[bpf,1/2] bpf: Fix may_goto with negative offset.

Message ID	20240619235355.85031-1-alexei.starovoitov@gmail.com (mailing list archive)
State	Accepted
Commit	635c7a3cb3bf81067a31e7b7ec404793d1667466
Delegated to:	BPF
Headers	show Received: from mail-pf1-f180.google.com (mail-pf1-f180.google.com [209.85.210.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8D0281E515 for <bpf@vger.kernel.org>; Wed, 19 Jun 2024 23:54:01 +0000 (UTC) From: Alexei Starovoitov <alexei.starovoitov@gmail.com> To: bpf@vger.kernel.org Cc: daniel@iogearbox.net, andrii@kernel.org, martin.lau@kernel.org, memxor@gmail.com, eddyz87@gmail.com, zacecob@protonmail.com, kernel-team@fb.com Subject: [PATCH bpf 1/2] bpf: Fix may_goto with negative offset. Date: Wed, 19 Jun 2024 16:53:54 -0700 Message-Id: <20240619235355.85031-1-alexei.starovoitov@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[bpf,1/2] bpf: Fix may_goto with negative offset. \| expand [bpf,1/2] bpf: Fix may_goto with negative offset. [bpf,2/2] selftests/bpf: Add tests for may_goto with negative offset.

Message ID

20240619235355.85031-1-alexei.starovoitov@gmail.com (mailing list archive)

State

Accepted

Commit

635c7a3cb3bf81067a31e7b7ec404793d1667466

Delegated to:

BPF

Headers

show

Received: from mail-pf1-f180.google.com (mail-pf1-f180.google.com
 [209.85.210.180])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8D0281E515
	for <bpf@vger.kernel.org>; Wed, 19 Jun 2024 23:54:01 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.210.180
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1718841242; cv=none;
 b=t44pFKHz9R3cakmABbwj1KN0vaitQg+nV4x2QiGkeWUQ3fhSWHOYNLwACQWag5m9J0EB9+x1/9T+OYJ+0eb+DVwaELUYoj8DLcr3pbpYlJyI/6HmpyepJRZbgZUnFYg8tqf6mHWOLQ7lJDbP+YdZW7NSDbVXmSCRpDeXZAMMlSE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1718841242; c=relaxed/simple;
	bh=uLPQp76Pr5CsySRpH4YOhG6wK1Cc8HlUu+B5miMpMlo=;
	h=From:To:Cc:Subject:Date:Message-Id:MIME-Version;
 b=tuUHMjJKUkcABUwo1mvppg602Xg5woqltDhbUiDVMhkStknb2FmHCgmBeSpYF8tHlDnffsIt4zS2QP+cgr/XrS4T1QRWxKqarDRiwfrCI40ZvRD3zYIbqQFdzeqW+4vIoA7PBFOUIhtSWH3BrgGcgGvx9/3yWWSmKThdjwceTXU=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=N5Wh1oTP; arc=none smtp.client-ip=209.85.210.180
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="N5Wh1oTP"
Received: by mail-pf1-f180.google.com with SMTP id
 d2e1a72fcca58-705fff50de2so242132b3a.1
        for <bpf@vger.kernel.org>; Wed, 19 Jun 2024 16:54:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1718841240; x=1719446040;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=qk+dEawLpaZatOnQPDUSem7ShPDKFJJ3iJ+3pIhW5dQ=;
        b=N5Wh1oTPMrTI7QKD9JsJopFfz9CHGtHILSoXk6AMmBReDyVhKjHNMsa8csTFQPWHSL
         ZsZL98+LwkMmotT9BcErzvxNhHZ/6yucxiAMahuSiOBYwZ6W2kflonctLkItbuq/jFtt
         8u9I8Puh8gRufzfp7d+FuUEj921XYVLIvQaRdRn/ayLvGG0cSAW2VRLLSiq3sfy7Z6/l
         tuA9Yu8huQ2+Yx2hiZb2Rt1Bks4e/TzsM37StlV1eUyQKIDfcMX/S/7uKXyl9bGcu/TO
         Wvgct3TDf8Mr6M0pVE33F52D1kn8Fz8wNnwMgnxhr2UiyrWmJYI94txQBL3p5fF6F+5r
         Lfhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1718841240; x=1719446040;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=qk+dEawLpaZatOnQPDUSem7ShPDKFJJ3iJ+3pIhW5dQ=;
        b=awGClQ4kzfg+qUVUSpGuXPTZoiCEJ0F0TwzkktpJ8XU5mg+9Ua0dHPuusxWumguUFJ
         PsgLRJ5tU1iDtwrG+YEM0NLnY1yG4EZdw2Wod3WoS8ZdW6s7SQKiZTp/d3JY58sLs4fN
         aJzfte14nonherCK76DyoqKluMekcMuKeVUk3I7SF/YTFDPFbwuKF8VL4xZX2dlhF/0W
         y0y9bsnXlAxzRWO5lgGB+uSO1TPFT5Eh359pta+IwYSRac9GdYws1r/I/KNlpJSGuQeR
         eNzzVdjGzSDE9Y9Uh5vvFsb7vC4WjPVIkf3CqUhPWPk62K9JqlzWK6fSlhqmYBi4mw8w
         B2Tg==
X-Gm-Message-State: AOJu0YyNrgkRQuXFLV/sdX/66qaYfgaa++Bft2tE9hIfeHWZ8BY2LuQi
	D3dKKURrv6dhX+iw4G+rr+hR+ojSyXlM7AgpSqiqgUoIsAqmD6MKLivc5A==
X-Google-Smtp-Source: 
 AGHT+IE3LBGlItbo8jzAsUDk3DeMnJzgVvqLR440eRPwWY+GdgWskzdIKq3Zsh8U8JtZQMY2OIbCpw==
X-Received: by 2002:a05:6a00:d0:b0:6f6:76c8:122c with SMTP id
 d2e1a72fcca58-706290a2d5cmr5005155b3a.16.1718841239796;
        Wed, 19 Jun 2024 16:53:59 -0700 (PDT)
Received: from localhost.localdomain ([2620:10d:c090:400::5:7a04])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-705ccb92b47sm11205376b3a.214.2024.06.19.16.53.58
        (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256);
        Wed, 19 Jun 2024 16:53:59 -0700 (PDT)
From: Alexei Starovoitov <alexei.starovoitov@gmail.com>
To: bpf@vger.kernel.org
Cc: daniel@iogearbox.net,
	andrii@kernel.org,
	martin.lau@kernel.org,
	memxor@gmail.com,
	eddyz87@gmail.com,
	zacecob@protonmail.com,
	kernel-team@fb.com
Subject: [PATCH bpf 1/2] bpf: Fix may_goto with negative offset.
Date: Wed, 19 Jun 2024 16:53:54 -0700
Message-Id: <20240619235355.85031-1-alexei.starovoitov@gmail.com>
X-Mailer: git-send-email 2.39.3 (Apple Git-146)
Precedence: bulk
X-Mailing-List: bpf@vger.kernel.org
List-Id: <bpf.vger.kernel.org>
List-Subscribe: <mailto:bpf+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:bpf+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Delegate: bpf@iogearbox.net

Series

[bpf,1/2] bpf: Fix may_goto with negative offset. | expand

Context	Check	Description
bpf/vmtest-bpf-PR	success	PR summary
netdev/series_format	success	Single patches do not need cover letters
netdev/tree_selection	success	Clearly marked for bpf
netdev/ynl	success	Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present	success	Fixes tag present in non-next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	fail	Errors and warnings before: 45 this patch: 45
netdev/build_tools	success	No tools touched, skip
netdev/cc_maintainers	fail	1 blamed authors not CCed: john.fastabend@gmail.com; 8 maintainers not CCed: jolsa@kernel.org john.fastabend@gmail.com haoluo@google.com song@kernel.org martin.lau@linux.dev yonghong.song@linux.dev kpsingh@kernel.org sdf@fomichev.me
netdev/build_clang	fail	Errors and warnings before: 36 this patch: 36
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	fail	Errors and warnings before: 55 this patch: 55
netdev/checkpatch	warning	WARNING: line length of 86 exceeds 80 columns WARNING: line length of 87 exceeds 80 columns WARNING: line length of 97 exceeds 80 columns
netdev/build_clang_rust	success	No Rust files in patch. Skipping build
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0
bpf/vmtest-bpf-VM_Test-0	success	Logs for Lint
bpf/vmtest-bpf-VM_Test-1	success	Logs for ShellCheck
bpf/vmtest-bpf-VM_Test-2	success	Logs for Unittests
bpf/vmtest-bpf-VM_Test-3	success	Logs for Validate matrix.py
bpf/vmtest-bpf-VM_Test-5	success	Logs for aarch64-gcc / build-release
bpf/vmtest-bpf-VM_Test-23	success	Logs for x86_64-llvm-18 / build-release / build for x86_64 with llvm-18-O2
bpf/vmtest-bpf-VM_Test-6	success	Logs for aarch64-gcc / test (test_maps, false, 360) / test_maps on aarch64 with gcc
bpf/vmtest-bpf-VM_Test-4	success	Logs for aarch64-gcc / build / build for aarch64 with gcc
bpf/vmtest-bpf-VM_Test-9	success	Logs for aarch64-gcc / test (test_verifier, false, 360) / test_verifier on aarch64 with gcc
bpf/vmtest-bpf-VM_Test-10	success	Logs for aarch64-gcc / veristat
bpf/vmtest-bpf-VM_Test-11	success	Logs for s390x-gcc / build / build for s390x with gcc
bpf/vmtest-bpf-VM_Test-12	success	Logs for s390x-gcc / build-release
bpf/vmtest-bpf-VM_Test-16	success	Logs for s390x-gcc / test (test_verifier, false, 360) / test_verifier on s390x with gcc
bpf/vmtest-bpf-VM_Test-19	success	Logs for x86_64-gcc / build / build for x86_64 with gcc
bpf/vmtest-bpf-VM_Test-18	success	Logs for set-matrix
bpf/vmtest-bpf-VM_Test-17	success	Logs for s390x-gcc / veristat
bpf/vmtest-bpf-VM_Test-20	success	Logs for x86_64-gcc / build-release
bpf/vmtest-bpf-VM_Test-21	success	Logs for x86_64-gcc / test (test_maps, false, 360) / test_maps on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-22	success	Logs for x86_64-gcc / test (test_progs, false, 360) / test_progs on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-24	success	Logs for x86_64-gcc / test (test_progs_no_alu32_parallel, true, 30) / test_progs_no_alu32_parallel on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-25	success	Logs for x86_64-gcc / test (test_progs_parallel, true, 30) / test_progs_parallel on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-26	success	Logs for x86_64-gcc / test (test_verifier, false, 360) / test_verifier on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-27	success	Logs for x86_64-gcc / veristat / veristat on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-28	success	Logs for x86_64-llvm-17 / build / build for x86_64 with llvm-17
bpf/vmtest-bpf-VM_Test-30	success	Logs for x86_64-llvm-17 / test (test_maps, false, 360) / test_maps on x86_64 with llvm-17
bpf/vmtest-bpf-VM_Test-31	success	Logs for x86_64-llvm-17 / test (test_progs, false, 360) / test_progs on x86_64 with llvm-17
bpf/vmtest-bpf-VM_Test-29	success	Logs for x86_64-llvm-17 / build-release / build for x86_64 with llvm-17-O2
bpf/vmtest-bpf-VM_Test-32	success	Logs for x86_64-llvm-17 / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with llvm-17
bpf/vmtest-bpf-VM_Test-35	success	Logs for x86_64-llvm-18 / build / build for x86_64 with llvm-18
bpf/vmtest-bpf-VM_Test-34	success	Logs for x86_64-llvm-17 / veristat
bpf/vmtest-bpf-VM_Test-33	success	Logs for x86_64-llvm-17 / test (test_verifier, false, 360) / test_verifier on x86_64 with llvm-17
bpf/vmtest-bpf-VM_Test-37	success	Logs for x86_64-llvm-18 / test (test_maps, false, 360) / test_maps on x86_64 with llvm-18
bpf/vmtest-bpf-VM_Test-36	success	Logs for x86_64-llvm-18 / build-release / build for x86_64 with llvm-18-O2
bpf/vmtest-bpf-VM_Test-38	fail	Logs for x86_64-llvm-18 / test (test_progs, false, 360) / test_progs on x86_64 with llvm-18
bpf/vmtest-bpf-VM_Test-39	success	Logs for x86_64-llvm-18 / test (test_progs_cpuv4, false, 360) / test_progs_cpuv4 on x86_64 with llvm-18
bpf/vmtest-bpf-VM_Test-40	success	Logs for x86_64-llvm-18 / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with llvm-18
bpf/vmtest-bpf-VM_Test-41	success	Logs for x86_64-llvm-18 / test (test_verifier, false, 360) / test_verifier on x86_64 with llvm-18
bpf/vmtest-bpf-VM_Test-42	success	Logs for x86_64-llvm-18 / veristat
bpf/vmtest-bpf-VM_Test-7	success	Logs for aarch64-gcc / test (test_progs, false, 360) / test_progs on aarch64 with gcc
bpf/vmtest-bpf-VM_Test-8	success	Logs for aarch64-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on aarch64 with gcc
bpf/vmtest-bpf-VM_Test-13	success	Logs for s390x-gcc / test (test_maps, false, 360) / test_maps on s390x with gcc
bpf/vmtest-bpf-VM_Test-15	success	Logs for s390x-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on s390x with gcc
bpf/vmtest-bpf-VM_Test-14	success	Logs for s390x-gcc / test (test_progs, false, 360) / test_progs on s390x with gcc

Context

Check

Description

bpf/vmtest-bpf-PR

success

PR summary

netdev/series_format

success

Single patches do not need cover letters

netdev/tree_selection

success

Clearly marked for bpf

netdev/ynl

success

Generated files up to date; no warnings/errors; no diff in generated;

netdev/fixes_present

success

Fixes tag present in non-next series

netdev/header_inline

success

No static functions without inline keyword in header files

netdev/build_32bit

fail

Errors and warnings before: 45 this patch: 45

netdev/build_tools

success

No tools touched, skip

netdev/cc_maintainers

fail

1 blamed authors not CCed: john.fastabend@gmail.com; 8 maintainers not CCed: jolsa@kernel.org john.fastabend@gmail.com haoluo@google.com song@kernel.org martin.lau@linux.dev yonghong.song@linux.dev kpsingh@kernel.org sdf@fomichev.me

netdev/build_clang

fail

Errors and warnings before: 36 this patch: 36

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/deprecated_api

success

None detected

netdev/check_selftest

success

No net selftest shell script

netdev/verify_fixes

success

Fixes tag looks correct

netdev/build_allmodconfig_warn

fail

Errors and warnings before: 55 this patch: 55

netdev/checkpatch

warning

WARNING: line length of 86 exceeds 80 columns WARNING: line length of 87 exceeds 80 columns WARNING: line length of 97 exceeds 80 columns

netdev/build_clang_rust

success

No Rust files in patch. Skipping build

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/source_inline

success

Was 0 now: 0

bpf/vmtest-bpf-VM_Test-0

success

Logs for Lint

bpf/vmtest-bpf-VM_Test-1

success

Logs for ShellCheck

bpf/vmtest-bpf-VM_Test-2

success

Logs for Unittests

bpf/vmtest-bpf-VM_Test-3

success

Logs for Validate matrix.py

bpf/vmtest-bpf-VM_Test-5

success

Logs for aarch64-gcc / build-release

bpf/vmtest-bpf-VM_Test-23

success

Logs for x86_64-llvm-18 / build-release / build for x86_64 with llvm-18-O2

bpf/vmtest-bpf-VM_Test-6

success

Logs for aarch64-gcc / test (test_maps, false, 360) / test_maps on aarch64 with gcc

bpf/vmtest-bpf-VM_Test-4

success

Logs for aarch64-gcc / build / build for aarch64 with gcc

bpf/vmtest-bpf-VM_Test-9

success

Logs for aarch64-gcc / test (test_verifier, false, 360) / test_verifier on aarch64 with gcc

bpf/vmtest-bpf-VM_Test-10

success

Logs for aarch64-gcc / veristat

bpf/vmtest-bpf-VM_Test-11

success

Logs for s390x-gcc / build / build for s390x with gcc

bpf/vmtest-bpf-VM_Test-12

success

Logs for s390x-gcc / build-release

bpf/vmtest-bpf-VM_Test-16

success

Logs for s390x-gcc / test (test_verifier, false, 360) / test_verifier on s390x with gcc

bpf/vmtest-bpf-VM_Test-19

success

Logs for x86_64-gcc / build / build for x86_64 with gcc

bpf/vmtest-bpf-VM_Test-18

success

Logs for set-matrix

bpf/vmtest-bpf-VM_Test-17

success

Logs for s390x-gcc / veristat

bpf/vmtest-bpf-VM_Test-20

success

Logs for x86_64-gcc / build-release

bpf/vmtest-bpf-VM_Test-21

success

Logs for x86_64-gcc / test (test_maps, false, 360) / test_maps on x86_64 with gcc

bpf/vmtest-bpf-VM_Test-22

success

Logs for x86_64-gcc / test (test_progs, false, 360) / test_progs on x86_64 with gcc

bpf/vmtest-bpf-VM_Test-24

success

Logs for x86_64-gcc / test (test_progs_no_alu32_parallel, true, 30) / test_progs_no_alu32_parallel on x86_64 with gcc

bpf/vmtest-bpf-VM_Test-25

success

Logs for x86_64-gcc / test (test_progs_parallel, true, 30) / test_progs_parallel on x86_64 with gcc

bpf/vmtest-bpf-VM_Test-26

success

Logs for x86_64-gcc / test (test_verifier, false, 360) / test_verifier on x86_64 with gcc

bpf/vmtest-bpf-VM_Test-27

success

Logs for x86_64-gcc / veristat / veristat on x86_64 with gcc

bpf/vmtest-bpf-VM_Test-28

success

Logs for x86_64-llvm-17 / build / build for x86_64 with llvm-17

bpf/vmtest-bpf-VM_Test-30

success

Logs for x86_64-llvm-17 / test (test_maps, false, 360) / test_maps on x86_64 with llvm-17

bpf/vmtest-bpf-VM_Test-31

success

Logs for x86_64-llvm-17 / test (test_progs, false, 360) / test_progs on x86_64 with llvm-17

bpf/vmtest-bpf-VM_Test-29

success

Logs for x86_64-llvm-17 / build-release / build for x86_64 with llvm-17-O2

bpf/vmtest-bpf-VM_Test-32

success

Logs for x86_64-llvm-17 / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with llvm-17

bpf/vmtest-bpf-VM_Test-35

success

Logs for x86_64-llvm-18 / build / build for x86_64 with llvm-18

bpf/vmtest-bpf-VM_Test-34

success

Logs for x86_64-llvm-17 / veristat

bpf/vmtest-bpf-VM_Test-33

success

Logs for x86_64-llvm-17 / test (test_verifier, false, 360) / test_verifier on x86_64 with llvm-17

bpf/vmtest-bpf-VM_Test-37

success

Logs for x86_64-llvm-18 / test (test_maps, false, 360) / test_maps on x86_64 with llvm-18

bpf/vmtest-bpf-VM_Test-36

success

Logs for x86_64-llvm-18 / build-release / build for x86_64 with llvm-18-O2

bpf/vmtest-bpf-VM_Test-38

fail

Logs for x86_64-llvm-18 / test (test_progs, false, 360) / test_progs on x86_64 with llvm-18

bpf/vmtest-bpf-VM_Test-39

success

Logs for x86_64-llvm-18 / test (test_progs_cpuv4, false, 360) / test_progs_cpuv4 on x86_64 with llvm-18

bpf/vmtest-bpf-VM_Test-40

success

Logs for x86_64-llvm-18 / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with llvm-18

bpf/vmtest-bpf-VM_Test-41

success

Logs for x86_64-llvm-18 / test (test_verifier, false, 360) / test_verifier on x86_64 with llvm-18

bpf/vmtest-bpf-VM_Test-42

success

Logs for x86_64-llvm-18 / veristat

bpf/vmtest-bpf-VM_Test-7

success

Logs for aarch64-gcc / test (test_progs, false, 360) / test_progs on aarch64 with gcc

bpf/vmtest-bpf-VM_Test-8

success

Logs for aarch64-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on aarch64 with gcc

bpf/vmtest-bpf-VM_Test-13

success

Logs for s390x-gcc / test (test_maps, false, 360) / test_maps on s390x with gcc

bpf/vmtest-bpf-VM_Test-15

success

Logs for s390x-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on s390x with gcc

bpf/vmtest-bpf-VM_Test-14

success

Logs for s390x-gcc / test (test_progs, false, 360) / test_progs on s390x with gcc

Commit Message

Alexei Starovoitov June 19, 2024, 11:53 p.m. UTC

From: Alexei Starovoitov <ast@kernel.org>

Zac's syzbot crafted a bpf prog that exposed two bugs in may_goto.
The 1st bug is the way may_goto is patched. When offset is negative
it should be patched differently.
The 2nd bug is in the verifier:
when current state may_goto_depth is equal to visited state may_goto_depth
it means there is an actual infinite loop. It's not correct to prune
exploration of the program at this point.
Note, that this check doesn't limit the program to only one may_goto insn,
since 2nd and any further may_goto will increment may_goto_depth only
in the queued state pushed for future exploration. The current state
will have may_goto_depth == 0 regardless of number of may_goto insns
and the verifier has to explore the program until bpf_exit.

Reported-by: Zac Ecob <zacecob@protonmail.com>
Closes: https://lore.kernel.org/bpf/CAADnVQL-15aNp04-cyHRn47Yv61NXfYyhopyZtUyxNojUZUXpA@mail.gmail.com/
Fixes: 011832b97b31 ("bpf: Introduce may_goto instruction")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
---
 kernel/bpf/verifier.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

Comments

Eduard Zingerman June 20, 2024, 1:04 p.m. UTC | #1

On Wed, 2024-06-19 at 16:53 -0700, Alexei Starovoitov wrote:
> From: Alexei Starovoitov <ast@kernel.org>
> 
> Zac's syzbot crafted a bpf prog that exposed two bugs in may_goto.
> The 1st bug is the way may_goto is patched. When offset is negative
> it should be patched differently.
> The 2nd bug is in the verifier:
> when current state may_goto_depth is equal to visited state may_goto_depth
> it means there is an actual infinite loop. It's not correct to prune
> exploration of the program at this point.
> Note, that this check doesn't limit the program to only one may_goto insn,
> since 2nd and any further may_goto will increment may_goto_depth only
> in the queued state pushed for future exploration. The current state
> will have may_goto_depth == 0 regardless of number of may_goto insns
> and the verifier has to explore the program until bpf_exit.
> 
> Reported-by: Zac Ecob <zacecob@protonmail.com>
> Closes: https://lore.kernel.org/bpf/CAADnVQL-15aNp04-cyHRn47Yv61NXfYyhopyZtUyxNojUZUXpA@mail.gmail.com/
> Fixes: 011832b97b31 ("bpf: Introduce may_goto instruction")
> Signed-off-by: Alexei Starovoitov <ast@kernel.org>
> ---

Took me a while to figure out why we don't need this for iterators.

Acked-by: Eduard Zingerman <eddyz87@gmail.com>

patchwork-bot+netdevbpf@kernel.org June 21, 2024, 9:30 p.m. UTC | #2

Hello:

This series was applied to bpf/bpf.git (master)
by Andrii Nakryiko <andrii@kernel.org>:

On Wed, 19 Jun 2024 16:53:54 -0700 you wrote:
> From: Alexei Starovoitov <ast@kernel.org>
> 
> Zac's syzbot crafted a bpf prog that exposed two bugs in may_goto.
> The 1st bug is the way may_goto is patched. When offset is negative
> it should be patched differently.
> The 2nd bug is in the verifier:
> when current state may_goto_depth is equal to visited state may_goto_depth
> it means there is an actual infinite loop. It's not correct to prune
> exploration of the program at this point.
> Note, that this check doesn't limit the program to only one may_goto insn,
> since 2nd and any further may_goto will increment may_goto_depth only
> in the queued state pushed for future exploration. The current state
> will have may_goto_depth == 0 regardless of number of may_goto insns
> and the verifier has to explore the program until bpf_exit.
> 
> [...]

Here is the summary with links:
  - [bpf,1/2] bpf: Fix may_goto with negative offset.
    https://git.kernel.org/bpf/bpf/c/635c7a3cb3bf
  - [bpf,2/2] selftests/bpf: Add tests for may_goto with negative offset.
    https://git.kernel.org/bpf/bpf/c/d3a2cbf6e4e5

You are awesome, thank you!

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 5586a571bf55..214a9fa8c6fb 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -17460,11 +17460,11 @@  static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
 				goto skip_inf_loop_check;
 			}
 			if (is_may_goto_insn_at(env, insn_idx)) {
-				if (states_equal(env, &sl->state, cur, RANGE_WITHIN)) {
+				if (sl->state.may_goto_depth != cur->may_goto_depth &&
+				    states_equal(env, &sl->state, cur, RANGE_WITHIN)) {
 					update_loop_entry(cur, &sl->state);
 					goto hit;
 				}
-				goto skip_inf_loop_check;
 			}
 			if (calls_callback(env, insn_idx)) {
 				if (states_equal(env, &sl->state, cur, RANGE_WITHIN))
@@ -20049,7 +20049,10 @@  static int do_misc_fixups(struct bpf_verifier_env *env)
 
 			stack_depth_extra = 8;
 			insn_buf[0] = BPF_LDX_MEM(BPF_DW, BPF_REG_AX, BPF_REG_10, stack_off);
-			insn_buf[1] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_AX, 0, insn->off + 2);
+			if (insn->off >= 0)
+				insn_buf[1] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_AX, 0, insn->off + 2);
+			else
+				insn_buf[1] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_AX, 0, insn->off - 1);
 			insn_buf[2] = BPF_ALU64_IMM(BPF_SUB, BPF_REG_AX, 1);
 			insn_buf[3] = BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_AX, stack_off);
 			cnt = 4;

[bpf,1/2] bpf: Fix may_goto with negative offset.

Checks

Commit Message

Comments

Patch