On Tue, 2025-07-22 at 11:46 -0700, Eduard Zingerman wrote:
[...]
> > @@ -2274,7 +2278,8 @@ static bool reg_is_pkt_pointer_any(const struct bpf_reg_state *reg)
> > static bool reg_is_dynptr_slice_pkt(const struct bpf_reg_state *reg)
> > {
> > return base_type(reg->type) == PTR_TO_MEM &&
> > - (reg->type & DYNPTR_TYPE_SKB || reg->type & DYNPTR_TYPE_XDP);
> > + (reg->type &
> > + (DYNPTR_TYPE_SKB | DYNPTR_TYPE_XDP | DYNPTR_TYPE_SKB_META));
> > }
>
> Note: This function is used to identify pointers to packet data that
> might be stale after call to one of the functions in list [1].
> Once such pointers are identified, verifier would disallow
> access through these pointers.
> dynptr_from_skb_meta() is implemented as:
>
> bpf_dynptr_init(ptr, skb, BPF_DYNPTR_TYPE_SKB_META, 0, skb_metadata_len(skb));
>
> here any read or write goes through skb object, not a pointer derived from it.
> Given above, is it still necessary to list DYNPTR_FROM_SKB_META here?
> Or some functions from [1] can change skb_metadata_len(skb)?
>
> [1] https://elixir.bootlin.com/linux/v6.15.7/source/net/core/filter.c#L7989
Nevermind, it is necessary, otherwise your tests skb_meta_invalid_data_slice*
would be accepted. Sorry for the noise.
