Re: [PATCH bpf] bpf, sockmap: Fix af_unix null-ptr-deref in proto update
From: Martin KaFai Lau <martin.lau@linux.dev>
Date: 2026-02-04 20:18:29
Also in:
bpf, lkml
On 2/4/26 11:16 AM, Kuniyuki Iwashima wrote:
> For example, inet_sock(sk)->inet_opt could be freed by setsockopt(IP_OPTIONS) even after the fentry prog verifies that it's not NULL.

This one should be fine because of rcu.

> I'm not sure if bpf_core_cast() etc. allows such access, but if it's allowed, I think there is no general solution.

bpf_core_cast (i.e. the "kfunc" bpf_rdonly_cast) does not use the pointer argument, so it should be fine. Its return value is marked as PTR_UNTRUSTED. iirc, PTR_UNTRUSTED cannot be passed to a helper, so bpf_core_cast should be fine overall.

> Fortunately that's not a null-deref nor an oob-write, and it just reads stale info as Martin mentioned... so probably this is WAI for a tracing prog?

afaik, the tracing radius is large, so the prog cannot expect much guarantee. Reading in the bpf prog is fine. The exception is handled. The problem here is passing it to a helper (not a kfunc) that depends on the arg being valid.