Re: [PATCH bpf-next v4 1/2] bpf: Support new pointer param types via SCALAR_VALUE for trampolines

[Slava Imameev <slava.imameev@crowdstrike.com>]

Tue, 10 Mar 2026 11:52:10 -0700, Eduard Zingerman wrote:
> [...]
> 
> > I verified whether PTR->FUNC, PTR->DATASEC, PTR->VAR can be passed to
> > btf_ctx_access() in the current mainline.
> > 
> > I added helpers that inject PTR->FUNC, PTR->DATASEC, PTR->VAR as pre or
> > post calls to btf_check_meta(). In all cases, the BPF program load
> > failed with errors "arg0 type FUNC / DATASEC / VAR is not a struct",
> > which indicates that btf_check_meta() can indeed be called with
> > PTR->FUNC, PTR->DATASEC, PTR->VAR.
> > 
> > If the condition for pointer check is changed to
> > `if (!btf_type_is_struct_ptr(btf, t))`, these BPF programs will load
> > successfully with arguments set to scalar().
> > 
> > Do we accept this change in behavior?
> 
> Kernel validates BTF before loading, see kernel/bpf/btf.c:btf_resolve().
> Validation is applied to kernel, module and program-level BTF.
> Does BTF containing PTR->DATASEC and PTR->VAR pass validation?
> If it does, validation should be updated to reject such cases.
> For PTR->FUNC, which one is legit PTR->FUNC or PTR->FUNC_PROTO?
> The legit one should be allowed and invalid should be rejected
> at validation phase.
> 
> You can craft invalid BTF as in the following selftest:
> tools/testing/selftests/bpf/prog_tests/btf.c.
> 
> [...]

Invalid BTF pointer types PTR->DATASEC, PTR->FUNC, PTR->VAR are
rejected by btf_ptr_resolve(), which is called through the sequence
btf_check_all_types()->btf_resolve()->btf_ptr_resolve().

PTR->FUNC_PROTO is a valid type.

vmlinux BTF is processed by btf_parse_vmlinux, which calls
btf_parse_base. Since btf_parse_base doesn't call btf_check_all_types,
it becomes possible to invoke btf_ctx_access with PTR->DATASEC,
PTR->FUNC, PTR->VAR in case of vmlinux BTF.

Modules and programs BTF are processed by btf_parse, which calls
btf_check_all_types and detects invalid pointer types, so
btf_ctx_access cannot see PTR->DATASEC, PTR->FUNC, PTR->VAR in
these cases.

If btf_check_all_types is added to btf_parse_base, invalid pointer
types get detected inside btf_parse_vmlinux, resulting in failure
to process vmlinux BTF and effectively disabling BPF. libbpf
returns this error:
libbpf: Error in bpf_object__probe_loading(): -EINVAL. Couldn't load
trivial BPF program. Make sure your kernel supports BPF
(CONFIG_BPF_SYSCALL=y) and/or that RLIMIT_MEMLOCK is set to big
enough value.

If vmlinux BTF is trusted not to contain invalid types like
PTR->DATASEC, PTR->FUNC, PTR->VAR, which seems reasonable, we can
conclude that btf_ctx_access will never observe these types.

Adopting the view that vmlinux BTF is consistent, we can replace
btf_ctx_access's condition for inferring scalar() for pointers
from "if (is_void_or_int_ptr(btf, t))" to
"if (!btf_type_is_struct_ptr(btf, t))".

Otherwise, we need to either check types for vmlinux BTF,
incurring additional cost, or use explicit checks for pointer types
that can be inferred as scalar by btf_ctx_access to exclude invalid
types. This would let invalid pointer types be rejected with an
error like "func 'bpf_fentry_test_invalid_ptr_func' arg0 type FUNC
is not a struct".