This is a note to let you know that I've just added the patch titled
bpf: widening for callback iterators
to the 6.6-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
bpf-widening-for-callback-iterators.patch
and it can be found in the queue-6.6 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From cafe2c21508a38cdb3ed22708842e957b2572c3e Mon Sep 17 00:00:00 2001
From: Eduard Zingerman <eddyz87@xxxxxxxxx>
Date: Tue, 21 Nov 2023 04:06:58 +0200
Subject: bpf: widening for callback iterators
From: Eduard Zingerman <eddyz87@xxxxxxxxx>
commit cafe2c21508a38cdb3ed22708842e957b2572c3e upstream.
Callbacks are similar to open coded iterators, so add imprecise
widening logic for callback body processing. This makes callback based
loops behave identically to open coded iterators, e.g. allowing to
verify programs like below:
struct ctx { u32 i; };
int cb(u32 idx, struct ctx* ctx)
{
++ctx->i;
return 0;
}
...
struct ctx ctx = { .i = 0 };
bpf_loop(100, cb, &ctx, 0);
...
Acked-by: Andrii Nakryiko <andrii@xxxxxxxxxx>
Signed-off-by: Eduard Zingerman <eddyz87@xxxxxxxxx>
Link: https://lore.kernel.org/r/20231121020701.26440-9-eddyz87@xxxxxxxxx
Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
kernel/bpf/verifier.c | 24 ++++++++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -9595,9 +9595,10 @@ static bool in_rbtree_lock_required_cb(s
static int prepare_func_exit(struct bpf_verifier_env *env, int *insn_idx)
{
- struct bpf_verifier_state *state = env->cur_state;
+ struct bpf_verifier_state *state = env->cur_state, *prev_st;
struct bpf_func_state *caller, *callee;
struct bpf_reg_state *r0;
+ bool in_callback_fn;
int err;
callee = state->frame[state->curframe];
@@ -9659,7 +9660,8 @@ static int prepare_func_exit(struct bpf_
* there function call logic would reschedule callback visit. If iteration
* converges is_state_visited() would prune that visit eventually.
*/
- if (callee->in_callback_fn)
+ in_callback_fn = callee->in_callback_fn;
+ if (in_callback_fn)
*insn_idx = callee->callsite;
else
*insn_idx = callee->callsite + 1;
@@ -9673,6 +9675,24 @@ static int prepare_func_exit(struct bpf_
/* clear everything in the callee */
free_func_state(callee);
state->frame[state->curframe--] = NULL;
+
+ /* for callbacks widen imprecise scalars to make programs like below verify:
+ *
+ * struct ctx { int i; }
+ * void cb(int idx, struct ctx *ctx) { ctx->i++; ... }
+ * ...
+ * struct ctx = { .i = 0; }
+ * bpf_loop(100, cb, &ctx, 0);
+ *
+ * This is similar to what is done in process_iter_next_call() for open
+ * coded iterators.
+ */
+ prev_st = in_callback_fn ? find_prev_entry(env, state, *insn_idx) : NULL;
+ if (prev_st) {
+ err = widen_imprecise_scalars(env, prev_st, state);
+ if (err)
+ return err;
+ }
return 0;
}
Patches currently in stable-queue which might be from eddyz87@xxxxxxxxx are
queue-6.6/bpf-move-explored_state-closer-to-the-beginning-of-verifier.c.patch
queue-6.6/bpf-verify-callbacks-as-if-they-are-called-unknown-number-of-times.patch
queue-6.6/selftests-bpf-test-widening-for-iterating-callbacks.patch
queue-6.6/bpf-keep-track-of-max-number-of-bpf_loop-callback-iterations.patch
queue-6.6/bpf-extract-setup_func_entry-utility-function.patch
queue-6.6/selftests-bpf-tests-with-delayed-read-precision-makrs-in-loop-body.patch
queue-6.6/selftests-bpf-track-string-payload-offset-as-scalar-in-strobemeta.patch
queue-6.6/bpf-print-full-verifier-states-on-infinite-loop-detection.patch
queue-6.6/selftests-bpf-track-tcp-payload-offset-as-scalar-in-xdp_synproxy.patch
queue-6.6/bpf-extract-__check_reg_arg-utility-function.patch
queue-6.6/bpf-extract-same_callsites-as-utility-function.patch
queue-6.6/bpf-widening-for-callback-iterators.patch
queue-6.6/selftests-bpf-test-if-state-loops-are-detected-in-a-tricky-case.patch
queue-6.6/bpf-correct-loop-detection-for-iterators-convergence.patch
queue-6.6/selftests-bpf-tests-for-iterating-callbacks.patch
queue-6.6/bpf-exact-states-comparison-for-iterator-convergence-checks.patch
queue-6.6/selftests-bpf-check-if-max-number-of-bpf_loop-iterations-is-tracked.patch
