skb-backed dynptr writers may mutate packet data and therefore must
invalidate checked direct packet pointers. The normal verifier path had
coverage for bpf_dynptr_write() with concrete skb dynptrs, but missed
unspecialized global subprogram dynptr arguments. skb dynptr writer
kfuncs also did not participate in packet pointer invalidation.
Fix both paths by adding conservative static CFG predicates for
bpf_dynptr_write() and skb dynptr writer kfuncs, while keeping the normal
verifier invalidation tied to the checked dynptr argument. Track when a
LOCAL dynptr may actually be packet-backed, and propagate that state
through dynptr clones and returned dynptr slices.
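As an added illustration, not code from this series or from verifier.c, here is a small userspace C model of the state rules spelled out in the description above and in the v5 change list: which dynptrs count as possibly packet-backed, how that state propagates through clones and slices, and what a writer must invalidate. Every type and function name is hypothetical.

```c
#include <stdbool.h>
/* Hypothetical model of the dynptr tracking the cover letter describes; not verifier.c code. */
enum dynptr_type { DYNPTR_LOCAL, DYNPTR_SKB };
struct dynptr_state { enum dynptr_type type; bool maybe_pkt; /* LOCAL but maybe packet-backed */ };
struct slice_ref { bool maybe_pkt; bool valid; };   /* pointer returned by a dynptr slice helper */
/* pkt_ptr_valid: a bounds-checked direct packet pointer (e.g. skb->data) is still usable */
struct vstate { bool pkt_ptr_valid; struct slice_ref slices[4]; int nslices; };
static bool dynptr_pkt_backed(const struct dynptr_state *d) { return d->type == DYNPTR_SKB || d->maybe_pkt; }
/* Unspecialized global subprog dynptr argument: caller type unknown, so conservatively maybe packet-backed. */
struct dynptr_state global_arg_dynptr(void) { return (struct dynptr_state){ DYNPTR_LOCAL, true }; }
struct dynptr_state skb_dynptr(void) { return (struct dynptr_state){ DYNPTR_SKB, false }; }
struct dynptr_state mem_dynptr(void) { return (struct dynptr_state){ DYNPTR_LOCAL, false }; }
/* bpf_dynptr_clone(): the clone inherits the maybe-packet-backed state. */
struct dynptr_state dynptr_clone(const struct dynptr_state *src) { return *src; }

/* A returned dynptr slice remembers whether it may point into packet data. */
int dynptr_slice(struct vstate *v, const struct dynptr_state *d)
{
	v->slices[v->nslices] = (struct slice_ref){ dynptr_pkt_backed(d), true };
	return v->nslices++;
}

/* bpf_dynptr_write() or an skb dynptr writer kfunc: a write through a possibly packet-backed
 * dynptr invalidates the checked packet pointer and every maybe-packet slice; memory writes do not. */
void dynptr_write(struct vstate *v, const struct dynptr_state *d)
{
	if (!dynptr_pkt_backed(d))
		return;
	v->pkt_ptr_valid = false;
	for (int i = 0; i < v->nslices; i++)
		if (v->slices[i].maybe_pkt)
			v->slices[i].valid = false;
}

bool write_invalidates_pkt_ptr(struct dynptr_state d)
{
	struct vstate v = { .pkt_ptr_valid = true };
	dynptr_write(&v, &d);
	return !v.pkt_ptr_valid;
}

/* Bypass chain closed in v5: a global subprog clones its dynptr argument, takes a LOCAL-typed slice
 * of the clone, then writes. True if the stale packet pointer and that slice were invalidated. */
bool scenario_global_clone_write(void)
{
	struct vstate v = { .pkt_ptr_valid = true };
	struct dynptr_state arg = global_arg_dynptr(), clone = dynptr_clone(&arg), mem = mem_dynptr();
	int pkt_slice = dynptr_slice(&v, &clone), mem_slice = dynptr_slice(&v, &mem);
	dynptr_write(&v, &clone);
	return !v.pkt_ptr_valid && !v.slices[pkt_slice].valid && v.slices[mem_slice].valid;
}
```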
Validation, rebased and tested on bpf.git master 0e0611827f33
("Merge tag 'pull-fixes' of
gitolite.kernel.org:pub/scm/linux/kernel/git/viro/vfs"):
git diff --check HEAD~2..HEAD: OK
scripts/checkpatch.pl --strict --no-tree: OK
make O=/tmp/patch008-v4-bpf-build -j16 \
kernel/bpf/verifier.o kernel/bpf/cfg.o kernel/bpf/states.o: OK
clang --target=bpfel ... dynptr_fail.c: OK
make O=/tmp/patch008-v4-bpf-build -j16 bzImage: OK
QEMU replay on 7.1.0-g7feeed42d8b9:
PATCH008_SUMMARY failures=0 total=10
Changes in v5:
- Carry maybe-packet-backed dynptr state for unspecialized global
subprogram dynptr arguments.
- Propagate that state through bpf_dynptr_clone() and dynptr slice returns.
- Invalidate LOCAL-typed dynptr slices when they may refer to packet data.
- Include the new dynptr state bit in stack state pruning comparisons.
- Add selftests for the global-dynptr clone and LOCAL-slice bypasses.
- Rebase onto bpf.git master 0e0611827f33.
- Link to v4:
https://patch.msgid.link/[email protected]
Yiyang Chen (2):
bpf: Fix packet pointer invalidation for skb dynptr writes
selftests/bpf: Add skb dynptr writer packet invalidation tests
 include/linux/bpf_verifier.h                  |   6 +
 include/linux/filter.h                        |   5 +
 kernel/bpf/cfg.c                              |   4 +-
 kernel/bpf/states.c                           |   2 +
 kernel/bpf/verifier.c                         | 145 +++++++++--
 .../testing/selftests/bpf/progs/dynptr_fail.c | 238 ++++++++++++++++++
 6 files changed, 382 insertions(+), 18 deletions(-)
base-commit: 0e0611827f3349d0a2ac121c023a6d3260dcecdb
--
2.34.1