Re: [PATCH bpf-next v4 1/2] bpf: Support new pointer param types via SCALAR_VALUE for trampolines

[Slava Imameev <slava.imameev@crowdstrike.com>]

On Tue, 03 Mar 2026 16:38:57 -0800, Eduard Zingerman wrote:
> On Wed, 2026-03-04 at 11:22 +1100, Slava Imameev wrote:
> > On Tue, 03 Mar 2026 14:43:01, Eduard Zingerman wrote:
> > > On Wed, 2026-03-04 at 08:49 +1100, Slava Imameev wrote:
> > > > On 2026-03-03 20:05 UTC, Eduard Zingerman wrote:
> > > > 
> > > > > > @@ -6902,11 +6921,7 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type,
> > > > > >               }
> > > > > >       }
> > > > > > 
> > > > > > -     /*
> > > > > > -      * If it's a pointer to void, it's the same as scalar from the verifier
> > > > > > -      * safety POV. Either way, no futher pointer walking is allowed.
> > > > > > -      */
> > > > > > -     if (is_void_or_int_ptr(btf, t))
> > > > > > +     if (is_ptr_treated_as_scalar(btf, t))
> > > > > >               return true;
> > > > > 
> > > > > I'm probably missing a point here, but what's wrong with Alexei's
> > > > > suggestion to do this instead:
> > > > > 
> > > > >         if (is_ptr_treated_as_scalar(btf, t))
> > > > >                  return true;
> > > > > ?
> > > 
> > > Uh-oh, I copy-pasted the wrong snippet, sorry.
> > > The correct snippet is:
> > > 
> > >          if (btf_type_is_struct_ptr(btf, t))
> > >                   return true;
> > > 
> > > With it the selftests pass (except for `float` tests noted earlier).
> > > And regardless of selftests, the code below this point will
> > > error out if `t` is not a pointer to struct.
> > 
> > I think you tested with
> > 
> > 	if (!btf_type_is_struct_ptr(btf, t))
> > 		return true;
> > 
> > I decided on a narrower condition, as
> > 
> > - if (!btf_type_is_struct_ptr(btf, t)) -
> 
> Yes, sorry again.
> 
> > changes the existing selection condition from "treat only these types
> > as scalar" to "treat as scalar any type that is not a pointer to
> > structure". Technically both approaches cover the problem I'm trying
> > to solve - multilevel pointer support for structures, but the latter is
> > open-ended and changes the current approach, which checks for pointers
> > to int and void. So I'm extending this to int, void, enum 32/64,
> > function, and corresponding multilevel pointers to these types and
> > multilevel pointers to structures.
> 
> BTF is defined for the following non-modifier types:
> - void        [allowed already]
> - int         [allowed already]
> - ptr         [multi-level pointers allowed by your patch]
> - array       [disallowed?]
> - struct      [single level pointers allowed already,
> - union		   multi-level allowed by your patch]
> - enum/enum64 [allowed by your patch]
> - func_proto  [allowed by your patch]
> - float       [disallowed]
> 
> And a few not reachable from function fields (I think BTF validation
> checks that these can't be met, but would be good to double-check.
> If it doesn't, it should):
> - func
> - var
> - datasec
> 
> So, effectively you disallow reading from tracing context fields of
> type: struct (non-pointer), array, float and a few types that can't be
> specified for struct fields.
> 
> Does not seem necessary, tbh.

I verified whether PTR->FUNC, PTR->DATASEC, PTR->VAR can be passed to
btf_ctx_access() in the current mainline.

I added helpers that inject PTR->FUNC, PTR->DATASEC, PTR->VAR as pre or
post calls to btf_check_meta(). In all cases, the BPF program load
failed with errors "arg0 type FUNC / DATASEC / VAR is not a struct",
which indicates that btf_check_meta() can indeed be called with
PTR->FUNC, PTR->DATASEC, PTR->VAR.

If the condition for pointer check is changed to
`if (!btf_type_is_struct_ptr(btf, t))`, these BPF programs will load
successfully with arguments set to scalar().

Do we accept this change in behavior?

Test case with invalid BTF types injection:
https://github.com/slava-at-cs/bpf/commit/c49af6500ace4e4aceee01c570e3b067aae7e48c

Branch:
https://github.com/slava-at-cs/bpf/commits/inject-invalid-btf/

To run test:
./vmtest.sh -- ./test_progs -t verifier_btf_ctx_access

The verifier log:
=============
0: R1=ctx() R10=fp0
; asm volatile ("					\ @ verifier_btf_ctx_access.c:85
0: (79) r2 = *(u64 *)(r1 +0)
func 'bpf_fentry_test_invalid_ptr_func' arg0 type FUNC is not a struct
invalid bpf_context access off=0 size=8
processed 1 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
=============

=============
0: R1=ctx() R10=fp0
; asm volatile ("					\ @ verifier_btf_ctx_access.c:85
0: (79) r2 = *(u64 *)(r1 +0)
func 'bpf_fentry_test_invalid_ptr_func' arg0 type DATASEC is not a struct
invalid bpf_context access off=0 size=8
processed 1 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
=============

=============
0: R1=ctx() R10=fp0
; asm volatile ("					\ @ verifier_btf_ctx_access.c:85
0: (79) r2 = *(u64 *)(r1 +0)
func 'bpf_fentry_test_invalid_ptr_func' arg0 type VAR is not a struct
invalid bpf_context access off=0 size=8
processed 1 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
=============