Commit 2a5418a13fcf changed verifier dead code handling from patching with
NOPs to using a loop trap made with BPF_JMP_IMM(BPF_JA, 0, 0, -1). This
confuses the JIT static analysis, which follows the loop assuming the
verifier passed safe code, and results in a system hang and RCU stall.
Update reg_val_propagate_range() to fall through these trap insns.
Trigger the bug using test_verifier "check known subreg with unknown reg".
Fixes: 2a5418a13fcf ("bpf: improve dead code sanitizing")
Signed-off-by: Tony Ambardar <Tony.Ambardar@xxxxxxxxx>
---
arch/mips/net/ebpf_jit.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/arch/mips/net/ebpf_jit.c b/arch/mips/net/ebpf_jit.c
index ad0e54a842fc..e60a089ee3b3 100644
--- a/arch/mips/net/ebpf_jit.c
+++ b/arch/mips/net/ebpf_jit.c
@@ -1691,6 +1691,14 @@ static int reg_val_propagate_range(struct jit_ctx *ctx, u64 initial_rvt,
return idx;
case BPF_JA:
rvt[idx] |= RVT_DONE;
+ /*
+ * Verifier dead code patching can use
+ * infinite-loop traps, causing hangs and
+ * RCU stalls here. Treat traps as nops
+ * if detected and fall through.
+ */
+ if (insn->off == -1)
+ break;
idx += insn->off;
break;
case BPF_JEQ:
--
2.25.1
