Patch "bpf: Fix verifier log for async callback return values" has been added to the 5.15-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    bpf: Fix verifier log for async callback return values

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-fix-verifier-log-for-async-callback-return-value.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 68d240c535beb5315ce604406dbcc1370f50c3af
Author: David Vernet <void@xxxxxxxxxxxxx>
Date:   Mon Oct 9 11:14:13 2023 -0500

    bpf: Fix verifier log for async callback return values
    
    [ Upstream commit 829955981c557c7fc7416581c4cd68a8a0c28620 ]
    
    The verifier, as part of check_return_code(), verifies that async
    callbacks such as from e.g. timers, will return 0. It does this by
    correctly checking that R0->var_off is in tnum_const(0), which
    effectively checks that it's in a range of 0. If this condition fails,
    however, it prints an error message which says that the value should
    have been in (0x0; 0x1). This results in possibly confusing output such
    as the following in which an async callback returns 1:
    
      At async callback the register R0 has value (0x1; 0x0) should have been in (0x0; 0x1)
    
    The fix is easy -- we should just pass the tnum_const(0) as the correct
    range to verbose_invalid_scalar(), which will then print the following:
    
      At async callback the register R0 has value (0x1; 0x0) should have been in (0x0; 0x0)
    
    Fixes: bfc6bb74e4f1 ("bpf: Implement verifier support for validation of async callbacks.")
    Signed-off-by: David Vernet <void@xxxxxxxxxxxxx>
    Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
    Link: https://lore.kernel.org/bpf/20231009161414.235829-1-void@xxxxxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index ecf4332ff312f..a4be7c1c11aaf 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -9570,7 +9570,7 @@ static int check_return_code(struct bpf_verifier_env *env)
 	struct tnum enforce_attach_type_range = tnum_unknown;
 	const struct bpf_prog *prog = env->prog;
 	struct bpf_reg_state *reg;
-	struct tnum range = tnum_range(0, 1);
+	struct tnum range = tnum_range(0, 1), const_0 = tnum_const(0);
 	enum bpf_prog_type prog_type = resolve_prog_type(env->prog);
 	int err;
 	struct bpf_func_state *frame = env->cur_state->frame[0];
@@ -9608,8 +9608,8 @@ static int check_return_code(struct bpf_verifier_env *env)
 			return -EINVAL;
 		}
 
-		if (!tnum_in(tnum_const(0), reg->var_off)) {
-			verbose_invalid_scalar(env, reg, &range, "async callback", "R0");
+		if (!tnum_in(const_0, reg->var_off)) {
+			verbose_invalid_scalar(env, reg, &const_0, "async callback", "R0");
 			return -EINVAL;
 		}
 		return 0;



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux