A production BPF program had the following code produced by LLVM.

  r0 = 1024;
  r1 = ...;  // r1 = trusted_or_null_(id=1)
  r3 = r1;   // r3 = trusted_or_null_(id=1) r1 = trusted_or_null_(id=1)
  r3 += r0;  // r3 = trusted_or_null_(id=1, off=1024)
  if r1 == 0 goto pc+X;

After cb4158ce8ec8 ("bpf: Mark raw_tp arguments with PTR_MAYBE_NULL"), the production BPF program began throwing a warning in the verifier because, for the code above, when unmarking the null mark from r1, the verifier will notice another register r3 with the same id but off != 0, which is unexpected, since offset modification on PTR_MAYBE_NULL is not permitted, but the aforementioned commit relaxed that restriction to preserve compatibility with non-NULL raw_tp args.

Another production program hit a case where generic code it was calling into would perform a NULL check, while the program knows and is written with the knowledge that the raw_tp arg can never be NULL. In earlier versions before the raw_tp change, the verifier would never walk the path where the raw_tp arg was seen as scalar zero, but now it will, hence code in the program that operates on the raw_tp arg later on will fail on dereferencing a scalar.

Provide a fix to suppress the warning for raw_tp args, and not mark NULL-checked raw_tp args as scalars. We will follow up with a more generic fix to handle such patterns for all pointer types in the verifier, which currently involves playing whack-a-mole with suppressing such LLVM optimizations and reworking BPF programs to avoid verifier errors.
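As an added illustration (not part of this series and not the kernel's verifier code), the following C model replays the LLVM sequence above under a simplified version of both policies: the old behaviour, which warns on a same-id register with off != 0 and turns the NULL branch into a scalar, and the behaviour described in the changelog, which treats a check on an operand with off != 0 as a no-op that keeps the id and never scalarizes a NULL-checked raw_tp arg. The register types, the `fixed` switch and the `raw_tp_arg` flag are assumptions standing in for real verifier state.

```c
#include <stdbool.h>

enum reg_type { SCALAR, PTR_MAYBE_NULL, PTR_TRUSTED };

struct reg {
    enum reg_type type;
    int id;          /* shared by all copies of one pointer; 0 = none */
    int off;         /* constant offset added to the pointer */
    bool raw_tp_arg; /* assumption: pointer came from a raw_tp argument */
};

/* Apply "if rX == 0" to regs[checked]. Returns 1 if the old policy would
 * have warned, 0 otherwise; fixed selects the policy from the changelog. */
static int null_check(struct reg *regs, int n, int checked, bool is_null,
                      bool fixed)
{
    int id = regs[checked].id, warned = 0;
    if (regs[checked].type != PTR_MAYBE_NULL)
        return 0;
    if (fixed && regs[checked].off != 0)
        return 0; /* fixed: NULL check on off != 0 operand is a no-op, id kept */
    for (int i = 0; i < n; i++) {
        if (regs[i].type != PTR_MAYBE_NULL || regs[i].id != id)
            continue;
        if (!fixed && regs[i].off != 0)
            warned = 1; /* old: same-id register with off != 0 is unexpected */
        if (is_null && !(fixed && regs[i].raw_tp_arg))
            regs[i].type = SCALAR;      /* NULL branch: becomes scalar 0 */
        else
            regs[i].type = PTR_TRUSTED; /* non-NULL branch, or raw_tp kept */
        regs[i].id = 0;
    }
    return warned;
}

/* Replay the sequence from the cover letter, apply the NULL check to
 * register `checked` on the given branch, and copy the final state out. */
static int replay(bool fixed, bool is_null, int checked, struct reg out[4])
{
    struct reg r[4] = { [1] = { PTR_MAYBE_NULL, 1, 0, true } }; /* r1 = raw_tp arg, r0 = 1024 scalar */
    r[3] = r[1];      /* r3 = r1: same id, trusted_or_null */
    r[3].off += 1024; /* r3 += r0: off=1024 on a PTR_MAYBE_NULL register */
    int warned = null_check(r, 4, checked, is_null, fixed);
    for (int i = 0; i < 4; i++)
        out[i] = r[i];
    return warned;
}
```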
Changelog:
----------
v2 -> v3
v2: https://lore.kernel.org/bpf/20241205223152.2434683-1-memxor@xxxxxxxxx
 * Add Acked-by for Patch 1
 * Add fix for scalar dereference issue
 * Roll both fixes into one, as second fix undoes first
 * Fix nits

v1 -> v2
v1: https://lore.kernel.org/bpf/20241204024154.21386-1-memxor@xxxxxxxxx
 * Fix eager unmarking bug (Eduard)
 * Generalize approach, always unmark NULL when off == 0 is checked
 * Make NULL check noop if operand has off != 0
 * Do not reset id when treating as noop
 * Trim comment (Alexei)
 * Adjust selftests

Kumar Kartikeya Dwivedi (3):
  bpf: Suppress warning for non-zero off raw_tp arg NULL check
  bpf: Do not mark NULL-checked raw_tp arg as scalar
  selftests/bpf: Add raw_tp tests for PTR_MAYBE_NULL marking

 kernel/bpf/verifier.c                              | 44 +++++++--
 .../selftests/bpf/prog_tests/raw_tp_null.c         |  6 ++
 .../selftests/bpf/progs/raw_tp_null_fail.c         | 90 +++++++++++++++++++
 3 files changed, 133 insertions(+), 7 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/progs/raw_tp_null_fail.c

base-commit: 5a6ea7022ff4d2a65ae328619c586d6a8909b48b
--
2.43.5