bpf_refcount_acquire() increments the refcount at the caller-supplied pointer plus the refcount field offset, then returns the caller-supplied pointer unchanged. The verifier records the return value as a base pointer to the refcounted object. bpf_list_pop_front() and bpf_rbtree_remove() can return embedded graph-node pointers as PTR_TO_BTF_ID | MEM_ALLOC with a fixed offset equal to the node field offset. Passing such a pointer directly to bpf_refcount_acquire() currently passes the refcounted-kptr type check. That makes the runtime operation start from base + node_off while the verifier models the returned pointer as the object base. Require refcount-acquire arguments to have zero offset. Programs can still acquire a refcount from a graph-node-derived pointer after normalizing it with container_of(). Fixes: 7c50b1cb76aca ("bpf: Add bpf_refcount_acquire kfunc") Signed-off-by: Yiyang Chen --- kernel/bpf/verifier.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 2abc79dbf..4510fe0b4 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -12392,6 +12392,11 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_ reg_arg_name(env, argno)); return -EINVAL; } + if (reg->var_off.value != 0) { + verbose(env, "%s must have zero offset when passed to %s\n", + reg_arg_name(env, argno), meta->func_name); + return -EINVAL; + } if (!type_is_non_owning_ref(reg->type)) meta->arg_owning_ref = true; -- 2.34.1