On Tue, 2026-06-23 at 17:34 +0000, Yiyang Chen wrote:
> BTF struct walks relax the struct-size check for accesses through a
> trailing flexible array. That is valid for ordinary BTF type walking, but
> PTR_TO_BTF_ID | MEM_ALLOC values point to objects allocated with the static
> BTF type size.
>
> When walking a MEM_ALLOC object, reject the access before applying the
> flexible-array relaxation if the access range extends past the struct size.
> This keeps verifier-approved BTF accesses within the bytes provided by the
> allocation kfunc.
>
> Fixes: 958cf2e273f0 ("bpf: Introduce bpf_obj_new")
> Fixes: 36d8bdf75a93 ("bpf: Add alloc/xchg/direct_access support for local percpu kptr")
> Signed-off-by: Yiyang Chen <[email protected]>
> ---
Acked-by: Eduard Zingerman <[email protected]>
> kernel/bpf/btf.c | 14 +++++++++-----
> 1 file changed, 9 insertions(+), 5 deletions(-)
>
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 15ae7c43f..3e68af9c1 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -7069,7 +7069,7 @@ enum bpf_struct_walk_result {
> static int btf_struct_walk(struct bpf_verifier_log *log, const struct btf
> *btf,
> const struct btf_type *t, int off, int size,
> u32 *next_btf_id, enum bpf_type_flag *flag,
> - const char **field_name)
> + const char **field_name, bool is_alloc)
Nit: 'walk_flex_arrays' would be a better name.
> {
> u32 i, moff, mtrue_end, msize = 0, total_nelems = 0;
> const struct btf_type *mtype, *elem_type = NULL;
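Review bot: the new bool parameter on the btf_struct_walk() signature is not documented in this hunk, and a bare `is_alloc` at a call site does not tell a reader which check it toggles; since the cover text ties the stricter behaviour specifically to PTR_TO_BTF_ID | MEM_ALLOC objects allocated with the static BTF type size, add a short comment above the function (or next to the parameter) stating that when the flag is set the flexible-array relaxation must not let an access extend past the struct size, so later callers pass the right value. The rename to `walk_flex_arrays` suggested above would make the meaning self-describing at call sites and is worth adopting in the same respin.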
[...]