Patch "bpf: widening for callback iterators" has been added to the 6.6-stable tree


 



This is a note to let you know that I've just added the patch titled

    bpf: widening for callback iterators

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-widening-for-callback-iterators.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From cafe2c21508a38cdb3ed22708842e957b2572c3e Mon Sep 17 00:00:00 2001
From: Eduard Zingerman <eddyz87@xxxxxxxxx>
Date: Tue, 21 Nov 2023 04:06:58 +0200
Subject: bpf: widening for callback iterators

From: Eduard Zingerman <eddyz87@xxxxxxxxx>

commit cafe2c21508a38cdb3ed22708842e957b2572c3e upstream.

Callbacks are similar to open coded iterators, so add imprecise
widening logic for callback body processing. This makes callback based
loops behave identically to open coded iterators, e.g. allowing to
verify programs like below:

  struct ctx { u32 i; };
  int cb(u32 idx, struct ctx* ctx)
  {
          ++ctx->i;
          return 0;
  }
  ...
  struct ctx ctx = { .i = 0 };
  bpf_loop(100, cb, &ctx, 0);
  ...

Acked-by: Andrii Nakryiko <andrii@xxxxxxxxxx>
Signed-off-by: Eduard Zingerman <eddyz87@xxxxxxxxx>
Link: https://lore.kernel.org/r/20231121020701.26440-9-eddyz87@xxxxxxxxx
Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 kernel/bpf/verifier.c |   24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -9595,9 +9595,10 @@ static bool in_rbtree_lock_required_cb(s
 
 static int prepare_func_exit(struct bpf_verifier_env *env, int *insn_idx)
 {
-	struct bpf_verifier_state *state = env->cur_state;
+	struct bpf_verifier_state *state = env->cur_state, *prev_st;
 	struct bpf_func_state *caller, *callee;
 	struct bpf_reg_state *r0;
+	bool in_callback_fn;
 	int err;
 
 	callee = state->frame[state->curframe];
@@ -9659,7 +9660,8 @@ static int prepare_func_exit(struct bpf_
 	 * there function call logic would reschedule callback visit. If iteration
 	 * converges is_state_visited() would prune that visit eventually.
 	 */
-	if (callee->in_callback_fn)
+	in_callback_fn = callee->in_callback_fn;
+	if (in_callback_fn)
 		*insn_idx = callee->callsite;
 	else
 		*insn_idx = callee->callsite + 1;
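Review bot: the copy at `in_callback_fn = callee->in_callback_fn;` carries no comment explaining why the flag needs a local, and the reason only shows up in the next hunk, where `free_func_state(callee)` runs before the flag is read again. A one-line comment here saying that callee is freed below and the flag is still needed afterwards would keep a later cleanup from folding the local back into `callee->in_callback_fn` and reading freed memory.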
@@ -9673,6 +9675,24 @@ static int prepare_func_exit(struct bpf_
 	/* clear everything in the callee */
 	free_func_state(callee);
 	state->frame[state->curframe--] = NULL;
+
+	/* for callbacks widen imprecise scalars to make programs like below verify:
+	 *
+	 *   struct ctx { int i; }
+	 *   void cb(int idx, struct ctx *ctx) { ctx->i++; ... }
+	 *   ...
+	 *   struct ctx = { .i = 0; }
+	 *   bpf_loop(100, cb, &ctx, 0);
+	 *
+	 * This is similar to what is done in process_iter_next_call() for open
+	 * coded iterators.
+	 */
+	prev_st = in_callback_fn ? find_prev_entry(env, state, *insn_idx) : NULL;
+	if (prev_st) {
+		err = widen_imprecise_scalars(env, prev_st, state);
+		if (err)
+			return err;
+	}
 	return 0;
 }
 
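Review bot: the example in the new comment block is not valid C and disagrees with the commit message: `struct ctx { int i; }` lacks its terminating semicolon, `struct ctx = { .i = 0; }` has no variable name and a stray semicolon inside the initializer, and the callback is written as `void cb(int idx, ...)` while the commit message shows `int cb(u32 idx, ...)` returning 0. Suggest reusing the commit-message form so the comment can be pasted into a test as is. Separately, `if (prev_st)` treats a NULL result from `find_prev_entry()` the same as the non-callback case and skips widening silently; a sentence in the comment stating that no previous entry at the callsite means there is nothing to widen yet would make that intent explicit.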


Patches currently in stable-queue which might be from eddyz87@xxxxxxxxx are

queue-6.6/bpf-move-explored_state-closer-to-the-beginning-of-verifier.c.patch
queue-6.6/bpf-verify-callbacks-as-if-they-are-called-unknown-number-of-times.patch
queue-6.6/selftests-bpf-test-widening-for-iterating-callbacks.patch
queue-6.6/bpf-keep-track-of-max-number-of-bpf_loop-callback-iterations.patch
queue-6.6/bpf-extract-setup_func_entry-utility-function.patch
queue-6.6/selftests-bpf-tests-with-delayed-read-precision-makrs-in-loop-body.patch
queue-6.6/selftests-bpf-track-string-payload-offset-as-scalar-in-strobemeta.patch
queue-6.6/bpf-print-full-verifier-states-on-infinite-loop-detection.patch
queue-6.6/selftests-bpf-track-tcp-payload-offset-as-scalar-in-xdp_synproxy.patch
queue-6.6/bpf-extract-__check_reg_arg-utility-function.patch
queue-6.6/bpf-extract-same_callsites-as-utility-function.patch
queue-6.6/bpf-widening-for-callback-iterators.patch
queue-6.6/selftests-bpf-test-if-state-loops-are-detected-in-a-tricky-case.patch
queue-6.6/bpf-correct-loop-detection-for-iterators-convergence.patch
queue-6.6/selftests-bpf-tests-for-iterating-callbacks.patch
queue-6.6/bpf-exact-states-comparison-for-iterator-convergence-checks.patch
queue-6.6/selftests-bpf-check-if-max-number-of-bpf_loop-iterations-is-tracked.patch



