Commit 9cba966f authored by Mykyta Yatsenko's avatar Mykyta Yatsenko Committed by Alexei Starovoitov

bpf: verifier: centralize const dynptr check in unmark_stack_slots_dynptr()



Move the const dynptr check into unmark_stack_slots_dynptr() so callers
don’t have to duplicate it. This puts the validation next to the code
that manipulates dynptr stack slots and allows upcoming changes to reuse
it directly.

Signed-off-by: default avatarMykyta Yatsenko <yatsenko@meta.com>
Acked-by: default avatarAndrii Nakryiko <andrii@kernel.org>
Acked-by: default avatarEduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20251026203853.135105-6-mykyta.yatsenko5@gmail.com


Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parent 5a5fff60
+9 −8
@@ -828,6 +828,15 @@ static int unmark_stack_slots_dynptr(struct bpf_verifier_env *env, struct bpf_re
	struct bpf_func_state *state = func(env, reg);
	int spi, ref_obj_id, i;
	/*
	 * This can only be set for PTR_TO_STACK, as CONST_PTR_TO_DYNPTR cannot
	 * be released by any dynptr helper. Hence, unmark_stack_slots_dynptr
	 * is safe to do directly.
	 */
	if (reg->type == CONST_PTR_TO_DYNPTR) {
		verifier_bug(env, "CONST_PTR_TO_DYNPTR cannot be released");
		return -EFAULT;
	}
	spi = dynptr_get_spi(env, reg);
	if (spi < 0)
		return spi;
@@ -11514,15 +11523,7 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
	if (meta.release_regno) {
		err = -EINVAL;
		/* This can only be set for PTR_TO_STACK, as CONST_PTR_TO_DYNPTR cannot
		 * be released by any dynptr helper. Hence, unmark_stack_slots_dynptr
		 * is safe to do directly.
		 */
		if (arg_type_is_dynptr(fn->arg_type[meta.release_regno - BPF_REG_1])) {
			if (regs[meta.release_regno].type == CONST_PTR_TO_DYNPTR) {
				verifier_bug(env, "CONST_PTR_TO_DYNPTR cannot be released");
				return -EFAULT;
			}
			err = unmark_stack_slots_dynptr(env, &regs[meta.release_regno]);
		} else if (func_id == BPF_FUNC_kptr_xchg && meta.ref_obj_id) {
			u32 ref_obj_id = meta.ref_obj_id;
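Review bot: The comment moved into unmark_stack_slots_dynptr() in the first hunk was written for the call site and no longer reads correctly in its new place: "This can only be set" referred to `meta.release_regno`, and "unmark_stack_slots_dynptr is safe to do directly" now describes the function from inside itself. I would reword it for the new location, e.g. `/* Only PTR_TO_STACK dynptrs own stack slots; no dynptr helper may release a CONST_PTR_TO_DYNPTR, so seeing one here is a verifier bug. */`. The new type check also runs after the `func(env, reg)` initializer, so that lookup is still performed for the rejected register type; whether that is harmless is not visible here, and assigning `state` after the check would make the guard cover the whole body. In check_helper_call() the bug case now propagates through `err` instead of returning directly, so it is worth confirming that the error handling after this if/else chain, which lies outside the hunk, does not print a misleading second message. Both function bodies continue outside the hunks.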