From patchwork Mon Oct 30 13:21:41 2023
X-Patchwork-Submitter: Shung-Hsi Yu
X-Patchwork-Id: 13440572
X-Patchwork-Delegate: bpf@iogearbox.net
From: Shung-Hsi Yu
To: bpf@vger.kernel.org
Cc: Shung-Hsi Yu, Daniel Borkmann, Andrii Nakryiko, Alexei Starovoitov, Toke Høiland-Jørgensen, John Fastabend, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Eduard Zingerman, stable@vger.kernel.org, Mohamed Mahmoud, Tao Lyu
Subject: [RFC bpf 1/2] bpf: Fix precision tracking for BPF_ALU | BPF_TO_BE | BPF_END
Date: Mon, 30 Oct 2023 21:21:41 +0800
Message-ID: <20231030132145.20867-2-shung-hsi.yu@suse.com>
In-Reply-To: <20231030132145.20867-1-shung-hsi.yu@suse.com>
References: <20231030132145.20867-1-shung-hsi.yu@suse.com>
X-Patchwork-State: RFC

BPF_END and BPF_NEG have a different specification for the source bit in the opcode compared to other ALU/ALU64 instructions, and is either reserved or used to specify the byte swap endianness. In both cases the source bit does not encode source operand location, and src_reg is a reserved field.

backtrack_insn() currently does not differentiate BPF_END and BPF_NEG from other ALU/ALU64 instructions, which leads to r0 being incorrectly marked as precise when processing BPF_ALU | BPF_TO_BE | BPF_END instructions. This commit teaches backtrack_insn() to correctly mark precision for such cases.

While precise tracking of BPF_NEG and other BPF_END instructions is correct and does not need fixing because their source bits are unset and thus treated as the BPF_K case, this commit opts to process all BPF_NEG and BPF_END instructions within the same if-clause so it better aligns with current convention used in the verifier (e.g. check_alu_op).

Fixes: b5dc0163d8fd ("bpf: precise scalar_value tracking")
Cc: stable@vger.kernel.org
Reported-by: Mohamed Mahmoud
Tested-by: Toke Høiland-Jørgensen
Tested-by: Tao Lyu
Signed-off-by: Shung-Hsi Yu Acked-by: Eduard Zingerman --- kernel/bpf/verifier.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 873ade146f3d..646dc49263fd 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -3426,7 +3426,12 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx, if (class == BPF_ALU || class == BPF_ALU64) { if (!bt_is_reg_set(bt, dreg)) return 0; - if (opcode == BPF_MOV) { + if (opcode == BPF_END || opcode == BPF_NEG) { + /* sreg is reserved and unused + * dreg still need precision before this insn + */ + return 0; + } else if (opcode == BPF_MOV) { if (BPF_SRC(insn->code) == BPF_X) { /* dreg = sreg or dreg = (s8, s16, s32)sreg * dreg needs precision after this insn
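Review bot: the comment in the new "opcode == BPF_END || opcode == BPF_NEG" branch says "dreg still need precision before this insn"; that should read "needs", and the comment would be more useful if it recorded why this test has to come ahead of the BPF_MOV branch. Per the commit message, only BPF_TO_BE sets the source bit, so without this early test the instruction is handled as if the bit selected a register operand and the reserved src_reg (r0) gets marked. A short line to that effect would keep a later cleanup from reordering or dropping the check. The branch also returns directly instead of continuing down the if/else chain; please confirm that nothing after the chain in this block needs to run for these two opcodes.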
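The opcode overlap described in the commit message, as an added example that is not code from the patch or from the kernel: BPF_TO_BE occupies the same bit as BPF_X, so a backtracking step that does not special-case BPF_END reads the reserved src_reg (0) as a source register. The function backtrack_alu(), its bitmask state and the "fixed" switch are hypothetical simplifications, and the handling of non-MOV ALU instructions with BPF_X is an assumption about code outside the hunk shown.

```c
#include <stdint.h>
#include <stdio.h>

/* Opcode encoding constants from the BPF uapi headers */
#define BPF_OP(code)  ((code) & 0xf0)
#define BPF_SRC(code) ((code) & 0x08)
#define BPF_ALU   0x04
#define BPF_ALU64 0x07
#define BPF_ADD   0x00
#define BPF_NEG   0x80
#define BPF_MOV   0xb0
#define BPF_END   0xd0
#define BPF_K     0x00
#define BPF_X     0x08
#define BPF_TO_LE 0x00
#define BPF_TO_BE 0x08 /* same bit as BPF_X */

/* Simplified model (assumption): "mask" has bit N set when rN needs
 * precision; one ALU insn is walked backwards. fixed != 0 applies the
 * BPF_END/BPF_NEG test that the patch adds.
 */
static uint32_t backtrack_alu(uint8_t code, int dreg, int sreg,
                              uint32_t mask, int fixed)
{
    uint8_t op = BPF_OP(code);

    if (!(mask & (1u << dreg)))
        return mask;               /* dreg not tracked: nothing to do */
    if (fixed && (op == BPF_END || op == BPF_NEG))
        return mask;               /* sreg reserved; dreg stays tracked */
    if (op == BPF_MOV) {
        mask &= ~(1u << dreg);     /* dreg = sreg or dreg = imm */
        if (BPF_SRC(code) == BPF_X)
            mask |= 1u << sreg;
    } else if (BPF_SRC(code) == BPF_X) {
        mask |= 1u << sreg;        /* dreg op= sreg: both are needed */
    }
    return mask;
}

int main(void)
{
    /* Constructed sample: byte swap of r2 to big endian, src_reg = 0 */
    uint8_t be = BPF_ALU | BPF_TO_BE | BPF_END;

    printf("without check: 0x%x\n", (unsigned)backtrack_alu(be, 2, 0, 1u << 2, 0));
    printf("with check:    0x%x\n", (unsigned)backtrack_alu(be, 2, 0, 1u << 2, 1));
    return 0;
}
```

Without the check the mask gains bit 0 (r0) in addition to r2; BPF_TO_LE and BPF_NEG give the same result either way because their source bit is clear.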