On Fri, Apr 26, 2024 at 11:56 AM Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> wrote: > > From: Alexei Starovoitov <ast@xxxxxxxxxx> > > The verifier assumes that 'sk' field in 'struct socket' is valid > and non-NULL when 'socket' pointer itself is trusted and non-NULL. > That may not be the case when socket was just created and > passed to LSM socket_accept hook. > Fix this verifier assumption and adjust tests. > > Reported-by: Liam Wisehart <liamwisehart@xxxxxxxx> > Fixes: 6fcd486b3a0a ("bpf: Refactor RCU enforcement in the verifier.") > Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx> > --- > kernel/bpf/verifier.c | 23 +++++++++++++++---- > .../selftests/bpf/progs/local_storage.c | 20 ++++++++-------- > .../testing/selftests/bpf/progs/lsm_cgroup.c | 8 +++++-- > 3 files changed, 35 insertions(+), 16 deletions(-) > Makes sense, but can you also fix up one of benchmark's programs, see [0], veristat-based CI run caught success->failure change (in bench_local_storage_create.bpf.o) [0] https://github.com/kernel-patches/bpf/actions/runs/8853140420/job/24313511057 pw-bot: cr > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index 4e474ef44e9c..c2780a5c396a 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -2368,6 +2368,8 @@ static void mark_btf_ld_reg(struct bpf_verifier_env *env, > regs[regno].type = PTR_TO_BTF_ID | flag; > regs[regno].btf = btf; > regs[regno].btf_id = btf_id; > + if (type_may_be_null(flag)) > + regs[regno].id = ++env->id_gen; > } > > #define DEF_NOT_SUBREG (0) [...]
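Review bot: the new `id` assignment in mark_btf_ld_reg() covers only the nullable case; when `type_may_be_null(flag)` is false, `regs[regno].id` keeps whatever value the register held before the call, which is safe only if the caller or the earlier part of the function already reset it (not visible in this hunk). Consider an explicit `else regs[regno].id = 0;`, or a one-line comment naming where the reset happens, so a stale id from a previous load cannot tie an unrelated non-null PTR_TO_BTF_ID register to a later NULL check. Handing out a fresh `++env->id_gen` for a maybe-null register is the right mechanism, since the NULL check is what lets the verifier clear PTR_MAYBE_NULL on every copy sharing that id; the part of the patch that actually marks the `socket->sk` load as nullable is outside the quoted lines, so the two need to be read together.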