| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAEf4Bza-ar8vFWdWf1Krtyg8zLNYBUxLSJ5mHYLniqNBJhBXqw@mail.gmail.com>
Date: Fri, 9 Jan 2026 15:25:09 -0800
From: Andrii Nakryiko <andrii.nakryiko@...il.com>
To: Ihor Solodrai <ihor.solodrai@...ux.dev>
Cc: Alexei Starovoitov <ast@...nel.org>, Andrii Nakryiko <andrii@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>, Martin KaFai Lau <martin.lau@...ux.dev>,
Eduard Zingerman <eddyz87@...il.com>, Mykyta Yatsenko <yatsenko@...a.com>, Tejun Heo <tj@...nel.org>,
Alan Maguire <alan.maguire@...cle.com>, Benjamin Tissoires <bentiss@...nel.org>,
Jiri Kosina <jikos@...nel.org>, bpf@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-input@...r.kernel.org, sched-ext@...ts.linux.dev
Subject: Re: [PATCH bpf-next v1 03/10] bpf: Verifier support for KF_IMPLICIT_ARGS
On Fri, Jan 9, 2026 at 10:49 AM Ihor Solodrai <ihor.solodrai@...ux.dev> wrote:
>
> A kernel function bpf_foo marked with KF_IMPLICIT_ARGS flag is
> expected to have two associated types in BTF:
> * `bpf_foo` with a function prototype that omits implicit arguments
> * `bpf_foo_impl` with a function prototype that matches the kernel
> declaration of `bpf_foo`, but doesn't have a ksym associated with
> its name
>
> In order to support kfuncs with implicit arguments, the verifier has
> to know how to resolve a call of `bpf_foo` to the correct BTF function
> prototype and address.
>
> To implement this, in add_kfunc_call() kfunc flags are checked for
> KF_IMPLICIT_ARGS. For such kfuncs a BTF func prototype is adjusted to
> the one found for `bpf_foo_impl` (func_name + "_impl" suffix, by
> convention) function in BTF.
>
> This effectively changes the signature of the `bpf_foo` kfunc in the
> context of verification: from one without implicit args to the one
> with full argument list.
>
> Whether a kfunc argument is implicit or not is determined by
> is_kfunc_arg_implicit(). The values of implicit arguments by design
> are provided by the verifier, and so they can only be of particular
> types. In this patch the only allowed implicit arg type is a pointer
> to struct bpf_prog_aux. The __prog args (usually void *) are also
> considered implicit for backwards compatibility.
>
> In order to enable the verifier to correctly set an implicit
> bpf_prog_aux arg value at runtime, is_kfunc_arg_prog() is extended to
> check for the arg type. At a point when prog arg is determined in
> check_kfunc_args() the kfunc with implicit args already has a
> prototype with full argument list, so the existing value patch
> mechanism just works.
>
> If a new kfunc with KF_IMPLICIT_ARG is declared for an existing kfunc
> that uses a __prog argument (a legacy case), the prototype
> substitution works in exactly the same way, assuming the kfunc follows
> the _impl naming convention. The difference is only in how _impl
> prototype is added to the BTF, which is not the verifier's
> concern. See a subsequent resolve_btfids patch for details.
>
> In check_kfunc_call() reset the subreg_def of registers holding
> implicit arguments to correctly track zero extensions.
>
> Signed-off-by: Ihor Solodrai <ihor.solodrai@...ux.dev>
> ---
> include/linux/btf.h | 1 +
> kernel/bpf/verifier.c | 70 +++++++++++++++++++++++++++++++++++++++++--
> 2 files changed, 69 insertions(+), 2 deletions(-)
>
[...]
> + impl_id = btf_find_by_name_kind(btf, impl_name, BTF_KIND_FUNC);
> + if (impl_id <= 0) {
> + verbose(env, "cannot find function %s in BTF\n", impl_name);
> + return NULL;
> + }
> +
> + func = btf_type_by_id(btf, impl_id);
> + if (!func || !btf_type_is_func(func)) {
btf_find_by_name_kind() above guarantees that we both will have
non-NULL func and it will be BTF_KIND_FUNC, drop these defensive
checks.
> + verbose(env, "%s (btf_id %d) is not a function\n", impl_name, impl_id);
> + return NULL;
> + }
> +
> + return btf_type_by_id(btf, func->type);
> +}
> +
> static int fetch_kfunc_meta(struct bpf_verifier_env *env,
> s32 func_id,
> s16 offset,
> @@ -3308,7 +3340,16 @@ static int fetch_kfunc_meta(struct bpf_verifier_env *env,
> }
>
> func_name = btf_name_by_offset(btf, func->name_off);
> - func_proto = btf_type_by_id(btf, func->type);
> +
> + /*
> + * An actual prototype of a kfunc with KF_IMPLICIT_ARGS flag
> + * can be found through the counterpart _impl kfunc.
> + */
> + if (unlikely(kfunc_flags && KF_IMPLICIT_ARGS & *kfunc_flags))
drop unlikely(), it's unnecessary micro-optimization (if at all)
(I'd also swap order to more conventional: `*kfunc_flags & KF_IMPLICIT_ARGS`)
> + func_proto = find_kfunc_impl_proto(env, btf, func_name);
> + else
> + func_proto = btf_type_by_id(btf, func->type);
> +
> if (!func_proto || !btf_type_is_func_proto(func_proto)) {
> verbose(env, "kernel function btf_id %d does not have a valid func_proto\n",
> func_id);
[...]
> @@ -14303,6 +14358,17 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
> for (i = 0; i < nargs; i++) {
> u32 regno = i + 1;
>
> + /*
> + * Implicit kfunc arguments are set after main verification pass.
> + * For correct tracking of zero-extensions we have to reset subreg_def for such
> + * args. Otherwise mark_btf_func_reg_size() will be inspecting subreg_def of regs
> + * from an earlier (irrelevant) point in the program, which may lead to an error
> + * in opt_subreg_zext_lo32_rnd_hi32().
> + */
> + if (unlikely(KF_IMPLICIT_ARGS & meta.kfunc_flags
> + && is_kfunc_arg_implicit(desc_btf, &args[i])))
> + regs[regno].subreg_def = DEF_NOT_SUBREG;
ditto about unlikely(), this is used for rare cases where performance
matters a lot (and it's obvious which case is "common", so should be
kept linear in assembly code)
> +
> t = btf_type_skip_modifiers(desc_btf, args[i].type, NULL);
> if (btf_type_is_ptr(t))
> mark_btf_func_reg_size(env, regno, sizeof(void *));
> --
> 2.52.0
>
Powered by blists - more mailing lists