A BPF function can return before its exit instruction: LD_ABS, LD_IND, and
tail_call() can all cause it to return abnormally.

When such a function is called by another BPF function, the verifier doesn't
take this into account when calculating the bounds of the return value, or
pointers to the caller's stack.

---
Changes in v2:
- Handle LD_ABS and LD_IND, not just tail_call()
- Split tests out
- Use inline asm for tests

Changes in v3:
- Don't handle just r0, model abnormal exits as a branch that exits or
  falls through.
- Try to use C as much as possible for the tests.

Arthur Fabre (2):
  bpf: Account for early exit of bpf_tail_call() and LD_ABS
  selftests/bpf: Test r0 and ref lifetime after BPF-BPF call with abnormal
    return

 kernel/bpf/verifier.c                         |  84 +++++++++----
 .../selftests/bpf/prog_tests/verifier.c       |   2 +
 .../bpf/progs/verifier_abnormal_ret.c         | 115 ++++++++++++++++++
 3 files changed, 178 insertions(+), 23 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/progs/verifier_abnormal_ret.c

-- 
2.43.0
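The following C program is an added toy model of the verifier behaviour the cover letter describes; it is not code from this series or from the kernel. It tracks only r0, as an unsigned range, over a straight-line callee, and compares the pre-patch reading (only the explicit EXIT contributes a return value) with the v3 approach of treating LD_ABS and tail_call() as a branch that either returns to the caller immediately or falls through. Its assumptions, which are the toy's and not statements about the kernel, are: a failed LD_ABS returns 0 to the caller, a successful tail call delivers the target program's unconstrained r0 to the caller, and the fall-through path after tail_call() leaves r0 unknown. The instruction set, `callee_ret_range()` and `caller_can_prove_below()` are constructed for this illustration.

```c
/* Toy model of abnormal returns from a BPF-to-BPF callee (constructed
 * for this page; not kernel code).  Only r0 is tracked, as an unsigned
 * range, over a straight-line callee. */
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum op { OP_MOV_IMM, OP_LD_ABS, OP_TAIL_CALL, OP_EXIT };

struct insn {
	enum op op;
	uint32_t imm;	/* only used by OP_MOV_IMM */
};

/* Abstract value of r0: inclusive unsigned range [umin, umax]. */
struct range {
	uint64_t umin, umax;
};

static const struct range RANGE_UNKNOWN = { 0, UINT64_MAX };

static struct range range_of(uint64_t lo, uint64_t hi)
{
	struct range r = { lo, hi };
	return r;
}

/* What the caller must assume when either of two paths can reach it. */
static struct range range_join(struct range a, struct range b)
{
	return range_of(a.umin < b.umin ? a.umin : b.umin,
			a.umax > b.umax ? a.umax : b.umax);
}

/*
 * Range of r0 as seen by the caller after the callee returns.
 * model_abnormal == false: only EXIT contributes (the problem described
 * in the cover letter).  model_abnormal == true: LD_ABS and TAIL_CALL
 * are a branch whose one successor returns right away while the other
 * falls through to the next instruction.
 */
static struct range callee_ret_range(const struct insn *prog, size_t n,
				     bool model_abnormal)
{
	struct range r0 = RANGE_UNKNOWN;	/* r0 is uninitialised on entry */
	struct range ret = { 0, 0 };
	bool ret_seen = false;

	for (size_t i = 0; i < n; i++) {
		struct range early = r0;	/* value returned on the exit edge */

		switch (prog[i].op) {
		case OP_MOV_IMM:
			r0 = range_of(prog[i].imm, prog[i].imm);
			continue;
		case OP_LD_ABS:
			early = range_of(0, 0);		/* assumed: failure returns 0 */
			r0 = range_of(0, UINT32_MAX);	/* fall-through: packet bytes */
			break;
		case OP_TAIL_CALL:
			early = RANGE_UNKNOWN;	/* assumed: target program's r0 */
			r0 = RANGE_UNKNOWN;	/* fall-through: r0 clobbered */
			break;
		case OP_EXIT:
			early = r0;
			break;
		}

		if (prog[i].op == OP_EXIT || model_abnormal) {
			ret = ret_seen ? range_join(ret, early) : early;
			ret_seen = true;
		}
		if (prog[i].op == OP_EXIT)
			break;
	}
	return ret;
}

/* Can the caller prove r0 < limit, e.g. before using it as an index? */
static bool caller_can_prove_below(struct range ret, uint64_t limit)
{
	return ret.umax < limit;
}

/* Constructed callees: one that may tail call, one whose LD_ABS may fail. */
static const struct insn callee_tail_call[] = {
	{ OP_MOV_IMM, 1 }, { OP_TAIL_CALL, 0 }, { OP_MOV_IMM, 2 }, { OP_EXIT, 0 },
};
static const struct insn callee_ld_abs[] = {
	{ OP_MOV_IMM, 5 }, { OP_LD_ABS, 0 }, { OP_MOV_IMM, 7 }, { OP_EXIT, 0 },
};

#define N(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
	struct range naive = callee_ret_range(callee_tail_call, N(callee_tail_call), false);
	struct range fixed = callee_ret_range(callee_tail_call, N(callee_tail_call), true);

	printf("tail_call callee: naive [%" PRIu64 ",%" PRIu64 "], "
	       "with abnormal exits [%" PRIu64 ",%" PRIu64 "]\n",
	       naive.umin, naive.umax, fixed.umin, fixed.umax);
	naive = callee_ret_range(callee_ld_abs, N(callee_ld_abs), false);
	fixed = callee_ret_range(callee_ld_abs, N(callee_ld_abs), true);
	printf("LD_ABS callee:    naive [%" PRIu64 ",%" PRIu64 "], "
	       "with abnormal exits [%" PRIu64 ",%" PRIu64 "]\n",
	       naive.umin, naive.umax, fixed.umin, fixed.umax);
	return 0;
}
```

The naive pass concludes that the tail-calling callee always returns 2, so a caller bounds check such as `r0 < 3` would be accepted even though the tail-called program can hand back anything; once the tail call is modelled as an exit edge, the join with the unknown range forces the caller to treat r0 as unbounded. The LD_ABS case shows the other shape of the same problem: the return range widens from [7,7] to [0,7] to cover the early return.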