selftests/bpf: Cover writable BTF field global subprog args

Add a verifier test for passing a BTF-backed task_struct field pointer to a
global subprogram argument typed as writable memory.

The direct field store is already rejected.
The global subprogram path should be rejected too.
The callee must not lose the BTF pointer's read-only provenance.
It must not validate the argument as ordinary writable memory.

Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
Link: https://lore.kernel.org/bpf/20260609-f01-04-btf-writable-arg-v1-2-f449cd970669@mails.tsinghua.edu.cn
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>

diff --git a/tools/testing/selftests/bpf/progs/verifier_global_ptr_args.c b/tools/testing/selftests/bpf/progs/verifier_global_ptr_args.c
index ea273e15220938cc9b444697a539b5a6becc9ff7..0bdeb7bc4687a9abde1cfa6d63ea769259404dbc 100644 (file)
--- a/tools/testing/selftests/bpf/progs/verifier_global_ptr_args.c
+++ b/tools/testing/selftests/bpf/progs/verifier_global_ptr_args.c
@@ -287,6 +287,25 @@ int trusted_to_untrusted_mem(void *ctx)
        return subprog_void_untrusted(bpf_get_current_task_btf());
 }
 
+__weak int subprog_write_mem_arg(int *p)
+{
+       if (!p)
+               return 0;
+
+       *p = 42;
+       return 0;
+}
+
+SEC("?tp_btf/task_newtask")
+__failure
+__msg("only read is supported")
+int trusted_btf_field_to_writable_mem(void *ctx)
+{
+       struct task_struct *task = bpf_get_current_task_btf();
+
+       return subprog_write_mem_arg(&task->prio);
+}
+
 SEC("tp_btf/sys_enter")
 __success
 int anything_to_untrusted_mem(void *ctx)