bpf_obj_new() and bpf_percpu_obj_new() allocate only the static BTF size for the selected program-BTF type.
A program-BTF struct can nevertheless end with a zero-length flexible array. Generic BTF struct walks have special handling for such trailing arrays, and can validate field accesses beyond the allocated static object size.

Patch 1 rejects allocation kfunc types with trailing flexible arrays.
Patch 2 adds a linked_list negative loader case for the rejection.

Yiyang Chen (2):
  bpf: Reject flexible-array allocation types
  selftests/bpf: Cover flexible-array allocation rejection

 kernel/bpf/verifier.c                         | 28 +++++++++++++++++++
 .../selftests/bpf/prog_tests/linked_list.c    |  2 ++
 .../selftests/bpf/progs/linked_list_fail.c    | 23 +++++++++++++++
 3 files changed, 53 insertions(+)

base-commit: a975094bf98ca97be9146f9d3b5681a6f9cf5ce3
-- 
2.34.1
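
Added example, not part of the patch series or the kernel source: a simplified C model of the size gap and the rejection described above. The type records and the functions ends_with_flex_array(), obj_new_size() and access_fits() are hypothetical, the sample types are constructed, and following a trailing nested struct is an assumption that goes beyond what the cover letter states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Simplified stand-in for BTF type records (hypothetical, not the kernel's struct btf_type). */
enum kind { K_INT, K_ARRAY, K_STRUCT };
struct type;
struct member { const char *name; const struct type *type; uint32_t off; };
struct type {
    enum kind kind;
    uint32_t size;                 /* static size in bytes; a flexible array adds 0 */
    uint32_t nelems;               /* K_ARRAY only: 0 means flexible */
    const struct member *members;  /* K_STRUCT only */
    uint32_t nmembers;
};

/* True if the last member is a zero-length array, directly or through a
 * trailing nested struct (the nested case is an assumption of this model). */
bool ends_with_flex_array(const struct type *t) {
    while (t->kind == K_STRUCT && t->nmembers > 0) {
        t = t->members[t->nmembers - 1].type;
        if (t->kind == K_ARRAY)
            return t->nelems == 0;
    }
    return false;
}

/* Allocation-time check: bytes to allocate, or -1 to reject the type. */
long obj_new_size(const struct type *t) {
    if (t->kind != K_STRUCT || ends_with_flex_array(t))
        return -1;
    return (long)t->size;
}

/* Does an access of len bytes at off stay inside an allocation of alloc bytes? */
bool access_fits(long alloc, uint32_t off, uint32_t len) {
    return alloc >= 0 && (uint64_t)off + len <= (uint64_t)alloc;
}

/* Constructed sample types: { int len; int data[]; } and { int len; int data[4]; } */
const struct type t_int   = { K_INT, 4, 0, NULL, 0 };
const struct type t_flex  = { K_ARRAY, 0, 0, NULL, 0 };
const struct type t_fixed = { K_ARRAY, 16, 4, NULL, 0 };
const struct member m_flex[]  = { { "len", &t_int, 0 }, { "data", &t_flex, 4 } };
const struct member m_fixed[] = { { "len", &t_int, 0 }, { "data", &t_fixed, 4 } };
const struct type flex_elem  = { K_STRUCT, 4, 0, m_flex, 2 };   /* static size stops at data */
const struct type fixed_elem = { K_STRUCT, 20, 0, m_fixed, 2 };
const struct member m_outer[] = { { "id", &t_int, 0 }, { "tail", &flex_elem, 4 } };
const struct type outer_elem = { K_STRUCT, 8, 0, m_outer, 2 };
int main(void) { return obj_new_size(&flex_elem) == -1 ? 0 : 1; }
```

In this model flex_elem has a static size of 4 bytes, so data[0] at offset 4 already lies outside an allocation of that size, which is why the type is refused at allocation time rather than bounds-checked per access.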

