3 Annotating kfunc parameters 312 + ------------------------------- 116 313 117 - 2.4.5 KF_SLEEPABLE flag 314 + Similar to BPF helpers, there is sometime need for additional context required 315 + by the verifier to make the usage of kernel functions safer and more useful. 316 + Hence, we can annotate a parameter by suffixing the name of the argument of the 317 + kfunc with a __tag, where tag may be one of the supported annotations. 318 + 319 + 2.3.1 __sz Annotation 320 + --------------------- 321 + 322 + This annotation is used to indicate a memory and size pair in the argument list. 323 + An example is given below:: 324 + 325 + __bpf_kfunc void bpf_memzero(void *mem, int mem__sz) 326 + { 327 + ... 328 + } 329 + 330 + Here, the verifier will treat first argument as a PTR_TO_MEM, and second 331 + argument as its size. By default, without __sz annotation, the size of the type 332 + of the pointer is used. Without __sz annotation, a kfunc cannot accept a void 333 + pointer. 334 + 335 + 2.3.2 __k Annotation 336 + -------------------- 337 + 338 + This annotation is only understood for scalar arguments, where it indicates that 339 + the verifier must check the scalar argument to be a known constant, which does 340 + not indicate a size parameter, and the value of the constant is relevant to the 341 + safety of the program. 342 + 343 + An example is given below:: 344 + 345 + __bpf_kfunc void *bpf_obj_new(u32 local_type_id__k, ...) 346 + { 347 + ... 348 + } 349 + 350 + Here, bpf_obj_new uses local_type_id argument to find out the size of that type 351 + ID in program's BTF and return a sized pointer to it. Each type ID will have a 352 + distinct size, hence it is crucial to treat each such call as distinct when 353 + values don't match during verifier state pruning checks. 
354 + 355 + Hence, whenever a constant scalar argument is accepted by a kfunc which is not a 356 + size parameter, and the value of the constant matters for program safety, __k 357 + suffix should be used. 358 + 359 + 2.3.3 __uninit Annotation 360 + ------------------------- 361 + 362 + This annotation is used to indicate that the argument will be treated as 363 + uninitialized. 364 + 365 + An example is given below:: 366 + 367 + __bpf_kfunc int bpf_dynptr_from_skb(..., struct bpf_dynptr_kern *ptr__uninit) 368 + { 369 + ... 370 + } 371 + 372 + Here, the dynptr will be treated as an uninitialized dynptr. Without this 373 + annotation, the verifier will reject the program if the dynptr passed in is 374 + not initialized. 375 + 376 + 2.3.4 __opt Annotation 377 + ------------------------- 378 + 379 + This annotation is used to indicate that the buffer associated with an __sz or __szk 380 + argument may be null. If the function is passed a nullptr in place of the buffer, 381 + the verifier will not check that length is appropriate for the buffer. The kfunc is 382 + responsible for checking if this buffer is null before using it. 383 + 384 + An example is given below:: 385 + 386 + __bpf_kfunc void *bpf_dynptr_slice(..., void *buffer__opt, u32 buffer__szk) 387 + { 388 + ... 389 + } 390 + 391 + Here, the buffer may be null. If buffer is not null, it at least of size buffer_szk. 392 + Either way, the returned buffer is either NULL, or of size buffer_szk. Without this 393 + annotation, the verifier will reject the program if a null pointer is passed in with 394 + a nonzero size. 395 + 396 + 2.3.5 __str Annotation 397 + ---------------------------- 398 + This annotation is used to indicate that the argument is a constant string. 399 + 400 + An example is given below:: 401 + 402 + __bpf_kfunc bpf_get_file_xattr(..., const char *name__str, ...) 403 + { 404 + ... 
405 + } 406 + 407 + In this case, ``bpf_get_file_xattr()`` can be called as:: 408 + 409 + bpf_get_file_xattr(..., "xattr_name", ...); 410 + 411 + Or:: 412 + 413 + const char name[] = "xattr_name"; /* This need to be global */ 414 + int BPF_PROG(...) 415 + { 416 + ... 417 + bpf_get_file_xattr(..., name, ...); 418 + ... 419 + } 420 + 421 + 2.3.6 __prog Annotation 422 + --------------------------- 423 + This annotation is used to indicate that the argument needs to be fixed up to 424 + the bpf_prog_aux of the caller BPF program. Any value passed into this argument 425 + is ignored, and rewritten by the verifier. 426 + 427 + An example is given below:: 428 + 429 + __bpf_kfunc int bpf_wq_set_callback_impl(struct bpf_wq *wq, 430 + int (callback_fn)(void *map, int *key, void *value), 431 + unsigned int flags, 432 + void *aux__prog) 433 + { 434 + struct bpf_prog_aux *aux = aux__prog; 435 + ... 436 + } 437 + 438 + .. _BPF_kfunc_nodef: 439 + 440 + 2.4 Using an existing kernel function 441 + ------------------------------------- 442 + 443 + When an existing function in the kernel is fit for consumption by BPF programs, 444 + it can be directly registered with the BPF subsystem. However, care must still 445 + be taken to review the context in which it will be invoked by the BPF program 446 + and whether it is safe to do so. 447 + 448 + 2.5 Annotating kfuncs 449 + --------------------- 450 + 451 + In addition to kfuncs' arguments, verifier may need more information about the 452 + type of kfunc(s) being registered with the BPF subsystem. To do so, we define 453 + flags on a set of kfuncs as follows:: 454 + 455 + BTF_KFUNCS_START(bpf_task_set) 456 + BTF_ID_FLAGS(func, bpf_get_task_pid, KF_ACQUIRE | KF_RET_NULL) 457 + BTF_ID_FLAGS(func, bpf_put_pid, KF_RELEASE) 458 + BTF_KFUNCS_END(bpf_task_set) 459 + 460 + This set encodes the BTF ID of each kfunc listed above, and encodes the flags 461 + along with it. Ofcourse, it is also allowed to specify no flags. 
462 + 463 + kfunc definitions should also always be annotated with the ``__bpf_kfunc`` 464 + macro. This prevents issues such as the compiler inlining the kfunc if it's a 465 + static kernel function, or the function being elided in an LTO build as it's 466 + not used in the rest of the kernel. Developers should not manually add 467 + annotations to their kfunc to prevent these issues. If an annotation is 468 + required to prevent such an issue with your kfunc, it is a bug and should be 469 + added to the definition of the macro so that other kfuncs are similarly 470 + protected. An example is given below:: 471 + 472 + __bpf_kfunc struct task_struct *bpf_get_task_pid(s32 pid) 473 + { 474 + ... 475 + } 476 + 477 + 2.5.1 KF_ACQUIRE flag 478 + --------------------- 479 + 480 + The KF_ACQUIRE flag is used to indicate that the kfunc returns a pointer to a 481 + refcounted object. The verifier will then ensure that the pointer to the object 482 + is eventually released using a release kfunc, or transferred to a map using a 483 + referenced kptr (by invoking bpf_kptr_xchg). If not, the verifier fails the 484 + loading of the BPF program until no lingering references remain in all possible 485 + explored states of the program. 486 + 487 + 2.5.2 KF_RET_NULL flag 488 + ---------------------- 489 + 490 + The KF_RET_NULL flag is used to indicate that the pointer returned by the kfunc 491 + may be NULL. Hence, it forces the user to do a NULL check on the pointer 492 + returned from the kfunc before making use of it (dereferencing or passing to 493 + another helper). This flag is often used in pairing with KF_ACQUIRE flag, but 494 + both are orthogonal to each other. 495 + 496 + 2.5.3 KF_RELEASE flag 497 + --------------------- 498 + 499 + The KF_RELEASE flag is used to indicate that the kfunc releases the pointer 500 + passed in to it. There can be only one referenced pointer that can be passed 501 + in. 
All copies of the pointer being released are invalidated as a result of 502 + invoking kfunc with this flag. 503 + 504 + 2.5.4 KF_SLEEPABLE flag 118 505 ----------------------- 119 506 120 507 The KF_SLEEPABLE flag is used for kfuncs that may sleep. Such kfuncs can only 121 508 be called by sleepable BPF programs (BPF_F_SLEEPABLE). 122 509 123 - 2.4.6 KF_DESTRUCTIVE flag 510 + 2.5.5 KF_DESTRUCTIVE flag 124 511 -------------------------- 125 512 126 513 The KF_DESTRUCTIVE flag is used to indicate functions calling which is ··· 321 324 calls. At the moment they only require CAP_SYS_BOOT capability, but more can be 322 325 added later. 323 326 324 - 2.4.7 KF_RCU flag 327 + 2.5.6 KF_RCU flag 325 328 ----------------- 326 329 327 - The KF_RCU flag is a weaker version of KF_TRUSTED_ARGS. The kfuncs marked with 328 - KF_RCU expect either PTR_TRUSTED or MEM_RCU arguments. The verifier guarantees 329 - that the objects are valid and there is no use-after-free. The pointers are not 330 - NULL, but the object's refcount could have reached zero. The kfuncs need to 331 - consider doing refcnt != 0 check, especially when returning a KF_ACQUIRE 332 - pointer. Note as well that a KF_ACQUIRE kfunc that is KF_RCU should very likely 333 - also be KF_RET_NULL. 330 + The KF_RCU flag allows kfuncs to opt out of the default trusted args 331 + requirement and accept RCU pointers with weaker guarantees. The kfuncs marked 332 + with KF_RCU expect either PTR_TRUSTED or MEM_RCU arguments. The verifier 333 + guarantees that the objects are valid and there is no use-after-free. The 334 + pointers are not NULL, but the object's refcount could have reached zero. The 335 + kfuncs need to consider doing refcnt != 0 check, especially when returning a 336 + KF_ACQUIRE pointer. Note as well that a KF_ACQUIRE kfunc that is KF_RCU should 337 + very likely also be KF_RET_NULL. 
334 338 335 - 2.4.8 KF_RCU_PROTECTED flag 339 + 2.5.7 KF_RCU_PROTECTED flag 336 340 --------------------------- 337 341 338 342 The KF_RCU_PROTECTED flag is used to indicate that the kfunc must be invoked in ··· 352 354 353 355 .. _KF_deprecated_flag: 354 356 355 - 2.4.9 KF_DEPRECATED flag 357 + 2.5.8 KF_DEPRECATED flag 356 358 ------------------------ 357 359 358 360 The KF_DEPRECATED flag is used for kfuncs which are scheduled to be ··· 372 374 in upstream discussions regarding whether to keep, change, deprecate, or remove 373 375 those kfuncs if and when such discussions occur. 374 376 375 - 2.5 Registering the kfuncs 377 + 2.6 Registering the kfuncs 376 378 -------------------------- 377 379 378 380 Once the kfunc is prepared for use, the final step to making it visible is ··· 395 397 } 396 398 late_initcall(init_subsystem); 397 399 398 - 2.6 Specifying no-cast aliases with ___init 400 + 2.7 Specifying no-cast aliases with ___init 399 401 -------------------------------------------- 400 402 401 403 The verifier will always enforce that the BTF type of a pointer passed to a
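Review bot: the new "2.2 kfunc Parameters" text (lines 56-59) says the trusted-argument default has "exceptions described below", and the cover letter names __nullable/__opt as the opt-outs, but the annotations listed under 2.3 (__sz, __k, __uninit, __opt, __str, __prog) never document __nullable, and the __opt text (lines 379-382) still describes it only as a nullable buffer paired with __sz/__szk. Suggest adding a 2.3.x __nullable subsection stating that the suffix lets a pointer parameter receive NULL under the new default and that the kfunc body must check for it, plus one sentence under __opt saying that it also disables the NULL rejection. Minor: line 69 still calls these pointers "valid" after line 61 renamed them "trusted", and since the paragraphs are being moved anyway, "sometime need" (314), "it at least of size" (391) and "Ofcourse" (461) could be fixed in passing.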
+1 -4
drivers/hid/bpf/hid_bpf_dispatch.c
··· 295 295 { 296 296 struct hid_bpf_ctx_kern *ctx_kern; 297 297 298 - if (!ctx) 299 - return NULL; 300 - 301 298 ctx_kern = container_of(ctx, struct hid_bpf_ctx_kern, ctx); 302 299 303 300 if (rdwr_buf_size + offset > ctx->allocated_size) ··· 361 364 u32 report_len; 362 365 363 366 /* check arguments */ 364 - if (!ctx || !hid_ops || !buf) 367 + if (!hid_ops) 365 368 return -EINVAL; 366 369 367 370 switch (rtype) {
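Review bot: dropping `!buf` together with `!ctx` in the second hunk (lines 364-367) is only safe if the `buf` parameter in the kfunc signature, which this hunk does not show, carries no __opt or __nullable annotation; under the verifier change in this series those suffixes skip the NULL check, so an annotated buffer would still reach this function as NULL. Please confirm the signature or keep the `!buf` check. For the first hunk (lines 298-300), `container_of(ctx, ...)` on a NULL ctx would produce a bogus pointer, so a one-line comment that the verifier now guarantees ctx is non-NULL would help the next reader who sees the check gone.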
+9 -14
fs/bpf_fs_kfuncs.c
··· 68 68 * 69 69 * Resolve the pathname for the supplied *path* and store it in *buf*. This BPF 70 70 * kfunc is the safer variant of the legacy bpf_d_path() helper and should be 71 - * used in place of bpf_d_path() whenever possible. It enforces KF_TRUSTED_ARGS 72 - * semantics, meaning that the supplied *path* must itself hold a valid 73 - * reference, or else the BPF program will be outright rejected by the BPF 74 - * verifier. 71 + * used in place of bpf_d_path() whenever possible. 75 72 * 76 73 * This BPF kfunc may only be called from BPF LSM programs. 77 74 * ··· 356 359 __bpf_kfunc_end_defs(); 357 360 358 361 BTF_KFUNCS_START(bpf_fs_kfunc_set_ids) 359 - BTF_ID_FLAGS(func, bpf_get_task_exe_file, 360 - KF_ACQUIRE | KF_TRUSTED_ARGS | KF_RET_NULL) 362 + BTF_ID_FLAGS(func, bpf_get_task_exe_file, KF_ACQUIRE | KF_RET_NULL) 361 363 BTF_ID_FLAGS(func, bpf_put_file, KF_RELEASE) 362 - BTF_ID_FLAGS(func, bpf_path_d_path, KF_TRUSTED_ARGS) 363 - BTF_ID_FLAGS(func, bpf_get_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS) 364 - BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS) 365 - BTF_ID_FLAGS(func, bpf_set_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS) 366 - BTF_ID_FLAGS(func, bpf_remove_dentry_xattr, KF_SLEEPABLE | KF_TRUSTED_ARGS) 364 + BTF_ID_FLAGS(func, bpf_path_d_path) 365 + BTF_ID_FLAGS(func, bpf_get_dentry_xattr, KF_SLEEPABLE) 366 + BTF_ID_FLAGS(func, bpf_get_file_xattr, KF_SLEEPABLE) 367 + BTF_ID_FLAGS(func, bpf_set_dentry_xattr, KF_SLEEPABLE) 368 + BTF_ID_FLAGS(func, bpf_remove_dentry_xattr, KF_SLEEPABLE) 367 369 BTF_KFUNCS_END(bpf_fs_kfunc_set_ids) 368 370 369 371 static int bpf_fs_kfuncs_filter(const struct bpf_prog *prog, u32 kfunc_id) ··· 373 377 return -EACCES; 374 378 } 375 379 376 - /* bpf_[set|remove]_dentry_xattr.* hooks have KF_TRUSTED_ARGS and 377 - * KF_SLEEPABLE, so they are only available to sleepable hooks with 378 - * dentry arguments. 
380 + /* bpf_[set|remove]_dentry_xattr.* hooks have KF_SLEEPABLE, so they are only 381 + * available to sleepable hooks with dentry arguments. 379 382 * 380 383 * Setting and removing xattr requires exclusive lock on dentry->d_inode. 381 384 * Some hooks already locked d_inode, while some hooks have not locked
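Review bot: the first hunk (lines 71-74) deletes the sentence that explained why bpf_path_d_path() is "the safer variant" of bpf_d_path(): that *path* must hold a valid reference or the program is rejected by the verifier. That guarantee still holds under the trusted-by-default model, so keep a version of it without the flag name, e.g. "The supplied *path* must be a trusted (referenced) pointer, or the BPF verifier rejects the program." Likewise the filter comment in the last hunk (lines 380-381) now attributes "only available to sleepable hooks with dentry arguments" to KF_SLEEPABLE alone; the dentry-argument restriction comes from the default trusted-argument rule, so the comment should name both reasons.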
+1 -1
fs/verity/measure.c
··· 162 162 __bpf_kfunc_end_defs(); 163 163 164 164 BTF_KFUNCS_START(fsverity_set_ids) 165 - BTF_ID_FLAGS(func, bpf_get_fsverity_digest, KF_TRUSTED_ARGS) 165 + BTF_ID_FLAGS(func, bpf_get_fsverity_digest) 166 166 BTF_KFUNCS_END(fsverity_set_ids) 167 167 168 168 static int bpf_get_fsverity_digest_filter(const struct bpf_prog *prog, u32 kfunc_id)
+1 -1
include/linux/bpf.h
··· 753 753 MEM_ALLOC = BIT(11 + BPF_BASE_TYPE_BITS), 754 754 755 755 /* PTR was passed from the kernel in a trusted context, and may be 756 - * passed to KF_TRUSTED_ARGS kfuncs or BPF helper functions. 756 + * passed to kfuncs or BPF helper functions. 757 757 * Confusingly, this is _not_ the opposite of PTR_UNTRUSTED above. 758 758 * PTR_UNTRUSTED refers to a kptr that was read directly from a map 759 759 * without invoking bpf_kptr_xchg(). What we really need to know is
+1 -2
include/linux/btf.h
··· 34 34 * 35 35 * And the following kfunc: 36 36 * 37 - * BTF_ID_FLAGS(func, bpf_task_acquire, KF_ACQUIRE | KF_TRUSTED_ARGS) 37 + * BTF_ID_FLAGS(func, bpf_task_acquire, KF_ACQUIRE) 38 38 * 39 39 * All invocations to the kfunc must pass the unmodified, unwalked task: 40 40 * ··· 66 66 * return 0; 67 67 * } 68 68 */ 69 - #define KF_TRUSTED_ARGS (1 << 4) /* kfunc only takes trusted pointer arguments */ 70 69 #define KF_SLEEPABLE (1 << 5) /* kfunc may sleep */ 71 70 #define KF_DESTRUCTIVE (1 << 6) /* kfunc performs destructive actions */ 72 71 #define KF_RCU (1 << 7) /* kfunc takes either rcu or trusted pointer arguments */
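Review bot: removing `#define KF_TRUSTED_ARGS (1 << 4)` (line 69) leaves bit 4 unused between the lower flags and KF_SLEEPABLE (1 << 5); a one-line placeholder comment marking the bit as intentionally free would stop a future flag from quietly taking over a value that out-of-tree kfunc sets may still OR in. The comment block above (lines 34-68) that explains the trusted-argument contract with the bpf_task_acquire example now belongs to no flag; consider pointing it at the new section 2.2 of Documentation/bpf/kfuncs.rst, or moving it next to KF_RCU, which is now the only flag that changes the rule.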
+3 -3
kernel/bpf/arena.c
··· 890 890 __bpf_kfunc_end_defs(); 891 891 892 892 BTF_KFUNCS_START(arena_kfuncs) 893 - BTF_ID_FLAGS(func, bpf_arena_alloc_pages, KF_TRUSTED_ARGS | KF_ARENA_RET | KF_ARENA_ARG2) 894 - BTF_ID_FLAGS(func, bpf_arena_free_pages, KF_TRUSTED_ARGS | KF_ARENA_ARG2) 895 - BTF_ID_FLAGS(func, bpf_arena_reserve_pages, KF_TRUSTED_ARGS | KF_ARENA_ARG2) 893 + BTF_ID_FLAGS(func, bpf_arena_alloc_pages, KF_ARENA_RET | KF_ARENA_ARG2) 894 + BTF_ID_FLAGS(func, bpf_arena_free_pages, KF_ARENA_ARG2) 895 + BTF_ID_FLAGS(func, bpf_arena_reserve_pages, KF_ARENA_ARG2) 896 896 BTF_KFUNCS_END(arena_kfuncs) 897 897 898 898 static const struct btf_kfunc_id_set common_kfunc_set = {
+1 -1
kernel/bpf/cpumask.c
··· 477 477 BTF_KFUNCS_START(cpumask_kfunc_btf_ids) 478 478 BTF_ID_FLAGS(func, bpf_cpumask_create, KF_ACQUIRE | KF_RET_NULL) 479 479 BTF_ID_FLAGS(func, bpf_cpumask_release, KF_RELEASE) 480 - BTF_ID_FLAGS(func, bpf_cpumask_acquire, KF_ACQUIRE | KF_TRUSTED_ARGS) 480 + BTF_ID_FLAGS(func, bpf_cpumask_acquire, KF_ACQUIRE) 481 481 BTF_ID_FLAGS(func, bpf_cpumask_first, KF_RCU) 482 482 BTF_ID_FLAGS(func, bpf_cpumask_first_zero, KF_RCU) 483 483 BTF_ID_FLAGS(func, bpf_cpumask_first_and, KF_RCU)
+10 -10
kernel/bpf/helpers.c
··· 4427 4427 BTF_ID_FLAGS(func, bpf_task_from_vpid, KF_ACQUIRE | KF_RET_NULL) 4428 4428 BTF_ID_FLAGS(func, bpf_throw) 4429 4429 #ifdef CONFIG_BPF_EVENTS 4430 - BTF_ID_FLAGS(func, bpf_send_signal_task, KF_TRUSTED_ARGS) 4430 + BTF_ID_FLAGS(func, bpf_send_signal_task) 4431 4431 #endif 4432 4432 #ifdef CONFIG_KEYS 4433 4433 BTF_ID_FLAGS(func, bpf_lookup_user_key, KF_ACQUIRE | KF_RET_NULL | KF_SLEEPABLE) ··· 4467 4467 BTF_ID_FLAGS(func, bpf_iter_task_vma_next, KF_ITER_NEXT | KF_RET_NULL) 4468 4468 BTF_ID_FLAGS(func, bpf_iter_task_vma_destroy, KF_ITER_DESTROY) 4469 4469 #ifdef CONFIG_CGROUPS 4470 - BTF_ID_FLAGS(func, bpf_iter_css_task_new, KF_ITER_NEW | KF_TRUSTED_ARGS) 4470 + BTF_ID_FLAGS(func, bpf_iter_css_task_new, KF_ITER_NEW) 4471 4471 BTF_ID_FLAGS(func, bpf_iter_css_task_next, KF_ITER_NEXT | KF_RET_NULL) 4472 4472 BTF_ID_FLAGS(func, bpf_iter_css_task_destroy, KF_ITER_DESTROY) 4473 - BTF_ID_FLAGS(func, bpf_iter_css_new, KF_ITER_NEW | KF_TRUSTED_ARGS | KF_RCU_PROTECTED) 4473 + BTF_ID_FLAGS(func, bpf_iter_css_new, KF_ITER_NEW | KF_RCU_PROTECTED) 4474 4474 BTF_ID_FLAGS(func, bpf_iter_css_next, KF_ITER_NEXT | KF_RET_NULL) 4475 4475 BTF_ID_FLAGS(func, bpf_iter_css_destroy, KF_ITER_DESTROY) 4476 4476 #endif 4477 - BTF_ID_FLAGS(func, bpf_iter_task_new, KF_ITER_NEW | KF_TRUSTED_ARGS | KF_RCU_PROTECTED) 4477 + BTF_ID_FLAGS(func, bpf_iter_task_new, KF_ITER_NEW | KF_RCU_PROTECTED) 4478 4478 BTF_ID_FLAGS(func, bpf_iter_task_next, KF_ITER_NEXT | KF_RET_NULL) 4479 4479 BTF_ID_FLAGS(func, bpf_iter_task_destroy, KF_ITER_DESTROY) 4480 4480 BTF_ID_FLAGS(func, bpf_dynptr_adjust) ··· 4510 4510 BTF_ID_FLAGS(func, bpf_probe_read_kernel_str_dynptr) 4511 4511 BTF_ID_FLAGS(func, bpf_copy_from_user_dynptr, KF_SLEEPABLE) 4512 4512 BTF_ID_FLAGS(func, bpf_copy_from_user_str_dynptr, KF_SLEEPABLE) 4513 - BTF_ID_FLAGS(func, bpf_copy_from_user_task_dynptr, KF_SLEEPABLE | KF_TRUSTED_ARGS) 4514 - BTF_ID_FLAGS(func, bpf_copy_from_user_task_str_dynptr, KF_SLEEPABLE | KF_TRUSTED_ARGS) 4513 + 
BTF_ID_FLAGS(func, bpf_copy_from_user_task_dynptr, KF_SLEEPABLE) 4514 + BTF_ID_FLAGS(func, bpf_copy_from_user_task_str_dynptr, KF_SLEEPABLE) 4515 4515 #endif 4516 4516 #ifdef CONFIG_DMA_SHARED_BUFFER 4517 4517 BTF_ID_FLAGS(func, bpf_iter_dmabuf_new, KF_ITER_NEW | KF_SLEEPABLE) ··· 4536 4536 #if defined(CONFIG_BPF_LSM) && defined(CONFIG_CGROUPS) 4537 4537 BTF_ID_FLAGS(func, bpf_cgroup_read_xattr, KF_RCU) 4538 4538 #endif 4539 - BTF_ID_FLAGS(func, bpf_stream_vprintk_impl, KF_TRUSTED_ARGS) 4540 - BTF_ID_FLAGS(func, bpf_task_work_schedule_signal_impl, KF_TRUSTED_ARGS) 4541 - BTF_ID_FLAGS(func, bpf_task_work_schedule_resume_impl, KF_TRUSTED_ARGS) 4542 - BTF_ID_FLAGS(func, bpf_dynptr_from_file, KF_TRUSTED_ARGS) 4539 + BTF_ID_FLAGS(func, bpf_stream_vprintk_impl) 4540 + BTF_ID_FLAGS(func, bpf_task_work_schedule_signal_impl) 4541 + BTF_ID_FLAGS(func, bpf_task_work_schedule_resume_impl) 4542 + BTF_ID_FLAGS(func, bpf_dynptr_from_file) 4543 4543 BTF_ID_FLAGS(func, bpf_dynptr_file_discard) 4544 4544 BTF_KFUNCS_END(common_btf_ids) 4545 4545
+1 -1
kernel/bpf/map_iter.c
··· 214 214 __bpf_kfunc_end_defs(); 215 215 216 216 BTF_KFUNCS_START(bpf_map_iter_kfunc_ids) 217 - BTF_ID_FLAGS(func, bpf_map_sum_elem_count, KF_TRUSTED_ARGS) 217 + BTF_ID_FLAGS(func, bpf_map_sum_elem_count) 218 218 BTF_KFUNCS_END(bpf_map_iter_kfunc_ids) 219 219 220 220 static const struct btf_kfunc_id_set bpf_map_iter_kfunc_set = {
+4 -12
kernel/bpf/verifier.c
··· 12040 12040 return meta->kfunc_flags & KF_RELEASE; 12041 12041 } 12042 12042 12043 - static bool is_kfunc_trusted_args(struct bpf_kfunc_call_arg_meta *meta) 12044 - { 12045 - return (meta->kfunc_flags & KF_TRUSTED_ARGS) || is_kfunc_release(meta); 12046 - } 12047 - 12048 12043 static bool is_kfunc_sleepable(struct bpf_kfunc_call_arg_meta *meta) 12049 12044 { 12050 12045 return meta->kfunc_flags & KF_SLEEPABLE; ··· 12619 12624 12620 12625 /* Enforce strict type matching for calls to kfuncs that are acquiring 12621 12626 * or releasing a reference, or are no-cast aliases. We do _not_ 12622 - * enforce strict matching for plain KF_TRUSTED_ARGS kfuncs by default, 12627 + * enforce strict matching for kfuncs by default, 12623 12628 * as we want to enable BPF programs to pass types that are bitwise 12624 12629 * equivalent without forcing them to explicitly cast with something 12625 12630 * like bpf_cast_to_kern_ctx(). ··· 13248 13253 return -EINVAL; 13249 13254 } 13250 13255 13251 - if ((is_kfunc_trusted_args(meta) || is_kfunc_rcu(meta)) && 13252 - (register_is_null(reg) || type_may_be_null(reg->type)) && 13253 - !is_kfunc_arg_nullable(meta->btf, &args[i])) { 13256 + if ((register_is_null(reg) || type_may_be_null(reg->type)) && 13257 + !is_kfunc_arg_nullable(meta->btf, &args[i]) && 13258 + !is_kfunc_arg_optional(meta->btf, &args[i])) { 13254 13259 verbose(env, "Possibly NULL pointer passed to trusted arg%d\n", i); 13255 13260 return -EACCES; 13256 13261 } ··· 13315 13320 fallthrough; 13316 13321 case KF_ARG_PTR_TO_ALLOC_BTF_ID: 13317 13322 case KF_ARG_PTR_TO_BTF_ID: 13318 - if (!is_kfunc_trusted_args(meta) && !is_kfunc_rcu(meta)) 13319 - break; 13320 - 13321 13323 if (!is_trusted_reg(reg)) { 13322 13324 if (!is_kfunc_rcu(meta)) { 13323 13325 verbose(env, "R%d must be referenced or trusted\n", regno);
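Review bot: the NULL check at 13256-13258 now exempts `__opt` args via is_kfunc_arg_optional(), but the `is_trusted_reg(reg)` check under `case KF_ARG_PTR_TO_BTF_ID` (13323) no longer has any guard in front of it after the early `break` was removed; a short comment there stating that every BTF-ID pointer argument is now required to be trusted (or RCU for KF_RCU kfuncs) unless annotated would make the new invariant visible at the check itself rather than only in the removal of is_kfunc_trusted_args(). The comment edit at 12627 also reads awkwardly ("enforce strict matching for kfuncs by default"); "for plain kfuncs" or "for kfuncs that merely take trusted args" keeps the original contrast with acquire/release kfuncs.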
+4 -4
kernel/sched/ext.c
··· 7229 7229 BTF_ID_FLAGS(func, bpf_iter_scx_dsq_new, KF_ITER_NEW | KF_RCU_PROTECTED) 7230 7230 BTF_ID_FLAGS(func, bpf_iter_scx_dsq_next, KF_ITER_NEXT | KF_RET_NULL) 7231 7231 BTF_ID_FLAGS(func, bpf_iter_scx_dsq_destroy, KF_ITER_DESTROY) 7232 - BTF_ID_FLAGS(func, scx_bpf_exit_bstr, KF_TRUSTED_ARGS) 7233 - BTF_ID_FLAGS(func, scx_bpf_error_bstr, KF_TRUSTED_ARGS) 7234 - BTF_ID_FLAGS(func, scx_bpf_dump_bstr, KF_TRUSTED_ARGS) 7232 + BTF_ID_FLAGS(func, scx_bpf_exit_bstr) 7233 + BTF_ID_FLAGS(func, scx_bpf_error_bstr) 7234 + BTF_ID_FLAGS(func, scx_bpf_dump_bstr) 7235 7235 BTF_ID_FLAGS(func, scx_bpf_reenqueue_local___v2) 7236 7236 BTF_ID_FLAGS(func, scx_bpf_cpuperf_cap) 7237 7237 BTF_ID_FLAGS(func, scx_bpf_cpuperf_cur) ··· 7250 7250 BTF_ID_FLAGS(func, scx_bpf_task_cgroup, KF_RCU | KF_ACQUIRE) 7251 7251 #endif 7252 7252 BTF_ID_FLAGS(func, scx_bpf_now) 7253 - BTF_ID_FLAGS(func, scx_bpf_events, KF_TRUSTED_ARGS) 7253 + BTF_ID_FLAGS(func, scx_bpf_events) 7254 7254 BTF_KFUNCS_END(scx_kfunc_ids_any) 7255 7255 7256 7256 static const struct btf_kfunc_id_set scx_kfunc_set_any = {
+5 -5
mm/bpf_memcontrol.c
··· 166 166 BTF_ID_FLAGS(func, bpf_get_mem_cgroup, KF_ACQUIRE | KF_RET_NULL | KF_RCU) 167 167 BTF_ID_FLAGS(func, bpf_put_mem_cgroup, KF_RELEASE) 168 168 169 - BTF_ID_FLAGS(func, bpf_mem_cgroup_vm_events, KF_TRUSTED_ARGS) 170 - BTF_ID_FLAGS(func, bpf_mem_cgroup_memory_events, KF_TRUSTED_ARGS) 171 - BTF_ID_FLAGS(func, bpf_mem_cgroup_usage, KF_TRUSTED_ARGS) 172 - BTF_ID_FLAGS(func, bpf_mem_cgroup_page_state, KF_TRUSTED_ARGS) 173 - BTF_ID_FLAGS(func, bpf_mem_cgroup_flush_stats, KF_TRUSTED_ARGS | KF_SLEEPABLE) 169 + BTF_ID_FLAGS(func, bpf_mem_cgroup_vm_events) 170 + BTF_ID_FLAGS(func, bpf_mem_cgroup_memory_events) 171 + BTF_ID_FLAGS(func, bpf_mem_cgroup_usage) 172 + BTF_ID_FLAGS(func, bpf_mem_cgroup_page_state) 173 + BTF_ID_FLAGS(func, bpf_mem_cgroup_flush_stats, KF_SLEEPABLE) 174 174 175 175 BTF_KFUNCS_END(bpf_memcontrol_kfuncs) 176 176
+5 -5
net/core/filter.c
··· 12438 12438 } 12439 12439 12440 12440 BTF_KFUNCS_START(bpf_kfunc_check_set_skb) 12441 - BTF_ID_FLAGS(func, bpf_dynptr_from_skb, KF_TRUSTED_ARGS) 12441 + BTF_ID_FLAGS(func, bpf_dynptr_from_skb) 12442 12442 BTF_KFUNCS_END(bpf_kfunc_check_set_skb) 12443 12443 12444 12444 BTF_KFUNCS_START(bpf_kfunc_check_set_skb_meta) 12445 - BTF_ID_FLAGS(func, bpf_dynptr_from_skb_meta, KF_TRUSTED_ARGS) 12445 + BTF_ID_FLAGS(func, bpf_dynptr_from_skb_meta) 12446 12446 BTF_KFUNCS_END(bpf_kfunc_check_set_skb_meta) 12447 12447 12448 12448 BTF_KFUNCS_START(bpf_kfunc_check_set_xdp) ··· 12455 12455 BTF_KFUNCS_END(bpf_kfunc_check_set_sock_addr) 12456 12456 12457 12457 BTF_KFUNCS_START(bpf_kfunc_check_set_tcp_reqsk) 12458 - BTF_ID_FLAGS(func, bpf_sk_assign_tcp_reqsk, KF_TRUSTED_ARGS) 12458 + BTF_ID_FLAGS(func, bpf_sk_assign_tcp_reqsk) 12459 12459 BTF_KFUNCS_END(bpf_kfunc_check_set_tcp_reqsk) 12460 12460 12461 12461 BTF_KFUNCS_START(bpf_kfunc_check_set_sock_ops) 12462 - BTF_ID_FLAGS(func, bpf_sock_ops_enable_tx_tstamp, KF_TRUSTED_ARGS) 12462 + BTF_ID_FLAGS(func, bpf_sock_ops_enable_tx_tstamp) 12463 12463 BTF_KFUNCS_END(bpf_kfunc_check_set_sock_ops) 12464 12464 12465 12465 static const struct btf_kfunc_id_set bpf_kfunc_set_skb = { ··· 12554 12554 __bpf_kfunc_end_defs(); 12555 12555 12556 12556 BTF_KFUNCS_START(bpf_sk_iter_kfunc_ids) 12557 - BTF_ID_FLAGS(func, bpf_sock_destroy, KF_TRUSTED_ARGS) 12557 + BTF_ID_FLAGS(func, bpf_sock_destroy) 12558 12558 BTF_KFUNCS_END(bpf_sk_iter_kfunc_ids) 12559 12559 12560 12560 static int tracing_iter_filter(const struct bpf_prog *prog, u32 kfunc_id)
+1 -1
net/core/xdp.c
··· 964 964 __bpf_kfunc_end_defs(); 965 965 966 966 BTF_KFUNCS_START(xdp_metadata_kfunc_ids) 967 - #define XDP_METADATA_KFUNC(_, __, name, ___) BTF_ID_FLAGS(func, name, KF_TRUSTED_ARGS) 967 + #define XDP_METADATA_KFUNC(_, __, name, ___) BTF_ID_FLAGS(func, name) 968 968 XDP_METADATA_KFUNC_xxx 969 969 #undef XDP_METADATA_KFUNC 970 970 BTF_KFUNCS_END(xdp_metadata_kfunc_ids)
+8 -14
net/netfilter/nf_conntrack_bpf.c
··· 114 114 struct nf_conn *ct; 115 115 int err; 116 116 117 - if (!opts || !bpf_tuple) 118 - return ERR_PTR(-EINVAL); 119 117 if (!(opts_len == NF_BPF_CT_OPTS_SZ || opts_len == 12)) 120 118 return ERR_PTR(-EINVAL); 121 119 if (opts_len == NF_BPF_CT_OPTS_SZ) { ··· 297 299 nfct = __bpf_nf_ct_alloc_entry(dev_net(ctx->rxq->dev), bpf_tuple, tuple__sz, 298 300 opts, opts__sz, 10); 299 301 if (IS_ERR(nfct)) { 300 - if (opts) 301 - opts->error = PTR_ERR(nfct); 302 + opts->error = PTR_ERR(nfct); 302 303 return NULL; 303 304 } 304 305 ··· 331 334 caller_net = dev_net(ctx->rxq->dev); 332 335 nfct = __bpf_nf_ct_lookup(caller_net, bpf_tuple, tuple__sz, opts, opts__sz); 333 336 if (IS_ERR(nfct)) { 334 - if (opts) 335 - opts->error = PTR_ERR(nfct); 337 + opts->error = PTR_ERR(nfct); 336 338 return NULL; 337 339 } 338 340 return nfct; ··· 363 367 net = skb->dev ? dev_net(skb->dev) : sock_net(skb->sk); 364 368 nfct = __bpf_nf_ct_alloc_entry(net, bpf_tuple, tuple__sz, opts, opts__sz, 10); 365 369 if (IS_ERR(nfct)) { 366 - if (opts) 367 - opts->error = PTR_ERR(nfct); 370 + opts->error = PTR_ERR(nfct); 368 371 return NULL; 369 372 } 370 373 ··· 397 402 caller_net = skb->dev ? 
dev_net(skb->dev) : sock_net(skb->sk); 398 403 nfct = __bpf_nf_ct_lookup(caller_net, bpf_tuple, tuple__sz, opts, opts__sz); 399 404 if (IS_ERR(nfct)) { 400 - if (opts) 401 - opts->error = PTR_ERR(nfct); 405 + opts->error = PTR_ERR(nfct); 402 406 return NULL; 403 407 } 404 408 return nfct; ··· 510 516 BTF_ID_FLAGS(func, bpf_skb_ct_lookup, KF_ACQUIRE | KF_RET_NULL) 511 517 BTF_ID_FLAGS(func, bpf_ct_insert_entry, KF_ACQUIRE | KF_RET_NULL | KF_RELEASE) 512 518 BTF_ID_FLAGS(func, bpf_ct_release, KF_RELEASE) 513 - BTF_ID_FLAGS(func, bpf_ct_set_timeout, KF_TRUSTED_ARGS) 514 - BTF_ID_FLAGS(func, bpf_ct_change_timeout, KF_TRUSTED_ARGS) 515 - BTF_ID_FLAGS(func, bpf_ct_set_status, KF_TRUSTED_ARGS) 516 - BTF_ID_FLAGS(func, bpf_ct_change_status, KF_TRUSTED_ARGS) 519 + BTF_ID_FLAGS(func, bpf_ct_set_timeout) 520 + BTF_ID_FLAGS(func, bpf_ct_change_timeout) 521 + BTF_ID_FLAGS(func, bpf_ct_set_status) 522 + BTF_ID_FLAGS(func, bpf_ct_change_status) 517 523 BTF_KFUNCS_END(nf_ct_kfunc_set) 518 524 519 525 static const struct btf_kfunc_id_set nf_conntrack_kfunc_set = {
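Review bot: dropping `if (!opts || !bpf_tuple) return ERR_PTR(-EINVAL);` from the internal helper at 117-118 and the `if (opts)` guards around `opts->error = PTR_ERR(nfct)` makes these functions depend on the verifier's NULL rejection for every caller; since __bpf_nf_ct_lookup() and __bpf_nf_ct_alloc_entry() are plain C helpers rather than kfuncs, a one-line comment at their definitions noting that all callers are kfuncs whose pointer arguments are verified non-NULL would document why the guards are safe to remove and warn anyone adding a non-kfunc caller later.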
+1 -1
net/netfilter/nf_flow_table_bpf.c
··· 105 105 __bpf_kfunc_end_defs(); 106 106 107 107 BTF_KFUNCS_START(nf_ft_kfunc_set) 108 - BTF_ID_FLAGS(func, bpf_xdp_flow_lookup, KF_TRUSTED_ARGS | KF_RET_NULL) 108 + BTF_ID_FLAGS(func, bpf_xdp_flow_lookup, KF_RET_NULL) 109 109 BTF_KFUNCS_END(nf_ft_kfunc_set) 110 110 111 111 static const struct btf_kfunc_id_set nf_flow_kfunc_set = {
+1 -1
net/netfilter/nf_nat_bpf.c
··· 55 55 __bpf_kfunc_end_defs(); 56 56 57 57 BTF_KFUNCS_START(nf_nat_kfunc_set) 58 - BTF_ID_FLAGS(func, bpf_ct_set_nat_info, KF_TRUSTED_ARGS) 58 + BTF_ID_FLAGS(func, bpf_ct_set_nat_info) 59 59 BTF_KFUNCS_END(nf_nat_kfunc_set) 60 60 61 61 static const struct btf_kfunc_id_set nf_bpf_nat_kfunc_set = {
+6 -6
net/sched/bpf_qdisc.c
··· 271 271 __bpf_kfunc_end_defs(); 272 272 273 273 BTF_KFUNCS_START(qdisc_kfunc_ids) 274 - BTF_ID_FLAGS(func, bpf_skb_get_hash, KF_TRUSTED_ARGS) 274 + BTF_ID_FLAGS(func, bpf_skb_get_hash) 275 275 BTF_ID_FLAGS(func, bpf_kfree_skb, KF_RELEASE) 276 276 BTF_ID_FLAGS(func, bpf_qdisc_skb_drop, KF_RELEASE) 277 - BTF_ID_FLAGS(func, bpf_dynptr_from_skb, KF_TRUSTED_ARGS) 278 - BTF_ID_FLAGS(func, bpf_qdisc_watchdog_schedule, KF_TRUSTED_ARGS) 279 - BTF_ID_FLAGS(func, bpf_qdisc_init_prologue, KF_TRUSTED_ARGS) 280 - BTF_ID_FLAGS(func, bpf_qdisc_reset_destroy_epilogue, KF_TRUSTED_ARGS) 281 - BTF_ID_FLAGS(func, bpf_qdisc_bstats_update, KF_TRUSTED_ARGS) 277 + BTF_ID_FLAGS(func, bpf_dynptr_from_skb) 278 + BTF_ID_FLAGS(func, bpf_qdisc_watchdog_schedule) 279 + BTF_ID_FLAGS(func, bpf_qdisc_init_prologue) 280 + BTF_ID_FLAGS(func, bpf_qdisc_reset_destroy_epilogue) 281 + BTF_ID_FLAGS(func, bpf_qdisc_bstats_update) 282 282 BTF_KFUNCS_END(qdisc_kfunc_ids) 283 283 284 284 BTF_SET_START(qdisc_common_kfunc_set)
+1 -1
net/xfrm/xfrm_state_bpf.c
··· 68 68 struct net *net = dev_net(xdp->rxq->dev); 69 69 struct xfrm_state *x; 70 70 71 - if (!opts || opts__sz < sizeof(opts->error)) 71 + if (opts__sz < sizeof(opts->error)) 72 72 return NULL; 73 73 74 74 if (opts__sz != BPF_XFRM_STATE_OPTS_SZ) {
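Review bot: `opts__sz < sizeof(opts->error)` at 71 is now evaluated without the preceding `!opts` test, so a NULL `opts` would dereference below when `opts->error` is written; this is correct only because the kfunc's `opts` argument is now verifier-enforced non-NULL, which is worth stating in a comment next to the check, as with the netfilter helpers in this series.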
+4 -1
tools/testing/selftests/bpf/prog_tests/bpf_nf.c
··· 19 19 { "change_timeout_after_alloc", "kernel function bpf_ct_change_timeout args#0 expected pointer to STRUCT nf_conn but" }, 20 20 { "change_status_after_alloc", "kernel function bpf_ct_change_status args#0 expected pointer to STRUCT nf_conn but" }, 21 21 { "write_not_allowlisted_field", "no write support to nf_conn at off" }, 22 + { "lookup_null_bpf_tuple", "Possibly NULL pointer passed to trusted arg1" }, 23 + { "lookup_null_bpf_opts", "Possibly NULL pointer passed to trusted arg3" }, 24 + { "xdp_lookup_null_bpf_tuple", "Possibly NULL pointer passed to trusted arg1" }, 25 + { "xdp_lookup_null_bpf_opts", "Possibly NULL pointer passed to trusted arg3" }, 22 26 }; 23 27 24 28 enum { ··· 115 111 if (!ASSERT_OK(err, "bpf_prog_test_run")) 116 112 goto end; 117 113 118 - ASSERT_EQ(skel->bss->test_einval_bpf_tuple, -EINVAL, "Test EINVAL for NULL bpf_tuple"); 119 114 ASSERT_EQ(skel->bss->test_einval_reserved, -EINVAL, "Test EINVAL for reserved not set to 0"); 120 115 ASSERT_EQ(skel->bss->test_einval_reserved_new, -EINVAL, "Test EINVAL for reserved in new struct not set to 0"); 121 116 ASSERT_EQ(skel->bss->test_einval_netns_id, -EINVAL, "Test EINVAL for netns_id < -1");
+3 -3
tools/testing/selftests/bpf/progs/cgroup_hierarchical_stats.c
··· 62 62 &init, BPF_NOEXIST); 63 63 } 64 64 65 - SEC("fentry/cgroup_attach_task") 66 - int BPF_PROG(counter, struct cgroup *dst_cgrp, struct task_struct *leader, 67 - bool threadgroup) 65 + SEC("tp_btf/cgroup_attach_task") 66 + int BPF_PROG(counter, struct cgroup *dst_cgrp, const char *path, 67 + struct task_struct *task, bool threadgroup) 68 68 { 69 69 __u64 cg_id = cgroup_id(dst_cgrp); 70 70 struct percpu_attach_counter *pcpu_counter = bpf_map_lookup_elem(
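Review bot: switching the attach point from `fentry/cgroup_attach_task` to `tp_btf/cgroup_attach_task` changes the program's argument list (a `path` argument is inserted and `leader` becomes `task`), yet neither the hunk nor the changelog explains why; since fentry arguments are not trusted pointers while tp_btf arguments are, and `dst_cgrp` is now passed to a kfunc that requires a trusted pointer by default, a comment above the SEC() line giving that reason would help anyone who later wonders why the selftest uses the tracepoint. Please also confirm nothing further down the body still references `leader`.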
+1 -1
tools/testing/selftests/bpf/progs/cpumask_failure.c
··· 110 110 __failure __msg("NULL pointer passed to trusted arg0") 111 111 int BPF_PROG(test_cpumask_null, struct task_struct *task, u64 clone_flags) 112 112 { 113 - /* NULL passed to KF_TRUSTED_ARGS kfunc. */ 113 + /* NULL passed to kfunc. */ 114 114 bpf_cpumask_empty(NULL); 115 115 116 116 return 0;
+1 -1
tools/testing/selftests/bpf/progs/rbtree_fail.c
··· 153 153 } 154 154 155 155 SEC("?tc") 156 - __failure __msg("dereference of modified ptr_or_null_ ptr R2 off=16 disallowed") 156 + __failure __msg("Possibly NULL pointer passed to trusted arg1") 157 157 long rbtree_api_use_unchecked_remove_retval(void *ctx) 158 158 { 159 159 struct bpf_rb_node *res;
-7
tools/testing/selftests/bpf/progs/test_bpf_nf.c
··· 15 15 16 16 extern unsigned long CONFIG_HZ __kconfig; 17 17 18 - int test_einval_bpf_tuple = 0; 19 18 int test_einval_reserved = 0; 20 19 int test_einval_reserved_new = 0; 21 20 int test_einval_netns_id = 0; ··· 97 98 struct nf_conn *ct; 98 99 99 100 __builtin_memset(&bpf_tuple, 0, sizeof(bpf_tuple.ipv4)); 100 - 101 - ct = lookup_fn(ctx, NULL, 0, &opts_def, sizeof(opts_def)); 102 - if (ct) 103 - bpf_ct_release(ct); 104 - else 105 - test_einval_bpf_tuple = opts_def.error; 106 101 107 102 opts_def.reserved[0] = 1; 108 103 ct = lookup_fn(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), &opts_def,
+57
tools/testing/selftests/bpf/progs/test_bpf_nf_fail.c
··· 4 4 #include <bpf/bpf_tracing.h> 5 5 #include <bpf/bpf_helpers.h> 6 6 #include <bpf/bpf_core_read.h> 7 + #include "bpf_misc.h" 7 8 8 9 struct nf_conn; 9 10 ··· 18 17 struct nf_conn *bpf_skb_ct_alloc(struct __sk_buff *, struct bpf_sock_tuple *, u32, 19 18 struct bpf_ct_opts___local *, u32) __ksym; 20 19 struct nf_conn *bpf_skb_ct_lookup(struct __sk_buff *, struct bpf_sock_tuple *, u32, 20 + struct bpf_ct_opts___local *, u32) __ksym; 21 + struct nf_conn *bpf_xdp_ct_alloc(struct xdp_md *, struct bpf_sock_tuple *, u32, 22 + struct bpf_ct_opts___local *, u32) __ksym; 23 + struct nf_conn *bpf_xdp_ct_lookup(struct xdp_md *, struct bpf_sock_tuple *, u32, 21 24 struct bpf_ct_opts___local *, u32) __ksym; 22 25 struct nf_conn *bpf_ct_insert_entry(struct nf_conn *) __ksym; 23 26 void bpf_ct_release(struct nf_conn *) __ksym; ··· 148 143 if (!ct) 149 144 return 0; 150 145 bpf_ct_change_status(ct, 0); 146 + return 0; 147 + } 148 + 149 + SEC("?tc") 150 + __failure __msg("Possibly NULL pointer passed to trusted arg1") 151 + int lookup_null_bpf_tuple(struct __sk_buff *ctx) 152 + { 153 + struct bpf_ct_opts___local opts = {}; 154 + struct nf_conn *ct; 155 + 156 + ct = bpf_skb_ct_lookup(ctx, NULL, 0, &opts, sizeof(opts)); 157 + if (ct) 158 + bpf_ct_release(ct); 159 + return 0; 160 + } 161 + 162 + SEC("?tc") 163 + __failure __msg("Possibly NULL pointer passed to trusted arg3") 164 + int lookup_null_bpf_opts(struct __sk_buff *ctx) 165 + { 166 + struct bpf_sock_tuple tup = {}; 167 + struct nf_conn *ct; 168 + 169 + ct = bpf_skb_ct_lookup(ctx, &tup, sizeof(tup.ipv4), NULL, sizeof(struct bpf_ct_opts___local)); 170 + if (ct) 171 + bpf_ct_release(ct); 172 + return 0; 173 + } 174 + 175 + SEC("?xdp") 176 + __failure __msg("Possibly NULL pointer passed to trusted arg1") 177 + int xdp_lookup_null_bpf_tuple(struct xdp_md *ctx) 178 + { 179 + struct bpf_ct_opts___local opts = {}; 180 + struct nf_conn *ct; 181 + 182 + ct = bpf_xdp_ct_lookup(ctx, NULL, 0, &opts, sizeof(opts)); 183 + if (ct) 184 + 
bpf_ct_release(ct); 185 + return 0; 186 + } 187 + 188 + SEC("?xdp") 189 + __failure __msg("Possibly NULL pointer passed to trusted arg3") 190 + int xdp_lookup_null_bpf_opts(struct xdp_md *ctx) 191 + { 192 + struct bpf_sock_tuple tup = {}; 193 + struct nf_conn *ct; 194 + 195 + ct = bpf_xdp_ct_lookup(ctx, &tup, sizeof(tup.ipv4), NULL, sizeof(struct bpf_ct_opts___local)); 196 + if (ct) 197 + bpf_ct_release(ct); 151 198 return 0; 152 199 } 153 200
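Review bot: the four new failure programs cover NULL `bpf_tuple` and NULL `opts` only for the lookup kfuncs, while the companion change in nf_conntrack_bpf.c also removed the `if (opts)` guards in the bpf_skb_ct_alloc()/bpf_xdp_ct_alloc() paths; adding matching `alloc_null_bpf_opts` style programs (and entries in the bpf_nf.c table) would exercise the verifier rejection that now protects those paths. Style nit: lines 169 and 195 exceed 80 columns; breaking after `sizeof(tup.ipv4),` matches the wrapping used for the prototypes above.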
+2 -3
tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
··· 48 48 __failure __msg("arg#0 expected pointer to stack or const struct bpf_dynptr") 49 49 int BPF_PROG(not_ptr_to_stack, int cmd, union bpf_attr *attr, unsigned int size, bool kernel) 50 50 { 51 - unsigned long val = 0; 51 + static struct bpf_dynptr val; 52 52 53 - return bpf_verify_pkcs7_signature((struct bpf_dynptr *)val, 54 - (struct bpf_dynptr *)val, NULL); 53 + return bpf_verify_pkcs7_signature(&val, &val, NULL); 55 54 } 56 55 57 56 SEC("lsm.s/bpf")
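Review bot: `static struct bpf_dynptr val;` at 51 works as the non-stack, non-CONST_PTR_TO_DYNPTR pointer the test needs because a static global lives in a map and its address is a map-value pointer, but that intent is not obvious from the code; a brief comment stating that the static is chosen precisely so `&val` is neither PTR_TO_STACK nor CONST_PTR_TO_DYNPTR would keep a future cleanup from moving it back onto the stack and silently changing which verifier error the test exercises.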
+1 -1
tools/testing/selftests/bpf/progs/test_kfunc_param_nullable.c
··· 29 29 } 30 30 31 31 SEC("tc") 32 - __failure __msg("expected pointer to stack or const struct bpf_dynptr") 32 + __failure __msg("Possibly NULL pointer passed to trusted arg0") 33 33 int kfunc_dynptr_nullable_test3(struct __sk_buff *skb) 34 34 { 35 35 struct bpf_dynptr data;
+10 -10
tools/testing/selftests/bpf/test_kmods/bpf_testmod.c
··· 693 693 BTF_ID_FLAGS(func, bpf_kfunc_nested_acquire_nonzero_offset_test, KF_ACQUIRE) 694 694 BTF_ID_FLAGS(func, bpf_kfunc_nested_acquire_zero_offset_test, KF_ACQUIRE) 695 695 BTF_ID_FLAGS(func, bpf_kfunc_nested_release_test, KF_RELEASE) 696 - BTF_ID_FLAGS(func, bpf_kfunc_trusted_vma_test, KF_TRUSTED_ARGS) 697 - BTF_ID_FLAGS(func, bpf_kfunc_trusted_task_test, KF_TRUSTED_ARGS) 698 - BTF_ID_FLAGS(func, bpf_kfunc_trusted_num_test, KF_TRUSTED_ARGS) 696 + BTF_ID_FLAGS(func, bpf_kfunc_trusted_vma_test) 697 + BTF_ID_FLAGS(func, bpf_kfunc_trusted_task_test) 698 + BTF_ID_FLAGS(func, bpf_kfunc_trusted_num_test) 699 699 BTF_ID_FLAGS(func, bpf_kfunc_rcu_task_test, KF_RCU) 700 700 BTF_ID_FLAGS(func, bpf_kfunc_ret_rcu_test, KF_RET_NULL | KF_RCU_PROTECTED) 701 701 BTF_ID_FLAGS(func, bpf_kfunc_ret_rcu_test_nostruct, KF_RET_NULL | KF_RCU_PROTECTED) ··· 1158 1158 BTF_ID_FLAGS(func, bpf_kfunc_call_test_fail1) 1159 1159 BTF_ID_FLAGS(func, bpf_kfunc_call_test_fail2) 1160 1160 BTF_ID_FLAGS(func, bpf_kfunc_call_test_fail3) 1161 - BTF_ID_FLAGS(func, bpf_kfunc_call_test_ref, KF_TRUSTED_ARGS | KF_RCU) 1161 + BTF_ID_FLAGS(func, bpf_kfunc_call_test_ref, KF_RCU) 1162 1162 BTF_ID_FLAGS(func, bpf_kfunc_call_test_destructive, KF_DESTRUCTIVE) 1163 1163 BTF_ID_FLAGS(func, bpf_kfunc_call_test_static_unused_arg) 1164 1164 BTF_ID_FLAGS(func, bpf_kfunc_call_test_offset) ··· 1172 1172 BTF_ID_FLAGS(func, bpf_kfunc_call_sock_sendmsg, KF_SLEEPABLE) 1173 1173 BTF_ID_FLAGS(func, bpf_kfunc_call_kernel_getsockname, KF_SLEEPABLE) 1174 1174 BTF_ID_FLAGS(func, bpf_kfunc_call_kernel_getpeername, KF_SLEEPABLE) 1175 - BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_prologue, KF_TRUSTED_ARGS | KF_SLEEPABLE) 1176 - BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_epilogue, KF_TRUSTED_ARGS | KF_SLEEPABLE) 1177 - BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_pro_epilogue, KF_TRUSTED_ARGS | KF_SLEEPABLE) 1178 - BTF_ID_FLAGS(func, bpf_kfunc_st_ops_inc10, KF_TRUSTED_ARGS) 1179 - BTF_ID_FLAGS(func, bpf_kfunc_multi_st_ops_test_1, 
KF_TRUSTED_ARGS) 1180 - BTF_ID_FLAGS(func, bpf_kfunc_multi_st_ops_test_1_impl, KF_TRUSTED_ARGS) 1175 + BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_prologue, KF_SLEEPABLE) 1176 + BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_epilogue, KF_SLEEPABLE) 1177 + BTF_ID_FLAGS(func, bpf_kfunc_st_ops_test_pro_epilogue, KF_SLEEPABLE) 1178 + BTF_ID_FLAGS(func, bpf_kfunc_st_ops_inc10) 1179 + BTF_ID_FLAGS(func, bpf_kfunc_multi_st_ops_test_1) 1180 + BTF_ID_FLAGS(func, bpf_kfunc_multi_st_ops_test_1_impl) 1181 1181 BTF_KFUNCS_END(bpf_testmod_check_kfunc_ids) 1182 1182 1183 1183 static int bpf_testmod_ops_init(struct btf *btf)