bpf: Support pointer param types via SCALAR_VALUE for trampolines

Add BPF verifier support for single- and multi-level pointer
parameters and return values in BPF trampolines by treating these
parameters as SCALAR_VALUE.

This extends the existing support for int and void pointers that are
already treated as SCALAR_VALUE.

This provides consistent logic for single and multi-level pointers:
if a type is treated as SCALAR for a single-level pointer, the same
applies to multi-level pointers. The exception is pointer-to-struct,
which is currently PTR_TO_BTF_ID for single-level but treated as
scalar for multi-level pointers since the verifier lacks context
to infer the size of target memory regions.

Safety is ensured by existing BTF verification, which rejects invalid
pointer types at the BTF verification stage.

Signed-off-by: Slava Imameev <slava.imameev@crowdstrike.com>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20260314082127.7939-2-slava.imameev@crowdstrike.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 0c465f0077d5495bafffdca88db6f22c0f4810be..15f4c99a46c0f28263ca5aea5ff6e165766ef07c 100644 (file)
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -6517,13 +6517,6 @@ struct btf *bpf_prog_get_target_btf(const struct bpf_prog *prog)
                return prog->aux->attach_btf;
 }
 
-static bool is_void_or_int_ptr(struct btf *btf, const struct btf_type *t)
-{
-       /* skip modifiers */
-       t = btf_type_skip_modifiers(btf, t->type, NULL);
-       return btf_type_is_void(t) || btf_type_is_int(t);
-}
-
 u32 btf_ctx_arg_idx(struct btf *btf, const struct btf_type *func_proto,
                    int off)
 {
@@ -6912,10 +6905,14 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type,
        }
 
        /*
-        * If it's a pointer to void, it's the same as scalar from the verifier
-        * safety POV. Either way, no futher pointer walking is allowed.
+        * If it's a single or multilevel pointer, except a pointer
+        * to a structure, it's the same as scalar from the verifier
+        * safety POV. Multilevel pointers to structures are treated as
+        * scalars. The verifier lacks the context to infer the size of
+        * their target memory regions. Either way, no further pointer
+        * walking is allowed.
         */
-       if (is_void_or_int_ptr(btf, t))
+       if (!btf_type_is_struct_ptr(btf, t))
                return true;
 
        /* this is a pointer to another type */