Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Merge branch 'bpf-reset-register-id-for-bpf_end-value-tracking'

Yazhou Tang says:

====================
bpf: Reset register ID for BPF_END value tracking

This patchset fixes a register's scalar ID issue for BPF_END operations
reported by Guillaume Laporte. Please see commit log of 1/2 for more details.

Changes v1 => v2:

1. Reset register ID inside scalar_byte_swap() conditionally. (Eduard)

v1: https://lore.kernel.org/bpf/20260303093956.395076-1-tangyazhou@zju.edu.cn/
====================

Link: https://patch.msgid.link/20260304083228.142016-1-tangyazhou@zju.edu.cn
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

+29
+7
kernel/bpf/verifier.c
··· 15910 15910 /* Apply bswap if alu64 or switch between big-endian and little-endian machines */ 15911 15911 bool need_bswap = alu64 || (to_le == is_big_endian); 15912 15912 15913 + /* 15914 + * If the register is mutated, manually reset its scalar ID to break 15915 + * any existing ties and avoid incorrect bounds propagation. 15916 + */ 15917 + if (need_bswap || insn->imm == 16 || insn->imm == 32) 15918 + dst_reg->id = 0; 15919 + 15913 15920 if (need_bswap) { 15914 15921 if (insn->imm == 16) 15915 15922 dst_reg->var_off = tnum_bswap16(dst_reg->var_off);
+22
tools/testing/selftests/bpf/progs/verifier_bswap.c
··· 91 91 BSWAP_RANGE_TEST(le64_range, "le64", 0x3f00, 0x3f000000000000) 92 92 #endif 93 93 94 + SEC("socket") 95 + __description("BSWAP, reset reg id") 96 + __failure __msg("math between fp pointer and register with unbounded min value is not allowed") 97 + __naked void bswap_reset_reg_id(void) 98 + { 99 + asm volatile (" \ 100 + call %[bpf_ktime_get_ns]; \ 101 + r1 = r0; \ 102 + r0 = be16 r0; \ 103 + if r0 != 1 goto l0_%=; \ 104 + r2 = r10; \ 105 + r2 += -512; \ 106 + r2 += r1; \ 107 + *(u8 *)(r2 + 0) = 0; \ 108 + l0_%=: \ 109 + r0 = 0; \ 110 + exit; \ 111 + " : 112 + : __imm(bpf_ktime_get_ns) 113 + : __clobber_all); 114 + } 115 + 94 116 #else 95 117 96 118 SEC("socket")
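Review bot: in the kernel/bpf/verifier.c hunk, the new comment says the ID is reset "if the register is mutated" but does not say why `insn->imm == 16 || insn->imm == 32` count as mutation when `need_bswap` is false. The condition implies that a 16- or 32-bit conversion still changes the value without a swap (truncation), so only the 64-bit conversion with no swap leaves the register untouched and keeps its ID. Suggest spelling that out in the comment so the check is not later simplified to `if (need_bswap)`, which would reopen the stale-ID case for the truncating forms.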
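Review bot: in the tools/testing/selftests/bpf/progs/verifier_bswap.c hunk, `bswap_reset_reg_id` only exercises `r0 = be16 r0`, so on any given host endianness it reaches one term of the new verifier condition (`need_bswap` or `insn->imm == 16`) and never the `insn->imm == 32` term. Suggest adding a 32-bit variant, plus a companion case for the 64-bit conversion that takes neither branch, to show the ID link between r0 and r1 is kept where the value is not changed. A short comment in the asm noting that `r1 = r0` is what ties the two registers together would also make the expected `__failure` message easier to follow.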