[PATCH bpf-next v3 11/17] bpf, verifier: Remove side effects from may_access_direct_pkt_data
From: Jakub Sitnicki <jakub@cloudflare.com>
Date: 2026-01-07 14:28:24
Also in:
bpf
Subsystem:
bpf [core], bpf [general] (safe dynamic programs and tools), the rest · Maintainers:
Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi, Linus Torvalds
The may_access_direct_pkt_data() helper sets env->seen_direct_write as a side effect, which creates awkward calling patterns: - check_special_kfunc() has a comment warning readers about the side effect - specialize_kfunc() must save and restore the flag around the call Make the helper a pure function by moving the seen_direct_write flag setting to call sites that need it. Acked-by: Eduard Zingerman <eddyz87@gmail.com> Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com> --- kernel/bpf/verifier.c | 33 ++++++++++++--------------------- 1 file changed, 12 insertions(+), 21 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 53635ea2e41b..1158c7764a34 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c@@ -6151,13 +6151,9 @@ static bool may_access_direct_pkt_data(struct bpf_verifier_env *env, if (meta) return meta->pkt_access; - env->seen_direct_write = true; return true; case BPF_PROG_TYPE_CGROUP_SOCKOPT: - if (t == BPF_WRITE) - env->seen_direct_write = true; - return true; default:
@@ -7708,15 +7704,17 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn err = check_stack_write(env, regno, off, size, value_regno, insn_idx); } else if (reg_is_pkt_pointer(reg)) { - if (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL, t)) { - verbose(env, "cannot write into packet\n"); - return -EACCES; - } - if (t == BPF_WRITE && value_regno >= 0 && - is_pointer_value(env, value_regno)) { - verbose(env, "R%d leaks addr into packet\n", - value_regno); - return -EACCES; + if (t == BPF_WRITE) { + if (!may_access_direct_pkt_data(env, NULL, BPF_WRITE)) { + verbose(env, "cannot write into packet\n"); + return -EACCES; + } + if (value_regno >= 0 && is_pointer_value(env, value_regno)) { + verbose(env, "R%d leaks addr into packet\n", + value_regno); + return -EACCES; + } + env->seen_direct_write = true; } err = check_packet_access(env, regno, off, size, false); if (!err && t == BPF_READ && value_regno >= 0)
@@ -13893,11 +13891,11 @@ static int check_special_kfunc(struct bpf_verifier_env *env, struct bpf_kfunc_ca if (meta->func_id == special_kfunc_list[KF_bpf_dynptr_slice]) { regs[BPF_REG_0].type |= MEM_RDONLY; } else { - /* this will set env->seen_direct_write to true */ if (!may_access_direct_pkt_data(env, NULL, BPF_WRITE)) { verbose(env, "the prog does not allow writes to packet data\n"); return -EINVAL; } + env->seen_direct_write = true; } if (!meta->initialized_dynptr.id) {
@@ -22398,7 +22396,6 @@ static int fixup_call_args(struct bpf_verifier_env *env) static int specialize_kfunc(struct bpf_verifier_env *env, struct bpf_kfunc_desc *desc, int insn_idx) { struct bpf_prog *prog = env->prog; - bool seen_direct_write; void *xdp_kfunc; bool is_rdonly; u32 func_id = desc->func_id;
@@ -22414,16 +22411,10 @@ static int specialize_kfunc(struct bpf_verifier_env *env, struct bpf_kfunc_desc addr = (unsigned long)xdp_kfunc; /* fallback to default kfunc when not supported by netdev */ } else if (func_id == special_kfunc_list[KF_bpf_dynptr_from_skb]) { - seen_direct_write = env->seen_direct_write; is_rdonly = !may_access_direct_pkt_data(env, NULL, BPF_WRITE); if (is_rdonly) addr = (unsigned long)bpf_dynptr_from_skb_rdonly; - - /* restore env->seen_direct_write to its original value, since - * may_access_direct_pkt_data mutates it - */ - env->seen_direct_write = seen_direct_write; } else if (func_id == special_kfunc_list[KF_bpf_set_dentry_xattr]) { if (bpf_lsm_has_d_inode_locked(prog)) addr = (unsigned long)bpf_set_dentry_xattr_locked;
--
2.43.0