git.ipfire.org Git - thirdparty/linux.git/commit

author	Kumar Kartikeya Dwivedi <memxor@gmail.com>
	Fri, 27 Feb 2026 00:57:24 +0000 (16:57 -0800)
committer	Alexei Starovoitov <ast@kernel.org>
	Tue, 3 Mar 2026 16:45:16 +0000 (08:45 -0800)
commit	de6c7d99f898d82106e3c3b84cd03453201a565c
tree	772fce7894fdb33a2a8d4a0993c34cdf0f064988	tree \| snapshot
parent	b1d6bd5462f1e16adb805ce293bd11e9d7c47e6c	commit \| diff

bpf: Relax fixed offset check for PTR_TO_CTX

The limitation on fixed offsets stems from the fact that certain program
types rewrite the accesses to the context structure and translate them
to accesses to the real underlying type. Technically, in the past, we
could have stashed the register offset in insn_aux and made rewrites
work, but we've never needed it in the past since the offset for such
context structures easily fit in the s16 signed instruction offset.

Regardless, the consequence is that for program types where the program
type's verifier ops doesn't supply a convert_ctx_access callback, we
unnecessarily reject accesses with a modified ctx pointer (i.e., one
whose offset has been shifted) in check_ptr_off_reg. Make an exception
for such program types (like syscall, tracepoint, raw_tp, etc.).

Pass in fixed_off_ok as true to __check_ptr_off_reg for such cases, and
accumulate the register offset into insn->off passed to check_ctx_access.
In particular, the accumulation is critical since we need to correctly
track the max_ctx_offset which is used for bounds checking the buffer
for syscall programs at runtime.

Reported-by: Tejun Heo <tj@kernel.org>
Reported-by: Dan Schatzberg <dschatzberg@meta.com>
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Link: https://lore.kernel.org/r/20260227005725.1247305-2-memxor@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>