Skip to content

Commit

Permalink
bpf: teach verifier actual bounds of bpf_get_smp_processor_id() result
Browse files Browse the repository at this point in the history
bpf_get_smp_processor_id() helper returns current CPU on which BPF
program runs. It can't return value that is bigger than maximum allowed
number of CPUs (minus one, due to zero indexing). Teach BPF verifier to
recognize that. This makes it possible to use bpf_get_smp_processor_id()
result to index into arrays without extra checks, as demonstrated in
subsequent selftests/bpf patch.

Signed-off-by: Andrii Nakryiko <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Alexei Starovoitov <[email protected]>
  • Loading branch information
anakryiko authored and Alexei Starovoitov committed Jul 12, 2023
1 parent 87e098e commit f42bcd1
Showing 1 changed file with 26 additions and 11 deletions.
37 changes: 26 additions & 11 deletions kernel/bpf/verifier.c
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@
#include <linux/btf_ids.h>
#include <linux/poison.h>
#include <linux/module.h>
#include <linux/cpumask.h>

#include "disasm.h"

Expand Down Expand Up @@ -9116,19 +9117,33 @@ static void do_refine_retval_range(struct bpf_reg_state *regs, int ret_type,
{
struct bpf_reg_state *ret_reg = &regs[BPF_REG_0];

if (ret_type != RET_INTEGER ||
(func_id != BPF_FUNC_get_stack &&
func_id != BPF_FUNC_get_task_stack &&
func_id != BPF_FUNC_probe_read_str &&
func_id != BPF_FUNC_probe_read_kernel_str &&
func_id != BPF_FUNC_probe_read_user_str))
if (ret_type != RET_INTEGER)
return;

ret_reg->smax_value = meta->msize_max_value;
ret_reg->s32_max_value = meta->msize_max_value;
ret_reg->smin_value = -MAX_ERRNO;
ret_reg->s32_min_value = -MAX_ERRNO;
reg_bounds_sync(ret_reg);
switch (func_id) {
case BPF_FUNC_get_stack:
case BPF_FUNC_get_task_stack:
case BPF_FUNC_probe_read_str:
case BPF_FUNC_probe_read_kernel_str:
case BPF_FUNC_probe_read_user_str:
ret_reg->smax_value = meta->msize_max_value;
ret_reg->s32_max_value = meta->msize_max_value;
ret_reg->smin_value = -MAX_ERRNO;
ret_reg->s32_min_value = -MAX_ERRNO;
reg_bounds_sync(ret_reg);
break;
case BPF_FUNC_get_smp_processor_id:
ret_reg->umax_value = nr_cpu_ids - 1;
ret_reg->u32_max_value = nr_cpu_ids - 1;
ret_reg->smax_value = nr_cpu_ids - 1;
ret_reg->s32_max_value = nr_cpu_ids - 1;
ret_reg->umin_value = 0;
ret_reg->u32_min_value = 0;
ret_reg->smin_value = 0;
ret_reg->s32_min_value = 0;
reg_bounds_sync(ret_reg);
break;
}
}

static int
Expand Down

0 comments on commit f42bcd1

Please sign in to comment.