On Sun, 2026-01-18 at 16:16 +0800, Zesen Liu wrote:
> After commit 37cce22dbd51 ("bpf: verifier: Refactor helper access type
> tracking"),
> the verifier started relying on the access type flags in helper
> function prototypes to perform memory access optimizations.
>
> Currently, several helper functions utilizing ARG_PTR_TO_MEM lack the
> corresponding MEM_RDONLY or MEM_WRITE flags. This omission causes the
> verifier to incorrectly assume that the buffer contents are unchanged
> across the helper call. Consequently, the verifier may optimize away
> subsequent reads based on this wrong assumption, leading to correctness
> issues.
>
> For bpf_get_stack_proto_raw_tp, the original MEM_RDONLY was incorrect
> since the helper writes to the buffer. Change it to ARG_PTR_TO_UNINIT_MEM
> which correctly indicates write access to potentially uninitialized memory.
>
> Similar issues were recently addressed for specific helpers in commit
> ac44dcc788b9 ("bpf: Fix verifier assumptions of bpf_d_path's output buffer")
> and commit 2eb7648558a7 ("bpf: Specify access type of bpf_sysctl_get_name
> args").
>
> Fix these prototypes by adding the correct memory access flags.
>
> Fixes: 37cce22dbd51 ("bpf: verifier: Refactor helper access type tracking")
> Co-developed-by: Shuran Liu <[email protected]>
> Signed-off-by: Shuran Liu <[email protected]>
> Co-developed-by: Peili Gao <[email protected]>
> Signed-off-by: Peili Gao <[email protected]>
> Co-developed-by: Haoran Ni <[email protected]>
> Signed-off-by: Haoran Ni <[email protected]>
> Signed-off-by: Zesen Liu <[email protected]>
> ---
I looked trough the helpers annotated with MEM_WRITE in this patch,
indeed the write annotation is missing from these helpers.
In conjunction with the following logic in verifier.c:check_func_arg:
case ARG_PTR_TO_MEM:
/* The access to this pointer is only checked when we hit the
* next is_mem_size argument below.
*/
meta->raw_mode = arg_type & MEM_UNINIT;
if (arg_type & MEM_FIXED_SIZE) {
err = check_helper_mem_access(env, regno,
fn->arg_size[arg],
arg_type & MEM_WRITE ?
BPF_WRITE : BPF_READ,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
// arguments considered
read-only by default
false, meta);
if (err)
return err;
if (arg_type & MEM_ALIGNED)
err = check_ptr_alignment(env, reg, 0,
fn->arg_size[arg], true);
}
break;
This patch fixes a real problem.
[...]
> index fe28d86f7c35..59c2394981c7 100644
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c
[...]
> @@ -1526,7 +1526,7 @@ static const struct bpf_func_proto
> bpf_read_branch_records_proto = {
> .gpl_only = true,
> .ret_type = RET_INTEGER,
> .arg1_type = ARG_PTR_TO_CTX,
> - .arg2_type = ARG_PTR_TO_MEM_OR_NULL,
> + .arg2_type = ARG_PTR_TO_MEM_OR_NULL | MEM_WRITE,
> .arg3_type = ARG_CONST_SIZE_OR_ZERO,
> .arg4_type = ARG_ANYTHING,
> };
> @@ -1661,7 +1661,7 @@ static const struct bpf_func_proto
> bpf_get_stack_proto_raw_tp = {
> .gpl_only = true,
> .ret_type = RET_INTEGER,
> .arg1_type = ARG_PTR_TO_CTX,
> - .arg2_type = ARG_PTR_TO_MEM | MEM_RDONLY,
> + .arg2_type = ARG_PTR_TO_UNINIT_MEM,
Q: why ARG_PTR_TO_UNINIT_MEM here, but not for a previous function and
not for snprintf variants?
> .arg3_type = ARG_CONST_SIZE_OR_ZERO,
> .arg4_type = ARG_ANYTHING,
> };
[...]
