Thread (46 messages), 5 authors, 2026-03-17

Re: [RFC PATCH bpf-next v2 03/11] bpf: Unify dynptr handling in the verifier

From: Amery Hung <hidden>
Date: 2026-03-11 20:17:10
Also in: bpf

On Wed, Mar 11, 2026 at 12:57 PM Andrii Nakryiko
[off-list ref] wrote:
On Fri, Mar 6, 2026 at 10:44 PM Amery Hung [off-list ref] wrote:
quoted
Simplify dynptr checking for helper and kfunc by unifying it. Remember
initialized dynptr in process_dynptr_func() so that we can easily
retrieve the information for verification later.
it would help to call out why all those checks you are removing are
not needed anymore
Mykyta also raised a similar question in another place. I will explain
in the commit msg if there are checks dropped in the next iteration.
quoted
Signed-off-by: Amery Hung <redacted>
---
 kernel/bpf/verifier.c | 179 +++++++++---------------------------------
 1 file changed, 36 insertions(+), 143 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 0f77c4c5b510..d52780962adb 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -277,8 +277,15 @@ struct bpf_map_desc {
        int uid;
 };

+struct bpf_dynptr_desc {
+       enum bpf_dynptr_type type;
+       u32 id;
+       u32 ref_obj_id;
+};
+
 struct bpf_call_arg_meta {
        struct bpf_map_desc map;
+       struct bpf_dynptr_desc initialized_dynptr;
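Review bot: struct bpf_dynptr_desc is added without a comment on any of its three fields, and because it is embedded by value in struct bpf_call_arg_meta there is no visible way to tell "no dynptr argument seen" from a populated descriptor. A short comment above the struct stating what id and ref_obj_id refer to, and which value means unset, would make later readers of the meta field easier to check.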
nit: let's drop "initialized_" prefix? so verbose
Ack.
[...]
quoted
@@ -511,11 +513,6 @@ static bool is_ptr_cast_function(enum bpf_func_id func_id)
                func_id == BPF_FUNC_skc_to_tcp_request_sock;
 }

-static bool is_dynptr_ref_function(enum bpf_func_id func_id)
-{
-       return func_id == BPF_FUNC_dynptr_data;
-}
-
 static bool is_sync_callback_calling_kfunc(u32 btf_id);
 static bool is_async_callback_calling_kfunc(u32 btf_id);
 static bool is_callback_calling_kfunc(u32 btf_id);
@@ -597,8 +594,6 @@ static bool helper_multiple_ref_obj_use(enum bpf_func_id func_id,
                ref_obj_uses++;
        if (is_acquire_function(func_id, map))
                ref_obj_uses++;
-       if (is_dynptr_ref_function(func_id))
-               ref_obj_uses++;
e.g., why this is fine? (because we don't use ref_obj_id for tracking
dynptrs anymore, right? would be good to call this out in the commit
message)
Thanks for the example.
quoted
        return ref_obj_uses > 1;
 }
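Review bot: dropping the is_dynptr_ref_function() branch in helper_multiple_ref_obj_use() means BPF_FUNC_dynptr_data no longer contributes to ref_obj_uses, yet the struct bpf_dynptr_desc added in this same patch still carries a ref_obj_id field. The commit message should say where the dynptr's ref_obj_id is taken from now, and why a helper that takes a dynptr together with another referenced argument cannot reach the case that the ref_obj_uses > 1 check exists to reject.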
[...]
quoted
@@ -13559,22 +13464,10 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
                                }
                        }

-                       ret = process_dynptr_func(env, regno, insn_idx, dynptr_arg_type, clone_ref_obj_id);
+                       ret = process_dynptr_func(env, regno, insn_idx, dynptr_arg_type, clone_ref_obj_id,
+                                                 &meta->initialized_dynptr);
                        if (ret < 0)
                                return ret;
-
-                       if (!(dynptr_arg_type & MEM_UNINIT)) {
I can't fully connect MEM_UNINIT and CONST_PTR_TO_DYNPTR, this is
something that should be called out in commit message, IMO
Will explain in the commit message that !(dynptr_arg_type &
MEM_UNINIT) means the argument expects an initialized dynptr.
quoted
-                               int id = dynptr_id(env, reg);
-
-                               if (id < 0) {
-                                       verifier_bug(env, "failed to obtain dynptr id");
-                                       return id;
-                               }
-                               meta->initialized_dynptr.id = id;
-                               meta->initialized_dynptr.type = dynptr_get_type(env, reg);
-                               meta->initialized_dynptr.ref_obj_id = dynptr_ref_obj_id(env, reg);
-                       }
-
                        break;
                }
                case KF_ARG_PTR_TO_ITER:
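Review bot: in check_kfunc_args() the new call hands &meta->initialized_dynptr to process_dynptr_func() unconditionally, while the removed block filled the descriptor only when !(dynptr_arg_type & MEM_UNINIT) and raised verifier_bug() when dynptr_id() returned a negative value. Please confirm that process_dynptr_func() keeps both behaviours (no write to the descriptor for a MEM_UNINIT argument, and the id < 0 error path); otherwise a kfunc that takes an uninitialized output dynptr after an initialized one could overwrite the descriptor recorded for the first.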
--
2.47.3