A production BPF program had the following code produced by LLVM.

	r0 = 1024;
	r1 = ...; // r1 = trusted_or_null_(id=1)
	r3 = r1;  // r3 = trusted_or_null_(id=1) r1 = trusted_or_null_(id=1)
	r3 += r0; // r3 = trusted_or_null_(id=1, off=1024)
	if r1 == 0 goto pc+X;

After cb4158ce8ec8 ("bpf: Mark raw_tp arguments with PTR_MAYBE_NULL"),
the production BPF program began throwing a warning in the verifier
because for the code above, when unmarking null mark from r1, the
verifier will notice another register r3 with same id but off != 0,
which is unexpected, since offset modification on PTR_MAYBE_NULL is not
permitted, but the aforementioned commit relaxed that restriction to
preserve compatibility with non-NULL raw_tp args.

Provide a fix to suppress the warning for raw_tp args. We will follow up
with a more generic fix to handle such patterns for all pointer types in
the verifier, which currently involves playing whack-a-mole with
suppressing such LLVM optimizations and reworking BPF programs to avoid
verifier errors.

Kumar Kartikeya Dwivedi (2):
  bpf: Suppress warning for non-zero off raw_tp arg NULL check
  selftests/bpf: Add raw_tp tests for PTR_MAYBE_NULL marking

 kernel/bpf/verifier.c                         | 44 ++++++++--
 .../selftests/bpf/prog_tests/raw_tp_null.c    |  6 ++
 .../selftests/bpf/progs/raw_tp_null_fail.c    | 81 +++++++++++++++++++
 3 files changed, 126 insertions(+), 5 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/progs/raw_tp_null_fail.c

base-commit: 45e04eb4d9d85603539984bc9ca930c380c93b15
--
2.43.5
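
The register sequence from the cover letter above, replayed in a toy model of id-based NULL-check propagation. This is an added example, not code from the patch series or the kernel verifier. struct reg, null_check() and replay() are hypothetical names, and leaving the offset register marked maybe-NULL after the check is an assumption of the model, not something the cover letter states.

```c
/* Toy model, not kernel code: every name here is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
struct reg {
    int id;          /* copies of one pointer share an id */
    int off;         /* fixed offset added to the pointer */
    bool maybe_null; /* stands in for PTR_MAYBE_NULL */
    bool raw_tp;     /* pointer came from a raw_tp argument */
};

/* Apply "pointer with this id is not NULL" to every register sharing the id.
 * Returns how many warnings the model would raise. */
int null_check(struct reg *regs, size_t n, int id, bool suppress_raw_tp)
{
    int warnings = 0;
    for (size_t i = 0; i < n; i++) {
        struct reg *r = &regs[i];
        if (r->id != id || !r->maybe_null)
            continue;
        if (r->off != 0) {
            /* Offset on a maybe-NULL pointer: the unexpected state. */
            if (!(suppress_raw_tp && r->raw_tp))
                warnings++;
            continue; /* assumption: register stays maybe_null */
        }
        r->maybe_null = false;
    }
    return warnings;
}

/* Replay the LLVM-generated sequence quoted in the cover letter. */
int replay(bool raw_tp, bool suppress, struct reg *r1_out, struct reg *r3_out)
{
    struct reg regs[4] = {0};
    regs[1] = (struct reg){ .id = 1, .maybe_null = true, .raw_tp = raw_tp };
    regs[3] = regs[1];   /* r3 = r1 */
    regs[3].off += 1024; /* r3 += r0, with r0 = 1024 */
    int w = null_check(regs, 4, 1, suppress); /* r1 != 0 branch */
    *r1_out = regs[1]; *r3_out = regs[3];
    return w;
}
int main(void)
{
    struct reg r1, r3;
    printf("suppression off: %d warning(s)\n", replay(true, false, &r1, &r3));
    printf("suppression on:  %d warning(s)\n", replay(true, true, &r1, &r3));
    return 0;
}
```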