> diff --git a/tools/testing/selftests/bpf/progs/dynptr_fail.c
> b/tools/testing/selftests/bpf/progs/dynptr_fail.c
> --- a/tools/testing/selftests/bpf/progs/dynptr_fail.c
> +++ b/tools/testing/selftests/bpf/progs/dynptr_fail.c
> @@ -1232,6 +1232,189 @@ int skb_invalid_data_slice4(struct __sk_buff *skb)
> return SK_PASS;
> }
>
> +char dynptr_writer_data[8] = "test";
> +char dynptr_writer_dst[8];
> +
> +extern int bpf_dynptr_copy(struct bpf_dynptr *dst, __u64 dst_off,
> + struct bpf_dynptr *src, __u64 src_off,
> + __u64 size) __ksym __weak;
> +extern int bpf_dynptr_memset(struct bpf_dynptr *ptr, __u64 offset,
> + __u64 size, __u8 val) __ksym __weak;
> +extern int bpf_probe_read_kernel_dynptr(struct bpf_dynptr *dptr,
> + __u64 off, __u64 size,
> + const void *unsafe_ptr__ign) __ksym
> __weak;
> +
> +__noinline int global_dynptr_helper_write(struct bpf_dynptr *ptr)
> +{
> + return bpf_dynptr_write(ptr, 0, dynptr_writer_data, 1, 0);
> +}
> +
> +__noinline int global_dynptr_helper_write_and_read(struct __sk_buff *skb,
> + struct bpf_dynptr *ptr)
> +{
> + __u8 *data = (void *)(long)skb->data;
> + __u8 *data_end = (void *)(long)skb->data_end;
> +
> + if (data + 1 > data_end)
> + return SK_DROP;
> +
> + bpf_dynptr_write(ptr, 0, dynptr_writer_data, 1, 0);
> +
> + /* this should fail */
> + return *data;
> +}
> +
> +__noinline int global_dynptr_kfunc_memset(struct bpf_dynptr *ptr)
> +{
> + return bpf_dynptr_memset(ptr, 0, 1, 0);
> +}
> +
> +__noinline int global_dynptr_kfunc_memset_and_read(struct __sk_buff *skb,
> + struct bpf_dynptr *ptr)
> +{
> + __u8 *data = (void *)(long)skb->data;
> + __u8 *data_end = (void *)(long)skb->data_end;
> +
> + if (data + 1 > data_end)
> + return SK_DROP;
> +
> + bpf_dynptr_memset(ptr, 0, 1, 0);
> +
> + /* this should fail */
> + return *data;
> +}
> +
> +SEC("?tc")
> +__failure __msg("invalid mem access 'scalar'")
> +int skb_pkt_ptr_invalid_after_global_dynptr_write(struct __sk_buff *skb)
> +{
> + __u8 *data = (void *)(long)skb->data;
> + __u8 *data_end = (void *)(long)skb->data_end;
> + struct bpf_dynptr ptr;
> +
> + if (data + 1 > data_end)
> + return SK_DROP;
> +
> + bpf_dynptr_from_skb(skb, 0, &ptr);
> + global_dynptr_helper_write(&ptr);
> +
> + /* this should fail */
> + return *data;
> +}
> +
> +SEC("?tc")
> +__failure __msg("invalid mem access 'scalar'")
> +int skb_pkt_ptr_invalid_inside_global_dynptr_write(struct __sk_buff *skb)
> +{
> + struct bpf_dynptr ptr;
> +
> + bpf_dynptr_from_skb(skb, 0, &ptr);
> +
> + return global_dynptr_helper_write_and_read(skb, &ptr);
> +}
> +
> +SEC("?tc")
> +__failure __msg("invalid mem access 'scalar'")
> +int skb_pkt_ptr_invalid_after_dynptr_memset(struct __sk_buff *skb)
> +{
> + __u8 *data = (void *)(long)skb->data;
> + __u8 *data_end = (void *)(long)skb->data_end;
> + struct bpf_dynptr ptr;
> +
> + if (data + 1 > data_end)
> + return SK_DROP;
> +
> + bpf_dynptr_from_skb(skb, 0, &ptr);
> + bpf_dynptr_memset(&ptr, 0, 1, 0);
> +
> + /* this should fail */
> + return *data;
> +}
> +
> +SEC("?tc")
> +__failure __msg("invalid mem access 'scalar'")
> +int skb_pkt_ptr_invalid_after_global_dynptr_memset(struct __sk_buff *skb)
> +{
> + __u8 *data = (void *)(long)skb->data;
> + __u8 *data_end = (void *)(long)skb->data_end;
> + struct bpf_dynptr ptr;
> +
> + if (data + 1 > data_end)
> + return SK_DROP;
> +
> + bpf_dynptr_from_skb(skb, 0, &ptr);
> + global_dynptr_kfunc_memset(&ptr);
> +
> + /* this should fail */
> + return *data;
> +}
> +
> +SEC("?tc")
> +__failure __msg("invalid mem access 'scalar'")
> +int skb_pkt_ptr_invalid_inside_global_dynptr_memset(struct __sk_buff *skb)
> +{
> + struct bpf_dynptr ptr;
> +
> + bpf_dynptr_from_skb(skb, 0, &ptr);
> +
> + return global_dynptr_kfunc_memset_and_read(skb, &ptr);
> +}
> +
> +SEC("?tc")
> +__failure __msg("invalid mem access 'scalar'")
> +int skb_pkt_ptr_invalid_after_dynptr_copy_dst(struct __sk_buff *skb)
> +{
> + __u8 *data = (void *)(long)skb->data;
> + __u8 *data_end = (void *)(long)skb->data_end;
> + struct bpf_dynptr dst, src;
> +
> + if (data + 1 > data_end)
> + return SK_DROP;
> +
> + bpf_dynptr_from_skb(skb, 0, &dst);
> + bpf_dynptr_from_mem(dynptr_writer_data, sizeof(dynptr_writer_data), 0,
> &src);
> + bpf_dynptr_copy(&dst, 0, &src, 0, 1);
> +
> + /* this should fail */
> + return *data;
> +}
> +
> +SEC("?tc")
> +__success
> +int skb_pkt_ptr_valid_after_dynptr_copy_src(struct __sk_buff *skb)
> +{
> + __u8 *data = (void *)(long)skb->data;
> + __u8 *data_end = (void *)(long)skb->data_end;
> + struct bpf_dynptr dst, src;
> +
> + if (data + 1 > data_end)
> + return SK_DROP;
> +
> + bpf_dynptr_from_skb(skb, 0, &src);
> + bpf_dynptr_from_mem(dynptr_writer_dst, sizeof(dynptr_writer_dst), 0,
> &dst);
> + bpf_dynptr_copy(&dst, 0, &src, 0, 1);
> +
> + return *data;
> +}
> +
> +SEC("?tc")
> +__failure __msg("invalid mem access 'scalar'")
> +int skb_pkt_ptr_invalid_after_probe_read_kernel_dynptr(struct __sk_buff *skb)
> +{
> + __u8 *data = (void *)(long)skb->data;
> + __u8 *data_end = (void *)(long)skb->data_end;
> + struct bpf_dynptr ptr;
> +
> + if (data + 1 > data_end)
> + return SK_DROP;
> +
> + bpf_dynptr_from_skb(skb, 0, &ptr);
> + bpf_probe_read_kernel_dynptr(&ptr, 0, 1, dynptr_writer_data);
> +
> + /* this should fail */
> + return *data;
> +}
This patch series was NACKed by Alexei Starovoitov in v3 with the comment
"nack. pw-bot: cr" (change requested). The companion verifier fix patch
(patch 1/2 in the series) was rejected, which blocks this selftest patch
from landing. A v4 was posted to address the helper-side bpf_dynptr_write()
case, but has not yet received maintainer feedback.
Are there plans to address the maintainer feedback and resubmit the series?
Reference: https://lore.kernel.org/bpf/[email protected]/
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/27557183694
