On Sat Jun 20, 2026 at 8:17 AM PDT, Yiyang Chen wrote:
> bpf_rcu_read_unlock() converts RCU-protected verifier registers to
> untrusted pointers so that programs cannot keep using RCU-trusted
> references after the read-side critical section ends.
>
> That conversion also clears PTR_MAYBE_NULL. For fields from the
> BTF_TYPE_SAFE_RCU_OR_NULL allowlist, such as skb->sk, the verifier records
> MEM_RCU | PTR_MAYBE_NULL while inside the RCU read-side critical section.
> Clearing both flags on unlock drops the nullable state and allows a direct
> post-unlock BTF member load without an explicit NULL check.
That's exactly the point. The code works as designed.
> Only clear MEM_RCU during RCU unlock invalidation. Preserve PTR_MAYBE_NULL
> so normal nullable-pointer checks reject direct access, while an explicit
> NULL check can still refine the pointer before use.
>
> Fixes: 30ee9821f943 ("bpf: Allowlist few fields similar to __rcu tag.")
Nothing to fix.
pw-bot: cr
> Signed-off-by: Yiyang Chen <[email protected]>
> ---
> kernel/bpf/verifier.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 2abc79dbf..e53c4bfe4 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -9001,7 +9001,7 @@ static void invalidate_rcu_protected_refs(struct
> bpf_verifier_env *env)
>
> bpf_for_each_reg_in_vstate_mask(env->cur_state, state, reg, stack,
> clear_mask, ({
> if (reg->type & MEM_RCU) {
> - reg->type &= ~(MEM_RCU | PTR_MAYBE_NULL);
> + reg->type &= ~MEM_RCU;
> reg->type |= PTR_UNTRUSTED;
> }
> }));
