On Mon, 2026-06-22 at 04:56 +0000, Yiyang Chen wrote:
> bpf_obj_new() and bpf_percpu_obj_new() allocate the static BTF size for
> the selected program-BTF type. A struct type can still end with a
> zero-length flexible array, and generic BTF struct walks have special
> handling that can accept accesses beyond the static struct size through
> such a member.
>
> Reject allocation kfunc types with trailing flexible arrays before marking
> the return value as PTR_TO_BTF_ID | MEM_ALLOC. This keeps the
> verifier-visible BTF access shape aligned with the object size allocated by
> the runtime kfunc.
>
> Fixes: 958cf2e273f0 ("bpf: Introduce bpf_obj_new")
> Fixes: 36d8bdf75a93 ("bpf: Add alloc/xchg/direct_access support for local percpu kptr")
> Signed-off-by: Yiyang Chen <[email protected]>
> ---
Hi Yiyang, thank you for the report.
I think this should be handled at the btf_struct_walk() level by
checking the MEM_ALLOC flag. And there is no need to check whether the
array is flex or not; checking whether the final offset reaches past the
allocated object boundary should be sufficient.
pw-bot: cr.
[...]