From: Alexei Starovoitov
Date: Tue, 24 Mar 2026 20:36:32 +0000 (-0700)
Subject: Merge branch 'bpf-add-multi-level-pointer-parameter-support-for-trampolines'
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=70275388aeaa85027af76d26a803e9be35aba95e;p=thirdparty%2Fkernel%2Flinux.git

Merge branch 'bpf-add-multi-level-pointer-parameter-support-for-trampolines'

Slava Imameev says:

====================
bpf: Add multi-level pointer parameter support for trampolines

This is v6 of a series adding support for new pointer types for
trampoline parameters.

Originally, only support for multi-level pointers was proposed.
As suggested during review, it was extended to single-level pointers.
During discussion, it was proposed to add support for any single or
multi-level pointer type that is not a single-level pointer to a
structure, with the condition if (!btf_type_is_struct(t)). The safety
of this condition is based on BTF data verification performed for
modules and programs, and vmlinux BTF being trusted to not contain
invalid types, so it is not possible for invalid types, like
PTR->DATASEC, PTR->FUNC, PTR->VAR and corresponding multi-level
pointers, to reach btf_ctx_access.

These changes appear to be a safe extension since any future support
for arrays and output values would require annotation (similar to
Microsoft SAL), which differentiates between current unannotated
scalar cases and new annotated cases.

This series adds BPF verifier support for single- and multi-level
pointer parameters and return values in BPF trampolines. The
implementation treats these parameters as SCALAR_VALUE.

This is consistent with existing pointers to int and void that are
already treated as SCALAR.

This provides consistent logic for single- and multi-level pointers:
if the type is treated as SCALAR for a single-level pointer, the same
applies to multi-level pointers, except for pointers to structs which
are currently PTR_TO_BTF_ID.
However, in the case of multi-level pointers, they are treated as
scalar since the verifier lacks the context to infer the size of their
target memory regions.

Background:

Prior to these changes, accessing multi-level pointer parameters or
return values through BPF trampoline context arrays resulted in
verification failures in btf_ctx_access, producing errors such as:

    func '%s' arg%d type %s is not a struct

For example, consider a BPF program that logs an input parameter of
type struct posix_acl **:

    SEC("fentry/__posix_acl_chmod")
    int BPF_PROG(trace_posix_acl_chmod, struct posix_acl **ppacl, gfp_t gfp,
                 umode_t mode)
    {
        bpf_printk("__posix_acl_chmod ppacl = %px\n", ppacl);
        return 0;
    }

This program failed BPF verification with the following error:

    libbpf: prog 'trace_posix_acl_chmod': -- BEGIN PROG LOAD LOG --
    0: R1=ctx() R10=fp0
    ; int BPF_PROG(trace_posix_acl_chmod, struct posix_acl **ppacl, gfp_t gfp, umode_t mode) @ posix_acl_monitor.bpf.c:23
    0: (79) r6 = *(u64 *)(r1 +16)         ; R1=ctx() R6_w=scalar()
    1: (79) r1 = *(u64 *)(r1 +0)
    func '__posix_acl_chmod' arg0 type PTR is not a struct
    invalid bpf_context access off=0 size=8
    processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
    -- END PROG LOAD LOG --

The common workaround involved using helper functions to fetch
parameter values by passing the address of the context array entry:

    SEC("fentry/__posix_acl_chmod")
    int BPF_PROG(trace_posix_acl_chmod, struct posix_acl **ppacl, gfp_t gfp,
                 umode_t mode)
    {
        struct posix_acl **pp;
        bpf_probe_read_kernel(&pp, sizeof(ppacl), &ctx[0]);
        bpf_printk("__posix_acl_chmod %px\n", pp);
        return 0;
    }

This approach introduced helper call overhead and created
inconsistency with parameter access patterns.

Improvements:

With this patch, trampoline programs can directly access multi-level
pointer parameters, eliminating helper call overhead and explicit ctx
access while ensuring consistent parameter handling.
For example, the following ctx access with a helper call:

    SEC("fentry/__posix_acl_chmod")
    int BPF_PROG(trace_posix_acl_chmod, struct posix_acl **ppacl, gfp_t gfp,
                 umode_t mode)
    {
        struct posix_acl **pp;
        bpf_probe_read_kernel(&pp, sizeof(pp), &ctx[0]);
        bpf_printk("__posix_acl_chmod %px\n", pp);
        ...
    }

is replaced by a load instruction:

    SEC("fentry/__posix_acl_chmod")
    int BPF_PROG(trace_posix_acl_chmod, struct posix_acl **ppacl, gfp_t gfp,
                 umode_t mode)
    {
        bpf_printk("__posix_acl_chmod %px\n", ppacl);
        ...
    }

The bpf_core_cast macro can be used for deeper level dereferences.

v1 -> v2:
* corrected maintainer's email

v2 -> v3:
* Addressed reviewers' feedback:
  * Changed the register type from PTR_TO_MEM to SCALAR_VALUE.
  * Modified tests to accommodate SCALAR_VALUE handling.
* Fixed a compilation error for loongarch
  * https://lore.kernel.org/oe-kbuild-all/202602181710.tEK6nOl6-lkp@intel.com/
* Addressed AI bot review
  * Added a commentary to address a NULL pointer case
  * Removed WARN_ON
  * Fixed a commentary

v3 -> v4:
* Added more consistent support for single and multi-level pointers
  as suggested by reviewers.
  * added single level pointers to enum 32 and 64
  * added single level pointers to functions
  * harmonized support for single and multi-level pointer types
  * added new tests to support the above changes
* Removed create_bad_kaddr that allocated and invalidated kernel VA
  for tests, and replaced it with hardcoded values similar to
  bpf_testmod_return_ptr as suggested by reviewers.

v4 -> v5:
* As suggested, extended support to single-level pointers and covered
  all supported valid pointer (single- and multi-level) types with a
  wider condition if (!btf_type_is_struct(t)).
* As requested, simplified tests by keeping only tests that check the
  verifier log for scalar().

v5 -> v6:
* Fixed the test message based on the bot's feedback.
====================

Link: https://patch.msgid.link/20260314082127.7939-1-slava.imameev@crowdstrike.com
Signed-off-by: Alexei Starovoitov
---

70275388aeaa85027af76d26a803e9be35aba95e
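
The register-type rule described in the cover letter above, as a simplified user-space C model (an added example, not code from the kernel or from this series). The enums, struct type, sample types and the classify_before/classify_after functions are assumptions made for illustration; modifiers such as const and typedef are not modelled.

```c
#include <stddef.h>
#include <stdio.h>

/* Illustrative stand-ins for BTF kinds and verifier register types. */
enum kind { K_VOID, K_INT, K_ENUM, K_STRUCT, K_PTR };
enum reg  { NOT_MODELLED, REJECT, SCALAR_VALUE, PTR_TO_BTF_ID };
struct type { enum kind kind; const struct type *target; /* K_PTR only */ };

/* Constructed sample types. */
static const struct type t_void = { K_VOID, NULL }, t_int = { K_INT, NULL },
                         t_enum = { K_ENUM, NULL }, t_acl = { K_STRUCT, NULL };
static const struct type p_void = { K_PTR, &t_void }, p_int = { K_PTR, &t_int },
                         p_enum = { K_PTR, &t_enum };
static const struct type p_acl  = { K_PTR, &t_acl };   /* struct posix_acl *  */
static const struct type pp_acl = { K_PTR, &p_acl };   /* struct posix_acl ** */

/* Before the series: pointers to int/void were scalars, a pointer to a
 * struct was PTR_TO_BTF_ID, and any other pointee hit "is not a struct". */
static enum reg classify_before(const struct type *arg)
{
    if (arg->kind != K_PTR)
        return NOT_MODELLED;            /* this model covers pointers only */
    if (arg->target->kind == K_VOID || arg->target->kind == K_INT)
        return SCALAR_VALUE;
    return arg->target->kind == K_STRUCT ? PTR_TO_BTF_ID : REJECT;
}

/* After the series: if (!btf_type_is_struct(t)) the value is a scalar, so
 * the program can log or compare it but not dereference it directly. */
static enum reg classify_after(const struct type *arg)
{
    if (arg->kind != K_PTR)
        return NOT_MODELLED;
    return arg->target->kind == K_STRUCT ? PTR_TO_BTF_ID : SCALAR_VALUE;
}

int main(void)
{
    static const char *name[] = { "n/a", "REJECT", "SCALAR_VALUE", "PTR_TO_BTF_ID" };
    const struct { const char *decl; const struct type *t; } args[] = {
        { "void *", &p_void }, { "int *", &p_int }, { "enum e *", &p_enum },
        { "struct posix_acl *", &p_acl }, { "struct posix_acl **", &pp_acl },
    };
    for (size_t i = 0; i < sizeof(args) / sizeof(args[0]); i++)
        printf("%-20s before=%-13s after=%s\n", args[i].decl,
               name[classify_before(args[i].t)], name[classify_after(args[i].t)]);
    return 0;
}
```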