Patch "bpf: unconditionally reset backtrack_state masks on global func exit" has been added to the 6.5-stable tree

This is a note to let you know that I've just added the patch titled

    bpf: unconditionally reset backtrack_state masks on global func exit

to the 6.5-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-unconditionally-reset-backtrack_state-masks-on-g.patch
and it can be found in the queue-6.5 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 842ebdaf6c091003bc4d28bf7e8eaf432f98aab3
Author: Andrii Nakryiko <andrii@xxxxxxxxxx>
Date:   Mon Sep 18 14:01:10 2023 -0700

    bpf: unconditionally reset backtrack_state masks on global func exit
    
    [ Upstream commit 81335f90e8a88b81932df011105c46e708744f44 ]
    
    In mark_chain_precision() logic, when we reach the entry to a global
    func, it is expected that R1-R5 might be still requested to be marked
    precise. This would correspond to some integer input arguments being
    tracked as precise. This is all expected and handled as a special case.
    
    What's not expected is that we'll leave backtrack_state structure with
    some register bits set. This is because for subsequent precision
    propagations backtrack_state is reused without clearing masks, as all
    code paths are carefully written in a way to leave empty backtrack_state
    with zeroed out masks, for speed.
    
    The fix is trivial, we always clear register bit in the register mask, and
    then, optionally, set reg->precise if register is SCALAR_VALUE type.
    
    Reported-by: Chris Mason <clm@xxxxxxxx>
    Fixes: be2ef8161572 ("bpf: allow precision tracking for programs with subprogs")
    Signed-off-by: Andrii Nakryiko <andrii@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20230918210110.2241458-1-andrii@xxxxxxxxxx
    Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 9cdba4ce23d2b..93fd32f2957b7 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4039,11 +4039,9 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno)
 				bitmap_from_u64(mask, bt_reg_mask(bt));
 				for_each_set_bit(i, mask, 32) {
 					reg = &st->frame[0]->regs[i];
-					if (reg->type != SCALAR_VALUE) {
-						bt_clear_reg(bt, i);
-						continue;
-					}
-					reg->precise = true;
+					bt_clear_reg(bt, i);
+					if (reg->type == SCALAR_VALUE)
+						reg->precise = true;
 				}
 				return 0;
 			}
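Review bot: The unconditional `bt_clear_reg(bt, i)` at the top of the loop body has no comment recording the invariant it now enforces, and the old code's conditional clear shows how easily that invariant is missed. Per the commit message, backtrack_state is reused by later precision propagations without its masks being cleared, so every requested register bit has to be cleared before the `return 0` that follows the loop. A one-line comment above the clear saying so would keep a future cleanup from folding it back under the SCALAR_VALUE test. Clearing inside `for_each_set_bit` is safe here because the loop walks `mask`, the copy taken by `bitmap_from_u64(mask, bt_reg_mask(bt))`, and not the live register mask.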


