On Thu, Mar 21, 2019 at 02:34:36PM -0700, Jakub Kicinski wrote:
> Commit 7640ead93924 ("bpf: verifier: make sure callees don't prune
> with caller differences") connected up parentage chains of all
> frames of the stack. It didn't, however, ensure propagate_liveness()
> propagates all liveness information along those chains.
>
> This means pruning happening in the callee may generate explored
> states with incomplete liveness for the chains in lower frames
> of the stack.
>
> The included selftest is similar to the prior one from commit
> 7640ead93924 ("bpf: verifier: make sure callees don't prune with
> caller differences"), where callee would prune regardless of the
> difference in r8 state.
>
> Now we also initialize r9 to 0 or 1 based on a result from get_random().
> r9 is never read so the walk with r9 = 0 gets pruned (correctly) after
> the walk with r9 = 1 completes.
>
> The selftest is so arranged that the pruning will happen in the
> callee. Since callee does not propagate read marks of r8, the
> explored state at the pruning point prior to the callee will
> now ignore r8.
>
> Propagate liveness on all frames of the stack when pruning.
>
> Fixes: f4d7e40a5b71 ("bpf: introduce function calls (verification)")
> Signed-off-by: Jakub Kicinski <jakub.kicinski@xxxxxxxxxxxxx>
wow. Applied. Thanks a lot.
