From: Emil Tsalapatis <emil@etsalapatis.com>
To: bpf@vger.kernel.org
Cc: andrii@kernel.org, ast@kernel.org, daniel@iogearbox.net,
	eddyz87@gmail.com, martin.lau@kernel.org, memxor@gmail.com,
	song@kernel.org, yonghong.song@linux.dev,
	Emil Tsalapatis <emil@etsalapatis.com>
Subject: [PATCH bpf-next v5 3/5] bpf: extract check_subprogram_return_code() for clarity
Date: Fri, 27 Feb 2026 10:46:14 -0500	[thread overview]
Message-ID: <20260227154616.6846-4-emil@etsalapatis.com> (raw)
In-Reply-To: <20260227154616.6846-1-emil@etsalapatis.com>

From: Eduard Zingerman <eddyz87@gmail.com>

Both main progs and subprogs use the same function in the verifier,
check_return_code, to verify the type and value range of the register
being returned. However, subprogs only need a subset of the logic in
check_return_code. This also goes the other way: check_return_code
explicitly checks whether it is handling a subprogram in multiple places,
complicating the logic. Split the handling of the two into separate functions.

Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
---
 kernel/bpf/verifier.c | 65 ++++++++++++++++++++++++++++++-------------
 1 file changed, 45 insertions(+), 20 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 9b49f1a6e8dc..fb4d14516043 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -17979,19 +17979,15 @@ static int check_return_code(struct bpf_verifier_env *env, int regno, const char
 	struct bpf_reg_state *reg = reg_state(env, regno);
 	struct bpf_retval_range range = retval_range(0, 1);
 	enum bpf_prog_type prog_type = resolve_prog_type(env->prog);
-	int ret, err;
 	struct bpf_func_state *frame = env->cur_state->frame[0];
-	const bool is_subprog = frame->subprogno;
-	bool return_32bit = false;
 	const struct btf_type *reg_type, *ret_type = NULL;
+	int ret, err;
 
 	/* LSM and struct_ops func-ptr's return type could be "void" */
-	if (!is_subprog || frame->in_exception_callback_fn) {
-		if (program_returns_void(env))
-			return 0;
-	}
+	if (!frame->in_async_callback_fn && program_returns_void(env))
+		return 0;
 
-	if (!is_subprog && prog_type == BPF_PROG_TYPE_STRUCT_OPS) {
+	if (prog_type == BPF_PROG_TYPE_STRUCT_OPS) {
 		/* Allow a struct_ops program to return a referenced kptr if it
 		 * matches the operator's return type and is in its unmodified
 		 * form. A scalar zero (i.e., a null pointer) is also allowed.
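Review bot: Dropping `!is_subprog` from the struct_ops test (`if (prog_type == BPF_PROG_TYPE_STRUCT_OPS) {`) widens that branch to async and exception callbacks, which the new dispatcher in process_bpf_exit_full still routes to check_return_code with a non-zero subprogno. Before this patch those frames skipped the referenced-kptr path. The branch body is outside the hunk, so it should be checked whether a callback in a struct_ops program can now be accepted or rejected differently, since the commit message describes only an extraction. If the old behaviour is wanted for async callbacks, mirror the guard used just above: `if (!frame->in_async_callback_fn && prog_type == BPF_PROG_TYPE_STRUCT_OPS) {`. Otherwise, say in the commit message that the change is intentional.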
@@ -18025,15 +18021,6 @@ static int check_return_code(struct bpf_verifier_env *env, int regno, const char
 		goto enforce_retval;
 	}
 
-	if (is_subprog && !frame->in_exception_callback_fn) {
-		if (reg->type != SCALAR_VALUE) {
-			verbose(env, "At subprogram exit the register R%d is not a scalar value (%s)\n",
-				regno, reg_type_str(env, reg->type));
-			return -EINVAL;
-		}
-		return 0;
-	}
-
 	if (prog_type == BPF_PROG_TYPE_STRUCT_OPS && !ret_type)
 		return 0;
 
@@ -18056,8 +18043,7 @@ static int check_return_code(struct bpf_verifier_env *env, int regno, const char
 
 	if (!retval_range_within(range, reg)) {
 		verbose_invalid_scalar(env, reg, range, exit_ctx, reg_name);
-		if (!is_subprog &&
-		    prog->expected_attach_type == BPF_LSM_CGROUP &&
+		if (prog->expected_attach_type == BPF_LSM_CGROUP &&
 		    prog_type == BPF_PROG_TYPE_LSM &&
 		    !prog->aux->attach_func_proto->type)
 			verbose(env, "Note, BPF_LSM_CGROUP that attach to void LSM hooks can't modify return value!\n");
@@ -18070,6 +18056,29 @@ static int check_return_code(struct bpf_verifier_env *env, int regno, const char
 	return 0;
 }
 
+static int check_subprogram_return_code(struct bpf_verifier_env *env)
+{
+	struct bpf_reg_state *reg = reg_state(env, BPF_REG_0);
+	int err;
+
+	err = check_reg_arg(env, BPF_REG_0, SRC_OP);
+	if (err)
+		return err;
+
+	if (is_pointer_value(env, BPF_REG_0)) {
+		verbose(env, "R%d leaks addr as return value\n", BPF_REG_0);
+		return -EACCES;
+	}
+
+	if (reg->type != SCALAR_VALUE) {
+		verbose(env, "At subprogram exit the register R0 is not a scalar value (%s)\n",
+			reg_type_str(env, reg->type));
+		return -EINVAL;
+	}
+
+	return 0;
+}
+
 static void mark_subprog_changes_pkt_data(struct bpf_verifier_env *env, int off)
 {
 	struct bpf_subprog_info *subprog;
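Review bot: check_subprogram_return_code() has no comment saying which exits it covers, and it is easy to miss that no return-value range is enforced on this path. A short header would help, e.g. `/* Exit from a regular global subprog: R0 must be readable, must not leak a pointer, and must be a scalar; no value range is enforced. */`. As a style point, the second message hard-codes `R0` while the first formats `R%d` with BPF_REG_0; use one form in both. The hunk's trailing context belongs to mark_subprog_changes_pkt_data, whose body continues outside the hunk.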
@@ -20865,6 +20874,8 @@ static int process_bpf_exit_full(struct bpf_verifier_env *env,
 				 bool *do_print_state,
 				 bool exception_exit)
 {
+	struct bpf_func_state *cur_frame = cur_func(env);
+
 	/* We must do check_reference_leak here before
 	 * prepare_func_exit to handle the case when
 	 * state->curframe > 0, it may be a callback function,
@@ -20898,7 +20909,21 @@ static int process_bpf_exit_full(struct bpf_verifier_env *env,
 		return 0;
 	}
 
-	err = check_return_code(env, BPF_REG_0, "R0");
+	/*
+	 * Return from a regular global subprogram differs from return
+	 * from the main program or async/exception callback.
+	 * Main program exit implies return code restrictions
+	 * that depend on program type.
+	 * Exit from exception callback is equivalent to main program exit.
+	 * Exit from async callback implies return code restrictions
+	 * that depend on async scheduling mechanism.
+	 */
+	if (cur_frame->subprogno &&
+	    !cur_frame->in_async_callback_fn &&
+	    !cur_frame->in_exception_callback_fn)
+		err = check_subprogram_return_code(env);
+	else
+		err = check_return_code(env, BPF_REG_0, "R0");
 	if (err)
 		return err;
 	return PROCESS_BPF_EXIT;
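Review bot: The dispatcher picks the checker from `cur_frame`, which is read with `cur_func(env)` at function entry, while check_return_code reads its flags from `env->cur_state->frame[0]`. The two agree only if this point is reached with curframe == 0, which the earlier `return 0;` suggests but the lines between the two hunks do not show. If the frames ever differed, an exit could be sent to the subprogram checker and skip the range enforcement that check_return_code applies. Make the invariant explicit by using the same expression in both places, e.g. `struct bpf_func_state *frame = env->cur_state->frame[0];` declared next to the `if`, or add a comment at the dispatch such as `/* curframe == 0 here, so cur_frame is frame[0] */`.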
-- 
2.49.0

