This is a note to let you know that I've just added the patch titled bpf: make sure scalar args don't accept __arg_nonnull tag to the 6.8-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: bpf-make-sure-scalar-args-don-t-accept-__arg_nonnull.patch and it can be found in the queue-6.8 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit 77572d29a28df711b1feb1c0647fb816662733fa Author: Andrii Nakryiko <andrii@xxxxxxxxxx> Date: Thu Jan 4 16:09:03 2024 -0800 bpf: make sure scalar args don't accept __arg_nonnull tag [ Upstream commit 18810ad3929ff6b5d8e67e3adc40d690bd780fd6 ] Move scalar arg processing in btf_prepare_func_args() after all pointer arg processing is done. This makes it easier to do validation. One example of unintended behavior right now is ability to specify __arg_nonnull for integer/enum arguments. This patch fixes this. Signed-off-by: Andrii Nakryiko <andrii@xxxxxxxxxx> Acked-by: Eduard Zingerman <eddyz87@xxxxxxxxx> Link: https://lore.kernel.org/r/20240105000909.2818934-3-andrii@xxxxxxxxxx Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx> Stable-dep-of: 1eb986746a67 ("bpf: don't emit warnings intended for global subprogs for static subprogs") Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c index 5964711891767..dbe7a590f565a 100644 --- a/kernel/bpf/btf.c +++ b/kernel/bpf/btf.c @@ -7058,10 +7058,6 @@ int btf_prepare_func_args(struct bpf_verifier_env *env, int subprog) while (btf_type_is_modifier(t)) t = btf_type_by_id(btf, t->type); - if (btf_type_is_int(t) || btf_is_any_enum(t)) { - sub->args[i].arg_type = ARG_ANYTHING; - continue; - } if (btf_type_is_ptr(t) && btf_get_prog_ctx_type(log, btf, t, prog_type, i)) { sub->args[i].arg_type = ARG_PTR_TO_CTX; continue; @@ -7091,6 +7087,10 @@ int btf_prepare_func_args(struct bpf_verifier_env *env, int subprog) bpf_log(log, "arg#%d marked as non-null, but is not a pointer type\n", i); return -EINVAL; } + if (btf_type_is_int(t) || btf_is_any_enum(t)) { + sub->args[i].arg_type = ARG_ANYTHING; + continue; + } bpf_log(log, "Arg#%d type %s in %s() is not supported yet.\n", i, btf_type_str(t), tname); return -EINVAL;