On Mon, Jun 15, 2026 at 10:49 AM Yiyang Chen <[email protected]> wrote:
>
> skb-backed dynptr writers can mutate packet data, but not all verifier
> paths invalidate checked direct packet pointers after those writes.
>
> bpf_dynptr_write() handles skb and skb-meta dynptrs in the normal helper
> path, but global subprogram dynptr arguments are verified as
> unspecialized local dynptr pointers. Treat such arguments as possibly
> packet-backed for packet pointer invalidation.
>
> Carry that possibly-packet-backed state through dynptr clones and dynptr
> slices. Otherwise a global subprogram can clone its dynptr argument and
> write through the stack clone, or obtain a LOCAL-typed dynptr slice and
> write through the original dynptr, without invalidating packet pointers
> or slice pointers that may refer to reallocated skb data.
>
> Global subprogram summaries are computed during CFG analysis before
> register states exist. Add conservative static CFG predicates for
> bpf_dynptr_write() and skb dynptr writer kfuncs so caller-side packet
> pointers are invalidated after global calls that may write packet data.
>
> Keep the normal verifier invalidation precise: helpers and kfuncs still
> use the checked dynptr argument and only invalidate when the written
> dynptr is, or may be, skb-backed. Source-only dynptr arguments remain
> unchanged.

Nack. Nothing to fix.

pw-bot: cr

