PTR_TO_MEM for multi-level pointer parameters

Author: slava-at-cs

kernel/bpf/btf.c

@@ -760,6 +760,20 @@ const struct btf_type *btf_type_resolve_func_ptr(const struct btf *btf,
 	return NULL;
 }
 
+static bool is_multilevel_ptr(const struct btf *btf, const struct btf_type *t)
+{
+	int i;
+	u32 depth = btf_type_is_ptr(t) ? 1 : 0;
+
+	t = btf_type_resolve_ptr(btf, t->type, NULL);
+	for (i = 0; !!t && depth < 2; i++) {
+		depth += 1;
+		t = btf_type_resolve_ptr(btf, t->type, NULL);
+	}
+
+	return depth > 1;
+}
+
 /* Types that act only as a source, not sink or intermediate
  * type when resolving.
  */
@@ -6790,6 +6804,7 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type,
 	const char *tag_value;
 	u32 nr_args, arg;
 	int i, ret;
+	bool trusted, nullable;
 
 	if (off % 8) {
 		bpf_log(log, "func '%s' offset %d is not multiple of 8\n",
@@ -6927,11 +6942,35 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type,
 		}
 	}
 
+	trusted = prog_args_trusted(prog);
+	nullable = btf_param_match_suffix(btf, &args[arg], "__nullable");
+
+	if (is_multilevel_ptr(btf, t)) {
+		info->reg_type = PTR_TO_MEM | MEM_RDONLY;
+		if (!trusted)
+			info->reg_type |= PTR_UNTRUSTED;
+
+		if (nullable)
+			info->reg_type |= PTR_MAYBE_NULL;
+
+		/* The memory size cannot be determined without following the t->type. */
+		while (btf_type_is_modifier(t)) {
+			t = btf_type_by_id(btf, t->type);
+		}
+
+		WARN_ON(!btf_type_is_ptr(t));
+		BUG_ON(!btf_type_is_ptr(t)); // remove before submitting patches
+
+		info->btf_id = t->type;
+		info->btf = btf;
+		return true;
+	}
+
 	info->reg_type = PTR_TO_BTF_ID;
-	if (prog_args_trusted(prog))
+	if (trusted)
 		info->reg_type |= PTR_TRUSTED;
 
-	if (btf_param_match_suffix(btf, &args[arg], "__nullable"))
+	if (nullable)
 		info->reg_type |= PTR_MAYBE_NULL;
 
 	if (prog->expected_attach_type == BPF_TRACE_RAW_TP) {
@@ -7002,6 +7041,7 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type,
 		info->btf_id = t->type;
 		t = btf_type_by_id(btf, t->type);
 	}
+
 	if (!btf_type_is_struct(t)) {
 		bpf_log(log,
 			"func '%s' arg%d type %s is not a struct\n",

kernel/bpf/verifier.c

@@ -7789,6 +7789,16 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
 					regs[value_regno].btf = info.btf;
 					regs[value_regno].btf_id = info.btf_id;
 					regs[value_regno].ref_obj_id = info.ref_obj_id;
+				} else if (base_type(info.reg_type) == PTR_TO_MEM) {
+					u32 mem_size;
+					const struct btf_type *t;
+					t = btf_resolve_size(info.btf, btf_type_by_id(info.btf, info.btf_id), &mem_size);
+					if (IS_ERR(t)) {
+						verbose(env, "R%d mem size cannot be determined\n", value_regno);
+						return -EACCES;
+					}
+					BUG_ON(mem_size != sizeof(void*)); // remove before submitting a patch
+					regs[value_regno].mem_size = mem_size;
 				}
 			}
 			regs[value_regno].type = info.reg_type;

net/bpf/test_run.c

@@ -24,6 +24,7 @@
 #include <net/netdev_rx_queue.h>
 #include <net/xdp.h>
 #include <net/netfilter/nf_bpf_link.h>
+#include <linux/set_memory.h>
 
 #define CREATE_TRACE_POINTS
 #include <trace/events/bpf_test_run.h>
@@ -563,6 +564,41 @@ noinline int bpf_fentry_test10(const void *a)
 	return (long)a;
 }
 
+struct bpf_fentry_test_dptr_t {
+	int value;
+};
+
+/* Test fentry/fexit with nullable double pointer parameter */
+noinline int bpf_fentry_test11_double_ptr_nullable(struct bpf_fentry_test_dptr_t **dptr__nullable)
+{
+	if (!dptr__nullable) {
+		return -1;
+	}
+
+	return (*dptr__nullable)->value;
+}
+
+/* Test fentry/fexit with non-nullable double pointer parameter */
+noinline int bpf_fentry_test12_double_ptr(struct bpf_fentry_test_dptr_t **dptr)
+{
+	return (long)dptr;
+}
+
+/* Test fentry/fexit with void double pointer parameter and address validation */
+noinline int bpf_fentry_test13_void_double_ptr(void **dptr)
+{
+	return virt_addr_valid(dptr);
+}
+
+/* Test fentry/fexit with void triple pointer parameter. The volatile specifier
+ * doesn't affect function parameter behavior, but it is retained in the BTF type
+ * descriptor, forcing the verifier to walk through the type modifier chain.
+ */
+noinline int bpf_fentry_test14_void_triple_ptr(void **const *volatile dptr)
+{
+	return (long)dptr;
+}
+
 noinline void bpf_fentry_test_sinfo(struct skb_shared_info *sinfo)
 {
 }
@@ -670,18 +706,103 @@ static void *bpf_test_init(const union bpf_attr *kattr, u32 user_size,
 	return data;
 }
 
+/* Create a guaranteed-invalid address for testing copy_from_kernel_nofault.
+ * Returns a valid pointer to memory that has been made non-present,
+ * so any access will fault. Must be freed with free_invalid_test_address().
+ */
+static void *create_invalid_test_address(void)
+{
+#if defined(CONFIG_ARCH_HAS_SET_MEMORY) && \
+	(defined(CONFIG_X86) || defined(CONFIG_PPC))
+	void *addr;
+
+	addr = vmalloc(PAGE_SIZE);
+	if (!addr)
+		return NULL;
+
+	/* Make it non-present - any access will fault */
+	if (set_memory_np((unsigned long)addr, 1)) {
+		vfree(addr);
+		return NULL;
+	}
+
+	return addr;
+#elif defined(CONFIG_ARCH_HAS_SET_DIRECT_MAP)
+	struct page *page;
+
+	page = alloc_page(GFP_KERNEL);
+	if (!page)
+		return NULL;
+
+	/* Remove from direct map - any access will fault */
+	if (set_direct_map_invalid_noflush(page)) {
+		__free_page(page);
+		return NULL;
+	}
+	flush_tlb_kernel_range((unsigned long)page_address(page),
+			       (unsigned long)page_address(page) + PAGE_SIZE);
+
+	return page_address(page);
+#else
+	/* Fallback: return a canonical invalid address.
+	 * On 64-bit: middle of address space (non-canonical hole on x86-64).
+	 * On 32-bit: high user address unlikely to be mapped.
+	 * This is just a number, not allocated memory.
+	 */
+	 if (!virt_addr_valid(VMALLOC_END + 0x1000))
+		return VMALLOC_END + 0x1000;
+	else
+#ifdef CONFIG_64BIT
+		return (void *)0x0010000000000000UL;
+#else
+		return (void *)0xA0000000UL;
+#endif
+#endif
+}
+
+/* Free an invalid test address created by create_invalid_test_address().
+ * Restores the page to present state before freeing.
+ */
+static void free_invalid_test_address(void *addr)
+{
+	if (!addr)
+		return;
+
+#if defined(CONFIG_ARCH_HAS_SET_MEMORY) && \
+	(defined(CONFIG_X86) || defined(CONFIG_PPC))
+	set_memory_p((unsigned long)addr, 1);
+	vfree(addr);
+#elif defined(CONFIG_ARCH_HAS_SET_DIRECT_MAP)
+	struct page *page = virt_to_page(addr);
+
+	set_direct_map_default_noflush(page);
+	flush_tlb_kernel_range((unsigned long)addr,
+			       (unsigned long)addr + PAGE_SIZE);
+	__free_page(page);
+#else
+	/* Fallback case: addr is just a constant, nothing to free */
+#endif
+}
+
 int bpf_prog_test_run_tracing(struct bpf_prog *prog,
 			      const union bpf_attr *kattr,
 			      union bpf_attr __user *uattr)
 {
 	struct bpf_fentry_test_t arg = {};
+	struct bpf_fentry_test_dptr_t dptr_struct = { .value = 1979 };
+	struct bpf_fentry_test_dptr_t *dptr_ptr = &dptr_struct;
+	void *invalid_addr;
 	u16 side_effect = 0, ret = 0;
 	int b = 2, err = -EFAULT;
 	u32 retval = 0;
 
 	if (kattr->test.flags || kattr->test.cpu || kattr->test.batch_size)
 		return -EINVAL;
 
+	invalid_addr = create_invalid_test_address();
+	if (!invalid_addr)
+		return -ENOMEM;
+
 	switch (prog->expected_attach_type) {
 	case BPF_TRACE_FENTRY:
 	case BPF_TRACE_FEXIT:
@@ -695,7 +816,13 @@ int bpf_prog_test_run_tracing(struct bpf_prog *prog,
 		    bpf_fentry_test7((struct bpf_fentry_test_t *)0) != 0 ||
 		    bpf_fentry_test8(&arg) != 0 ||
 		    bpf_fentry_test9(&retval) != 0 ||
-		    bpf_fentry_test10((void *)0) != 0)
+		    bpf_fentry_test10((void *)0) != 0 ||
+		    bpf_fentry_test11_double_ptr_nullable(&dptr_ptr) != 1979 ||
+		    bpf_fentry_test12_double_ptr((struct bpf_fentry_test_dptr_t **)17) != 17 ||
+		    bpf_fentry_test13_void_double_ptr((void**)19) != virt_addr_valid((void*)19) ||
+		    bpf_fentry_test13_void_double_ptr((void**)invalid_addr) != virt_addr_valid(invalid_addr) ||
+		    bpf_fentry_test13_void_double_ptr((void**)ERR_PTR(-ENOMEM)) != virt_addr_valid(ERR_PTR(-ENOMEM)) ||
+		    bpf_fentry_test14_void_triple_ptr((void**const *volatile)ERR_PTR(-ENOMEM)) != (int)(long)ERR_PTR(-ENOMEM))
 			goto out;
 		break;
 	case BPF_MODIFY_RETURN:
@@ -717,6 +844,7 @@ int bpf_prog_test_run_tracing(struct bpf_prog *prog,
 
 	err = 0;
 out:
+	free_invalid_test_address(invalid_addr);
 	trace_bpf_test_finish(&err);
 	return err;
 }