skb-backed dynptr writer kfuncs can mutate skb packet data.
The verifier does not currently treat those kfuncs as packet-changing.
A direct packet pointer checked before the call can stay usable after the
write.

bpf_dynptr_write() already clears packet pointers through the helper path.
Teach kfunc argument checking to do the same for skb and skb-meta dynptr
destinations.
Keep source-only dynptr arguments unchanged.

Validation:

  Without this series:
    linux-stable-v7.0.12 accepts the three stale packet pointer cases;
    linux-mainline-v7.1-rc7 accepts the three stale packet pointer cases;
    the source-only bpf_dynptr_copy() control loads on both kernels.

  With this series applied:
    patched bpf-next rejects the three stale packet pointer cases with
    "invalid mem access 'scalar'";
    the source-only bpf_dynptr_copy() control still loads.

  Build and style checks:
    git diff --check: OK
    checkpatch.pl --strict --no-tree: OK
    make O=$BUILD kernel/bpf/verifier.o: OK
    make O=$BUILD -j$(nproc) bzImage: OK
    dynptr_fail.bpf.o build against patched vmlinux BTF: OK

Signed-off-by: Yiyang Chen <[email protected]>
---

Yiyang Chen (2):
  bpf: Fix packet pointer invalidation for skb dynptr writes
  selftests/bpf: Add skb dynptr writer packet invalidation tests

 include/linux/bpf_verifier.h                  |  1 +
 kernel/bpf/verifier.c                         | 62 ++++++++++++-
 .../testing/selftests/bpf/progs/dynptr_fail.c | 89 +++++++++++++++++++
 3 files changed, 151 insertions(+), 1 deletion(-)


base-commit: e4287bf34f97a88c7d9322f5bde828724c073a6b
change-id: 20260615-bpf-skb-dynptr-pkt-inval

Best regards,
Yiyang Chen
-- 
2.34.1
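
A simplified model of the rule this cover letter describes, added here as an illustration; it is not code from the series or from the kernel. The enum, struct and function names are assumptions made for this sketch, and the `fixed` flag switches between kfunc argument checking without and with the series.

```c
/* Toy model of verifier packet-pointer tracking. Constructed example, not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

enum reg_type { SCALAR, PTR_TO_PACKET };                 /* model-only names */
enum dynptr_kind { DYNPTR_LOCAL, DYNPTR_SKB, DYNPTR_SKB_META };
struct kfunc_call { enum dynptr_kind dst, src; };        /* written / read-only dynptr */
struct vstate { enum reg_type regs[10]; };

/* A write through an skb or skb-meta dynptr may change packet data. */
static bool kfunc_changes_pkt_data(const struct kfunc_call *c)
{
    return c->dst == DYNPTR_SKB || c->dst == DYNPTR_SKB_META;
}

/* Demote every packet pointer to a scalar so later loads through it fail. */
static void clear_pkt_pointers(struct vstate *st)
{
    for (int i = 0; i < 10; i++)
        if (st->regs[i] == PTR_TO_PACKET)
            st->regs[i] = SCALAR;
}

/* fixed == false models kfunc argument checking without the series. */
static void check_kfunc_call(struct vstate *st, const struct kfunc_call *c, bool fixed)
{
    if (fixed && kfunc_changes_pkt_data(c))
        clear_pkt_pointers(st);
}

/* r6 holds a bounds-checked packet pointer, the kfunc runs, then r6 is read. */
static int verify_scenario(enum dynptr_kind dst, enum dynptr_kind src, bool fixed)
{
    struct vstate st = { .regs = { [6] = PTR_TO_PACKET } };
    struct kfunc_call c = { .dst = dst, .src = src };

    check_kfunc_call(&st, &c, fixed);
    /* -EACCES stands in for "invalid mem access 'scalar'" */
    return st.regs[6] == PTR_TO_PACKET ? 0 : -EACCES;
}

int main(void)
{
    printf("skb dst, unfixed: %d\n", verify_scenario(DYNPTR_SKB, DYNPTR_LOCAL, false));
    printf("skb dst, fixed:   %d\n", verify_scenario(DYNPTR_SKB, DYNPTR_LOCAL, true));
    printf("skb src, fixed:   %d\n", verify_scenario(DYNPTR_LOCAL, DYNPTR_SKB, true));
    return 0;
}
```

In this model the stale pointer in r6 is accepted only when `fixed` is false, while the source-only call leaves r6 usable either way.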

