bpf: Compare parent_id in refsafe() for REF_TYPE_PTR

refsafe() compared each reference's id and type but not its parent_id, so two states whose PTR references differ only in the parent object they were derived from could be wrongly treated as equivalent and pruned. Fix it by checking parent_id too. Fixes: 308c7a0ae885 ("bpf: Refactor object relationship tracking and fix dynptr UAF bug") Signed-off-by: Amery Hung <ameryhung@gmail.com> Link: https://lore.kernel.org/r/20260605202056.1780352-4-ameryhung@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
author: Amery Hung <ameryhung@gmail.com> 2026-06-05 13:20:54 -0700
committer: Alexei Starovoitov <ast@kernel.org> 2026-06-05 14:18:20 -0700
commit: 41025f441fe6addd93d2c333a3a184331e8ef6cf (patch)
tree: f651af298fccf3cf7975d28ee8ecc3b76438e8b3 /kernel/bpf
parent: 73d475dc6c13177fce0d9d892bff33299c8ad56a (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/kernel/bpf/states.c b/kernel/bpf/states.c
index 5945956a7573..06d9ae24f006 100644
--- a/kernel/bpf/states.c
+++ b/kernel/bpf/states.c
@@ -890,6 +890,9 @@ static bool refsafe(struct bpf_verifier_state *old, struct bpf_verifier_state *c
 			return false;
 		switch (old->refs[i].type) {
 		case REF_TYPE_PTR:
+			if (!check_ids(old->refs[i].parent_id, cur->refs[i].parent_id, idmap))
+				return false;
+			break;
 		case REF_TYPE_IRQ:
 			break;
 		case REF_TYPE_LOCK:
author	Amery Hung <ameryhung@gmail.com>	2026-06-05 13:20:54 -0700
committer	Alexei Starovoitov <ast@kernel.org>	2026-06-05 14:18:20 -0700
commit	41025f441fe6addd93d2c333a3a184331e8ef6cf (patch)
tree	f651af298fccf3cf7975d28ee8ecc3b76438e8b3 /kernel/bpf
parent	73d475dc6c13177fce0d9d892bff33299c8ad56a (diff)