skb-backed dynptr writer kfuncs can mutate skb packet data.
The verifier does not currently treat those kfuncs as packet-changing.
A direct packet pointer checked before the call can stay usable after the
write.

bpf_dynptr_write() already clears packet pointers through the helper path.
Teach kfunc argument checking to do the same for skb and skb-meta dynptr
destinations. For static CFG analysis, conservatively classify dynptr writer
kfuncs as packet-changing so global subprogram summaries are correct even
before register states exist.

Keep source-only dynptr arguments unchanged.

v3 also treats unspecialized global-subprogram dynptr arguments as possibly
packet-backed in the precise verifier path. This covers packet pointer
invalidation inside a global subprogram body where the argument may point to an
skb dynptr provided by the caller.

Validation:

  Rebase:
    fetched bpf-next origin/master on 2026-06-15;
    series base is e4287bf34f97a ("selftests/bpf: Work around llvm stack
    overflow in crypto progs").

  Without this series:
    linux-stable-v7.0.12 accepts the three original stale packet pointer cases;
    linux-mainline-v7.1-rc7 accepts the three original stale packet pointer
    cases;
    the source-only bpf_dynptr_copy() control loads on both kernels.

  With this series applied:
    patched bpf-next rejects the five stale packet pointer cases with
    "invalid mem access 'scalar'";
    the source-only bpf_dynptr_copy() control still loads;
    QEMU direct-runner reports PATCH008_SUMMARY failures=0 total=6.

  Build and style checks:
    git diff --check HEAD~2..HEAD: OK
    checkpatch.pl --strict --no-tree: OK
    make O=$BUILD kernel/bpf/verifier.o kernel/bpf/cfg.o: OK
    make O=$BUILD -j$(nproc) bzImage: OK
    dynptr_fail.bpf.o build against patched vmlinux BTF: OK

v2:
  https://lore.kernel.org/bpf/[email protected]/

Signed-off-by: Yiyang Chen <[email protected]>
---
Changes in v3:
- Rebased onto fetched bpf-next origin/master (e4287bf34f97a).
- Split static CFG packet-changing detection from precise checked-argument
  invalidation.
- Treat unspecialized global subprogram dynptr arguments as possibly
  packet-backed for writer invalidation.
- Add global subprogram regression tests for caller-side and local stale
  packet pointer invalidation.

Changes in v2:
- Resend as a properly threaded series. No code changes.

Yiyang Chen (2):
  bpf: Fix packet pointer invalidation for skb dynptr writes
  selftests/bpf: Add skb dynptr writer packet invalidation tests

 include/linux/bpf_verifier.h | 3 +
 kernel/bpf/cfg.c | 2 +-
 kernel/bpf/verifier.c | 79 +++++++++-
 .../testing/selftests/bpf/progs/dynptr_fail.c | 140 ++++++++++++++++++
 4 files changed, 222 insertions(+), 2 deletions(-)

base-commit: e4287bf34f97a88c7d9322f5bde828724c073a6b
--
2.34.1
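
The invalidation rule the cover letter describes, as an added example that is not part of the original message or of the kernel sources: a simplified user-space model in which a bounds-checked packet pointer is downgraded to a scalar when a writer call may touch skb data. Every type and function name in it is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the rule, not verifier code; all names are hypothetical. */
enum reg_type { SCALAR, PTR_TO_PACKET };
enum dynptr_kind { DYNPTR_LOCAL, DYNPTR_SKB, DYNPTR_SKB_META,
                   DYNPTR_UNSPECIALIZED /* global subprogram argument */ };
enum arg_role { ARG_SRC_ONLY, ARG_DST };

#define NREGS 4
struct vstate { enum reg_type regs[NREGS]; };

/* A writer call changes packet data only through a destination dynptr
 * that is, or may be, skb-backed. Source-only arguments never count. */
static bool call_changes_pkt(enum dynptr_kind kind, enum arg_role role)
{
    if (role != ARG_DST)
        return false;
    return kind == DYNPTR_SKB || kind == DYNPTR_SKB_META ||
           kind == DYNPTR_UNSPECIALIZED;
}

/* Every previously checked packet pointer loses its type and bounds. */
static void clear_pkt_pointers(struct vstate *s)
{
    for (int i = 0; i < NREGS; i++)
        if (s->regs[i] == PTR_TO_PACKET)
            s->regs[i] = SCALAR;
}

/* Models: r1 = checked packet pointer; writer call; load through r1.
 * Returns true when the modeled program is accepted. */
static bool verify(enum dynptr_kind kind, enum arg_role role, bool patched)
{
    struct vstate s = { { SCALAR, PTR_TO_PACKET, SCALAR, SCALAR } };

    if (patched && call_changes_pkt(kind, role))
        clear_pkt_pointers(&s);
    /* A load through a non-pointer is the "invalid mem access 'scalar'" case. */
    return s.regs[1] == PTR_TO_PACKET;
}

int main(void)
{
    printf("skb dst, unpatched: %s\n", verify(DYNPTR_SKB, ARG_DST, false) ? "accepted" : "rejected");
    printf("skb dst, patched:   %s\n", verify(DYNPTR_SKB, ARG_DST, true) ? "accepted" : "rejected");
    printf("skb src-only:       %s\n", verify(DYNPTR_SKB, ARG_SRC_ONLY, true) ? "accepted" : "rejected");
    return 0;
}
```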