From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
John Fastabend <john.fastabend@gmail.com>,
Eduard Zingerman <eddyz87@gmail.com>,
Sasha Levin <sashal@kernel.org>,
ast@kernel.org, bpf@vger.kernel.org
Subject: [PATCH AUTOSEL 6.6 22/31] bpf: Ensure proper register state printing for cond jumps
Date: Tue, 7 Nov 2023 07:06:09 -0500
Message-ID: <20231107120704.3756327-22-sashal@kernel.org>
In-Reply-To: <20231107120704.3756327-1-sashal@kernel.org>
From: Andrii Nakryiko <andrii@kernel.org>
[ Upstream commit 1a8a315f008a58f54fecb012b928aa6a494435b3 ]
Verifier emits relevant register state involved in any given instruction
next to it after `;` on the right, if possible, or, in the worst case, on a
separate line repeating the instruction index.
E.g., a nice and simple case would be:
2: (d5) if r0 s<= 0x0 goto pc+1 ; R0_w=0
But if there is some intervening extra output (e.g., precision
backtracking log) involved, we are supposed to see the state after the
precision backtrack log:
4: (75) if r0 s>= 0x0 goto pc+1
mark_precise: frame0: last_idx 4 first_idx 0 subseq_idx -1
mark_precise: frame0: regs=r0 stack= before 2: (d5) if r0 s<= 0x0 goto pc+1
mark_precise: frame0: regs=r0 stack= before 1: (b7) r0 = 0
6: R0_w=0
First off, note that in `6: R0_w=0` the instruction index corresponds to the
next instruction, not to the conditional jump instruction itself; this is
wrong and we'll get to that.
But besides that, the above is a happy case that does work today. Yet,
if it so happens that precision backtracking had to traverse some of the
parent states, this `6: R0_w=0` state output would be missing.
This is due to a quirk of print_verifier_state() routine, which performs
mark_verifier_state_clean(env) at the end. This marks all registers as
"non-scratched", which means that subsequent logic to print *relevant*
registers (that is, "scratched ones") fails and doesn't see anything
relevant to print and skips the output altogether.
print_verifier_state() is used both to print instruction context and to
print an **entire** verifier state indiscriminately, e.g., during precision
backtracking (and in a few other situations, like entering or exiting a
subprogram). This means that if we have to print the entire parent state
before getting to printing instruction context state, instruction context
is marked as clean and is omitted.
Long story short, this is definitely not intentional. So we fix this
behavior in this patch by teaching print_verifier_state() to clear
scratch state only if it was used to print instruction state, not the
parent/callback state. This is determined by print_all option, so if
it's not set, we don't clear scratch state. This fixes missing
instruction state for these cases.
As for the mismatched instruction index, we fix that by making sure we
call print_insn_state() early inside check_cond_jmp_op() before we
adjust insn_idx based on the jump-branch-taken logic. And with that we get
the desired correct information:
9: (16) if w4 == 0x1 goto pc+9
mark_precise: frame0: last_idx 9 first_idx 9 subseq_idx -1
mark_precise: frame0: parent state regs=r4 stack=: R2_w=1944 R4_rw=P1 R10=fp0
mark_precise: frame0: last_idx 8 first_idx 0 subseq_idx 9
mark_precise: frame0: regs=r4 stack= before 8: (66) if w4 s> 0x3 goto pc+5
mark_precise: frame0: regs=r4 stack= before 7: (b7) r4 = 1
9: R4=1
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/bpf/20231011223728.3188086-6-andrii@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 873ade146f3de..372ffebdbdc46 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1515,7 +1515,8 @@ static void print_verifier_state(struct bpf_verifier_env *env,
if (state->in_async_callback_fn)
verbose(env, " async_cb");
verbose(env, "\n");
- mark_verifier_state_clean(env);
+ if (!print_all)
+ mark_verifier_state_clean(env);
}
static inline u32 vlog_alignment(u32 pos)
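Review bot: the new `if (!print_all)` guard around `mark_verifier_state_clean(env);` encodes a non-obvious invariant (scratch marks must survive a full-state dump so the later instruction-context print still finds something "relevant" to show), but nothing in the code says so; please add a one-line comment above the guard explaining why a print_all caller must not clear the marks. It is also worth confirming that no print_all=true caller relied on the clean-up as a side effect, since those call sites now leave the scratch marks set until the next instruction-context print.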
@@ -14135,6 +14136,8 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
!sanitize_speculative_path(env, insn, *insn_idx + 1,
*insn_idx))
return -EFAULT;
+ if (env->log.level & BPF_LOG_LEVEL)
+ print_insn_state(env, this_branch->frame[this_branch->curframe]);
*insn_idx += insn->off;
return 0;
} else if (pred == 0) {
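Review bot: the new `print_insn_state(env, this_branch->frame[this_branch->curframe]);` is deliberately placed before `*insn_idx += insn->off;` so that the logged index is the conditional jump itself rather than its target, but on a quick read it looks like a print in the wrong place; a short comment stating that ordering requirement would help. The same comment should mention that this path then returns 0 to the caller, so not emitting a duplicate state line relies on this early print having cleared the scratch marks, which is implicit here.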
@@ -14147,6 +14150,8 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
*insn_idx + insn->off + 1,
*insn_idx))
return -EFAULT;
+ if (env->log.level & BPF_LOG_LEVEL)
+ print_insn_state(env, this_branch->frame[this_branch->curframe]);
return 0;
}
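Review bot: this block is a verbatim copy of the one added in the `pred == 1` branch (`if (env->log.level & BPF_LOG_LEVEL)` / `print_insn_state(env, this_branch->frame[this_branch->curframe]);`); consider a small static helper so the two call sites cannot drift apart. Note also that only the two early-return branches (`pred == 1` and `pred == 0`) get the early print; if the remaining case is meant to keep the generic post-instruction print, a sentence saying so in the commit message would make the intent checkable.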
--
2.42.0
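As an added illustration, not part of this patch or of the kernel, the scratch-state bookkeeping the commit message describes modelled in user-space C: the names mirror kernel/bpf/verifier.c, the bodies are simplified stand-ins, and the `fixed` flag switches between the old unconditional clean-up and the patch's `!print_all` rule.

```c
/* Added user-space model of the bookkeeping the commit message describes;
 * not kernel code. Names mirror kernel/bpf/verifier.c, bodies are stand-ins. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define MAX_REGS 11

struct env {
	unsigned scratched_regs; /* bit i set: ri was touched by this insn */
	char log[256];
	size_t len;
};

#define verbose(env, ...) \
	((env)->len += snprintf((env)->log + (env)->len, \
				sizeof((env)->log) - (env)->len, __VA_ARGS__))

/* print_all dumps every register (parent/callback state); otherwise only
 * scratched ones (instruction context). 'fixed' applies the patch's rule:
 * clear scratch marks only after printing instruction context. */
static void print_verifier_state(struct env *env, const int *regs, bool print_all, bool fixed)
{
	for (int i = 0; i < MAX_REGS; i++)
		if (print_all || (env->scratched_regs & (1u << i)))
			verbose(env, " R%d=%d", i, regs[i]);
	verbose(env, "\n");
	if (!fixed || !print_all)
		env->scratched_regs = 0; /* mark_verifier_state_clean() */
}

static void print_insn_state(struct env *env, const int *regs, int idx, bool fixed)
{
	if (!env->scratched_regs) /* nothing "relevant": whole line skipped */
		return;
	verbose(env, "%d:", idx);
	print_verifier_state(env, regs, false, fixed);
}

/* Commit-message scenario: r0 scratched by a cond jump, precision backtracking
 * dumps a parent state first, then the instruction context is printed.
 * Returns true if "6: R0=0" still reaches the log. */
static bool insn_state_survives(bool fixed)
{
	struct env env = { .scratched_regs = 1u << 0 };
	int parent[MAX_REGS] = { 0 }, cur[MAX_REGS] = { 0 };
	print_verifier_state(&env, parent, true, fixed); /* backtracking log */
	print_insn_state(&env, cur, 6, fixed);
	return strstr(env.log, "6: R0=0\n") != NULL;
}
```

With `fixed` false the parent dump clears the marks and the `6:` line vanishes, exactly the missing-output case the message describes; with `fixed` true it survives.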