Commit ab5cfac

eddyz87 authored and Alexei Starovoitov committed
bpf: verify callbacks as if they are called unknown number of times
Prior to this patch callbacks were handled as regular function calls,
execution of callback body was modeled exactly once.
This patch updates callbacks handling logic as follows:
- introduces a function push_callback_call() that schedules callback
  body verification in env->head stack;
- updates prepare_func_exit() to reschedule callback body verification
  upon BPF_EXIT;
- as calls to bpf_*_iter_next(), calls to callback invoking functions
  are marked as checkpoints;
- is_state_visited() is updated to stop callback based iteration when
  some identical parent state is found.

Paths with callback function invoked zero times are now verified first,
which leads to necessity to modify some selftests:
- the following negative tests required adding release/unlock/drop
  calls to avoid previously masked unrelated error reports:
  - cb_refs.c:underflow_prog
  - exceptions_fail.c:reject_rbtree_add_throw
  - exceptions_fail.c:reject_with_cp_reference
- the following precision tracking selftests needed change in expected
  log trace:
  - verifier_subprog_precision.c:callback_result_precise
    (note: r0 precision is no longer propagated inside callback and
    I think this is a correct behavior)
  - verifier_subprog_precision.c:parent_callee_saved_reg_precise_with_callback
  - verifier_subprog_precision.c:parent_stack_slot_precise_with_callback

Reported-by: Andrew Werner <[email protected]>
Closes: https://lore.kernel.org/bpf/CA+vRuzPChFNXmouzGG+wsy=6eMcfr1mFG0F3g7rbg-sedGKW3w@mail.gmail.com/
Acked-by: Andrii Nakryiko <[email protected]>
Signed-off-by: Eduard Zingerman <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Alexei Starovoitov <[email protected]>
1 parent 58124a9 commit ab5cfac

5 files changed, +240 -113 lines changed

include/linux/bpf_verifier.h

Lines changed: 5 additions & 0 deletions
@@ -400,6 +400,7 @@ struct bpf_verifier_state {
400400
struct bpf_idx_pair *jmp_history;
401401
u32 jmp_history_cnt;
402402
u32 dfs_depth;
403+
u32 callback_unroll_depth;
403404
};
404405

405406
#define bpf_get_spilled_reg(slot, frame, mask) \
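
Review bot: The new `u32 callback_unroll_depth;` member at the end of struct bpf_verifier_state has no comment, and the header alone does not say what it counts or what bounds it. A one-line comment giving the unit (for example, how many times a callback body has been rescheduled along the current path) and naming the code that increments and resets it would help here. If the field feeds the stop condition the commit message describes for is_state_visited(), the comment should also say so, so that a reader can check it is carried over wherever a verifier state is copied.
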
@@ -511,6 +512,10 @@ struct bpf_insn_aux_data {
511512
* this instruction, regardless of any heuristics
512513
*/
513514
bool force_checkpoint;
515+
/* true if instruction is a call to a helper function that
516+
* accepts callback function as a parameter.
517+
*/
518+
bool calls_callback;
514519
};
515520

516521
#define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */
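
Review bot: The comment on `bool calls_callback;` in struct bpf_insn_aux_data says "helper function", while the commit message speaks more broadly of "calls to callback invoking functions" being marked as checkpoints. If the flag is also set for other kinds of callback-taking calls, the comment should cover them rather than helpers only. It would also help to state the consequence of the flag next to its definition, since it sits directly under `force_checkpoint`: a sentence such as "such instructions are treated as checkpoints" makes the relationship between the two fields clear without reading verifier.c.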
