Re: [PATCH bpf-next v2 3/5] bpf: Allow subprogs to return arena pointers

["Emil Tsalapatis" <emil@etsalapatis.com>]

On Mon Jun 1, 2026 at 3:01 PM EDT, Eduard Zingerman wrote:
> On Fri, 2026-05-29 at 20:22 -0400, Emil Tsalapatis wrote:
>> BPF subprogs currently only return void or scalar values. However,
>> it is also safe to return arena pointers between subprogs in the same
>> BPF program: Arena pointers are guaranteed to be safe for both programs
>> at any point. Expand the verifier to permit returning an arena pointer
>> to the caller.
>> 
>> The main subprog is still not allowed to return an arena pointer because
>> arena pointers are internal to the BPF program, and the return values
>> permitted for each main subprog depend on the program type anyway.
>> 
>> Signed-off-by: Emil Tsalapatis <emil@etsalapatis.com>
>> ---
>
> Acked-by: Eduard Zingerman <eddyz87@gmail.com>
>
> [...]
>
>> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
>> index c6a930aca67e..7a8101879f84 100644
>> --- a/kernel/bpf/btf.c
>> +++ b/kernel/bpf/btf.c
>> @@ -7880,6 +7880,36 @@ static int btf_scan_type_tags(struct bpf_verifier_env *env,
>>  	return 0;
>>  }
>>  
>> +/* Check whether the type is a valid return type. */
>> +static int btf_validate_return_type(struct bpf_verifier_env *env, struct btf *btf,
>> +		const struct btf_type *t, int subprog)
>> +{
>> +	u32 tags = 0;
>> +	int err;
>> +
>> +	err = btf_scan_type_tags(env, btf, t->type, &tags);
>> +	if (err)
>> +		return err;
>> +	t = btf_type_by_id(btf, t->type);
>> +
>> +	while (btf_type_is_modifier(t))
>> +		t = btf_type_by_id(btf, t->type);
>
> Nit: btf_type_skip_modifiers().
>
>> +
>> +	/*
>> +	 * We allow all subprogs except for the main one to return any kind of arena pointer.
>> +	 * General arena variables are not allowed, since it makes no sense to return by value
>> +	 * a variable that's on the heap in the first place.
>> +	 */
>> +	if (subprog && (tags & ARG_TAG_ARENA) && btf_type_is_ptr(t))
>> +		return 0;
>> +
>> +	/* We always accept void or scalars. */
>> +	if (btf_type_is_void(t) || btf_type_is_int(t) || btf_is_any_enum(t))
>> +		return 0;
>> +
>> +	return -EOPNOTSUPP;
>> +}
>> +
>>  /* Process BTF of a function to produce high-level expectation of function
>>   * arguments (like ARG_PTR_TO_CTX, or ARG_PTR_TO_MEM, etc). This information
>>   * is cached in subprog info for reuse.
>> @@ -7963,17 +7993,15 @@ int btf_prepare_func_args(struct bpf_verifier_env *env, int subprog)
>>  			tname, nargs, MAX_BPF_FUNC_REG_ARGS);
>>  		return -EINVAL;
>>  	}
>> -	/* check that function is void or returns int, exception cb also requires this */
>> -	t = btf_type_by_id(btf, t->type);
>> -	while (btf_type_is_modifier(t))
>> -		t = btf_type_by_id(btf, t->type);
>> -	if (!btf_type_is_void(t) && !btf_type_is_int(t) && !btf_is_any_enum(t)) {
>> -		if (!is_global)
>> -			return -EINVAL;
>> -		bpf_log(log,
>> -			"Global function %s() return value not void or scalar. "
>> -			"Only those are supported.\n",
>> -			tname);
>> +
>> +	err = btf_validate_return_type(env, btf, t, subprog);
>> +	if (err) {
>> +		if (is_global) {
>
> I understand that this is how it was implemented previously,
> but do we report a sane error if non-global function returns
> non-void/int/enum?
>

TL;DR for non-statics we consider the signature buggy and stop using it,
which seems to only matter for tracing/ext programs, and even there it
doesn't always make them fail.

I looked into this a bit, we are reporting -EOPNOTSUPP on all error paths that ends
up marking the subprog's BTF as unreliable. This prevents the function
from being EXT'ed, and forces the JIT to spill more registers in the
trampoline for fentry programs (while also loses all type info about
them). I don't think we need to add anything more for the time being on
the handling.


>> +			bpf_log(log,
>> +				"Global function %s() return value not void or scalar. "
>> +				"Only those are supported.\n",
>> +				tname);
>> +		}
>>  		return -EINVAL;
>
> Nit: 'return err'?
>
>>  	}
>>  
>
> [...]