From: Slava Imameev <slava.imameev@crowdstrike.com>
To: <eddyz87@gmail.com>
Cc: <andrii@kernel.org>, <ast@kernel.org>, <bpf@vger.kernel.org>,
<daniel@iogearbox.net>, <davem@davemloft.net>,
<edumazet@google.com>, <haoluo@google.com>, <horms@kernel.org>,
<john.fastabend@gmail.com>, <jolsa@kernel.org>,
<kpsingh@kernel.org>, <kuba@kernel.org>,
<linux-kernel@vger.kernel.org>, <linux-kselftest@vger.kernel.org>,
<linux-open-source@crowdstrike.com>, <martin.lau@linux.dev>,
<netdev@vger.kernel.org>, <pabeni@redhat.com>, <sdf@fomichev.me>,
<shuah@kernel.org>, <slava.imameev@crowdstrike.com>,
<song@kernel.org>, <yonghong.song@linux.dev>
Subject: Re: Re: [PATCH bpf-next v2 0/2] bpf: Add multi-level pointer parameter
Date: Wed, 18 Feb 2026 21:43:28 +1100
Message-ID: <20260218104328.14341-1-slava.imameev@crowdstrike.com>
In-Reply-To: <bb4bf5fe648ac71c969c6228ac6e72ea85cbc64b.camel@gmail.com>
> > The verifier assigns SCALAR type to single-level pointers (void*, int*).
>
> So, the simplest change for pointers to pointers would be as below, right?
>
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -6906,7 +6906,8 @@ bool btf_ctx_access(int off, int size, enum bpf_acc=
ess_type type,
> * If it's a pointer to void, it's the same as scalar from the ve=
rifier
> * safety POV. Either way, no futher pointer walking is allowed.
> */
> - if (is_void_or_int_ptr(btf, t))
> + if (is_void_or_int_ptr(btf, t) || !is_ptr_to_struct(btf, t))
> return true;
>
> /* this is a pointer to another type */
>
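Review bot: On the changed condition, !is_ptr_to_struct(btf, t) is true for every pointer that does not point to a struct, so it covers more than pointers to pointers, and if it is also true for the void and int pointers matched by is_void_or_int_ptr(btf, t), the first operand becomes redundant. Consider a predicate that names the intended case, or drop the redundant operand, and update the comment above the condition, which still describes only the pointer-to-void case ("futher" there should read "further").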
> Except that loaded value would be marked as scalar() and one would
> need to cast it using e.g. bpf_core_cast() to obtain an untrusted
> pointer.

I considered using a scalar as a simpler solution, but there are some
disadvantages with casting to scalar and using bpf_core_cast:

 - Casting to scalar removes nullable and trusted properties
 - bpf_core_cast cannot cast to multi-level pointers without
   introducing a new typedef or a wrapper for a pointer

Let's consider the following LSM program which has trusted parameters, and
logs the value for (*mnt_opts):

    SEC("lsm/sb_eat_lsm_opts")
    int BPF_PROG(sb_eat_lsm_opts_1, char *options, void **mnt_opts)

With this patch:

 - This program is valid:

    SEC("lsm/sb_eat_lsm_opts")
    int BPF_PROG(sb_eat_lsm_opts_1, char *options, void **mnt_opts)
    {
        bpf_printk("%p\n", *mnt_opts);
        return 0;
    }

 - This program is semantically invalid as mnt_opts is a trusted
   parameter, so there are no run-time checks and the verifier rejects
   out-of-bounds access:

    SEC("lsm/sb_eat_lsm_opts")
    int BPF_PROG(sb_eat_lsm_opts_1, char *options, void **mnt_opts)
    {
        bpf_printk("%p\n", *(mnt_opts+10));
        return 0;
    }

With casting to a scalar followed by bpf_core_cast:

 - This program cannot be compiled as bpf_core_cast cannot cast to a
   multi-level pointer:

    SEC("lsm/sb_eat_lsm_opts")
    int BPF_PROG(sb_eat_lsm_opts_1, char *options, void **mnt_opts)
    {
        void** ppt = bpf_core_cast(mnt_opts, void*);
        bpf_printk("%p\t", *ppt);
        return 0;
    }

 - There is a workaround, which requires introducing a wrapper for
   a pointer or typedef:

    struct pvoid {
        void* v;
    };

    typedef void* pvoid;

    SEC("lsm/sb_eat_lsm_opts")
    int BPF_PROG(sb_eat_lsm_opts_1, char *options, void **mnt_opts)
    {
        struct pvoid* ppt = bpf_core_cast(mnt_opts, struct pvoid);
        bpf_printk("%p\t", ppt->v);
        return 0;
    }

    SEC("lsm/sb_eat_lsm_opts")
    int BPF_PROG(sb_eat_lsm_opts_2, char *options, void **mnt_opts)
    {
        pvoid* ppt = bpf_core_cast(mnt_opts, pvoid);
        bpf_printk("%p\t", *ppt);
        return 0;
    }

 - This program passes the verifier, though it is semantically invalid
   as it logs invalid data using a trusted parameter:

    SEC("lsm/sb_eat_lsm_opts")
    int BPF_PROG(sb_eat_lsm_opts_1, char *options, void **mnt_opts)
    {
        struct pvoid* ppt = bpf_core_cast(mnt_opts + 10, struct pvoid);
        bpf_printk("%p\t", ppt->v);
        return 0;
    }

Similar examples can be made for the nullable annotation, which
is ignored for a scalar, allowing semantically invalid BPF programs to
pass the verifier.

> > For multi-level pointers, I selected PTR_TO_MEM to enable memory access
> > through a single load instruction for the first level of dereference,
> > with subsequent dereferences becoming SCALAR. This design eliminates
> > helper call for parameter dereference, replacing it with a load
> > instruction (e.g., void* ptr = *pptr).
>
> If going this route instead, is there a technical reason to limit this
> logic to multi-level pointers? Applying same rules to `int *` and
> alike seem more consistent.

I decided to address only multilevel pointers as this is what we
encountered in practice and have to use BPF helper workarounds.
I think there are no technical restrictions for treating single
level pointers as PTR_TO_MEM.

However, there is some cohesion between multilevel pointers being
PTR_TO_MEM and single level being scalar, as verifier infers a scalar
for PTR_TO_MEM dereference, so:

    foo(void *ptr1, void **pptr)
    {
        void* ptr2 = *pptr; /* verifier infers a scalar for ptr2 */
        /* both ptr1 and ptr2 are scalars */
    }
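
The contrast drawn in this message, reduced to a toy model in C (an added example, not part of the original email and not kernel code): a PTR_TO_MEM argument carries a region size that a static bounds check can use, while a scalar that is offset and then passed through bpf_core_cast carries none. The register-state struct, the helper names and the one-pointer-slot region size are assumptions of the model.

```c
#include <errno.h>
#include <stdio.h>

#define SLOT ((long)sizeof(void *)) /* one pointer-sized slot */

/* Toy register state named after the verifier's; a model, not kernel code. */
enum reg_type { SCALAR, PTR_TO_MEM, UNTRUSTED_PTR };
/* off: offset added by arithmetic; mem_size: bytes valid behind PTR_TO_MEM */
struct reg { enum reg_type type; long off, mem_size; };

/* reg + imm: the offset is tracked for PTR_TO_MEM, lost for a scalar. */
static struct reg reg_add(struct reg r, long imm)
{
	if (r.type == PTR_TO_MEM)
		r.off += imm;
	return r;
}

/* Load of size bytes through r: 0 if accepted, -EACCES if rejected. */
static int check_load(struct reg r, long size)
{
	if (r.type == SCALAR)
		return -EACCES; /* a scalar cannot be dereferenced */
	if (r.type == PTR_TO_MEM && (r.off < 0 || r.off + size > r.mem_size))
		return -EACCES; /* static bounds check on the region */
	return 0; /* model assumption: untrusted loads have no bounds to check */
}

/* With the patch: void **arg is PTR_TO_MEM, assumed to span one slot. */
int load_with_patch(long index)
{
	struct reg arg = { PTR_TO_MEM, 0, SLOT };
	return check_load(reg_add(arg, index * SLOT), SLOT);
}

/* Scalar design: arithmetic is untracked; bpf_core_cast() retypes the value. */
int load_as_scalar(long index, int use_core_cast)
{
	struct reg arg = reg_add((struct reg){ SCALAR, 0, 0 }, index * SLOT);
	if (use_core_cast)
		arg.type = UNTRUSTED_PTR; /* cast yields an untrusted pointer */
	return check_load(arg, SLOT);
}

int main(void)
{
	printf("patch *p: %d, patch *(p+10): %d, scalar+cast *(p+10): %d\n",
	       load_with_patch(0), load_with_patch(10), load_as_scalar(10, 1));
	return 0;
}
```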