On Mon Jun 15, 2026 at 7:14 AM PDT, Yiyang Chen wrote:
> skb-backed dynptr writer kfuncs can mutate packet data, but the verifier
> leaves checked direct packet pointers usable after kfunc calls.
> The bpf_dynptr_write() helper already invalidates packet pointers
> through clear_all_pkt_pointers(). Make skb dynptr writer kfuncs
> follow the same rule.
>
> Keep two verifier predicates for this. CFG analysis runs before register
> states are available, so conservatively mark dynptr writer kfuncs as
> packet-changing for subprogram summaries. The normal verifier path uses
> the checked dynptr argument and invalidates only when the written dynptr
> is, or may be, skb-backed.
>
> Global subprogram dynptr arguments are prepared as unspecialized local
> dynptr pointers, so treat CONST_PTR_TO_DYNPTR local dynptr writer
> destinations as possibly packet-backed. This keeps packet pointer
> invalidation sound both after global subprogram calls and inside global
> subprogram bodies.
>
> Fixes: daec295a7094 ("bpf/helpers: Introduce bpf_dynptr_copy kfunc")
> Fixes: a498ee7576de ("bpf: Implement dynptr copy kfuncs")
> Fixes: 5fc5d8fded57 ("bpf: Add bpf_dynptr_memset() kfunc")
> Signed-off-by: Yiyang Chen <[email protected]>

nack. pw-bot: cr

