bpf: implement KF_IMPLICIT_PROG_AUX_ARG flag

theihor · Kernel Patches Daemon · commit 498f6e4c29a4 · 2025-09-24T14:21:50.000-07:00
Define KF_IMPLICIT_PROG_AUX_ARG and handle it in the BPF verifier.

The mechanism of patching is exactly the same as for __prog parameter
annotation: in check_kfunc_args() detect the relevant parameter and
remember regno in cur_aux(env)-&gt;arg_prog.

Then the (unchanged in this patch) fixup_kfunc_call() adds a mov
instruction to set the actual pointer to prog_aux.

The caveat for KF_IMPLICIT_PROG_AUX_ARG is in implicitness. We have to
separately check that the number of arguments is under
MAX_BPF_FUNC_REG_ARGS.

Signed-off-by: Ihor Solodrai &lt;ihor.solodrai@linux.dev&gt;
diff --git a/include/linux/btf.h b/include/linux/btf.h
@@ -79,6 +79,9 @@
 #define KF_ARENA_RET    (1 << 13) /* kfunc returns an arena pointer */
 #define KF_ARENA_ARG1   (1 << 14) /* kfunc takes an arena pointer as its first argument */
 #define KF_ARENA_ARG2   (1 << 15) /* kfunc takes an arena pointer as its second argument */
+/* kfunc takes a pointer to struct bpf_prog_aux as the last argument,
+ * passed implicitly in BPF */
+#define KF_IMPLICIT_PROG_AUX_ARG (1 << 16)
 
 /*
  * Tag marking a kernel function as a kfunc. This is meant to minimize the
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
@@ -11948,6 +11948,11 @@ static bool is_kfunc_rcu_protected(struct bpf_kfunc_call_arg_meta *meta)
 	return meta->kfunc_flags & KF_RCU_PROTECTED;
 }
 
+static bool is_kfunc_with_implicit_prog_aux_arg(struct bpf_kfunc_call_arg_meta *meta)
+{
+	return meta->kfunc_flags & KF_IMPLICIT_PROG_AUX_ARG;
+}
+
 static bool is_kfunc_arg_mem_size(const struct btf *btf,
 				  const struct btf_param *arg,
 				  const struct bpf_reg_state *reg)
@@ -12029,6 +12034,18 @@ static bool is_kfunc_arg_prog(const struct btf *btf, const struct btf_param *arg
 	return btf_param_match_suffix(btf, arg, "__prog");
 }
 
+static int set_kfunc_arg_prog_regno(struct bpf_verifier_env *env, struct bpf_kfunc_call_arg_meta *meta, u32 regno)
+{
+	if (meta->arg_prog) {
+		verifier_bug(env, "Only 1 prog->aux argument supported per-kfunc");
+		return -EFAULT;
+	}
+	meta->arg_prog = true;
+	cur_aux(env)->arg_prog = regno;
+
+	return 0;
+}
+
 static bool is_kfunc_arg_scalar_with_name(const struct btf *btf,
 					  const struct btf_param *arg,
 					  const char *name)
@@ -13050,6 +13067,21 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
 		return -EINVAL;
 	}
 
+	/* KF_IMPLICIT_PROG_AUX_ARG means that the kfunc has one less argument in BTF,
+	 * so we have to set_kfunc_arg_prog_regno() outside the arg check loop.
+	 */
+	if (is_kfunc_with_implicit_prog_aux_arg(meta)) {
+		if (nargs + 1 > MAX_BPF_FUNC_REG_ARGS) {
+			verifier_bug(env, "A kfunc with KF_IMPLICIT_PROG_AUX_ARG flag has %d > %d args",
+				     nargs + 1, MAX_BPF_FUNC_REG_ARGS);
+			return -EFAULT;
+		}
+		u32 regno = nargs + 1;
+		ret = set_kfunc_arg_prog_regno(env, meta, regno);
+		if (ret)
+			return ret;
+	}
+
 	/* Check that BTF function arguments match actual types that the
 	 * verifier sees.
 	 */
@@ -13066,14 +13098,11 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
 		if (is_kfunc_arg_ignore(btf, &args[i]))
 			continue;
 
+		/* __prog annotation check for backward compatibility */
 		if (is_kfunc_arg_prog(btf, &args[i])) {
-			/* Used to reject repeated use of __prog. */
-			if (meta->arg_prog) {
-				verifier_bug(env, "Only 1 prog->aux argument supported per-kfunc");
-				return -EFAULT;
-			}
-			meta->arg_prog = true;
-			cur_aux(env)->arg_prog = regno;
+			ret = set_kfunc_arg_prog_regno(env, meta, regno);
+			if (ret)
+				return ret;
 			continue;
 		}
 
