bpf: Avoid warning on multiple referenced args in call

pchaigno · anakryiko · commit 65fdafd6765f · 2025-07-02T10:43:38.000-07:00
The description of full helper calls in syzkaller [1] and the addition of kernel warnings in commit 0df1a55 ("bpf: Warn on internal verifier errors") allowed syzbot to reach a verifier state that was thought to indicate a verifier bug [2]: 12: (85) call bpf_tcp_raw_gen_syncookie_ipv4#204 verifier bug: more than one arg with ref_obj_id R2 2 2 This error can be reproduced with the program from the previous commit: 0: (b7) r2 = 20 1: (b7) r3 = 0 2: (18) r1 = 0xffff92cee3cbc600 4: (85) call bpf_ringbuf_reserve#131 5: (55) if r0 == 0x0 goto pc+3 6: (bf) r1 = r0 7: (bf) r2 = r0 8: (85) call bpf_tcp_raw_gen_syncookie_ipv4#204 9: (95) exit bpf_tcp_raw_gen_syncookie_ipv4 expects R1 and R2 to be ARG_PTR_TO_FIXED_SIZE_MEM (with a size of at least sizeof(struct iphdr) for R1). R0 is a ring buffer payload of 20B and therefore matches this requirement. The verifier reaches the check on ref_obj_id while verifying R2 and rejects the program because the helper isn't supposed to take two referenced arguments. This case is a legitimate rejection and doesn't indicate a kernel bug, so we shouldn't log it as such and shouldn't emit a kernel warning. Link: google/syzkaller#4313 [1] Link: https://lore.kernel.org/all/686491d6.a70a0220.3b7e22.20ea.GAE@google.com/T/ [2] Fixes: 457f443 ("bpf: Implement BPF ring buffer and verifier support for it") Fixes: 0df1a55 ("bpf: Warn on internal verifier errors") Reported-by: syzbot+69014a227f8edad4d8c6@syzkaller.appspotmail.com Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Link: https://lore.kernel.org/r/cd09afbfd7bef10bbc432d72693f78ffdc1e8ee5.1751463262.git.paul.chaignon@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
@@ -9673,10 +9673,10 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
 
 	if (reg->ref_obj_id && base_type(arg_type) != ARG_KPTR_XCHG_DEST) {
 		if (meta->ref_obj_id) {
-			verifier_bug(env, "more than one arg with ref_obj_id R%d %u %u",
-				     regno, reg->ref_obj_id,
-				     meta->ref_obj_id);
-			return -EFAULT;
+			verbose(env, "more than one arg with ref_obj_id R%d %u %u",
+				regno, reg->ref_obj_id,
+				meta->ref_obj_id);
+			return -EACCES;
 		}
 		meta->ref_obj_id = reg->ref_obj_id;
 	}

Original file line number	Diff line number	Diff line change
`@@ -9673,10 +9673,10 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,`
`9673`	`9673`
`9674`	`9674`	`if (reg->ref_obj_id && base_type(arg_type) != ARG_KPTR_XCHG_DEST) {`
`9675`	`9675`	`if (meta->ref_obj_id) {`
`9676`		`- verifier_bug(env, "more than one arg with ref_obj_id R%d %u %u",`
`9677`		`- regno, reg->ref_obj_id,`
`9678`		`- meta->ref_obj_id);`
`9679`		`- return -EFAULT;`
	`9676`	`+ verbose(env, "more than one arg with ref_obj_id R%d %u %u",`
	`9677`	`+ regno, reg->ref_obj_id,`
	`9678`	`+ meta->ref_obj_id);`
	`9679`	`+ return -EACCES;`
`9680`	`9680`	`}`
`9681`	`9681`	`meta->ref_obj_id = reg->ref_obj_id;`
`9682`	`9682`	`}`