[PATCH bpf-next] bpf: remember meta->iter info only for initialized iters

[PATCH bpf-next] bpf: remember meta->iter info only for initialized iters

[Andrii Nakryiko]

For iter_new() functions iterator state's slot might not be yet
initialized, in which case iter_get_spi() will return -ERANGE. This is
expected and is handled properly. But for iter_next() and iter_destroy()
cases iter slot is supposed to be initialized and correct, so -ERANGE is
not possible.

Move meta->iter.{spi,frameno} initialization into iter_next/iter_destroy
handling branch to make it more explicit that valid information will be
remembered in meta->iter block for subsequent use in process_iter_next_call(),
avoiding confusingly looking -ERANGE assignment for meta->iter.spi.

Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
---
 kernel/bpf/verifier.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 50c995697f0e..b3d3db5058e4 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -6778,13 +6778,6 @@ static int process_iter_arg(struct bpf_verifier_env *env, int regno, int insn_id
 	t = btf_type_skip_modifiers(meta->btf, t->type, &btf_id);	/* STRUCT */
 	nr_slots = t->size / BPF_REG_SIZE;
 
-	spi = iter_get_spi(env, reg, nr_slots);
-	if (spi < 0 && spi != -ERANGE)
-		return spi;
-
-	meta->iter.spi = spi;
-	meta->iter.frameno = reg->frameno;
-
 	if (is_iter_new_kfunc(meta)) {
 		/* bpf_iter_<type>_new() expects pointer to uninit iter state */
 		if (!is_iter_reg_valid_uninit(env, reg, nr_slots)) {
@@ -6811,10 +6804,17 @@ static int process_iter_arg(struct bpf_verifier_env *env, int regno, int insn_id
 			return -EINVAL;
 		}
 
+		spi = iter_get_spi(env, reg, nr_slots);
+		if (spi < 0)
+			return spi;
+
 		err = mark_iter_read(env, reg, spi, nr_slots);
 		if (err)
 			return err;
 
+		/* remember meta->iter info for process_iter_next_call() */
+		meta->iter.spi = spi;
+		meta->iter.frameno = reg->frameno;
 		meta->ref_obj_id = iter_ref_obj_id(env, reg, spi);
 
 		if (is_iter_destroy_kfunc(meta)) {
-- 
2.34.1

Re: [PATCH bpf-next] bpf: remember meta->iter info only for initialized iters

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to bpf/bpf-next.git (master)
by Martin KaFai Lau <martin.lau@kernel.org>:

On Wed, 22 Mar 2023 16:25:02 -0700 you wrote:
> For iter_new() functions iterator state's slot might not be yet
> initialized, in which case iter_get_spi() will return -ERANGE. This is
> expected and is handled properly. But for iter_next() and iter_destroy()
> cases iter slot is supposed to be initialized and correct, so -ERANGE is
> not possible.
> 
> Move meta->iter.{spi,frameno} initialization into iter_next/iter_destroy
> handling branch to make it more explicit that valid information will be
> remembered in meta->iter block for subsequent use in process_iter_next_call(),
> avoiding confusingly looking -ERANGE assignment for meta->iter.spi.
> 
> [...]

Here is the summary with links:
  - [bpf-next] bpf: remember meta->iter info only for initialized iters
    https://git.kernel.org/bpf/bpf-next/c/b63cbc490e18

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html