bpf: Normalize accessing netfilter ctx fields

guidosarducci · guidosarducci · commit 083790752b0c · 2025-11-04T22:38:24.000-08:00
BPF netfilter programs are currently not portable across 32-bit and 64-bit systems: within 'struct bpf_nf_ctx' size and offsets vary with system word size; the .is_valid_access() verifier hook rejects u64 loads on 32-bit hosts; and no .convert_ctx_access hook exists to rewrite such loads as u32. Update 'struct bpf_nf_ctx' ptr fields with __bpf_md_ptr() to gain stable sizing and offsets. In nf_is_valid_access() use bpf_ctx_range_ptr() for handling ptr field offsets, and create common bpf_ctx_ptr_size_valid() to check load sizes. Finally, add the verifier hook nf_convert_ctx_access() which rewrites loads according to system ptr size. Before: libbpf: prog 'with_invalid_return_code_test1': BPF program load failed: -EACCES libbpf: prog 'with_invalid_return_code_test1': failed to load: -EACCES libbpf: failed to load object 'verifier_netfilter_retcode' run_subtest:PASS:unexpected_load_success 0 nsec validate_msgs:FAIL:748 expect_msg VERIFIER LOG: ============= Global function with_invalid_return_code_test1() doesn't return scalar. Only those are supported. 0: R1=ctx() R10=fp0 ; asm volatile (" \ @ verifier_netfilter_retcode.c:12 0: (79) r0 = *(u64 *)(r1 +0) invalid bpf_context access off=0 size=8 is_valid_access=nf_is_valid_access processed 1 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0 ============= EXPECTED SUBSTR: 'R0 is not a known value' torvalds#534/1 verifier_netfilter_retcode/bpf_exit with invalid return code. test1:FAIL After: torvalds#534/1 verifier_netfilter_retcode/bpf_exit with invalid return code. test1:OK torvalds#534/2 verifier_netfilter_retcode/bpf_exit with valid return code. test2:OK torvalds#534/3 verifier_netfilter_retcode/bpf_exit with valid return code. test3:OK torvalds#534/4 verifier_netfilter_retcode/bpf_exit with invalid return code. test4:OK torvalds#534 verifier_netfilter_retcode:OK Summary: 1/4 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
diff --git a/include/net/netfilter/nf_bpf_link.h b/include/net/netfilter/nf_bpf_link.h
@@ -1,8 +1,8 @@
 /* SPDX-License-Identifier: GPL-2.0 */
 
 struct bpf_nf_ctx {
-	const struct nf_hook_state *state;
-	struct sk_buff *skb;
+	__bpf_md_ptr(const struct nf_hook_state *, state);
+	__bpf_md_ptr(struct sk_buff *, skb);
 };
 
 #if IS_ENABLED(CONFIG_NETFILTER_BPF_LINK)
diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
@@ -303,13 +303,13 @@ static bool nf_is_valid_access(int off, int size, enum bpf_access_type type,
 		return false;
 
 	switch (off) {
-	case bpf_ctx_range(struct bpf_nf_ctx, skb):
-		if (size != sizeof_field(struct bpf_nf_ctx, skb))
+	case bpf_ctx_range_ptr(struct bpf_nf_ctx, skb):
+		if (size != sizeof(__u64) && size != sizeof(long))
 			return false;
 
 		return nf_ptr_to_btf_id(info, "sk_buff");
-	case bpf_ctx_range(struct bpf_nf_ctx, state):
-		if (size != sizeof_field(struct bpf_nf_ctx, state))
+	case bpf_ctx_range_ptr(struct bpf_nf_ctx, state):
+		if (size != sizeof(__u64) && size != sizeof(long))
 			return false;
 
 		return nf_ptr_to_btf_id(info, "nf_hook_state");
@@ -320,6 +320,31 @@ static bool nf_is_valid_access(int off, int size, enum bpf_access_type type,
 	return false;
 }
 
+static u32 nf_convert_ctx_access(enum bpf_access_type type,
+				 const struct bpf_insn *si,
+				 struct bpf_insn *insn_buf,
+				 struct bpf_prog *prog, u32 *target_size)
+{
+	struct bpf_insn *insn = insn_buf;
+
+	switch (si->off) {
+	case offsetof(struct bpf_nf_ctx, state):
+		*insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct bpf_nf_ctx, state),
+				      si->dst_reg, si->src_reg,
+				      offsetof(struct bpf_nf_ctx, state));
+		break;
+	case offsetof(struct bpf_nf_ctx, skb):
+		*insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct bpf_nf_ctx, skb),
+				      si->dst_reg, si->src_reg,
+				      offsetof(struct bpf_nf_ctx, skb));
+		break;
+	default:
+		return false;
+	}
+
+	return insn - insn_buf;
+}
+
 static const struct bpf_func_proto *
 bpf_nf_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 {
@@ -328,5 +353,6 @@ bpf_nf_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 
 const struct bpf_verifier_ops netfilter_verifier_ops = {
 	.is_valid_access	= nf_is_valid_access,
+	.convert_ctx_access	= nf_convert_ctx_access,
 	.get_func_proto		= bpf_nf_func_proto,
 };
