Re: [PATCH bpf v4 2/3] bpf: Add validation for bpf_set_retval argument
From: Xu Kuohai
Date: Thu Jun 04 2026 - 22:50:47 EST
On 6/5/2026 12:29 AM, Alexei Starovoitov wrote:
On Thu, Jun 4, 2026 at 6:52 AM <bot+bpf-ci@xxxxxxxxxx> wrote:
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c^^^^^^^^^^^^^^^
index 7fb88e1cd7c4..1bf58685b655 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -9952,6 +9952,7 @@ static int do_refine_retval_range(struct bpf_verifier_env *env,
int func_id,
struct bpf_call_arg_meta *meta)
{
+ struct bpf_retval_range range;
struct bpf_reg_state *ret_reg = ®s[BPF_REG_0];
if (ret_type != RET_INTEGER)
@@ -9980,6 +9981,29 @@ static int do_refine_retval_range(struct bpf_verifier_env *env,
ret_reg->s32_min_value = 0;
reg_bounds_sync(ret_reg);
break;
+ case BPF_FUNC_get_retval:
+ /*
+ * bpf_get_reval may see arbitrary value passed by bpf_prog_run_array_cg for
+ * CGROUP_GETSOCKOPT type.
+ */
+ if (env->prog->type == BPF_PROG_TYPE_CGROUP_SOCKOPT &&
+ env->prog->expected_attach_type == BPF_CGROUP_GETSOCKOPT)
+ break;
+
+ if (env->prog->type == BPF_PROG_TYPE_LSM &&
+ env->prog->expected_attach_type == BPF_LSM_CGROUP) {
+ if (!env->prog->aux->attach_func_proto->type)
+ break;
+ bpf_lsm_get_retval_range(env->prog, &range);
+ } else {
+ range.minval = -MAX_ERRNO;
+ range.maxval = 0;
+ }
+
+ reg_set_srange64(ret_reg, range.minval, range.maxval);
+ reg_set_srange32(ret_reg, range.minval, range.maxval);
Are reg_set_srange64() and reg_set_srange32() defined in this kernel? A
search across the entire tree finds only these two call sites and no
definition. The struct bpf_retval_range has minval/maxval fields but no
associated reg_set_srange* helper exists in this codebase.
AI is correct, because patch subject is wrong.
It should have been [PATCH bpf-next v4].
Pls resubmit targeting correct tree.
OK, will target bpf-next in v5.
pw-bot: cr