On Sat, 2025-01-25 at 02:18 +0000, Peilin Ye wrote: [...]
> +static int check_atomic_store(struct bpf_verifier_env *env, int insn_idx,
> + struct bpf_insn *insn)
> +{
> + int err;
> +
> + err = check_reg_arg(env, insn->src_reg, SRC_OP);
> + if (err)
> + return err;
> +
> + err = check_reg_arg(env, insn->dst_reg, SRC_OP);
> + if (err)
> + return err;
> +
> + if (is_pointer_value(env, insn->src_reg)) {
> + verbose(env, "R%d leaks addr into mem\n", insn->src_reg);
> + return -EACCES;
> + }
Nit: this check is done by check_mem_access(), albeit only for PTR_TO_MEM, I think it's better to be consistent with what happens for regular stores and avoid this check here.
> +
> + if (!atomic_ptr_type_ok(env, insn->dst_reg, insn)) {
> + verbose(env, "BPF_ATOMIC stores into R%d %s is not allowed\n",
> + insn->dst_reg,
> + reg_type_str(env, reg_state(env, insn->dst_reg)->type));
> + return -EACCES;
> + }
> +
> + if (is_arena_reg(env, insn->dst_reg)) {
> + err = save_aux_ptr_type(env, PTR_TO_ARENA, false);
> + if (err)
> + return err;
> + }
> +
> + /* Check whether we can write into the memory. */
> + err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
> + BPF_SIZE(insn->code), BPF_WRITE, insn->src_reg,
> + true, false);
> + if (err)
> + return err;
> + return 0;
> +}
[...]