On Thu, Jun 20, 2024 at 01:18:10PM GMT, Shung-Hsi Yu wrote:
> Hi Eduard,
>
> I'm seeking suggestions for backporting callback handling fixes to the
> stable/linux-6.1.y (and similar branches), akin to what has been done
> for 6.6[1].
>
> Testing with the reproducer from Andrew Werner[2] it seems 6.1 has the
> same problem where the bpf_probe_read_user() call is only verified with
> the R1_w=fp-8 state, but not the R1_w=0xDEAD state because the latter
> was incorrectly pruned. So I believe the callback fixes are needed.
>
> The main difference from 6.6 is that 6.1 does not have BPF open-coded
> iterator,

There seems to be more than that. Given regsafe() is critical to the fix,
as it is being used in stacksafe() and func_states_equal(), 6.1 is at
least missing the following patch-sets:

- "BPF verifier state equivalence checks improvements"[1] for
  refsafe()-related changes
- "verify scalar ids mapping in regsafe()"[2] for scalar IDs mapping in
  regsafe() and mark_chain_precision()

> ... but AFAICT it does not mean "exact states comparison for
> iterator convergence checks" patch-set[3] can be dropped. This is
> because exact-state comparison from commit 2793a8b015f7 ("bpf: exact
> states comparison for iterator convergence checks") and loop-identifying
> algorithm in commit 2a0992829ea3 ("bpf: correct loop detection for
> iterators convergence") are critical for the fix; but it should be fine
> to ignore all changes to process_iter_*().
>
> The "verify callbacks as if they are called unknown number of
> times" patch-set[4] name already suggests that it is needed, so no doubts
> there (again, dropping iterator-related changes).

1: https://lore.kernel.org/all/20221223054921.958283-1-andrii@xxxxxxxxxx/
2: https://lore.kernel.org/bpf/20230613153824.3324830-1-eddyz87@xxxxxxxxx/