From: Daniel Borkmann <daniel@iogearbox.net>
To: kernel-janitors@vger.kernel.org
Subject: Re: bpf: allow bpf programs to tail-call other bpf programs
Date: Tue, 26 May 2015 16:16:30 +0000 [thread overview]
Message-ID: <55649C5E.4060605@iogearbox.net> (raw)
In-Reply-To: <20150523173328.GB31663@mwanda>
On 05/26/2015 06:01 PM, Alexei Starovoitov wrote:
> On 5/23/15 10:33 AM, Dan Carpenter wrote:
>> Hello Alexei Starovoitov,
>>
>> This is a semi-automatic email about new static checker warnings.
>>
>> The patch 04fd61ab36ec: "bpf: allow bpf programs to tail-call other
>> bpf programs" from May 19, 2015, leads to the following Smatch
>> complaint:
>>
>> kernel/bpf/verifier.c:921 check_call()
>> error: we previously assumed 'map' could be null (see line 911)
>>
>> kernel/bpf/verifier.c
>> 910
>> 911 if (map && map->map_type = BPF_MAP_TYPE_PROG_ARRAY &&
>> ^^^
>> Patch introduces a check for NULL.
>>
>> 912 func_id != BPF_FUNC_tail_call)
>> 913 /* prog_array map type needs extra care:
>> 914 * only allow to pass it into bpf_tail_call() for now.
>> 915 * bpf_map_delete_elem() can be allowed in the future,
>> 916 * while bpf_map_update_elem() must only be done via syscall
>> 917 */
>> 918 return -EINVAL;
>> 919
>> 920 if (func_id = BPF_FUNC_tail_call &&
>> 921 map->map_type != BPF_MAP_TYPE_PROG_ARRAY)
>> ^^^^^^^^^^^^^
>> New unchecked dereference.
>
> that is false positive.
> See that 'if (func_id = BPF_FUNC_tail_call ...)' is done before
> map->map_type dereference.
> tail_call_proto has:
> .arg2_type = ARG_CONST_MAP_PTR
> so call at line 869:
> check_func_arg(env, BPF_REG_2, fn->arg2_type, &map);
> will check that arg2 is map_ptr and will assign valid map pointer
> into map variable.
> So if line 920 is true, then line 869 was ok as well and map
> pointer is valid. No need for extra check at line 921.
A bit hard to parse, perhaps. The control flow might have been easier
to understand, if it would have looked like:
if (!map)
/* Nothing to check further. */
return 0;
if (map->map_type = BPF_MAP_TYPE_PROG_ARRAY &&
func_id != BPF_FUNC_tail_call)
return -EINVAL;
if (map->map_type != BPF_MAP_TYPE_PROG_ARRAY &&
func_id = BPF_FUNC_tail_call)
return -EINVAL;
return 0;
Cheers,
Daniel
next prev parent reply other threads:[~2015-05-26 16:16 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-23 17:33 bpf: allow bpf programs to tail-call other bpf programs Dan Carpenter
2015-05-26 16:01 ` Alexei Starovoitov
2015-05-26 16:16 ` Daniel Borkmann [this message]
2015-05-26 16:30 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55649C5E.4060605@iogearbox.net \
--to=daniel@iogearbox.net \
--cc=kernel-janitors@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox