bpf: Compare parent_id in refsafe() for REF_TYPE_PTR

refsafe() compared each reference's id and type but not its parent_id,
so two states whose PTR references differ only in the parent object they
were derived from could be wrongly treated as equivalent and pruned. Fix
it by checking parent_id too.

Fixes: 308c7a0ae885 ("bpf: Refactor object relationship tracking and fix dynptr UAF bug")
Signed-off-by: Amery Hung <ameryhung@gmail.com>
Link: https://lore.kernel.org/r/20260605202056.1780352-4-ameryhung@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/kernel/bpf/states.c b/kernel/bpf/states.c
index 5945956a7573bdc92a09ce30fbc69c796081aabf..06d9ae24f006b5864a4eba428fd8c177c83cd914 100644 (file)
--- a/kernel/bpf/states.c
+++ b/kernel/bpf/states.c
@@ -890,6 +890,9 @@ static bool refsafe(struct bpf_verifier_state *old, struct bpf_verifier_state *c
                        return false;
                switch (old->refs[i].type) {
                case REF_TYPE_PTR:
+                       if (!check_ids(old->refs[i].parent_id, cur->refs[i].parent_id, idmap))
+                               return false;
+                       break;
                case REF_TYPE_IRQ:
                        break;
                case REF_TYPE_LOCK: