[PATCH bpf-next 2/2] selftests/bpf: Cover writable BTF field global subprog args

Tue, 09 Jun 2026 07:54:39 -0700 

Add a verifier test for passing a BTF-backed task_struct field pointer to a
global subprogram argument typed as writable memory.

The direct field store is already rejected.
The global subprogram path should be rejected too.
The callee must not lose the BTF pointer's read-only provenance.
It must not validate the argument as ordinary writable memory.

Signed-off-by: Nuoqi Gui <[email protected]>
---
 .../selftests/bpf/progs/verifier_global_ptr_args.c    | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/verifier_global_ptr_args.c 
b/tools/testing/selftests/bpf/progs/verifier_global_ptr_args.c
index ea273e152209..0bdeb7bc4687 100644
--- a/tools/testing/selftests/bpf/progs/verifier_global_ptr_args.c
+++ b/tools/testing/selftests/bpf/progs/verifier_global_ptr_args.c
@@ -287,6 +287,25 @@ int trusted_to_untrusted_mem(void *ctx)
        return subprog_void_untrusted(bpf_get_current_task_btf());
 }
 
+__weak int subprog_write_mem_arg(int *p)
+{
+       if (!p)
+               return 0;
+
+       *p = 42;
+       return 0;
+}
+
+SEC("?tp_btf/task_newtask")
+__failure
+__msg("only read is supported")
+int trusted_btf_field_to_writable_mem(void *ctx)
+{
+       struct task_struct *task = bpf_get_current_task_btf();
+
+       return subprog_write_mem_arg(&task->prio);
+}
+
 SEC("tp_btf/sys_enter")
 __success
 int anything_to_untrusted_mem(void *ctx)

-- 
2.34.1

Reply via email to