On Fri, Dec 6, 2024 at 8:11 AM Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx> wrote: > > An implication of this fix, which follows from the way the raw_tp fixes > were implemented, is that all PTR_MAYBE_NULL trusted PTR_TO_BTF_ID are > engulfed by these checks, and PROBE_MEM will apply to all of them, incl. > those coming from helpers with KF_ACQUIRE returning maybe null trusted > pointers. This NULL tagging after this commit will be sticky. Compared > to a solution which only specially tagged raw_tp args with a different > special maybe null tag (like PTR_SOFT_NULL), it's a consequence of > overloading PTR_MAYBE_NULL with this meaning. > > Fixes: cb4158ce8ec8 ("bpf: Mark raw_tp arguments with PTR_MAYBE_NULL") > Reported-by: Manu Bretelle <chantra@xxxxxxxx> > Signed-off-by: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx> > --- > kernel/bpf/verifier.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index 82f40d63ad7b..556fb609d4a4 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -15365,6 +15365,12 @@ static void mark_ptr_or_null_reg(struct bpf_verifier_env *env, > return; > > if (is_null) { > + /* We never mark a raw_tp trusted pointer as scalar, to > + * preserve backwards compatibility, instead just leave > + * it as is. > + */ > + if (mask_raw_tp_reg_cond(env, reg)) > + return; The blast radius is getting too big. Patch 1 is ok, but here we're doubling down on the hack in commit cb4158ce8ec8 ("bpf: Mark raw_tp arguments with PTR_MAYBE_NULL") I think we need to revert the raw_tp masking hack and go with denylist the way Jiri proposed: https://lore.kernel.org/bpf/ZrIj9jkXqpKXRuS7@krava/ denylist is certainly less safer and it's a whack-a-mole comparing to allowlist, but it's much much shorter according to Jiri's analysis: https://lore.kernel.org/bpf/Zr3q8ihbe8cUdpfp@krava/ Eduard had an idea how to auto generate such allow/denylist during the build. That could be a follow up.