[PATCH bpf-next v1 0/8] bpf: additional use-cases for untrusted PTR_TO_MEM

Eduard Zingerman <eddyz87@xxxxxxxxx> · Wed, 2 Jul 2025 15:42:01 -0700

This patch set introduces two usability enhancements leveraging
untrusted pointers to mem:
- When reading a pointer field from a PTR_TO_BTF_ID, the resulting
  value is now assumed to be PTR_TO_MEM|MEM_RDONLY|PTR_UNTRUSTED
  instead of SCALAR_VALUE, provided the pointer points to a primitive
  type.
- __arg_untrusted attribute for global function parameters,
  allowed for pointer arguments of both structural and primitive
  types:
  - For structural types, the attribute produces
    PTR_TO_BTF_ID|PTR_UNTRUSTED.
  - For primitive types, it yields
    PTR_TO_MEM|MEM_RDONLY|PTR_UNTRUSTED.

Here are examples enabled by the series:

  struct foo {
    int *arr;
  };
  ...
  p = bpf_core_cast(..., struct foo);
  bpf_for(i, 0, ...) {
    ... p->arr[i] ...       // load at any offset is allowed
  }

  int memcmp(void *a __arg_untrusted, void *b __arg_untrusted, size_t n) {
    bpf_for(i, 0, n)
      if (a[i] - b[i])      // load at any offset is allowed
        return ...;
    return 0;
  }

The patch-set was inspired by Anrii's series [1]. The goal of that
series was to define a generic global glob_match function, capable to
accept any pointer type:

  __weak int glob_match(const char *pat, const char *str);

  char filename_glob[32];

  void foo(...) {
    ...
    task = bpf_get_current_task_btf();
    filename = task->mm->exe_file->f_path.dentry->d_name.name;
    ... match_glob(filename_glob,  // pointer to map value
                   filename) ...   // scalar
  }

At the moment, there is no straightforward way to express such a
function. This patch-set makes it possible to define it as follows:

  __weak int glob_match(const char *pat __arg_untrusted,
                        const char *str __arg_untrusted);

[1] https://github.com/anakryiko/linux/tree/bpf-mem-cast

Eduard Zingerman (8):
  bpf: make makr_btf_ld_reg return error for unexpected reg types
  bpf: rdonly_untrusted_mem for btf id walk pointer leafs
  selftests/bpf: ptr_to_btf_id struct walk ending with primitive pointer
  bpf: attribute __arg_untrusted for global function parameters
  libbpf: __arg_untrusted in bpf_helpers.h
  selftests/bpf: test cases for __arg_untrusted
  bpf: support for void/primitive __arg_untrusted global func params
  selftests/bpf: tests for __arg_untrusted void * global func params

 include/linux/btf.h                           |   1 +
 kernel/bpf/btf.c                              |  48 +++++++-
 kernel/bpf/verifier.c                         |  78 +++++++++----
 tools/lib/bpf/bpf_helpers.h                   |   1 +
 .../selftests/bpf/prog_tests/linked_list.c    |   2 +-
 .../bpf/progs/mem_rdonly_untrusted.c          |  31 +++++
 .../bpf/progs/verifier_global_ptr_args.c      | 107 ++++++++++++++++++
 7 files changed, 239 insertions(+), 29 deletions(-)

-- 
2.47.1