Hi, I found eBPF verifier is flawed when checking the atomic64_xchg instruction, which will cause usability issues. For example, the program below is safe and correct in privileged mode. However, it mis-rejects the program. Moreover, the error string is misleading. 0: R1=ctx(off=0,imm=0) R10=fp0 0: (7a) *(u64 *)(r10 -8) = 272 ; R10=fp0 fp-8_w=272 1: (bf) r2 = r10 ; R2_w=fp0 R10=fp0 2: (db) r2 = atomic64_xchg((u64 *)(r2 -8), r2) misaligned access off (0x0; 0xffffffffffffffff)+0+-8 size 8 The root cause of this bug is described below: When checking atomic exchange instructions in check_atomic(), the verifier checks the read and write safety on the memory r2-8. 1) In the read check (first), it marks r2 as an unknown scalar, as the instruction will assign the value from r2-8 to r2, and the value at r2-8 is unknown. 2) When it comes to the second check, that is the write check, it checks whether the memory at r2-8 is writable. However, at this time, r2 is marked as scalar instead of stack pointer, thus, it reports this error. Signed-off-by: Tao Lyu <tao.lyu@xxxxxxx> --- tools/testing/selftests/bpf/verifier/atomic_exchg.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 tools/testing/selftests/bpf/verifier/atomic_exchg.c diff --git a/tools/testing/selftests/bpf/verifier/atomic_exchg.c b/tools/testing/selftests/bpf/verifier/atomic_exchg.c new file mode 100644 index 000000000000..f05ab5f45245 --- /dev/null +++ b/tools/testing/selftests/bpf/verifier/atomic_exchg.c @@ -0,0 +1,12 @@ +{ + "Incorrect atomic_exchg verification", + .insns = { + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0x110), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ATOMIC_OP(BPF_DW, BPF_XCHG, BPF_REG_2, BPF_REG_2, -8), + BPF_MOV64_IMM(BPF_REG_0, 1), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, +}, + -- 2.25.1