Re: [PATCH bpf-next v2] bpf: verifier: initialize imm in kfunc_tab in add_kfunc_call()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Puranjay Mohan <puranjay@kernel.org>
To: Eduard Zingerman <eddyz87@gmail.com>, bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
	Andrii Nakryiko <andrii@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Martin KaFai Lau <martin.lau@kernel.org>,
	Kumar Kartikeya Dwivedi <memxor@gmail.com>,
	kernel-team@meta.com
Subject: Re: [PATCH bpf-next v2] bpf: verifier: initialize imm in kfunc_tab in add_kfunc_call()
Date: Fri, 14 Nov 2025 11:32:44 +0000	[thread overview]
Message-ID: <mb61pv7jc4zoj.fsf@kernel.org> (raw)
In-Reply-To: <f3f7858c0a54c6eef670fe36f7cd15cc1f7dae16.camel@gmail.com>

Eduard Zingerman <eddyz87@gmail.com> writes:

> On Thu, 2025-11-13 at 10:40 +0000, Puranjay Mohan wrote:
>
> [...]
>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index 1268fa075d4c..31136f9c418b 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -3273,7 +3273,7 @@ static int add_kfunc_call(struct bpf_verifier_env *env, u32 func_id, s16 offset)
>>  	struct bpf_kfunc_desc *desc;
>>  	const char *func_name;
>>  	struct btf *desc_btf;
>> -	unsigned long addr;
>> +	unsigned long addr, call_imm;
>>  	int err;
>>  
>>  	prog_aux = env->prog->aux;
>> @@ -3369,8 +3369,20 @@ static int add_kfunc_call(struct bpf_verifier_env *env, u32 func_id, s16 offset)
>>  	if (err)
>>  		return err;
>>  
>> +	if (bpf_jit_supports_far_kfunc_call()) {
>> +		call_imm = func_id;
>> +	} else {
>> +		call_imm = BPF_CALL_IMM(addr);
>> +		/* Check whether the relative offset overflows desc->imm */
>> +		if ((unsigned long)(s32)call_imm != call_imm) {
>> +			verbose(env, "address of kernel func_id %u is out of range\n", func_id);
>> +			return -EINVAL;
>> +		}
>> +	}
>
> Instead of having this logic in two places, how about moving the
> desc->imm setup down to sort_kfunc_descs_by_imm_off()?
> I think it the only consumer of desc->imm in verifier.c.
> E.g. as in the diff attached.

This seems like the best way to move ahead with fixing this. I will send
v3 with your suggested diff.

>> +
>>  	desc = &tab->descs[tab->nr_descs++];
>>  	desc->func_id = func_id;
>> +	desc->imm = call_imm;
>>  	desc->offset = offset;
>>  	desc->addr = addr;
>>  	desc->func_model = func_model;
>> @@ -22353,17 +22365,15 @@ static int specialize_kfunc(struct bpf_verifier_env *env, struct bpf_kfunc_desc
>>  	}
>>  
>>  set_imm:
>> -	if (bpf_jit_supports_far_kfunc_call()) {
>> -		call_imm = func_id;
>> -	} else {
>> +	if (!bpf_jit_supports_far_kfunc_call()) {
>>  		call_imm = BPF_CALL_IMM(addr);
>>  		/* Check whether the relative offset overflows desc->imm */
>>  		if ((unsigned long)(s32)call_imm != call_imm) {
>>  			verbose(env, "address of kernel func_id %u is out of range\n", func_id);
>>  			return -EINVAL;
>>  		}
>> +		desc->imm = call_imm;
>>  	}
>> -	desc->imm = call_imm;
>>  	desc->addr = addr;
>>  	return 0;
>>  }
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 1268fa075d4c..7ffe526c34cb 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -3391,16 +3391,44 @@ static int kfunc_desc_cmp_by_imm_off(const void *a, const void *b)
>  	return 0;
>  }
>  
> -static void sort_kfunc_descs_by_imm_off(struct bpf_prog *prog)
> +static int set_kfunc_desc_imm(struct bpf_verifier_env *env, struct bpf_kfunc_desc *desc)
> +{
> +	unsigned long call_imm;
> +
> +	if (bpf_jit_supports_far_kfunc_call()) {
> +		call_imm = desc->func_id;
> +		return 0;
> +	} else {
> +		call_imm = BPF_CALL_IMM(desc->addr);
> +		/* Check whether the relative offset overflows desc->imm */
> +		if ((unsigned long)(s32)call_imm != call_imm) {
> +			verbose(env, "address of kernel func_id %u is out of range\n",
> +				desc->func_id);
> +			return -EINVAL;
> +		}
> +	}
> +	desc->imm = call_imm;
> +	return 0;
> +}
> +
> +static int sort_kfunc_descs_by_imm_off(struct bpf_verifier_env *env)
>  {
>  	struct bpf_kfunc_desc_tab *tab;
> +	int i, err;
>  
> -	tab = prog->aux->kfunc_tab;
> +	tab = env->prog->aux->kfunc_tab;
>  	if (!tab)
> -		return;
> +		return 0;
> +
> +	for (i = 0; i < tab->nr_descs; i++) {
> +		err = set_kfunc_desc_imm(env, &tab->descs[i]);
> +		if (err)
> +			return err;
> +	}
>  
>  	sort(tab->descs, tab->nr_descs, sizeof(tab->descs[0]),
>  	     kfunc_desc_cmp_by_imm_off, NULL);
> +	return 0;
>  }
>  
>  bool bpf_prog_has_kfunc_call(const struct bpf_prog *prog)
> @@ -22320,10 +22348,10 @@ static int specialize_kfunc(struct bpf_verifier_env *env, struct bpf_kfunc_desc
>  	bool is_rdonly;
>  	u32 func_id = desc->func_id;
>  	u16 offset = desc->offset;
> -	unsigned long addr = desc->addr, call_imm;
> +	unsigned long addr = desc->addr;
>  
>  	if (offset) /* return if module BTF is used */
> -		goto set_imm;
> +		return 0;
>  
>  	if (bpf_dev_bound_kfunc_id(func_id)) {
>  		xdp_kfunc = bpf_dev_bound_resolve_kfunc(prog, func_id);
> @@ -22351,19 +22379,6 @@ static int specialize_kfunc(struct bpf_verifier_env *env, struct bpf_kfunc_desc
>  		if (!env->insn_aux_data[insn_idx].non_sleepable)
>  			addr = (unsigned long)bpf_dynptr_from_file_sleepable;
>  	}
> -
> -set_imm:
> -	if (bpf_jit_supports_far_kfunc_call()) {
> -		call_imm = func_id;
> -	} else {
> -		call_imm = BPF_CALL_IMM(addr);
> -		/* Check whether the relative offset overflows desc->imm */
> -		if ((unsigned long)(s32)call_imm != call_imm) {
> -			verbose(env, "address of kernel func_id %u is out of range\n", func_id);
> -			return -EINVAL;
> -		}
> -	}
> -	desc->imm = call_imm;
>  	desc->addr = addr;
>  	return 0;
>  }
> @@ -23441,7 +23456,9 @@ static int do_misc_fixups(struct bpf_verifier_env *env)
>  		}
>  	}
>  
> -	sort_kfunc_descs_by_imm_off(env->prog);
> +	ret = sort_kfunc_descs_by_imm_off(env);
> +	if (ret)
> +		return ret;
>  
>  	return 0;
>  }

     prev parent reply	other threads:[~2025-11-14 11:32 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-13 10:40 [PATCH bpf-next v2] bpf: verifier: initialize imm in kfunc_tab in add_kfunc_call() Puranjay Mohan
2025-11-13 10:55 ` Kumar Kartikeya Dwivedi
2025-11-13 15:34 ` Mykyta Yatsenko
2025-11-13 19:57 ` Eduard Zingerman
2025-11-14 11:32   ` Puranjay Mohan [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=mb61pv7jc4zoj.fsf@kernel.org \
    --to=puranjay@kernel.org \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=eddyz87@gmail.com \
    --cc=kernel-team@meta.com \
    --cc=martin.lau@kernel.org \
    --cc=memxor@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.