bpf_rcu_read_unlock() converts MEM_RCU verifier registers to PTR_UNTRUSTED, but currently clears PTR_MAYBE_NULL at the same time.

That loses the nullable state for BTF_TYPE_SAFE_RCU_OR_NULL fields such as skb->sk. A program can read skb->sk while in an RCU read-side critical section, unlock RCU, and then dereference the pointer directly without the verifier requiring an explicit NULL check.

Patch 1 preserves PTR_MAYBE_NULL when removing MEM_RCU.
Patch 2 adds a focused regression test for the unchecked dereference and a matched null-checked control.

Yiyang Chen (2):
  bpf: Preserve nullable RCU pointer state on unlock
  selftests/bpf: Cover nullable RCU pointer use after unlock

 kernel/bpf/verifier.c                        |  2 +-
 .../selftests/bpf/prog_tests/rcu_read_lock.c | 17 ++++++++++++++++
 .../selftests/bpf/progs/rcu_read_lock.c      | 20 +++++++++++++++++++
 3 files changed, 38 insertions(+), 1 deletion(-)

base-commit: a975094bf98ca97be9146f9d3b5681a6f9cf5ce3
-- 
2.34.1
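A plain C model of the register-state transition this series describes, added here as an illustration and not code from the series or from kernel/bpf/verifier.c: the flag names follow the kernel's, but the bit values, the helpers and the acceptance check are constructed for the example. It shows why the current unlock lets an unchecked skb->sk load through, and why the patched unlock still accepts the null-checked control.

```c
/* Constructed model of the verifier register-type flags involved here.
 * Flag names follow the kernel's; the values, the helper functions and
 * the check are this example's own, not code from kernel/bpf/verifier.c. */
#include <stdbool.h>

enum {
	PTR_TO_BTF_ID  = 1 << 0,  /* base type: pointer to a kernel object */
	PTR_MAYBE_NULL = 1 << 8,  /* may be NULL: a load needs a NULL check first */
	MEM_RCU        = 1 << 9,  /* valid only inside bpf_rcu_read_lock() */
	PTR_UNTRUSTED  = 1 << 10, /* no longer trusted after the lock is dropped */
};

/* skb->sk is a BTF_TYPE_SAFE_RCU_OR_NULL field, so a load under the RCU
 * lock yields a register that is both RCU-protected and nullable. */
static int load_skb_sk_under_rcu(void)
{
	return PTR_TO_BTF_ID | MEM_RCU | PTR_MAYBE_NULL;
}

/* Current unlock handling: MEM_RCU and PTR_MAYBE_NULL are cleared together. */
static int rcu_unlock_current(int type)
{
	if (!(type & MEM_RCU))
		return type;
	return (type & ~(MEM_RCU | PTR_MAYBE_NULL)) | PTR_UNTRUSTED;
}

/* Patch 1 behaviour: only MEM_RCU goes away, nullability is preserved. */
static int rcu_unlock_fixed(int type)
{
	if (!(type & MEM_RCU))
		return type;
	return (type & ~MEM_RCU) | PTR_UNTRUSTED;
}

/* The taken branch of "if (sk)" lets the verifier drop PTR_MAYBE_NULL. */
static int mark_not_null(int type)
{
	return type & ~PTR_MAYBE_NULL;
}

/* Would the verifier accept a load through this register? */
static bool deref_accepted(int type)
{
	return !(type & PTR_MAYBE_NULL);
}
```

With the current unlock, deref_accepted() returns true for the unchecked load; with the fixed unlock it returns false until mark_not_null() has been applied, which is exactly the pair of cases the regression test in patch 2 covers.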

