This patch-set consists of a series of bug fixes for register ID
tracking in verifier.c:states_equal()/regsafe() functions:
- for registers of type PTR_TO_MAP_{KEY,VALUE}, PTR_TO_PACKET[_META]
the regsafe() should call check_ids() even if registers are
byte-to-byte equal;
- states_equal() must maintain idmap that covers all function frames
in the state because functions like mark_ptr_or_null_regs() operate
on all registers in the state;
- regsafe() must compare spin lock ids for PTR_TO_MAP_VALUE registers.
The last point covers issue reported by Kumar Kartikeya Dwivedi in [1],
I borrowed the test commit from there.
Note, that there is also an issue with register id tracking for
scalars described here [2], it would be addressed separately.
[1] https://lore.kernel.org/bpf/20221111202719.982118-1-memxor@xxxxxxxxx/
[2] https://lore.kernel.org/bpf/20221128163442.280187-2-eddyz87@xxxxxxxxx/
Eduard Zingerman (6):
bpf: regsafe() must not skip check_ids()
selftests/bpf: test cases for regsafe() bug skipping check_id()
bpf: states_equal() must build idmap for all function frames
selftests/bpf: verify states_equal() maintains idmap across all frames
bpf: use check_ids() for active_lock comparison
selftests/bpf: test case for relaxed prunning of active_lock.id
Kumar Kartikeya Dwivedi (1):
selftests/bpf: Add pruning test case for bpf_spin_lock
include/linux/bpf_verifier.h | 4 +-
kernel/bpf/verifier.c | 48 ++++----
tools/testing/selftests/bpf/verifier/calls.c | 82 +++++++++++++
.../bpf/verifier/direct_packet_access.c | 54 +++++++++
.../selftests/bpf/verifier/spin_lock.c | 114 ++++++++++++++++++
.../selftests/bpf/verifier/value_or_null.c | 49 ++++++++
6 files changed, 324 insertions(+), 27 deletions(-)
--
2.34.1
