Re: bpf: allow bpf programs to tail-call other bpf programs

public inbox for kernel-janitors@vger.kernel.org
 help / color / mirror / Atom feed

From: Alexei Starovoitov <ast@plumgrid.com>
To: kernel-janitors@vger.kernel.org
Subject: Re: bpf: allow bpf programs to tail-call other bpf programs
Date: Tue, 26 May 2015 16:01:25 +0000	[thread overview]
Message-ID: <556498D5.9060207@plumgrid.com> (raw)
In-Reply-To: <20150523173328.GB31663@mwanda>

On 5/23/15 10:33 AM, Dan Carpenter wrote:
> Hello Alexei Starovoitov,
>
> This is a semi-automatic email about new static checker warnings.
>
> The patch 04fd61ab36ec: "bpf: allow bpf programs to tail-call other
> bpf programs" from May 19, 2015, leads to the following Smatch
> complaint:
>
> kernel/bpf/verifier.c:921 check_call()
> 	 error: we previously assumed 'map' could be null (see line 911)
>
> kernel/bpf/verifier.c
>     910	
>     911		if (map && map->map_type = BPF_MAP_TYPE_PROG_ARRAY &&
>                      ^^^
> Patch introduces a check for NULL.
>
>     912		    func_id != BPF_FUNC_tail_call)
>     913			/* prog_array map type needs extra care:
>     914			 * only allow to pass it into bpf_tail_call() for now.
>     915			 * bpf_map_delete_elem() can be allowed in the future,
>     916			 * while bpf_map_update_elem() must only be done via syscall
>     917			 */
>     918			return -EINVAL;
>     919	
>     920		if (func_id = BPF_FUNC_tail_call &&
>     921		    map->map_type != BPF_MAP_TYPE_PROG_ARRAY)
>                      ^^^^^^^^^^^^^
> New unchecked dereference.

that is false positive.
See that 'if (func_id = BPF_FUNC_tail_call ...)' is done before
map->map_type dereference.
tail_call_proto has:
.arg2_type = ARG_CONST_MAP_PTR
so call at line 869:
check_func_arg(env, BPF_REG_2, fn->arg2_type, &map);
will check that arg2 is map_ptr and will assign valid map pointer
into map variable.
So if line 920 is true, then line 869 was ok as well and map
pointer is valid. No need for extra check at line 921.

next prev parent reply	other threads:[~2015-05-26 16:01 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-05-23 17:33 bpf: allow bpf programs to tail-call other bpf programs Dan Carpenter
2015-05-26 16:01 ` Alexei Starovoitov [this message]
2015-05-26 16:16 ` Daniel Borkmann
2015-05-26 16:30 ` Alexei Starovoitov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=556498D5.9060207@plumgrid.com \
    --to=ast@plumgrid.com \
    --cc=kernel-janitors@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox