Hello:

This series was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <[email protected]>:

On Sat, 06 Jun 2026 18:50:36 +0800 you wrote:
> A constant offset added to a PTR_TO_FLOW_KEYS register lands in
> reg->var_off, but check_flow_keys_access() bounds-checks only insn->off
> and never folds reg->var_off.value.  A BPF_PROG_TYPE_FLOW_DISSECTOR
> program can therefore do "flow_keys += 0x1000; *(flow_keys + 0)" and have
> it accepted, then read/write kernel stack past struct bpf_flow_keys at
> runtime.  Patch 1 folds reg->var_off.value into the offset (and rejects
> non-constant offsets), mirroring check_ctx_access(); patch 2 adds verifier
> selftests.
> 
> [...]

Here is the summary with links:
  - [bpf-next,v3,1/2] bpf, verifier: fold reg->var_off into PTR_TO_FLOW_KEYS bounds check
    https://git.kernel.org/bpf/bpf-next/c/37363191cbe8
  - [bpf-next,v3,2/2] selftests/bpf: add tests for PTR_TO_FLOW_KEYS offset bounds
    https://git.kernel.org/bpf/bpf-next/c/3ce6b42458f0

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
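
The bounds check described in the quoted cover letter, as an added userspace model that is not part of the original message and is not the kernel's code. The names model_tnum, model_reg, model_check_insn_off_only and model_check_folded, the value 56 for MODEL_FLOW_KEYS_SIZE and the 32-bit range guard are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for sizeof(struct bpf_flow_keys); an assumption. */
#define MODEL_FLOW_KEYS_SIZE 56

/* Simplified tnum: bits set in mask are unknown, value holds the known bits. */
struct model_tnum { uint64_t value; uint64_t mask; };
struct model_reg  { struct model_tnum var_off; };

/* Behaviour before the fix, as described: only insn->off is bounds-checked. */
static int model_check_insn_off_only(int off, int size)
{
	if (size < 0 || off < 0 ||
	    (uint64_t)off + (uint64_t)size > MODEL_FLOW_KEYS_SIZE)
		return -EACCES;
	return 0;
}

/* Behaviour after the fix, as described: reject non-constant offsets, then
 * fold var_off.value into the offset before the same bounds check. */
static int model_check_folded(const struct model_reg *reg, int off, int size)
{
	int64_t v = (int64_t)reg->var_off.value;

	if (reg->var_off.mask != 0)            /* offset is not a known constant */
		return -EACCES;
	if (v > INT32_MAX || v < INT32_MIN)    /* model guard: keep the sum from wrapping */
		return -EACCES;
	v += off;                              /* effective offset into the keys */
	if (size < 0 || v < 0 || v + size > MODEL_FLOW_KEYS_SIZE)
		return -EACCES;
	return 0;
}

int main(void)
{
	struct model_reg bumped = { { 0x1000, 0 } };  /* flow_keys += 0x1000 */

	printf("insn->off only: %d\n", model_check_insn_off_only(0, 8));
	printf("folded var_off: %d\n", model_check_folded(&bumped, 0, 8));
	return 0;
}
```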


