skb-backed dynptr writers may mutate packet data and therefore must
invalidate checked direct packet pointers. The normal verifier path had
coverage for bpf_dynptr_write() with concrete skb dynptrs, but missed
unspecialized global subprogram dynptr arguments. skb dynptr writer
kfuncs also did not participate in packet pointer invalidation.

Fix both paths by adding conservative static CFG predicates for
bpf_dynptr_write() and skb dynptr writer kfuncs, while keeping the normal
verifier invalidation tied to the checked dynptr argument. Extend
dynptr_fail coverage for helper and kfunc writes, including global
subprogram caller-side and callee-side cases.

Validation, rebased and tested on bpf.git master 8cd9520d35a6
("Linux 7.1"):

  git diff --check HEAD~2..HEAD: OK
  scripts/checkpatch.pl --strict --no-tree: OK
  make O=/tmp/patch008-v4-bpf-build olddefconfig: OK
  make O=/tmp/patch008-v4-bpf-build -j$(nproc) \
    kernel/bpf/verifier.o kernel/bpf/cfg.o: OK
  clang --target=bpfel ... dynptr_fail.c: OK
  make O=/tmp/patch008-v4-bpf-build -j$(nproc) bzImage: OK
  QEMU replay on 7.1.0-g5a2ca20101d9: PATCH008_SUMMARY failures=0 total=8

Changes in v4:
- Rebase from bpf-next to current bpf.git master 8cd9520d35a6 to resolve
  CI conflict.
- Address the helper-side global subprogram case for bpf_dynptr_write().
- Keep bpf_helper_changes_pkt_data() precise and add a separate static
  bpf_helper_may_change_pkt_data() predicate for CFG summaries.
- Keep kfunc CFG summaries conservative while preserving checked-argument
  precision in the normal verifier path.
- Extend selftests and QEMU replay coverage with bpf_dynptr_write()
  global-subprogram cases.
- Link to v3:
  https://patch.msgid.link/[email protected]

Yiyang Chen (2):
  bpf: Fix packet pointer invalidation for skb dynptr writes
  selftests/bpf: Add skb dynptr writer packet invalidation tests

 include/linux/bpf_verifier.h                  |   3 +
 include/linux/filter.h                        |   5 +
 kernel/bpf/cfg.c                              |   4 +-
 kernel/bpf/verifier.c                         |  88 ++++++++-
 .../testing/selftests/bpf/progs/dynptr_fail.c | 183 ++++++++++++++++++
 5 files changed, 278 insertions(+), 5 deletions(-)

base-commit: 8cd9520d35a6c38db6567e97dd93b1f11f185dc6
--
2.34.1
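
The caller-side global subprogram case described in the cover letter, as an added user-space toy model; it is not code from this series or from the kernel, and every type and function name in it is hypothetical. It assumes a caller sees only a static summary of the callee, and shows why that summary has to be conservative while a direct write can stay tied to the checked dynptr kind.

```c
/* Toy user-space model of the caller-side case; not kernel code.
 * Every name below is hypothetical. */
#include <stdbool.h>
#include <stddef.h>

enum call { CALL_DYNPTR_READ, CALL_DYNPTR_WRITE }; /* calls in a subprogram body */
enum dynptr_kind { DYNPTR_LOCAL, DYNPTR_SKB };
enum op { OP_CHECK_PKT, OP_WRITE, OP_CALL_GLOBAL, OP_LOAD_PKT };
struct insn { enum op op; enum dynptr_kind kind; };

/* Static summary of a global subprogram: argument types are not known here,
 * so with the conservative predicate any dynptr write call counts. */
static bool summary_may_change_pkt(const enum call *calls, size_t n, bool conservative)
{
	for (size_t i = 0; i < n; i++)
		if (conservative && calls[i] == CALL_DYNPTR_WRITE)
			return true;
	return false;
}

/* Accept only if every packet load uses a still-checked packet pointer. */
static bool verify(const struct insn *p, size_t n,
		   const enum call *sub, size_t sub_n, bool conservative)
{
	bool checked = false;

	for (size_t i = 0; i < n; i++) {
		switch (p[i].op) {
		case OP_CHECK_PKT: checked = true; break;
		case OP_WRITE:       /* direct write: precise, tied to the dynptr kind */
			if (p[i].kind == DYNPTR_SKB) checked = false;
			break;
		case OP_CALL_GLOBAL: /* caller only sees the callee's static summary */
			if (summary_may_change_pkt(sub, sub_n, conservative)) checked = false;
			break;
		case OP_LOAD_PKT:
			if (!checked) return false;
			break;
		}
	}
	return true;
}

/* Constructed sample programs. */
static const enum call writer_sub[] = { CALL_DYNPTR_WRITE };
static const enum call reader_sub[] = { CALL_DYNPTR_READ };
static const struct insn via_global[] = { {OP_CHECK_PKT, DYNPTR_LOCAL}, {OP_CALL_GLOBAL, DYNPTR_LOCAL}, {OP_LOAD_PKT, DYNPTR_LOCAL} };
static const struct insn local_write[] = { {OP_CHECK_PKT, DYNPTR_LOCAL}, {OP_WRITE, DYNPTR_LOCAL}, {OP_LOAD_PKT, DYNPTR_LOCAL} };
static const struct insn skb_write[] = { {OP_CHECK_PKT, DYNPTR_LOCAL}, {OP_WRITE, DYNPTR_SKB}, {OP_LOAD_PKT, DYNPTR_LOCAL} };

int main(void) { return verify(via_global, 3, writer_sub, 1, true) ? 1 : 0; }
```

With the non-conservative summary, via_global is accepted even though the callee writes through a dynptr; with the conservative summary it is rejected, while local_write is still accepted because the direct-write path stays precise.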