When user sends message to bpf prog by a user ring buffer, a callback in bpf prog should load data from the user ring buffer. By default, check_mem_access() doesn't handle the type of CONST_PTR_TO_DYNPTR. So verifier reports an invalid memory access issue. So add the case of CONST_PTR_TO_DYNPTR type. Make bpf prog to handle content in the user ring buffer. Signed-off-by: Haojian Zhuang <haojian.zhuang@xxxxxxxxxx> Cc: Alexei Starovoitov <ast@xxxxxxxxxx> Cc: Daniel Borkmann <daniel@xxxxxxxxxxxxx> Cc: John Fastabend <john.fastabend@xxxxxxxxx> Cc: bpf@xxxxxxxxxxxxxxx --- kernel/bpf/verifier.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 65f598694d55..84066e7246f9 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -6862,6 +6862,15 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn if (!err && value_regno >= 0 && (rdonly_mem || t == BPF_READ)) mark_reg_unknown(env, regs, value_regno); + } else if (reg->type == CONST_PTR_TO_DYNPTR) { + if (t == BPF_WRITE) { + verbose(env, "R%d cannot write into %s\n", + regno, reg_type_str(env, reg->type)); + return -EACCES; + } + + if (value_regno >= 0) + mark_reg_unknown(env, regs, value_regno); } else { verbose(env, "R%d invalid mem access '%s'\n", regno, reg_type_str(env, reg->type)); -- 2.43.0
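Review bot: The new `else if (reg->type == CONST_PTR_TO_DYNPTR)` branch in check_mem_access() accepts every read without validating the offset or size of the access. The branch just above it only calls mark_reg_unknown() when `!err`, that is, after a check has passed, while this one goes straight to `if (value_regno >= 0) mark_reg_unknown(env, regs, value_regno);`. As written, a load at any offset from a CONST_PTR_TO_DYNPTR register passes the verifier, and the register points at the dynptr object rather than at the ring buffer sample, so the load would read the dynptr's own fields or whatever follows them. Please either bound the access (reject negative or variable offsets and anything past the size of the dynptr object, returning -EACCES as the write path does) or explain in the commit message why the callback cannot read the sample through the dynptr helpers (bpf_dynptr_read() / bpf_dynptr_data()) instead of a direct load. The diffstat touches only kernel/bpf/verifier.c; a selftest that exercises the user ring buffer callback case described in the commit message, plus one that shows an out-of-range load being rejected, would make the intended behaviour reviewable.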