Patch "bpf: Fix inner map state pruning regression." has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 21 Nov 2021 18:05:55 -0500

This is a note to let you know that I've just added the patch titled

    bpf: Fix inner map state pruning regression.

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-fix-inner-map-state-pruning-regression.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 81f3bb8e3c8a1c7f54f8c5347ab729f765627107
Author: Alexei Starovoitov <ast@xxxxxxxxxx>
Date:   Wed Nov 10 09:25:56 2021 -0800

    bpf: Fix inner map state pruning regression.
    
    [ Upstream commit 34d11a440c6167133201b7374065b59f259730d7 ]
    
    Introduction of map_uid made two lookups from outer map to be distinct.
    That distinction is only necessary when inner map has an embedded timer.
    Otherwise it will make the verifier state pruning to be conservative
    which will cause complex programs to hit 1M insn_processed limit.
    Tighten map_uid logic to apply to inner maps with timers only.
    
    Fixes: 3e8ce29850f1 ("bpf: Prevent pointer mismatch in bpf_timer_init.")
    Reported-by: Lorenz Bauer <lmb@xxxxxxxxxxxxxx>
    Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
    Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
    Tested-by: Lorenz Bauer <lmb@xxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/bpf/CACAyw99hVEJFoiBH_ZGyy=+oO-jyydoz6v1DeKPKs2HVsUH28w@xxxxxxxxxxxxxx
    Link: https://lore.kernel.org/bpf/20211110172556.20754-1-alexei.starovoitov@xxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index ddba80554fef3..cba37d83451eb 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1143,7 +1143,8 @@ static void mark_ptr_not_null_reg(struct bpf_reg_state *reg)
 			/* transfer reg's id which is unique for every map_lookup_elem
 			 * as UID of the inner map.
 			 */
-			reg->map_uid = reg->id;
+			if (map_value_has_timer(map->inner_map_meta))
+				reg->map_uid = reg->id;
 		} else if (map->map_type == BPF_MAP_TYPE_XSKMAP) {
 			reg->type = PTR_TO_XDP_SOCK;
 		} else if (map->map_type == BPF_MAP_TYPE_SOCKMAP ||






