scalar += rdonly_untrusted_mem reaches adjust_ptr_min_max_vals() with the
pointer as the source register. The untrusted PTR_TO_MEM case returns there
without updating the scalar destination, leaving stale verifier state.

Update the destination before taking the untrusted PTR_TO_MEM early return.
ADD and pointer -= scalar keep the existing "do not track offsets" rule for
untrusted memory, while scalar -= pointer and unsupported pointer ALU
operations remain rejected instead of being accepted through the early return.

Patch 1 fixes the untrusted PTR_TO_MEM ALU early return. Patch 2 adds
verifier regression tests for scalar +=, scalar -=, and scalar ^= with
bpf_rdonly_cast(..., 0).

v1->v2:
  - Preserve the untrusted pointer state for scalar += pointer instead of
    rejecting the addition.
  - Reject scalar -= pointer and unsupported pointer ALU operations in the
    untrusted PTR_TO_MEM early return.
  - Update selftests for the new allowed-addition semantics and non-ADD ALU
    coverage.
v1: https://lore.kernel.org/bpf/20260609-f01-03-scalar-add-bpf-next-v1-0-e6212e274...@mails.tsinghua.edu.cn/

Validation:

  unpatched bpf-next 8496d9020ff3 with the new verifier cases:
    scalar_add_tracks_pointer: FAIL
      BPF_PROG_LOAD succeeded unexpectedly
    scalar_sub_ptr_not_ok: FAIL
      BPF_PROG_LOAD succeeded unexpectedly
    scalar_xor_ptr_not_ok: FAIL
      BPF_PROG_LOAD succeeded unexpectedly
    SUMMARY: FAIL

  patched bpf-next base 8496d9020ff3 + this series:
    scalar_add_tracks_pointer: PASS
      R1 bitwise operator &= on pointer prohibited
    scalar_sub_ptr_not_ok: PASS
      R1 tried to subtract pointer from scalar
    scalar_xor_ptr_not_ok: PASS
      R1 bitwise operator ^= on pointer prohibited
    SUMMARY: PASS

Signed-off-by: Nuoqi Gui <[email protected]>
---
Nuoqi Gui (2):
      bpf: Preserve untrusted memory pointer type on scalar add
      selftests/bpf: Cover scalar add from rdonly untrusted memory

 kernel/bpf/verifier.c                              | 28 +++++++++++-
 .../selftests/bpf/progs/mem_rdonly_untrusted.c     | 52 ++++++++++++++++++++++
 2 files changed, 78 insertions(+), 2 deletions(-)
---
base-commit: 8496d9020ff37a33c2a7b2fc84350fd03ffbde78
change-id: 20260610-f01-03-scalar-add-bpf-next-v2-0aaaa88499e9

Best regards,
--  
Nuoqi Gui <[email protected]>

