[PATCH bpf-next v3 0/2] bpf: Allow access to const void pointer arguments in tracing programs
If we try to access argument which is pointer to const void, it's an
UNKNOWN type, verifier will fail to load.

Use is_void_or_int_ptr to check if type is void or int pointer.
Add a selftest to check it.

---
KaFai Wan (2):
  bpf: Allow access to const void pointer arguments in tracing programs
  selftests/bpf: Add test to access const void pointer argument in tracing program

 kernel/bpf/btf.c | 13 +++--
 net/bpf/test_run.c | 8 +++-
 .../selftests/bpf/progs/verifier_btf_ctx_access.c | 12
 3 files changed, 22 insertions(+), 11 deletions(-)

Changelog:
v2->v3: Addressed comments from jirka
- remove duplicate checks for void pointer
Details in here:
https://lore.kernel.org/bpf/20250416161756.1079178-1-kafai@hotmail.com/

v1->v2: Addressed comments from jirka
- use btf_type_is_void to check if type is void
- merge is_void_ptr and is_int_ptr to is_void_or_int_ptr
- fix selftests
Details in here:
https://lore.kernel.org/all/20250412170626.3638516-1-kafai@hotmail.com/

-- 
2.43.0
[PATCH bpf-next v3 2/2] selftests/bpf: Add test to access const void pointer argument in tracing program
Adding verifier test for accessing const void pointer argument in tracing programs. The test program loads 1st argument of bpf_fentry_test10 function which is const void pointer and checks that verifier allows that. Signed-off-by: KaFai Wan --- net/bpf/test_run.c | 8 +++- .../selftests/bpf/progs/verifier_btf_ctx_access.c| 12 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c index 7cb192cbd65f..aaf13a7d58ed 100644 --- a/net/bpf/test_run.c +++ b/net/bpf/test_run.c @@ -569,6 +569,11 @@ __bpf_kfunc u32 bpf_fentry_test9(u32 *a) return *a; } +int noinline bpf_fentry_test10(const void *a) +{ + return (long)a; +} + void noinline bpf_fentry_test_sinfo(struct skb_shared_info *sinfo) { } @@ -699,7 +704,8 @@ int bpf_prog_test_run_tracing(struct bpf_prog *prog, bpf_fentry_test6(16, (void *)17, 18, 19, (void *)20, 21) != 111 || bpf_fentry_test7((struct bpf_fentry_test_t *)0) != 0 || bpf_fentry_test8(&arg) != 0 || - bpf_fentry_test9(&retval) != 0) + bpf_fentry_test9(&retval) != 0 || + bpf_fentry_test10((void *)0) != 0) goto out; break; case BPF_MODIFY_RETURN: diff --git a/tools/testing/selftests/bpf/progs/verifier_btf_ctx_access.c b/tools/testing/selftests/bpf/progs/verifier_btf_ctx_access.c index 28b939572cda..03942cec07e5 100644 --- a/tools/testing/selftests/bpf/progs/verifier_btf_ctx_access.c +++ b/tools/testing/selftests/bpf/progs/verifier_btf_ctx_access.c @@ -65,4 +65,16 @@ __naked void ctx_access_u32_pointer_reject_8(void) " ::: __clobber_all); } +SEC("fentry/bpf_fentry_test10") +__description("btf_ctx_access const void pointer accept") +__success __retval(0) +__naked void ctx_access_const_void_pointer_accept(void) +{ + asm volatile (" \ + r2 = *(u64 *)(r1 + 0); /* load 1st argument value (const void pointer) */\ + r0 = 0; \ + exit; \ +" ::: __clobber_all); +} + char _license[] SEC("license") = "GPL"; -- 2.43.0
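Review bot: In the net/bpf/test_run.c hunk, bpf_fentry_test10() is declared to return int but returns `(long)a`, which silently truncates a pointer value on 64-bit; it only works out because the sole caller passes `(void *)0`. Return long, or cast explicitly to the declared return type, so the helper is not misleading if it is later called with a non-NULL argument.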
Re: [PATCH bpf-next 2/2] selftests/bpf: Add test to access const void pointer argument in tracing program
On Mon, Apr 14, 2025 at 6:35 PM Jiri Olsa wrote: > > On Sun, Apr 13, 2025 at 01:06:26AM +0800, KaFai Wan wrote: > > Adding verifier test for accessing const void pointer argument in > > tracing programs. > > > > The test program loads 2nd argument of kfree tp_btf which is > > const void pointer and checks that verifier allows that. > > > > Signed-off-by: KaFai Wan > > --- > > .../selftests/bpf/progs/verifier_btf_ctx_access.c| 9 + > > 1 file changed, 9 insertions(+) > > > > diff --git a/tools/testing/selftests/bpf/progs/verifier_btf_ctx_access.c > > b/tools/testing/selftests/bpf/progs/verifier_btf_ctx_access.c > > index 28b939572cda..a6cec7f73dcd 100644 > > --- a/tools/testing/selftests/bpf/progs/verifier_btf_ctx_access.c > > +++ b/tools/testing/selftests/bpf/progs/verifier_btf_ctx_access.c > > @@ -65,4 +65,13 @@ __naked void ctx_access_u32_pointer_reject_8(void) > > "::: __clobber_all); > > } > > > > +SEC("tp_btf/kfree") > > +__description("btf_ctx_access const void pointer accept") > > +int ctx_access_const_void_pointer_accept(void) > > +{ > > + /* load 2nd argument value (const void pointer) */ > > + asm volatile ("r2 = *(u64 *)(r1 + 8); "); > > I think we should follow formatting of other tests in the file, > a do smth like: > > asm volatile (" \ > r2 = *(u64 *)(r1 + 8); "); /* load 2nd argument value (const void > pointer) */\ > ... I will fix it. and I find out the kernel does not support test_run of tp_btf, I will change to fentry. > > thanks, > jirka > > > > + return 0; > > +} > > + > > char _license[] SEC("license") = "GPL"; > > -- > > 2.43.0 > > thanks, kafai
[PATCH bpf-next v4 2/2] selftests/bpf: Add test to access const void pointer argument in tracing program
Adding verifier test for accessing const void pointer argument in tracing programs. The test program loads 1st argument of bpf_fentry_test10 function which is const void pointer and checks that verifier allows that. Signed-off-by: KaFai Wan Acked-by: Jiri Olsa --- net/bpf/test_run.c | 8 +++- .../selftests/bpf/progs/verifier_btf_ctx_access.c| 12 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c index 7cb192cbd65f..aaf13a7d58ed 100644 --- a/net/bpf/test_run.c +++ b/net/bpf/test_run.c @@ -569,6 +569,11 @@ __bpf_kfunc u32 bpf_fentry_test9(u32 *a) return *a; } +int noinline bpf_fentry_test10(const void *a) +{ + return (long)a; +} + void noinline bpf_fentry_test_sinfo(struct skb_shared_info *sinfo) { } @@ -699,7 +704,8 @@ int bpf_prog_test_run_tracing(struct bpf_prog *prog, bpf_fentry_test6(16, (void *)17, 18, 19, (void *)20, 21) != 111 || bpf_fentry_test7((struct bpf_fentry_test_t *)0) != 0 || bpf_fentry_test8(&arg) != 0 || - bpf_fentry_test9(&retval) != 0) + bpf_fentry_test9(&retval) != 0 || + bpf_fentry_test10((void *)0) != 0) goto out; break; case BPF_MODIFY_RETURN: diff --git a/tools/testing/selftests/bpf/progs/verifier_btf_ctx_access.c b/tools/testing/selftests/bpf/progs/verifier_btf_ctx_access.c index 28b939572cda..03942cec07e5 100644 --- a/tools/testing/selftests/bpf/progs/verifier_btf_ctx_access.c +++ b/tools/testing/selftests/bpf/progs/verifier_btf_ctx_access.c @@ -65,4 +65,16 @@ __naked void ctx_access_u32_pointer_reject_8(void) " ::: __clobber_all); } +SEC("fentry/bpf_fentry_test10") +__description("btf_ctx_access const void pointer accept") +__success __retval(0) +__naked void ctx_access_const_void_pointer_accept(void) +{ + asm volatile (" \ + r2 = *(u64 *)(r1 + 0); /* load 1st argument value (const void pointer) */\ + r0 = 0; \ + exit; \ +" ::: __clobber_all); +} + char _license[] SEC("license") = "GPL"; -- 2.43.0
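Review bot: The call added to bpf_prog_test_run_tracing() only ever passes `(void *)0`, so a program attached to bpf_fentry_test10 can never observe a non-NULL const void pointer through this path, while the bpf_fentry_test6 call in the same condition passes `(void *)17` and `(void *)20`. Consider a non-zero constant here, with the value compared against in the condition adjusted to match, so a test that reads the argument can tell a real load from a zeroed register.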
[PATCH bpf-next v4 1/2] bpf: Allow access to const void pointer arguments in tracing programs
Adding support to access arguments with const void pointer arguments in tracing programs. Currently we allow tracing programs to access void pointers. If we try to access argument which is pointer to const void like 2nd argument in kfree, verifier will fail to load the program with; 0: R1=ctx() R10=fp0 ; asm volatile ("r2 = *(u64 *)(r1 + 8); "); 0: (79) r2 = *(u64 *)(r1 +8) func 'kfree' arg1 type UNKNOWN is not a struct Changing the is_int_ptr to void and generic integer check and renaming it to is_void_or_int_ptr. Cc: Leon Hwang Signed-off-by: KaFai Wan Acked-by: Jiri Olsa --- kernel/bpf/btf.c | 13 +++-- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c index 16ba36f34dfa..14cdefc15f0e 100644 --- a/kernel/bpf/btf.c +++ b/kernel/bpf/btf.c @@ -6383,12 +6383,12 @@ struct btf *bpf_prog_get_target_btf(const struct bpf_prog *prog) return prog->aux->attach_btf; } -static bool is_int_ptr(struct btf *btf, const struct btf_type *t) +static bool is_void_or_int_ptr(struct btf *btf, const struct btf_type *t) { /* skip modifiers */ t = btf_type_skip_modifiers(btf, t->type, NULL); - return btf_type_is_int(t); + return btf_type_is_void(t) || btf_type_is_int(t); } static u32 get_ctx_arg_idx(struct btf *btf, const struct btf_type *func_proto, @@ -6776,14 +6776,7 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type, } } - if (t->type == 0) - /* This is a pointer to void. -* It is the same as scalar from the verifier safety pov. -* No further pointer walking is allowed. -*/ - return true; - - if (is_int_ptr(btf, t)) + if (is_void_or_int_ptr(btf, t)) return true; /* this is a pointer to another type */ -- 2.43.0
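Review bot: The btf_ctx_access hunk deletes the comment explaining that a pointer to void is the same as a scalar from the verifier safety point of view and that no further pointer walking is allowed, and nothing replaces it. Keep that explanation, either above `if (is_void_or_int_ptr(btf, t))` or on the helper itself, since it records why returning true at this point is safe.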
[PATCH bpf-next v4 0/2] bpf: Allow access to const void pointer arguments in tracing programs
If we try to access argument which is pointer to const void, it's an
UNKNOWN type, verifier will fail to load.

Use is_void_or_int_ptr to check if type is void or int pointer.
Add a selftest to check it.

---
KaFai Wan (2):
  bpf: Allow access to const void pointer arguments in tracing programs
  selftests/bpf: Add test to access const void pointer argument in tracing program

 kernel/bpf/btf.c | 13 +++--
 net/bpf/test_run.c | 8 +++-
 .../selftests/bpf/progs/verifier_btf_ctx_access.c | 12
 3 files changed, 22 insertions(+), 11 deletions(-)

Changelog:
v3->v4: Addressed comments from Alexei Starovoitov
- change SOB to match From email address
- add Acked-by from jirka
Details in here:
https://lore.kernel.org/all/20250417151548.1276279-1-kafai@hotmail.com/

v2->v3: Addressed comments from jirka
- remove duplicate checks for void pointer
Details in here:
https://lore.kernel.org/bpf/20250416161756.1079178-1-kafai@hotmail.com/

v1->v2: Addressed comments from jirka
- use btf_type_is_void to check if type is void
- merge is_void_ptr and is_int_ptr to is_void_or_int_ptr
- fix selftests
Details in here:
https://lore.kernel.org/all/20250412170626.3638516-1-kafai@hotmail.com/

-- 
2.43.0
[PATCH bpf-next 0/2] bpf: Allow access to const void pointer arguments in tracing programs
hi,

Tracing programs can access arguments via BTF [1]. Currently we allow
tracing programs to access pointers to string (char pointer),
void pointers, pointers to structs, and int pointers [2].

If we try to access argument which is pointer to const void like 2nd
argument in kfree, it's an UNKNOWN type, verifier will fail to load.

typedef void (*btf_trace_kfree)(void *, long unsigned int, const void *);

[1] https://lore.kernel.org/bpf/20191016032505.2089704-7-...@kernel.org/
[2] https://lore.kernel.org/bpf/20211208193245.172141-1-jo...@kernel.org/

---
KaFai Wan (2):
  bpf: Allow access to const void pointer arguments in tracing programs
  selftests/bpf: Add test to access const void pointer argument in tracing program

 kernel/bpf/btf.c | 10 +-
 .../selftests/bpf/progs/verifier_btf_ctx_access.c | 9 +
 2 files changed, 18 insertions(+), 1 deletion(-)

-- 
2.43.0
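A stand-alone C model of the argument-type check this series changes, added here as an illustration and not the kernel's code: the type table, ids and the names `scalar_ptr_before` / `scalar_ptr_after` are constructed, and only const, volatile and typedef are modelled as modifiers. It shows why a raw "pointee id is 0" test misses `const void *`, and that struct pointers are still not treated as scalars once the void test moves behind the modifier walk.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of BTF records; kinds, ids and names are constructed here. */
enum kind { K_VOID, K_INT, K_STRUCT, K_PTR, K_CONST, K_VOLATILE, K_TYPEDEF };

struct mtype {
	enum kind kind;
	unsigned int ref;	/* target type id for K_PTR and modifiers; id 0 is void */
};

enum { T_VOID, T_INT, T_STRUCT, T_CONST_VOID, T_CONST_INT, T_TD_CONST_VOID,
       P_VOID, P_CONST_VOID, P_CONST_INT, P_TD_CONST_VOID, P_STRUCT, NR_TYPES };

static const struct mtype types[NR_TYPES] = {
	[T_VOID]          = { K_VOID, 0 },
	[T_INT]           = { K_INT, 0 },
	[T_STRUCT]        = { K_STRUCT, 0 },
	[T_CONST_VOID]    = { K_CONST, T_VOID },
	[T_CONST_INT]     = { K_CONST, T_INT },
	[T_TD_CONST_VOID] = { K_TYPEDEF, T_CONST_VOID },	/* typedef const void cv_t */
	[P_VOID]          = { K_PTR, T_VOID },			/* void * */
	[P_CONST_VOID]    = { K_PTR, T_CONST_VOID },		/* const void * */
	[P_CONST_INT]     = { K_PTR, T_CONST_INT },		/* const int * */
	[P_TD_CONST_VOID] = { K_PTR, T_TD_CONST_VOID },		/* cv_t * */
	[P_STRUCT]        = { K_PTR, T_STRUCT },		/* struct foo * */
};

/* Follow const/volatile/typedef links until a non-modifier type is reached. */
static const struct mtype *skip_modifiers(unsigned int id)
{
	const struct mtype *t = &types[id];

	while (t->kind == K_CONST || t->kind == K_VOLATILE || t->kind == K_TYPEDEF)
		t = &types[t->ref];
	return t;
}

/* Before: void is detected by the raw pointee id, int only after the walk. */
static bool scalar_ptr_before(unsigned int id)
{
	if (types[id].kind != K_PTR)	/* guard added for the model */
		return false;
	return types[id].ref == 0 || skip_modifiers(types[id].ref)->kind == K_INT;
}

/* After: void and int are both tested on the modifier-stripped pointee. */
static bool scalar_ptr_after(unsigned int id)
{
	const struct mtype *t;

	if (types[id].kind != K_PTR)	/* guard added for the model */
		return false;
	t = skip_modifiers(types[id].ref);
	return t->kind == K_VOID || t->kind == K_INT;
}

int main(void)
{
	static const char *names[] = { "void *", "const void *", "const int *",
				       "cv_t *", "struct foo *" };

	for (unsigned int id = P_VOID; id <= P_STRUCT; id++)
		printf("%-14s before=%d after=%d\n", names[id - P_VOID],
		       scalar_ptr_before(id), scalar_ptr_after(id));
	return 0;
}
```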
[PATCH bpf-next 1/2] bpf: Allow access to const void pointer arguments in tracing programs
Adding support to access arguments with const void pointer arguments in tracing programs. Currently we allow tracing programs to access void pointers. If we try to access argument which is pointer to const void like 2nd argument in kfree, verifier will fail to load the program with; 0: R1=ctx() R10=fp0 ; asm volatile ("r2 = *(u64 *)(r1 + 8); "); 0: (79) r2 = *(u64 *)(r1 +8) func 'kfree' arg1 type UNKNOWN is not a struct Adding is_void_ptr to generic void pointer check. Cc: Leon Hwang Signed-off-by: KaFai Wan --- kernel/bpf/btf.c | 10 +- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c index 16ba36f34dfa..e11d3afd0562 100644 --- a/kernel/bpf/btf.c +++ b/kernel/bpf/btf.c @@ -6383,6 +6383,14 @@ struct btf *bpf_prog_get_target_btf(const struct bpf_prog *prog) return prog->aux->attach_btf; } +static bool is_void_ptr(struct btf *btf, const struct btf_type *t) +{ + /* skip modifiers */ + t = btf_type_skip_modifiers(btf, t->type, NULL); + + return t->type == 0; +} + static bool is_int_ptr(struct btf *btf, const struct btf_type *t) { /* skip modifiers */ @@ -6776,7 +6784,7 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type, } } - if (t->type == 0) + if (is_void_ptr(btf, t)) /* This is a pointer to void. * It is the same as scalar from the verifier safety pov. * No further pointer walking is allowed. -- 2.43.0
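Review bot: In the new is_void_ptr(), `return t->type == 0;` runs after t has been reassigned to the result of btf_type_skip_modifiers(), so it tests the `type` field of the resolved type rather than whether the resolved type is itself void. Test the resolved type directly, for example with btf_type_is_void(t); and since is_int_ptr() in the context just below starts with the same "skip modifiers" step, the two helpers could share one walk.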
[PATCH bpf-next 2/2] selftests/bpf: Add test to access const void pointer argument in tracing program
Adding verifier test for accessing const void pointer argument in tracing programs. The test program loads 2nd argument of kfree tp_btf which is const void pointer and checks that verifier allows that. Signed-off-by: KaFai Wan --- .../selftests/bpf/progs/verifier_btf_ctx_access.c| 9 + 1 file changed, 9 insertions(+) diff --git a/tools/testing/selftests/bpf/progs/verifier_btf_ctx_access.c b/tools/testing/selftests/bpf/progs/verifier_btf_ctx_access.c index 28b939572cda..a6cec7f73dcd 100644 --- a/tools/testing/selftests/bpf/progs/verifier_btf_ctx_access.c +++ b/tools/testing/selftests/bpf/progs/verifier_btf_ctx_access.c @@ -65,4 +65,13 @@ __naked void ctx_access_u32_pointer_reject_8(void) " ::: __clobber_all); } +SEC("tp_btf/kfree") +__description("btf_ctx_access const void pointer accept") +int ctx_access_const_void_pointer_accept(void) +{ + /* load 2nd argument value (const void pointer) */ + asm volatile ("r2 = *(u64 *)(r1 + 8); "); + return 0; +} + char _license[] SEC("license") = "GPL"; -- 2.43.0
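Review bot: The new test's `asm volatile ("r2 = *(u64 *)(r1 + 8); ");` has no clobber list and sits in a plain `int` function with a C `return 0;`, whereas the test in the hunk context is `__naked` and closes its asm with `::: __clobber_all`. Follow that form, setting r0 and exiting inside the asm, and annotate the expected outcome so the test states that the load must be accepted.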
[PATCH bpf-next v2 2/2] selftests/bpf: Add test to access const void pointer argument in tracing program
Adding verifier test for accessing const void pointer argument in tracing programs. The test program loads 1st argument of bpf_fentry_test10 function which is const void pointer and checks that verifier allows that. Signed-off-by: KaFai Wan --- net/bpf/test_run.c | 8 +++- .../selftests/bpf/progs/verifier_btf_ctx_access.c| 12 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c index 7cb192cbd65f..aaf13a7d58ed 100644 --- a/net/bpf/test_run.c +++ b/net/bpf/test_run.c @@ -569,6 +569,11 @@ __bpf_kfunc u32 bpf_fentry_test9(u32 *a) return *a; } +int noinline bpf_fentry_test10(const void *a) +{ + return (long)a; +} + void noinline bpf_fentry_test_sinfo(struct skb_shared_info *sinfo) { } @@ -699,7 +704,8 @@ int bpf_prog_test_run_tracing(struct bpf_prog *prog, bpf_fentry_test6(16, (void *)17, 18, 19, (void *)20, 21) != 111 || bpf_fentry_test7((struct bpf_fentry_test_t *)0) != 0 || bpf_fentry_test8(&arg) != 0 || - bpf_fentry_test9(&retval) != 0) + bpf_fentry_test9(&retval) != 0 || + bpf_fentry_test10((void *)0) != 0) goto out; break; case BPF_MODIFY_RETURN: diff --git a/tools/testing/selftests/bpf/progs/verifier_btf_ctx_access.c b/tools/testing/selftests/bpf/progs/verifier_btf_ctx_access.c index 28b939572cda..03942cec07e5 100644 --- a/tools/testing/selftests/bpf/progs/verifier_btf_ctx_access.c +++ b/tools/testing/selftests/bpf/progs/verifier_btf_ctx_access.c @@ -65,4 +65,16 @@ __naked void ctx_access_u32_pointer_reject_8(void) " ::: __clobber_all); } +SEC("fentry/bpf_fentry_test10") +__description("btf_ctx_access const void pointer accept") +__success __retval(0) +__naked void ctx_access_const_void_pointer_accept(void) +{ + asm volatile (" \ + r2 = *(u64 *)(r1 + 0); /* load 1st argument value (const void pointer) */\ + r0 = 0; \ + exit; \ +" ::: __clobber_all); +} + char _license[] SEC("license") = "GPL"; -- 2.43.0
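Review bot: ctx_access_const_void_pointer_accept covers only the accept path: r2 is loaded from the context and never used. A companion reject case that dereferences r2 after the load, in the style of ctx_access_u32_pointer_reject_8 in the hunk context, would pin down that accepting the const void pointer argument does not also allow walking it.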
[PATCH bpf-next v2 1/2] bpf: Allow access to const void pointer arguments in tracing programs
Adding support to access arguments with const void pointer arguments in tracing programs. Currently we allow tracing programs to access void pointers. If we try to access argument which is pointer to const void like 2nd argument in kfree, verifier will fail to load the program with; 0: R1=ctx() R10=fp0 ; asm volatile ("r2 = *(u64 *)(r1 + 8); "); 0: (79) r2 = *(u64 *)(r1 +8) func 'kfree' arg1 type UNKNOWN is not a struct Changing the is_int_ptr to void and generic integer check and renaming it to is_void_or_int_ptr. Cc: Leon Hwang Signed-off-by: KaFai Wan --- kernel/bpf/btf.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c index 16ba36f34dfa..0b1724453b75 100644 --- a/kernel/bpf/btf.c +++ b/kernel/bpf/btf.c @@ -6383,12 +6383,12 @@ struct btf *bpf_prog_get_target_btf(const struct bpf_prog *prog) return prog->aux->attach_btf; } -static bool is_int_ptr(struct btf *btf, const struct btf_type *t) +static bool is_void_or_int_ptr(struct btf *btf, const struct btf_type *t) { /* skip modifiers */ t = btf_type_skip_modifiers(btf, t->type, NULL); - return btf_type_is_int(t); + return btf_type_is_void(t) || btf_type_is_int(t); } static u32 get_ctx_arg_idx(struct btf *btf, const struct btf_type *func_proto, @@ -6783,7 +6783,7 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type, */ return true; - if (is_int_ptr(btf, t)) + if (is_void_or_int_ptr(btf, t)) return true; /* this is a pointer to another type */ -- 2.43.0
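Review bot: In the btf_ctx_access hunk, the context lines just above the changed call (`*/` and `return true;`) are the tail of an earlier branch that already returns true, and is_void_or_int_ptr() now performs a void test of its own, so an unqualified void pointer is checked twice. Drop the earlier branch and keep its comment next to the new call so the reasoning stays with the code.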
[PATCH bpf-next v2 0/2] bpf: Allow access to const void pointer arguments in tracing programs
If we try to access argument which is pointer to const void, it's an
UNKNOWN type, verifier will fail to load.

Use is_void_or_int_ptr to check if type is void or int pointer.
And fix selftests.

---
KaFai Wan (2):
  bpf: Allow access to const void pointer arguments in tracing programs
  selftests/bpf: Add test to access const void pointer argument in tracing program

 kernel/bpf/btf.c | 6 +++---
 net/bpf/test_run.c | 8 +++-
 .../selftests/bpf/progs/verifier_btf_ctx_access.c | 12
 3 files changed, 22 insertions(+), 4 deletions(-)

Changelog:
v1->v2: Addressed comments from jirka
- use btf_type_is_void to check if type is void
- merge is_void_ptr and is_int_ptr to is_void_or_int_ptr
- fix selftests
Some details in here:
https://lore.kernel.org/all/20250412170626.3638516-1-kafai@hotmail.com/

-- 
2.43.0
Re: [PATCH bpf-next 1/2] bpf: Allow access to const void pointer arguments in tracing programs
On Mon, Apr 14, 2025 at 6:35 PM Jiri Olsa wrote: > > On Sun, Apr 13, 2025 at 01:06:25AM +0800, KaFai Wan wrote: > > Adding support to access arguments with const void pointer arguments > > in tracing programs. > > > > Currently we allow tracing programs to access void pointers. If we try to > > access argument which is pointer to const void like 2nd argument in kfree, > > verifier will fail to load the program with; > > > > 0: R1=ctx() R10=fp0 > > ; asm volatile ("r2 = *(u64 *)(r1 + 8); "); > > 0: (79) r2 = *(u64 *)(r1 +8) > > func 'kfree' arg1 type UNKNOWN is not a struct > > > > Adding is_void_ptr to generic void pointer check. > > > > Cc: Leon Hwang > > Signed-off-by: KaFai Wan > > --- > > kernel/bpf/btf.c | 10 +- > > 1 file changed, 9 insertions(+), 1 deletion(-) > > > > diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c > > index 16ba36f34dfa..e11d3afd0562 100644 > > --- a/kernel/bpf/btf.c > > +++ b/kernel/bpf/btf.c > > @@ -6383,6 +6383,14 @@ struct btf *bpf_prog_get_target_btf(const struct > > bpf_prog *prog) > > return prog->aux->attach_btf; > > } > > > > +static bool is_void_ptr(struct btf *btf, const struct btf_type *t) > > +{ > > + /* skip modifiers */ > > + t = btf_type_skip_modifiers(btf, t->type, NULL); > > + > > + return t->type == 0; > > I think you can use btf_type_is_void in here > Yes, I will use btf_type_is_void. > > +} > > + > > static bool is_int_ptr(struct btf *btf, const struct btf_type *t) > > { > > /* skip modifiers */ 
> > @@ -6776,7 +6784,7 @@ bool btf_ctx_access(int off, int size, enum > > bpf_access_type type, > > } > > } > > > > - if (t->type == 0) > > + if (is_void_ptr(btf, t)) > > lgtm, > > nit, the is_void_ptr name suggest there's also ptr check in the helper > function, > which is not the case. I understand it follows is_int_ptr name, but perhaps we > could rename both helpers to is_void and is_int ... feel free to ignore ;-) you are right, I will rename it. but I'm not sure if it's possible to merge these two functions into one like is_void_or_int, they both skip modifiers. > > jirka > > > > /* This is a pointer to void. > >* It is the same as scalar from the verifier safety pov. > >* No further pointer walking is allowed. > > -- > > 2.43.0 > > thanks, kafai