On Tue, Aug 30, 2022 at 11:03 AM Dave Marchevsky <davemarchevsky@xxxxxx> wrote:
>
> Verifier logic to confirm that a callback function returns 0 or 1 was
> added in commit 69c087ba6225b ("bpf: Add bpf_for_each_map_elem() helper").
> At the time, callback return value was only used to continue or stop
> iteration.
>
> In order to support callbacks with a broader return value range, such as
> those added further in this series, add a callback_ret_range to
> bpf_func_state. Verifier's helpers which set in_callback_fn will also
> set the new field, which the verifier will later use to check return
> value bounds.
>
> Default to tnum_range(0, 1) instead of using tnum_unknown as a sentinel
> value as the latter would prevent the valid range (0, U64_MAX) being
> used.
>
> Signed-off-by: Dave Marchevsky <davemarchevsky@xxxxxx>
> ---
> include/linux/bpf_verifier.h | 1 +
> kernel/bpf/verifier.c | 4 +++-
> 2 files changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
> index 2e3bad8640dc..9c017575c034 100644
> --- a/include/linux/bpf_verifier.h
> +++ b/include/linux/bpf_verifier.h
> @@ -237,6 +237,7 @@ struct bpf_func_state {
> */
> u32 async_entry_cnt;
> bool in_callback_fn;
> + struct tnum callback_ret_range;
> bool in_async_callback_fn;
>
> /* The following fields should be last. See copy_func_state() */
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 9bef8b41e737..68bfa7c28048 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -1745,6 +1745,7 @@ static void init_func_state(struct bpf_verifier_env *env,
> state->callsite = callsite;
> state->frameno = frameno;
> state->subprogno = subprogno;
> + state->callback_ret_range = tnum_range(0, 1);
> init_reg_state(env, state);
> mark_verifier_state_scratched(env);
> }
> @@ -6879,6 +6880,7 @@ static int set_find_vma_callback_state(struct bpf_verifier_env *env,
> __mark_reg_not_init(env, &callee->regs[BPF_REG_4]);
> __mark_reg_not_init(env, &callee->regs[BPF_REG_5]);
> callee->in_callback_fn = true;
> + callee->callback_ret_range = tnum_range(0, 1);
Thanks for removing this restriction for callback functions!
One quick question: is this line above needed? I think in
__check_func_call, we always call init_func_state() first before
calling set_find_vma_callback_state(), so after the init_func_state()
call, the callee->callback_ret_range will already be set to
tnum_range(0,1).
> return 0;
> }
>
> @@ -6906,7 +6908,7 @@ static int prepare_func_exit(struct bpf_verifier_env *env, int *insn_idx)
> caller = state->frame[state->curframe];
> if (callee->in_callback_fn) {
> /* enforce R0 return value range [0, 1]. */
> - struct tnum range = tnum_range(0, 1);
> + struct tnum range = callee->callback_ret_range;
>
> if (r0->type != SCALAR_VALUE) {
> verbose(env, "R0 not a scalar value\n");
> --
> 2.30.2
>
